In the United States, numerous state and federal laws and rules govern the healthcare industry. Parties buying healthcare companies must comply with myriad regulations to avoid substantial penalties, though, making healthcare acquisitions a complicated process. The MSBA recently presented the 2021 Legal Summit Series: Regulatory & Privacy Issues in Healthcare Acquisitions, which addressed many of these issues as they pertain to healthcare corporate acquisitions. The program featured Reza Ghafoorian, Esq. of G2Z Law Group, PLLC, and  Stefan Shaibani, Esq. of The Law Firm of Stefan Shaibani, PLLC. 

Mr. Ghafoorian noted there has been an increase in acquisitions of healthcare companies in the last decade, in part due to the passage of the Affordable Care Act in 2010 and changes in payment models. He explained that there are three different types of acquisitions of for-profit companies: purchases of the ownership interest of the target company by the buyer; purchases of all or substantially all of the assets of the target company; and, purchases of the ownership interests in the company that owns and operates the target.

The acquisition of a licensed healthcare facility involves six regulatory issues: transfer of licenses (e.g., State, Medicare, Medicaid, CHIP); transfer of Certificate of Need; state Attorney General approval for nonprofit, charitable hospitals; gaps in Medicare or Medicaid billing submissions; “successor Liability” for pre-closing violations of  applicable federal and state program regulations; and, gaps in activity-specific licenses, certificates, permits and accreditations. 

The transfer of a license is a state regulatory issue. States generally prohibit the sale or transfer of a healthcare facility license. Most states permit “change of control” in stock purchase deals, subject to notices and approvals. Maryland generally does not allow change of control or ownership deals, however, except under limited circumstances. In asset purchase deals, buyers typically have to obtain new licenses and will require time to do so. It is also critical to determine whether facility lease agreements or management contracts impose contractual limitations on the transfer of a license.

At the federal level, Medicare’s licensing rules govern three issues: the obligation of parties to file Form CMS-855A; the buyer’s right to use existing Medicare provider number and agreement of the healthcare facility being acquired; and the scope of “successor liability” for the  buyer arising from seller’s pre-closing actions. The transfer of Medicaid licenses is governed by state rules which track the federal change of ownership definitions. Generally, buyers must complete the Medicare approval for a transfer before applying for Medicaid change of control. Successor liability is governed by contract law and may not allow buyers to reject the assignment of the seller’s Medicaid participation agreement.

States that require a Certificate of Need, such as Maryland, generally allow a transfer along with a change of ownership in a business entity. Thy often require prior notice and approval of the transaction, however. For example, Maryland requires 30 days’ notice before acquisitions. As a result, agreements must be drafted to allow sufficient time for the pre-disclosure and procurement of the Certificate of Need prior to closing. 

Other permits and approvals may be necessary depending on the type of facility being acquired. For example, there are numerous additional laws that may apply when acquiring physician practices, such as Corporate Practice of Medicine laws, fee-splitting rules, laws pertaining to covenants not to compete and transfer of patient records. There are also implications for  Medicare billing.

Mr. Ghafoorian then discussed the state and federal fraud and abuse laws that must be considered in healthcare acquisitions, such as anti-kickback laws, false claim laws, and the Stark Law.  

Anti-kickback laws are federal criminal statutes that apply to both sides of the transaction. It prohibits the offering, giving, soliciting, and/or receiving remuneration as an inducement to refer, or in return for referring, an individual for an item or service for which payment, in whole or in part, is made under a federal health care program. The government must prove that an act was done knowingly and willfully in order for it to be considered a violation. Additionally, there are numerous safe harbors, that can protect people from criminal charges. People who violate federal anti-kickback laws may face criminal and civil penalties. Maryland has anti-kickback statutes as well that apply to many healthcare providers. 

Due diligence with regard to anti-kickback laws requires the review of financial agreements for any non-employee physicians and payment arrangements related to volume of referrals. Parties must also identify any arrangements designed to comply with an anti-kickback statute safe harbor and receive supporting documents. 

The Stark Law is a strict liability statute that prohibits physicians from making referrals to entities for the furnishing of certain “designated health services” (“DHS”) if payment will be made by the Medicare or Medicaid programs and the physician has a direct or indirect financial relationship with the entity. Sales of practices create a direct financial relationship, and all violating claims must be paid back. There are over 30 exceptions under the Stark Law that may apply to protect parties from violations. 

Due diligence under the Stark Law requires confirmation that no entity or individual in the transaction has been excluded and no exclusion proceedings are pending. It also requires determining ownership structure or the entity to identify any physicians holding an ownership stake in the entity and cross-checking against the referral source for the entity. Parties must also identify arrangements the target entity believes are exceptions to the Stark Law with supporting documents. Maryland has self-referral prohibition laws as well, that are much more broad than the federal law. 

HIPAA and other privacy laws and regulations may apply in acquisitions as well, which may require review of policies and procedures, written business associate agreements, and notices of privacy practices.  Parties should also appoint privacy and security officers to oversee compliance, perform risk and compliance assessment audits, and institute administrative, technical and physical safeguards.

You can view the presentation here