• Paul Peter Nicolai

Dealing With Healthcare Services Acquisition Risks

Updated: Oct 12, 2020

Healthcare is a significant portion of the U.S. economy and will be so for the foreseeable future. National health expenditures are expected to represent 19.7 percent of GDP by 2028. A large portion of that spending is for healthcare services.

Given the large portion of the economy that healthcare represents and the market interest in acquisition activity, understanding the material healthcare regulatory risks an acquirer might face is important. That understanding can assist an acquirer in either eliminating risk or at least mitigating it appropriately. This article will provide a summary of those major, material health regulatory risks, some basic diligence requests to address in pre-transaction diligence, and thoughts on representation and warranty issues in transaction documents.

Healthcare services includes businesses that provide professional/clinical healthcare services to patients; brick-and-mortar, in-patient and out-patient healthcare providers; and ancillary healthcare services.

Most of these businesses face material health regulatory risks. These material risks fall within five categories: (1) government reimbursement, (2) fraud and abuse, (3) licensure, (4) excluded parties, and (5) healthcare privacy-related issues.

Government Reimbursement

CMS, the administrator of Medicare and Medicaid programs, is the single largest payer for US healthcare services. CMS administers the Medicare program (Parts A, B, and D) through its administrative contractors and managed care plans (Part C). CMS partners with states to administer Medicaid programs. To participate in either Medicare or state Medicaid programs, healthcare services businesses agree to comply with a regulatory framework in the form of conditions or requirements for participation (Regulatory Condition) and specific requirements relating to submitting claims for services or supplies provided (Claim Submission Requirement).

Material risks can come from a significant failure to meet either a Regulatory Condition or a Claim Submission Requirement. Government inspections and complaints from patients or clients can result in a citation for a failure to meet a Regulatory Condition. Those citations can culminate in civil fines that may carry per-day penalties. They can also result in termination from the Medicare or Medicaid program. Civil penalties can range from minor amounts to major material liabilities for the business.

Understanding what, if any, (i) inspections/citations a healthcare services business has been subject to historically; and (ii) what may be currently outstanding is important to assessing risk in a possible acquisition. Failures to pay civil fines may also result in termination of participation in Medicare or Medicaid.

Complying with Claim Submission Requirements is one of the most important issues for participants in government payment programs. Failure to comply can result in demands for recoupment or allegations of overpayments. What a business may see as a simple error may be seen by the government or its agents as an intentional act to defraud. These failures can be minor or they can be significant and carry millions of dollars in repayment liability.

To assess these risks with a potential target, acquirers should look at documents relating to

  • investigations, audits, surveys, site visits, and inquiries by governmental agencies and contractors

  • corrective action plans imposed on the business or implemented by the business

  • unpaid civil monetary penalties or administrative penalties and civil settlements

  • any self-disclosures or voluntary disclosures made to any governmental authority

  • internal audit reports of billing and coding reviews or audits

  • documents relating to any third-party reports and related deliverables from consultants engaged to conduct billing and coding audits or reviews

The agreement should have representations and warranties from the seller that broadly address: (i) compliance with healthcare laws; (ii) compliance with government programs and claims filing obligations; (iii) the absence of material overpayment or claims filing repayment obligations; and (iv) no affirmative inappropriate or illegal conduct.

Fraud and Abuse

Fraud and abuse in the healthcare system has been a concern of federal and state regulators. Major fraud and abuse laws include the Federal Anti-Kickback Statute (AKS), the Physician Self-Referral Prohibition (the Stark Law), and the Criminal and Civil False Claims Acts. These laws prohibit certain business practices as well as provide for penalties relating to fraudulent claims to government payment programs.

Fraud and abuse liability can create both civil and criminal liability depending on the conduct and issues. Fraud and abuse liability is rarely immaterial unless the target is a large business facing a civil liability. Even then the acquirer will likely not want to inherit the liability.

To assess these risks, acquirers should look at:

  • contracts between the target and other healthcare businesses or vendors

  • documents analyzing any arrangement the target believes fits into a safe harbor to the AKS or an exception to the Stark Law

  • business relationships with physicians and other healthcare professionals

  • business relationships with anyone in a position to refer business paid for by governmental programs

  • marketing activities

  • bonus and compensation plans

The agreement should have representations and warranties on these matters that address: (i) specific compliance with fraud and abuse prohibitions; (ii) the absence of adverse criminal or civil settlements or civil penalties; and (iii) the absence of any threatened or current civil or criminal litigation relating to fraud and abuse matters.


Licensure

Ensuring a target business has the correct licenses, has complied with all of the regulatory requirements relating to retention of those licenses, and has not been subject to any type of adverse finding by an authority is critical to assessing any material risk in a potential transaction.

There are simple licensure risks that might result in immaterial fines. Multiple instances of immaterial fines might add up to revocation of a license needed to operate the business. Understanding the target’s regulatory compliance history is important to assessing risk.

To assess this risk, acquirers should look at:

  • all current regulatory permits, licenses, certifications, accreditations, certificates of need, and other required approvals that the target may have relating to its business

  • documents relating to investigations, audits, surveys, site visits, and inquiries by governmental agencies and contractors

  • documents on corrective action plans imposed on the business or implemented by the business

  • documents on unpaid civil monetary penalties or administrative penalties and civil settlements

  • documents on any suspension, termination, or revocation of a license

  • documents on any refusal to approve a license

The agreement should have representations and warranties to the buyer that: (i) affirmatively say the seller has all of its required licenses; (ii) none of the required licenses have been suspended, revoked or terminated; and (iii) there is no current action to suspend, revoke, or terminate a required license.

Excluded Parties

Generally, excluded parties are persons or entities that have either been excluded from participation in federal healthcare programs or excluded from participation in federal contracts. HHS’ Office of the Inspector General (OIG) has the authority to exclude individuals and entities from participating in federal healthcare programs including Medicare, Medicaid, and any other healthcare program funded directly or indirectly by the federal government. Exclusion means no payment can be made for any items or services furnished, ordered, or prescribed by someone excluded.

In addition, the U.S. General Services Administration (GSA) maintains a list of those excluded from participation in federal contracts. The GSA’s list contains those who have been excluded by federal government agencies from receiving federal contracts or federally approved subcontracts, and from certain types of federal financial and nonfinancial assistance and benefits.

A target company that has employed or is employing an excluded individual, or that has a contract with an excluded party, can have material risks associated with it. If the excluded individual or contractor touched significant federal dollars, the entity could face material liability. Beyond repaying associated dollars, civil penalties can be assessed and can be significant. There is a general expectation that healthcare services companies check the appropriate databases periodically to screen for ineligible individuals and entities and steer clear of them.

To assess this risk, acquirers should examine whether the company has:

  • a process in place that screens for excluded parties

  • ever had exposure to an excluded party and how that exposure was handled

The agreement should contain specific statements that the seller has not hired an excluded party and periodically checks to ensure it is not associating with excluded parties.

Healthcare Privacy Issues

HIPAA establishes standards to protect individuals’ medical records and other personal health information (PHI). It also establishes physical and electronic security standards for PHI. HIPAA applies to covered entities, which include healthcare providers, insurers, and other stakeholders that may use or disclose PHI. HIPAA requires them to develop and follow procedures that ensure PHI privacy and security and sets limits and conditions on the use and disclosure of PHI without patient authorization. Compliance with HIPAA is for covered entities and their business associates. Covered entities that must share PHI with a business associate should have a written business associate agreement in place that requires third parties to comply with HIPAA requirements.

HIPAA violations can create civil or criminal liability. Civil penalties can range anywhere from $100 to $50,000 per violation. Covered entities must also provide notice of a privacy breach to affected individuals, the Secretary of HHS, and sometimes, the media. Acquirers should focus diligence efforts on existing HIPAA compliance processes and prior or ongoing privacy investigations to assess both the potential financial implications and reputational implications.

To assess this risk, acquirers should examine:

  • the company’s HIPAA compliance policies and procedures covering at least the last three years

  • any HIPAA training materials and information on how personnel received HIPAA training

  • all business associate agreements in place

  • documents on HIPAA compliance tracking and assessment

  • documents on security breaches or incidents, follow-up response, and disclosure of breaches/incidents to individuals or third parties

  • list of complaints or allegations of privacy/security breaches involving the company

The agreement should have representations and warranties that address HIPAA privacy and security compliance as well as the absence of any privacy or security breaches.

Regulatory Compliance

Regulatory compliance programs are increasingly important in the healthcare industry. Although there is no significant regulatory requirement to have a compliance program, healthcare service providers are encouraged to make them a priority. The U.S. Federal Sentencing Guidelines for Organizations provide some sentencing mitigation for organizations with effective compliance and ethics programs.

Compliance programs help healthcare services providers develop controls for compliance with applicable law. They are designed to monitor compliance and correct issues before they become a significant problem. If a buyer finds a company has an effective program, they can get comfort with respect to the company’s overall regulatory compliance. As a result, most if not all buyers conduct some form of diligence relating to a seller’s regulatory compliance program.

To assess this, acquirers should examine:

  • whether the company has an established compliance committee and officer

  • documents relating to regulatory compliance policies, procedures, and training materials

  • documents relating to corporate compliance tracking, assessment, and response

  • meeting minutes from the company’s compliance committee, if applicable

The agreement should have a representation and warranty that addresses the seller’s implementation of a regulatory compliance program that meets OIG guidance, the sentencing guidelines, or both.
