In 2012, private equity firms invested almost $4 billion in health and medical services, according to Thomson Reuters. Many of the firms that have purchased healthcare organizations recently are aware of HIPAA and the omnibus rule that went into effect this year. However, many are not aware of the level of readiness and preparation HIPAA demands from all healthcare organizations, says Tony Kong, director of management and technology consulting firm West Monroe Partners' healthcare practice.
The most daunting aspect of HIPAA is the ramifications, says Mr. Kong. "Currently, [HIPAA violation] fines range from $50,000 to $1.5 million, but beyond monetary fines is the potential for reputational harm," he says, as healthcare organizations are required to notify local media outlets of data breaches. Having a reputation as lax with patient information security can affect the private equity firm's ability to grow the healthcare company because "once you're out there with that type of reputation, it can be tough to overcome."
To safeguard their interests and investments, Mr. Kong recommends private equity firms first engage in a readiness assessment to identify and mitigate any potential HIPAA vulnerabilities. "Ideally, you'd bring in an outside firm to take a look at your current state of readiness, your current policies and procedures, to see how well you're currently managing and protecting patients' health information," he says. He estimates an assessment by a third party would cost around $50,000 to $75,000, meaning the initial investment for the report is smaller than potential fines and lost revenue through a damaged reputation.
Following the assessment, Mr. Kong says firms should implement the outside firm's recommendations and conduct follow-up assessments, usually in-house, to ensure compliance steps (such as ensuring all laptops containing patient information are encrypted) are being carried out.
This initial readiness report, along with subsequent monitoring and status reports, should be included in the semi-annual report to the organization's board of directors, along with the financial and operations reporting, says Mr. Kong. "It doesn't have to be long, but there should be this ongoing reporting which creates a sense of accountability and ownership among the board members and communicates [HIPAA compliance] should be a high priority," he says. Engaging the board in HIPAA compliance will also help raise both the awareness and funding necessary to continue compliance programs and training.
"The biggest mistake a private equity firm could make would be to underfund or under-prioritize HIPAA readiness work," says Mr. Kong. "The potential impact is just too great not to make this a key priority."
Despite the damaging potential consequences of a HIPAA violation and the resource investment required to ensure compliance, Mr. Kong does not believe HIPAA has had an effect on the volume of private equity merger and acquisition activity within the healthcare sector. What has changed, he says, is that HIPAA compliance is now part of the due diligence process in many deals.
"The types of companies that are most impacted by this are the smaller companies that have grown rapidly but are still operating under pre-2009 HIPAA," says Mr. Kong. The focus at these companies will be ensuring business associate agreements and sub-business associate agreements are signed, "bring your own device" policies are HIPAA-compliant and other major components of the new HIPAA rule are observed.