Health Care Due Diligence Checklist: What to Review for M&A, Compliance, and Risk

Your Health Care Due Diligence Checklist should surface issues that affect valuation, closing conditions, and post-close integration. By focusing on financial integrity, legal exposures, HIPAA Compliance, and operational resiliency, you reduce surprises and strengthen your negotiating position.

Financial Documentation Review

Quality of earnings and revenue integrity

Start with audited and interim financials, the quality-of-earnings report, and pro forma adjustments. Scrutinize revenue recognition, reserves, charity care, and contractual allowances to confirm sustainable earnings and identify one-time items.

Revenue cycle and payer dynamics

Analyze payer mix, reimbursement trends, denials, aged A/R, write-offs, and underpayments. Compare coding accuracy and charge capture to historical benchmarks to spot leakage that could materially change EBITDA.

Cash flow, capital structure, and obligations

Evaluate cash conversion, working-capital needs, debt covenants, leases, and capital expenditure backlogs. Flag off–balance sheet commitments, value-based risk pools, capitation exposures, and provider relief fund compliance.

• Reconcile Medicare/Medicaid settlements and cost reports.
• Verify physician compensation accruals and bonus methodologies.
• Confirm internal controls and preparedness for Regulatory Audits.

Material Contracts Analysis

Payer, vendor, and clinical relationships

Inventory all managed care agreements, vendor/MSA arrangements, group purchasing, pharmacy, lab, and imaging contracts. For Electronic Health Records and other mission-critical IT, review license terms, uptime SLAs, data portability, and exit rights.

Key legal and economic terms

• Change-of-control, anti-assignment, and termination-for-convenience clauses.
• Most-favored-nation, exclusivity, non-compete, and volume/rebate provisions.
• Indemnities, limitations of liability, insurance requirements, and audit rights.
• Business Associate Agreements and data processing addenda supporting HIPAA Compliance.

Quantify renewal cliffs, under-market pricing, and dependencies on sole-source vendors that could pressure post-close margins.

Compliance Policies and Licensing Verification

Programs, policies, and training

Assess the written compliance program, hotline management, investigations protocol, and board reporting cadence. Validate workforce training for privacy, security, billing, and clinical documentation aligned with HIPAA Compliance requirements.

Licensure, enrollment, and participation

Confirm facility and professional licenses, DEA registrations, CLIA certificates, and payer enrollments. For hospitals and other providers, verify adherence to Medicare Conditions of Participation and accreditation findings with remediation status.

• Review coding/billing policies, exclusion checks, and self-disclosure history.
• Evaluate prior Regulatory Audits, corrective action plans, and monitoring results.

Litigation and Regulatory History Assessment

Claims, investigations, and settlements

Catalog pending and threatened litigation, malpractice claims, employment disputes, and whistleblower matters. Examine government inquiries, subpoenas, and settlement agreements for ongoing obligations or reporting duties.

Enforcement and audit exposure

Review outcomes of RAC/UPIC audits, state AG actions, OCR investigations, and any Corporate Integrity Agreements. Analyze reserves, insurance coverage, and tail policies to measure residual risk and potential purchase price adjustments.

Technology and Data Security Evaluation

EHR functionality and interoperability

Evaluate Electronic Health Records usability, interoperability, and ONC certification where applicable. Confirm data quality, audit logging, change control, and the ability to extract and migrate data without vendor lock-in.

Security posture and resilience

• Assess policies and technical controls against the HIPAA Security Rule.
• Identify Cybersecurity Vulnerabilities through recent risk assessments, vulnerability scans, and penetration test results.
• Review incident response, breach history, backup/restore tests, and disaster recovery objectives.
• Map third-party access, medical device security, and Business Associate oversight.

Physician Financial Arrangements Examination

Regulatory alignment and documentation

Test compensation models, space/equipment leases, co-management, medical directorships, call coverage, and JV distributions for Stark Law exceptions and Anti-Kickback Statute safe harbors. Require fair market value and commercial reasonableness support with time records and duties.

• Trace remuneration flows to detect referral-linked incentives or carve-outs.
• Evaluate productivity metrics (e.g., wRVUs) and bonus criteria for compliance risks.
• Validate conflicts-of-interest disclosures, ownership interests, and exclusion checks.

Operational Risk Identification

Care delivery, quality, and workforce

Review patient safety metrics, sentinel events, readmissions, and quality dashboards to gauge clinical risk. Examine credentialing, privileging, staffing ratios, turnover, and leadership depth to assess operational stability.

Process performance and scalability

Map core workflows across access, scheduling, coding, billing, supply chain, and pharmacy. Measure denial rates, throughput, and backlog to estimate improvement potential and integration effort.

Regulatory and environmental readiness

Confirm emergency preparedness, infection prevention, and telehealth protocols against state rules and Medicare Conditions of Participation. Note open deficiencies from Regulatory Audits and verify remediation timelines and owners.

Conclusion

By structuring diligence around finances, contracts, compliance, litigation, technology, physician arrangements, and operations, you create a clear risk profile and targeted remediation plan. This Health Care Due Diligence Checklist helps you price accurately, negotiate protections, and accelerate integration.

FAQs.

What documents are essential for health care due diligence?

Prioritize audited and interim financials, quality-of-earnings, payer and vendor contracts, licensure and enrollment files, compliance policies, HIPAA Compliance materials, results of Regulatory Audits, litigation summaries, incident response reports, and key technology agreements for Electronic Health Records and other critical systems.

How do compliance policies impact M&A risk?

Strong, enforced policies reduce penalties, repayment risk, and post-close disruptions. Gaps in privacy/security or billing controls elevate exposure under HIPAA, Stark Law, the Anti-Kickback Statute, and payer rules, often requiring escrows, indemnities, price adjustments, or extended integration timelines.

What regulations are critical to review during health care due diligence?

Focus on HIPAA Compliance, Stark Law, the Anti-Kickback Statute, Medicare Conditions of Participation, state licensure and scope-of-practice rules, and any payer-specific participation standards. Also review enforcement histories and obligations arising from prior Regulatory Audits or settlements.

How can technology risks affect health care transactions?

Unaddressed Cybersecurity Vulnerabilities, EHR data portability limits, or missing Business Associate protections can drive remediation costs, delay closing, or trigger breach liabilities. A clear security roadmap and contractual protections help preserve value and ensure smoother post-close integration.