Protecting Patient Information During Health Care M&A

March 5, 2024

When a health care entity journeys through a mergers and acquisitions (“M&A”) deal, it is likely to be asked to disclose confidential and sensitive information at some point during the process. However, beyond traditional business and financial data, these entities also safeguard patient health information, which is subject to protection under both federal and state laws. As a result, before an M&A deal begins, those in possession of patient health information must strategize to determine how best to protect such information and to understand the requirements governing a disclosure when inevitably asked to share patient health information.

Understanding Non-Disclosure Agreements

Non-Disclosure Agreements (“NDAs”) play a vital role in safeguarding general confidential information during various business transactions, including M&A in the health care sector. The primary purpose of an NDA is to ensure confidentiality between parties involved in the transaction. This voluntary agreement serves as a legal contract between the parties that establishes a framework for the protection of sensitive data and ensures its protection from unauthorized disclosure throughout the negotiation process. One of the primary ways NDAs protect general confidential information is by clearly defining what information is considered confidential and establishing the scope of the agreement. This delineation helps both parties understand the boundaries within which sensitive data should be treated with utmost confidentiality.

NDAs additionally establish the obligations and responsibilities of the parties involved regarding the handling of confidential information. They often include provisions specifying that the recipient of the information must take reasonable measures to prevent unauthorized access, use, or disclosure of the confidential data. This can involve implementing security measures, restricting access to authorized personnel, and maintaining a level of care consistent with industry standards. In the event of a breach of the NDA, the agreement typically outlines the remedies available to the disclosing party. These may include injunctive relief, monetary damages, or other legal remedies. This creates a legal recourse for the party whose confidential information has been compromised, acting as a deterrent against unauthorized disclosures.

In the context of M&A, as business owners explore options for mergers, sales, or engagement with private equity, they often need to share sensitive information such as operational details, financial records, intellectual property, and business strategies. This is particularly pertinent in transactions where a thorough understanding of the target entity’s operations is essential for making informed decisions.

When an M&A deal begins at the Letter of Intent (“LOI”) phase, NDAs become integral in facilitating the necessary exchange of confidential details during the due diligence phase and protecting the interests of both the buyer and the seller. While LOIs are commonly referred to as “non-binding,” most often the LOI will contain certain binding terms and conditions which will include the NDA.  If parties were sharing information prior to the LOI, there could be a standalone NDA already in effect.  

The NDA thus acts as a protective mechanism, ensuring that such information is shared only for the intended purposes of evaluating, negotiating, or executing the proposed transaction, without the fear of this information being misused or disclosed to third parties. It also sets the stage for trust and cooperation by creating a legal framework that binds parties to secrecy regarding certain terms. This commitment to confidentiality paves the way for a collaborative and successful transaction.

Patient Health Information

The protection of patient health information (“PHI”) is a paramount concern in M&A deals within the health care sector. PHI encompasses information about an individual’s health and medical history. It includes details such as medical records, treatment information, health insurance details, and identifying information like names, addresses, and social security numbers. This sensitive data is collected, stored, or transmitted by covered entities, such as health care providers and health plans. On the federal level, PHI is notably governed by the Health Insurance Portability and Accountability Act (“HIPAA”), a federal law that establishes national standards for protecting PHI, including medical records, treatment histories, and any data that can be linked to the patient’s health condition, from disclosure. So, during an M&A transaction, a health care entity must take HIPAA and its rules into account when it comes to disclosures during the process.

However, before disclosing PHI and subsequently triggering HIPAA, it is crucial to assess whether disclosure is even necessary for purposes of the deal. The necessity to disclose PHI during M&A is often contingent on the specific circumstances and objectives of the transaction. Yet, the fundamental question should be whether disclosure of PHI is required for the buyer to answer their particular questions.  There may be options to supply the buyer with relevant information without the need to disclose PHI by redacting or de-identifying the information.  In such instances, the lack of disclosure of PHI will avoid triggering HIPAA and the need to carefully navigate such rules.

If a health care practice finds itself in a situation where a buyer needs to see PHI, a common question is whether one can simply enter into a business associate agreement (“BAA”). A BAA is a legally binding contract that establishes the responsibilities and obligations between covered entities and their business associates, or entities that handle PHI on their behalf, to ensure the protection of the PHI being accessed. So, a BAA is a solution only when the situation is such that the two parties fall within the definition of that relationship. As a result, it becomes a more nuanced exercise to determine whether a BAA is the proper solution to comply with HIPAA.

It is important to understand that HIPAA does allow a covered entity to use or disclose PHI for due diligence in transactions such as sales, transfers, mergers, or consolidations. However, this is contingent upon the transaction being between two covered entities, or between the disclosing covered entity and an entity becoming a covered entity post-transaction. Therefore, it becomes crucial to assess the identity of the involved parties and whether they can meet these particular definitions. Even if PHI disclosure for due diligence is permitted under this circumstance, the parties must still adhere to HIPAA’s Minimum Necessary standard, making reasonable efforts to limit the disclosed information to the minimum necessary for the intended purpose of the use, disclosure, or request of the information. Furthermore, you must limit access to PHI by identifying the specific individuals who need access and having appropriate access controls in place. Finally, it is important to assess whether third-party advisors and vendors involved in the transaction—such as attorneys, accountants, or brokers—require a BAA to ensure compliance with HIPAA when they may have access to PHI. In such scenarios, it is essential to sign a BAA before sharing PHI, as standard confidentiality agreements are insufficient.

State Law Considerations

In addition to federal laws like HIPAA, parties involved in an M&A deal must consider state laws governing PHI. States often enact their own laws, complementing HIPAA. In many states, the definition of PHI aligns with HIPAA. However, where a state law offers more protective measures than HIPAA, the more stringent state law controls. Recognizing the interplay between federal and state regulations is essential for health care entities involved in M&A deals, as it ensures not only adherence to minimum standards but also compliance with more stringent state requirements.

Compliance in Health Care M&A

Ultimately, health care entities involved in M&A deals must thoroughly understand the compliance obligations for protecting their patient health information. Early on, they should have a strategy so that they can have the proper process and documentation in place to keep the deal moving without jeopardizing compliance with applicable privacy laws.

Contact ByrdAdatto for Help with Health Care M&A Compliance

At ByrdAdatto, we have experience guiding clients through various phases of M&A transactions with a commitment to compliance. If you are navigating an M&A deal or interested in learning more about M&A, contact ByrdAdatto at

Bradford E. Adatto, ByrdAdatto Founding Partner

Jay D. Reyero, ByrdAdatto attorney
