When considering an acquisition, the due diligence process enables a buyer to make a “go/no-go” decision about closing the deal. Due diligence also helps a buyer develop strategies to mitigate risk, and allocate potential liabilities when deals close. Conducting due diligence in the acquisition of a healthcare facility or hospital system includes all the ordinary legal, corporate and financial due diligence activities, but also includes unique areas of inquiry. Here are just a few due diligence considerations for healthcare.
Compliance. Confirming that the target company has been in substantial compliance with applicable law is critical in healthcare due diligence. Healthcare is a highly regulated industry. A full survey of state and federal regulatory law and related penalties is far beyond the scope of this article. A few common areas of concern are worth touching on: anti-kickback law, the Stark Law, and healthcare fraud and abuse. In general terms, the anti-kickback laws prohibit the exchange of anything of value in an effort to induce or reward the referral of healthcare services or the purchase of goods. The Stark Law prohibits physicians from making referrals of Medicare “designated health services” to any entity in which the physician or a family member has a financial interest. Due diligence should begin with reviewing the seller’s written policies and determining whether the medical facility has taken adequate steps to educate key personnel about applicable law and has protocols in place to ensure compliance. The buyer’s examination must go beyond written policies. The buyer should scrutinize whether the seller, its officers, directors and owners have entered into any unlawful financial arrangements, contracts, or other transactions.
Due diligence should also ensure that the seller does not have a track record of healthcare fraud or abuse. “Fraud” is the intentional deception or misrepresentation of material facts that can result in an unauthorized benefit or payment from a medical insurer or government payer. Examples include falsifying claims or medical records, or misrepresenting the dates on which services were provided. “Abuse” involves provider practices that are inconsistent with sound financial and medical practices and that result in unnecessary cost to the payer, or in payment for care that is not medically necessary.
A sophisticated buyer will not be satisfied by merely looking at whether or not the seller has ever been investigated, prosecuted, or convicted of any fraud or abuse. Rather, the buyer should conduct its own forensic analysis to determine whether unlawful practices exist, whether the seller has taken remedial steps to address infractions, and whether it has measures in place to ensure ongoing compliance.
Litigation and malpractice. Litigation history is part of any due diligence. Healthcare providers face all the litigation risk of other businesses, such as employment discrimination, harassment, lease disputes, etc. However, malpractice will be the primary focus of any healthcare litigation due diligence. The buyer should understand the litigation history, culture of patient care, and crisis management in the target company. All the public relations in the world will not make up for medical horror stories or ineffective crisis communications from the healthcare provider.
Financial due diligence. A sophisticated healthcare buyer should do more than look at the audited financials of a healthcare facility. The buyer should understand the target’s payer mix: the streams of income from state and federal payers, employer health plans, and individual self-payers. For example, in addition to accepting Medicare and Medicaid, does the medical provider have existing contracts and reliable relationships with multiple healthcare insurance providers? Understanding the payer mix gives the buyer a better understanding of the profit margins for the care being provided to different patients. This may be critical to the buyer’s CFO when conducting FP&A analysis.
Cyber security. Under the Health Information Portability and Accountability Act of 1996 (“HIPAA”) and other applicable laws, medical providers are required to protect the personal medical history and financial data of patients. Civil and criminal penalties exist for violations of HIPAA. In addition, individual patients may sue the hospital for breaches of their personal data. Because of this potential financial exposure, it is becoming increasingly common for hackers to hold a hospital’s protected patient data hostage in exchange for large ransoms.
The buyer should examine whether the hospital or healthcare provider has had any prior breach incidents or suspicious activity. In addition, the buyer should conduct information technology and cybersecurity forensic due diligence to see whether the target company has adopted best practices to prevent cyber-attacks. For instance, have hospital personnel been given adequate training on avoiding phishing and other attacks? At the end of the day, the buyer will need to assess whether the target facility’s practices have been so lax and vulnerable that remediating those vulnerabilities is cost-prohibitive.
Doug McCullough and Aaron Woo | McCullough Sudan, PLLC