The Intricacies and Importance of HIPAA Compliance for Deal Practitioners

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is unquestionably important and protects an individual’s personal health information. In the healthcare space, HIPAA compliance is a critical responsibility and is now integrated into the practices of hospitals, insurers and service providers. However, for those conducting M&A in the healthcare industry who have not previously dealt with the complexities of HIPAA, compliance can be a confusing and overwhelming prospect.

This article defines HIPAA for healthcare professionals and for those facing HIPAA in an M&A deal, covering its meaning, requirements, intricacies, and legal safeguards.

What is HIPAA?

Understanding HIPAA is critical for those conducting a deal in the healthcare industry. HIPAA, the Health Insurance Portability and Accountability Act of 1996, was enacted by Congress in order to establish needed requirements within the healthcare industry. The legislation set guidelines to protect and modernize the flow of personally identifiable information and addressed overall issues and regulations within insurance coverage.

The Centers for Medicare and Medicaid Services (CMS), along with the Department of Health and Human Services (HHS), wrote the policy and governance for HIPAA. HIPAA was created to incorporate and improve the requirements of several other legislative acts, such as the Employee Retirement Income Security Act, the Public Health Service Act and the Health Information Technology for Economic and Clinical Health Act.

What is the Purpose of HIPAA and Why was HIPAA Created?

HIPAA was enacted by Congress in order to solve issues within the healthcare industry that previous legislation failed to appropriately address.

The following are the two key concerns HIPAA was created to regulate:
  1. Health Insurance Coverage Reform
    In the legislation’s earliest form, HIPAA simply filled the gaps left by the Employee Retirement Income Security Act of 1974 (ERISA), which focused more on pension and retirement benefits than on healthcare. HIPAA established a way for employees to enroll in coverage while starting or in between jobs, while also ensuring coverage of those with preexisting conditions. In general, HIPAA’s legislation better protects employees’ ability to gain access to health insurance.
  2. Health Data and Personal Information Privacy
    HIPAA is perhaps best known for establishing regulations and standards for the privacy of patients and the security of their medical information. HIPAA protects health information by imposing strict rules on disclosures while giving patients the right to access important health data on request. HIPAA also provides vital technical safeguards describing how to properly secure electronic health data. Overall, HIPAA law protects individual privacy in the healthcare space.

HIPAA Laws and Regulations

What is HIPAA law? Since being enacted in 1996, HIPAA has been revised and added to multiple times over the past 20 years. These revisions account for advancements in technology and healthcare legislation. Staying up to date on how to be HIPAA compliant is a key aspect of conducting a successful deal in the healthcare space.

HIPAA contains five sections known as titles:
  • Title I: Health Care Access, Portability and Renewability
    Title I sets guidelines to protect health insurance coverage for those transitioning between jobs and those with pre-existing conditions. This title ensures that group health plans cannot be denied or given with increased premiums based on pre-existing medical conditions.
  • Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
    Title II establishes national standards for how electronic health care information is shared during communications and transactions in order to protect patients’ medical data. These HIPAA data storage requirements were introduced by the HIPAA Privacy Rule of 2000 and the HIPAA Security Rule of 2003. These amendments were created to make sure that protected health information (PHI) is appropriately maintained, secured and distributed. This title gives access control back to the individual.
    Because of the strict regulatory requirements of this title, it is the most important one for those conducting an M&A deal within the healthcare industry to study and be aware of.
  • Title III: Tax Related Health Provisions Governing Medical Savings Accounts
    Title III simply standardizes the amount a person may save in a pre-tax medical savings account. Medical savings accounts are available to self-employed individuals or those employed by a small business offering a high-deductible plan.
  • Title IV: Application and Enforcement of Group Health Insurance Requirements
    Title IV clarifies the conditions of group health plans for individuals with pre-existing conditions. This title also slightly modifies the continual coverage requirements.
  • Title V: Revenue Offset Governing Tax Deduction for Employers
    Title V establishes new provisions on company-owned life insurance and income tax for individuals who lose their U.S. citizenship.

Penalties for HIPAA Law Violations

What constitutes a HIPAA violation and what are the penalties? According to the US Department of Health and Human Services, the Office for Civil Rights (OCR) received 201,633 HIPAA violation complaints between April 2003 and February 2019. Seventy percent of the violations pursued by the OCR resulted in corrective action. To date, the OCR has settled or imposed a monetary penalty in 63 cases, resulting in over $99 million.

To penalize non-compliant parties, HIPAA established the following types of violations with corresponding punishments:
  • Individual was not aware, even after conducting reasonable diligence, of the HIPAA violation
    Minimum penalty: $100 per violation and an annual maximum of $25,000 for any further violations
    Maximum penalty: $50,000 per violation and an annual maximum of $1.5 million for further violations
  • Violated HIPAA due to reasonable cause and not willful neglect
    Minimum penalty: $1,000 per violation and an annual maximum of $100,000 for any further violations
    Maximum penalty: $50,000 per violation and an annual maximum of $1.5 million for any further violations
  • Violated HIPAA due to willful neglect but later corrected the violation within the required time period
    Minimum penalty: $10,000 per violation and an annual maximum of $250,000 for any further violations
    Maximum penalty: $50,000 per violation and an annual maximum of $1.5 million for any further violations
  • Violated HIPAA due to willful neglect and the violation was not corrected
    Minimum penalty: $50,000 per violation and an annual maximum of $1 million for any further violations
    Maximum penalty: $50,000 per violation and an annual maximum of $1.5 million for any further violations
  • A covered entity or specific individual knowingly disclosed or obtained personally identifiable health information
    Imprisonment up to 1 year
    A fine up to $50,000
  • A covered entity or specific individual committed a HIPAA offense under false pretenses
    Imprisonment up to 5 years
    A fine up to $100,000
  • A covered entity or specific individual committed a HIPAA violation with the intent to distribute or sell personally identifiable health information
    Imprisonment up to 10 years
    A fine up to $250,000

How to Report a HIPAA Violation

After understanding what is considered a HIPAA violation, individuals should know to whom to report the offense and how.

HIPAA complaints are filed with the Office for Civil Rights (OCR) of the US Department of Health and Human Services. Complaints can be filed by mail, fax, email, or through the department’s online portal. HIPAA complaints must be filed within 180 days of the violating act or omission.

For more information, visit their website.

Who Regulates HIPAA?

HIPAA regulation is overseen by the Department of Health and Human Services (HHS), which drafted the legislation and decided what information is protected by HIPAA. Enforcement and investigation of any violations are overseen by the department’s Office for Civil Rights (OCR).

How is DealRoom Compliant?

HIPAA compliance requirements are strict, and the industry needs to use software that meets these standards. DealRoom provides secure data storage and management for healthcare professionals and practitioners conducting a deal in the healthcare space. DealRoom meets HIPAA database requirements and technology standards and is certified as HIPAA/ITAR compliant.

DealRoom understands the importance of data security and HIPAA IT compliance. Our virtual data room and project management software were designed with security as a priority and go the extra mile to ensure all information is kept safe.