
AHLA's Speaking of Health Law
The American Health Law Association (AHLA) is the largest nonprofit, nonpartisan educational organization devoted to legal issues in the health care field with nearly 14,000 members. As part of its educational mission, AHLA's Speaking of Health Law podcasts offer thoughtful analysis and insightful commentary on the legal and policy issues affecting the health care system. AHLA is committed to ensuring equitable access to our educational content. We are continually improving the user experience for everyone and applying the relevant accessibility standards. If you experience accessibility issues, please contact accessibility@americanhealthlaw.org.
Assessing HIPAA Risks During the M&A Due Diligence Process
Jon Moore, Chief Risk Officer and Senior Vice President of Consulting Services, Clearwater, speaks with Vanessa Burrows, Counsel, Simpson Thacher & Bartlett LLP, and Wendi Wright, Senior Director of Privacy & Data Protection, Intuitive Surgical, about why HIPAA must be considered within the scope of M&A due diligence and what the diligence process looks like. They discuss documentation, the use of external data sources, the diligence call, and practices to review such as de-identified Protected Health Information and web tracking technologies. Vanessa and Wendi spoke on an AHLA webinar last year related to this topic. Sponsored by Clearwater.
Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Their solutions include their proprietary software-as-a-service-based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise, and advisory support from their deep team of information security experts. For more information, visit clearwatercompliance.com.
Speaker 2: Welcome everyone to another episode of AHLA's Speaking of Health Law podcast. My name is Jon Moore. I'm Chief Risk Officer and Senior Vice President of Consulting and Customer Success at Clearwater, a leading provider of healthcare security and compliance services. I am very fortunate to have with me today Vanessa Burrows. Vanessa is Counsel at Simpson Thacher & Bartlett in Washington, DC. And Wendi Wright. Wendi is Senior Director of Privacy and Data Protection at Intuitive Surgical in Sunnyvale, California. Welcome, and how are you all today?
Speaker 3: Thank you for having us.
Speaker 4: Yep. Thanks for having us. Happy to be here.
Speaker 2: Great. In October of last year, you folks did a training webinar for AHLA called "Will HIPAA Compliance Issues Stop Your Deal? Assessing HIPAA Risks in M&A." I thought that was a wonderful presentation and learning experience, and I thought we could talk a bit about those issues today, and maybe even some things that might have changed since you made that webinar. Would that be okay with you?
Speaker 4: Yeah, absolutely. That sounds great. Thanks, Jon.
Speaker 3: Okay, sounds great.
Speaker 2: Excellent. So, Vanessa, I thought maybe I'd start with you. Right from the get-go: when, and why, should an acquiring organization include HIPAA in the scope of its diligence?
Speaker 4: Sure. Great question. As for the when, I would say as soon as the client or a member of the deal team realizes that the target is handling protected health information or has health data in some capacity, then the target's activities should be assessed, as well as any implications for HIPAA and the Federal Trade Commission Health Breach Notification Rule, as well as state health information laws and medical information laws, to determine if they're applicable to the particular transaction. And then as for the why the acquiring organization should include HIPAA in the scope of its diligence, I would say there's a number of risks that come with any non-compliance that's identified in the scope of diligence. First of all, there's penalties, of course, which can reach up to, or actually over, 1.9 million for all identical violations in a calendar year. In addition to the penalties, there's potential for class action litigation and other lawsuits, as well as investigations not only from the US Department of Health and Human Services Office for Civil Rights, but also the Federal Trade Commission and state attorneys general. And then of course, there's the time that management would have to take to handle an investigation or handle complaints related to any non-compliance that's discovered in the scope of diligence, as well as negative press coverage. The press coverage could come as a result of a press release from the federal government, whether it's from the FTC or HHS OCR, as well as the press that would come along with any breach that's discovered in diligence that affects over 500 individuals for HIPAA.
And then of course, there's the need to build in time to institute a compliant program if there are issues discovered during due diligence, especially if the target company is an early stage company. They might not have very well thought out policies and procedures, and then it will take a number of weeks or months to remediate any non-compliance discovered in the course of diligence. Then of course, there are certain companies that would have concerns about public perceptions associated with a particular deal, and those companies will need to prepare talking points for the media and others as to why the company is actually acquiring the target and how the company is going to use protected health information or de-identified health information as a result of the acquisition, or that's held by the target. This might be a particular concern for companies that are non-traditional or technology companies that are acquiring healthcare companies.
Speaker 2: Right. And so, Vanessa, when you go through that diligence process, what does that look like for an organization?
Speaker 4: Sure. There's a number of documents that we would request, but it's not just limited to documentary diligence. There would also be diligence calls, diligence requests, and then assessments of what types of data the target holds. So from the documentary diligence perspective, there's of course the virtual data room, whether it's on a well-known provider or just documents that the company is sending in response to requests. Then there's publicly available materials, and Wendi's gonna touch later on the HHS Office for Civil Rights breach portal. And then there's the due diligence requests that we would prepare and send over to the target in advance. Depending on the responses to those requests, we might have a number of follow-up questions. Then in addition to the documentary diligence, there's of course due diligence calls, maybe one or more, that are conducted with the company. So for that you would prepare the agenda, draft follow-up questions after the call, and then speak with management during the call as to their HIPAA compliance and compliance with other health data requirements at the state level. There's also just the assessment that one has to do in conjunction with the health data held by the company to determine what laws apply. And this is ever more important, as there's a number of states that have enacted laws that are applicable since Wendi and I held our presentation and webinar for AHLA back in October. For example, Washington State has the My Health My Data Act. It doesn't come into effect for a number of years; it's in 2024, but at the same time, companies will need to prepare for it. So we'll start to ask questions about preparation for that law as well as other health data laws in the course of due diligence, and just assessing what the company is doing with health data.
Is the company a covered entity? Are they a business associate under HIPAA? Are they a subcontractor? How are they creating, receiving, maintaining, and transmitting health data at the target level? And then if the target says, well, we don't have to worry about HIPAA, only de-identified information is held by the target, we would need to pressure test that assertion. Is the target accurate in its statements that it's only holding de-identified data, and therefore doesn't have to comply with a number of data requirements or HIPAA? Then, in addition to the documentary diligence, the diligence calls, and the assessments of health data, we'd want to ensure that we're reviewing security procedures, encryption and offshore access. And this might be conducted in conjunction with a consultant who has security expertise. So there might be separate, very detailed technical calls with security consultants to get a full handle on what the company's security procedures are and how they handle data: who is able to access that data, and how they're accessing it offshore, if it's PHI. So that will be maybe a whole separate set of calls. And then finally we would evaluate breaches, investigations and ongoing litigation, and do litigation searches and negative news searches beyond just the general breach searches to see what pops up in the course of those types of searches.
Speaker 2: Great. And you mentioned documentation being obviously a significant part and one of the first things you're looking for in diligence. So when you do diligence, and HIPAA diligence in particular, what documentation are you looking for? Does that vary from, say, a covered entity versus a business associate?
Speaker 4: Yeah, absolutely. It would vary a little bit depending on if the entity is a covered entity versus a business associate. If it's a covered entity, they would have notices of privacy practices that should be publicly posted. So that would be one thing we would look for. If of course the healthcare provider doesn't have a notice of privacy practices, that would be a red flag right off the bat. And how they're acknowledging the receipt of notices of privacy practices. Same thing if it's a health plan: how are they distributing notices of privacy practices? But whether it's a covered entity or a business associate, if they have any kind of HITRUST certification, we would request documents related to the HITRUST certification and the assessments that have been conducted related to HITRUST, or if that's in process, we would ask questions about how that's going and ask for documents related to that. Then we would be interested in obtaining the most recent security risk assessment, as well as any prior security risk assessments if they're available, and then the remediation plans associated with those security risk assessments. We'd also request business associate agreements and review those, any data use agreements that the company holds, and then we'd look at contractual provisions that discuss protected health information or health data generally, and whether those contractual provisions conflict with any business associate agreements or data use agreements. Sometimes that can be the case where companies wanna grant broader rights than would be permitted by a business associate agreement, but they do it in the contract, the master services agreement, for example. Then we would also look at policies and procedures provided by the target. As I mentioned, the public notices of privacy practices: are these policies missing? Are they outdated?
And we'd review whether the policies and procedures themselves are adequate for the company's business. Obviously, a covered entity is gonna have many more policies and procedures on the privacy side than a business associate would have. So we would review those, and what protections the company has put in place to handle protected health information at the administrative level for policies and procedures. Then if the target is obtaining any kind of consent for the use or disclosure of protected health information, we would be interested in reviewing those consents and the rights that are provided by those consents. This can be really important if the protected health information is going to be shared with or disclosed to other third parties, and the individuals have actually provided consent for disclosures of their protected health information. Then we would request training, copies of training logs associated with training, breach logs, from a redacted perspective of course, and information on any breaches and security incidents that have happened that are successful. We'd also request copies of correspondence with regulators, and then litigation and complaints, in addition to just copies of the normal business associate agreements, probably the top 10 or top 20 at a minimum in terms of their suppliers or subcontractors. We would ask for template business associate agreements and information on whether the company is using its template on a regular basis, or whether the target is actually forced to always adhere to the other side's business associate agreement, because that makes compliance much harder, and especially makes it more difficult in the event of a breach to track all of the notification requirements associated with multiple business associate agreements.
And then we'd ask for de-identification rights and any analyses associated with de-identification rights that the target has done. And finally, we'd usually ask about cyber insurance coverage and the levels that the company has for its cyber insurance coverage in the event of any breaches.
Speaker 2: In performing diligence ourselves, on more than one occasion when requesting policies and procedures, we've gotten quote-unquote HIPAA policies and procedures back that say "insert company name here." When reviewing documentation, what do you wanna see? I mean, what might be some typical red flags? Obviously that's an obvious red flag there, when they've not even taken the time to insert their own name into the policies and procedures. But what are you typically seeing? What would be something that would catch your eye and cause you to pay a little extra attention to the documentation that's been provided?
Speaker 3: Yes, thanks Jon, and thanks again for the opportunity. Your example is something that makes us giggle, but it is not unheard of at the same time. Or you'll see another company's name and you'll say, oh, gosh, did you have a name change or did you have an acquisition? I think a lot of what we see, especially for non-healthcare-provider companies, is that they have bothered to do the copy and paste, but they haven't actually adapted the policies and procedures for their business. And as Vanessa said, is it specific for what you're doing? Are you an app provider? Do you have a medical device? Are you an electronic health records company? Have you adapted the policies and procedures and the training for what your actual business is? What does the training look like? Is it off-the-shelf training? And again, is it applicable for the business that you are in? If it's off-the-shelf training that's really targeted toward nurses, but it's a tech company, then it seems like there's gonna be a disconnect and the employees aren't really gonna understand what they're responsible for or why it's important for them. I think the de-identification, as Vanessa said: what's the methodology? What is the documentation? And then can we pressure test that? Can the target show us an example of a dataset that they have de-identified, or screen share that with us? Really looking at any business associate agreements or data use agreements: what are the requirements and what are the restrictions, and does that align with what we've heard in the other diligence calls in terms of how the business operates? So I think you have to really pay attention and listen for gaps or inconsistencies in the documents with how the target has described its business and how it operates. Encryption is a great thing to talk about and play with: is data encrypted in motion, at rest?
How does this occur? I think part of Meta's recent fine, although not HIPAA, is a very interesting learning opportunity, in that it's more than just the documents. It is how have you implemented the controls, the technical and organizational measures that you say you have in place? And so Meta, for example, encrypted data in transit, but not at rest. And is that reasonable given the type of data that you have and the size and complexity of the target? Again, it's all going towards where is this company from a risk-based perspective, and what is it going to take for your client to remediate if the acquisition goes through? And as Vanessa and I said in the training in October, we've actually never had an experience, Vanessa, tell me if something has changed, where a company has walked away from a potential acquisition because of HIPAA, or because of a weak program even. I've seen active litigation or active investigation with a target, and the company liked what the target offered so much that they took that risk, to their own detriment. But I have seen that happen as well. I think the offshore restrictions can be very tricky, because a lot of healthcare providers in the United States do not want their PHI exposed outside of the United States. And it's important to know that your servers can be in the United States, the data stays in the United States, but you might still have support staff, you might even have your own company that is a subsidiary that's based outside of the United States. But if there are hard restrictions, either in the target's contracts or in your contract with your existing customers, how would you manage that? And what would that impact be?
Just know that clients aren't always looking to acquire targets that are based in the United States. Maybe the service, the offering, the technology is fantastic and it's in Venezuela. How would you be able to bring that into the United States, or what would the appetite be for your existing clients to expand the access to their PHI outside of the United States? Vanessa mentioned third party audits. I always find it very interesting: third party certifications or audits like a SOC 2 Type 2. Let's see the most recent. What's the scope of it? Does it actually cover sufficiently such that you are comfortable with the risk? A SOC 2 Type 2 does not have to cover all of the trust principles. It could be very narrow. It could be for a six month period and not a 12 month period. How recent is it? And has it really looked at what you would hope to see, such that you have assurances that the company is mature? And again, those diligence calls are really important, because you're listening for the target to be able to competently and confidently describe their approach to protecting PHI. What is their approach to privacy? What is their approach to security? How seasoned are they? How articulate are they? How forthcoming are they? And so really listening to the tone and tenor as well as the words that are said. And again, how does all of this align with the documents and what the story is that you've been told? So those are some of the high level red flags. Also, I will say that a company that's been around for some years that tells you that they don't have an incident log and that they have never had a privacy or security incident, even if it's not a capital-B Breach, is something that you should be suspicious of. Not because they're bad, but because we're just imperfect.
And so it's not a matter of if, but when, and have you recognized it and has it been logged and addressed appropriately, or even at all? And so I've also seen diligence where a company's been in existence for 15 years and they said, we've never had a privacy or security incident. Well, that just feels impossible. And so that again tells me about that company's awareness or willingness to be aware of its own vulnerabilities. And again, that's not judgmental. We all have them. They all exist. Are you recognizing them? Are you identifying them, and are you quickly curing them?
Speaker 2: Yeah, I mean, I think that in particular is indicative of a lack of an active program, regardless of whether the documentation is in place or not. One of the other things that you said that really hit home with me, because I see this a lot, is understanding that there's a scope associated with third party assessments like the SOC 2 in particular, and HITRUST, we see this as well. And I think at least I've often seen organizations play a bit fast and loose with those, certainly from a marketing perspective. And I think when we're doing diligence, as you've mentioned, we need to be very careful that we're understanding what the exact scope of those assessments is. Earlier Vanessa mentioned the OCR breach portal. Wendi, in addition to the documentation, are there external data sources like the OCR breach portal that you're looking at as part of the diligence process?
Speaker 3: Yes. I think any AG's website will also, when they take health actions, they like to publicize those. So look at the states in which they operate or in which the target's customers are located. See if there's been any AG activity. If there is a patient community or consumer community that's online, you might take a look at that as well. Just a simple Google search can sometimes be very helpful. And that doesn't mean that just because somebody complains that there actually is a problem, but what is that perception in the community? You might also see if this is a target, an organization, that maybe is very well respected, and maybe they are invited to participate in industry conferences; maybe they really are considered a leader. And so I think that might give you some confidence as well. Just look at their website, play around, search, see what you see. Are they HIPAA compliant with two Ps and three As? You know, maybe that, maybe not so much. How transparent are they with their documentation and their claims? To your point, how much of it, and you can always tell on the face of it, how much of it looks to be pure marketing, and how much of it really seems to be informational to the user? What other seals or certifications do they have? And then validating those for sure, to the extent that's possible. So those are just some of the places that I would start, but I would definitely look at the states' AGs as well, and also CMS, if there are any types of CMS activity, which might not necessarily go into HIPAA, but it helps give you an idea of their overall compliance maturity and competency.
And so Medicare and Medicaid billing is usually a separate area than your HIPAA privacy and security, but they tend to all roll up into a chief compliance officer. And what are the struggles that the organization has had, and why? Because if there are corporate integrity agreements, it could be that the compliance team is not properly resourced, or actually might be very distracted and not have enough bandwidth for the HIPAA requirements, which again, is fine. It just means you have to tell your client, and by the way, you're gonna need to hire six more FTEs, <laugh> because there's gonna be a lot of extra work to do.
Speaker 2: The state AG tips, I think, are really good ones. I don't know if I have the numbers to back this up, but it certainly seems like over the last few months there's been as much, if not more, HIPAA enforcement activity at the state level than there has been coming out of OCR. Vanessa, you mentioned earlier we were gonna do that document request and then we're gonna have the diligence call. How long are you usually getting for that diligence call? And what would your agenda look like for that?
Speaker 4: That's a great question. It definitely depends on the client and the company. If it's an auction process, the diligence call timeframe might be very short. It might be one to two hours for everyone on the deal to ask their questions, which of course then means HIPAA is gonna get five to 10 minutes, because there's other major issues that also have to be addressed in the course of a diligence call. But then if you have a client that is really interested in data rights, there might be a separate hour-long or hour-and-a-half-long call that's just focused on data rights and the company's processes for obtaining data rights. And this goes back to what Wendi had mentioned earlier. Typically HIPAA non-compliance is not going to result in the termination of a deal or pencils down on a deal. But if the company doesn't have adequate consent and it's disclosing PHI, and the consent is very important for the acquiring company or the other contracting party in order to get access to that information, I have been involved in one situation where that did result in the termination of a deal. So although it's not HIPAA non-compliance that led to that, the failure to have the appropriate consent in place, or the appropriate data rights, and to obtain the appropriate data rights to permit the acquiring entity to use data in the way that it wants to use data, that can sometimes have a negative impact on a deal. But I'd say typically there would be 10 to 15 minutes on a larger diligence call to assess privacy and security issues that might arise. And then of course, there would be a number of follow-ups. There could be any number, 2, 3, 4 follow-up calls.
If there's a breach that's ongoing and active, as the deal progresses there might be updates that need to be given to the acquiring company as a result of the active investigation. Or if we are not getting the answers that we'd like to obtain from the target company, we might keep requesting additional calls to follow up and try to get the answers that we need to give our clients an honest assessment of what's happening with a particular investigation, what's happening with a particular breach, or the failure to provide policies and procedures or a security risk assessment, because that will help us draft the reps and warranties parts of the deal documents appropriately, based on the information we're able to obtain from the target and the representations the target can make.
Speaker 2: So earlier, I think you mentioned de-identified PHI and talked a little bit about that. We're seeing more and more cases of organizations sharing quote-unquote de-identified PHI, often for marketing or other business purposes. Is this a significant concern that you have now, and how would you evaluate that type of situation during diligence?
Speaker 4: Yeah, absolutely. I think during diligence, you'd have to assess whether de-identification has been done appropriately, especially if it's going to be used downstream by any number of subcontractors or other entities, or if the de-identified information is going to be sold or used for marketing or other business purposes. So you want to assess whether the target's properly de-identified PHI using the safe harbor method. If not, then you have to assess what the risks are of that improper de-identification. And then if the target's using the expert determination method to de-identify PHI, we would want to assess how the target is selecting its experts, whether the experts are appropriately qualified, and whether the target is following the guidance from the US Department of Health and Human Services for methods of de-identification of PHI in accordance with the HIPAA Privacy Rule. And then as part of that assessment about the use of an expert determination method, we'd wanna review the expert report and any other statistical analyses that accompany those reports. Because if the de-identification is improper, then you're still sharing PHI, and now you have potentially committed a breach, or, depending on the measures that were in place to protect that data, if it was improperly de-identified, that could result in a whole host of other compliance questions and additional investigations and analyses and breach assessments that have to be conducted based on the improper de-identification of data.
Speaker 2: Yeah, I mean the use of this data for marketing is, I think for me, a particular concern, particularly when I hear organizations suggest that the organization that they're sharing it with is essentially going to re-identify it for purposes of targeted marketing. And I think that, through the use of AI and other tools, is a growing concern, at least that we're seeing. Speaking of new and growing concerns, Wendi, recently there's been a lot of news around the use of pixel tools or other web tracking technologies by healthcare organizations. And this has caused OCR to release guidance specifically around the use of these technologies. There's been a tremendous amount of press suggesting that thousands of healthcare organizations are improperly using these tools and disclosing ePHI as a result. Is that something that you think can be considered during diligence, or how are you treating that today?
Speaker 3:Yes, John , absolutely. And it's so tricky. I , I have to first say that I have a lot of empathy for marketing teams because I don't think when they take their marketing courses, they are educated about data privacy and , um, maybe they are in the sense of , um, cookie banners, but I don't think that there's much more than that <laugh> . And so I can really appreciate that on one hand, there's so much that you can do data that can be collected , um, and analyzed to really , um, understand the, the value of the marketing , um, marketing campaigns. And , uh, and there's so much data out there can really be combined to have some rich understanding of the visitors to the website or users of an app that the privacy laws, not just in hipaa , but worldwide, are really, really very , uh, shrinking the ability without, we're getting pretty close to explicit consent here in most cases. So I , I do think that it's something to investigate. Um, and , um, and , and I think we're all kind of struggling with how to implement , um, and , and give good guidance on , on the pixels . Uh , you know , I think the first question is are, are you using these tracking devices? And , um, that's great. Tell us when, and tell us how. And there could be some uses that are really very, quite legitimate. For example , um, maybe , uh, something is being used , um, and there are tests that are being , um, um, activities that are being provided to the actual patients , um, because you're measuring neuroplasticity or something similar to that. Um , and in which case then that clearly falls under , uh, treatment t p , um, and then you would have business associate agreements, and that could be very valid , um, assuming that you had appropriate limited , uh, secondary uses of the pH i itself . One question is, are you using first or third party tracking tools? And it seems like we get into a lot of trouble , um, and it gets trickier when we're looking at third party tools. 
And so, when we're using third-party pixels, we really dig deep into that. When are they being used? What are they being used for? What do those contracts look like? What are the rights that are associated with that? Do you have patient authorization? Maybe you have patient authorization from every individual; it's very clear that this is something that's going to be used for non-treatment, payment, or healthcare operations purposes, or it's only going to be used in marketing, or it's going to be used for marketing purposes, in which case part of your problem is already solved. But I think that there are more and more things that can be done, even just reading emails or tracking where a cursor is hovering. It's more than just whether someone has clicked an embedded link and gone to a different site. There's quite a bit that you can gather from emails, from websites, from apps. And so I think it's very important to ask those questions and understand what's in place. And again, it lets you know the maturity of the target and how much remediation might need to happen, or if it's just something where the target has decided they would take the risk and they have a much greater appetite than your client does, in which case, how difficult is it going to be, not just to change the practice, but you're also talking about changing mindset and changing culture. And that takes much longer than putting into place an agreement like a business associate agreement or even seeking authorization.
Speaker 2: So at the end of the day, we're doing diligence so that we can best advise the acquirer as to the risk associated with, or the potential costs associated with, the HIPAA compliance program. So let me give you two different scenarios, and tell me how your conversation might go with the client or the acquirer. Wendi, let's start with you. Let's say we're performing diligence and it's a situation like you mentioned earlier, where the organization says, well, we've never had an incident, and there's other evidence to suggest that they don't have a functioning HIPAA compliance program at all. What are you going to advise in that type of scenario? Or what are you going to let the acquiring organization know?
Speaker 3: Yes, I think that's a great question and not a far-fetched scenario at all. I think first is: here are the things that we look for. Here's why we look for them. Here's where we see the gaps. Maybe do a visual, a heat map, and say, just know, we have no idea where, or here's some idea of what we know, and here's what we're going to guess in terms of where the gaps are and where the risk is. And so just know that's what you're taking on, that potential burden. And here's what it's going to take to build up HIPAA compliance and to integrate the target into your client's environment and your client's compliance program. And again, give an idea of resources, give an idea of time, maybe even make some suggestions, because you should know your client well enough to make some suggestions in terms of: here are the things that we see as top priority and must be fixed immediately, 30, 60 days post-contract. And here are things where we will work over time and it will be iterative to remediate. But I think you have to be very candid. Again, you have to be candid about resources. Does this mean really hiring new people? Are there things that can go to outside counsel? Maybe if there are no business associate agreements and you need to put many of them in place, that may be something that outside counsel can negotiate. But if you're talking about revamping policies and procedures, or even building them from zero, and absorbing that, and educating and reorienting the target's teams to a HIPAA mindset, that is very, very urgent, but it takes some time. And how do you do that in a non-pejorative way? Someone's got to figure that out. And I would just be very, very candid with my clients so that they're aware of it and that they build it into their budget.
Speaker 2: Great. Vanessa, I'll give you a little different scenario. In this situation, let's say there is a recent breach. Maybe the customer or the target says to you, well, we did have this phishing incident, and it turns out that there was a spreadsheet with 3,000 patient names and patient information in that email account. And oh, we did report that to OCR, and oh, by the way, we just got this letter from OCR asking for information on our response to that, our policies and procedures, our most recent risk analysis, evidence of our training program on phishing, et cetera. How would you advise in that sort of situation?
Speaker 4: Sure, Jon, that's a great question. Just before we get into that, I wanted to go back to one point that you made about marketing, just to remind everyone that there is actually a provision in 45 CFR 164.514(b) that says that, as part of the de-identification of PHI, the covered entity can't have actual knowledge that the information is going to be used alone or in combination with other information to identify an individual who is the subject of the information. So to your point, Jon, if there is knowledge that the information is going to be used for marketing purposes, and if the third party is going to re-identify individuals, then I would advise caution, that that couldn't really be considered a true de-identification under that standard set forth by OCR, because of that re-identification risk and the knowledge that the information could be used to re-identify someone.
Speaker 2: I think I'd have to agree with you there. You get into this question of how close to the actual individual I have to be with my re-identification when I'm targeting these folks. And it becomes a bit tricky, I think, when they're deploying the de-identified data in conjunction with other data sets that the marketers are pulling together. But certainly when they've suggested that they're going to have targeted marketing, I think that's a definite red flag.
Speaker 4: Yeah, absolutely. But to go back to your question about the breach and the phishing incident, the spreadsheet, that is a great question. I would say I would advise my client: we need to seek indemnification for this incident and any issues that are going to flow as a result of this incident, and we absolutely need to see that letter from OCR. We can't just rely on the target's representations about the letter from OCR, because we need to know, is OCR actually conducting an investigation, or is this kind of a preliminary assessment from OCR requesting more information? Obviously, if OCR is labeling it as an investigation, that raises more concerns, because they've actually said that this is an investigation, not just an information request, and then we'll need to negotiate harder on the representations and warranties in the deal documents, in addition to seeking indemnification for that incident. And the indemnification should also be broad enough to cover a historical risk of non-compliance. OCR might identify any number of provisions of the HIPAA Security Rule as a result of that phishing incident that weren't complied with. So it's not just that incident itself, but also the historical non-compliance in the security policies and procedures that the company has, and historical non-compliance with the security, technical, administrative, and physical safeguards there. And then I would also advise the client that we need to analyze any particular state laws that might apply to this situation, as well as any representations that the target has made that might raise concerns from a Federal Trade Commission perspective related to that security incident or potential breach.
Speaker 2: Great. And that's all the questions I had for you folks today. I'll give you each an opportunity if you have any additional thoughts; otherwise, maybe we'll just wrap up. Wendi, any additional thoughts?
Speaker 3: I think one is, just do the best you can with diligence. And if you are not working with a client that understands that the HIPAA and data protection part of diligence is essential and is as important as the financial and some of the other components of diligence, never lose the opportunity to show your value and have them bring you in earlier and really be able to build out the questionnaire that you would send to the target. You just don't want your client, nor do they want, to be surprised and find out that they've actually acquired someone that has insufficient or, worse, really lax, or has been very inattentive to, HIPAA privacy and security. And know you do the best you can with the time that you're given. Sometimes I've been given, you know, hours, not weeks, and you just do the best you can, and again, be very transparent: you gave me one and a half business days, and here's the best I could do in that time.
Speaker 2: Great. Vanessa, any final thoughts?
Speaker 4: I would say trust your gut, and if you think that there's a breach or a security incident that's been described that you can't fully understand because you're missing the documents or you're missing responses to follow-up diligence requests, try to get as much information as you can, and make sure the client understands that, if, like Wendi said, you don't have time to conduct a fulsome level of diligence, there is this potential liability out there. But as much as you want to build rapport with the target and have a good relationship with the target, you need to be a zealous advocate for your client and try to get those documents so you can really understand the full scope of any investigation from a state attorney general, HHS OCR, or some other third party. And, of course, any litigation searches, because if there is a breach, there might have been multiple class actions filed. And so you need to understand that full scope as well.
Speaker 2: So thank you very much to both of you. I really enjoyed spending some time talking with you today about HIPAA compliance and due diligence in HIPAA. There were certainly a number of great takeaways for me from the discussion. I also wanted to thank our listeners for joining us on this episode of Speaking of Health Law. Thank you.
Speaker 3: Thank you, Jon.
Speaker 4: Thanks so much. Thank you for listening.
Speaker 1: If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.