Legal Blog

M&A Nuggets: HIPAA in M&A

Any buyer or seller of a health care-related business has had to deal with the federal law known as HIPAA. Indeed, a buyer of a health care business typically devotes a significant amount of time to determining a seller’s compliance with HIPAA. Exactly what is HIPAA, and exactly what should a buyer investigate regarding a seller’s compliance with HIPAA?

HIPAA consists primarily of a rule known as the “Privacy Rule”.  Simply put, the Privacy Rule protects, regulates and restricts the communication of protected health information by a covered entity or its business associate. A covered entity includes a health care provider and a health care clearinghouse, which is an entity that receives and processes health care information from a covered entity, such as a company providing billing services to a health care provider. A business associate is an entity that provides services to a covered entity that involve the use or disclosure of protected health information, such as claims processing, data analysis, utilization review and billing.

In any merger or acquisition of a health care-related business, the list of HIPAA requirements below (a) tells a seller what it needs to have in place to be ready for a buyer’s HIPAA due diligence, and (b) provides a road map for the buyer to conduct due diligence regarding the seller’s HIPAA compliance. To comply with HIPAA, a covered entity must do the following:

  1. Develop and implement policies and procedures to reasonably limit uses and disclosures of protected health information to the minimum extent necessary;
  2. Provide notice of its privacy practices (including electronically on any website) and make efforts to obtain acknowledgement from patients of their receipt of the notice;
  3. Designate a privacy official who is responsible for compliance with HIPAA;
  4. Train workforce members on privacy policies and procedures;
  5. Maintain reasonable and appropriate administrative, technical and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information;
  6. Maintain procedures for individuals to complain about a covered entity’s compliance with HIPAA;
  7. Enter into business associate agreements with business associates; and
  8. Maintain, for six years, the privacy policies and procedures, privacy practices notices, disposition of complaints and other activities that the Privacy Rule requires to be documented.

A subset of the Privacy Rule, the “Security Rule”, will be discussed in the next M&A Nugget.


If you have any questions about this or any other M&A issue, please contact Glenn Solomon at 443-738-1522.


ABOUT GLENN D. SOLOMON | 443-738-1522

Glenn D. Solomon is a principal at Offit Kurman and has provided counsel to businesses and business owners for more than twenty-five years. He has extensive experience in the purchase and sale of businesses, structuring ownership agreements, and advising companies in financial distress.