A structured framework for evaluating HIPAA compliance, reimbursement sustainability, technology risk, and revenue quality before acquiring a telehealth business.
Acquiring a telehealth platform requires scrutiny beyond standard SaaS due diligence. Buyers must assess federal and state regulatory compliance, reimbursement model durability, clinical network integrity, and technology infrastructure capable of surviving EHR integration. Post-pandemic normalization has created both opportunity and hidden risk in this sector — revenue that appeared recurring may be tied to COVID-era flexibilities now expiring. This checklist organizes the five highest-stakes due diligence domains for lower middle market telehealth acquisitions in the $1M–$5M revenue range, helping buyers avoid regulatory liability, technology debt, and revenue concentration traps before signing a letter of intent.
Evaluate the platform's data privacy posture, security audit history, and Business Associate Agreement coverage across all vendor and client relationships.
Request all HIPAA security risk assessments conducted in the last 3 years and any remediation documentation.
Unaddressed security gaps create post-close liability that can exceed the purchase price.
Red flag: No formal risk assessment exists or findings were documented but never remediated.
Verify executed Business Associate Agreements with every vendor, subprocessor, and health system client.
Missing BAAs expose the acquirer to OCR enforcement actions and HHS penalties.
Red flag: BAAs are missing with cloud infrastructure providers, EHR vendors, or major clients.
Review any data breach history, OCR complaints, or state attorney general investigations.
Prior incidents signal compliance culture and create undisclosed indemnification exposure.
Red flag: Any unresolved breach notification obligations or active regulatory investigations exist.
Confirm state telehealth licensing, prescribing authority compliance, and provider credentialing documentation.
Operating without proper state licenses creates immediate shutdown risk post-close.
Red flag: Providers are practicing across state lines without valid licenses or credentialing files.
Assess whether the platform's revenue depends on permanent payer policies or temporary flexibilities vulnerable to federal and state rollbacks.
Map all revenue by reimbursement source: commercial insurance, Medicare Advantage, direct-to-employer, and self-pay.
Concentration in expiring COVID-era codes signals near-term revenue erosion risk.
Red flag: More than 50% of revenue relies on telehealth-specific CPT codes tied to emergency flexibilities.
Review executed payer contracts including term lengths, renewal options, and reimbursement rate schedules.
Month-to-month payer relationships can be terminated without warning after close.
Red flag: No multi-year payer contracts exist or rates are significantly below market benchmarks.
Analyze historical reimbursement denial rates and revenue cycle management performance metrics.
High denial rates indicate billing workflow problems that compress actual realized revenue.
Red flag: Denial rates exceed 15% or the platform lacks a documented appeals process.
Request documentation of any direct-to-employer or health system contracts with committed annual spend.
Contracted B2B revenue is more defensible and transferable than fee-for-service volume.
Red flag: No signed employer or health system contracts exist beyond informal purchase orders.
Evaluate scalability of the platform's infrastructure, ownership of proprietary code, and integration complexity with EHR and billing systems.
Obtain a technology architecture document covering hosting, APIs, third-party dependencies, and EHR integrations.
Undocumented architecture creates post-close integration risk and unexpected rebuild costs.
Red flag: No architecture documentation exists or core integrations rely on deprecated APIs.
Confirm that all source code, algorithms, and clinical workflow IP are owned by the company via assignment agreements.
Offshore or contractor-developed code without IP assignment may not transfer with the sale.
Red flag: Offshore developers hold undocumented contributions with no signed IP assignment agreements.
Review software development practices including security testing, version control, and vulnerability patching history.
Poor security hygiene creates HIPAA liability and patient data exposure post-acquisition.
Red flag: No penetration testing history or critical vulnerabilities remain unpatched for over 90 days.
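A buyer rarely gets more than a scanner or ticketing export from the data room, so the 90-day test above has to be run against that export. The following is an added example (not code from this checklist or from any telehealth platform) that parses a constructed vulnerability register and reports which critical findings were still open past the threshold on a chosen as-of date; the column names, finding ids and dates are all made up for illustration.

```python
"""Patch-aging check over a constructed vulnerability register (added example)."""
import csv
from datetime import date
from io import StringIO

# Constructed sample register, hypothetical columns and values.
# Empty "closed" means the finding is still open.
SAMPLE_REGISTER = """\
id,severity,opened,closed,title
V-001,critical,2023-11-02,2023-11-20,Outdated TLS library on API gateway
V-002,critical,2024-01-15,,Unauthenticated admin endpoint on billing service
V-003,high,2024-03-01,,Missing rate limiting on login
V-004,critical,2024-04-10,,SQL injection in appointment search
V-005,medium,2024-02-01,2024-02-15,Verbose error pages
"""

# Remediation SLA per severity, in days. Only the checklist's 90-day critical
# threshold is set here; other severities are reported but not judged.
PATCH_SLA_DAYS = {"critical": 90}


def parse_register(text):
    """Parse the CSV export into rows with real date objects."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["opened"] = date.fromisoformat(r["opened"])
        r["closed"] = date.fromisoformat(r["closed"]) if r["closed"] else None
        rows.append(r)
    return rows


def days_open(row, as_of):
    """Days a finding was (or has been) open, measured to its close or to as_of."""
    end = row["closed"] or as_of
    return (end - row["opened"]).days


def overdue_findings(rows, as_of, sla=PATCH_SLA_DAYS):
    """Ids of findings still open past their severity's SLA as of `as_of`."""
    overdue = []
    for r in rows:
        limit = sla.get(r["severity"].lower())
        if limit is None or r["closed"] is not None:
            continue
        if days_open(r, as_of) > limit:
            overdue.append(r["id"])
    return overdue


def mean_days_to_close(rows, severity):
    """Mean remediation time for closed findings of one severity (None if none closed)."""
    closed = [days_open(r, r["closed"]) for r in rows
              if r["severity"].lower() == severity and r["closed"] is not None]
    return sum(closed) / len(closed) if closed else None


def check_register(text, as_of_iso):
    """Convenience entry point: CSV text + ISO as-of date -> summary dict."""
    rows = parse_register(text)
    as_of = date.fromisoformat(as_of_iso)
    overdue = overdue_findings(rows, as_of)
    return {
        "overdue_critical": overdue,
        "red_flag": bool(overdue),
        "mean_days_to_close_critical": mean_days_to_close(rows, "critical"),
    }


if __name__ == "__main__":
    print(check_register(SAMPLE_REGISTER, "2024-06-30"))
```

Run against the seller's real export with the as-of date set to the diligence date; a non-empty `overdue_critical` list is the red flag, and the mean close time for criticals gives a second, softer signal about patching discipline.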
Assess EHR integration depth and any revenue-critical dependencies on single third-party platforms.
Single-vendor EHR lock-in can block growth or create contractual restrictions on acquisition.
Red flag: The platform cannot function without a single EHR vendor that has change-of-control provisions.
Analyze revenue concentration by client, cohort-level churn trends, and patient satisfaction data to assess true revenue quality.
Request a full customer revenue breakdown identifying any client representing more than 20% of total revenue.
Single client dependency creates catastrophic downside if that relationship does not transfer.
Red flag: One health system or employer client accounts for more than 40% of annual revenue.
Review monthly cohort retention, gross revenue churn, and net revenue retention over the last 24 months.
Churn trends reveal whether post-pandemic utilization decline is stabilizing or accelerating.
Red flag: Gross revenue churn exceeds 20% annually or net revenue retention is below 90%.
Obtain NPS scores, patient satisfaction survey data, and any published clinical outcomes metrics.
Strong outcomes data supports payer contracting leverage and reduces post-close churn risk.
Red flag: No patient satisfaction or outcomes data has been collected or is unavailable for review.
Confirm that all major client contracts include assignment provisions allowing transfer to a new owner.
Non-assignable contracts may terminate automatically upon a change of control.
Red flag: Key health system or payer contracts contain change-of-control termination rights.
Assess provider credentialing infrastructure, network scalability across states, and operational dependence on the founder's clinical relationships.
Review provider credentialing files confirming active licenses, malpractice coverage, and DEA registration where applicable.
Uncredentialed providers create immediate regulatory and liability exposure post-close.
Red flag: Provider files are incomplete, outdated, or credentialing has never been formally documented.
Evaluate whether clinical relationships and platform access are personally dependent on the founder or seller.
Founder-centric operations collapse provider networks and referral pipelines after transition.
Red flag: Key providers will not commit to staying post-close without the founder's personal involvement.
Assess geographic footprint of licensed providers and ability to expand into new states without significant cost.
Multi-state provider networks are a core competitive moat that takes years to replicate.
Red flag: All providers are licensed in only one or two states with no expansion infrastructure in place.
Review clinical protocols, telehealth-specific informed consent procedures, and documented care coordination workflows.
Undocumented clinical protocols create liability and slow post-close operational scaling.
Red flag: No written clinical protocols exist or informed consent procedures are inconsistent across states.
No. Telehealth platform acquisitions are generally not SBA-eligible due to the passive income characteristics of SaaS-model businesses and the regulatory complexity involved. Buyers should expect to structure deals using private equity, strategic capital, or seller financing with earnouts tied to ARR milestones rather than SBA 7(a) loans.
Lower middle market telehealth platforms with $1M–$5M in revenue and 70%+ gross margins typically trade between 3.5x and 6x ARR. Platforms with multi-year payer contracts, low churn, proprietary clinical workflows, and documented HIPAA compliance command the higher end. Businesses with reimbursement uncertainty or customer concentration trade toward the lower end of that range.
The most acute regulatory risk is HIPAA liability exposure from undisclosed data breaches, missing Business Associate Agreements, or unresolved OCR compliance findings. These violations can survive an asset purchase and expose the buyer to significant federal penalties. A third-party HIPAA audit prior to close is non-negotiable for any serious acquirer.
Request a cohort-level revenue analysis showing monthly retention by client and payer type for the last 24–36 months. Separate revenue tied to emergency-use telehealth reimbursement codes from revenue under permanent payer contracts or multi-year employer agreements. Net revenue retention above 100% indicates genuine expansion within the existing customer base and is the strongest signal of sustainable recurring revenue.
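The concentration, churn, retention and emergency-code thresholds given in the revenue sections above and in this answer are all ratios over a per-client billing export, so they can be computed together. The following is an added example (not code from this checklist) that takes a constructed billing extract, tags each line as billed under a permanent contract or a temporary telehealth flexibility, and returns the four red-flag tests: top-client share over 40%, emergency-code share over 50%, gross revenue churn over 20%, and net revenue retention under 90%. Client names, payer types and amounts are invented; the `code_class` field is an assumed label a buyer would have to derive from the CPT/modifier mix in the real data.

```python
"""Revenue quality metrics over a constructed billing export (added example)."""
from collections import defaultdict

# Constructed monthly billing records: (month, client, payer_type, code_class, amount_usd).
# code_class is "emergency" for revenue billed under temporary telehealth flexibilities
# and "permanent" for permanent payer contracts or employer agreements. All values made up.
SAMPLE_BILLING = [
    ("2023-06", "Mercy Health",   "health_system", "permanent", 60_000),
    ("2023-06", "Acme Employer",  "employer",      "permanent", 25_000),
    ("2023-06", "Medicare Adv A", "payer",         "emergency", 30_000),
    ("2023-06", "Commercial B",   "payer",         "emergency", 15_000),
    ("2024-06", "Mercy Health",   "health_system", "permanent", 66_000),  # expanded
    ("2024-06", "Acme Employer",  "employer",      "permanent", 20_000),  # downgraded
    ("2024-06", "Medicare Adv A", "payer",         "emergency", 18_000),  # downgraded
    # "Commercial B" churned entirely between the two periods.
    ("2024-06", "New Clinic C",   "health_system", "permanent", 12_000),  # new logo
]


def revenue_by_client(records, month):
    """Total revenue per client for one billing month."""
    out = defaultdict(int)
    for m, client, _payer, _cls, amt in records:
        if m == month:
            out[client] += amt
    return dict(out)


def top_client_share(records, month):
    """Largest single client's share of the month's revenue."""
    by_client = revenue_by_client(records, month)
    return max(by_client.values()) / sum(by_client.values())


def emergency_code_share(records, month):
    """Share of the month's revenue billed under temporary flexibilities."""
    total = sum(a for m, *_, a in records if m == month)
    emergency = sum(a for m, _c, _p, cls, a in records if m == month and cls == "emergency")
    return emergency / total


def gross_revenue_churn(records, start, end):
    """Revenue lost from start-period clients (downgrades plus lost clients) / start revenue.
    New logos in the end period are ignored, as they are not part of the start cohort."""
    s, e = revenue_by_client(records, start), revenue_by_client(records, end)
    lost = sum(max(amt - e.get(c, 0), 0) for c, amt in s.items())
    return lost / sum(s.values())


def net_revenue_retention(records, start, end):
    """End-period revenue from start-period clients only / start revenue.
    Expansion within the cohort offsets downgrades and losses; new logos are excluded."""
    s, e = revenue_by_client(records, start), revenue_by_client(records, end)
    retained = sum(e.get(c, 0) for c in s)
    return retained / sum(s.values())


def red_flags(records, start, end):
    """The checklist's four revenue-quality thresholds, evaluated on the end period."""
    return {
        "top_client_over_40pct": top_client_share(records, end) > 0.40,
        "emergency_codes_over_50pct": emergency_code_share(records, end) > 0.50,
        "gross_churn_over_20pct": gross_revenue_churn(records, start, end) > 0.20,
        "nrr_under_90pct": net_revenue_retention(records, start, end) < 0.90,
    }


if __name__ == "__main__":
    print(red_flags(SAMPLE_BILLING, "2023-06", "2024-06"))
```

Run it month by month over the 24 to 36 months requested above rather than on a single pair of periods; a cohort whose NRR is drifting down while the emergency-code share stays high is exactly the pattern the answer describes as non-recurring revenue dressed as recurring.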