Sam Khan

Buyer Due Diligence: Health Care Transactions

Updated: Dec 17, 2023

Understanding Health Care Due Diligence

Due diligence is a comprehensive and multi-faceted process. This Article aims to walk you through some of the essentials of conducting due diligence as a health care Subject Matter Expert (SME). While it is not an exhaustive guide, it provides key insights into the depth and scope of due diligence regarding health care transactions including various strategies and practical tips for conducting it effectively. Keep in mind that your approach should vary based on a variety of factors relating to the specific deal at hand such as its size and complexity. To form the most effective approach that fits your situation, it’s best to consult your preferred health care lawyer(s). Due diligence often involves a team of lawyers, each with different areas of practice like tax, intellectual property, etc. This is to ensure that all angles are being addressed. That said, this Article’s scope is limited to due diligence by a health care SME.

There is generally a series of steps in the process of conducting due diligence. These steps are not always sequential in nature and sometimes occur concurrently. Typically, the buyer and seller engage each other on a potential business deal, begin to discuss the structure/type of deal, make initial requests for preliminary information, draft a term sheet or letter of intent, and continue to follow up on information they consider material to the potential transaction. For more on the lifecycle of a deal, check out this blog’s previously published article, “Anatomy of Health Care Transactions: The Ongoing Integration Mania.”

The point of conducting due diligence is not black and white–it’s not a matter of either going through with the deal or not. Instead, it sheds light on the value of the deal by highlighting certain aspects affecting the thing being sold. For example, if Company A is looking to buy Company B, and through due diligence, Company A finds out about Company B’s noncompliance with certain laws or regulations, then the value of Company B arguably decreases unless, of course, Company B agrees to mitigate such noncompliance before the closing. But even then, there are opportunity costs associated with such mitigation, which can be significant based on the anticipated timeline of the deal as well as the number and nature of such issues to be mitigated.

Delving a bit deeper, when there’s increased risk due to noncompliance, what typically happens is the buyer will either ask the seller, or “target” (a company that is the subject of an attempted acquisition by a potential buyer, as in the example above), to become compliant prior to closing or, more commonly, the buyer will make the seller compliant immediately after closing. Which route to go depends on what the issue is and what the deal structure is. Regardless, there’s still liability out there for the noncompliance even after the target comes into compliance (e.g., lawsuit, audit, etc.). Usually, the buyer will seek a special indemnity in the purchase agreement for that specific issue (more to come on this below). Notably, while it makes sense to mitigate certain identified risks before the closing, others are accounted for in determining the value of the thing being sold. After appreciating the risks involved, it may also be the case that the deal no longer makes sense. In other words, the magnitude and number of the risks discovered during due diligence may be so great as to cause the buyer to walk away.

Scope of Due Diligence

When embarking on due diligence, the questions asked and the materials requested largely depend on the type of deal in question–be it an acquisition, merger, or otherwise. For instance, the scope may be broad, so it may be necessary to scrutinize potential liabilities, evaluate various company products, and examine all relevant operations. On the other hand, the deal may be narrowly focused on the sale of one company product like a medical device. Depending on the nature of the deal, the scope of diligence will vary.

Conducting diligence requires a delicate balance between covering necessary ground and avoiding unnecessary ground. Many legal professionals use standard due diligence questionnaires and boilerplate templates for their due diligence reports as a starting point. It's critical, however, to tailor these to the deal at hand. This might involve removing irrelevant requests or adding requests that are specific to the transaction.

Keep in mind that this Article focuses on some of the important questions and issues that health care SMEs address as part of the health regulatory review of some health care transactions. Like any other business deal, though, health care deals typically involve a more comprehensive due diligence that, for example, should incorporate insights from a team of experts across diverse fields such as corporate law, commercial contracts, regulatory matters, employment, benefits, environmental laws, insurance, real estate, intellectual property, data privacy, and other regulatory matters typically reviewed as part of legal due diligence in the United States. On top of that, non-lawyers like company stakeholders and financial experts also play a crucial role in due diligence.

Getting the Ball Rollin’

At the onset of conducting due diligence, a Virtual Data Room (VDR) is typically created. VDRs, also known as deal rooms, are secure online platforms for storing and sharing documents, often used during the due diligence process in mergers or acquisitions. They provide a relatively secure platform for parties to simultaneously access, review, and exchange confidential and sensitive documents. They’re sometimes used in the formation and maintenance of business relationships–providing access and storage for contracts and documents essential for partnerships.

VDRs provide a central point of access for different advisors like attorneys, accountants, and internal and external regulators. Access is typically granted after the execution of a non-disclosure agreement and/or a business associate agreement (required in health care deals involving protected health information where there is a business associate relationship). VDRs are considered more secure than physical documents, minimizing the risk of loss during transit or accidental destruction. They often disable actions such as copying, printing, and forwarding. With the globalization of business, increasing focus on cost reduction, and growing security concerns, VDRs are a preferred alternative to physical data rooms.

But keep in mind that despite the numerous advantages of VDRs, they might not be suitable for every industry. For instance, some governments might prefer physical data rooms for highly confidential information exchange, where the risk of cyber-attacks and data breaches outweighs the benefits of VDRs. In other deals where outside counsel is not retained and the deal size is too small, setting up a VDR may not be justified given the cost of doing so. All things considered, in the realm of health care transactions, VDRs are the norm.

Due Diligence Questionnaire: Requests for Information

To begin the investigation, an initial round of questions is customary, followed by supplemental questions. These questions either ask for certain materials or information relating to specific issues identified in the initial responses, or they ask for certain assurances from the seller that will either be confirmed through further documents or included as a representation/warranty in the purchase agreement. Often, questions do both. To ensure a thorough due diligence review, supplemental (follow-up) questions often become necessary. Let’s delve into the types of issues that are within the purview of a health regulatory SME.

Health Care Regulatory Material Issues

As mentioned above, identifying material issues in any given deal depends on the specifics of the deal. Therefore, the questions that the buyer’s counsel should ask the seller will vary accordingly. For example, if there is an international element to the deal, there will be additional considerations. But in general, due diligence as a health care SME has a core set of issues that are relevant to many deals. The following questions are examples of commonly used requests for information where there are elements relating to FDA, fraud and abuse, and privacy matters. Each question is designed to reveal potential areas of risk or concern that are not already discernable by the materials received or uploaded onto the VDR:

I. FDA Matters:

1. Are there any material risks associated with the 510(k) clearances for the buyer-company’s medical devices? Is the buyer-company’s registration up to date in accordance with the requirements of the annual FDA Establishment Registration?

2. Have any audits been performed, and were there any observations made during these audits? How did the company respond and address these observations? Are there any outstanding concerns (e.g., if the FDA made any observations pursuant to an audit, do they remain open or is there an accompanying FDA inspection closure letter)?

3. Has the company provided its procedures for reporting and handling product recalls? Have there been any recalls in a specified time period (e.g., in the last 5 years)?

4. Has the company recorded and responded to any customer or patient complaints within a specific timeframe (e.g., in the last 5 years)?

5. Has the company provided its quality manual and other documents pertaining to its quality systems regulation compliance program?

6. Are there any FDA actions taken against the company? Is there any correspondence from the FDA indicating any current or pending investigations or actions?

II. Health Care Fraud and Abuse/Privacy:

1. Request for copies of documents relating to the seller’s compliance program for HIPAA and other privacy and security laws, including but not limited to codes of conduct, risk assessments, training content, compliance handbooks, compliance policies, compliance committee minutes, implementation plans, audit plans, and similar materials.

2. Does the company have access to patient information? If so, do they comply with HIPAA guidelines? Has the company provided any evidence of HIPAA training for its employees?

3. Does the company have a code of ethics, compliance program, or written policies addressing interactions with health care professionals and/or other purchasers of its products?

4. Request for copies of any correspondence relating to any fraud and abuse claims or other audits, reviews, or inspection reports by, or correspondence with, CMS, OIG, DOJ, or any state agency that administers any state Medicaid programs, including any intermediary, carrier or other agent or contractor of such agencies.

5. Does the company enter into consulting or speaker agreements with clinicians or other healthcare professionals? If so, have these agreements been provided, and are the payment rates reasonable so as to not violate relevant laws and regulations? Are there specific terms and descriptions of services in the company’s agreements with health care professionals? This is necessary to accurately determine whether payment is proportionate to the nature of the services being rendered.

6. Request for copies of all consulting, advisory board, speaking engagements, consignment arrangements, and other compensation agreements with doctors, other health care practitioners, or other purchasers or prescribers of their products.

7. Does the company report all payments made to physicians or other healthcare professionals to the relevant authorities? The agreements may expressly outline the company’s obligation to report all payments made to physicians thereunder. Such payments should be reflected in the Open Payments website of CMS to avoid potentially subjecting the company to civil penalties. The buyer, as the client, should be advised to review these issues and ensure the buyer appropriately reports to CMS, prior to closing, all payments made to physicians under any of its consulting or speaker agreements.

8. Does the company bill any third-party payors or patients directly for its products? If not, how does it handle coding classifications for its products?

III. Miscellaneous

1. Request for the seller to provide all regulatory filings, licenses, permits, consents, and regulatory approvals required to enable the seller to conduct its business.

2. Request for a list of the renewal dates for any current licenses or permits required to operate the business, copies of such licenses, and a list of any permits/licenses that will require a new license or notice to the applicable agency as a result of the transaction.

3. Request for confirmation of any potential adverse regulatory agency action relating to the seller’s products or the manufacturers of the products.

The Due Diligence Report: An Important Deliverable

The due diligence process results in a diligence report that is delivered to the client. A due diligence report is a working document that typically has several iterations and is updated throughout the course of the diligence process. In the event of any changes in the proposed transaction structure, the report may require revisions. The body of the due diligence report provides a high-level summary of the legal due diligence review, outlining any material issues identified across all practice areas. More detailed information is typically included as exhibits to the report.

As part of the initial diligence requests, it's crucial to request all customer, vendor, and other material contracts. These contracts often highlight limitations or considerations that could impact the deal. The report highlights these findings. For example, the seller may have entered into contracts containing provisions that impact the current deal including those relating to required transaction approvals, contract notices, and consents (e.g., consent to assign, consent/notice of change of control), required regulatory approvals, restrictive covenants (e.g., exclusivity provisions, non-solicitation provisions, non-competition provisions), and various material issues. Taking a step back, this Article focuses on material issues relating to health care regulatory matters.

The buyer’s counsel should convey to their client that the diligence report is not a substitute for specific legal advice on particular issues relating to the transaction, nor should it replace the detailed contractual protections in the transaction documents. It should also be disclosed that, because confidentiality is paramount, the report should only be addressed to the client and not passed on to or relied upon by any third party without entering into certain confidentiality agreements. For example, typically the buyer’s lender who is funding the deal wants to see the due diligence report, so they enter into a non-reliance letter that binds them to confidentiality but, more importantly, makes it clear that the lender should not rely on the findings of the report.

Health Regulatory Compliance Warranties and Representations

Once the investigation is complete and the findings have been reported, what remains is whether the parties are aligned so as to move forward with the deal. Alignment doesn’t mean that both sides are fully satisfied–that’s rarely ever the case. The more practical and realistic question is whether, given all of the material issues discovered during the process of due diligence, it makes sense from a business perspective to move forward. If the answer to that is yes, then the buyer should proceed by obtaining from the seller certain assurances.

These assurances are twofold. The buyer is saying to the seller, “Okay, so you’ve given us responses to our questions along with the materials in the VDR, now put your money where your mouth is by putting them into a legally binding document (i.e., the purchase agreement).” These are the representations. The buyer is also saying, “…and just in case there are some risks that didn’t come to light based on our investigation, you’ll back those up too, right?” These are the warranties. Together, representations and warranties act as a safety net for the buyer.

The following are some examples of representations and warranties relating to a medical device deal that a buyer (“Company”) may want to consider including in the purchase agreement:

• With respect to each Product that is a “device” within the meaning of Federal Food, Drug, and Cosmetic Act (“FDCA”) § 201(h) (each such Product a “Device,” and collectively the “Devices”): (i) the Company has obtained all material necessary and applicable approvals, clearances, authorizations, and registrations, including any premarket notification clearances under FDCA § 510(k) required by the U.S. Food and Drug Administration (“FDA”) or any other Governmental Body, to permit the design, development, pre-clinical and clinical testing, manufacturing, distribution, promotion, and sale of such Device as currently conducted by the Company with respect to each such Device (collectively, the “Regulatory Approvals”); (ii) the Company is in compliance in all material respects with all terms and conditions and applicable reporting requirements of each Regulatory Approval; (iii) the Company is in compliance in all material respects with all applicable Health Care Legal Requirements regarding registration, license and certification for each site at which such Product is manufactured, labeled, sold, or distributed; and (iv) the Company has conducted all design, development and manufacturing operations in material compliance with the Quality Systems Regulations of the FDA (21 C.F.R. Part 820), Good Manufacturing Practices at 21 C.F.R. 210, 211.

• The Regulatory Approvals constitute all Regulatory Approvals required to manufacture, market, distribute and sell the Products in the same manner as such Products are manufactured, marketed, distributed and sold immediately prior to the date of this Agreement. The Company is the sole and exclusive owner of all Regulatory Approvals. The Company has not previously sold or transferred in any manner, in whole or in part, directly or indirectly, any of the Regulatory Approvals.

• All Devices, including without limitation, all components, packaging, labelling and promotional materials for such Devices, comply in all material respects with applicable Health Care Legal Requirements, and no such Devices are misbranded or adulterated within the meaning of the FDCA.

• The Company is in material compliance with all applicable Health Care Legal Requirements applicable to the maintenance, compilation and filing of reports, including Medical Device Reports (as defined in 21 CFR Part 803), with regard to all Devices.

• The Company has not received from FDA or any other Governmental Body (i) any written notice contesting the pre-market clearance or approval of, the uses of or the labelling and promotion of any Device, or (ii) any notice of adverse findings, FDA Form 483s, notices of violations, warning letters, criminal proceeding notices under any Health Care Legal Requirement, or other similar communication from the FDA or other Governmental Body alleging or asserting material noncompliance with any Health Care Legal Requirement with regard to any Device.

• During the two (2) years prior to the date of this Agreement, there have been no recalls, corrections, removals, repairs, replacements, refunds, injunctions, field notifications, “dear doctor” letter, investigator notice, safety alert (or other notice relating to an alleged lack of safety, efficacy or regulatory compliance of any Device), or seizures ordered or adverse regulatory actions taken or threatened by the FDA or any other Governmental Body with respect to any Device or any facilities where any Device is produced, processed, packaged or stored and the Company has not within the last two years, either voluntarily or at the request of any Governmental Body, initiated or participated in a recall, market withdrawal, correction, removal or suspension of any Device or provided post-sale warnings regarding any Device. The Company is in material compliance with FDA’s registration and listing requirements to the extent required by applicable Health Care Legal Requirements, and the Devices, if so required, are in conformance in all material respects with applicable Health Care Legal Requirements.

• The Company has not notified, either voluntarily or as required by Health Care Legal Requirement, any affected individual, any Governmental Body, or the media of any breach of personally identifiable information involving the sale or promotion of any Products. The Company has not suffered any unauthorized acquisition, access, use, or disclosure of any personal information involving the sale or promotion of the Products that, individually or in the aggregate, materially compromises the security or privacy of such personal information.

• The Company has made available to Purchaser copies of material complaints and notices of alleged defect or adverse reaction with respect to any Product that has been received in writing by the Company during the two years prior to the date of this Agreement.

• During the six (6) years prior to the date of this Agreement, each Product distributed and sold by the Company has been manufactured and distributed in compliance with applicable Legal Requirements, except where the failure to comply therewith would not, individually or in the aggregate reasonably be expected to be material to the Business. None of the Company or, to the Knowledge of the Company, any third party engaged by the Company in connection with the manufacture of any Product for distribution and sale has received in the six (6) years prior to the date of this Agreement or is subject to, any notification from a Governmental Body having jurisdiction over the Business with respect to any facility manufacturing the Product for distribution and sale, in each case, that would, individually or in the aggregate reasonably be expected to be material to the Business.

• The Company (i) is and has in the two (2) years prior to the date of this Agreement been in compliance in all material respects with all Privacy Laws and all privacy policies posted on or otherwise applicable to the Company’s websites and mobile applications, (ii) requires and takes commercially reasonable actions to ensure that all vendors and other service providers who have access to, receive or process Personal Information from or on behalf of the Company comply in all material respects with all Privacy Laws and (iii) uses commercially reasonable efforts, consistent with all Privacy Laws, to protect the security, privacy, confidentiality and integrity of all Personal Information held by the Company. The Company has in place and has provided or published all privacy notices and policies required by Privacy Laws.

• The transfer of any Personal Information as part of the transactions contemplated by this Agreement is permitted under the Company’s privacy policies, and no further consent of any party is required to permit such transfer.

Now you’ve seen the full picture. While it’s true that due diligence has many parts and can seem daunting, it’s a crucial part of any transaction. With thorough preparation, a well-rounded team, and a solid approach, you can effectively navigate this process with confidence. For any health care deal, be sure to consult a health regulatory SME to ensure you’re tackling issues that are specific to such deals.

