Mergers and acquisitions are commonplace in the corporate world, and it's no different for organizations operating in the health care field. Yet combining two companies into one is a challenge, especially when it comes to ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Before purchasing or merging with an existing organization, make sure to audit its IT infrastructure in the context of HIPAA compliance.
The stakes are high: just ask companies like Cignet Health and CVS that have paid multimillion-dollar fines. What's worse, an entire organization may be at risk of HIPAA noncompliance if even one department is not adhering to policies.
This tip will describe some of the HIPAA compliance issues organizations often encounter when acquiring new organizations and provide tips for effectively implementing the parent organization's policies and procedures within the acquired organization.
Common M&A HIPAA compliance problems
A common problem among companies merging two HIPAA compliance programs is lack of enforcement: All of the controls have been documented and responsibilities delegated, but there's no follow-through and no internal penalties for those who ignore regulations.
Last year, I visited a large regional hospital that was struggling to integrate its policies and procedures into a set of small health care practices and laboratories that had been recently acquired. Although the parent organization had distributed policies and procedures to its new acquisitions, those policies were not being enforced. For example, the parent organization required its new employees to use the parent company’s email addresses, but the acquired organizations had not made the transition (and had no plan to). It was clear that there was no system in place to ensure that the new policies were being implemented appropriately.
Third-party IT management
On several occasions, I saw that a third-party IT group managed newly combined organizations. For example, a regional hospital in the New York area purchased a clinic that used an outside IT firm to manage its computer equipment. Since the IT firm had worked closely with the clinic for a long time, the hospital allowed the IT firm to continue managing its network. However, it was clear that the HIPAA policies and procedures of the parent company were not being implemented by the third-party IT group. Like many third-party IT providers, this one had several other clients in addition to the hospital and could not devote its staff's limited time at the hospital to implementing new policies and procedures.
The third-party IT group was the only organization that truly understood the clinic's network infrastructure, so the parent company couldn't simply take over management. However, it was obvious that even if the IT company had signed a HITECH Business Associate Agreement or BAA that codified its obligation to support its customer's compliance effort (and it wasn't clear that it had), it was not capable implementing it or motivated to do so.
Oddly enough, the problem of uncertain asset ownership pops up quite often. Who owns that server? You'd think this would be a simple question to answer, but, for affiliate organizations and new acquisitions, sometimes asset management and purchase records just don't exist. The result is that no one knows who should be managing IT assets, responsibility isn't assigned, systems aren't managed properly and the organization becomes noncompliant.
Best practices for M&A HIPAA compliance
The road to HIPAA compliance is filled with potholes, but by implementing the best practices below as soon as M&A activity is underway, the combined health care organization can steer clear of most of them.
Pre-audit: Before purchasing or merging with an existing organization, make sure to audit its IT infrastructure in the context of HIPAA compliance. Develop an accurate estimate of the resources needed to bring the soon-to-be-combined infrastructure into compliance with a single set of policies and procedures. Understand the potential merger or acquisition's attitude toward compliance. Is there evidence that that organization has been working toward compliance on its own? Also determine its motivations for unifying with your organization. Discussing motivations will often bring previously undisclosed issues to the surface and will help you understand what they desire from the union of your organizations.
Assign responsibility: Create a full-time position, if resources allow, so that someone can oversee the integration of new organizations into your company from a compliance perspective. Make sure this person checks that policies are up to date and are being enforced and that staff questions are received and addressed promptly. The employee in this role should also verify that business associate agreements are in place with third parties and enforced, ensuring that third parties are committed to supporting the HIPAA compliance of the combined organizations.
In situations where third-party IT groups are involved, clearly define the systems and networks for which they are the responsible. Ensure that the combined organization's internal IT department understands the role and scope of the systems managed by the third party. Make sure that important technical information is clearly documented, so that it is possible to transition to different IT management if needed. It is often helpful to create a high-level chart of the new acquisition's networks and systems and identify the group responsible for maintaining them.
Create a roadmap: Not every IT asset will be in compliance on day one of the newly combined entity; it's likely many won't be. Be ready to quickly take steps to rectify that problem and bring IT assets into compliance with organizational policies. Prioritize to-do items to ensure that top issues are addressed first. Above all, conduct HIPAA gap assessments and technical testing regularly (both of which are required for HIPAA compliance), so that you know where you've succeeded and where more work is required. Nothing happens overnight, so budget a realistic amount of time. Make sure to audit on a regular basis even after all the work is completed.
Train new staff: Finally, and perhaps most importantly, clearly communicate new policies and procedures and invest the time and effort necessary to train new staff. Even existing employees should receive refresher training at regular intervals, at least annually. New staff will require extra attention and extra training, especially if the pre-audit work turns up bad habits in the way data is handled and systems are secured.
Keep in mind there are multiple types of staff, from medical staff to office staff to IT staff, and they will all need different types of training. Don't rely on office administrators to train doctors regarding new policies; instead, send someone from the parent organization to train newly acquired staff directly. This will ensure that policies and procedures are clearly communicated.
Regardless of whether a merger or acquisition involves a small practice or multiple large hospitals, HIPAA compliance must be a top priority throughout the process.
Since my visit to the hospital, staff reported that a new position had been created that focuses on bringing newly acquired entities on board. The hospital found that the acquired organizations appreciated the assistance they received from the employee in the onboarding position. These newly integrated entities were able to ask the questions about policies they didn't understand, and employees received guidance for implementing the parent firm's policies into their organizations. This has significantly decreased the hospital staff's level of stress and the resistance it had seen prior to creating the onboarding position. Every merger or acquisition is unique, but an awareness of and ability to quickly respond to the challenges of HIPAA compliance before, during and after the transition will position any organization for success.
About the author:
Randi Price specializes in policy and procedure review and development, including ISO 27001 assessments and HIPAA risk analyses. She provides security management consulting for large enterprises such as financial and health care organizations. Randi is a certified digital forensic examiner and holds her GIAC forensic certification (GCFE). She holds two BS degrees in Management Information Systems and Accounting.
This was first published in May 2013