HIPAA and Divestitures: How to Transfer PHI Safely During a Sale or Spin‑Off
Overview of HIPAA Privacy and Security Rules
When you transfer protected health information (PHI) during a sale or spin‑off, HIPAA’s Privacy and Security Rules set the guardrails. These rules govern who may access PHI, for what purposes, and how electronic PHI (ePHI) must be protected before, during, and after the transaction.
Covered Entity Obligations and Key Roles
Covered Entity Obligations include maintaining a lawful basis for each disclosure, applying role‑based access, and documenting uses and disclosures. Business associates (BAs) that create, receive, maintain, or transmit PHI on your behalf must follow contractually required safeguards and breach reporting duties.
Minimum Necessary Standard
For most operational disclosures, you must apply the Minimum Necessary Standard. Limit the PHI shared to the least amount needed to accomplish the diligence or integration task—often through de‑identification, redaction, or limited data sets when feasible.
Security Safeguards and Electronic PHI Disposal Procedures
The Security Rule requires administrative, physical, and technical safeguards such as encryption in transit and at rest, access controls, and audit logging. When you retire systems or carve out data, use Electronic PHI Disposal Procedures that sanitize media and produce documented certificates of destruction.
Why this Matters in a Sale or Spin‑Off
Transactions often involve multiple parties, compressed timelines, and large data movements. Clear governance, disciplined scoping, and documented controls reduce legal risk, protect patients, and keep closing on track.
Requirements for PHI Transfer in Divestitures
HIPAA permits disclosures for treatment, payment, and health care operations, which include due diligence and change‑of‑ownership activities. Still, every transfer must have a defined purpose, a lawful basis, and tight scoping.
Transaction‑Ready Steps
- Define the data perimeter: map systems, repositories, and the PHI elements included in the deal; document carve‑outs.
- Select the lawful pathway: operations‑based disclosure, de‑identified data, or a limited data set with a data use agreement when appropriate.
- Apply the Minimum Necessary Standard: restrict fields, time ranges, and populations to what the buyer truly needs.
- Secure the transfer: encrypt files, use monitored data rooms, and enable immutable audit logs.
- Record retention and segregation: retain seller copies as required and segregate buyer data on receipt to prevent commingling.
- Patient Authorization Requirements: obtain written authorization only when a disclosure falls outside treatment, payment, operations, or another HIPAA permission.
Business Associate Agreements in Transactions
Business Associate Agreement Compliance is central to clean handoffs. Inventory all BA relationships tied to the assets and decide which contracts will be assigned, novated, terminated, or newly executed.
Pre‑Closing
For diligence, execute interim BAAs or NDAs with BA‑level security promises when advisors, bidders, or data‑room providers may access PHI. Specify the permitted uses and the Minimum Necessary Standard for reviewers.
At Closing
Confirm whether the buyer becomes a covered entity for the acquired PHI or acts as a BA during transition services. Align each vendor’s status and ensure BAAs reflect the new data flows and security responsibilities.
Post‑Closing
Update permitted uses, breach notification timelines, incident reporting, subcontractor flow‑downs, and return‑or‑destroy provisions. Require prompt cooperation in investigations and audits to maintain continuity of care and compliance.
Patient Notification and Consent Practices
HIPAA generally does not require blanket patient notices solely because ownership changes. However, you must make updated Notices of Privacy Practices (NPPs) available when material practices change and honor patients’ rights as applicable.
Authorization vs. Notice
Authorization is needed for disclosures outside HIPAA’s permissions or for marketing or a sale of PHI. Notice informs patients of your practices and rights but does not replace required authorizations. Align your approach with Patient Authorization Requirements when edge cases arise.
Practical Communications
- Post‑closing, refresh NPPs and website content; update contact points for privacy questions and requests.
- If service locations, portal access, or data rights change, provide clear, accessible communications and transition guidance.
- For sensitive data (e.g., substance use disorder, reproductive health, HIV, genetic data), confirm whether additional federal or state notices or consents apply.
State Privacy Law Considerations
HIPAA preempts conflicting state law unless the state rule is more stringent. Plan for State‑Specific HIPAA Variations that may require extra consent, shorter breach notification windows, or special handling for particular record types.
Key State‑Level Issues
- Enhanced consent for behavioral health, HIV, genetic, or reproductive health records; segmentation may be required.
- Additional security mandates or vendor management expectations that go beyond HIPAA.
- Consumer health data or general privacy laws that capture non‑HIPAA data collected by apps, websites, or wearables.
- Record retention, access, and correction rules that differ by state and facility type.
Due Diligence and Compliance in PHI Disclosure
Structure diligence to reduce PHI exposure while still enabling business evaluation. Start with de‑identified or aggregated data; move to limited data sets if necessary; reserve identifiable PHI for late‑stage reviews scoped under the Minimum Necessary Standard.
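The tiered approach just described (de‑identified data first, then a limited data set, then tightly scoped identifiable PHI) and the scoping step in the Transaction‑Ready Steps can be enforced in code before anything leaves the seller's environment. The following Python filter is an added example, not code from the original article: it strips the direct identifiers a limited data set must exclude, then applies a field allow‑list, a service‑date window, and a population filter. The field names, sample records, and the buyer's requested scope are constructed assumptions.

```python
from datetime import date

# Direct identifiers a limited data set must exclude (45 CFR 164.514(e)(2)).
# Field names are assumed; map them to your own schema.
LDS_DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "face_photo",
}

# Constructed sample claims records (not real patient data).
SAMPLE_RECORDS = [
    {"name": "A. Patient", "mrn": "000111", "street_address": "1 Main St",
     "email": "a@example.com", "zip": "02139", "service_date": "2023-04-10",
     "dx": "E11.9", "payer": "Medicare", "allowed_amount": 120.0},
    {"name": "B. Patient", "mrn": "000222", "street_address": "2 Oak Ave",
     "email": "b@example.com", "zip": "02140", "service_date": "2021-01-05",
     "dx": "I10", "payer": "Commercial", "allowed_amount": 85.0},
    {"name": "C. Patient", "mrn": "000333", "street_address": "3 Elm Rd",
     "email": "c@example.com", "zip": "02139", "service_date": "2023-09-30",
     "dx": "J45.20", "payer": "Medicaid", "allowed_amount": 60.0},
]

def to_limited_data_set(record):
    """Drop direct identifiers; dates and zip may remain in a limited data set."""
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}

def scope_for_diligence(records, fields, start, end, payers):
    """Minimum Necessary: keep only records in the date window and population,
    and only the requested fields that are also permitted in a limited data set.
    A requested field that is a direct identifier is silently dropped."""
    out = []
    for rec in records:
        svc = date.fromisoformat(rec["service_date"])
        if not (start <= svc <= end) or rec["payer"] not in payers:
            continue
        lds = to_limited_data_set(rec)
        out.append({k: lds[k] for k in fields if k in lds})
    return out

def leaked_identifiers(records):
    """Pre-transfer check: any direct identifier present should block the release."""
    return sorted({k for r in records for k in r if k in LDS_DIRECT_IDENTIFIERS})

if __name__ == "__main__":
    scoped = scope_for_diligence(
        SAMPLE_RECORDS, ["zip", "service_date", "dx", "allowed_amount"],
        date(2023, 1, 1), date(2023, 12, 31), {"Medicare", "Medicaid"})
    print(scoped, "leaked:", leaked_identifiers(scoped))
```

The `leaked_identifiers` check is the release gate: run it on the final extract and on every staging copy, and record its result alongside the disclosure log.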
Data Room Controls
- Use segregated repositories with multi‑factor authentication, watermarking, role‑based access, and time‑boxed rights.
- Maintain disclosure logs, reviewer attestations, and audit trails to support accountability and any accounting of disclosures needs.
- Vet all advisors and vendors; ensure BAAs or equivalent protections are in place before access begins.
Security and Disposal
- Encrypt in transit and at rest; monitor for anomalous downloads; promptly revoke access at phase gates.
- Apply Electronic PHI Disposal Procedures to duplicates and staging copies; document sanitization and certificates of destruction.
- Run and retain risk assessments and remediation plans tied to the transaction timeline.
Defining the Sale of PHI Under HIPAA
HIPAA restricts the sale of PHI, defined as a disclosure where the disclosing party receives direct or indirect remuneration in exchange for PHI. Remuneration in PHI Transactions generally triggers individual authorization unless a specific exception applies.
Common Exceptions
- Disclosures for treatment, payment, or health care operations, including due diligence and change‑of‑ownership activities.
- Public health or research disclosures where any fee is limited to cost‑based preparation and transmission.
- Disclosures required by law; payments to a BA for services performed under a BAA; providing an individual with a copy of their own PHI.
Practical Guardrails
- Document the operational purpose and tie any fees to cost‑based recovery—not data value.
- If the purpose is marketing, list brokering, or monetization, treat it as a sale of PHI and obtain patient authorization.
- State clearly in transaction documents that PHI movement is solely to effectuate operations within HIPAA permissions.
Conclusion
Safe PHI transfer in divestitures depends on precise scoping, a valid HIPAA basis, Business Associate Agreement Compliance, tight security, and disciplined documentation. By applying the Minimum Necessary Standard and accounting for state variations, you protect patients, reduce risk, and keep your deal timeline intact.
FAQs
What HIPAA rules govern PHI transfer during divestitures?
The Privacy Rule governs permissible uses and disclosures, including operations‑based activities like diligence and change‑of‑ownership. The Security Rule sets required safeguards for ePHI, and breach rules guide incident response. Together, they enable necessary transfers while limiting scope and requiring safeguards.
When is patient authorization required for PHI disclosure?
Authorization is required when a disclosure falls outside HIPAA permissions, such as many marketing uses or a sale of PHI. For treatment, payment, and health care operations—including diligence and integration—authorization is typically not required, but the Minimum Necessary Standard still applies.
How should business associate agreements be handled in divestitures?
Inventory all BAAs linked to the assets, decide which to assign or replace, and close any gaps with interim agreements. Update permitted uses, incident reporting, subcontractor flow‑downs, and return‑or‑destroy terms so responsibilities match the new data flows post‑closing.
What notifications must be provided to patients during a sale?
HIPAA does not mandate a blanket patient notice solely due to a sale. If your privacy practices change, update and make available an NPP reflecting the new entity and contacts. Provide clear communications about access, portals, or location changes, and obtain authorizations if any non‑permitted uses are planned.