Before acquiring an RCM business, verify revenue quality, compliance history, client stability, and technology infrastructure with this specialty-specific framework.
Acquiring a medical billing or revenue cycle management company in the $1M–$5M revenue range requires scrutiny well beyond standard financial review. Revenue quality depends on contract structures, payer mix, and collection rate performance — not just top-line numbers. HIPAA exposure, undocumented billing practices, and key-person dependency can erode value or create post-close liability. This checklist organizes the five critical due diligence tracks — financials, compliance, client relationships, technology, and staffing — to help buyers identify deal-killers and negotiate with confidence. Buyers using SBA 7(a) financing should pay particular attention to revenue concentration thresholds and compliance documentation, as lenders will flag both during underwriting.
Verify that reported revenue reflects durable, recurring contract income — not one-time billings or inflated gross collections.
Request 3 years of CPA-prepared P&Ls with revenue broken out by client and specialty.
Reveals true revenue concentration and whether earnings are recurring or lumpy.
Red flag: Revenue presented only at the aggregate level with no client-level breakdown available.
Calculate net collection rate by specialty and compare to industry benchmarks (95%+ target).
Net collection rate is the primary operational KPI signaling billing effectiveness and payer health.
Red flag: Net collection rates below 90% or declining trend over the past 24 months.
Distinguish percentage-of-collections contracts from flat-fee arrangements across the client base.
Percentage-of-collections revenue fluctuates with client volume; flat-fee contracts are more predictable.
Red flag: More than 50% of revenue is percentage-of-collections with no minimum guarantees in contracts.
Review accounts receivable aging and assess any deferred or unbilled revenue on the balance sheet.
Unbilled or aged AR can signal cash flow manipulation or billing workflow breakdowns.
Red flag: Significant unbilled AR or AR aging beyond 120 days without documented explanation.
Assess the company's compliance posture for HIPAA, payer audit history, and billing practice integrity to limit post-close liability.
Confirm signed Business Associate Agreements (BAAs) are on file with every client and covered vendor.
Missing BAAs are a direct HIPAA violation that creates regulatory exposure transferable to the buyer.
Red flag: Any client or vendor relationship with PHI access lacking a current, signed BAA.
Obtain documentation of all HIPAA security risk assessments conducted in the past three years.
Annual risk assessments are required by law; absence signals systemic compliance neglect.
Red flag: No formal security risk assessment has been completed or documented in the past 24 months.
Review any history of OIG audits, payer audits, RAC audits, or billing dispute resolutions.
Audit history reveals whether billing practices have attracted regulatory scrutiny or resulted in clawbacks.
Red flag: Unresolved payer audits, open OIG investigations, or undisclosed clawback settlements.
Evaluate coding practices and confirm use of current ICD-10, CPT, and payer-specific billing guidelines.
Outdated or upcoded claims create fraud and abuse exposure that survives the sale.
Red flag: Informal coding practices with no internal audit trail or compliance review process.
Evaluate the stability, tenure, and concentration of the client base to assess revenue durability post-acquisition.
Map revenue contribution by client and flag any single client exceeding 20% of total revenue.
Heavy concentration means one client departure can materially impair post-close cash flow.
Red flag: One or two clients represent more than 30% of total revenue with no long-term contract.
Review all client contracts for termination clauses, notice periods, and auto-renewal provisions.
Short notice periods or at-will termination rights reduce revenue predictability significantly.
Red flag: Majority of contracts allow 30-day termination without cause or are month-to-month agreements.
Calculate client churn rate over the past 36 months and document reasons for any lost accounts.
Historical churn predicts future attrition and reveals satisfaction or competitive vulnerability.
Red flag: Churn rate exceeding 15% annually or recent loss of a top-five client within 12 months.
Assess specialty diversity across the client base — single-specialty concentration adds payer risk.
Specialty diversification insulates revenue from payer reimbursement changes in any one area.
Red flag: More than 60% of revenue derived from a single specialty facing reimbursement compression.
Evaluate the billing software stack, EHR integrations, cybersecurity posture, and scalability of current technology.
Inventory all billing software licenses, practice management platforms, and clearinghouse agreements.
Unlicensed or expiring software creates immediate operational risk and unexpected upgrade costs.
Red flag: Core billing platform is end-of-life, unsupported by vendor, or lacks a current license agreement.
Document all active EHR integrations and assess the technical dependency of client relationships on them.
Proprietary EHR integrations create switching costs for clients, protecting revenue durability.
Red flag: No documented EHR integrations; all data exchange is manual, creating error and attrition risk.
Review cybersecurity controls including encryption, access management, and incident response protocols.
A PHI breach post-close is the buyer's liability; inadequate controls are an unacceptable risk.
Red flag: No documented cybersecurity policy, endpoint encryption, or employee access control framework.
Assess denial management workflows and whether technology automates tracking and resubmission.
Automated denial tracking directly impacts collection rates and operational scalability.
Red flag: Denial management is entirely manual with no reporting metrics or workflow documentation.
Identify dependency on the owner or specific employees and confirm coder credentials and staff retention likelihood.
Identify which client relationships are managed solely by the owner versus trained account managers.
Owner-controlled relationships are vulnerable to attrition if the seller exits quickly post-close.
Red flag: Owner is the sole point of contact for all top-ten clients with no warm handoff plan in place.
Verify CPC, CCS, or equivalent coding certifications for all billing and coding staff.
Certified coders reduce compliance risk and signal coding accuracy in complex specialty billing.
Red flag: No coding staff holds active CPC or CCS certification; certifications are lapsed or unverifiable.
Review employee tenure, compensation structure, and non-solicitation or non-compete agreements.
Long-tenured coders carry institutional knowledge; their departure can disrupt client service quality.
Red flag: High staff turnover in the past 24 months or no employment agreements with key coders.
Confirm documented SOPs exist for billing workflows, denial management, onboarding, and compliance.
Documented processes allow the business to operate without owner involvement post-close.
Red flag: All workflows are undocumented and exist only in the owner's or one employee's institutional knowledge.
Net collection rate is the single most telling operational metric. A rate of 95% or higher indicates effective claims processing and denial management, while rates below 90% signal billing workflow problems, payer relationship issues, or declining client quality. Review this metric by specialty and by client over at least 24 months to identify trends rather than relying on a single-period snapshot.
Request copies of all signed Business Associate Agreements with clients and vendors, the most recent HIPAA security risk assessment, any breach notification history, and internal compliance policies. Missing BAAs are a direct regulatory violation. If no formal risk assessment has been completed in the past year, budget for a third-party HIPAA audit before or shortly after close to establish your baseline liability position.
Most buyers use 30% as the threshold — if a single client represents more than 30% of revenue without a long-term contract in place, the revenue risk is significant. An earnout structure tying 15–25% of the purchase price to client retention over 12–24 months post-close is a common way to manage this risk without killing the deal entirely.
Yes. Medical billing companies are SBA-eligible, and SBA 7(a) loans can cover 80–90% of the purchase price with terms up to 10 years. Lenders will scrutinize client concentration, the quality of contracts, and compliance history during underwriting. Deals with high client concentration or unresolved HIPAA issues will face more friction. A seller note covering 5–10% of the purchase price alongside SBA financing is a common and lender-preferred structure.