While a due diligence effort involving a healthcare IT company will focus on the same issues as one involving a company in any other industry, there are additional areas that must be investigated.
Many of these issues revolve around the requirements of the Health Insurance Portability and Accountability Act (HIPAA), which mandates various security and privacy requirements for “covered entities” and “business associates.” Generally speaking, a covered entity is a healthcare provider, clearinghouse or insurance plan. HIPAA defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
“Protected health information,” or PHI, includes data elements such as a patient’s name and address, as well as identifiers such as Social Security Number, patient account number and medical record number.
One focus of HIPAA is the security of PHI “in motion” and “at rest.” PHI must be encrypted at all times, whether it is being emailed, uploaded to a website, viewed in a web browser or simply sitting in a database. HIPAA also restricts data access to users on a “need to know” basis. These factors have serious implications for the design and operation of software and other technology in the healthcare space.
An acquiring company or investor must be conscious of the issues around HIPAA when conducting an IT due diligence engagement. The effort and cost to address shortcomings when it comes to systems that deal with PHI can be significant. Systems that don’t properly protect PHI can open the provider of the system up to significant potential fines and penalties under HIPAA, not to mention serious damage to its reputation.
Some specific areas of investigation in a healthcare IT due diligence effort include the following.
- Does the technology staff have experience working with PHI? If not, is there a healthcare domain expert available who is providing guidance to the technology team? Has the technology staff received HIPAA training to sensitize them to the relevant issues?
- How has the encryption of PHI been addressed in the company’s tools and systems that utilize this data? Are all network and Internet connections encrypted (using SSL, for example)? Is any data sent over an unsecured protocol, such as standard FTP?
- Are the databases encrypted? This is an area where many companies fall short, as it can be expensive and/or difficult to accomplish PHI encryption while at rest in a database.
- Do the software products provide the flexibility to display PHI only to those employees who have a need to know? Does the software provide audit capability to indicate which users have viewed specific PHI?
- Do employees copy or use PHI on their laptops, external hard drives or USB / thumb drives? Are the laptop hard drives and external storage devices encrypted? Lost or stolen unencrypted laptops are probably the leading cause of HIPAA breaches. If the laptop is encrypted, however, no breach has occurred even if the device is lost or stolen.
- If PHI is stored on a company network, are the network drives encrypted? Are appropriate access rights set up so network users have access only to the PHI that they need for their work?
- Are remote access systems such as VPNs properly encrypted? Does the target company have a written policy against storing PHI on laptops and other devices not provided by the company?
- Is PHI transmitted to mobile devices? If so, how is it encrypted? What policies and capabilities are in place in the case of a lost mobile device? Can the device be remotely wiped to ensure there is no chance of PHI being lost along with the device?
- You should pay particular attention to how user logins and passwords are stored in systems. Is there proper security and encryption in place? It doesn’t matter whether PHI is encrypted in the system if a user login and/or password can easily be obtained and used.
- If the target company utilizes outside services such as a web hosting company or email provider, does the third party understand HIPAA issues?
HIPAA is complicated, and this article merely scratches the surface of the issues involved. The main takeaway is that there are special considerations involved in a due diligence effort involving a healthcare IT company. These issues can be easily missed by even a seasoned IT expert without healthcare experience. Therefore, it’s critical that an investor utilize an experienced healthcare IT professional when evaluating a technology company that deals with PHI.