New HIPAA Twist in Business Valuation Highlighted at SECBA Event
July 23, 2018
Recent changes in the federal healthcare law could have huge implications for firms offering appraisal services. At the conference hosted by the Southeast Chapter of Business Appraisers (SECBA) in Atlanta on February 9-10, attendees learned about critical topics in the future of business valuation. One of the more serious topics was fears about HIPAA.
Presenter Darcy Devine (BuckheadFMV) stated, “My biggest concern as a healthcare appraiser is inadvertently violating the HIPAA rules over protected health information (PHI). We are a small appraisal firm, and the penalties would put us out of business.”
She’s referring to the changes in federal healthcare law that have expanded the requirements for maintaining the security of patient data. When doing a valuation of a healthcare entity, you may receive protected patient information. When that happens, you face exposure to the tough new rules under the Health Insurance Portability and Accountability Act (HIPAA) of 1996—and the penalties for violations are severe.
The rules have been changed such that they now apply to a healthcare entity’s business associates, which can include you as an appraiser, Devine said. “No matter whether the valuation engagement involves a standard appraisal or is in the context of litigation support, divorce, damages claims, shareholder buyouts, or other matters, you may fall under the HIPAA rules.”
For instance, you can come into contact with PHI in the conduct of a forensic investigation through testing of internal controls, while reviewing a healthcare provider’s revenue cycle activities, or even in utilizing bookkeeping and accounting data. Something as simple as a client’s patient refunds account in the general ledger can constitute PHI and trigger HIPAA exposure.
Also, you don’t have to be providing appraisal services directly to a covered entity to come into contact with PHI. If your client is a business associate of a covered entity, you can easily be deemed a business associate as well. For example, you may be valuing a firm that provides medical billing services and writes refund checks to its clients’ patients. As you can imagine, the possibilities of inadvertently falling under the HIPAA rules are almost infinite.
When valuing a healthcare provider, you often have to get reports from the revenue cycle system that show the units, charges, payments, and adjustments by service and by insurer, as well as an aged accounts receivable. It is not necessary, however, for any of the data to contain confidential patient information. When no PHI is necessary in the engagement, you should carefully structure your data requests and be certain that the client understands that no PHI should be provided, Devine advises. You can also request that health information be redacted to remove identifiers.
If this is an issue with a client, consider having an agreement stating that they will comply with HIPAA and have filed a confidentiality statement with the court, or including a provision in your engagement letter that causes the client to be liable for costs and damages for unwarranted disclosure of PHI to the valuator or the firm.
Industry expert Alina Niculita writes and curates valuation topics and is Director of Valuation Services for Morones Analytics.