Moving the HME Industry Forward


Selling Assets and Transferring Patient Files – What HIPAA Requires

December 30, 2013

AMARILLO, TX – Competitive bidding is ill conceived and illogical on many different levels. In my mind, the most illogical (and unfair) component of competitive bidding is that fact that a DME supplier can never plan ahead for more than three years.

What bank would feel comfortable lending working capital to a DME supplier if the bank knows that in three years, the supplier’s business model may disappear? Nevertheless, until competitive bidding is replaced or modified, we have to deal with it.

Competitive bidding is resulting in an upheaval in the industry. A number of suppliers, large and small, are either selling their assets (and transferring their patient files) or they are simply closing their doors. Assume that ABC Medical Equipment, Inc. is not awarded a CB contract and desires to sell out. Further assume that ABC desires to sell assets as opposed to having its stock sold. At the same time that ABC sells its hard assets (inventory, computers, delivery vans, etc.), ABC will also transfer its patient files. Patient files are “protected health information” (or “PHI”) under HIPAA.

Assume that XYZ, Inc. is the purchaser. For ABC to be able to transfer PHI to XYZ, XYZ needs to be a “covered entity” under HIPAA. If XYZ is simply a “straw man company” that does not fall within the HIPAA definition of a “covered entity,” then ABC’s patient files cannot be transferred to XYZ without the authorization of each of ABC’s patients. On the other hand, if XYZ is a covered entity (e.g., XYZ is another DME supplier that will assume responsibility for ABC’s patients), then HIPAA will allow the transfer without authorization.

A “covered entity” includes a health care provider that transmits health information in electronic form in connection with a covered transaction. “A covered entity may use or disclose protected health information for its own…health care operations.” 45 C.F.R. 164.506(c)(1). The term “health care operations” includes “the sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity…..” Id. at 164.501.

The Final Rule that modified the definition of health care operations, to include language about the sale of a covered entity, contains a description of the intent behind the addition of that language. The Final Rule states that the prior version of the Privacy Rule only explicitly stated that uses or disclosures of PHI for due diligence purposes, when a sale is contemplated, were permissible. 67 FR 53182, 53190 (Aug. 14, 2002).

Because the intent was “to include in the definition of health care operations the actual transfer of protected health information to a successor in interest upon a sale or transfer of [a covered entity’s] assets,” the Privacy Rule language was modified so as to eliminate any confusion. Id. Therefore, it is clear that a covered entity may disclose PHI in order to facilitate the sale of its assets to another covered entity.

The rule that a covered entity can transfer its patient files to another covered entity, but cannot transfer the files to a non-covered entity without patient authorization, is exemplified in a recent bankruptcy case in Delaware, In re: Laboratory Partners, Inc. et. al., Case No. 13-12769 (PJW). In this case, the United States filed a Protective Objection to Debtors’ Motion for Sale of Substantially All of the Debtors’ Assets.

In its objection, the government pointed out that “[a]s covered entities, the Debtors must comply with the requirements of HIPAA. HIPAA regulations provide that covered entities who seek to sell their customers’ protected health information can only do so with their customers’ authorization.” However, the objection points out: “Counsel for the United States has advised Debtors’ counsel that, if the purchaser…is a “Covered Entity” under HIPAA, the sale of the Acquired Assets would not necessarily require the authorization of the beneficiaries as it would be considered a disclosure for the purposes of health care operations. 45 C.F.R. 164.501. However, Debtors’ counsel has been unable to assure the United States that the purchaser will be a Covered Entity.”

The “takeaway” for the DME supplier (that desires to sell its assets and transfer its patient files) is that the transferee of the files needs to be a “covered entity” as defined by HIPAA. If the transferee is not a covered entity, then patient authorizations will be required before their files are transferred.

Baird will be presenting at Medtrade Spring 2014 in Las Vegas, where he will share his expertise, advice, and ideas. CLICK HERE to register for Medtrade Spring, held from March 10-12, 2014, at the Mandalay Bay Convention Center, Las Vegas. Early bird rates end on December 31, 2013. 

Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato PC, a law firm based in Amarillo, Tex. He represents pharmacies, infusion companies, HME companies, and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or