Healthcare M&A has a unique IT complexity: Protected Health Information (PHI). PHI is subject to HIPAA, and HIPAA obligations follow the data. When you acquire a healthcare company with PHI, you acquire the compliance obligations that come with it.
The integration challenge is that PHI lives in more places than most compliance teams realize — in the EHR, in the billing system, in the email system, in the marketing automation tool, in the Excel spreadsheet that someone uploaded to SharePoint.
The PHI Discovery Problem in Healthcare M&A
The first step in healthcare M&A IT due diligence is the PHI inventory: where is PHI, who has access to it, and what controls are in place to protect it?
The challenge is that PHI can turn up in any of the following:
- The EHR (Epic, Cerner, MEDITECH — the obvious places)
- The practice management / billing system (Waystar, Availity, eCW — the financial system of record)
- The email system (any patient data ever sent via email — including in attachments)
- The CRM (Salesforce Health Cloud, HubSpot with patient data, Dynamics with patient data)
- Marketing automation tools (Mailchimp campaigns that contain patient information)
- File shares (spreadsheets, documents, PDFs with patient data)
- Cloud storage (Google Drive, Dropbox, OneDrive — shared by clinical and administrative staff)
- Personal devices (if BYOD is not properly managed)
ACQI’s SaaS discovery module finds the SaaS applications that contain PHI. The data discovery module finds the file shares and cloud storage locations where PHI is stored.
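The file share and cloud storage side of that inventory is the part most teams have no tooling for. The following is an added illustration, not ACQI's discovery module or any code from the original page: a small pattern-based scanner that walks a set of files (represented here as an in-memory mapping so it runs offline), flags lines carrying indicators such as SSNs and medical record numbers, and separates strong indicators from weak ones (a bare date also matches invoices and appointment reminders). The MRN format and the sample file contents are constructed assumptions; real MRN formats vary by EHR, and a production scan would also need to open PDFs, spreadsheets and mail archives rather than plain text.

```python
import re
from dataclasses import dataclass

# Indicator patterns. SSN and MRN count as strong signals; a bare date is
# weak on its own. The MRN format "MRN-" plus 6 to 8 digits is an assumption
# for this example; real MRN formats differ by EHR vendor.
PATTERNS = {
    "SSN": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "strong"),
    "MRN": (re.compile(r"\bMRN-\d{6,8}\b"), "strong"),
    "DATE": (re.compile(r"\b\d{2}/\d{2}/\d{4}\b"), "weak"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    strength: str


def scan_text(path, text):
    """Return one Finding per (line, indicator kind) that matches in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, (pattern, strength) in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, kind, strength))
    return findings


def scan_files(files):
    """files: mapping of path -> text content; stands in for walking a share."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def files_with_likely_phi(findings):
    """Paths with at least one strong indicator; weak-only files go to manual review."""
    return sorted({f.path for f in findings if f.strength == "strong"})


# Constructed sample share contents for the example; no real patient data.
SAMPLE_FILES = {
    "shares/billing/claims_q1.csv": "patient_id,dob,ssn\n1001,03/14/1970,123-45-6789\n",
    "shares/marketing/newsletter.txt": "Dear patients, our hours change on 06/01/2024.\n",
    "shares/clinical/notes.txt": "MRN-00012345 seen for follow-up\n",
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line_no} {f.kind} ({f.strength})")
    print("likely PHI:", files_with_likely_phi(found))
```

The strong/weak split matters in practice: a share full of invoice dates is not a PHI finding, but a single SSN column in a billing export is, and the output feeds directly into the PHI inventory and the BAA review for whichever storage vendor hosts that share.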
The Business Associate Agreement (BAA) Problem
HIPAA requires that covered entities and business associates have BAAs in place with all service providers that handle PHI.
When a healthcare company uses a SaaS application that has PHI in it, it needs a BAA with that SaaS vendor. Without one, it is in violation of HIPAA.
In healthcare M&A due diligence, it’s common to find:
- SaaS applications with PHI that don’t have BAAs
- BAAs with vendors that have incorrect or outdated business associate definitions
- BAAs that have expired or been terminated but the vendor still has PHI
The BAA finding that changes the deal: A SaaS vendor that processes PHI but has never signed a BAA with the target. The BAA gap is a HIPAA violation. The remediation: either execute a BAA (if the vendor is willing) or migrate the PHI out of the application (which takes 60-120 days and requires data migration planning).
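The three BAA failure modes listed above (no BAA, expired BAA, terminated BAA with PHI still at the vendor) are mechanical to check once the SaaS inventory and the contract register are side by side. The following is an added example, not code from the original page or from ACQI: it joins a list of PHI-holding applications to the BAA records per vendor and emits one gap code per application. The data classes, field names and sample vendors are constructed for the example; a vendor may have several BAAs on file, so the check prefers a currently valid executed one and otherwise reports the most recent record so the finding explains why the vendor fails.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class SaasApp:
    name: str
    vendor: str
    contains_phi: bool


@dataclass(frozen=True)
class Baa:
    vendor: str
    status: str              # "executed" or "terminated" (assumed vocabulary)
    expires: Optional[date]  # None means no fixed expiry date


def _governing_baa(candidates, as_of):
    """A currently valid executed BAA wins; otherwise return the most recent
    record so the gap code reflects the real reason (expired vs terminated)."""
    valid = [b for b in candidates
             if b.status == "executed" and (b.expires is None or b.expires >= as_of)]
    if valid:
        return valid[0]
    return max(candidates, key=lambda b: b.expires or date.min, default=None)


def find_baa_gaps(apps, baas, as_of):
    """Return (app name, gap code) for every PHI-holding app lacking a valid BAA."""
    by_vendor = {}
    for b in baas:
        by_vendor.setdefault(b.vendor, []).append(b)
    gaps = []
    for app in apps:
        if not app.contains_phi:
            continue  # no PHI in the app, so no BAA is required
        baa = _governing_baa(by_vendor.get(app.vendor, []), as_of)
        if baa is None:
            gaps.append((app.name, "NO_BAA"))
        elif baa.status == "terminated":
            gaps.append((app.name, "BAA_TERMINATED"))
        elif baa.expires is not None and baa.expires < as_of:
            gaps.append((app.name, "BAA_EXPIRED"))
    return gaps


# Constructed sample inventory for the example; vendor names are placeholders.
AS_OF = date(2024, 6, 1)
SAMPLE_APPS = [
    SaasApp("EHR", "ehr-vendor", True),
    SaasApp("Marketing automation", "marketing-vendor", True),
    SaasApp("CRM", "crm-vendor", True),
    SaasApp("Legacy billing", "billing-vendor", True),
    SaasApp("Team chat", "chat-vendor", False),
]
SAMPLE_BAAS = [
    Baa("ehr-vendor", "executed", None),
    Baa("crm-vendor", "executed", date(2023, 12, 31)),
    Baa("billing-vendor", "terminated", date(2025, 1, 1)),
    Baa("billing-vendor", "executed", date(2022, 1, 1)),  # superseded record
]

if __name__ == "__main__":
    for app_name, code in find_baa_gaps(SAMPLE_APPS, SAMPLE_BAAS, AS_OF):
        print(f"{app_name}: {code}")
```

Each gap code maps to a different remediation path from the text: NO_BAA and BAA_EXPIRED are resolved by executing or renewing the agreement if the vendor will sign, while BAA_TERMINATED with PHI still in the application is the case that forces a migration plan and therefore a timeline entry in the integration schedule.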
The Covered Entity Status Problem in Post-Merger Integration
A healthcare company that is a covered entity under HIPAA remains a covered entity after the acquisition — until the legal entity structure changes enough that the covered entity status needs to be re-evaluated.
In a typical M&A integration, the acquirer absorbs the target company’s legal entity. If the target company was a covered entity and the acquirer is not, the acquirer may inherit covered entity status — or the integration may need to maintain separate covered entity status for some period.
The integration timeline implication: HIPAA requires a 6-year retention of PHI records, even after a business relationship ends. If the integration involves migrating PHI from the target’s systems to the acquirer’s systems, the data migration needs to maintain HIPAA compliance throughout — which typically requires a data processing agreement and BAA between the acquirer’s IT environment and the target’s IT environment during the transition period.
The Healthcare M&A IT Integration Checklist
PHI Discovery (pre-close)
- PHI inventory: complete list of all systems that contain PHI (EHR, billing, CRM, email, file shares, cloud storage)
- BAA inventory: all vendors with BAAs (confirmed executed and current), all vendors that handle PHI without a BAA
- Data flow mapping: how PHI flows between systems, which applications are connected
Security Assessment
- HIPAA Security Rule gap analysis: administrative, physical, and technical safeguards
- Access controls: who has access to PHI? Is access appropriate and documented?
- Encryption: is PHI encrypted at rest and in transit?
- Audit logging: are PHI access events logged and retained?
Integration Planning
- PHI migration path: from which systems to which systems, over what timeline
- BAA migration: new BAAs needed between the acquirer and all PHI-handling vendors
- Covered entity status: legal entity structure post-merger and HIPAA covered entity obligations
Post-Close Compliance
- BAA audit: all PHI-handling vendors have current, executed BAAs
- PHI access audit: review of all users with PHI access, removal of access for terminated employees
- Incident response plan: HIPAA-specific incident response procedures for PHI breaches
- Breach notification: procedures for notifying HHS and affected individuals in case of a PHI breach
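The post-close PHI access audit is, at its core, a reconciliation of every account that can reach PHI against the HR roster. The following is an added example, not code from the original page or from ACQI: it takes a constructed list of PHI-capable accounts across several systems and a constructed HR roster, and reports accounts that belong to terminated staff (with days of exposure since the termination date, longest first) as well as accounts with no HR owner at all, which are usually service accounts, contractors or leftovers that need a named owner before the audit can be closed. Field names and sample users are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class PhiAccess:
    system: str
    user_id: str
    role: str


@dataclass(frozen=True)
class Employee:
    user_id: str
    status: str                    # "active" or "terminated" (assumed vocabulary)
    terminated_on: Optional[date]  # set when status == "terminated"


def reconcile_phi_access(access_list, roster, as_of):
    """Cross-check every PHI-capable account against the HR roster.
    Returns (system, user_id, code, days_exposed) tuples, longest exposure first;
    accounts with no HR record carry None for days and sort last."""
    roster_by_id = {e.user_id: e for e in roster}
    findings = []
    for access in access_list:
        emp = roster_by_id.get(access.user_id)
        if emp is None:
            findings.append((access.system, access.user_id, "NO_HR_RECORD", None))
        elif emp.status == "terminated":
            days = (as_of - emp.terminated_on).days if emp.terminated_on else None
            findings.append((access.system, access.user_id,
                             "TERMINATED_STILL_HAS_ACCESS", days))
    # Python's sort is stable, so accounts with equal exposure keep input order.
    findings.sort(key=lambda f: -1 if f[3] is None else f[3], reverse=True)
    return findings


def accounts_to_disable(findings):
    """Distinct (system, user_id) pairs for terminated users, ready for a removal ticket."""
    return sorted({(s, u) for s, u, code, _ in findings
                   if code == "TERMINATED_STILL_HAS_ACCESS"})


# Constructed sample data for the example; users and systems are placeholders.
AS_OF = date(2024, 6, 1)
SAMPLE_ACCESS = [
    PhiAccess("EHR", "jdoe", "clinician"),
    PhiAccess("EHR", "asmith", "billing"),
    PhiAccess("CRM", "asmith", "admin"),
    PhiAccess("File share", "svc-backup", "read"),
    PhiAccess("Billing", "bwong", "billing"),
]
SAMPLE_ROSTER = [
    Employee("jdoe", "active", None),
    Employee("asmith", "terminated", date(2024, 3, 1)),
    Employee("bwong", "terminated", date(2024, 5, 20)),
]

if __name__ == "__main__":
    for system, user, code, days in reconcile_phi_access(SAMPLE_ACCESS, SAMPLE_ROSTER, AS_OF):
        print(f"{system:10} {user:12} {code} exposure_days={days}")
    print("disable:", accounts_to_disable(reconcile_phi_access(SAMPLE_ACCESS, SAMPLE_ROSTER, AS_OF)))
```

Running the same reconciliation on a schedule after close, rather than once, is what turns this checklist item into a control: the exposure-days column is also the number that goes into the breach risk assessment if a terminated user's account is later found to have been used.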