As health tech companies continue to flood the market with products and services designed to optimize healthcare delivery, improve patient outcomes, and increase operational efficiencies, dealmakers must account for potential areas of risk that extend beyond the traditional due diligence framework for healthcare M&A deals, particularly in the areas of management and organization, regulatory and compliance, and data governance and information technology infrastructure. Legal counsel must adapt current diligence processes and apply more stringent scrutiny, where appropriate, to identify red flags unique to this sector and put clients in the best position to invest in this burgeoning industry.
Management and organization
The strength and composition of the leadership team can be a telling indicator of broader organizational health. Investors want to confirm that founders or key personnel possess meaningful experience in both healthcare and technology; that turnover is low in clinical, regulatory, and engineering leadership; and that the organization has a dedicated compliance officer, chief medical officer, and chief information security officer. Pending or prior litigation involving officers and former investors should be flagged and discussed early in the diligence process.
Questions to ask during diligence:
- Request organizational charts and the duration of employment for those in leadership roles.
- Conduct background checks on key officers and ask directly about any departures from the leadership team over the past two years and the circumstances surrounding them.
- Confirm that key personnel in clinical roles do not have any disciplinary actions against them by regulatory agencies in the states in which such personnel are licensed.
- Identify whether any current or former employees have filed whistleblower complaints or raised internal compliance concerns that went unaddressed.
Regulatory and compliance
As discussed further below, health tech companies operate under layers of overlapping regulation, and compliance gaps could be consequential if not uncovered during the diligence process.
Health information technology
On the health information technology front, incomplete or nonexistent Health Insurance Portability and Accountability Act of 1996 (HIPAA) policies and procedures, no designated Privacy or Security Officer, infrequent or inadequate training of workforce members, lack of security risk analyses, no prior data incident analysis or breach notification history, insufficient documentation of business associate agreements (BAAs) with vendors or customers, and inadequate safeguards for protected health information (PHI) or other regulated data should raise immediate concern. If the target is not required to comply with HIPAA, it is likely still subject to state-level health data laws. Additionally, compliance with General Data Protection Regulation (GDPR) obligations is critical for targets handling patient data of European Union (EU) residents, as the target may otherwise be subject to extensive fines. This will involve determining whether the target has identified a lawful basis for processing health data, whether cross-border data transfer mechanisms (e.g., Standard Contractual Clauses) are in place, and whether a Data Protection Officer has been designated. Moreover, if the target provides services in a state that has enacted a law governing the use of artificial intelligence (AI) in healthcare, diligence should address compliance with those obligations where they apply to the technology at issue.
Food and Drug Administration (FDA)
Where applicable, investors should scrutinize whether a target’s software has been properly classified under the Food and Drug Administration’s (FDA) medical device software framework. This will involve an extensive review of warning letters, 510(k) and premarket approval (PMA) documentation, as well as the target’s correspondence with the FDA.
Telehealth implications
With the rise in health tech companies offering platforms for telehealth services, it is essential that those companies comply with state and federal telehealth laws. This includes ensuring that any practitioners maintain all necessary state and federal licenses and certifications. Further, it is important to understand that scopes of practice vary among the respective clinician levels and can vary by state; therefore, it is essential to confirm that clinicians are providing services consistent with their education and experience to prevent potential disciplinary action. Finally, some states have requirements governing the formation of provider-patient relationships, informed consent, and prescribing via telehealth, particularly with respect to controlled substances, that must be taken into account when reviewing telehealth compliance.
Reimbursement models
If the target receives payment from federal payors, such as Medicare and Medicaid, its reimbursement model and referral arrangements should be examined for potential exposure under the Anti-Kickback Statute, Stark Law, and False Claims Act to confirm that improper remuneration is not being received, that physician owners (or their family members) are not parties to improper referral arrangements, and that claims are being properly submitted.
Questions to ask during diligence:
- Ask whether the entity is required to comply with HIPAA.
- Request a catalogue of the target’s HIPAA policies and procedures.
- Confirm that the target has identified a HIPAA Privacy and/or Security Officer.
- Request a complete inventory of BAAs.
- Ask that the target provide a log of any data incidents and how they were remediated for the past three years.
- Request documentation of the target’s privacy and security training records and security risk analyses.
- Confirm whether the target provides services to EU residents.
- Request a complete regulatory submission history, including any correspondence with the FDA, a history of warning letters, and 510(k) or PMA submissions, and ask whether the company has received formal or informal feedback from the FDA that remains unaddressed.
- Ask whether a target’s product roadmap could trigger reclassification or require new regulatory submissions.
- Request a list of states where the target provides services and the types of clinicians it utilizes within each state.
- Clarify whether the target receives payment from federal payors.
- Ask whether any compensation arrangements with referral sources are tied to volume or value of referrals.
- Determine if the target has obtained any advisory opinions or structured its arrangements to fall within recognized safe harbors.
- Ask whether the target has been subject to any government investigations or audits.
Data governance and information technology infrastructure
Given the sensitivity of health data and the risk of security incidents, sound data governance and information technology (IT) infrastructure are crucial for the success of any target operating in this space. Because it is nearly impossible for a network to be impenetrable to threat actors, health tech companies must have adequate safeguards to quickly identify and remediate risks. Once a risk is identified, a health tech company must possess the ability to implement patches, bring its servers back online if they are impacted, and assess whether patient information has been impermissibly accessed or exfiltrated. It is important to examine whether the target has sufficient incident response plans in place, and to investigate any history of cybersecurity incidents, unpatched vulnerabilities, or poor incident response documentation or remediation.
With the rise of AI and vendors seeking to use data to train their models, it is more important than ever to confirm that contracts do not contain broad or ambiguous data ownership rights. Insufficient de-identification practices or re-identification risks compound that concern. Investors should verify whether the target complies with industry standards, including a System and Organization Controls (SOC) 2 Type II report, Health Information Trust Alliance (HITRUST) Cybersecurity Framework (CSF) validation, or equivalent security attestations.
Questions to ask during diligence:
- Confirm whether the target’s data use agreements and terms of service clearly authorize the ways in which data is actually being used.
- Investigate whether customers or other applicable parties consented to secondary uses of data.
- For targets that must comply with HIPAA, examine whether the BAAs address de-identification and limit what vendors can do with such data.
- Request documentation of the target’s de-identification methodology and ask whether it has been validated against current re-identification techniques.
- Confirm whether the target conducts penetration testing. If so, request the findings.
- If the target is required to comply with HIPAA, confirm whether it takes the vulnerabilities identified in its security risk analysis and incorporates them into a risk management plan with defined timelines. If so, confirm that the risk management plan is kept current based on new security risk analyses, other forms of internal testing, or significant cyber events.
- Establish whether the target carries cyber insurance and, if so, what the coverage amounts are and whether any claims have been made.
Additional considerations
While outside the scope of this alert, one of the key differences between a traditional healthcare M&A deal and a health tech deal is that a health tech company's value often hinges on its intellectual property (IP), making this a critical area of focus. Beyond the IP itself, the underlying technology and product also merit close inspection. Additionally, financial and commercial risks must be taken into account when revenue is not adequately diversified.
From an ethical and reputational perspective, investors should request information on any patient safety incidents and investigate the target’s reputation in the industry, including with clinicians, as applicable.
Takeaways
The red flags outlined above are likely to signal deeper organizational issues that could bring liability and reputational harm to investors. Accordingly, health tech due diligence demands specialized clinical, technical, and regulatory expertise. As the health tech landscape continues to evolve, the best-positioned investors will be those that recognize these evolving dynamics and update their diligence practices to most effectively avoid significant risk to their investment.
