Be Careful What You Contract For: HIPAA and Successor Liability

Successor liability arises when the purchaser is held responsible for the liabilities of the seller. Generally, asset purchases carry less risk of successor liability than ownership interest purchases or mergers. And sometimes, the liability of a seller can trigger an examination into the actions of the purchaser.

On April 28, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) entered into a resolution agreement with Peachstate Health Management, LLC d/b/a AEON Clinical Laboratories (Peachstate) to settle allegations of violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Under the resolution, Peachstate agreed to pay $25,000 and enter into a three-year corrective action plan (CAP) that requires Peachstate to conduct annual risk analyses and implement measures that are reviewed by OCR. The mere finding of a HIPAA violation is, unfortunately, not unique. What is notable in this instance is that the investigation was not initiated because of a breach of unsecured Protected Health Information (PHI) by Peachstate. Instead, the event that triggered the OCR investigation was a breach by Peachstate’s acquirer, a business associate of a different covered entity.

In January 2015, the Veterans Health Administration (VHA) notified OCR of a breach of the PHI of 7,000 of its patients by one of its business associates and telehealth vendors, AuthentiDate Holding Corporation (AHC). In August of 2016 (a year and a half after the breach notification), OCR began investigating AHC. During the course of that investigation, it found that AHC had acquired Peachstate in a reverse merger in January of 2016, prompting OCR to open a new compliance review of Peachstate. OCR’s review found systemic noncompliance with the HIPAA Security Rule, including failures by Peachstate to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures. It was this secondary compliance review that led to the investigation and eventual resolution agreement discussed here.

The Peachstate story serves as a reminder to parties in a transaction to engage in meaningful due diligence when acquiring or merging with companies that may be subject to the HIPAA Privacy and Security Rules. Moreover, to the extent a purchased entity will remain operational, it is important that it too understand the risk profile of its acquirer. As seen in the Peachstate case, an investigation into one party of a transaction, at whatever stage, may increase the risk of an investigation into the other, thereby potentially increasing liability for all. Due diligence, therefore, should involve a detailed review of a party’s HIPAA policies and procedures, business associate contracts, business associate HIPAA compliance programs, ongoing investigations, and any prior deficiencies and remediation efforts. Additionally, purchasers should consider structuring their deals as asset purchases (which limit successor liability) rather than ownership interest purchases or, as in the case discussed here, mergers.

Ultimately, it is critical for all parties involved in healthcare transactions to understand the nuances of HIPAA, including the risk of pre-transactional HIPAA violations. If you have any questions, or need assistance in understanding the rules and structuring deals to avoid compliance issues, please contact Lisa Albright at 609-580-3710 or lalbright@archerlaw.com, or Lauren Peterson at 215-246-3172 or lpeterson@archerlaw.com.

DISCLAIMER: This client advisory is for general information purposes only. It does not constitute legal or tax advice, and may not be used and relied upon as a substitute for legal or tax advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or tax practitioner licensed to practice in the jurisdiction where that advice is sought.