How HIPAA Omnibus Affects Investors
New Risks When Investing in Business Associates
The HIPAA Omnibus Rule is creating new risks for venture capitalists and private equity firms that invest in companies that qualify as business associates. That's because under the rule, these vendors are now directly liable for HIPAA compliance, and civil monetary penalties for non-compliance can reach $1.5 million per year for all violations of an identical HIPAA provision.
HIPAA Omnibus expands the definition of business associates to include more types of companies. The broader definition now covers any entity that creates, receives, maintains or transmits protected health information on behalf of a covered entity for a function or activity regulated by HIPAA. For instance, under HIPAA Omnibus, many cloud services providers that store or process such data are now considered business associates of covered entities, such as hospitals or physician practices, even if they never view the data.
Tony Kong, director of the healthcare practice at West Monroe Partners, a management and technology consulting firm that provides due diligence services for investment companies, says it's essential for potential investors to carefully assess business associates' HIPAA compliance readiness. Many vendors facing the need to become HIPAA-compliant are ill-prepared, he notes.
"Many companies that started out small but grew in terms of their customer base did not make investments, such as naming a compliance officer, or conducting a HIPAA risk assessment," Kong says. "A lot of these companies handle protected health information, but have not yet made the investment in people, processes or technology to ensure HIPAA compliance and reduce risk."
The expanded federal HIPAA compliance audit program, slated to start next year, will include reviews of business associates, he points out. "And a lack of proper security controls resulting in a breach can translate to hefty monetary fines and reputational damage," he adds.
Health Evolution Partners, a San Francisco-based investment firm that focuses on healthcare sector companies, is intensifying its attention to HIPAA compliance, says David Brailer, M.D., the company's CEO.
"We have found that often many [companies] don't understand all the things they are required to do. So we bring in people and go top-to-bottom [to assess compliance] and require a number of corrective actions ... as a condition of our investment," says Brailer, who was the first national coordinator for health IT under the administration of President George W. Bush.
"We also have oversight of their HIPAA compliance on an ongoing basis that is monitored centrally in our firm because there are so many issues," he says. "Our approach is that we act almost like a regulatory authority in our own right, by inspecting, auditing and enforcing compliance as part of agreements and goals for [a] company. We've found that our approach helps, because companies often don't understand what they have to do."
As part of HIPAA compliance efforts, business associates need to provide HIPAA training to their workforce, conduct a risk analysis, mitigate security risks that are identified - and document all of that activity, Kong says. "If that's done, then, if a breach happens, you may have little or no fines."
Kong recommends business associates hire a security consulting firm to conduct a risk assessment to help identify, for example, data that should be encrypted, including information stored on mobile devices.
After that initial outside analysis, Kong recommends that business associates designate a compliance officer who can conduct random internal audits to ensure that a company's security and privacy policies and procedures are followed.
In addition to entering business associate agreements with the covered entities they serve, vendors must enter agreements with their subcontractors as well, he says. For example, "If you're a BA that uses a third-party data center, you need to have a business associate agreement with that provider," he says.
Seat at the Table
Private equity firms generally have a seat on the boards of the firms in which they invest. Those board members should demand that senior management update them on HIPAA compliance, Kong stresses. Investors "should make it a priority for the senior management team to put the proper people, processes and technology in place," he says. "The status of HIPAA compliance should be reported back to the board annually or semiannually."
Similarly, Lisa Suennen, a managing member at the New York-based investment firm Psilos Group Managers, says compliance updates are an important component of board meetings for the companies in which it invests. "That's part of ongoing governance. ... HIPAA Omnibus is another set of regulations companies need to comply with ... along with compliance to regulations from the FDA and FTC."
Kong also suggests that business associates involved in mergers and acquisitions consider creating an escrow account to fund HIPAA compliance issues, before deals are closed. "The state of HIPAA compliance should be part of due diligence," he says. A lack of compliance could, in some cases, make it tougher to complete a merger, he notes.