HIPAA Compliance During Healthcare Mergers and Acquisitions

When two healthcare organizations combine, the riskiest asset on the balance sheet is often the one no one prices: protected health information (PHI). A merger or acquisition moves patient records, breach history, and compliance liabilities from one entity to another — and HIPAA follows the data. Getting HIPAA compliance right during healthcare mergers and acquisitions is as much about what you inherit as what you build.

What makes HIPAA distinct in M&A

Three things separate M&A from ordinary compliance work. First is due diligence access: before a deal closes, the acquiring party often needs to review the target’s records, contracts, and breach history. PHI shared during diligence should be minimized, de-identified where possible, and governed by confidentiality terms — broad data-room access to full patient records is rarely justified under the minimum necessary standard.

Second is the BAA-versus-corporate-transaction distinction. Healthcare organizations sometimes assume a Business Associate Agreement (BAA) is needed between merging parties. In a genuine asset or stock acquisition where the acquirer becomes the covered entity, the transfer of PHI to a successor covered entity is generally treated as a permitted disclosure for the entity’s own operations, not a business-associate relationship. The analysis turns on deal structure, so it should be confirmed by counsel rather than assumed.

Third is successor liability. An acquirer can inherit the target’s unresolved compliance problems — an incomplete Security Risk Analysis, an unreported breach, an open OCR investigation. Those liabilities do not evaporate at closing; they transfer to the surviving entity. This is why diligence should examine the target’s compliance posture, not just its revenue.

Data migration and post-close integration

Closing is the start of the technical risk, not the end. ePHI migrated between systems must be encrypted in transit and at rest, access must be re-provisioned on the principle of least privilege, and duplicate or legacy systems must be decommissioned securely rather than left online. Patients must also receive an updated Notice of Privacy Practices when the entity responsible for their records changes, and the combined organization needs one coherent set of policies rather than two conflicting ones.

The Security Risk Analysis is non-negotiable

Both before and after a deal, the HIPAA Security Rule requires a Security Risk Analysis (SRA) under 45 CFR § 164.308(a)(1)(ii)(A) — an accurate, thorough assessment of risks to all electronic PHI. In diligence, reviewing the target’s SRA reveals whether it has met this baseline; post-close, the combined entity needs a fresh enterprise-wide SRA covering the newly merged systems. A missing or stale SRA is the most common finding in OCR enforcement, and inheriting one is inheriting a known deficiency.

The proposed 2026 Security Rule update

Acquirers should factor in the proposed HIPAA Security Rule update. OCR published a Notice of Proposed Rulemaking (NPRM) in December 2024 that would make currently “addressable” safeguards mandatory, including encryption of ePHI, multi-factor authentication, asset inventories, and network mapping. The rule is not final; if finalized, it is expected to allow a 240-day compliance window from the date the final rule is published. For a combining organization, that strengthens the case for building these controls into the integration plan from day one.

How Medcurity helps

Medcurity helps both sides of a transaction document a Security Risk Analysis, track BAAs, and standardize policies across newly combined entities — turning diligence findings into a concrete remediation plan. Pricing is $499/year (about $42/month) for a single organization; larger or multi-entity groups can request a quote. For the underlying program, see our HIPAA compliance checklist, and if you are absorbing a smaller clinic, our guide to HIPAA compliance for small practices covers the baseline you should expect them to meet.

Frequently Asked Questions

Do merging healthcare organizations need a BAA with each other?

Usually not in a true acquisition where the buyer becomes the successor covered entity, because the transfer is a permitted disclosure for the entity’s own operations. The right answer depends on deal structure, so confirm it with counsel.

Can we share full patient records during due diligence?

Only what is necessary. The minimum necessary standard applies; de-identify data where possible, limit data-room access, and govern any PHI exchanged with confidentiality terms.

Does the acquirer inherit the target’s HIPAA breaches?

Generally yes. Successor liability means unresolved breaches, open investigations, and compliance gaps transfer to the surviving entity, which is why compliance belongs in diligence.

What HIPAA steps come immediately after closing?

Run a fresh enterprise Security Risk Analysis, migrate ePHI securely, re-provision access on least privilege, unify policies, and issue an updated Notice of Privacy Practices to affected patients.