When doing a valuation of a healthcare entity, you may receive protected patient information. When that happens, you face exposure to tough rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)—and the penalties for violations are severe. Changes in the law have expanded the requirements for maintaining the security of patient data, which means that valuation experts are now more likely to face exposure.

Caught in the net: The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) significantly expanded the law to impose privacy rules beyond traditional entities such as healthcare providers and health plans (“covered entities”). Regulations under HITECH were published in January 2013, and certain provisions became effective later on. The rules now apply to a healthcare entity’s “business associates,” which can include you as an appraiser, according to Mark Dietrich, editor and contributing author to The BVR/AHLA Guide to Healthcare Industry Finance and Valuation, Fourth Edition. Dietrich wrote a new chapter in the book devoted to HIPAA and medical records in the context of valuation and litigation.

Dietrich’s analysis of how this affects valuation practices is a “must-read” for any analyst involved in healthcare valuations or litigation support, says Nancy Fannon (Meyers, Harrison & Pia Valuation and Litigation Support LLC). “The draconian penalties assessed for failure to follow HIPAA’s mandates should induce most appraisers to work their way through the complexity of these rules, and develop appropriate engagement practices involving the use of so-called protected health information (PHI) in any valuation engagement.”