The kind of information exchange that’s necessary before and during a merger or acquisition can raise thorny HIPAA privacy issues, and federal guidance on the subject is sparse at best — especially for employers and other plan sponsors, Senior Editor David Slaughter writes.
In such a transaction between companies that are themselves covered by HIPAA — say, hospitals or health insurers — personal information on patients or members can be exchanged without these people’s specific written authorization. But it gets trickier when the companies’ only connection to the health care field is that they sponsor group health plans for their employees, according to Jessica Bernanke, a senior compliance specialist with The Segal Company, speaking at a webinar sponsored by Thompson Interactive.
These companies’ group health plans, being covered entities, apparently may exchange this HIPAA “protected health information” (PHI) for due diligence purposes — as long as they observe certain limits, Bernanke said. PHI should be disclosed only for plan (not employer) use, and only between designated employees of each company who are “inside the HIPAA box” of staff who normally may access PHI to administer the plan.
And as HIPAA usually requires for PHI disclosures, only the minimum necessary should be exchanged, Bernanke continued. The disclosing company’s privacy officer should determine what this means, and “if there is a disagreement, the privacy officers should be involved in that negotiation.”
The types of information the acquiring company might want on a prospective acquiree’s health plan include financial records of stop-loss insurance and any high-cost claims, Bernanke added. “These records likely contain PHI,” but possibly can be aggregated or redacted, she said. The health plan’s record of compliance with HIPAA and other laws also would be of interest, but “many of these things could probably be confirmed without accessing PHI.”