A good example of this is occurring today in the healthcare sector—specifically, with increasing potential for penalties related to Health Insurance Portability and Accountability Act (HIPAA) compliance. Following recent changes, healthcare organizations are being hit with penalties of up to $1.5 million following compliance audits, with smaller clinics and hospitals paying up to $400,000 to $500,000. Private equity firms that invest in healthcare are at least two degrees removed from any actual patient interaction. Yet, if HIPAA isn’t top of mind during an acquisition, a penalty of this size can easily put a portfolio company in the red and derail the return on investment.
HIPAA compliance is coming under greater scrutiny
To understand why this point is so important for private equity investors—and why the significance is greater than ever today—it is helpful to review a bit of background.
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, helped standardize and streamline billing and health insurance transactions. However, the increasing use of technology revealed an equally important challenge—that of keeping patient health information private. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, was designed to address this challenge by protecting the transmission of electronic medical records (EMRs) across multiple systems. Since most covered entities use subcontractors, HITECH extended HIPAA’s provisions to business associates and their subcontractors. Additionally, the HITECH Act added a tiered penalty structure with fines increasing with the level of culpability, providing the teeth required to enforce compliance.
The effectiveness of these changes was initially tested through compliance audits during a pilot program in 2010. Now, after a quick re-tooling, it appears that the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is preparing to kick off its official HIPAA compliance audit program very soon. The OCR recently posted a notice in the Federal Register announcing that it was surveying “up to 1,200 HIPAA-covered entities, including health plans, healthcare clearinghouses and certain healthcare providers, and business associates, to determine suitability for the OCR HIPAA audit program.” Simply put, this means HIPAA audits are coming, and compliance can no longer be reactive. Firms investing in healthcare must be prepared to take a closer look at the risks and implications.
An imperative part of due diligence
In this environment, it is imperative that due diligence for a potential healthcare acquisition includes an assessment of the policies and procedures that help maintain privacy and security of patient health information. Buyers must look for signs that compliance is ingrained into the culture of the target organization and not an “extra burden” emphasized only during potential audit periods and then forgotten. A comprehensive examination of the effectiveness of an existing HIPAA compliance program should look for four key components:
- People – Has the organization tasked specific people with managing compliance? Do these individuals have the complete support of senior management? Do they provide management with quarterly updates?
- Policies & Procedures – Does the organization have the right policies and procedures (e.g., for training, monitoring, and reporting)?
- Technology – Has the organization incorporated up-to-date technology into key business processes (e.g., encrypted file transfers and data encryption of desktops and systems that contain patient health information data)?
- IT Security Systems & Processes – Are the appropriate security measures in place from a physical and technical aspect (e.g., intrusion detection and prevention)?
Compliance, however, doesn’t end with having the proper pieces in place. Investors should look for evidence that the target organization is dedicated to constant self-evaluation and to implementing changes as needed. This is particularly important as recent changes give the OCR the authority to carry civil monetary revenue across fiscal years. The OCR can now leverage its civil monetary penalties towards planning new audit activities that focus on vulnerabilities that may change year to year. An area of focus for this year’s audits is the extent to which an organization has conducted an in-depth HIPAA security risk assessment, as the pilot program found this to be a widespread weakness.
Time is of the essence
HIPAA compliance is a critical challenge today for healthcare investors, and private equity firms will need to devote time and resources to this aspect of their due diligence. There isn’t much time to lose, as the first surveys could begin going out shortly after April 25—the last day the OCR is accepting comments through the Federal Register. Is your firm prepared? Even if you don’t invest in the healthcare sector, are there similar potentially significant changes for which your diligence should be accounting?