a 50-state review may be advisable. The U.S. Supreme Court in J. McIntyre Machinery, Ltd. v. Nicastro, 564 U.S. 873 (2011), limited jurisdiction of state courts to companies that “purposefully avail themselves” of the markets in that state. But jurisdiction for litigation purposes is not the same thing as statutory or regulatory compliance, and so an acquirer would be well advised to consider the laws of all U.S. states in which the company has done or may do business, either by physical presence or over the Internet. In Pablo Star Ltd. v. Welsh Government, No. 16-CV-1167, 2016 U.S. Dist. LEXIS 33846, *19–*20 (S.D.N.Y. Mar. 16, 2016), the court held that Internet presence alone would not provide a basis for personal jurisdiction, but the question remains open as to how much more is required for “purposeful availment” of a state market by electronic commerce.
Health Information: Strong Federal Regulation, but Ignore State Law at Your Peril
Most non-U.S. acquirers, particularly those from European Union countries, are familiar with the U.S. health privacy regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Regulations under HIPAA provide requirements for privacy and security safeguards regarding medical treatment, condition, or payment that can be traced to an identifiable individual by one or more of 18 specified identifiers. These regulations affect not only healthcare providers and health insurance plans, but also, since the adoption of the Omnibus Final Rule in 2013, certain mobile health IT developers, consultancies and other entities that access identifiable patient information in order to provide a service to a healthcare provider or plan now fall under the jurisdiction of the HIPAA regulations. For the rules updated through March 26, 2013, see HIPAA Administrative Simplification Regulation Text.
While HIPAA regulations are enforced by the Office for Civil Rights of the United States Department of Health and Human Services (OCR), the Omnibus Final Rule provides that state attorneys general may bring HIPAA violation proceedings if OCR declines to do so; therefore, acquirers need to conduct diligence about pending state health privacy actions as well. Attorneys general in Connecticut, Illinois, and California have brought such proceedings and, with the ongoing epidemic of healthcare breaches, more state attorneys general will undoubtedly do so. In addition, states that permit claims based on a common law right of privacy may use the standards in the HIPAA regulations as a metric for standard of care. In 2014, the Connecticut Supreme Court, in Byrne v. Avery Center for Obstetrics and Gynecology, 102 A.3d 32, 49 (Conn. 2014), held that “HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records.” The reach of state privacy laws, which would cover health information, may also extend beyond traditional healthcare organizations. In Pierre-Paul v. ESPN, Inc., 2016 U.S. Dist. LEXIS 119597 (S. D. Fla. Aug. 29, 2016), a federal court in Florida recently allowed a claim of negligence for violation of medical privacy brought by New York Giants football player Jason Pierre-Paul against the sports television network ESPN, which had released medical records photographed and tweeted by a reporter that described Pierre-Paul’s treatment for a fireworks-related accident.
State litigation, though, may not be the most significant exposure for an acquirer of a healthcare entity. A number of states have explicit medical privacy regulations that are enforced by administrative agencies. State attorneys general may commence litigation or investigations, but state departments of health may also commence proceedings for violations against patient or health insurance plan subscribers. Florida recently passed an Information Protection Act, under which the Florida Attorney General may bring violation proceedings and California’s Confidentiality of Medical Information Act (CMIA) has been extant for many years and has been enforced in proceedings by the Office of the Attorney General of the State of California.
State Financial Information Safeguard Requirements Multiply