1. Introduction
According to the 2021 ABA Private Target Mergers Acquisitions Deal Points Study, 99% of the acquisition agreements studied included a “compliance with all laws” (Compliance) representation and warranty (RW). Within those RWs reviewed, 82% included some RW on whether the target received notice of a violation or law, 30% included some RW on whether the target received notice of an investigation of a violation of law, 19% were RWs that covered past and present compliance, and 2% included some type of knowledge qualifier. While the study includes health care deals (the largest portion of the deals, at 15.4%), it also included approximately 14 other industry sectors.
It isn’t surprising to see such a high level of Compliance RW inclusion in transaction documents. In fact, it would seem odd not to expect a seller or borrower to agree to the most basic of RWs, which often can be as simple as:
Compliance with Law. Seller has, since X, complied, in all material respects, with all provisions of all foreign, federal, state and local laws and regulations relating to Sellers and the Company’s business, including, but not limited to, those relating to Seller’s ownership of real or personal property, the conduct and licensing of the Company’s business, and all environmental matters.
However, there are significant reasons why, despite the generality and wide scope of most Compliance RWs, that such an RW just isn’t enough in a health care transaction.
The U.S. health care industry represents a significant portion of the U.S. economy. It is one of the largest portions of U.S. gross domestic product (GDP). The U.S. Centers for Medicare and Medicaid Services (CMS) reported that in 2020, the overall share of U.S. GDP related to health care spending was 19.7%. That figure is now likely a bit of an outlier because, according to Health Affairs, “[US] health care spending increased 9.7 percent to reach $4.1 trillion in 2020, a much faster rate than the 4.3 percent increase experienced in 2019.” The significant increase from 2019 to 2020 was the result of federal expenditures for health care that were mostly in response to the COVID-19 pandemic. However, while that 19.7% share may shrink a bit in the coming years to 18% or so, its still expected to come back to that level by 2030. All in all, the health care industry is a large portion of the U.S. economy and is steadily growing. Health care transactions continue to grow in number and size each year.
While health care is a large business in the United States, it is also personal; life and limb are literally at stake. In that respect, as the number of practitioners and treatment providers grew and as technology changed how care can be and is provided, government-imposed guard rails (i.e., regulation) grew and became more prevalent. Depending on what data is being used and the source of the data, the U.S. health care industry is the most, the second-most, or at least in the top 10 of the most regulated industries in the country. Often that estimation of how highly regulated the industry is includes the regulation of health care providers and suppliers and manufacturers of supplies, drugs, and medical devices.
While we address broader issues relating to the need for robust industry-specific RWs in health care–related transactions in this article, it’s important to note at the outset the two large issues that make transactions involving health care businesses different from, for example, the sale of a paper mill. First, as we’ve mentioned, health care involves life and limb, and most, if not all, health care businesses carry some level of special risk to the clients, consumers, patients, etc. associated with that business. Second, the significant regulation in the industry and risks relating to non-compliance call for different treatment of the promises and expectations agreed to between buyer and seller or lender and borrower.
2. Material Risks in a Highly Regulated Industry
A comprehensive discussion of every liability risk that could be present in a health care transaction is well beyond the scope of this article. However, an overview of some of the material risks that exist in health care transactions is important to understanding the need for robust industry-specific RWs. These material risks include government reimbursement, fraud and abuse, licensure, excluded parties, and health care privacy-related issues.
a. Government Reimbursement
To participate in federal health care programs (FHCPs), health care businesses agree to comply with a significant regulatory framework, mostly in the form of requirements for participation and specific requirements relating to the submission of claims for services or supplies provided.
Material liability risks for health care businesses can arise from a failure to meet one of the applicable regulatory requirements relating to participation in a FHCP or claims submissions. Citations for a failure to meet participation requirements can result in civil fines, which in some cases can be astronomical. A failure to pay civil fines may also result in termination of participation in one or more FHCPs. Non-compliance with claims submission requirements can also be serious. Non-compliance can result in demands for recoupment, allegations of overpayment, and in some cases federal False Claims Act (FCA) liability. Penalty multipliers built into enforcement statutes, such as the FCA, can turn an underlying $100,000 liability into a $20,000,000 obligation.
b. Fraud and Abuse
Fraud and abuse in FHCPs have been a concern since the enactment of major federal and state programs. Major fraud and abuse laws include the federal Anti-Kickback Statute (AKS), 42 U.S.C. §1320a-7b(b); the Physician Self-Referral Prohibition (the Stark Law), 42 U.S.C. §1395nn; and the Criminal and Civil False Claims Acts, 18 U.S.C. §287 and 31 U.S.C. §3729. These laws prohibit certain business practices and provide for penalties relating to fraudulent claims to FHCPs. Depending on the conduct involved, liability can be civil and/or criminal. Like the FCA liability described above, penalties and penalty multipliers built into these statutes can result in significant obligations and termination from one or more FHCPs. Moreover, actual or potential fraud and abuse liability is rarely immaterial to a transaction unless its civil and the target involved is so large that the liability is immaterial to its business operations.
c. Licensure
Practically all health care businesses require some type of license or permit to do what they do. Acquiring and maintaining those licenses and permits requires compliance with certain statutory and regulatory obligations. Material risks exist for an acquirer relating to permits and licenses when a target has either engaged in serious non-compliance or been the subject of multiple instances of immaterial non-compliance that in the aggregate become serious. Either scenario might result in possible suspension or revocation of a license or permit, an outcome that can wipe out a business’s value overnight.
d. Excluded Parties
Excluded parties are basically persons or entities that have been excluded from, directly or indirectly, doing business with the federal government. The U.S. Department of Health and Human Services Office of Inspector General (OIG) has the authority to exclude individuals and entities from participating in FHCPs. Exclusion in its most basic sense means that no payment can be made for any items or services furnished, ordered, or prescribed by an excluded individual or entity. In addition to OIG exclusions, the U.S. General Services Administration maintains a comprehensive list of individuals and entities that have been excluded from participation in federal contracts. A target that employs (or previously employed) an excluded individual or has (or previously had) a contract with an excluded party can have material risks associated with it. In addition to a possible repayment of the dollars connected to the excluded person, there are civil penalties that may also be assessed that can become significant.
e. Health Care Privacy Issues
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). HIPAA establishes national privacy standards to protect individuals’ medical records and other personal health information (PHI). It also establishes physical and electronic security standards for PHI. Compliance responsibilities are primarily on “Covered Entities” under the law, but they also extend to a covered entity’s business associates. Enforcement relating to violations of HIPAA has grown exponentially since it was first enacted. HIPAA violations can result in civil or criminal liability, depending on the nature and extent of the violation. The civil penalties can end up being quite costly; with inflationary adjustments the numbers now range from $120 to $60,226 per violation. Additionally, Covered Entities must provide notification of a privacy breach to affected individuals, the secretary of HHS, and, in some circumstances, the media. The notification costs relating to a significant breach could be in the millions of dollars.