Successor liability arises when the purchaser is held responsible for the liabilities of the seller. Generally, asset purchases carry less risk of successor liability than ownership interest purchases or mergers. And sometimes, the liability of a seller can trigger an examination into the actions of the purchaser.
On April 28, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) entered into a resolution agreement with Peachstate Health Management, LLC d/b/a AEON Clinical Laboratories (Peachstate) to settle allegations of violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Under the resolution, Peachstate agreed to pay $25,000 and enter into a three-year corrective action plan (CAP) that requires Peachstate to conduct annual risk analyses and implement measures that are reviewed by OCR. The mere finding of a HIPAA violation is, unfortunately, not unique. What is notable in this instance is that the investigation was not initiated because of a breach of unsecured Protected Health Information (PHI) by Peachstate. Instead, the event that triggered the OCR investigation was a breach by Peachstate's acquirer, a business associate of a different covered entity.
In January 2015, the Veterans Health Administration (VHA) notified OCR of a breach of the PHI of 7,000 of its patients by one of its business associates and telehealth vendors, AuthentiDate Holding Corporation (AHC). In August of 2016 (a year and a half after the breach notification), OCR began investigating AHC. During the course of that investigation, it found that AHC had acquired Peachstate, in a reverse merger in January of 2016, prompting OCR to open a new compliance review of Peachstate. OCR's review found systemic noncompliance with the HIPAA Security Rule, including failures by Peachstate to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures. It was this secondary compliance review that led to the investigation and eventual resolution agreement discussed here.
The Peachstate story serves as a reminder to parties in a transaction to engage in meaningful due diligence when acquiring or merging with companies that may be subject to the HIPAA Privacy and Security Rules. Moreover, to the extent a purchased entity will remain operational, it is important that it too understand the risk profile of its acquirer. As seen in the Peachstate case, an investigation into one party of a transaction, at whatever stage, may increase the risk of an investigation into the other, thereby potentially increasing liability for all. Due diligence, therefore, should involve a detailed review of a party's HIPAA policies and procedures, business associate contracts, business associate HIPAA compliance programs, ongoing investigations, and any prior deficiencies and remediation efforts. Additionally, purchasers should consider structuring their deals as asset purchases (which limit successor liability) rather than ownership interest purchases or, as in the case discussed here, mergers.
Ultimately, it is critical for all parties involved in healthcare transactions to understand the nuances of HIPAA, including the risk of pre-transactional HIPAA violations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
