HIPAA Compliance in Healthcare M&A: BAAs, Notice, and PHI Transfer

Healthcare is one of the few industries where federal privacy law directly shapes the mechanics of a business acquisition. HIPAA does not sit passively in the background of a healthcare deal: it governs what information can be included in the data room, how patient records transfer at close, what agreements must be in place with vendors and service providers, and what the buyer inherits in the way of compliance obligations and pre-close liability.

A buyer who treats HIPAA as a post-close integration task discovers that the compliance gaps identified after close are harder and more expensive to address than they would have been in diligence. Unreported breaches, missing business associate agreements, inadequate Security Rule documentation, and state privacy law violations are all categories of risk that must be assessed before the deal is priced and structured.

This guide is part of the Healthcare Practice Acquisition Guide cluster. It covers the complete HIPAA framework for healthcare acquisitions: covered entity and business associate definitions, BAA transfer mechanics, the impact of deal structure on HIPAA obligations, patient notice requirements, breach history review, Security Rule diligence, data room PHI handling, EHR integration, and the representations and warranties buyers require at close. For the Stark Law and Anti-Kickback dimension of healthcare acquisitions, see the companion article on Stark and AKS compliance in healthcare M&A.

Buyers evaluating the broader transaction framework should also review the M&A due diligence guide and the asset purchase versus stock purchase guide. Deal structure has direct implications for how HIPAA liabilities and BAA obligations are allocated between parties.

Why HIPAA Drives Timelines in Healthcare M&A

Healthcare transactions routinely take longer to close than comparable transactions in other industries, and HIPAA compliance is one of the structural reasons. HIPAA compliance review requires specialized expertise, a systematic review of vendor relationships and BAAs, analysis of the target's Security Rule implementation, and in some cases the need to remediate gaps before close. These are not activities that can be compressed into the final week before signing.

The data room structure for a healthcare acquisition must be designed with HIPAA in mind before it opens. Patient data, clinical records, and other PHI cannot be placed in the data room in identifiable form without careful analysis of whether the disclosure is permitted under HIPAA and under any applicable BAA between the covered entity and the data room provider. This means that the seller's counsel must be involved in data room setup before any sensitive information is shared.

Post-close integration of healthcare practices involves transitioning vendor relationships, updating BAAs, migrating EHR systems, updating Notice of Privacy Practices, and ensuring the buyer's Security Rule infrastructure extends to the acquired operations. These activities require planning that begins in diligence, not after close. Buyers who do not plan HIPAA integration in advance face a period of heightened compliance risk as the newly acquired operations transition to the buyer's framework.

Covered Entities vs Business Associates

HIPAA applies directly to covered entities: healthcare providers who transmit health information in electronic form in connection with HIPAA-covered transactions, health plans, and healthcare clearinghouses. Physician practices, hospitals, dental practices, and most clinical healthcare providers are covered entities under HIPAA.

Business associates are persons or entities that perform functions or activities on behalf of a covered entity that involve creating, receiving, maintaining, or transmitting PHI. Typical business associates include EHR vendors, billing services, transcription services, IT managed services providers, cloud storage providers who host PHI, and legal counsel and accountants who receive PHI in performing their services. Business associates must have BAAs in place with the covered entity and are independently subject to HIPAA's Privacy and Security Rules with respect to the PHI they handle.

Subcontractors of business associates who receive PHI from the business associate are themselves business associates and must execute BAAs with the business associate. In a healthcare acquisition, the chain of BAA relationships extends through the target's full vendor ecosystem. Buyers should map this chain as part of HIPAA diligence to confirm that each level of the relationship is covered by an appropriate BAA.

Business Associate Agreements: Transfer Mechanics

Business associate agreements are contracts that establish the permitted uses and disclosures of PHI by the business associate, the business associate's HIPAA obligations, and the remedies available to the covered entity if the business associate violates the agreement. HIPAA regulations specify minimum required terms for BAAs, and covered entities may negotiate additional protections beyond those minimums.

In an asset purchase, the buyer is a new covered entity that has not previously been a party to the target's BAAs. Each vendor or service provider that will continue to handle PHI post-close must execute a new BAA with the buyer. This means the buyer's counsel must identify every business associate relationship in the target's operations, confirm which vendors will continue post-close, and execute new BAAs before the acquired operations go live under the buyer's ownership.

In a stock purchase, the target's existing BAAs technically survive as part of the acquired entity's contracts. However, buyers should review all existing BAAs rather than assuming they are adequate. BAA requirements under HIPAA have evolved, and agreements executed several years ago may not include all currently required provisions, particularly the 2013 Omnibus Rule updates that expanded business associate obligations and the breach notification requirements.

Asset vs Stock Purchase Effects on HIPAA Obligations

The choice between an asset purchase and a stock purchase has direct and significant consequences for HIPAA compliance obligations at close and in post-close integration. The implications differ across several dimensions: liability for pre-close compliance failures, BAA obligations, patient record transfer mechanics, and the scope of post-close remediation required.

In an asset purchase, the buyer acquires specified assets of the target but does not acquire the legal entity itself. The buyer does not automatically assume the seller's pre-close HIPAA liabilities. Patient records are transferred as part of the asset acquisition, and the transfer is generally permitted under HIPAA's treatment, payment, and operations provision or as a transfer to a successor entity without individual patient authorization, subject to applicable state law requirements. BAAs do not transfer: the buyer must execute new BAAs with all vendors who will handle PHI post-close.

In a stock purchase, the buyer acquires the legal entity with all of its existing obligations and liabilities. The target's existing BAAs survive as contracts of the acquired entity. Pre-close HIPAA violations, unreported breaches, and OCR enforcement exposure are all inherited by the buyer. The buyer becomes responsible for any ongoing notification obligations arising from pre-close breaches discovered post-close.

Notice of Privacy Practices Updates at Close

HIPAA's Privacy Rule requires covered entities to provide patients with a Notice of Privacy Practices (NPP) that describes how the entity uses and discloses PHI and patients' rights with respect to their information. The NPP must be updated when there are material changes to the entity's privacy practices and must be made available to patients in the manner prescribed by the regulations.

A change of ownership is a material event for NPP purposes. When a practice is acquired and begins operating under new ownership, patients should receive an updated NPP reflecting the new covered entity's identity and privacy practices. The timing and method of NPP distribution vary by provider type: for most healthcare providers with direct patient contact, the NPP must be provided at the first service encounter after the effective date of the change.

Practical NPP update planning in healthcare acquisitions involves: updating the NPP template to reflect the buyer's organizational identity and contact information; posting the updated NPP on the practice's website (if the practice maintains one); updating patient intake forms and intake processes to deliver the updated NPP at first post-close encounters; and retaining documentation of NPP distribution in accordance with HIPAA's documentation requirements. These are operational tasks that should be planned as part of the post-close integration checklist.

Patient Consent Requirements for PHI Transfer

HIPAA generally does not require individual patient authorization for the transfer of patient records as part of a bona fide sale of a healthcare practice. The transfer of records to a successor entity in a practice acquisition is generally characterized as part of healthcare operations, or as a transfer to a successor who will use the records to continue the patients' care. Under this analysis, individual patient authorization is not required for the records transfer itself.

However, the absence of a HIPAA authorization requirement does not mean the transfer is unconditionally permissible. The transfer must be structured in a manner that limits PHI to the minimum necessary for the purpose, that is consistent with applicable state law requirements, and that does not exceed the scope of what HIPAA permits for the specific type of disclosure involved. Buyers should work with healthcare counsel to confirm the legal basis for the records transfer and document the analysis.

State Health Privacy Laws Overlaying HIPAA

HIPAA establishes a federal floor for health privacy protection, not a ceiling. States may enact health privacy laws that provide greater protections than HIPAA, and where state law is more stringent, state law controls. In a healthcare acquisition, the applicable state privacy laws for each state where the target operates must be identified and analyzed alongside HIPAA. A federal HIPAA analysis alone is insufficient.

State health privacy laws vary significantly in their scope and stringency. Some states have comprehensive health privacy frameworks that require specific patient consent for disclosures that HIPAA would permit without consent. Others have specific laws governing mental health records, HIV status, genetic information, reproductive health, and minor patient records that create narrower exceptions and more robust patient rights than HIPAA provides. California's Confidentiality of Medical Information Act, New York's health privacy framework, and Texas's medical records statute are examples of state laws that healthcare acquirers must assess for targets operating in those states.

State attorney general enforcement of health privacy violations is a separate risk from federal OCR enforcement. Several state attorneys general have active health privacy enforcement programs, and violations of state health privacy laws can result in civil penalties and enforcement actions independent of any federal consequences. Healthcare buyers acquiring practices in states with robust attorney general enforcement should factor state law compliance into their diligence assessment and post-close compliance planning.

Breach History Diligence and Prior Audits

Breach history diligence is a required component of HIPAA review in any healthcare acquisition. The target's breach notification log, HHS OCR breach reporting records, and state attorney general notifications provide the buyer with a baseline view of the target's PHI security history and any open regulatory matters that will transfer with the business.

HIPAA's Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media of breaches of unsecured PHI. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually. Breaches affecting 500 or more individuals must be reported to HHS and the media without unreasonable delay and within 60 days of discovery. HHS maintains a public list of breaches affecting 500 or more individuals (the "Wall of Shame"), which buyers should review during preliminary diligence.

Security Rule Diligence: Administrative, Physical, Technical

HIPAA's Security Rule establishes national standards for protecting the confidentiality, integrity, and availability of electronic PHI (ePHI). The Security Rule is organized around three categories of safeguards: administrative, physical, and technical. Each category includes required and addressable implementation specifications. Covered entities must implement required specifications and must either implement addressable specifications or document why alternative measures are reasonable and appropriate.

Security Rule diligence in a healthcare acquisition involves reviewing the target's documentation of its Security Rule compliance, including its Security Risk Assessment, its policies and procedures for each safeguard category, and its documentation of addressable implementation specification decisions. A well-documented Security Rule program signals a mature compliance infrastructure. Sparse or missing documentation is a risk indicator that warrants follow-up.

Data Rooms Handling PHI Pre-Close

The due diligence data room in a healthcare acquisition is a sensitive environment from a HIPAA compliance perspective. The seller's counsel and management must structure what goes into the data room carefully to avoid unauthorized PHI disclosures that could constitute HIPAA violations independent of the transaction.

HIPAA's Privacy Rule permits covered entities to disclose PHI for certain purposes without individual patient authorization. Healthcare operations disclosures include certain due diligence activities, but the scope of what qualifies as a permissible operations disclosure is not unlimited and does not clearly extend to full patient record access by a potential acquirer's diligence team. Best practice is to avoid placing identifiable PHI in the data room entirely and to rely on de-identified data for any population-level or clinical utilization analysis that the buyer requires.

The data room platform itself is a business associate if it stores or provides access to PHI. Healthcare transactions typically require the data room provider to execute a BAA with the covered entity before PHI is uploaded to the platform. Sellers should confirm whether the data room provider offers a BAA and whether the data room service meets the HIPAA Security Rule technical safeguard requirements before loading any potentially identifiable information.

Post-Close Integration of EHR Systems

EHR system integration is one of the most operationally complex and HIPAA-sensitive aspects of post-close healthcare acquisition integration. The acquired practice may be running on a different EHR platform from the buyer, or may be running an older version of the same platform. Migrating patient records from one EHR system to another involves transferring large volumes of ePHI and requires careful planning to maintain Security Rule compliance throughout the process.

EHR data migration must be conducted by a business associate (typically the EHR vendor or a specialized healthcare IT firm) under an executed BAA. The migration process must maintain ePHI integrity and must protect ePHI from unauthorized access during transit and during any period when data exists in both systems. Access controls must be updated to ensure that only authorized users can access patient records in the new system, and audit controls should be in place to document who accessed what records during the migration period.

Some healthcare acquisitions involve continuing to operate the acquired practice on its existing EHR system for a transition period rather than immediately migrating to the buyer's platform. This approach can reduce immediate integration disruption but creates a period during which the buyer is operating multiple EHR systems, which complicates BAA management, Security Rule compliance, and workforce access control administration. The integration timeline and approach should be planned with the operational and HIPAA compliance requirements in mind before close.

Reps and Warranties for HIPAA Compliance

HIPAA representations and warranties in a healthcare purchase agreement allocate the risk of pre-close compliance failures between the parties. Well-drafted HIPAA reps go beyond a generic "compliance with applicable law" representation and address the specific elements of the HIPAA regulatory framework that are most likely to present post-close liability.

Core HIPAA reps should cover: that the target has complied in all material respects with HIPAA and applicable state health privacy laws throughout the lookback period; that all required BAAs are in place with vendors and service providers who handle PHI; that the target has conducted a Security Risk Assessment within a reasonable period prior to close; that the target has implemented administrative, physical, and technical safeguards as required by the Security Rule; that all breaches of unsecured PHI have been identified, reported, and documented in accordance with the Breach Notification Rule; and that no OCR investigation, audit, enforcement action, or state attorney general inquiry is pending or threatened.

The survival period for HIPAA representations should reflect OCR's enforcement lookback period. HIPAA civil monetary penalties can be assessed for violations that occurred within specified lookback periods depending on the level of culpability involved, and the lookback period can be substantial for violations involving willful neglect. Healthcare M&A agreements often include extended survival periods for HIPAA reps and specific indemnification provisions for post-close discovery of pre-close breaches, OCR enforcement matters, and state attorney general actions.

The indemnification structure for HIPAA reps should be reviewed alongside the broader indemnification framework in the purchase agreement. The indemnification provisions guide covers basket, cap, and survival mechanics that apply across the rep and warranty framework. Buyers evaluating deal structure should also review the asset purchase versus stock purchase guide for how structure affects HIPAA liability allocation, and the MSO healthcare guide for the management services organization model that some buyers use in healthcare acquisitions.

Frequently Asked Questions

Related Resources

Healthcare Practice Acquisition Guide

The complete legal framework for physician practice and healthcare entity acquisitions.

Read Guide →

Stark Law and Anti-Kickback in Healthcare M&A

Fraud and abuse compliance framework for physician practice acquisitions: Stark exceptions, AKS safe harbors, and diligence red flags.

Read Guide →

MSO Healthcare Guide

Management services organization structures in healthcare acquisitions and ongoing operations.

Read Guide →

Healthcare M&A Attorney Michigan

Legal representation for physician practice acquisitions, HIPAA compliance, and healthcare deal structuring.

View Services →

Small Business Acquisition Attorney

M&A legal services for healthcare buyers and sellers through diligence, structuring, and close.

View Services →