Health Care Due Diligence: An Ounce of Prevention is Worth a Pound of Cure

Due diligence properly performed in connection with the purchase and sale of a health care entity is simply different—vastly so—than due diligence performed in other contexts. Failure to recognize this reality can lead to dire consequences for buyers and sellers in health care transactions.

In most industries, a (if not the) principal goal of a “for profit” business is to maximize profits. This is not to say that a “for profit” business cannot have non-financial aspirations as well, but on some level, and at least theoretically, the greater the profit that is realized by a “for profit” business, the greater the likelihood that any such non-financial (even altruistic) aspirations can be realized. Operating a “for profit” business with an unbridled intent to maximize profits in the highly regulated health care industry, however, can lead to ruinous legal liability for the “for profit” business and its owners.

Broadly speaking, the disparate regulatory treatment of profit maximization in the health care setting can be attributed to one overarching concern: the perceived detrimental effects associated with the overutilization of health care services. Underlying this concern is the volume-based, fee-for-service (FFS) payment model that remains prevalent in the health care industry.[i] As a result of this FFS payment model, the more health care services provided to patients, the more reimbursement the health care provider receives. It is this incentive to “sell” more health care services to increase profits that is the primary target of health care laws and regulations that seek to prevent, and often punish, patient referrals rooted in financial gain rather than sound medical judgment.

So, what does this have to do with due diligence in connection with the purchase and sale of a health care entity? In a word: Everything.

Because unlawful profit maximization in the health care context can result in crippling sanctions and operational restrictions, it is imperative for buyers to conduct thorough due diligence of a target health care entity’s historical compliance (or non-compliance) with health care laws and regulations. From a seller’s standpoint, regulatory due diligence conducted by a buyer may reveal otherwise unknown compliance concerns that may not only threaten the sale or cause a substantial reduction of the purchase price, but also shift more post-transaction risk to the seller. Under any circumstance, if the transaction does not close, the seller may be left with (now) known compliance concerns that must be self-disclosed to the government (together with payment of fines or penalties) or, alternatively, legally analyzed to support any decision not to self-disclose, likely at considerable cost.

Viewed through this regulatory lens, health care due diligence takes on a far different tint. Sellers and buyers of health care entities should be cognizant of the following points:

Recognize the gravity of the due diligence process in the health care context and proceed accordingly.

From the seller’s perspective, allowing the buyer to engage in due diligence effectively permits the buyer to conduct what, for all intents and purposes, is a compliance audit. Thus, the seller must be willing and able to deal with the findings. And the buyer should have serious concerns if the seller is not prepared to respond adequately to regulatory due diligence requests, as that may also be emblematic of a historical ambivalence toward regulatory compliance.

Strongly consider retaining qualified compliance consultants prior to undertaking due diligence.

Because buyer due diligence is effectively a compliance audit, the seller should strongly consider engaging a qualified consultant to conduct a compliance self-audit (sometimes referred to as “defensive” due diligence) before exploring the possibility of a sale. Without doing so, the seller risks learning in real-time—from its negotiating adversary—about existing regulatory concerns that may negatively impact its bargaining power and control of the negotiations. From the buyer’s perspective, that a seller is first learning of substantive compliance issues during due diligence is a red flag. However, if the buyer can identify corrective solutions with which it is comfortable, the buyer can likely gain the upper hand in negotiating concessions in connection with such compliance issues.

Properly handle PHI during the due diligence process.

Health care regulations also govern the exchange of information during the due diligence process. For example, the parties must determine if protected health information (“PHI”) as defined by HIPAA will be shared during due diligence and, if so, how such PHI can be shared. Most health care providers are “covered entities” under HIPAA, and HIPAA generally permits two covered entities to exchange PHI in connection with transactional due diligence without obtaining patient authorization to do so.[ii] Even in this situation, however, the disclosing entity is obligated to share only the minimum information needed for purposes of the transaction. Conversely, if a covered entity (such as a seller health care provider) and a non-covered entity (such as a private equity buyer) seek to share information in connection with a proposed transaction, consideration must be given to whether and how PHI may be shared between the parties, including whether a business associate agreement is required.

Be careful with competitively sensitive information during the due diligence process.

Both seller and buyer must also comply with applicable antitrust laws as construed by the Department of Justice (“DOJ”) and Federal Trade Commission. Recently, the DOJ has increased its scrutiny of collaborations and information exchanges in health care transactions due to the dramatic increase in health care provider consolidation over the last decade.[iii]  As a result, parties involved in a health care transaction should carefully assess any potential antitrust implications and create a strategy for sharing competitively sensitive information like payor rates and physician compensation, including sharing such information on a redacted basis. Alternatively, the parties may consider establishing an electronic “clean room” where a limited number of the buyer’s employees or advisors have access to competitively sensitive information.

Due diligence must include a detailed analysis of federal AKS, Stark, and FCA compliance as well as compliance with applicable state health care laws.

The principal federal health care laws and attendant regulations governing health care entities are well known in the industry: the Anti-Kickback Statute (the “AKS”), the Stark Law, and the False Claims Act. Yet, while well-known, the application of these statutes can prove vexing for even the most experienced health law practitioners. By way of example, the Stark Law has been described by courts as “ambiguous,” “arcane,” and “heaps of words in barely decipherable bureaucratese.”[iv] Judge Wynn of the United States Court of Appeals for the Fourth Circuit is even more pointed: “It seems as if, even for well-intentioned health care providers, the Stark law has become a booby trap rigged with strict liability and potentially ruinous exposure – especially when coupled with the False Claims Act.”[v]

In light of this difficult landscape, it is critical that regulatory issues are analyzed early in the due diligence process. The seller and buyer must also not forget to analyze whether the target entity has violated the state analogues to each of these federal statutes (colloquially referred to in most states as mini-AKS, mini-Stark Laws, and mini-FCAs), or other state health care laws, including those prohibiting the corporate practice of medicine, those prohibiting fee-splitting, and those setting forth state Medicaid requirements.

Determine appetite for risk only after proper due diligence is conducted.

As explained, the highly regulated nature of the health care industry inherently creates considerable risk for both parties. To be clear, however, the innate risk present in health care transactions should not be confused with the business risk that the parties are otherwise willing to accept after conducting comprehensive due diligence. The former risk can be reduced via thoughtful due diligence. The latter risk (e.g., the risk that a seller agrees to an indemnity cap that turns out to be too high, or the risk that a buyer pays too much for the entity) is a business judgment call that also carries risk. But this call can only sensibly be made in the health care context if proper, individualized health care due diligence has been conducted.

Craft due diligence requests and responses with care and accuracy.

Typically, the buyer drives the due diligence process. Accordingly, it is critical for the buyer to develop due diligence requests that will identify compliance issues if the seller accurately responds. While the buyer can also require the seller 1) to represent in the purchase agreement that the seller has not violated any health care law or regulations (with or without knowledge or materiality qualifiers) and 2) to indemnify the buyer should this representation prove inaccurate, the buyer should much prefer to identify and seek agreement with the seller on how to address any compliance concerns before the purchase agreement is executed. From the seller’s perspective, inaccurate compliance (or other) responses in the affirmative or by omission may lead to a misrepresentation assertion and even litigation.

Focus on the payor mix and, if applicable, the percentage of Medicare and Medicaid patients.

In any industry, the revenue sources of the target entity are critically important. In the health care industry, to the extent the revenue sources include governmental payors like Medicare or Medicaid, they are also critically important from a regulatory standpoint. If a health care entity is dependent on Medicare or Medicaid patients and has failed to comply with applicable Medicare or Medicaid laws and regulations, including applicable conditions of participation, the government may not only require repayment of funds, but may also exclude the target entity from further participation in these programs. Where the target entity is largely dependent on Medicare or Medicaid patients, such exclusion may represent the death knell for the entity. Obviously, then, it is important to identify through due diligence any such non-compliance and to determine, during negotiations, how and whether it can be addressed.

Be mindful of how the transaction structure is affected by health care regulations.

Generally speaking, transactions are structured as an asset purchase, equity purchase, or merger. In the health care context, the type of structure may impact whether the transaction is characterized as a change of ownership (“CHOW”), as is typically the case in an asset sale, or a change of information (“CHOI”), as is typically the case in an equity sale. If the transaction requires a CHOW filing, Medicare regulations provide for automatic assignment of the existing Medicare provider agreement to the new owner[vi] (unless the new owner affirmatively rejects the automatic assignment).[vii] This requires the new owner to accept successor liability for any Medicare overpayments caused by the seller pre-closing. Conversely, rejection of such automatic assignment requires the buyer to seek Medicare enrollment as a new Medicare provider, which typically results in a significant delay in both Medicare enrollment and the buyer’s Medicare cash flow. Comprehensive due diligence designed to reveal possible Medicare overpayment issues can greatly assist in determining whether the buyer should, or is willing to, accept assignment of the seller’s existing Medicare provider agreement.

Prepare for the possibility of a coding and billing audit and the results.

After the parties have engaged in meaningful due diligence and moved beyond preliminary negotiations, it is also not unusual for a potential buyer to request a coding and billing audit (which covers both private and governmental payors). The principal focus of such an audit, which is based on a sampling of claims submitted by the provider for reimbursement, is the error rate found in the sampling and the causes for this rate. Identification of a significant error rate (which is relative based on numerous factors, including the size of the health care entity, whether there is a singular, correctable cause for most errors identified, or whether the errors are attributable to a systemic failure in coding and billing) can kill a deal even if all other aspects of due diligence and negotiation up to that point have been positive. Of course, a negative coding and billing audit is not only problematic from a financial perspective but also substantially increases the risk that the target entity’s coding and billing violates applicable laws and regulations as well as the terms of payor contracts.

There are a host of other subjects that can and should be explored during a proper health care due diligence process, including the functionality and compatibility of (i.e., the ability to integrate medical records into) the provider’s electronic medical record system, confirmation of appropriate health care licensure and permitting, and the terms of relevant provider contracts (including, without limitation, the ability to transfer such contracts to the buyer). Of course, the “typical” corporate transaction due diligence subjects should also be examined.

Treating the health care due diligence process as simply adding a few health care requests to the standard due diligence request list or haphazardly responding to pointed health care due diligence requests, can leave both the seller and buyer with a disease that could have been prevented at the outset, and facing a cure (such as governmental sanctions and/or abandonment of the transaction itself) that may be worse than the ailment itself.

[i] In 2018, the Department of Health and Human Services launched the “Regulatory Sprint to Coordinated Care” in an effort to promote, and accelerate, the transition from FFS volume-based health care to value-based health care. While strides have been made towards this transition, many health care providers largely continue to rely on the FFS payment model.

[ii] 45 C.F.R. § 164.506(c)(1) permits “[a] covered entity [to] use or disclose PHI for its own treatment, payment, or health care operations.” 45 C.F.R. § 164.501 defines “health care operations” to include “[b]usiness management and general administrative activities of the [covered] entity,” which in turn, includes “[t]he sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity, and due diligence related to such activity.” (Emphasis added.)

[iii] On February 3, 2023, the DOJ Antitrust Division withdrew three long-standing antitrust policies regarding enforcement in the health care industry. The policies served as guidance for health care providers, including safe harbors for how to structure certain transactions in compliance with applicable antitrust laws. See Justice Department Withdraws Outdated Enforcement Policy Statements, DOJ (Feb. 3, 2023), which can be found here.

[iv] Steven D. Wales, The Stark Law: Boon or Boondoggle? An Analysis of the Prohibition on Physician Self–Referrals, 27 Law & Psychol. Rev. 1, 22–23 (2003).

[v] See U.S. ex rel. Drakeford v. Tuomey Healthcare System, Inc., 792 F.3d 364, 395 (4th Cir. 2012).

[vi] 42 C.F.R. § 489.18.

[vii] The new owner can reject the existing Medicare provider agreement in accordance with 42 C.F.R. § 489.52.