How to Stay HIPAA Compliant When Selling a Medical Practice

Kevin Henry

HIPAA

January 18, 2026

When authorization is and isn’t required

Under the HIPAA Privacy Rule, a covered entity may disclose Protected Health Information (PHI) to another covered entity for treatment, payment, and health care operations without the patient’s written authorization. The Rule’s definition of health care operations (45 CFR 164.501) expressly includes the sale, transfer, merger, or consolidation of a covered entity with another covered entity, or with an entity that will become a covered entity as a result, together with the due diligence for that transaction. Transferring patient records to the practice’s successor therefore normally requires no authorization.

If PHI will be disclosed to a party that is neither a covered entity nor its Business Associate, or if the disclosure would be a “sale of PHI” outside the permitted exceptions (the sale-of-practice exception among them), obtain patient authorization before disclosing. The Minimum Necessary Rule does not apply to disclosures to a provider for treatment, but it does apply to every other disclosure in the deal, so limit non-treatment disclosures to what the stated purpose requires.

What to include in patient notices

Provide clear, timely notice that explains the change in ownership, when the transfer will occur, who the new custodian of records will be, and how patients can access copies or request restrictions. Update signage, voicemail, website, and patient portal messages to direct inquiries to the correct contacts.

Ensure your Notice of Privacy Practices reflects the new arrangement. HIPAA does not require you to hand a revised notice to every patient; a provider must make the revised notice available on request on or after its effective date, post it prominently in the practice, and post it on the practice’s website if it has one. State law may add notice requirements on top of this.

Practical steps

  • Send written notices to active patients well before closing and retain proof of delivery.
  • Provide a simple process for record copies and continuity-of-care referrals.
  • Maintain a log of all disclosures made during the transition, aligned with the Minimum Necessary Rule.

Establishing Business Associate Agreements

Pre-closing access to PHI

During due diligence, a potential buyer should review de-identified data whenever possible. If identifiable PHI must be accessed before closing, either execute a Business Associate Agreement (BAA) with the buyer or use a limited data set with a Data Use Agreement, and share only what is necessary.

What your BAA should cover

  • Permitted uses and disclosures, expressly tying them to the transaction and healthcare operations.
  • Safeguards that meet the HIPAA Security Rule, including encryption of PHI at rest and in transit (an addressable specification under the Rule, but the practical baseline for any PHI leaving your environment).
  • Subcontractor flow-downs, breach notification timelines, and cooperation duties.
  • Return or destruction of PHI when the BAA terminates, with exceptions if retention is legally required.

Post-closing vendor alignment

After closing, the buyer (as the covered entity) must ensure BAAs exist with all ongoing vendors that create, receive, maintain, or transmit PHI. The seller should terminate or assign legacy BAAs, document the handoff, and remove any residual vendor access tied to the seller’s accounts.

Managing Record Retention and Custodianship

Designate a custodian of records

State in the purchase agreement who will be the custodian of the designated record set, where records will be stored, and how requests will be fulfilled. Specify response times, fees, and processes for subpoenas and continuity-of-care requests.

Meet Record Retention Requirements

HIPAA requires you to retain HIPAA-related documentation (policies, BAAs, risk analyses, NPP versions, and similar) for six years from the date it was created or the date it was last in effect, whichever is later. Medical record retention periods are set primarily by state law and payer rules; have the agreement adopt the longest applicable requirement.

Maintain access and integrity

  • Preserve read-only access to legacy systems for the retention period or export complete, searchable records with audit metadata.
  • Keep an inventory and chain-of-custody log for paper and electronic media, including backups and removable drives.
  • Test that copies can be produced quickly and that redaction tools support the Minimum Necessary Rule.

Conducting Due Diligence Reviews

Control the data you share

Stage diligence in tiers: start with de-identified and aggregated metrics, move to a limited data set under a Data Use Agreement, and provide identifiable PHI only under a BAA and only when essential. Always document the legal basis and apply the Minimum Necessary Rule.
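The two lower tiers are mechanical enough to script. The block below is an added example, not code from the original article or from Accountable: it takes one patient record and produces the Safe Harbor de-identified form (45 CFR 164.514(b)(2)) and the limited data set form (45 CFR 164.514(e)(2)). The field names, the sample records, the reference date and the set of small-population 3-digit ZIP prefixes are all constructed for the example; the ZIP set in particular is a placeholder that must be replaced with the current Census figures before use.

```python
"""Tiered release of a patient record for diligence.

Added example, not code from the original article or from Accountable.
Tier 1 applies the Safe Harbor de-identification method (45 CFR 164.514(b)(2));
Tier 2 builds a limited data set (45 CFR 164.514(e)(2)), which keeps dates,
city, state and ZIP but strips direct identifiers. Field names, the sample
records and the small-ZIP placeholder set are constructed for this example.
"""
from __future__ import annotations

from datetime import date
from typing import Any

# Direct identifiers a limited data set must exclude (164.514(e)(2)),
# keyed by the constructed field names used in this example.
LDS_EXCLUDED = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Safe Harbor also removes geography below state (only a 3-digit ZIP prefix
# may remain), every date element except the year, ages over 89, and any
# other unique identifying code.
SAFE_HARBOR_EXCLUDED = LDS_EXCLUDED | {"city", "county", "other_unique_code"}
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# 3-digit ZIP prefixes covering 20,000 people or fewer must be reported as
# "000". PLACEHOLDER values (assumed): take the real list from current
# Census data before using this in practice.
SMALL_ZIP3_PLACEHOLDER = frozenset({"036", "059", "102"})

# Reference date for age computation (the article's date; constructed).
REF_DATE = date(2026, 1, 18)

# Constructed sample record; not a real patient.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0001234",
    "ssn": "000-00-0000",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "street": "1 Example St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "dob": date(1934, 3, 15),
    "admission_date": date(2025, 11, 2),
    "diagnosis_code": "E11.9",
    "procedure_code": "99213",
}
# Same record, but a younger patient in a sparsely populated ZIP (constructed).
SAMPLE_RECORD_YOUNG: dict[str, Any] = {**SAMPLE_RECORD, "dob": date(1980, 7, 4), "zip": "03601"}


def limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Tier 2: drop the direct identifiers, keep dates and city/state/ZIP."""
    return {k: v for k, v in record.items() if k not in LDS_EXCLUDED}


def age_as_of(dob: date, ref: date) -> int:
    years = ref.year - dob.year
    if (ref.month, ref.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor_deidentify(
    record: dict[str, Any],
    ref_date: date = REF_DATE,
    small_zip3: frozenset[str] = SMALL_ZIP3_PLACEHOLDER,
) -> dict[str, Any]:
    """Tier 1: Safe Harbor de-identification of a single record."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in SAFE_HARBOR_EXCLUDED:
            continue
        if key in DATE_FIELDS and isinstance(value, date):
            out[f"{key}_year"] = value.year  # the year is the only date element allowed
            continue
        if key == "zip":
            prefix = str(value)[:3]
            out["zip3"] = "000" if prefix in small_zip3 else prefix
            continue
        out[key] = value
    dob = record.get("dob")
    if isinstance(dob, date):
        age = age_as_of(dob, ref_date)
        if age > 89:
            # Ages over 89, and the birth year that implies them, collapse
            # into the single permitted "90 or older" category.
            out.pop("dob_year", None)
            out["age_bucket"] = "90+"
        else:
            out["age"] = age
    return out
```

Run both functions over a record before releasing it to a tier and keep the output, not the input, in the data room for that tier. Note the 90+ handling: a birth year alone would reveal an age over 89, so Safe Harbor requires dropping it too, which is the step most hand-rolled de-identification scripts miss.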

Secure the diligence environment

  • Use a hardened virtual data room with encryption, role-based access, multi-factor authentication, and watermarking.
  • Enable audit logs for every view, download, and export; reconcile logs at closing.
  • Prohibit local downloads unless strictly needed and require secure deletion thereafter.
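Reconciling the data-room log at closing means checking every event against the access rules the parties agreed, not just counting views. The block below is an added example, not code from the original article or from Accountable: it parses a constructed JSON-lines export from a hypothetical data room and flags events by users not on the access list, access above a user’s permitted data tier, downloads by users who were not allowed local copies, activity outside the diligence window, and any local copy that has no secure-deletion attestation on file. The log schema, user list, window and attestation set are all assumed for the example.

```python
"""Reconcile virtual-data-room audit logs against the diligence access rules.

Added example, not code from the original article or from Accountable. The
log format, the user list, the diligence window and the deletion
attestations are all constructed for this example; a real data room will
export a different schema.
"""
from __future__ import annotations

import json
from collections import Counter
from datetime import datetime, timezone

# Constructed JSON-lines export from a hypothetical data room.
SAMPLE_LOG = """\
{"ts": "2025-12-01T14:02:11Z", "user": "buyer.analyst", "action": "view", "doc": "metrics/aggregate.xlsx", "tier": "deidentified"}
{"ts": "2025-12-03T09:15:40Z", "user": "buyer.analyst", "action": "download", "doc": "lds/claims_2024.csv", "tier": "lds"}
{"ts": "2025-12-03T09:20:05Z", "user": "buyer.counsel", "action": "view", "doc": "phi/chart_sample.pdf", "tier": "phi"}
{"ts": "2025-12-04T22:48:00Z", "user": "ext.consultant", "action": "export", "doc": "phi/chart_sample.pdf", "tier": "phi"}
{"ts": "2025-12-05T11:05:30Z", "user": "buyer.analyst", "action": "download", "doc": "lds/encounters_2024.csv", "tier": "lds"}
{"ts": "2025-12-06T16:30:00Z", "user": "buyer.counsel", "action": "download", "doc": "phi/chart_sample.pdf", "tier": "phi"}
{"ts": "2026-01-20T10:00:00Z", "user": "buyer.analyst", "action": "view", "doc": "lds/claims_2024.csv", "tier": "lds"}
"""

TIER_RANK = {"deidentified": 0, "lds": 1, "phi": 2}

# Who may see what, as agreed in the BAA / Data Use Agreement (constructed).
AUTHORIZED = {
    "buyer.analyst": {"max_tier": "lds", "may_download": True},
    "buyer.counsel": {"max_tier": "phi", "may_download": False},
}

# Diligence window: data-room opening to the closing date (constructed).
DILIGENCE_WINDOW = (
    datetime(2025, 12, 1, tzinfo=timezone.utc),
    datetime(2026, 1, 15, tzinfo=timezone.utc),
)

# Local copies for which a signed secure-deletion attestation is on file.
DELETION_ATTESTATIONS = {("buyer.analyst", "lds/claims_2024.csv")}

COPY_ACTIONS = {"download", "export"}


def parse_events(log_text: str) -> list[dict]:
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # Normalize the trailing "Z" so fromisoformat works on older Pythons.
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def reconcile(events, authorized, window, attestations) -> list[dict]:
    """Return one finding per rule an event violates."""
    start, end = window
    findings = []
    for e in events:
        reasons = []
        account = authorized.get(e["user"])
        if account is None:
            reasons.append("user not on the authorized access list")
        else:
            if TIER_RANK[e["tier"]] > TIER_RANK[account["max_tier"]]:
                reasons.append(f"{e['tier']} data exceeds permitted tier {account['max_tier']}")
            if e["action"] in COPY_ACTIONS and not account["may_download"]:
                reasons.append(f"{e['action']} not permitted for this user")
        if not start <= e["ts"] <= end:
            reasons.append("activity outside the diligence window")
        if e["action"] in COPY_ACTIONS and (e["user"], e["doc"]) not in attestations:
            reasons.append("local copy without a secure-deletion attestation")
        findings.extend(
            {"ts": e["ts"].isoformat(), "user": e["user"], "doc": e["doc"], "reason": r}
            for r in reasons
        )
    return findings


def activity_summary(events) -> Counter:
    """Per-user, per-action counts for the closing report."""
    return Counter((e["user"], e["action"]) for e in events)


def run_demo() -> list[dict]:
    events = parse_events(SAMPLE_LOG)
    return reconcile(events, AUTHORIZED, DILIGENCE_WINDOW, DELETION_ATTESTATIONS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['ts']}  {f['user']:<16} {f['doc']:<28} {f['reason']}")
```

Every finding should close out before the deal file is archived: an unknown user means the data room’s access list drifted from the BAA, and a download without an attestation means PHI may still sit on a laptop the seller no longer controls.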

Evaluate compliance posture

Exchange recent risk analyses, risk management plans, incident logs, training attestations, and BAA inventories. Confirm each party’s alignment with the HIPAA Privacy Rule and HIPAA Security Rule, including how each implements encryption and access controls.

Implementing Data Security Measures

Protect data in transit and at rest

Encrypt PHI with strong, industry-accepted algorithms (for example, AES-256 for storage and TLS 1.2 or later for transmission). Store keys separately from the data they protect, rotate them on a schedule, and log and monitor every key access.

Harden identity and access

  • Enforce least privilege, unique user IDs, and multi-factor authentication on all systems handling PHI.
  • Use role-based access control, time-bound access for migration teams, and real-time alerts for anomalous activity.
  • Maintain tamper-evident audit logs, review them routinely, and retain them for the period your record retention requirements set.

Secure migration and disposal

Validate data mappings before cutover, compare checksums or cryptographic hashes of every exported file after transfer, and test restores from backups. Sanitize or destroy media using a recognized method (NIST SP 800-88 is the reference HHS points to) and keep destruction certificates in the deal file.
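The hash check is only as good as the list of hashes it compares against, so the manifest itself needs protecting. The block below is an added example, not code from the original article or from Accountable: it builds a SHA-256 manifest of an export on the source side, signs the manifest with an HMAC, then verifies the copy on the destination side and reports missing, altered and stray files separately. The directory layout, file contents and signing key are constructed for the example; in practice the key would come from a KMS or HSM, not from the script.

```python
"""Integrity check for a records migration: hash manifest built on the
source system, signed, then verified on the destination.

Added example, not code from the original article or from Accountable. The
directory layout, file contents and the manifest-signing key are
constructed for this example; in practice the key would come from a
separate KMS/HSM, not from the script.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

# PLACEHOLDER key (assumed) used only so the example runs stand-alone.
MANIFEST_KEY_PLACEHOLDER = b"replace-with-a-key-from-your-kms"


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, dict]:
    """Map each file's root-relative path to its SHA-256 and size."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def canonical(manifest: dict) -> bytes:
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC so the destination can tell a tampered manifest from a tampered file."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def manifest_signature_valid(manifest: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare what arrived under `root` against the source manifest."""
    actual = build_manifest(root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    mismatched = sorted(
        rel for rel in manifest.keys() & actual.keys()
        if manifest[rel]["sha256"] != actual[rel]["sha256"]
    )
    return {
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
        "verified": len(manifest) - len(missing) - len(mismatched),
    }


def run_demo() -> dict:
    """Stage a constructed export, copy it, then break the copy in three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "destination"
        (src / "records").mkdir(parents=True)
        (src / "records" / "p001.json").write_text('{"mrn": "MRN-0001", "dx": "E11.9"}')
        (src / "records" / "p002.json").write_text('{"mrn": "MRN-0002", "dx": "I10"}')
        (src / "index.csv").write_text("mrn,file\nMRN-0001,records/p001.json\nMRN-0002,records/p002.json\n")

        manifest = build_manifest(src)
        signature = sign_manifest(manifest, MANIFEST_KEY_PLACEHOLDER)

        shutil.copytree(src, dst)
        # Simulate transfer faults: truncated file, lost file, stray temp file.
        (dst / "records" / "p001.json").write_text('{"mrn": "MRN-0001"')
        (dst / "records" / "p002.json").unlink()
        (dst / "stray.tmp").write_text("partial")

        report = verify_manifest(dst, manifest)
        report["manifest_signature_ok"] = manifest_signature_valid(
            manifest, signature, MANIFEST_KEY_PLACEHOLDER
        )
        # A manifest edited to hide the truncation no longer verifies.
        forged = json.loads(canonical(manifest))
        forged["records/p001.json"]["sha256"] = sha256_file(dst / "records" / "p001.json")
        report["forged_manifest_signature_ok"] = manifest_signature_valid(
            forged, signature, MANIFEST_KEY_PLACEHOLDER
        )
        return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Keep the signed manifest and the verification report with the migration logs in the deal file; together they are the evidence that the record set the buyer received is the one the seller exported, and they are what you will reach for if a patient later disputes a missing chart.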

Plan for incidents

Define who handles breach investigation and notification before and after closing, with clear escalation paths and timelines. Coordinate cyber insurance and forensics vendors so response actions remain continuous across the transaction.

Fulfilling Post-Sale Obligations

Seller responsibilities

Maintain HIPAA-required documentation for at least six years, keep a designated contact for patient inquiries during the retention period, and cooperate with the buyer on any requests or investigations involving pre-closing events. Revoke user accounts, terminate BAAs you no longer need, and confirm that no residual PHI remains on seller-controlled systems.

Buyer responsibilities

Assume custodianship as agreed, honor patient rights (access, amendment, accounting of disclosures), and keep record-copy policies that meet state record retention requirements. Update the Notice of Privacy Practices, train staff on the new workflows, and verify that BAAs and security controls cover the acquired systems.

Operational close-out checklist

  • Publish updated patient contact and records-request information across all channels.
  • Implement read-only access to legacy EHR data with strict logging and the Minimum Necessary Rule.
  • Archive deal records, BAAs, risk assessments, and migration logs for audit readiness.

Summary

To stay HIPAA compliant during a sale, notify patients transparently, use the right Business Associate Agreements, define custodianship and retention, limit and secure PHI in diligence, encrypt PHI at rest and in transit, and document every step. Align roles pre- and post-closing so obligations under the HIPAA Privacy Rule and HIPAA Security Rule remain continuous.

FAQs

What are the patient notification requirements under HIPAA when selling a practice?

HIPAA permits transferring PHI to a successor covered entity for treatment, payment, and healthcare operations without individual authorization. You should notify patients of the ownership change, identify the new custodian of records, explain how to obtain copies or request restrictions, and update your Notice of Privacy Practices. Also follow any state-specific notice rules that may set timing, method, or content requirements.

How should Business Associate Agreements be handled during the sale?

For pre-closing diligence that requires access to identifiable PHI, execute a Business Associate Agreement with the buyer or use a limited data set with a Data Use Agreement, and apply the Minimum Necessary Rule. After closing, ensure the buyer has BAAs with ongoing vendors, terminate or assign the seller’s BAAs as appropriate, and document return or destruction of PHI where services end.

What are the obligations for record retention after a practice sale?

Retain HIPAA documentation—such as policies, BAAs, risk analyses, and prior NPPs—for at least six years. Medical record retention periods are governed mainly by state law and payer requirements; adopt the longest applicable period in your agreement. Clearly assign the custodian of records and keep systems accessible (often read-only) so you can fulfill patient access and legal requests throughout the retention period.

How can data security be ensured when transferring patient records?

Use encrypted channels for all transfers, encrypt data at rest, enforce multi-factor authentication, and restrict access on a least-privilege basis. Validate migrations with checksums or hashes, maintain audit logs, and preserve backups until integrity is confirmed. When systems are decommissioned, sanitize or destroy media and document the process to meet HIPAA Security Rule expectations and your own encryption and disposal policies.
