Due Diligence 13 min read April 14, 2026 Roy Redd

Healthcare Business Acquisition Due Diligence Checklist: What to Verify Before You Close

Healthcare acquisitions carry regulatory, licensing, and liability complexities that standard due diligence checklists miss entirely. Here is the complete framework for verifying a healthcare business before you close.

Healthcare businesses — physical therapy clinics, dental practices, med spas, behavioral health centers, home health agencies, diagnostic labs — are among the most attractive acquisition targets in the lower middle market. Recurring patient relationships, insurance reimbursement streams, and genuine community need create durable revenue that holds up through recessions. But healthcare due diligence is categorically different from buying a landscaping company or a logistics business. The regulatory exposure, licensing requirements, payer contract nuances, and liability profile require a checklist that goes well beyond three years of tax returns and a review of the lease. Miss the right items and you can close on a business that cannot legally bill for services, carries an undisclosed CMS audit, or employs a provider whose license is under investigation. This checklist is designed to make sure you do not.

Why Healthcare Due Diligence Is Different

The core difference between healthcare due diligence and standard business due diligence is that healthcare businesses operate under multiple overlapping regulatory regimes simultaneously — federal (CMS, OIG, DEA, HIPAA), state (licensing boards, Medicaid), and sometimes local (facility permits, zoning) — and the consequences of non-compliance are not just fines. They include exclusion from Medicare and Medicaid billing, which for most healthcare businesses means the revenue model ceases to exist.

This creates a due diligence dynamic that most business buyers have never encountered: the thing that could kill the business is not in the financial statements. It is in the compliance files, the payer contracts, the credentialing records, and the state licensure history. A practice generating $800K in annual revenue with clean books and a great patient base can still be a catastrophic acquisition if the billing practices have created liability under the False Claims Act or if the NPI numbers tied to the revenue belong to providers who are leaving post-close.

The checklist below is organized by category. Work through it systematically. Some items require outside specialists — a healthcare attorney for regulatory and Stark Law analysis, a medical billing auditor for payer compliance, and a healthcare-specific CPA for reimbursement verification. Budget for those. The cost is negligible relative to what you are buying.

If you are new to small business acquisition diligence entirely, start with the complete small business due diligence checklist first. The healthcare items below supplement a standard diligence process — they do not replace financial, operational, and legal review.

Licensing and Regulatory Compliance

This is the first thing to verify and the last thing most buyers check. Every healthcare business operates under a stack of licenses and permits. Your job is to verify each one exists, is current, is held in the right name, and is transferable to a new owner.

**State facility licenses.** Confirm the business holds a valid, current state facility license for the services it provides. For a physical therapy clinic, that is a PT facility license. For a behavioral health center, it may include a specific mental health or substance abuse facility license. Verify the license is tied to the business entity, not the individual owner, and confirm the transfer process with your state's health department — not the seller.

**Professional licenses.** Request copies of all current professional licenses for every clinical staff member — physicians, therapists, nurses, technicians. Verify each license is active and in good standing by checking your state licensing board directly. A license suspension or investigation that has not yet resulted in formal action may not appear in the seller's disclosure; it will appear in the board records.

**DEA registration.** If the practice prescribes or dispenses controlled substances, verify current DEA registration. DEA registrations are non-transferable — a new owner must obtain a new registration, which requires prior approval and may create a service gap.

**CLIA certification.** If the practice runs any laboratory tests — even simple point-of-care tests like urinalysis or blood glucose — it needs a CLIA certificate. Verify the certificate, the certificate level (waived vs. non-waived), and that the scope covers all tests currently being performed.

**Medicare and Medicaid enrollment.** Verify active enrollment in Medicare (Provider Enrollment, Chain, and Ownership System — PECOS) and Medicaid for all billing providers. Enrollment is tied to individual NPIs. If the business revenue depends on providers who will not be staying post-close, their billing authority goes with them. A change of ownership (CHOW) requires re-enrollment notification to CMS, and some enrollment types have processing timelines that can delay billing.

Billing, Coding, and Payer Compliance

Healthcare billing is where most of the undisclosed liability lives. The standard due diligence process reviews financial statements; healthcare due diligence requires a separate billing audit.

**Engage a medical billing auditor.** A specialized medical billing auditor (or a healthcare attorney with billing expertise) should pull a statistically significant sample of claims — typically 50–100 across CPT codes, payer types, and service dates — and verify that each claim was properly documented, correctly coded, and appropriately billed. What you are looking for: upcoding (billing a higher-complexity service than documented), unbundling (billing separately for services that should be bundled), billing for services not rendered, and billing under a provider's NPI for services delivered by someone else (incident-to billing violations).

**Review payer contracts.** Request copies of all current payer contracts — Medicare, Medicaid, and every commercial payer. Review the contract terms, reimbursement rates, and any specific credentialing requirements for the business entity or individual providers. Payer contracts are generally non-transferable by assignment — a change of ownership typically requires re-credentialing with each payer, which takes 60–120 days per payer and can create a billing gap during transition. Plan for this.

**Check OIG exclusion list.** Run every employee, contractor, and owner through the OIG List of Excluded Individuals/Entities (LEIE). Billing Medicare or Medicaid while employing an excluded individual — even unknowingly — creates direct liability for the business. This is a 15-minute check that should happen before any offer is made.

**Review accounts receivable aging.** Healthcare AR has specific collection dynamics. Request a full AR aging report by payer and ask about claim denial rates, appeals in progress, and any payer audits (RAC, MAC, or commercial payer). A large backlog of denied claims is a revenue quality issue, not just a collections issue — it may signal systemic billing problems that continue post-close.

HIPAA and Data Privacy Compliance

HIPAA compliance is not optional and a change of ownership does not reset liability for pre-close violations. If the seller's practice has had unreported data breaches, inadequate Business Associate Agreements (BAAs), or improper PHI handling, you may be acquiring that liability.

**Request the HIPAA Security Risk Assessment.** HIPAA requires covered entities to conduct a documented Security Risk Assessment (SRA) on a regular basis. Request the most recent SRA and verify it was conducted within the last two years. An absence of an SRA is itself a compliance failure.

**Review Business Associate Agreements.** Every vendor or contractor who handles Protected Health Information (PHI) needs a signed BAA. Request the full list of business associates and confirm BAAs are in place and current for all of them. Common gaps: billing companies, IT vendors, cloud storage providers, and telemedicine platforms.

**Verify breach history.** Ask whether the practice has ever filed a breach notification with HHS. Breaches affecting 500 or more individuals are public record on the HHS breach portal — check it directly. Smaller breaches may have been self-reported internally. A disclosed breach is not automatically disqualifying but needs to be understood and factored into valuation and reps/warranties negotiations.

Provider and Staff Due Diligence

In most healthcare businesses, the revenue is tied to people. The question you need to answer before closing is: which of those people are staying, and what happens to the revenue if they leave?

**Key man risk.** Identify the providers who generate the majority of revenue. In many small healthcare practices, 70–80% of revenue flows through one or two providers. If the seller is one of those providers and is not staying post-close, you need to understand the patient transition plan and have a realistic model for how many patients will follow a new provider versus leave. This is not a solvable problem through due diligence — it is a valuation and deal structure problem that needs to be addressed in the purchase agreement through a training and transition period, earnout provisions, or both.

**Employment agreements and non-competes.** Request all employment agreements, independent contractor agreements, and non-compete clauses for clinical staff. Verify that non-compete provisions are enforceable in your state and understand what happens if a key provider leaves immediately after close. Some states (California, Minnesota) do not enforce physician non-competes at all; others have significant limitations.

**Malpractice and claims-made coverage.** Verify current malpractice coverage for all providers and confirm whether the policies are claims-made or occurrence-based. Claims-made policies require a tail policy to cover claims filed after the policy period — confirm who is responsible for purchasing tail coverage as part of the transaction. Uninsured tail exposure is a material liability.

**Credentialing status.** Verify that all providers are credentialed with each payer they are currently billing. Credentialing is provider-specific; if you are hiring new providers or the seller's providers are leaving, their successor providers need to be credentialed before billing can begin.

Financial Verification Specific to Healthcare

Healthcare financials require verification steps that do not apply to standard service businesses.

**Reimbursement rate analysis.** Do not take the P&L at face value without understanding the reimbursement rates behind it. Request a payer mix breakdown (Medicare %, Medicaid %, commercial %, self-pay %) and verify the effective reimbursement rates against CMS fee schedules and commercial contract rates. If payer mix is shifting — more Medicaid, less commercial — revenue may be compressed in the near future even if current billings look strong.

**Medicare cost report (if applicable).** Skilled nursing facilities, home health agencies, and certain rehabilitation providers file annual Medicare cost reports. These are public. Review the last three cost reports and reconcile against the financial statements. Discrepancies are worth understanding.

**Accounts receivable quality.** Healthcare AR is fundamentally different from standard service AR. Verify the revenue recognition methodology — some practices record revenue on a cash basis, others on an accrual basis with contractual adjustments. Ask about write-off rates, contractual adjustment percentages, and bad debt as a percent of gross charges. A practice reporting strong gross revenue but high contractual adjustment rates has different net economics than the top-line suggests.

**Run your SBA financing model before you go too deep.** Healthcare businesses with strong cash flow are good SBA 7(a) candidates. Use the SBA Loan Calculator to verify the deal economics before investing weeks in due diligence on a purchase price the financing cannot support.

Corporate Structure and Ownership Compliance

Healthcare businesses carry corporate structure requirements that general businesses do not. In most states, clinical services must be owned by licensed professionals — a lay investor cannot directly own a medical practice. The specific rules vary by state and specialty, but the general principle creates legal structures you need to understand before you acquire. The behavioral health practice acquisition guide covers how MSO structures are typically set up for behavioral health and substance abuse treatment centers specifically.

**Corporate practice of medicine laws.** Most states prohibit lay corporations from employing physicians and providing medical services. Healthcare businesses structured for acquisition by a non-clinician typically use a Management Services Organization (MSO) structure: a licensed professional entity (PC or PLLC) holds the clinical licenses and provider relationships, and a separate MSO (which a lay investor can own) provides management services under a management services agreement. Verify this structure is in place if you are not a licensed clinician, and have a healthcare attorney review the MSO agreement before closing.

**Stark Law and Anti-Kickback review.** The Stark Law prohibits physician self-referrals to entities with which the physician has a financial relationship, with limited exceptions. The Anti-Kickback Statute prohibits arrangements that offer or receive payment for referrals of Medicare/Medicaid patients. Many common healthcare business arrangements — co-location agreements, equipment leases, medical director relationships, space rental between related parties — need to be reviewed against these statutes. This review requires a healthcare attorney.

**Change of ownership notification requirements.** Many state healthcare licenses and Medicare/Medicaid enrollments require advance notification of a pending change of ownership. Confirm all required notifications are filed and that the transaction is structured to comply with any pre-approval requirements.

Structuring the LOI for a Healthcare Acquisition

A healthcare LOI has contingencies that standard acquisitions do not. Before you submit an offer, make sure your Letter of Intent addresses the specific risk profile of healthcare transactions.

The LOI should include an explicit regulatory due diligence contingency — not just financial and legal — that gives you the right to walk away if the regulatory review uncovers material compliance issues. Healthcare regulatory problems discovered after exclusivity begins but before close are a negotiation point, but only if your LOI preserved your right to exit on that basis.

Address the provider transition explicitly. If key providers are leaving post-close, document the transition terms in the LOI: how long the seller or key providers will stay for transition, the compensation during that period, and what happens to the earnout or purchase price if patient attrition exceeds a defined threshold.

Include a payer re-credentialing protection provision. The 60–120 day credentialing timeline is a real operational risk. Your LOI should include language requiring the seller to cooperate fully with payer re-credentialing and establishing a mechanism for holding back a portion of purchase price if billing gaps occur due to credentialing delays.

The LOI Generator will produce a professional, customizable Letter of Intent that you can adapt for the healthcare-specific contingencies above.

Healthcare acquisitions reward buyers who do the work before close. The regulatory, billing, and licensing due diligence described above is not optional — it is the difference between buying a durable cash flow business and buying a liability. Engage a healthcare attorney and a medical billing auditor, work through every item on this checklist, and structure your LOI to protect you if the diligence uncovers problems. The buyers who do this consistently buy healthcare businesses that perform as modeled. The ones who skip it find out why healthcare due diligence exists.
