In transactions involving the sale of most businesses, confidentiality agreements are standard practice for protecting confidential information shared between the parties.
In the sale of a dental practice, confidential information concerning patients, however, requires further protective steps. Patient confidential information constitutes Protected Health Information and is regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HIPAA governs the handling of all Protected Health Information, including how healthcare businesses handle such information in a sale transaction. Under HIPAA, neither a covered entity nor its business associates may use or disclose Protected Health Information in connection with its treatment of patients and in other health care operations, which includes the sale of all or part of the covered entity. In the case of a sale of a covered entity to another covered entity (such as the sale of a dental practice from one dentist to another), there is an exception which permits disclosing Protected Health Information. It is unclear whether this exception applies to a covered entity disclosing Protected Health Information to bidders who are not covered entities (such as private equity or venture capital firms). As a result, a dentist must ensure that, in the course of the sale of his or her practice, all Protected Health Information is transferred to another dentist or an entity which is held to the same standards of confidentiality and is permitted to receive such information.
HIPAA further requires a “business associate agreement” between a health care organization (such as a dental practice) and any entity to which it shares Protected Health Information. A business associate agreement is important because it protects the patient’s private information as well as protecting the dentist from being liable for the unauthorized disclosure of Protected Health Information. Therefore, a dentist looking to sell his or her practice should enter into a business associate agreement with a potential buyer in order to clarify the confidentiality requirements.
Pursuant to HIPAA, when disclosing Protected Health Information, a covered entity or business associate must make reasonable efforts to limit disclosure of Protected Health Information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Therefore, in addition to strict guidelines set out by HIPAA, dentists and other healthcare operators should set parameters for potential buyers to conducting due diligence. In responding to any due diligence request of a potential buyer, dentists should limit sharing of Protected Health Information to what is reasonably necessary to allow buyer to appropriately conduct a due diligence investigation. Often data is only provided once personally identifiable information has been removed. Further, because it is advisable under HIPAA to safeguard data by encryption when stored on laptops, smartphones, tablets, and other electronic devices, a selling dentist may require potential buyers to inspect Protected Health Information only at the dentist’s office to minimize the possibility of information being accessed on a non-encrypted device.
Preventing unintended or unauthorized disclosure of Protected Health Information is an ever-present goal of all covered entities and business associates. Dentists should set out specific parameters for disclosing the minimum necessary information to potential buyers.