Healthcare Compliance Due Diligence Checklist: Key Steps, Requirements, and Documents to Review

A rigorous healthcare compliance due diligence checklist helps you reveal regulatory gaps, quantify financial risk, and validate operational readiness before an acquisition, partnership, or internal review. This guide walks you through the essential steps, requirements, and documents to review so you can make confident, defensible decisions.

Use the sections below in order—verifying legal standing, testing financial integrity, scrutinizing contracts, evaluating quality, analyzing policies, inspecting operations, and confirming data privacy and security. Each section includes focused actions, document requests, and practical red flags.

Legal Compliance Verification

Objectives

• Confirm the entity and professionals hold all required federal, state, and local licenses and registrations.
• Validate enrollment and good standing with the Centers for Medicare & Medicaid Services (CMS) and other payers.
• Assess survey history, sanctions, exclusions, and pending investigations.

Documents to Request

• Facility and professional licenses; CLIA certificates; DEA registrations; controlled substance logs.
• Medicare/Medicaid enrollments (PECOS printouts), CMS revalidation records, and change-of-ownership filings.
• Accreditation decisions, state survey reports, corrective action plans, and complaint logs.
• For California sites, current licenses and survey correspondence from the California Department of Public Health (CDPH).

Verification Steps

• Match legal names, DBAs, NPIs, and addresses across licenses, payers, and corporate records.
• Screen all owners, executives, and billable staff against federal and state exclusion lists.
• Review scope-of-practice compliance, supervision requirements, and telehealth rules for each discipline.

Red Flags

• Expired or mismatched licenses, lapsed CMS revalidation, or enrollment under the wrong taxonomy.
• Open survey deficiencies without proof of remediation or repeat findings across cycles.
• Undisclosed settlements, integrity agreements, or government subpoenas.

Financial Health Assessment

Focus Areas

• Revenue cycle management effectiveness: charge capture, coding accuracy, denial trends, and underpayment recovery.
• Payer mix, reimbursement volatility, and exposure to recoupments, offsets, or extrapolated audits.
• Liquidity, debt covenants, and sustainability of margins under current case mix and volumes.

Documents to Review

• Five-year financials, trailing 12-month P&L, cash flow, AR aging by payer, and write-off policies.
• Coder and auditor reports, DRG/HCPCS utilization, denial root-cause analyses, and refund reserves.
• Payer contracts, fee schedules, rate letters, and value-based performance scorecards.

Analytics to Run

• Net-to-gross ratios by payer and service line; avoidable denial rate; late charge rate; clean claim rate.
• Case-mix index stability and revenue integrity audits to detect upcoding or undercoding patterns.
• Stress tests on reimbursement cuts and shifts in authorizations or medical necessity criteria.

Red Flags

• Rapid AR growth in 90+ buckets, high takeback frequency, or chronic underpayments not pursued.
• Material audit adjustments, weak documentation supporting medical necessity, or missing refund reserves.
• Overreliance on one payer or short-term grants to mask structural deficits.

Contracts and Agreements Review

Scope

• Payer agreements, network participation contracts, and delegated credentialing arrangements.
• Physician employment and professional services agreements (Stark/AKS considerations), leases, and MSAs.
• Business Associate Agreements (BAAs) and vendor contracts affecting PHI, IT, labs, pharmacy, and revenue cycle.

Key Terms to Evaluate

• Assignment, change-of-control, termination, and cure provisions; audit and most-favored-nation clauses.
• Indemnities, limitation of liability, insurance requirements, performance guarantees, and SLAs.
• Data ownership, permitted use, de-identification standards, and breach notification timelines.

Red Flags

• Missing BAAs for vendors handling PHI or inadequate downstream subcontractor flow-downs.
• Compensation structures that may implicate fraud and abuse laws or volume/value-based referrals.
• Non-assignable payer contracts that jeopardize post-transaction revenue continuity.

Patient Care and Quality Metrics Evaluation

Core Measures

• Clinical outcomes, readmissions, infection rates, adverse events, and sentinel event handling.
• Patient experience (e.g., HCAHPS), access metrics, and timeliness of follow-up and test result communication.
• Medication safety, antimicrobial stewardship, and care transitions coordination.

Documents to Review

• Quality dashboards, QAPI or PI plans, peer review files, privileging criteria, and credentialing verifications.
• Infection prevention risk assessments, sterilization logs, and incident reporting trend analyses.
• Grievance files, mortality reviews, and clinical pathway adherence audits.

Red Flags

• Declining risk-adjusted outcomes, incomplete root-cause analyses, or stagnant corrective actions.
• Repeated medication errors, unsafe staffing ratios, or inconsistent competencies and privileging.
• Backlogs in diagnostic follow-up or discharge summaries leading to avoidable readmissions.

Compliance Policies and Procedures Analysis

Program Maturity

• Assess the compliance program against recognized elements: governance, risk assessment, education, lines of communication, monitoring/auditing, enforcement, and response/prevention.
• Test alignment with enterprise risk management frameworks to prioritize high-impact regulatory risks.

Documents to Review

• Code of conduct, annual work plan, policy library with version control, and documented training completion.
• Hotline intake procedures, investigation files, corrective action plans, and board compliance reports.
• Written fraud prevention protocols for billing, referral arrangements, gifts, and conflicts of interest.

Red Flags

• Outdated or duplicative policies, missing attestations, or low training completion rates.
• No evidence of independent auditing, trend analysis, or closure of corrective actions.
• Board minutes that lack substantive compliance oversight or risk escalation.

Operational Compliance Inspection

Environment of Care and Safety

• Life safety, fire safety, emergency management, and equipment maintenance (PM schedules and documentation).
• Sterilization, high-level disinfection, and environmental cleaning with product efficacy validation.
• Waste segregation and disposal practices aligned with environmental hazardous waste regulations.

Clinical and Support Operations

• Pharmacy controls, chain-of-custody for medications, and controlled substance reconciliation.
• Laboratory quality systems, proficiency testing participation, and specimen handling integrity.
• Scheduling, registration, prior authorization workflows, and point-of-service collections.

Vendor and Facility Oversight

• Onsite vendor credentialing, immunization verification, and badge access controls.
• Service-level compliance for linen, dietary, biomedical, and environmental services.

Red Flags

• Missed preventive maintenance, unlabeled or expired supplies, or unsecured medications.
• Improper waste handling, inadequate spill response kits, or incomplete safety drills.
• Gaps between written procedures and observed staff practices.

Data Privacy and Security Compliance

Program Foundations

• Verify policies meet the HIPAA privacy rule and security rule, including minimum necessary and role-based access.
• Confirm enterprise security governance, asset inventories, and documented risk analyses with remediation plans.

Documents to Review

• Privacy notices, BAAs, access control matrices, audit log review procedures, and data retention schedules.
• Security architecture diagrams, encryption standards, vulnerability scans, and incident response playbooks.
• Training curricula, phishing simulations, and corrective actions after privacy or security events.

Technical and Administrative Controls

• MFA for remote and privileged access, encryption of ePHI in transit and at rest, and endpoint hardening.
• DLP, MDM, patch management, secure configuration baselines, and third-party risk assessments.
• Breach notification workflows, sanctioned user monitoring, and periodic access recertifications.

Red Flags

• Unlogged access to ePHI, weak identity controls, or stale user accounts after terminations.
• Unremediated critical vulnerabilities, missing BAAs, or unclear data ownership with vendors.
• No tabletop exercises for incident response or incomplete evidence of risk mitigation.

Conclusion

Effective healthcare compliance due diligence integrates legal verifications, robust revenue cycle management testing, disciplined contract analyses, quality validation, mature policies, operational walkthroughs, and enforceable privacy and security controls. Use the document lists, steps, and red flags above to focus effort, surface material risks early, and accelerate remediation before closing or go-live.

FAQs

What licenses are required for healthcare compliance due diligence?

Confirm facility and professional licenses, CLIA certificates, and DEA registrations as applicable. Validate CMS enrollment status, NPIs, and payer-specific credentials. For California operations, include licensure and survey records from the California Department of Public Health (CDPH). Ensure all supervising and telehealth requirements align with state law.

How is financial stability assessed during due diligence?

Analyze audited financials, cash flow, and AR aging alongside revenue cycle management metrics such as denial rates, net-to-gross ratios, and charge capture effectiveness. Review payer contracts, extrapolated audit exposure, refund reserves, and scenario tests on reimbursement changes to quantify sustainability.

What are the key compliance policies to review?

Prioritize the code of conduct; billing, documentation, and referral policies; conflicts of interest; hotline and investigation procedures; and written fraud prevention protocols. Validate training evidence, monitoring and auditing plans, governance reporting, and alignment with risk management frameworks for consistent implementation.

How is patient data privacy ensured under HIPAA?

Implement policies meeting the HIPAA privacy rule and security rule, enforce role-based access, and apply encryption in transit and at rest. Maintain BAAs, audit logs, and incident response playbooks, conduct periodic risk analyses, and perform access recertifications and vendor risk reviews to prevent and detect unauthorized use or disclosure.