Healthcare Practice Acquisition: The Complete Legal Framework

A healthcare staffing company owner received a $340K offer for her practice. The buyer's purchase agreement looked straightforward: asset purchase, standard representations and warranties, 90-day transition period. What the agreement did not address: the Medicare provider enrollment transfer (which can take 90 or more days and creates a billing gap if not handled proactively), the patient notification requirements under state law, the tail malpractice coverage the seller would need to purchase at her own expense, and the non-compete clause that restricted her from working in healthcare staffing anywhere within 50 miles for three years.

Healthcare practice acquisitions are not standard business transactions with a medical license attached. They are transactions where federal healthcare law, state regulatory frameworks, payer relationships, and patient care continuity create compounding layers of complexity that affect every document in the deal. The purchase agreement, the transition plan, the MSO structure, the post-closing employment arrangement, and the representations and warranties all require healthcare-specific legal analysis that goes well beyond general M&A practice.

This guide covers the complete legal framework for buying or selling a healthcare practice: the regulatory overlay, deal structure options, due diligence categories, and the specific compliance issues that determine whether a transaction closes cleanly or surfaces problems after the fact.

Every industry has regulatory considerations in M&A transactions. Healthcare is different in degree and in kind. In a standard business acquisition, the legal framework governs the transaction itself: whether the parties can contract, what representations survive, how disputes are resolved. In healthcare, the legal framework governs the underlying business model, and a transaction that violates it does not just create liability for the deal. It can unwind the business operations entirely.

The federal healthcare fraud and abuse statutes, primarily the Stark Law and the Anti-Kickback Statute, apply to virtually every financial arrangement between a healthcare practice and any entity that refers to it or receives referrals from it. These statutes reach into the acquisition itself: the purchase price, the transition employment arrangement, the management fee in an MSO structure, and any ongoing relationship between buyer and seller post-closing. An acquisition price that exceeds fair market value for a practice with substantial federal program volume can be characterized as a payment for referrals.

State law adds another layer. The Corporate Practice of Medicine doctrine restricts who can own a medical practice in most states, which means that the most common buyer class in other industries, private equity and non-operating investors, cannot simply acquire a medical practice directly. The transaction must route through a compliant MSO structure that satisfies both state CPOM requirements and federal fraud and abuse law simultaneously.

Provider enrollment, payer contracting, and patient record transfer all have mandatory processes with defined timelines that are not compressible by agreement between the parties. The closing date on a healthcare acquisition does not mean the buyer can immediately bill patients, prescribe controlled substances, or transfer patient records without regulatory action. The transaction timeline must be built around these regulatory processes, not the other way around.

This is why healthcare practice acquisitions require attorneys with depth in both M&A mechanics and healthcare regulatory law. Competence in one without the other produces agreements that are either commercially unworkable or legally non-compliant.

The Stark Law (formally the Ethics in Patient Referrals Act, 42 U.S.C. 1395nn) is a strict liability statute. It prohibits a physician from making a referral to an entity for the furnishing of designated health services (DHS) payable by Medicare or Medicaid if the physician has a financial relationship with that entity, unless a specific statutory or regulatory exception applies. There is no intent requirement. A transaction that violates Stark does not require proof that anyone knew it was improper.

Designated health services include clinical laboratory services, physical and occupational therapy, radiology, outpatient prescription drugs, inpatient and outpatient hospital services, and several other categories. For a practice that refers to any of these service lines and bills Medicare or Medicaid, Stark analysis is mandatory before finalizing the transaction structure.

In an acquisition, Stark issues arise in several places. The purchase price itself can be a Stark problem if it is set above fair market value for a practice with substantial Medicare referral volume. Transition employment arrangements, where the seller stays on as an employed physician after closing, must satisfy the bona fide employment exception. Any arrangement where the buyer will receive referrals from the selling physician post-closing, including a consulting arrangement or a lease of office space, must fit within a recognized exception. The Stark and Anti-Kickback framework applies to the ongoing business operations, not just the closing.

Penalties for Stark violations include denial of Medicare and Medicaid claims, repayment of amounts improperly received, civil monetary penalties, and exclusion from federal healthcare programs. Depending on accompanying conduct, violations can also trigger False Claims Act exposure with treble damages and significant per-claim penalties.

The Anti-Kickback Statute (42 U.S.C. 1320a-7b(b)) prohibits knowingly and willfully offering, paying, soliciting, or receiving any remuneration to induce or reward referrals of items or services covered by federal healthcare programs. Unlike the Stark Law, AKS is an intent-based criminal statute. A violation requires proof that the defendant knew the arrangement was improper and intended to induce referrals. This distinction matters in practice, but the consequences of an AKS violation are severe enough that the statute must be treated as a strict guardrail in transaction structuring.

The government has established a series of regulatory safe harbors that, if fully satisfied, immunize an arrangement from AKS liability. Key safe harbors for healthcare transactions include the sale of practice safe harbor, which protects payments made in connection with a legitimate sale of a practice where the seller is in a position to refer; the employee safe harbor, which covers bona fide employment relationships where compensation is for services actually performed; the personal services and management contracts safe harbor, which applies to management services agreements between MSOs and clinical entities; and the investment interests safe harbor, which covers certain investment arrangements.

Failure to satisfy every element of a safe harbor does not automatically create AKS liability, but it removes the immunity. Arrangements outside a safe harbor are evaluated under a totality-of-the-circumstances analysis. The central question is whether the arrangement has a purpose of inducing or rewarding referrals. An acquisition structured with an above-market purchase price, a below-market leaseback, or a compensation arrangement tied to referral volume will not survive that analysis.

In practice, every post-closing financial arrangement between the buyer entity and any physician who refers to the practice should be reviewed against applicable safe harbors. This includes employment compensation, management fee structures, and any ancillary service arrangements. The Stark and AKS compliance framework must be integrated into the deal structure documents, not addressed as a compliance afterthought.

The Corporate Practice of Medicine doctrine is a state law principle, not a federal statute. Its scope and enforcement vary significantly across states, but in most states with active CPOM law, the core prohibition is this: non-physician entities may not employ physicians to practice medicine, own a medical practice, or exercise control over clinical decisions. The theoretical basis is that allowing business entities to employ physicians creates incentives for commercial interests to override clinical judgment.

States with strong CPOM enforcement include California, Texas, New York, Illinois, and Michigan, among others. A few states, including New Jersey and Maryland, have relatively permissive frameworks that allow non-physician ownership under certain conditions. Most states fall somewhere in between, with CPOM principles recognized but enforcement focused on egregious cases.

The practical consequence for acquisitions is that non-physician buyers, including private equity firms, hospital systems in some states, and individual non-physician investors, cannot directly acquire a medical practice in most states. The transaction must route through an MSO structure where the non-physician entity owns the management services company and the non-clinical assets, while a physician-owned professional entity holds the clinical license and employs the physicians.

CPOM analysis must be conducted on a state-by-state basis for any transaction involving practices in multiple jurisdictions. A structure that is compliant in one state may violate CPOM in another, and multi-state practices require bespoke structuring for each state. Texas, notably, has tightened its CPOM enforcement posture in recent years and requires close analysis of MSO structure design for practices operating there.

The Management Services Organization structure is the standard vehicle for non-physician acquisition of medical practices in CPOM states. Understanding how it works, and where it can fail, is essential for anyone involved in healthcare M&A.

In a typical MSO structure, the transaction closes as follows. The non-physician buyer (or investment vehicle) acquires the non-clinical assets of the practice: equipment, furniture, leasehold interests, billing systems, technology infrastructure, trade name, and administrative staff. This entity becomes the MSO. A physician, or a physician-owned entity, either continues in place or is newly formed to hold the clinical license, employ the physicians, and provide medical services to patients.

The MSO and the physician-owned clinical entity (often called the PC or the OpCo) enter into a long-term management services agreement. The MSO provides facilities, staff, billing services, technology, and management expertise. The PC pays a management fee to the MSO for these services. The management fee is typically structured as a percentage of collections or a fixed fee with a variable component, and must be set at fair market value for the services provided.

The MSO structure must be designed so that the MSO does not exercise de facto control over clinical decisions. The management services agreement cannot give the MSO the right to direct patient care, override physician judgment, or control hiring and firing of clinical staff. These provisions, even if not exercised in practice, can undermine CPOM compliance if present in the documents. At the same time, the MSO needs sufficient contractual control to protect its economic interests and operational investment.

The management fee, the term of the management services agreement, the assignment provisions, and the rights of each party on termination are all negotiating points that require both CPOM compliance and commercial durability. An MSO structure that passes regulatory review but creates a commercially unstable arrangement will eventually produce a dispute that surfaces the compliance question in litigation.

The Health Insurance Portability and Accountability Act governs the use and disclosure of protected health information (PHI) and applies to every healthcare practice acquisition. HIPAA issues arise at three points in a transaction: during due diligence, at closing, and post-closing during the transition period.

During due diligence, the buyer needs access to financial and operational information that may be intertwined with patient data. Patient records must be de-identified before disclosure to the buyer. Practice management system reports, billing data, and clinical utilization analyses should be provided in aggregate or de-identified form. The data room setup for a healthcare acquisition requires more care than for a standard business transaction.

At closing, the treatment of patient records depends on deal structure. In an asset purchase, the buyer is not automatically the successor in interest to the seller's HIPAA covered entity status. The purchase agreement should include provisions establishing that the transfer of patient records complies with the HIPAA successor-in-interest rule or, where that rule does not apply, with applicable patient authorization requirements. State privacy laws may impose additional restrictions.

Business Associate Agreements require specific attention. A BAA is required for every third-party vendor or service provider that creates, receives, maintains, or transmits PHI on behalf of the covered entity. At acquisition, the buyer should audit all existing BAAs, identify gaps and outdated terms, and execute updated agreements with current vendors under the buyer's entity. The transition to the buyer's EHR system, billing platform, and administrative software all generate BAA requirements. Any gap in BAA coverage creates regulatory exposure under the HIPAA enforcement framework.

The purchase agreement should include seller representations about HIPAA compliance status, breach notification history, and active BAAs. Indemnification obligations for pre-closing HIPAA violations should extend for the applicable statute of limitations period. For a detailed treatment of the HIPAA compliance requirements in acquisitions, see our guide on HIPAA compliance in healthcare acquisitions.

Provider credentialing is the process by which insurance payers verify that a provider meets their requirements and authorize them to bill under the payer contract. Credentialing is provider-specific and entity-specific. When a practice changes ownership, the buyer's providers must be credentialed with each payer under the new entity. This process does not happen at closing. It runs on payer timelines that typically range from 60 to 120 days and sometimes longer.

The credentialing gap is one of the most consistently underestimated issues in healthcare acquisitions. A buyer who closes on January 1 may not be able to bill a major commercial payer or Medicare under their own credentials until April. During that period, the practice is providing services that cannot be billed, or billing under the seller's credentials under a transition arrangement that has its own compliance requirements.

Credentialing applications should be submitted as early as possible, typically before the letter of intent stage for some payers. The transaction timeline should be set to allow credentialing to progress in parallel with the legal process so that payer approvals are in hand or imminent at closing. The deal structure should address the credentialing gap explicitly: who bears the revenue risk, how the transition billing arrangement works, and what happens if credentialing is delayed beyond the transition period.

Different payer types have different credentialing processes. Medicare enrollment through CMS follows a defined federal process with set timelines. Commercial payer credentialing is payer-specific, with each major carrier running its own process. Managed Medicaid credentialing is administered by state Medicaid managed care organizations and varies by state. A practice with 15 payer contracts may have 15 separate credentialing timelines running simultaneously. The acquisition team should track each one.

A Change of Ownership filing is required whenever a Medicare or Medicaid enrolled provider changes ownership in a way that constitutes a CHOW under CMS regulations. The CHOW rules differ between asset purchases and stock purchases, and getting this wrong creates either a billing gap or unintended assumption of the seller's Medicare liabilities.

In a stock purchase, the change of ownership is generally treated as a change of ownership by operation of law. The buyer steps into the seller's shoes as the provider of record, including assuming all existing Medicare billing history, compliance record, and any outstanding overpayment obligations. The provider agreement transfers automatically. This can be advantageous when the seller has strong payer relationships, but it exposes the buyer to any pre-existing compliance issues, including pending audits, recoupment demands, and extrapolation risk from prior billing patterns.

In an asset purchase, the buyer must enroll as a new provider because they are not the legal successor to the selling entity. The buyer files a new enrollment application with CMS (Form CMS-855A for institutional providers, Form CMS-855I for individual practitioners). Until enrollment is approved, the buyer cannot bill Medicare under their own enrollment. A transition arrangement, typically a temporary billing agreement with the seller, must bridge the gap.

State Medicaid CHOW processes run in parallel with Medicare and vary significantly by state. Each state Medicaid agency has its own enrollment forms, documentation requirements, and processing timelines. Multi-state practices face multiple simultaneous Medicaid CHOW processes, each with its own requirements. The post-closing billing plan must account for every state Medicaid program where the practice has enrolled providers.

CHOW filings are time-sensitive. CMS regulations require notification of a CHOW within a set period, and failure to timely notify can result in retroactive billing problems. The closing date, transition services agreement, and CHOW filing timeline must be coordinated carefully.

Healthcare practices operate under a matrix of state licenses, permits, and facility approvals that do not transfer automatically on a change of ownership. The buyer must identify all required licenses and permits for the practice, determine whether each requires notification, approval, or a new application at closing, and build the compliance timeline around those requirements.

Every state requires individual practitioners to hold state licenses issued by the relevant licensing board. These licenses are personal to the practitioner and are not affected by the practice's change of ownership. However, the practice entity itself may hold facility licenses, operating certificates, or specialty permits that are issued to the entity rather than the individual. These entity-level licenses may require notification or re-application at change of ownership.

Certificates of Need (CON) deserve special attention. CON states require regulatory approval before establishing or acquiring certain healthcare facilities. CON certificates are typically non-transferable, meaning that an acquisition that purports to transfer a CON may require regulatory approval that functions like a new CON application. If the target practice holds a CON, the transaction timeline and regulatory strategy must account for CON transfer or re-application.

Ambulatory surgical centers, clinical laboratories (under CLIA), radiological facilities, and substance abuse treatment programs each carry specialty licensing requirements that vary by state. Due diligence should identify every active license and permit held by the practice entity, assess the transfer requirements for each, and develop a pre-closing and post-closing compliance plan. States may impose fines or require suspension of operations for unlicensed operation during a transition period.

DEA registrations are not transferable. This is a hard rule with practical consequences for any healthcare practice that handles controlled substances. When a practice changes ownership, the new entity must obtain its own DEA registration before it can handle, dispense, or prescribe controlled substances under that entity's name. DEA registration applications are submitted to the DEA and processed at DEA timelines, which can run several weeks or longer.

The gap between closing and DEA registration approval requires a specific operational plan. The seller's DEA registration cannot be used by the buyer after the practice transfer. Controlled substance inventory must be handled through a defined process: either transferred to the seller (who retains their registration until their license terminates), disposed of in compliance with DEA disposal regulations, or managed under an interim arrangement that maintains clear chain of custody.

State-level controlled substance registration is a separate issue. Most states require practitioners and practice entities to hold state-level controlled substance registrations or authorizations in addition to federal DEA registration. These state registrations are also non-transferable and require new applications at change of ownership. The due diligence checklist should identify all active DEA and state controlled substance registrations, confirm they are current and in good standing, and plan for the transition period.

Practices where controlled substance prescribing is central to clinical operations, including pain management, addiction treatment, and some psychiatric practices, face the most significant operational risk during the DEA registration gap. The transition plan, including interim prescribing arrangements where individual physicians use their personal DEA registrations, must be documented and reviewed for compliance before closing.

Healthcare practice due diligence covers all standard business due diligence categories plus several industry-specific areas. Missing any of these creates post-closing compliance failures or revenue disruption that could have been priced into the deal or structured around.

A billing and coding audit is a standard component of healthcare practice due diligence and serves multiple purposes. It validates the revenue figures the buyer is relying on for valuation, identifies pre-existing compliance risk that the buyer may assume on closing, and establishes a baseline for post-closing billing practices.

The audit should review a statistically significant sample of claims across all major service lines and payer types. Reviewers examine whether services were documented at the level billed, whether modifiers were used appropriately, whether evaluation and management codes reflect the documented complexity, and whether any pattern of systematic upcoding or unbundling is present. Industry-standard audit methodologies use random sampling with extrapolation protocols developed by the OIG and CMS.

If the audit identifies material compliance issues, the buyer has several options. The problem can be priced into the deal through a purchase price reduction. A portion of the purchase price can be held in escrow pending resolution of identified compliance obligations. The seller can be required to self-disclose to the OIG before closing, which carries its own timeline and process. Or the buyer can walk away from the transaction if the risk is not quantifiable.

What the buyer should not do is close knowing of a billing compliance issue without addressing it. A buyer who closes with knowledge of systematic false claims and continues the billing practice inherits both the pre-closing exposure and generates new exposure. The False Claims Act's qui tam provisions allow employees and competitors to file whistleblower suits based on information they obtain after joining the practice, even if the original misconduct predates the acquisition.

The purchase agreement should require the seller to represent that billing practices have been conducted in material compliance with applicable laws, that no overpayment obligations are outstanding, and that no RAC, MAC, or OIG audits are pending. These representations should survive closing with an indemnification obligation that extends for the applicable statute of limitations.

Commercial payer contract review is a critical component of healthcare practice due diligence that is often underweighted. Payer contracts determine the actual revenue per service line, and they contain terms that can significantly affect the economics of the post-closing practice.

Key contract provisions to review include reimbursement rates and the methodology used to calculate them (fee schedule, percentage of Medicare, or reference-based pricing), termination provisions (notice periods, termination for convenience clauses, and automatic termination triggers), assignment and change-of-control provisions (whether the contract survives a change of ownership, requires payer consent, or terminates automatically), and most-favored-nation clauses that limit the practice's ability to offer better rates to other payers.

Reference-based pricing arrangements, where payers reimburse at a percentage of Medicare rates rather than a contracted fee schedule, require particular attention in acquisition diligence. The Medicare rate basis changes with annual fee schedule updates, meaning that a contract written as "120% of Medicare" will generate different revenue each year as CMS adjusts the fee schedule. Understanding the effective rates under reference-based pricing requires mapping each major service code to current Medicare rates.

Payer contracts that have assignment restrictions can create significant post-closing problems in an asset purchase. If a major commercial payer's contract prohibits assignment without payer consent, and consent is not obtained before closing, the buyer may find that the payer considers the contract terminated at closing and requires a new contracting process. New contracting with a major payer can take six to 12 months. During that period, the buyer is billing that payer as out-of-network, which typically results in significantly lower reimbursement and patient balance billing issues.

Patient records are simultaneously one of the most valuable assets in a healthcare practice acquisition and one of the most regulated. The transfer process requires compliance with HIPAA, state privacy laws, professional licensing requirements, and practical operational planning. Getting this wrong creates regulatory exposure, patient relations problems, and malpractice risk.

Non-compete agreements in healthcare practice sales occupy a different legal landscape than general commercial non-competes. Several states treat physician non-competes under specific statutory frameworks that differ from the general non-compete analysis. And courts evaluating physician non-competes consider a factor that does not arise in other industries: the impact of the restriction on patient access to care.

The enforceability analysis for a physician non-compete in a practice sale typically examines four factors: geographic scope (is the radius reasonably related to the practice's actual patient draw area?), duration (is the time period no longer than necessary to protect the buyer's legitimate interest?), scope of restricted activity (is the restriction limited to the physician's actual specialty or does it sweep in all healthcare?), and patient access considerations (does enforcement leave patients without a provider in an underserved area?).

For buyers, the non-compete protects the acquisition investment by preventing the seller from immediately reopening across the street and taking patients. The non-compete must be specific enough to be enforceable while broad enough to actually protect the investment. A 10-mile radius is meaningless in a rural market where patients drive 40 miles to see a specialist. A 50-mile radius may be unenforceable in an urban market where multiple competing providers operate within a smaller area.

For sellers, the non-compete directly affects post-sale career options. A physician who has spent a career in a specialty and a geography is agreeing, in the most extreme versions of these clauses, to either leave medicine for the duration or relocate. Negotiating the scope of the restriction, including carve-outs for teaching, research, administrative roles, consulting, and telehealth, is an important element of the seller's legal representation.

States with specific physician non-compete statutes or particularly restrictive case law include California (which does not enforce physician non-competes except in narrow circumstances), Delaware, Massachusetts (new restrictions on non-compete enforceability), and Texas (specific healthcare non-compete requirements). An agreement drafted under Michigan law may not function as intended for a physician who practices across state lines.

The representations and warranties section of a healthcare practice purchase agreement must go substantially beyond what appears in a standard business acquisition agreement. Healthcare-specific representations address regulatory compliance categories that have no equivalent in other industries and that carry liability exposure well beyond the purchase price in severe cases.

Standard healthcare acquisition representations include: regulatory compliance (the practice has operated in compliance with all applicable federal and state healthcare laws, including Stark, AKS, False Claims Act, and state equivalents); licensure (all required licenses, permits, and registrations are in good standing and no revocation or suspension is pending or threatened); provider enrollment (the practice and all providers are properly enrolled with Medicare and Medicaid and no enrollment sanction is in effect); exclusions (no provider or key employee is excluded from participation in federal healthcare programs); and billing practices (claims have been submitted accurately and in compliance with applicable billing rules).

The survival period for healthcare regulatory representations should be longer than the standard 12 to 18 months that applies to general business representations. Healthcare fraud claims can be filed for years after the underlying conduct. The purchase agreement should provide that healthcare regulatory representations survive for a period co-extensive with the applicable statute of limitations for the most serious applicable claims. Indemnification obligations for regulatory representation breaches should be subject to a higher cap than general warranty breaches, or uncapped for fraud.

Representation and warranty insurance is available for healthcare transactions but requires underwriters who understand healthcare regulatory risk. Standard R&W policies often exclude known HIPAA violations, pending government investigations, and specific billing compliance issues identified in due diligence. The exclusions must be reviewed carefully. A policy that excludes the primary risks in healthcare is not providing the coverage the buyer believes they are purchasing.

Fraud and abuse representations in a healthcare purchase agreement are a distinct category that addresses the specific federal healthcare fraud statutes. These representations go beyond general compliance warranties because the potential liability from healthcare fraud violations is categorically different from general contract or regulatory liability.

The purchase agreement should include seller representations covering: no pending or threatened investigation by the OIG, CMS, Department of Justice, or state healthcare fraud authority; no current or prior exclusion from Medicare, Medicaid, or any other federal healthcare program; no outstanding overpayment obligations or repayment agreements with CMS, state Medicaid agencies, or commercial payers; no billing practices that resulted in the knowing submission of false or fraudulent claims; no self-disclosure agreements with the OIG or CMS that are currently pending; and no current or prior participation in any government-identified fraud scheme or settlement.

The seller's representations about Stark Law and Anti-Kickback compliance should be specific. General compliance representations may not capture the specific arrangements that create Stark or AKS risk. The representation should address: all financial arrangements between the practice and referring physicians have been structured to satisfy applicable Stark exceptions; no arrangement with a referral source involves compensation tied to referral volume; all management fees and compensation arrangements have been set at fair market value based on documented methodology.

For transactions where due diligence revealed specific concerns, the purchase agreement may include a disclosure schedule that qualifies these representations. Disclosed items generally do not give rise to indemnification claims (because the buyer accepted known risk), but they may require escrowed funds, purchase price adjustments, or specific indemnification carve-outs depending on the severity of the disclosed issue.

The fundamental choice between an asset purchase and stock purchase applies in healthcare transactions with additional considerations that arise from the regulatory environment.

Asset purchases dominate healthcare practice acquisitions for several reasons. The buyer selectively assumes liabilities, which is critical in a sector where undisclosed compliance liabilities and malpractice exposure can be substantial. The buyer obtains a stepped-up tax basis in acquired assets. The buyer establishes new provider enrollment rather than inheriting the seller's billing history, compliance record, and potential outstanding overpayment obligations. And the buyer avoids successor liability for pre-closing malpractice claims, which in an occurrence-based malpractice policy environment means the seller is responsible for claims arising from pre-closing incidents.

Stock purchases are used when the practice holds non-assignable payer contracts that would be disrupted by an asset transfer and payer consent cannot be obtained in advance. They are also used when the entity holds a Certificate of Need or other non-transferable license, when the MSO structure requires the clinical PC to continue as a going concern, or when the tax analysis makes the stock purchase more efficient for both parties. The buyer in a stock purchase must be prepared to inherit the seller's full compliance history, including anything that due diligence did not surface.