Angela Gamalski (agamalski@honigman.com) is an Associate at Honigman LLP in Detroit, MI.
Companies operating in the healthcare industry may hold sensitive healthcare and financial data for thousands or millions of individuals. While specific healthcare data are protected by certain privacy requirements (e.g., the Health Insurance Portability and Accountability Act (HIPAA) of 1996, as amended), this broader set of sensitive individual data is also a target for national security concerns, and as such, the risk of compromise should be evaluated and appropriate security and compliance measures enacted.
As this article will explain, routine business transactions, management changes, or investments can be subject to review by the US government for national security purposes if such sensitive individual data are at stake and non-US companies or individuals are involved. Compliance and privacy professionals should understand how these risks apply to their business and work with governance and compliance stakeholders to address these risks.
Background regarding national security transaction reviews
The Exon–Florio Amendments of 1988 first established the Committee on Foreign Investment in the United States (CFIUS) as an interagency committee empowered to review business transactions involving foreign companies acquiring sensitive or otherwise valuable US companies.[1] Twenty years later, the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) yielded the first major regulatory overhaul of CFIUS and expanded its authority as to the types of transactions that could be reviewed as well as mandating review for certain types of transactions.[2] The CFIUS review process looks to understand the threat posed to national security by a foreign person, the extent to which a particular US business can influence national security, and potential national security issues that could be exploited as a consequence of a particular business transaction.
CFIUS is authorized to review a variety of transactions, including any merger, acquisition, partnership, joint venture, investment, or takeover by or with a foreign person that could result in foreign control of a US business; foreign access to information in the possession of, rights in, or involvement in the substantive decision-making of certain US businesses related to critical technologies, critical infrastructure, or sensitive personal data; or foreign ownership of property in close proximity to sensitive or strategic US locations. While CFIUS review is generally voluntary, CFIUS is also authorized to review any transaction involving foreign buyers that was not submitted for notice or any other transaction, transfer, agreement, or arrangement that was structured to evade or circumvent CFIUS authority. Failing to obtain a CFIUS review when such review was required can result in significant penalties, up to the value of a business transaction, and/or the unwinding of a deal (even years after the fact).
Whether a buyer or investor is deemed to be a foreign person is a fact-based analysis that considers the nationalities of the person or entity who is making the purchase or investment. In the case of a business entity, the analysis also considers the nationalities of those who control the business, whether the entity is backed by a foreign government, and other shareholder arrangements between the parties who comprise the entity.[3] While FIRRMA establishes a threshold investment amount for passive investment transactions, any investment equity interest with control or information rights is subject to scrutiny.[4] CFIUS has broad authority, and any scenario in which ownership, control, or information rights are granted to or could be asserted by a non-US person or entity, through management arrangements or significant customer or vendor relationships, could be the subject of CFIUS review.
