Due diligence is a vital step in all types of mergers, acquisitions, and other transactions, including making large investments in a company (collectively referred to in this article as “transactions”). While due diligence is done in various areas (e.g., financial, tax, operations) in most transactions, healthcare transactions require special attention to healthcare regulatory compliance due diligence—which often is where the greatest risks to the buyer may be. Ultimately, buyers and/or merging parties use their healthcare regulatory compliance due diligence to assess risks, inform the purchase price and any reserves, determine the closing conditions, negotiate definitive agreements, and prepare for the integration of the parties post-closing.
Importance of due diligence
Asset purchase versus stock purchase
While due diligence is important for all transaction types, certain transactions make due diligence more significant than others. Accordingly, it is essential to understand the transaction structure—whether it is an asset purchase transaction, merger, or stock purchase transaction—to determine the materiality and impact of any noncompliance identified during due diligence. For example, there is a stark difference in the assumption of liabilities between asset purchase transactions and stock purchase transactions.
-
Asset purchase. The buyer obtains certain assets and liabilities but does not acquire the “legal entity” of the seller (i.e., does not “step into the shoes” of the seller). This allows the buyer to avoid incurring certain liabilities associated with the seller, such as noncompliance with state healthcare licensure requirements and generally protects the buyer. We note that even in an asset purchase transaction, most buyers assume Medicare and/or Medicaid provider agreements and do become responsible for any overpayments owed to the Medicare and/or Medicaid programs by the seller (although the buyer can seek reimbursement or use other terms in the purchase documents to be made financially whole for historical noncompliance).
-
Stock purchase. The buyer purchases the seller’s stock and thus “steps into the seller’s shoes,” meaning the buyer is now responsible for all the seller’s known and unknown liabilities.
General purpose of due diligence
Due diligence is vital for the following reasons in almost all transactions.
-
Transaction structure. Understanding the seller’s potential historical and future liabilities may inform the transaction structure; a buyer may decide after due diligence to change from a stock to an asset purchase or even some other kind of transaction structure (e.g., merger, joint venture, services agreement).
-
Mitigation of exposure. In addition, due diligence allows the buyer to perform an overall assessment of the seller’s key compliance areas, enabling the buyer to plan mitigation activities upon completion of the transaction, regardless of transaction type. For example, if the seller identifies through due diligence certain arrangements likely to implicate the Anti-Kickback Statute (AKS)[1] and that are unlikely to meet an AKS safe harbor, the buyer may require mitigation measures to be taken prior to or after closing.
-
Definitive agreement preparation and purchase price determinations. In relation to mitigation of exposure, due diligence provides the buyer a basis for certain negotiation points when negotiating the transaction’s definitive agreements and purchase price (as discussed later in this article). Due diligence may also inform what conditions to closing are set forth in the agreements, such as obtaining necessary healthcare regulatory approvals or submitting a Stark Law disclosure. It also may inform provisions regarding how the seller’s business must continue operating between sign and close, e.g., not surrendering or terminating a license or continuing key payer agreements.
-
Integration of the parties. Lastly, understanding the seller’s compliance posture and licensure structure is critical for developing an integration plan to ensure compliance post-closing. For example, if HIPAA risks were identified, the buyer may want to immediately transition the seller to be subject to the buyer’s HIPAA policies and procedures and provide a training program and IT security infrastructure.
Due diligence requests and review
Due diligence may occur in a variety of ways depending on the transaction structure. Usually, the buyer will submit a “due diligence request list,” pursuant to which the buyer will request certain information from the seller to better assess the seller’s healthcare regulatory compliance. Typically, the buyer’s legal counsel drafts the due diligence request list.
In response to the due diligence request list inquiries, the seller will produce certain documentation (e.g., policies, agreements) or draft narratives for the buyer’s review. It is crucial that the seller provide complete and true responses when responding to due diligence requests to ensure the buyer has a complete understanding of the seller and avoid post-closing litigation for failure to disclose any requested information.
After the seller provides initial diligence responses and the buyer has had the opportunity to review such responses, it is common for the parties to schedule a due diligence interview, according to which the buyer and its lawyers will interview key personnel, such as a chief compliance officer (CCO), from the seller.
Due diligence interview questions most often include (i) follow-up questions to previously provided diligence responses, (ii) questions from the due diligence request list not yet responded to, and (iii) questions better answered with discussion than document or narrative production.
While requests will differ depending on the entity being reviewed (e.g., health system vs. health insurer vs. health tech) and the transaction type, standard healthcare regulatory due diligence request lists typically include requests related to the review of the following areas of a seller:
Compliance program
The buyer should request and review the seller’s compliance program to assess whether it includes the key elements of an effective compliance program, as set forth by the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG).[2]
-
Policies and procedures. The buyer should see if the seller has established and implemented written policies and procedures, including a code of conduct for employees and vendors.
-
CCO and compliance committee. The seller should have a CCO and a board-level compliance committee in place.
-
Training and education. The seller should have certain compliance training and education materials for employees and other individuals involved with the seller (e.g., new hire training, annual training, and general education materials).
-
Lines of communication. The seller should maintain a compliance hotline that provides anonymous reporting options for employees and/or other individuals. In addition, the seller should have policies prohibiting retaliation for good faith reporting and maintain an “open door” policy that encourages communication, feedback, and discussion.
-
Auditing and monitoring. The seller should maintain certain auditing procedures, such as an annual auditing plan and targeted internal audits, to allow for the monitoring of key compliance areas.
-
Responding to compliance issues and disciplinary standards. The seller should have a procedure that effectively responds to issues reported or discovered during an investigation. Furthermore, disciplinary standards should be applied uniformly across the seller’s operations and well-publicized to the seller’s employees.
HIPAA
The buyer should request, review, and assess the seller’s HIPAA policies and procedures to ensure they are mature and meet all applicable requirements. The buyer will also want to request information that allows the buyer to understand whether the seller has reported any breaches or incidents, particularly those involving more than 500 individuals (triggering HHS’s Breach Notification Rule). Lastly, the buyer should request and review the seller’s breach and security impact assessment policies and procedures to ensure proper protection of protected health information (PHI) and prevent unauthorized access to PHI.
Fraud, waste, and abuse
The buyer will want to request information to better understand whether the seller has made any self-disclosures or the seller has been subject to or received notice of any investigations related to compliance with laws related to kickbacks, self-referrals, and fee-splitting (e.g., Stark Law, AKS, the False Claims Act, or the Centers for Medicare & Medicaid Services’s (CMS) conditions of billing noncompliance). In addition, the buyer will want to review and assess provider and vendor arrangements, such as, but not limited to, employment agreements, independent contractor arrangements, professional services agreements, and joint venture arrangements, for potential fraud, waste, and abuse implications.
Investigations/audits/settlements
The buyer should ensure it is aware of any past, pending, or threatened investigations or audits by federal entities (e.g., CMS, the U.S. Department of Justice, or OIG) or state or local agencies (e.g., Medicaid Fraud Control units or state Medicaid agencies). To better understand any related matters, the buyer should request all correspondence and documentation related to any such matter that may apply to the seller.
In addition, the buyer should request copies of any settlement agreements, court orders, and corporate integrity agreements entered into by the seller.
Healthcare state licensure changes of ownership and material transaction notice
The buyer should request and review the seller’s licenses, certifications, permits, etc., to assess general compliance with licensure requirements, as well as review for any implicated change of ownership requirements associated with such licenses, certifications, permits, etc. Relatedly, more and more states are implementing “material transaction” filing requirements (e.g., California,[3] New York,[4] Illinois,[5] Oregon[6] ), which expect the transacting parties to make certain filings prior to completing a transaction.
Licensure change of ownership filings and material transaction filings typically have requirements as to how far in advance of closing such filings must be made. Accordingly, the buyer and seller should ensure that any required filings are satisfied in time for the anticipated closing of the contemplated transaction.
Other key areas of review
-
Licensure surveys or audits
-
Payer and provider agreements
-
Independent contractor agreements
-
Marketing activities or arrangements
Protection against compliance issues and liabilities
Definitive agreement
In order to protect itself against potential liabilities related to any uncovered compliance issues during due diligence, the buyer can negotiate certain key terms to be included in the transaction’s definitive agreements, propose a holdback or escrow to cover the cost of any potential overpayment, or even negotiate an adjustment to the purchase price of the overall transaction.
Certain key terms to negotiate for the protection of the buyer include:
-
Representations and warranties. The buyer can negotiate certain assurances to be included in representations and warranties to protect the buyer from certain liabilities. For example, the buyer can negotiate for a representation and warranty that says the seller is not subject to any pending or threatened investigation and requires any exceptions to the representation and warranty to be scheduled. Any untrue representations and warranties can result in a breach of such agreement. Often, a buyer learns of certain audits or investigations when receiving the first round of disclosure schedules.
-
Closing conditions. Upon discovering a particular compliance issue, the buyer can require such issue to be resolved prior to the closing of the transaction.
-
Protection against liabilities. In an asset purchase transaction, the buyer can include a provision that the seller shall be liable for all liabilities resulting from the seller’s pre-closing actions or inaction. These protections are not usually available in a stock sale. In addition, the buyer can purchase representation and warranty insurance, which protects the buyer by compensating the buyer for the seller’s breaches of its representations and warranties. Due diligence is important for obtaining such representation and warranty insurance.
Pre-closing measures
In addition, upon discovering specific compliance issues, the parties can agree on certain pre-closing measures to mitigate further exposure. For example, if the buyer learns of a potential Stark Law violation based on their review of the materials provided in due diligence, the parties can agree that the seller will make a Stark Law self-referral disclosure before closing.
Post-closing measures
Furthermore, post-closing—to ensure the acquired entity is compliant in all relevant areas—the buyer can incorporate certain integration measures, such as implementing certain policies and procedures, having employees participate in specific training or education sessions, or transitioning over certain agreements of the seller to the buyer’s standard agreement form. In addition, the buyer can continue to review particular areas of concern to ensure compliance is met or mitigation efforts are applied.
Terminate transaction
If all else fails, and the parties cannot agree on specific terms to the definitive agreements that provide the buyer with certain protections or if the seller does not agree to certain pre- or post-closing measures to be taken to mitigate potential compliance risks, the buyer can decide not to move forward with the prospective transaction.
Takeaways
-
Healthcare regulatory compliance due diligence is critical to informing material deal terms of transactions.
-
The type of transaction structure (e.g., asset purchase vs. stock purchase) informs the scope of diligence and how material liability may be to the buyer.
-
Key areas of due diligence review include the seller’s compliance program, HIPAA, fraud, waste and abuse, government audits, investigations, litigation, healthcare licensures, and key healthcare-related contracts.
-
Due diligence can inform the closing timeline that may be driven by a change of ownership or similar filings.
-
Due diligence is essential for post-closing integration of the buyer and the seller.