On July 7, 2016, the Centers for Medicare and Medicaid Services (“CMS”) imposed several administrative penalties on Theranos, a clinical laboratory company that proposed to revolutionize the clinical laboratory business by performing multiple blood tests using a few drops of blood drawn from a finger rather than from a traditional blood draw that relies on needles and tubes. However, after inspecting the laboratory, CMS concluded that the company failed to comply with federal law and regulations governing clinical laboratories and it posed an immediate jeopardy to patient health and safety. CMS has revoked the CLIA certification of the company’s California lab, imposed a civil monetary penalty of $10,000 per day until all deficiencies are corrected, barred Medicare or Medicaid reimbursement for its services, and excluded its founder and CEO from owning or operating a clinical laboratory for two years.

Although Theranos’s history has received an outsize amount of media attention, its experience with regulatory agencies highlights several important issues for start-up and emerging health care entities:

What Do Regulators Want?

It is no surprise that health care is one of the most highly regulated sectors of the U.S. economy, and that noncompliance with health care laws and regulations can result in penalties that can cripple an organization or force it to shut down. As a result, even in an environment that encourages innovation, health care organizations must understand the scope of regulatory oversight at the federal and state levels, and the range of remedies available to regulators for noncompliance. Every organization should also have a protocol in place for responding to regulatory inquiries or inspections.

What Do Health Care Providers and Payors Want?

Adopting a new health care technology is an intensely data-driven process. This is especially the case with clinical laboratories, which are subject to rigorous requirements for proficiency, quality assurance, and training. This burden is greater for laboratory-developed tests, commonly known as “home brew” tests, because they are currently exempt from FDA oversight.

In most cases, the innovator sponsors clinical studies subject to peer review and publication to demonstrate the efficacy of the new technology. These trials can also generate the clinical and cost data needed to convince practitioners that the test has reliable diagnostic or clinical value, and to persuade payors that the test is medically necessary.

However, Theranos declined requests to sponsor studies or disclose data. This was a red flag for many clinicians. In the interim, a group of independent investigators published a study based on a small sample of patients and found that the Theranos’s results were more variable than the results obtained from the same blood samples sent to laboratories using standard equipment. These variations were significant enough that they had the potential to affect clinical decision-making and jeopardize patients.

Who Is Investing in the Venture?

For start-up companies, committed investors are indispensable. Although early-stage investors are accustomed to risk, they also depend on reliable data to gauge whether health care professionals will adopt a new technology, and whether health plans will cover and pay for that technology. In Theranos’s case, several investors with experience in health care start-ups did not invest in the company because it did not release data on its proprietary technology and did not conduct or sponsor well-controlled clinical trials.

Who’s on Board?

The critical role of health care regulations demands that a company’s management and board be familiar with the key challenges and potential barriers to entry under the applicable regulatory framework. Nevertheless, at the time of the CMS survey Theranos’s board reportedly lacked individuals with specific experience in health care operations or clinical laboratories; however, it included two former Secretaries of State (one of whom had also been the dean of a business school), two former U.S. senators, the CEO of a bank, and retired military officers. While it is unclear how much the board knew of potential regulatory risks, the fact that CMS determined that the company had not made a “credible allegation of compliance” in response to any of the deficiencies in the initial survey report is an indicator that CMS did not believe that the company’s management and directors may not have appreciated the regulatory requirements or how to avoid or minimize these significant risks.