Laws and regulations

What are some of the primary laws and regulations governing or implicated in healthcare-related business combinations? Are healthcare assets subject to specific regulation that would be material in a typical transaction? Is law and regulation of healthcare national or subnational?

The federal Stark Law prohibits the referral by a physician of certain designated health services paid for by Medicare or Medicaid to an entity with which he or she has a financial relationship unless an exception is met. Designated health services include clinical laboratory services; physical therapy, occupational therapy and outpatient speech-language pathology services; radiology and certain imaging services; durable medical equipment and supplies; parenteral and enteral nutrients, equipment and supplies; prosthetics, orthotics and prosthetics devices and supplies; home health services; outpatient prescription drugs; and inpatient and outpatient hospital services. A financial relationship includes ownership as well as compensation. A violation of the federal Stark Law may result in civil penalties.

The federal Anti-Kickback Statute prohibits the payment or offer or receipt or solicitation of remuneration with the intent to induce or reward patient referrals or the generation of business involving any item or service payable by a federal healthcare programme. Unlike the federal Stark Law, which applies only to referrals by physicians of designated health services payable by Medicare or Medicaid, the federal Anti-Kickback Statute applies to anyone who pays or offers to pay or receives or solicits remuneration consisting of anything of value, whether in cash or in kind, to induce or reward referrals of any item or services payable by any federal healthcare programme, not just Medicare or Medicaid. The Anti-Kickback Statute has certain safe harbours that, if met, prevent a financial relationship from being deemed in violation of the statute. However, failure to meet a safe harbour does not automatically result in a violation of the statute. Rather, the intent of the parties is a key factor in determining whether a violation of the statute has occurred. A violation of the federal Anti-Kickback Statute may result in criminal penalties.

The federal Civil Monetary Penalties Law authorises the Office of Inspector General to seek civil monetary penalties and potential exclusion from participation for fraud and abuse involving the Medicare and Medicaid programmes. Unlike the federal Anti-Kickback Statute, intent is not required to be proven. Negligence by a healthcare provider or its employees is sufficient for establishing liability. Civil monetary penalties may include an assessment of up to three times the amount claimed, offered, paid, solicited or received. Violations that may justify civil monetary penalties include presenting a claim that is known or should be known to be false and fraudulent; violating the federal Anti-Kickback Statute; and making false statements or misrepresentations on applications or contracts to participate in federal healthcare programmes.

In a coordinated effort, on 20 November 2020, the Centers for Medicare & Medicaid Services and the Office of Inspector General published final rules to modernise regulations implementing the Stark Law, the federal Anti-Kickback Statute, and the beneficiary inducement provisions of the Civil Monetary Penalties Law. On the same day, the OIG separately released a final rule to alter the way prescription drug discounts are handled and to protect certain drug-manufacturer payments to pharmacy benefit managers (PBMs). The changes in the final rules include new value-based exceptions and safe harbors; enabling technology infrastructure improvements; modernization of the federal Stark Law and Anti-Kickback Statue through new rules, definitions, and clarifications; and new Anti-Kickback Statute provisions regarding pharmaceutical rebates and pharmaceutical benefit management service fees.  The changes went into effect 19 January 2021, with certain exceptions become effective 1 January 2022.

The federal False Claims Act (FCA) makes it illegal to submit claims for payment to Medicare or Medicaid that you know or should know are false or fraudulent. No specific intent to defraud is required. The federal FCA also contains a whistle-blower provision that allows a private individual to file an action on behalf of the United States and recover a percentage of damages awarded to the government. A violation of the federal FCA may result in both civil and criminal penalties.

The federal Criminal Health Care Fraud Statute prohibits knowingly and willfully executing, or attempting to execute, a scheme or lie in connection with the delivery of, or payment for, health care benefits, items, or services to either defraud any health care benefit programme or obtain by means of false or fraudulent pretences, representations or promises any of money or property owned by, or under the control of, any health care benefit programme.  Penalties for violation include fines, imprisonment, or both.

The federal Exclusion Statute requires the Office of Inspector General to exclude individuals and entities convicted of any of the following from participation in all federal health care programmes: Medicare or Medicaid fraud, as well as any other offences related to the delivery of items or services under Medicare or Medicaid; patient abuse or neglect; felony convictions for other health care-related fraud, theft, or other financial misconduct; and felony convictions for unlawful manufacture, distribution, prescription, or dispensing  controlled substances.  The Office of Inspector General also may impose permissive exclusions on other grounds, including: misdemeanor convictions related to health care fraud other than Medicare or Medicaid fraud, or misdemeanor convictions for unlawfully manufacturing, distributing, prescribing, or dispensing controlled substances; suspension, revocation, or surrender of a licence to provide health care for reasons bearing on professional competence, professional performance, or financial integrity; providing unnecessary or substandard services; submitting false or fraudulent claims to a federal health care programme; engaging in unlawful kickback arrangements; and defaulting on health education loan or scholarship obligations.  Excluded providers cannot participate in federal health care programmes for a designated period. The Office of Inspector General maintains a list of excluded parties called the List of Excluded Individuals/Entities.

In addition, healthcare providers may be subject to prosecution under The Travel Act. The Travel Act provides that whoever travels in interstate or foreign commerce or uses the mail or any facility in interstate or foreign commerce, with intent to distribute the proceeds of any unlawful activity, commit any crime of violence to further any unlawful activity or otherwise promote, manage, establish, carry on, or facilitate the promotion, management, establishment, or carrying on, of any unlawful activity, and thereafter performs or attempts to perform such act is subject to fine, imprisonment or both.  The term 'unlawful activity' includes extortion and bribery, as defined by state law.

Among other purposes, the federal Health Insurance Portability and Accountability Act (HIPAA) was enacted to accomplish the following objectives:

  • improve portability and continuity of health insurance coverage in the group and individual markets;
  • combat waste, fraud and abuse in health insurance and healthcare delivery;
  • promote the use of medical savings accounts;
  • improve access to long-term care services and coverage; and
  • simplify the administration of health insurance.


HIPAA is most well known for its introduction of protections surrounding exchange and security of protected health information, which includes information personally identifiable about health status, the provision of healthcare services or payment for healthcare services that is created or collected by a covered entity or its business associate. Protected health information includes any part of a patient’s medical record or payment history. A violation of HIPAA may result in both civil and criminal penalties.

The federal Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted to address the privacy and security of electronic health records and the effective implementation of technology among healthcare providers. The HITECH Act also contains certain enforcement provisions related to HIPAA, including civil and criminal penalties, and imposes notification requirements from data breaches involving the unauthorised use of protected health information. In addition, the HITECH Act directly imposes compliance requirements on business associates of covered entities.

The federal Emergency Medical Treatment and Active Labor Act requires that hospitals participating in Medicare offer emergency medical services regardless of the patient’s ability to pay. Patients must be provided with a medical screening examination when seeking medical treatment, and patients with emergency medical conditions must be stabilised prior to transfer or discharged, except with the informed consent of the patient, or when the condition requires a transfer to a hospital that has enhanced capabilities to treat the patient.

The federal Genetic Information Nondiscrimination Act of 2008 prevents health insurance plans and employers from discriminating against individuals based on genetic information. Under the Act, a health insurer may not deny coverage or charge higher premiums to an individual based on the individual’s genetic predisposition. The Act also prevents employers from using an individual’s genetic information when making employment decisions.

Although the above laws proliferate across most healthcare transactions, they are not inclusive of all United States federal healthcare laws that could apply to an individual transaction.  In addition, each of the 50 states in the United States has various laws that apply to the regulation of healthcare providers and insurers, which may include licensure requirements and laws that correspond to the federal laws cited above. In addition to analysing the implications of federal laws with respect to a transaction, it is important to analyse the laws of each state in which a target conducts business to determine the potential impact of various state laws on such transactions.

Consents, notification and filings

What regulatory and third-party consents, notifications and filings are typically required for a healthcare business combination?

For a healthcare provider that bills the federal Medicare programme under Part A (eg, hospital stays, home health, hospice care, skilled nursing facility care, transplants), a change of ownership application must be submitted within 30 days of the closing of a transaction if the transaction is an asset sale, while a change of information application must be submitted within 90 days following the closing of a transaction in a stock sale or merger in which the enrolled provider is a surviving entity. For a healthcare provider that bills the federal Medicare programme under Part B (eg, physician services; ambulance services; durable medical equipment; outpatient surgery; physical, occupational and speech therapy), with some limited exceptions, generally a new, initial enrolment application must be submitted to Medicare if the transaction is an asset sale before the buyer can bill the Medicare programme. This can result in the need to address potential cash flow issues. On the other hand, as with a Part A provider, a transaction involving a Part B provider that is structured as a stock sale or merger, in which the enrolled provider is a surviving entity, will require a change of information application to be submitted within 90 days of the closing of the transaction. Although the Medicaid programmes in many states follow the Medicare requirements, some states require pre-closing notification of any transaction and may require a new, initial enrolment application even in a stock sale or merger. Most types of healthcare providers also hold licences issued under the laws of their respective states. State licences generally are not transferable such that the buyer in an asset sale will be required to submit a new, initial enrolment application with the applicable state licensing agency. This application often must be submitted prior to the closing of the transaction, although the licence will not be issued until following the closing with a retroactive effective date of the actual closing date. In a stock sale or merger in which the licensed entity is the surviving entity, the state licensing agency may require notification or the submission of a change of information application, which, depending on the state, may be filed post-closing or required to be filed 30–60 days prior to closing. In addition, some states have certificate of need laws for certain types of healthcare providers (eg, hospitals, skilled nursing facilities, ambulatory surgery centres, home health agencies) that require the establishment of need in the service area prior to the establishment of a provider and, in some cases, the transfer of ownership or control of the provider. Separate and apart from approvals of governmental authorities, consents required under commercial insurance contracts may be necessary for assignment of the contract to a new provider entity or a change in control of the provider entity via a stock sale or merger.

Ownership restrictions

Are there any restrictions on the types of entities or individuals that can wholly or partly own healthcare businesses in your jurisdiction?

A majority of the states in the United States have restrictions on the ownership of physician practices and the employment of physicians by anyone other than licensed physicians. This is known as the prohibition on the corporate practice of medicine and has been established in some states by statute and in others by case law or pronouncements issued by a state attorney general or board of medical examiners. Some state laws have certain exceptions, such as the ability of a hospital to employ physicians.


Are there any restrictions on who can be director of healthcare businesses in your jurisdiction?

Many of the states that restrict ownership of physician practices to licensed physicians also have restrictions on who may serve as directors. State laws vary and range from requiring that a certain number of the directors be licensed physicians to requiring that all directors be licensed physicians.

Operating outside the home jurisdiction

What domestic regulatory issues might arise for a company based in your jurisdiction operating healthcare businesses in other jurisdictions?

A healthcare provider based in the United States that is operating outside the United States is subject to the federal Foreign Corrupt Practices Act, which prohibits United States persons (individuals and entities) from use of the mail or any means of interstate commerce to offer, pay, promise to pay, or authorise payment of money or anything of value to any person while knowing that all or any portion thereof will be offered, given or promised, directly or indirectly, to a foreign official to influence the foreign official in his or her official capacity; induce the foreign official to do or omit to do an act in violation of his or her lawful duty; or to secure any improper advantage to assist in obtaining or retaining business for or with, or directing business to, any person.

A healthcare provider entity operating in multiple states in the United States generally must be qualified to do business as a foreign entity when operating outside its jurisdiction of formation or organisation. In addition, a healthcare provider entity that treats patients from other states may be required to obtain a licence in those states. This is particularly true with healthcare providers such as physicians providing telemedicine services across state lines, mail order pharmacies that ship drugs across state lines; or laboratories that accept specimens from out of state patients. In addition, many states that require a physician practice to be owned by a licensed physician also require that at least one physician owner or, in some cases, all physician owners be licensed to practise medicine in the state in which the practice conducts operations.

Cross-border acquirers

What domestic regulatory issues arise when the acquirers of healthcare businesses are based outside the jurisdiction?

Any healthcare business based outside the United States that conducts operations in the United States, is generally subject to the same healthcare regulatory requirements as businesses that are formed or organised in the United States. In addition, pursuant to the Foreign Direct Investment and International Financial Data Improvements Act of 1990, a filing will be required with the US Bureau of Economic Analysis within 45 days after the closing of a transaction if a foreign entity acquires, directly or indirectly, a 10 per cent or more interest in a US entity if the total assets of the acquired business exceed US$3 million or the transaction involves the acquisition of more than 200 acres of land in the United States. The US$3 million threshold is measured based on the size of the business, without regard to the percentage ownership of the foreign entity in the business. Further, even if a transaction is exempt and below the threshold, an exemption claim form must be filed to validate the exemption for a transaction involving assets of less than US$3 million.

Competition and merger control

What specific competition or merger control issues may arise in healthcare business combinations?

The Hart-Scott-Rodino Antitrust Improvements Act of 1976 (the HSR Act) requires a pre-merger filing with the US Federal Trade Commission (FTC) and Department of Justice for certain transactions of a size of US$92 million or more (for 2021) where (1) one of the parties has annual sales or total assets of US$18.4 million (for 2021) or more and the other party has annual sales or total assets of US$184 million (for 2021) or more or (2) the amount of stock the acquirer has is valued at US$368 million (for 2021) or more. These thresholds are adjusted annually. These transactions must be approved before the parties can proceed with closing. In addition, the FTC regulates competition in the healthcare market and may review any transaction or arrangement for anticompetitive behaviour. State attorneys general also have the ability to intervene in any transaction that is viewed as anticompetitive or against public policy.

State and private healthcare combinations

Are there any differences for healthcare business combinations if the transaction relates solely to businesses servicing private clients rather than state-funded clients?

A transaction that does not involve a provider who bills a federal government healthcare programme is not subject to the Stark Law or the Anti-Kickback Statute. However, some states have ‘all payor’ physician self-referral laws and anti-kickback statutes that may be implicated, even if the provider services only private clients.