Healthcare M&A: A Legal Guide for Physician Practices, ASCs, and Health Systems

Healthcare transactions operate under a regulatory framework that has no parallel in general commercial M&A. Stark Law, the Anti-Kickback Statute, the False Claims Act, the corporate practice of medicine doctrine, Medicare and Medicaid enrollment rules, HIPAA, state licensure requirements, and certificate of need programs each impose independent obligations that must be satisfied before, during, and after closing. A deficiency in any one of them can create government enforcement exposure, void a compensation arrangement, or prevent the acquirer from billing federal payers. This guide covers the full landscape of healthcare M&A legal issues: from deal structure and diligence through regulatory transfer, integration, and the specific role of experienced healthcare counsel.

Alex Lubyansky, Esq. | April 2026 | 52 min read

Key Takeaways

  • Stark Law and the Anti-Kickback Statute apply simultaneously. Satisfying a Stark exception does not guarantee AKS compliance, and both analyses must be completed independently for every compensation, investment, and space arrangement in the target's operations.
  • The 36-month rule means asset buyers in Medicare CHOW transactions inherit billing liability from the prior three years. RAC audit findings, overpayment demands, and False Claims Act exposure ride with the provider agreement regardless of how the purchase agreement allocates indemnity.
  • Corporate practice of medicine restrictions in a majority of states require MSO-friendly PC structures for private equity buyers. The validity of those structures depends on precise documentation and genuine physician autonomy over clinical decisions, not just on form.
  • Certificate of need filings and state licensure transfers can extend transaction timelines by six months or more. These regulatory processes must be identified and initiated at signing, not at closing, to avoid operational gaps that prevent billing.
  • Healthcare M&A requires counsel with specific expertise in federal and state healthcare regulatory law, not just general M&A experience. The regulatory issues are specialized enough that gaps in counsel experience translate directly into deal risk and post-closing liability.

1. The Healthcare Deal Landscape

Healthcare M&A has accelerated substantially over the past decade, driven by two dominant forces: private equity roll-up activity in physician specialties and outpatient facilities, and health system consolidation at the regional and national level. PE-backed platforms have assembled large groups in dermatology, ophthalmology, orthopedics, gastroenterology, urology, dental, and behavioral health, often combining a management services organization structure with rapid add-on acquisitions of independent practices. Health systems have simultaneously pursued horizontal consolidation through hospital mergers, vertical integration through physician practice employment, and geographic expansion into adjacent markets through joint ventures and acquisitions.

Ambulatory surgery center transactions occupy their own segment of the market. ASCs offer surgical care at lower cost than hospital outpatient departments, and payers have actively encouraged the migration of procedures to the ASC setting. PE buyers, health systems, and specialty hospital management companies have all pursued ASC acquisitions and joint ventures with surgeons, creating a competitive market that commands premium valuations for well-run, accredited centers with a diversified procedure mix and strong surgeon relationships. ASC transactions involve a distinct set of regulatory issues compared with physician practice acquisitions, including CMS conditions of participation, state facility licensure, and AKS safe harbor compliance for physician co-ownership arrangements.

Health system consolidation raises antitrust considerations that do not arise in physician practice roll-ups below market-concentration thresholds. The Federal Trade Commission and the Department of Justice have actively challenged hospital mergers that the agencies determined would reduce competition in local markets for inpatient or outpatient services, and state attorneys general have played an increasing role in reviewing transactions involving not-for-profit health systems with charitable assets subject to state oversight. For health system transactions, antitrust counsel must be integrated into the deal team from the earliest stages of the transaction, and merger review timelines must be built into the closing schedule.

2. Stark Law: Physician Self-Referral

The Stark Law, codified at 42 U.S.C. Section 1395nn, prohibits a physician from making a referral to an entity for the furnishing of designated health services (DHS) payable by Medicare or Medicaid if the physician (or an immediate family member) has a financial relationship with that entity, unless a specific statutory or regulatory exception applies. The prohibition is absolute: if a financial relationship exists and no exception is met, the referral is prohibited, the DHS claim is not reimbursable, and the entity must refund any payments received. Stark is a strict-liability statute, meaning no intent to violate the law is required for liability to attach.

Designated health services covered by Stark include clinical laboratory services, physical therapy, occupational therapy, outpatient speech-language pathology, radiology and certain imaging services, radiation therapy, durable medical equipment and supplies, parenteral and enteral nutrients and equipment, prosthetics, orthotics and prosthetic devices, home health services, outpatient prescription drugs, and inpatient and outpatient hospital services. The scope of DHS is defined by regulation and has been refined through multiple rulemaking cycles. In diligence, every compensation arrangement, ownership interest, and space or equipment lease between physicians and entities that furnish DHS must be mapped against the Stark exceptions to confirm that the referral relationship is permissible.

The most commonly used Stark exceptions in the physician practice context are the bona fide employment exception, the personal services exception, the space rental exception, and the equipment rental exception. Each exception has specific requirements relating to the form of the agreement (generally required to be in writing), the duration of the arrangement (at least one year), the compensation structure (must be set in advance, consistent with fair market value, and not determined in a manner that takes into account the volume or value of referrals), and commercial reasonableness. The fair market value and commercial reasonableness requirements are not interchangeable: an arrangement can be at fair market value but still fail commercial reasonableness if no legitimate business purpose exists independent of the referral relationship.

3. Anti-Kickback Statute and Safe Harbors

The Anti-Kickback Statute, codified at 42 U.S.C. Section 1320a-7b(b), prohibits knowingly and willfully offering, paying, soliciting, or receiving any remuneration to induce or reward the referral of patients for items or services covered by any federal healthcare program. Unlike Stark Law, which is limited to Medicare and Medicaid DHS referrals, the AKS applies to all federal healthcare program business, including Medicaid, TRICARE, and federal employee health plans. The AKS is an intent-based criminal statute: conviction requires proof that the defendant acted knowingly and willfully, though courts have held that the government need not prove the defendant knew the conduct was illegal, only that the defendant was aware that the conduct was unlawful in some general sense.

OIG safe harbors define arrangements that will not be subject to prosecution even though they involve remuneration. Key safe harbors in the healthcare M&A context include: the employment safe harbor, which protects bona fide employment arrangements where remuneration is paid for legitimate services and does not exceed fair market value; the personal services and management contracts safe harbor, which protects written personal services arrangements meeting specified requirements; the space rental safe harbor and equipment rental safe harbor, which protect written leases at fair market value for commercially reasonable purposes; the ASC ownership safe harbor, which protects qualifying physician co-ownership of Medicare-certified ASCs; the discount safe harbor, which protects price reductions that are properly disclosed in cost reports; and the investment interests safe harbor, which protects ownership interests meeting specified small entity or publicly traded company criteria.

In M&A diligence, the acquirer's counsel must review every compensation arrangement, investment interest, and contractual relationship of the target for AKS compliance, and specifically assess whether arrangements satisfy applicable safe harbors. Arrangements that do not fit within a safe harbor are not automatically illegal, but they must be evaluated under the totality-of-circumstances analysis the OIG applies to assess AKS intent. The OIG has published advisory opinions that provide guidance on specific arrangements, and those opinions, while not binding on third parties, provide a useful framework for assessing risk in structures that do not fit neatly within a defined safe harbor. For a detailed analysis of Stark and AKS issues specific to healthcare M&A, see the companion guide to Stark Law and Anti-Kickback Statute compliance in healthcare transactions.

4. False Claims Act Exposure in Diligence

The False Claims Act, 31 U.S.C. Sections 3729-3733, imposes liability on any person who knowingly submits, or causes to be submitted, a false or fraudulent claim for payment to the United States government. In healthcare, every Medicare or Medicaid claim submitted in violation of Stark Law or the AKS is deemed a false claim under the FCA, because the Anti-Kickback Statute expressly provides that a claim arising from an AKS violation constitutes a false or fraudulent claim for FCA purposes. FCA liability carries per-claim civil penalties (currently adjusted for inflation above $27,000 per claim) plus treble damages, which in a high-volume billing practice can aggregate to amounts that exceed the enterprise value of the target.

The qui tam provisions of the FCA allow private parties, called relators, to bring FCA actions on behalf of the government and to receive a share of any recovery. Disgruntled employees, former business partners, and competing providers are common sources of qui tam actions in healthcare. In diligence, the acquirer must search federal court records for pending qui tam actions under seal, review OIG and CMS exclusion databases, and conduct thorough billing compliance reviews to identify patterns that could serve as the basis for a qui tam complaint. A pending qui tam action that is not disclosed to or discovered by the acquirer can become the acquirer's liability post-closing if the merger agreement does not contain appropriate representations and the escrow is not sized to address it.

FCA exposure is not limited to billing fraud in the traditional sense. Upcoding, unbundling of procedure codes, billing for services not rendered, improper use of modifiers, and submission of claims for services provided by excluded individuals are all recognized FCA theories. In the context of physician practice acquisitions, the acquirer must review billing data and coding patterns across the historical period, with particular attention to specialties with high Centers for Medicare and Medicaid Services audit activity and to any services for which the practice has received prior audit findings, repayment demands, or prepayment review notices. Billing compliance is not a checkbox: it requires substantive analysis of claims data by personnel with clinical coding expertise.

5. Corporate Practice of Medicine Doctrine

The corporate practice of medicine doctrine holds that the practice of medicine is a personal privilege that cannot be exercised by a corporation or other non-physician entity. The doctrine is rooted in the rationale that allowing corporations to employ physicians or control medical practice would subordinate clinical judgment to profit motives, undermine physician-patient relationships, and circumvent state medical licensing requirements. The doctrine is not a federal rule: it derives from state medical practice acts, state corporate statutes, state attorney general opinions, and judicial decisions, and its scope and enforcement vary substantially by state.

States with strong CPOM restrictions include California, Texas, New York, and New Jersey, among others. In these jurisdictions, a private equity buyer, an MSO, or a corporate health system cannot directly own a physician practice entity or employ physicians in a manner that gives the corporate entity control over clinical decisions. The consequence of violating CPOM restrictions extends beyond regulatory sanction: contracts entered into in violation of CPOM may be void or voidable, which can affect the enforceability of management services agreements and the validity of provider contracts with payers. State-by-state CPOM analysis is essential early in deal structuring because it determines what entity structure is permissible and what protections must be built into the management services agreement.

The standard workaround for CPOM restrictions is the management services organization combined with a physician-owned professional corporation. The physician PC retains ownership of the medical practice and employs (or contracts with) the physicians. The MSO, which may be owned by the PE sponsor or health system, provides all non-clinical management services, including billing, human resources, facilities management, information technology, and marketing, under a long-term management services agreement. The MSA grants the MSO operational control over non-clinical functions and typically includes economic rights, such as profit distributions and an option to purchase the PC's assets, structured to comply with applicable CPOM and fee-splitting restrictions. The validity of the structure depends on both the terms of the documents and the manner in which those terms are actually implemented.

6. Fee-Splitting Prohibitions

Fee-splitting prohibitions are closely related to the corporate practice of medicine doctrine and are codified in most state medical practice acts. These provisions prohibit physicians from splitting professional fees with non-physicians in exchange for referrals or as compensation for administrative services. The specific statutory language varies by state, but the general principle is that physicians may not share the revenue generated by professional medical services with lay persons or entities who are not licensed to practice medicine and who are compensated based on a percentage of professional revenue.

Fee-splitting analysis is critical to the validity of MSO management fee structures. A management fee calculated as a fixed percentage of practice revenue, if challenged by a state medical board or attorney general, can be characterized as an impermissible fee-splitting arrangement, particularly if the fee is set at a level that leaves the physician PC with minimal net income. Courts and regulators have scrutinized MSO arrangements where the management fee is so high relative to practice revenue that the physician has no meaningful economic interest in the practice, concluding that the arrangement effectively transfers the economic value of the practice to the corporate MSO in a manner that circumvents CPOM restrictions.

Structuring a compliant management fee requires analysis of both the rate and the compensation methodology. Fixed fees, per-encounter fees, and performance-based fees tied to operational metrics rather than physician revenue are generally less susceptible to fee-splitting characterization than simple percentage-of-revenue arrangements. The management services agreement should enumerate the specific services provided by the MSO and demonstrate that the fee reflects the fair market value of those services. Independent fair market value opinions from qualified healthcare valuation firms support the legitimacy of the compensation structure and provide documentation that can be used in the event of regulatory scrutiny.

7. Medicare Enrollment and Change of Ownership

Medicare provider enrollment and the change of ownership rules under 42 C.F.R. Part 489 are among the most operationally consequential regulatory requirements in healthcare M&A. CMS defines a change of ownership based on the type of transaction and the provider type. For asset purchases, a CHOW occurs when a provider's assets are acquired by a new owner who will continue to operate the provider. For stock sales or membership interest transfers in LLCs, a CHOW generally occurs when more than 50 percent of the ownership interest changes hands, which is nearly always the case in a control acquisition. Certain transactions, such as internal reorganizations within the same corporate family, may not constitute a CHOW if specific criteria are met.

The procedural requirements for a CHOW depend on whether the transaction is structured as an asset purchase or a stock sale. In an asset purchase, the buyer must submit a new CMS 855 enrollment application to obtain a new Medicare provider agreement before billing Medicare. The buyer cannot bill Medicare for services rendered prior to the effective date of its own provider agreement. A tie-in notice must be sent to the applicable Medicare Administrative Contractor notifying CMS of the change in ownership prior to or at closing. The MAC will then contact the new provider to verify enrollment and confirm the effective date of the new provider agreement. Delays in MAC processing can create gaps in Medicare billing authority that interrupt revenue collection post-closing.

In a stock sale or membership interest transfer constituting a CHOW, the buyer takes assignment of the seller's existing Medicare provider agreement by operation of law at the time the CHOW occurs, along with all associated Medicare billing privileges and all liabilities of the prior owner. The buyer must notify the MAC of the CHOW by submitting a CMS 855A, 855B, or 855I (depending on provider type) within 90 days of the change. The assignment of the provider agreement preserves billing continuity, which is a significant operational advantage of stock purchase structures in healthcare acquisitions, but it also brings forward all of the prior operator's Medicare compliance history. For a detailed treatment of Medicare and Medicaid enrollment issues in healthcare transactions, see the guide to Medicare and Medicaid provider transfers.

8. Medicaid Provider Agreements

Medicaid enrollment and provider agreement transfer requirements are governed by state law and vary significantly across the 50 states. Unlike Medicare, which is administered through a uniform federal framework, Medicaid is a joint federal-state program in which each state administers its own program under federal guidelines. Some states have adopted streamlined CHOW notification procedures modeled on the Medicare framework, while others require re-enrollment from scratch in the event of a change of ownership or require prior state agency approval before the transaction closes. For providers operating across multiple states, the Medicaid enrollment analysis must be conducted state by state.

Managed Medicaid adds another layer of complexity. The majority of Medicaid beneficiaries are enrolled in managed care plans rather than fee-for-service Medicaid, and managed Medicaid plans enter into separate provider contracts with participating providers. A change of ownership of a Medicaid-participating provider does not automatically transfer those managed care contracts to the new owner. The acquirer must contact each Medicaid managed care organization with which the target has a provider contract and initiate the process of transferring or re-executing those contracts, which can be time-consuming and in some cases requires the MCO's affirmative consent. Billing interruption risk from MCO contract transitions is a material operational consideration in physician practice acquisitions with high Medicaid patient volume.

States that have implemented Medicaid provider enrollment through state health department portals or Medicaid Management Information Systems impose their own timing requirements for CHOW notifications and re-enrollment applications. Some states require notification 30 to 90 days before a transaction closes; others allow notification within a specified period after closing. Failure to provide timely notification can result in a gap in Medicaid billing authorization or in liability for claims submitted without proper enrollment. The due diligence team should map the target's Medicaid participation in each state against the applicable state enrollment requirements and begin the notification and re-enrollment process on a coordinated timeline after signing.

9. HIPAA in Healthcare Transactions

The Health Insurance Portability and Accountability Act imposes specific requirements on the use and disclosure of protected health information in the context of healthcare transactions. When an acquirer conducts due diligence on a target that is a covered entity (such as a physician practice or hospital), the disclosure of PHI to the acquirer's team raises HIPAA compliance issues. Under the HIPAA Privacy Rule, a covered entity may disclose PHI without patient authorization for certain healthcare operations purposes, including due diligence in connection with a potential merger or acquisition, but the disclosure must be limited to the minimum necessary for the due diligence purpose and the receiving party must execute a business associate agreement if it is functioning as a business associate of the covered entity.

Business associate agreements must be in place before any PHI is disclosed to the acquirer, its legal counsel, financial advisors, or other third parties who will receive or have access to patient-level data during due diligence. The BAA must comply with the requirements of 45 C.F.R. Section 164.504(e), including provisions governing the permitted and required uses of PHI, the requirement to safeguard PHI, the obligation to report breaches, and the requirement to return or destroy PHI at the conclusion of the engagement. Using de-identified data where possible, and limiting access to identified PHI to the minimum number of individuals with a legitimate need, reduces the scope of BAA obligations during the diligence phase.

At and after closing, the acquirer must assess whether existing BAAs between the target and its business associates, including billing companies, IT vendors, electronic health record platforms, and other service providers, are assignable to the acquirer or must be renegotiated. BAAs that are not assignable create a gap in HIPAA compliance for the period during which the acquirer is using the vendor's services without a valid BAA in place. The purchase agreement should include a representation that the target has BAAs in place with all business associates to whom PHI has been disclosed, and the closing deliverables should include an inventory of existing BAAs and confirmation of their assignability. Post-closing HIPAA integration planning must also address the combination of the target's and acquirer's HIPAA compliance programs, policies, and training obligations.

10. State Licensure Transfer

Healthcare facilities and providers operate under a network of state-issued licenses that must be addressed in any acquisition. Facility licenses issued by state health departments, boards of pharmacy, state radiation control programs, and clinical laboratory regulatory bodies are typically not transferable by assignment: they are issued to a specific legal entity at a specific location, and a change of ownership frequently triggers the requirement to apply for a new license or to obtain the licensing authority's approval of the transfer of the existing license. The specific requirements vary by license type and by state.

Drug Enforcement Administration registration is a critical licensure issue in practices with controlled substance prescribing authority. DEA registrations are specific to the registrant and the registered location, and they may not be transferred to a new owner. In an asset purchase, the buyer must apply for new DEA registrations for each location, and controlled substances on hand at closing must be handled in accordance with DEA regulations governing transfers of controlled substance inventories. The DEA transfer process can take 60 to 90 days, and the practice cannot legally dispense controlled substances without valid DEA registration, which creates an operational gap that must be addressed in the transition planning.

State medical board approval is not typically required for physician employment transfers in a practice acquisition, but changes in the legal entity employing the physicians may require updated employment agreements and credentialing applications. Payer credentialing is a parallel process to state licensure that is often the critical path for revenue in physician practice acquisitions. Health plan provider contracts and credentialing are specific to the contracting provider entity: in an asset purchase, the acquirer must re-credential with each payer and potentially renegotiate payer contracts, a process that can take three to six months and during which the practice may be unable to receive in-network reimbursement from certain payers. For a detailed treatment of healthcare licensure and CON issues, see the guide to healthcare licensing and certificates of need.

11. Certificates of Need

Certificate of need programs require providers to obtain state regulatory approval before establishing, acquiring, or significantly expanding certain healthcare facilities or services. CON programs are intended to prevent duplication of expensive healthcare resources and to protect access to care in underserved areas. Approximately 35 states and the District of Columbia currently operate some form of CON program, though the scope varies widely. Some states require CON review for hospitals, nursing homes, and ASCs but exempt physician practices and diagnostic imaging centers. Other states impose CON requirements on a broader range of facilities, including long-term acute care hospitals, psychiatric facilities, and home health agencies.

CON requirements are triggered by specific events defined in each state's statute: typically the establishment of a new facility, a change of ownership of an existing facility, a significant increase in bed capacity, the addition of a major medical equipment item above a capital cost threshold, or the offering of a new health service. In healthcare acquisitions, the acquirer must determine whether the target's facilities are subject to CON regulation in their respective states, whether the proposed acquisition constitutes a CON-triggering event under the applicable state statute, and whether any previously obtained CON approvals contain conditions that could be affected by the change of ownership. Some states require the buyer to obtain a new CON or to apply for transfer of the seller's existing CON as a condition of closing.

CON proceedings vary in complexity and duration. In some states, a straightforward change of ownership notification can be processed in 30 to 60 days. In states with contested CON proceedings, where competing providers can challenge an application, the review process can take 12 to 18 months or longer. The competitive challenge process in CON proceedings can be used by incumbent health systems to delay or block entry by new competitors, which makes CON a strategic as well as a regulatory issue in certain markets. Deals that require CON approval must build regulatory timelines into the purchase agreement, and the parties must decide how to allocate closing risk if a CON application is denied or delayed beyond an agreed outside date.

12. 340B Drug Pricing Program

The 340B Drug Pricing Program, established under Section 340B of the Public Health Service Act, requires pharmaceutical manufacturers to provide outpatient drugs to covered entities at significantly reduced prices, in exchange for Medicaid drug rebate program participation. Covered entities eligible for 340B pricing include disproportionate share hospitals, federally qualified health centers, Ryan White HIV/AIDS Program grantees, and certain other safety-net providers. For eligible providers, 340B participation can generate substantial drug margin, and that margin is a meaningful component of financial performance for covered entities in oncology, infectious disease, and other drug-intensive specialties.

340B program participation is entity-specific and is subject to the Health Resources and Services Administration's oversight and compliance requirements. A change of ownership that results in a new legal entity operating the covered entity's program requires notification to HRSA and may require re-registration with the 340B program. HRSA's Office of Pharmacy Affairs maintains a covered entity database, and any change in the legal identity or ownership of a registered covered entity must be reported in a timely manner. Failure to notify HRSA of a CHOW can result in retroactive loss of 340B eligibility and repayment obligations to manufacturers for drugs purchased at 340B prices that should not have been dispensed by the post-CHOW entity.

In acquisitions of hospital systems or FQHCs with significant 340B programs, the 340B margin should be modeled explicitly in deal economics, and the risk of program loss or reduced access post-closing should be assessed as part of diligence. HRSA has increased its audit activity in the 340B program, and enforcement actions for patient definition violations, duplicate discounts, and diversion of 340B drugs to ineligible patients can result in repayment obligations and program termination. Understanding the target's 340B compliance posture and the robustness of its program integrity controls is an important component of healthcare transaction diligence for entities with meaningful 340B participation.

13. Medicare Advantage and Risk-Sharing Arrangements

Medicare Advantage plans and value-based care arrangements introduce a distinct set of contractual and regulatory issues in healthcare M&A. Provider organizations that participate in Medicare Advantage through risk-sharing arrangements, capitation contracts, or accountable care organization structures have financial performance characteristics and risk profiles that differ materially from fee-for-service practices. The acquirer must understand the target's MA contract terms, the basis on which it assumes risk, the risk adjustment mechanisms applicable to its patient population, and the quality metrics that determine any value-based bonuses or penalties.

Risk-sharing contracts in Medicare Advantage often contain change of ownership notification requirements and in some cases require plan consent to the transfer of the contract. A physician group that has taken on full or partial capitation risk for a defined patient population cannot simply transfer that risk obligation to a new owner without notifying the MA plan and potentially renegotiating the contract terms. The acquirer must review each risk contract for assignment restrictions, consent requirements, and termination triggers associated with a change of control, and must develop a plan for addressing those provisions before closing.

Risk adjustment accuracy is a compliance issue that arises frequently in MA diligence. MA plans are paid by CMS on a risk-adjusted basis, with payments tied to the hierarchical condition categories assigned to each enrollee based on documented diagnoses. Practices that have participated in risk adjustment programs face CMS audit risk under the Medicare Advantage Risk Adjustment Data Validation (RADV) program, which can result in recoupment of prior year payments if documented diagnoses are not supported by the medical record. The acquirer should assess the target's historical risk adjustment practices, the quality of diagnostic documentation, and any prior RADV audit findings or settlement history as part of MA diligence.

14. Stark/AKS Diligence and Self-Disclosure Protocols

Regulatory diligence for Stark Law and the Anti-Kickback Statute requires a systematic review of every financial relationship between the target entity (or entities) and referring physicians. The diligence protocol should begin with a complete inventory of all compensation arrangements, ownership interests, co-investment structures, space and equipment leases, and any other arrangements in which remuneration flows between the target and a physician who refers patients for DHS or other federal program-covered services. Each arrangement must be mapped against available Stark exceptions and AKS safe harbors, with a gap analysis identifying where the arrangement falls short of full exception or safe harbor compliance.

When diligence identifies a Stark or AKS compliance deficiency, the parties must assess the severity and quantum of potential liability before deciding how to proceed. Options include restructuring the arrangement before closing, requiring the seller to self-disclose to CMS or OIG as a condition of closing, escrowing a portion of the purchase price against the risk of government investigation, obtaining a purchase price reduction, or in extreme cases walking away from the transaction. The Stark Law Self-Referral Disclosure Protocol and the OIG Self-Disclosure Protocol provide formal mechanisms for voluntary disclosure, and self-disclosures resolved through these programs generally receive more favorable resolution terms than those that surface through government-initiated investigation. However, the decision to self-disclose is consequential and must be made with experienced healthcare regulatory counsel.

Post-closing, the acquirer inherits the compliance obligation to remediate any known deficiencies in the acquired entity's arrangements, restructure compensation and space agreements to fit within exceptions and safe harbors, and implement a compliance program that monitors ongoing regulatory compliance. CMS and OIG take the position that a buyer who acquires a business with known Stark or AKS violations and fails to remediate them post-closing may be liable not only for the pre-closing violations (under the 36-month rule for Medicare CHOW transactions) but also for any post-closing violations arising from the continuation of the same prohibited arrangement. Timely remediation is both a regulatory and a deal risk management obligation.

15. Healthcare-Specific Representations and Warranties

Healthcare M&A purchase agreements require a set of representations and warranties that go substantially beyond what appears in a standard commercial acquisition agreement. Healthcare-specific reps should address: the seller's compliance with Stark Law and the AKS with respect to all compensation arrangements and financial relationships; the absence of any known violations of the False Claims Act or state false claims statutes; the accuracy and completeness of Medicare and Medicaid enrollment information; the absence of any pending or threatened government investigations, OIG subpoenas, MAC audits, or ZPIC inquiries; the provider's compliance with HIPAA privacy, security, and breach notification requirements; and the accuracy of the provider's 340B program participation, if applicable.

Representations relating to billing and coding compliance are particularly important. The seller should represent that all claims submitted to Medicare, Medicaid, and other federal programs during a specified look-back period were properly coded and supported by the medical record, that the seller has not received any written notice of overpayment demands or repayment obligations that remain unresolved, and that the seller has not entered into any corporate integrity agreements, consent orders, or deferred prosecution agreements with the OIG or Department of Justice. Where the seller is unable to make unqualified representations, the parties should negotiate disclosure schedules that identify known exceptions and address them through price adjustments or escrow provisions.

The survival period for healthcare regulatory representations is typically longer than for general business representations. Stark Law violations are subject to a six-year statute of limitations for civil monetary penalties, and False Claims Act violations are subject to a six to ten-year limitations period depending on when the government knew or should have known of the violation. Purchase agreements in healthcare transactions often provide for survival of healthcare regulatory reps for five to six years post-closing, with a corresponding escrow or indemnity obligation held for the same period. Negotiating the length of survival, the size of the indemnity basket and cap, and the structure of the healthcare regulatory escrow are among the most contested points in a healthcare M&A negotiation.

16. Escrow Structures for Billing Risk

Billing-related escrow structures in healthcare transactions serve a different purpose than the standard indemnity escrow used in commercial M&A. In healthcare acquisitions, the primary billing risks are: post-closing RAC audit findings resulting in overpayment demands for claims submitted in the pre-closing period; payer recoupment for claims that are found to be improperly coded or unsupported by documentation; OIG or MAC prepayment review findings that interrupt revenue collection post-closing; and FCA settlement obligations arising from pre-closing billing conduct. Each of these risks has a different timing profile and magnitude, requiring the acquirer to think carefully about how much escrow protection is appropriate and for how long.

Recovery Audit Contractors audit Medicare claims on a rolling basis and can reach back up to three years to identify overpayments. In a CHOW asset purchase governed by the 36-month rule, the acquirer assumes liability for RAC findings relating to the prior three years of billing. The escrow for RAC risk is typically sized based on historical RAC audit activity in the target's specialty and region, the volume of claims submitted in the at-risk period, and any known RAC inquiries or findings disclosed during diligence. Some acquirers choose to address RAC risk through a purchase price holdback rather than a traditional escrow, deferring a portion of the purchase price until the RAC audit window has closed or specific audit findings are resolved.

Payer recoupment risk is a shorter-cycle risk than RAC risk, because commercial payer and Medicaid managed care plan audits generally operate on a shorter look-back window and resolve more quickly than RAC proceedings. However, in practices with high commercial payer volume and complex billing arrangements, payer recoupment risk can be material. The purchase agreement should include representations about the absence of pending payer audits or recoupment notices, and the escrow should be sized to address both known disputes disclosed in diligence and the statistical likelihood of unresolved billing issues in the normal course of payer audit activity. Experienced healthcare M&A counsel works with the acquirer's billing compliance consultants to size the escrow appropriately based on a quantitative assessment of the historical claims data.

17. MSO, DSO, and Friendly PC Structures

Management services organization structures have become the dominant vehicle for private equity investment in physician-owned medical practices. The MSO acquires the non-clinical assets of the practice, including equipment, real property, contracts, and goodwill, and enters into a long-term management services agreement with the physician PC. The physician PC retains ownership of the practice's clinical operations and employs the physicians. The MSA gives the MSO control over non-clinical functions and economic rights over the PC's operations structured to comply with CPOM and fee-splitting restrictions in the relevant state. The MSO's economic interest in the practice is typically realized through the management fee, the practice's debt service on seller financing, and an option or right of first refusal to purchase the PC's assets upon the departure of the founding physician.

Dental service organization structures are the dental industry's analog to the MSO model and have been deployed extensively by private equity in dental practice consolidation. DSOs face the same CPOM and fee-splitting issues as medical MSOs, with the added complexity that dental licensing laws vary significantly across states in ways that affect whether the DSO can contract directly with payers, how clinical decisions must be documented, and what minimum standards apply to dentist employment arrangements. In states such as California and Texas, where CPOM restrictions apply to dentistry as well as medicine, the DSO-friendly PC structure is essential for PE-backed dental platform companies.

The friendly PC model raises specific enforcement risk when the physician serving as the nominal PC owner has no meaningful economic stake in the practice, exercises no genuine clinical decision-making authority, or has entered into side arrangements that effectively transfer all economic rights to the MSO. State medical boards and attorneys general have challenged MSO arrangements where the degree of corporate control over clinical operations is found to violate CPOM restrictions, and such challenges can result in the revocation of the physician's license, the invalidation of the management services agreement, and the loss of payer contracts. Robust MSO structuring requires not just correct documentation but active governance practices that preserve genuine physician authority over clinical decisions in the day-to-day operation of the practice.

18. Private Equity Platform and Add-On Strategy

Private equity healthcare platforms are built through a combination of platform acquisitions and add-on acquisitions, with the platform establishing the MSO infrastructure, compliance programs, management team, and payer contracts that subsequent add-ons plug into. Platform acquisitions are typically larger, more heavily negotiated transactions that establish the legal and operational framework for the platform, including the MSO entity structure, the form of management services agreement to be used for subsequent add-ons, the compliance program, and the payer contracting strategy. Add-on acquisitions of smaller practices are executed more rapidly, often within 30 to 60 days from letter of intent to closing when the platform is operational and the legal documentation is standardized.

Add-on acquisition velocity creates its own diligence and legal challenges. A PE platform executing multiple add-on acquisitions per year must maintain a disciplined diligence process that is fast enough to meet competitive transaction timelines but thorough enough to identify material Stark, AKS, and FCA risks before closing. Many platforms develop a standardized healthcare regulatory diligence checklist and engage healthcare regulatory counsel to conduct a streamlined review of each add-on against that checklist. High-volume add-on programs also require robust integration protocols that replicate the platform's compliance program at each acquired practice quickly enough to prevent inherited compliance deficiencies from propagating across the platform.

Payer contracting strategy is a central consideration in platform-building. A PE-backed platform can leverage its aggregated patient volume and geographic footprint to negotiate payer contracts on better terms than individual practices could achieve, which is one of the core economic rationales for physician practice consolidation. However, the transition from individual practice payer contracts to platform-level contracts requires careful management of credentialing timelines, contract assignments, and group billing number conversions. Payer consent to contract assignment is not always obtainable on the acquirer's preferred timeline, and revenue disruption during payer contract transitions is a material integration risk that the deal team should model and plan for before closing.

19. Integration Planning and Billing Compliance

Post-closing integration in healthcare M&A encompasses both operational and regulatory dimensions that must be managed on parallel tracks. Operationally, integration involves combining EHR systems, billing platforms, practice management software, and revenue cycle operations. Regulatory integration involves implementing the acquirer's compliance program at the acquired practice, remediating any inherited compliance deficiencies identified in diligence, transitioning compensation arrangements to structures that satisfy Stark exceptions and AKS safe harbors, and ensuring that all compensation paid to physicians post-closing is supported by fair market value opinions and commercially reasonable business purposes.

Billing system integration is a frequent source of post-closing compliance risk. When practices migrate from one billing platform to another, coding errors, duplicate claims, incorrect provider identifiers, and misapplied modifiers can be introduced systematically at the point of conversion. A billing system migration that introduces systematic coding errors can generate a pattern of false claims that creates FCA exposure for the acquirer in the post-closing period. The integration plan should include a billing audit conducted before and after any billing system conversion, with manual review of a statistically significant sample of converted claims to verify that the conversion has not introduced coding or billing errors.

Compliance program integration is an ongoing obligation, not a one-time event. The acquirer's compliance officer should conduct a compliance program assessment at each acquired location within 90 days of closing, identifying gaps between the practice's existing compliance practices and the platform's compliance program standards. Physician education on Stark Law, AKS, and billing compliance is a foundational integration activity that should occur at every acquired practice within the first 90 days. The compliance program should include ongoing monitoring of claims data for patterns indicative of billing irregularities, regular audits of compensation arrangements for continued Stark and AKS compliance, and a reporting mechanism that allows staff to raise compliance concerns without fear of retaliation.

20. Role of Healthcare Counsel

Healthcare M&A requires counsel with specific expertise in federal and state healthcare regulatory law, not just general M&A transactional experience. The regulatory issues in healthcare transactions, including Stark Law, the Anti-Kickback Statute, the False Claims Act, HIPAA, Medicare and Medicaid enrollment, state licensure, CPOM, fee-splitting, and certificates of need, are specialized enough that counsel without dedicated healthcare regulatory experience will not identify or adequately assess the relevant risks. The consequences of missed healthcare regulatory issues in M&A are not limited to indemnity claims: they include government investigation, loss of Medicare and Medicaid participation, physician licensure actions, and FCA liability that can dwarf the original transaction value.

Healthcare counsel advises on both deal structure and regulatory compliance. On deal structure, healthcare counsel determines which CPOM and fee-splitting restrictions apply in the relevant states, designs the MSO-friendly PC architecture, drafts the management services agreement and the option or purchase right that gives the MSO economic control, and ensures that all compensation arrangements are structured within applicable Stark exceptions and AKS safe harbors. On regulatory compliance, healthcare counsel conducts the Stark and AKS regulatory diligence, identifies disclosure obligations to CMS and OIG, advises on CHOW notification requirements, coordinates state licensure transfer processes, and advises on HIPAA compliance in the diligence and integration phases.

The role of healthcare counsel does not end at closing. Post-closing compliance program implementation, compensation arrangement restructuring, provider enrollment management, and ongoing regulatory monitoring are continuing legal needs for any healthcare platform. Establishing a relationship with healthcare counsel who understands the platform's structure, its payer contracting strategy, and its geographic footprint allows the platform to address compliance issues as they arise rather than on a reactive basis. Experienced healthcare M&A counsel is a long-term strategic partner in building and maintaining a compliant healthcare enterprise, not simply a transaction resource engaged for a specific deal.

Frequently Asked Questions

What is the difference between Stark Law and the Anti-Kickback Statute?

Stark Law is a strict-liability civil statute that prohibits a physician from referring Medicare or Medicaid patients for designated health services to an entity in which the physician (or an immediate family member) has a financial relationship, unless a specific statutory or regulatory exception applies. The Anti-Kickback Statute is an intent-based criminal statute that prohibits offering, paying, soliciting, or receiving anything of value to induce or reward referrals of federal healthcare program business. In M&A, both statutes apply simultaneously: a transaction structure that satisfies a Stark exception may still violate the AKS if the parties have an improper intent, and safe harbor compliance under the AKS does not guarantee Stark compliance.

Why does safe harbor compliance matter in a healthcare acquisition?

Safe harbors under the Anti-Kickback Statute define arrangements that the OIG has determined will not be subject to prosecution even though they technically involve remuneration in connection with referral relationships. Structuring compensation arrangements, investment interests, and space or equipment leases within applicable safe harbors substantially reduces regulatory risk both before and after closing. In diligence, acquirers verify that the target's existing arrangements fit within safe harbors because inherited violations can create False Claims Act exposure that survives the transaction and falls on the acquirer.

What is the corporate practice of medicine doctrine and how does it affect a deal?

The corporate practice of medicine doctrine, recognized in varying forms in the majority of states, prohibits non-physician entities from employing physicians or controlling the clinical decisions of a medical practice. In states with strong CPOM restrictions, a private equity buyer or a management services organization cannot directly own or control the physician practice entity. The standard workaround is the MSO-friendly PC structure, where the physician practice remains owned by a licensed physician but enters a long-term management services agreement with the MSO that assigns economic benefits and operational control to the MSO to the extent permitted by state law.

What triggers a Medicare change of ownership filing?

Under CMS regulations, a change of ownership occurs when a provider undergoes a stock sale affecting more than 50 percent of the ownership interest, an asset sale, a merger, or a consolidation. An asset purchase triggers a CHOW, and the buyer must file a CMS 855 enrollment application to obtain a new Medicare provider agreement before billing Medicare for services. A stock sale of a corporation generally constitutes a change of ownership if more than 50 percent of the ownership changes hands, at which point the buyer assumes the seller's existing Medicare provider agreement along with all of its liabilities.

What is the 36-month rule in Medicare provider enrollment?

The 36-month rule under 42 C.F.R. Section 489.18(d) provides that when a provider undergoes a change of ownership via asset sale, the new owner takes assignment of the existing Medicare provider agreement and is liable for overpayments made to the prior owner during the 36 months preceding the CHOW. This rule is a significant diligence and deal-structuring issue because the buyer in an asset purchase cannot eliminate Medicare billing liability through corporate separateness: RAC audit findings, overpayment demands, and False Claims Act exposure from the prior three years ride with the provider agreement to the new owner.

When must a HIPAA business associate agreement be executed in connection with a healthcare transaction?

A business associate agreement is required whenever a party performs services on behalf of a covered entity or another business associate that involve the use or disclosure of protected health information. In M&A diligence, the acquirer's counsel and financial advisors who receive PHI during due diligence must execute BAAs with the target before accessing patient-level data. At closing, the acquirer must also assess whether existing BAAs with the target's vendors, billing companies, IT providers, and other service organizations are assignable or must be renegotiated, because BAA gaps post-closing create HIPAA compliance exposure.

How long does state licensure transfer take and when should the process begin?

State medical board, DEA, and facility licensure transfers vary substantially by jurisdiction, with processing times ranging from 30 days to more than six months for some state health department facility licenses. The process should begin as early as possible after signing, ideally immediately after the parties have executed a letter of intent, because licensure gaps at closing can prevent the acquirer from billing payers or operating certain services. In deals with certificate of need requirements, the regulatory timeline for CON approval must be built into the closing schedule from the outset because CON proceedings can take six to eighteen months.

Which states require a certificate of need for physician practices or ASCs?

Approximately 35 states and the District of Columbia maintain some form of CON program, though the scope of coverage varies widely. States including New York, Massachusetts, Maryland, Georgia, and North Carolina require CON review for the establishment or acquisition of hospitals, ASCs, nursing homes, and certain other facilities. Some states exempt physician practices from CON requirements while imposing them on ASCs or hospital-based outpatient departments. Diligence must map the target's facilities and services against the CON statutes of each relevant state to identify approval requirements before the transaction is structured.

What are the SRDP and the OIG Self-Disclosure Protocol, and when should a party use them?

The Stark Law Self-Referral Disclosure Protocol (SRDP) is a CMS program that allows providers to voluntarily disclose actual or potential Stark Law violations and resolve them for less than the full statutory penalty. The OIG Self-Disclosure Protocol (SDP) provides a similar mechanism for resolving actual or potential Anti-Kickback Statute and False Claims Act violations. In M&A, when diligence uncovers a billing arrangement that does not fit within a Stark exception or AKS safe harbor, the parties must decide whether to disclose through SRDP or SDP, restructure the arrangement, or escrow proceeds pending resolution, because proceeding to close with known violations can extend liability to the acquirer.

Is representations and warranties insurance available for healthcare transactions?

R&W insurance is available for healthcare M&A but underwriters apply healthcare-specific exclusions and require more extensive diligence than in non-healthcare deals. Insurers typically exclude known Stark, AKS, and False Claims Act violations identified in diligence, and they scrutinize billing compliance, Medicare and Medicaid enrollment status, and HIPAA compliance before binding coverage. Retentions are often higher for healthcare transactions than for comparable commercial deals, reflecting the severity of government enforcement in the sector. Nonetheless, R&W insurance has become a meaningful tool for allocating healthcare regulatory risk between sellers and buyers when the diligence is thorough and the known risks are identified and priced.

Are MSO and friendly PC structures legally valid?

MSO and friendly PC structures are legally valid in states with corporate practice of medicine restrictions when they are properly documented and the physician retains genuine control over clinical decisions. The risk in a poorly structured MSO arrangement is that a court or regulator will look through the form to find that the non-physician entity is effectively practicing medicine or controlling referrals, which can void the management agreement, jeopardize licensure, and create AKS exposure. Validity depends on the specific terms of the management services agreement, the degree of physician autonomy preserved in clinical matters, and the consistency with which those terms are operated in practice.

What is a typical timeline for a healthcare M&A transaction?

A physician practice or ASC acquisition with regulatory complexity typically takes four to eight months from signed letter of intent to closing, compared to two to four months for a comparably sized non-healthcare business. The additional time reflects HIPAA diligence protocols, Stark and AKS compliance review, Medicare and Medicaid enrollment analysis, state licensure transfer preparation, and where applicable CON filings. Health system mergers involving hospital licensure, FTC or state antitrust review, and bond covenant compliance can take twelve to twenty-four months or longer. Building realistic regulatory timelines into the LOI and purchase agreement is essential to avoid closing failures.

Representing Buyers and Sellers in Healthcare Transactions

Acquisition Stars advises on physician practice acquisitions, ASC transactions, MSO formations, and health system M&A with the full range of healthcare regulatory, transactional, and integration counsel these deals require.
