Avoiding ‘Asbestos’ Risks When Buying a Medical Device Company, as appeared in MX: Issues Update

Savvy buyers should examine the robustness of a potential acquisition's corporate compliance program.

In the field of real estate, the presence of asbestos in a building is a high-risk item, because it triggers a host of legal and regulatory concerns. When purchasing a building, buyers expect that it will be inspected for this risky substance, because having asbestos can fundamentally alter a buyer's interest in the deal.

In the same way, when seeking to purchase a medical device company, buyers should be looking for asbestos-like risks that could arise for such a company—and potentially alter the viability of the deal.

Historically, buyers of medical device companies have tended to focus on the intellectual property and regulatory aspects of the target company's operations. Due diligence is directed toward determining whether the device company truly owns the products it sells, or whether the labeling of those products is consistent with FDA regulations. Although these issues remain high on the list of topics to be considered in the course of such a purchase, new high-risk areas are emerging today that deserve similar priority.

Fraud and Abuse

These asbestos-like dangers are relevant because of an increased interest in healthcare fraud enforcement. The commercialization side of medical device companies is now under intense scrutiny by the healthcare enforcement community and private whistleblowers who can recover financial rewards for finding false claims relevant to federal and some state healthcare programs. Examples of recent cases include the five company settlements out of the U.S. Attorney's Office in Newark, NJ, related to financial relationships between prescribers and most medical device manufacturers of artificial hips and knees. Another example is the recent healthcare fraud settlement in connection with the promotion of spinal surgery products.

In order for medical device companies to enjoy coverage and receive payment under federal healthcare programs, they must comply with the Medicare and Medicaid Anti-Kickback Act. This federal law prohibits offering or paying any remuneration in return for recommending or ordering a product covered by federal healthcare programs. Similar anti-kickback statutes exist as well in several states.

That means that all types of financial relationships that a medical device company has with prescribers and purchase decision-makers are regulated relationships that must fall within the rules and regulations related to these laws. This includes not only the formal contractual financial relationships between a medical device company and prescriber/purchase decision-makers—such as royalties and teaching agreements—but also non-contractual financial relationships, such as free goods provided as promotional items in the context of sales and marketing activities.

The federal False Claims Act also is driving this enforcement action. Under this statute, and similar state statutes, a device company can be held responsible for violating the law when marketing and sales personnel inappropriately promote or sell a device potentially causing a false claim. Examples include the improper promotion of reimbursement advice to potential provider purchasers.

Reviewing Corporate Compliance

So, how does a buyer look for the health regulatory "asbestos" around these high-risk areas? At a minimum, the buyer's due diligence needs to include a thorough review of the target company's corporate compliance program. This program is recommended by the government as the best way to ensure that the target company is doing all it can to minimize and correct noncompliant behavior. It requires a compliance officer who is responsible for the program and written policies and procedures about these high-risk areas. It also requires employees and agents trained in the program's policies and procedures, a reporting mechanism such as an anonymous hotline, auditing and monitoring, and other related stipulations.

At the board level, it is considered good corporate governance to have an adequate compliance program in order to avoid personal liability. In one of the seminal cases on this point—the Caremark case—the Delaware Court of Chancery held as follows:

[The Court is] of the view that a director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director [personally] liable for losses caused by noncompliance with applicable legal standards. ... Obviously the level of detail that is appropriate for such an information system is a question of business judgment.1

At the government level, the Office of Inspector General (OIG) of the federal Department of Health and Human Services, which serves as the police of the Medicare and Medicaid programs, wants all direct and indirect providers of goods and services covered by these programs to have such a compliance regime in operation.

For those medical device companies that already have had a government enforcement "touch" that has resulted in a settlement, these compliance programs are required by contract with OIG. Some of the terms regarding how these programs operate are delineated in a corporate integrity agreement as a part of the settlement. (See www.oig.hhs.gov). OIG derives its authority to insist on contractual compliance as a condition of a settlement because violators of the relevant laws can incur both criminal and civil fines and penalties.

Such settlements also give OIG the authority to exclude the company and its products from future coverage and payment or from other participation in the Medicare and Medicaid programs. These corporate integrity agreements (CIAs) are the consideration provided by the targeted company to OIG in return for OIG's waiver of its permissive exclusion authority from future participation in federal healthcare programs.

In contrast, the deferred prosecution and nonprosecution agreements, or DPAs and NPAs, in the five Newark cases are agreements between the U.S. Department of Justice (DOJ) and the medical device companies. Each settlement includes integrity obligations that are specific to that agreement. In return for settling with DOJ, the department agrees not to seek an indictment. The types of integrity obligations in these agreements are different from the integrity obligations found in the CIAs.

As a prospective buyer, you should be able to get access to most aspects of a target device company's corporate compliance program. That assurance assumes that neither DOJ nor OIG has an investigation pending against the target firm at the time of your due diligence.

The goal is to determine whether the compliance program includes all seven elements that make these programs effective, as set forth by the government. This is called "benchmarking" the infrastructure of the corporate compliance program, or "conducting a gap analysis." Is the compliance program in its infancy? Or is it mature? Does the company take its compliance program seriously by dedicating sufficient resources? Answers to questions such as these will enable you to gauge the strength of the company's corporate compliance program. They are a great barometer of the extent to which the company may or may not have the equivalent of regulatory asbestos.

If there is a CIA, NPA, or DPA, the goal of your due diligence also should be to determine the extent to which the company is operating within the specific terms of these probationary types of agreements. Will the company pass the compliance test with these particular contract terms? It may be possible to interview any on-site monitor. There also may be an OIG correspondence file to review so you can see whether the company is in compliance.

Attorney-Client Privilege Questions

The more challenging circumstance is when the target company is under a government investigation that has not yet been resolved. The additional goal under these circumstances is to establish how the company is likely to settle the case with the government. Clearly, any correspondence between the company and the government in the company's defense of the case is not subject to attorney-client privilege and can be made available to the buyer as part of the due-diligence process. However, there may be topics and issues that are subject to this privilege that are important to the buyer, so there may be limits as to what the seller can share with you.

In addition, regardless of access, it is the role of buyer's counsel to estimate what may happen when the investigation is closed—one way or the other. In this context, there is very little case law. That is because the threat of exclusion from government health programs is a powerful tool for getting companies to settle even if the company has strong arguments to suggest that there is no liability. Instead, the government settlements in this area are like case law precedent in handicapping what the potential amount of settlement may be and in determining whether the integrity obligations will be palatable in the future. Under these circumstances the buyer needs to take into account the additional costs involved in operating the targeted company under some type of integrity obligations because these costs would not have been in place at the time of the purchase, and they can be significant.

Best practices in this sensitive health regulatory due-diligence area include:

  • Relying on documentation and record-keeping—not just oral responses—in order to determine whether the compliance program is effective.
  • Respecting denials of access because of attorney-client privileges—but only when the circumstances warrant it.
  • Considering potential strategic terms in your letter of intent, such as whether any new government enforcement actions or fundamental changes in a pending government action provide grounds to abandon the deal.
  • Interviewing the people who are responsible for operating the entire compliance program.
  • Recognizing that contractual integrity obligations may limit your ability to divest assets because the obligations are often tied to the same assets.
  • Considering the implications of government-imposed obligations for transactions that include assets outside the United States.
  • Determining whether the compliance program is focused only on the corporate office or has cascaded down through the entire company.
  • Making sure the answers regarding compliance correlate with answers from other company sectors.
  • Remembering the underlying objectives of both parties—as the purchaser, you are seeking compliance comfort and looking for reasons to drive down the asking price, and, as the seller, you are seeking to provide compliance comfort and looking to maintain the agreed-upon price.

Remember: An effective compliance program is a significant asset to both seller and buyer.

Your compliance program due-diligence checklist should include the following topics:

  • The scope of the program and any integrity obligations.
  • The written policies and procedures on all the right subjects.
  • A sense of the corporate culture and attitudes toward compliance by senior management.
  • Sufficient structure and resources to operate an integrity program.
  • A determination of the effectiveness of the company's risk assessment, particularly regarding high-risk areas.
  • A determination of how the company has resolved issues of noncompliance.
  • Frequent, content-rich training and good record-keeping showing that all employees have received training.
  • Conscientious auditing and monitoring.
  • The mechanisms for anonymous reporting that are in place and the extent they are used by employees.
  • The extent to which sales distributors, if any, are involved in the compliance program.


If potential healthcare fraud is the medical device industry's equivalent of hidden asbestos, then any company intent on purchasing a medical device manufacturer should focus on high-risk health regulatory issues while conducting due diligence. One excellent way to determine a medical device company's regulatory health is to examine the robustness of its corporate compliance program. These best practices will help you accomplish that goal.


1. Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).

Lynn Shapiro Snyder is a senior member in the law firm of Epstein Becker & Green PC (Washington, DC), which has one of the largest health-care and life sciences practices in the United States.