Material Regulatory Risks in Healthcare Services Acquisitions

14 Min Read By: Ari J. Markenson, Cynthia Suarez


  • As transactions involving the acquisition of healthcare services providers increase, an understanding of the major areas of material risk will be an important tool for any business lawyer involved in such a transaction.
  • How can these areas of risk be categorized, and what are the basic diligence requests to address in pretransaction diligence?
  • How should transaction documents allocate risk appropriately through representations and warranties?

The healthcare industry remains a significant portion of the U.S. economy and will be so for the foreseeable future.* The U.S. Centers for Medicare and Medicaid Services (CMS) reported that in 2018, the overall share of U.S. gross domestic product (GDP) related to healthcare spending was 17.7 percent. Moreover, national health expenditures are projected to grow at an average annual rate of 5.4 percent for 2019–28 and to represent 19.7 percent of GDP by the end of the period. A large portion of that spending is related to payment for the provision of healthcare services. As such a large portion of the economy, both activity and interest in acquisitions of healthcare services companies has been incredibly robust for at least the last 25 years. There does not seem to be any indication of a significant slow-down any time soon. In middle-market private equity transactions alone, valuation of healthcare services companies continues to rise to unprecedented levels.

Given the large portion of the economy that healthcare represents and the market interest in acquisition activity, an understanding of the major, material healthcare regulatory risks that an acquirer might face is important to an effective and meaningful acquisition. That understanding can assist an acquirer in either eliminating risk or at least mitigating it appropriately. This article will provide a summary of those major, material health regulatory risks, some basic diligence requests to address in pretransaction diligence, and thoughts on representation and warranty issues in transaction documents.

Before discussing risks, a definition of “healthcare services” is important to understanding the types of businesses that face these risks in ways that can be material to the business. For purposes of this article, healthcare services includes businesses that provide professional/clinical healthcare services to patients; brick-and-mortar, in-patient and out-patient healthcare providers; and businesses that provide ancillary healthcare services. To be specific, these healthcare services businesses include, but are not limited to: hospitals and health systems, nursing homes, behavioral health providers, physicians and healthcare professional groups, home health and hospice providers, outpatient clinics, ambulatory surgery centers, out-patient rehabilitation, substance use disorder services, senior housing and services, and continuing-care retirement communities.

Most if not all of the aforementioned healthcare services businesses face a majority of certain material health regulatory risks. These material risks fall within five categories that include government reimbursement, fraud and abuse, licensure, excluded parties, and healthcare privacy-related issues. A summary discussion of each of these risks is contained in the sections that follow.

Category 1: Government Reimbursement

CMS, the administrator of the Medicare and Medicaid programs, is the single largest payer for healthcare services in the United States. The dollars it spends on healthcare services far exceed any other payer, including commercial payers. CMS administers the Medicare program (Parts A, B, and D) through its administrative contractors as well as through managed care plans (Part C). CMS partners with states, which partially fund Medicaid programs, to administer the Medicaid programs. In order to participate in either Medicare or state Medicaid programs, healthcare services businesses agree to comply with a significant regulatory framework mostly in the form of conditions or requirements for participation (a Regulatory Condition) as well as specific requirements relating to the submission of claims for services or supplies provided (a Claim Submission Requirement).

Material liability risks for healthcare services businesses can arise from a significant failure to meet a Regulatory Condition or a Claim Submission Requirement. Random or targeted government inspections and complaints from patients or clients can result in a citation for a failure to meet a Regulatory Condition. Those citations can culminate in civil fines that in some cases may carry per-day penalties. They can also result in potential termination from the Medicare or Medicaid program. Civil penalties can range from minor amounts to major material liabilities for the business. In that respect, understanding what, if any, (i) inspections/citations a healthcare services business has been subject to historically; and (ii) what may be currently outstanding is important to assessing risk in a possible acquisition. Failures to pay civil fines may also result in termination of participation in Medicare or Medicaid.

Complying with Claim Submission Requirements is likely one of the most important issues for healthcare services businesses that participate in government payment programs. Failures to comply can result in demands for recoupment or allegations of overpayments. In some cases, what a business may see as a simple error, the government or its contracted agents view as an intentional act to defraud. A missing provider signature or a failure to document a patient’s vital signs can result in a failure to meet a Claims Submission Requirement. These failures can be minor or they can be significant and carry millions of dollars in repayment liability.

Reimbursement diligence. In order to assess these types of risks with a potential target, acquirers should at the very least examine:

  • documents relating to investigations, audits, surveys, site visits, and inquiries by governmental agencies and contractors
  • documents relating to corrective action plans imposed on the business or implemented by the business
  • documents relating to unpaid civil monetary penalties or administrative penalties and civil settlements
  • documents relating to any self-disclosures or voluntary disclosures made to any governmental authority
  • documents relating to internal audit reports of billing and coding reviews or audits
  • documents relating to any third-party reports and related deliverables from consultants engaged to billing and coding audits or reviews

In addition to conducting appropriate diligence, the material transaction document should contain representations and warranties from the seller that broadly address: (i) general compliance with healthcare laws; (ii) compliance with government programs and claims filing obligations; (iii) the absence of any material overpayment or claims filing repayment obligations; and (iv) no affirmative inappropriate or illegal conduct.

Category 2: Fraud and Abuse

Fraud and abuse in the healthcare system has been a concern of federal and state regulators almost since the inception of organized health care and certainly became a significant issue with the passage of legislation creating the Medicare and Medicaid programs. Major fraud and abuse laws include the Federal Anti-Kickback Statute (AKS), 42 U.S.C. §1320a-7b(b), the Physician Self-Referral Prohibition (the Stark Law), 42 U.S.C. §1395nn, and the Criminal and Civil False Claims Acts, 18 U.S.C. §287 and 31 U.S.C. § 3729. These laws prohibit certain business practices as well as provide for penalties relating to fraudulent claims to government payment programs.

Fraud and abuse liability can come in many forms and can result in both civil and criminal liability depending on the conduct and issues at hand. Moreover, fraud and abuse liability is rarely immaterial to a transaction unless the target involved is a large business facing a civil liability, and given the size of the target, the liability will not be material to its business operations. Even in those circumstances, however, the acquirer will likely not want to inherit the liability.

Fraud and abuse diligence. In order to assess these types of risks with a potential target, acquirers should at the very least examine:

  • contracts between the target and other healthcare businesses or vendors
  • documents or memos analyzing any arrangement the target feels fits into a safe harbor to the AKS or exception to the Stark Law
  • business relationships with physicians and other healthcare professionals whether via ownership or compensation
  • business relationships with any individual or entity in a position to refer business paid for by governmental programs to the target business
  • marketing activities of the target
  • bonus and compensation plans
  • documents relating to governmental actions and other issues mentioned in the section on Claim Submission Requirements above

In addition to representations and warranties from the seller mentioned above in relation to government reimbursement, the material transaction document should contain representations and warranties with respect to fraud and abuse matters that address: (i) specific compliance with major federal and state fraud and abuse prohibitions; (ii) the absence of adverse criminal or civil settlements or civil monetary penalties; and (iii) the absence of any threatened or current civil or criminal litigation relating to fraud and abuse matters.

Category 3: Licensure

As one of the most regulated industries in the United States, an acquirer can expect that most, if not all, of the target companies they are looking to acquire have some type of license or permit to do what they do in health care. Ensuring that a target business has the correct licenses, has complied with all of the regulatory requirements relating to retention of those licenses, and has not been subject to any type of adverse finding by a licensure authority are integral to assessing any material risk in a potential transaction.

It is important to recognize that there are simple risks relating to licensure that might result in immaterial fines. However, multiple instances of immaterial fines might add up to revocation of a license that is necessary to operate the business. As a result, understanding the target’s regulatory compliance history through appropriate diligence is important to assessing risk.

Licensure diligence. In order to assess this type of risk with a potential target, acquirers should at the very least examine:

  • all current regulatory permits, licenses, certifications, accreditations, certificates of need, and other required approvals that the target may have relating to its business
  • documents relating to investigations, audits, surveys, site visits, and inquiries by governmental agencies and contractors
  • documents relating to corrective action plans imposed on the business or implemented by the business
  • documents relating to unpaid civil monetary penalties or administrative penalties and civil settlements
  • documents relating to any suspension, termination, or revocation of a license
  • documents relating to any refusal to approve a license

Relative to licensure, seller’s should also provide, via the material transaction document, representations and warranties to the buyer that: (i) affirmatively state the seller has all of its required licenses; (ii) none of those required licenses have been subject to suspension, revocation, or termination; and (iii) there is no current action to suspend, revoke, or terminate a required license.

Category 4: Excluded Parties

Generally, excluded parties in the healthcare context are persons or entities (i.e., businesses) that have either been excluded from participation in federal healthcare programs or excluded from participation in federal contracts. The U.S. Department of Health and Human Services’ Office of the Inspector General (OIG) has the authority to exclude individuals and entities from participating in federal healthcare programs, which include Medicare, Medicaid, and any other healthcare program funded directly or indirectly by the federal government. Exclusion in its most basic sense means that no payment can be made for any items or services furnished, ordered, or prescribed by an excluded individual or entity. The OIG maintains a searchable list of excluded individuals and entities on its website.

In addition to OIG exclusions, the U.S. General Services Administration (GSA) maintains a comprehensive list of individuals and entities that have been excluded from participation in federal contracts. The GSA’s excluded parties list system contains a list of persons and entities that have been excluded by federal government agencies from receiving federal contracts or federally approved subcontracts, and from certain types of federal financial and nonfinancial assistance and benefits.

A target company that has in the past or is currently employing an excluded individual or has had, or has, a contract with an excluded party can have material risks associated with it. If the excluded individual or contractor “touched” (i.e., was associated with) significant federal dollars, the target entity could face material liability. Beyond simply a repayment of those associated dollars, there are also potential civil penalties that can be assessed. The civil penalties can become significant. As a result, there is a general expectation that healthcare services companies will have checked the appropriate databases periodically to screen for ineligible individuals and entities and steer clear of them.

Excluded parties diligence. In order to assess this type of risk with a potential target, acquirers should at the very least examine:

  • whether the company has a process in place that screens for excluded parties
  • whether the company has ever had exposure to an excluded party and how that exposure was handled

In addition to the previously described representations and warranties, the material transaction document should contain one specific to exclusions that provides that the seller has not hired an excluded party and periodically checks to ensure it is not associating with excluded parties.

Category 5: Healthcare Privacy Issues

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). HIPAA establishes national privacy standards to protect individuals’ medical records and other personal health information (PHI). It also establishes physical and electronic security standards for PHI. HIPAA applies to “Covered Entities,” which include healthcare providers, insurers, and other stakeholders that may use or disclose PHI. HIPAA requires Covered Entities to develop and follow procedures that ensure privacy and security of PHI and sets limits and conditions on the use and disclosure of PHI without patient authorization. Compliance with HIPAA is not only for Covered Entities, but also for their business associates (e.g., claims processors and bill collectors). Covered Entities that must share PHI with a business associate should have a written Business Associate Agreement (BAA) in place that requires the third party to comply with HIPAA requirements.

HIPAA violations can result in civil or criminal liability depending on the nature and extent of the violation. The civil penalties can end up being quite costly, ranging anywhere from $100 to $50,000 per violation. Additionally, Covered Entities must provide notification of a privacy breach to affected individuals, the Secretary of HHS, and in some circumstances, the media. Thus, acquirers should focus diligence efforts on existing HIPAA compliance processes and any prior or ongoing privacy-related investigations to assess not only the potential financial implications, but also the reputational implications.

Healthcare privacy diligence. In order to assess this type of risk with a potential target, acquirers should at the very least examine:

  • the company’s HIPAA compliance policies and procedures covering at least the last three years
  • any HIPAA training materials and information on how personnel received HIPAA training
  • all BAAs in place over the last three years
  • documents relating to HIPAA compliance tracking and assessment
  • documents relating to any security breaches or incidents, follow-up response, and disclosure of the breaches/incidents to individuals or third parties
  • list of complaints or allegations of privacy/security breaches involving the company

Given the increased scrutiny on privacy compliance, the material transaction document should contain targeted representations and warranties from the seller that address HIPAA privacy and security compliance as well as the absence of any privacy or security breaches.

An Additional Note on Regulatory Compliance Programs

Regulatory compliance programs have become an increasingly important part of the healthcare industry. Despite there not being a significant regulatory requirement to have a compliance program, healthcare service providers are strongly encouraged to make them a priority. Additionally, as providers often became subject to federal False Claims Act allegations in particular, they became more aware of the U.S. Federal Sentencing Guidelines for Organizations and the process by which the guidelines can provide some mitigation in sentencing for organizations with effective compliance and ethics programs. Moreover, the OIG embarked on a campaign to encourage healthcare services providers to voluntarily develop and implement programs through its compliance program guidance.

The purpose of compliance programs is to help healthcare services providers develop controls for adherence to applicable healthcare law. Regulatory compliance programs are designed to monitor compliance and correct compliance issues before they become a significant problem. Most importantly, well-developed and effective compliance programs have become the yard stick by which buyers can measure a target company’s “culture of compliance.” Essentially, if a buyer finds that a company has a well-developed and effective program, they can get some comfort with respect to the company’s overall regulatory compliance. As a result, most if not all buyers conduct some form of diligence relating to a seller’s regulatory compliance program.

Regulatory compliance diligence. In order to assess this type of risk with a potential target, acquirers should at the very least examine:

  • whether the company has an established compliance committee and officer
  • documents relating to regulatory compliance policies, procedures, and training materials
  • documents relating to corporate compliance tracking, assessment, and response
  • meeting minutes from the company’s compliance committee, if applicable

Although not a must-have, buyers should include in the material transaction document a targeted representation and warranty from the seller that specifically addresses the sellers implementation of a regulatory compliance program that meets OIG guidance, the federal sentencing guidelines, or both.

As transactions involving healthcare services providers increase, an understanding of the major areas of material risk discussed in this article will be an important tool for any business lawyer involved in such a transaction. This summary provides an outline for practitioners to help them ensure that important pretransaction regulatory diligence is conducted and the material transaction document allocates risk appropriately through representations and warranties.

*Ari J. Markenson, J.D., M.P.H., is a partner and co-chair of the Health Care and Life Sciences Industry Group at Winston & Strawn, LLP. Cynthia Suarez, Esq., is an associate in the Health Care and Life Sciences Industry Group at Winston & Strawn, LLP.

By: Ari J. Markenson, Cynthia Suarez


Connect with a global network of over 30,000 business law professionals


Login or Registration Required

You need to be logged in to complete that action.