Healthcare M&A Due Diligence: Navigating HIPAA, Stark Law, and Regulatory Complexity
Key Takeaways
- Healthcare transactions require diligence across three overlapping regulatory regimes: federal (HIPAA, Stark, Anti-Kickback), state (licensing, CON, scope-of-practice), and payer-specific (Medicare/Medicaid enrollment, commercial payer contracts)
- HIPAA compliance failures discovered post-closing become the buyer's liability, making pre-closing assessment of privacy practices, breach history, and business associate agreements a non-negotiable diligence item
- Stark Law and Anti-Kickback Statute exposure often hides in physician compensation arrangements that appear routine but fall outside safe harbor protections
- Payer contract assignment provisions and change-of-control triggers can threaten the target's revenue base if not identified and addressed before closing
Healthcare M&A due diligence is the process of evaluating the legal, regulatory, and operational risks specific to acquiring a healthcare business. It extends far beyond standard corporate diligence because healthcare targets operate under overlapping federal and state regulatory regimes that impose ongoing compliance obligations, restrict business arrangements, and create successor liability that follows the acquired entity through a change of ownership.
Federal Regulatory Diligence
HIPAA Compliance
The Health Insurance Portability and Accountability Act governs how covered entities and their business associates handle protected health information. In M&A, HIPAA creates two distinct diligence obligations: assessing the target's compliance posture and managing PHI during the diligence process itself.
Compliance assessment. Review the target's HIPAA compliance program comprehensively:
- Privacy policies and procedures, including Notice of Privacy Practices
- Security risk assessments and remediation plans
- Breach notification history, including any incidents reported to HHS
- Business associate agreements with all vendors that access PHI
- Employee training records and compliance attestations
- Physical, technical, and administrative safeguards in place
A target with a history of breaches, incomplete risk assessments, or missing business associate agreements represents a compliance liability that transfers to the buyer. Price adjustments, enhanced indemnification, or compliance remediation obligations should be negotiated based on findings.
Diligence process protections. The buyer's diligence team must handle PHI encountered during review in compliance with HIPAA. This typically means executing a business associate agreement before PHI is shared, limiting access to need-to-know personnel, and ensuring any PHI received is secured and returned or destroyed after the transaction.
Stark Law and the Anti-Kickback Statute
The Stark Law prohibits physician self-referrals for designated health services payable by Medicare or Medicaid. The Anti-Kickback Statute prohibits offering, paying, soliciting, or receiving anything of value to induce referrals for items or services reimbursable by federal healthcare programs.
These statutes create some of the most consequential risks in healthcare M&A because violations can result in False Claims Act liability, exclusion from federal healthcare programs, and civil monetary penalties.
Where to look:
- Physician compensation arrangements including employment agreements, independent contractor agreements, medical director agreements, and personal services agreements. Evaluate whether compensation is at fair market value and commercially reasonable, and whether the arrangement meets an applicable exception or safe harbor.
- Lease arrangements with referring physicians. Below-market or above-market rents can implicate both statutes.
- Equipment and space sharing arrangements that lack formal written agreements.
- Joint ventures and co-investment opportunities offered to referring physicians.
- Recruitment and retention agreements that provide financial incentives tied to referral volume.
Structured contract extraction across the target's physician arrangements can identify compensation terms, referral obligations, and exclusivity provisions that require Stark and Anti-Kickback analysis. The volume of physician contracts in many healthcare targets makes manual review of every arrangement impractical without technology assistance.
Medicare and Medicaid Compliance
Beyond Stark and Anti-Kickback, review the target's compliance with Medicare and Medicaid program requirements:
- Billing practices and coding accuracy (identify any history of overpayment demands or audit activity)
- Compliance program effectiveness (existence and operation of a compliance officer, hotline, and training)
- Government investigation history (subpoenas, Civil Investigative Demands, whistleblower actions)
- Excluded individuals and entities (confirm no employees or contractors appear on the OIG exclusion list)
State Regulatory Diligence
Licensing and Permits
Healthcare businesses operate under state-issued licenses that may or may not transfer automatically in a change of control.
- Facility licenses (hospitals, ambulatory surgery centers, nursing facilities, clinics)
- Professional licenses (physician, nursing, pharmacy, laboratory)
- State-specific health plan licenses (if the target operates a managed care organization)
- Controlled substance registrations (DEA and state pharmacy board)
In asset acquisitions, new license applications are often required. In stock acquisitions, change-of-ownership notifications are typically mandatory. Either path adds time to the closing timeline and requires early identification during diligence.
Certificate of Need
Approximately 35 states maintain certificate of need programs that require regulatory approval before certain healthcare facilities can be established, expanded, or transferred. CON requirements vary significantly by state and by type of facility.
In M&A transactions, CON requirements can:
- Require a new CON application for the change of ownership
- Impose conditions on the approval (capital expenditure commitments, community benefit requirements)
- Add months to the closing timeline due to application processing and public hearing requirements
Identify CON applicability in the first week of diligence. If a CON is required, it often becomes the longest item on the closing critical path.
Payer Contract Diligence
Payer contracts represent the target's revenue infrastructure. Commercial insurance agreements, Medicare participation, and Medicaid enrollment collectively determine the rates the target receives for services rendered.
Commercial Payer Agreements
Review all commercial payer contracts for:
- Assignment and change-of-control provisions that could allow the payer to terminate or renegotiate upon a transaction
- Rate terms and escalation mechanisms to assess revenue sustainability
- Termination provisions including notice periods and without-cause termination rights
- Most-favored-nation clauses that could be triggered by the combined entity's scale
- Network participation requirements and exclusivity restrictions
Government Program Enrollment
Medicare and Medicaid enrollment does not automatically transfer in all deal structures.
- Stock acquisitions generally preserve existing Medicare and Medicaid enrollment, subject to change-of-information reporting requirements
- Asset acquisitions may require new enrollment applications, which can take months to process and create a gap in reimbursement eligibility
- Provider numbers and NPIs must be evaluated for transferability based on the deal structure
The revenue impact of a gap in government program enrollment can be significant. Structure the transaction to minimize enrollment disruption, and identify enrollment requirements early enough to begin the application process before closing.
Employment and Workforce Considerations
Healthcare workforce diligence has unique dimensions beyond standard employment agreement review:
- Physician non-compete agreements may be unenforceable in some states and create retention risk in others
- Medical staff bylaws and credentialing requirements in hospital acquisitions
- Union agreements covering nursing or support staff
- Locum tenens and staffing agency agreements that represent ongoing operational costs
- Professional liability insurance coverage and tail policy requirements
Putting It All Together
Healthcare M&A diligence is inherently more complex than standard corporate diligence because the regulatory overlay is thicker, the compliance consequences are more severe, and the revenue dependencies are more concentrated.
The deal teams that manage this complexity effectively share a common approach: they identify regulatory requirements early, run workstreams in parallel, and use technology to accelerate the document review phase so attorneys can spend their time on the regulatory analysis that requires professional judgment.
AI-powered contract review is particularly valuable in healthcare transactions because the volume of physician agreements, payer contracts, and vendor arrangements often exceeds what can be reviewed manually within a typical diligence timeline. Extracting key provisions across hundreds of agreements simultaneously gives the deal team the data foundation for the regulatory analysis that drives deal structure and pricing.
Frequently Asked Questions
What are the biggest regulatory risks in healthcare M&A?
The three largest regulatory risks in healthcare M&A are HIPAA compliance failures that create successor liability, Stark Law and Anti-Kickback Statute violations embedded in physician compensation and referral arrangements, and state licensing requirements that may not automatically transfer in a change of control. Each can result in significant financial penalties, exclusion from federal healthcare programs, or loss of the ability to operate. Identifying these risks during diligence is essential to accurate deal valuation.
Do HIPAA obligations transfer to the buyer in a healthcare acquisition?
Yes. In an asset acquisition, the buyer becomes a successor entity with obligations regarding the acquired protected health information (PHI). In a stock acquisition, the buyer inherits all existing HIPAA obligations and any liability for prior breaches. Due diligence should assess the target's HIPAA compliance program, breach notification history, business associate agreements, and data security practices. Purchase agreement representations should specifically address HIPAA compliance and known breaches.
How do payer contracts affect healthcare M&A transactions?
Payer contracts are often the target's largest revenue source. Many commercial payer agreements contain change-of-control provisions that allow the payer to terminate or renegotiate rates upon a transaction. Medicare and Medicaid enrollment may require new applications or reassignment. Diligence should identify all assignment restrictions, change-of-control triggers, rate renegotiation rights, and termination provisions across the target's payer mix to assess revenue continuity risk.
What is a certificate of need and how does it affect M&A?
A certificate of need (CON) is a state regulatory approval required before certain healthcare facilities can be established, expanded, or in some states, transferred through a change of ownership. Approximately 35 states maintain some form of CON program. In M&A transactions, CON requirements can add months to the closing timeline and may require regulatory filings, public hearings, and conditions on approval. Identifying CON requirements early in diligence is critical to realistic timeline planning.