Atlantic Health Strategies

The Hidden Risks of Behavioral Health M&A: Why a Compliance Audit Is Non-Negotiable

Table of Contents

Ready to See Results?

From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.

The short answer: buyers who skip a pre-close compliance audit inherit the seller's liability

Buyers who close a behavioral health acquisition without a real compliance audit inherit the seller’s billing errors, HIPAA gaps, licensure defects, and False Claims Act exposure the moment the wire hits. That is not a scare tactic. It is settled federal doctrine, and the numbers behind it are getting worse, not better.

DOJ just told the market how serious this is. Settlements and judgments under the False Claims Act exceeded $6.8 billion in the fiscal year ending Sept. 30, 2025, the highest single-year total in the statute’s history, and more than $5.7 billion of that recovery involved the healthcare industry. Deputy Attorney General Todd Blanche called the FCA “one of the government’s most powerful weapons against fraud” in the announcement. Whistleblowers are driving it. Relators filed 1,297 qui tam suits in FY 2025, breaking the prior record of 980 set in 2024.

When our diligence team walks into a data room in Florida or Ohio, that $5.7 billion is the number we are pricing risk against. Not a checkbox. The difference between buying a business and buying a lawsuit.

Recoupment, successor liability, and the FCA: where deals actually die

Post-close recoupment is the first line item that blows up a pro forma. Medicaid, Medicare, TRICARE, and commercial payers audit backward. When they find claims that fail medical necessity, ASAM criteria documentation, or utilization management standards, they claw back.

The top exposures a behavioral health buyer inherits are Stark and Anti-Kickback Statute violations, False Claims Act exposure from improper billing, HIPAA and 42 CFR Part 2 failures, licensure or accreditation lapses, and unmet payer or government enrollment conditions. Sophisticated PE buyers still get surprised on successor liability. The Raytheon/Nightwing settlement made that point in an unforgettable way.

DOJ announced the resolution in May 2025. Raytheon, RTX Corporation, and Nightwing agreed to pay $8.4 million to resolve allegations that Raytheon failed to implement required cybersecurity controls between 2015 and 2021, prior to Nightwing’s acquisition of the business. Read that timeline again. The bad conduct ended years before Nightwing bought the unit. Nightwing paid anyway. As one analysis of the case put it, the conduct “occurred between 2015 and 2021. Years before Nightwing purchased RTX’s cybersecurity business in 2024”, which “illustrates the significant risk of successor liability” in M&A.

Pharma got the same lesson two weeks earlier. In January 2025, Pfizer agreed to pay $59,746,277 to resolve allegations that Biohaven, prior to Pfizer’s acquisition, caused the submission of false claims to Medicare by paying kickbacks to induce prescriptions of Nurtec ODT. Biohaven’s conduct pre-dated the deal. Pfizer paid anyway.

What a real compliance audit looks like in a behavioral health target

A compliance audit is not a policy binder review. HHS-OIG published its General Compliance Program Guidance on November 6, 2023, and it is the current federal reference point. OIG’s key new recommendation in the GCPG is that the compliance committee should conduct annual risk assessments to identify and address risk areas, and OIG names common risk areas as billing, coding, sales, marketing, quality of care, patient incentives, and arrangements with physicians, other providers, vendors, and other sources or recipients of referrals. Every one of those applies to a treatment center.

When AHS runs a pre-close audit for a buyer, the work looks like this:

  • Chart audit against ASAM Criteria, 4th Edition. Level-of-care documentation, medical necessity, and continued-stay justifications. Human reviewers, not AI-generated summaries. Algorithms miss what a trained auditor catches.
  • Licensure and accreditation status. Joint Commission or CARF findings, corrective action plans, and open state citations. LegitScript standing. Timelines to resolution.
  • Payer contracting and UM history. Denial rates, timely filing performance, SIU audit exposure, and any open recoupment demands.
  • HIPAA and 42 CFR Part 2 posture. Access controls, termination workflows, breach history.
  • Investigation history. Pending or historical inquiries from CMS or state health departments.
  • Referral arrangements. Anti-Kickback and Eliminating Kickbacks in Recovery Act exposure across marketing vendors, sober living relationships, and lab arrangements.

OIG also stated in the GCPG that quality of care considerations should be included in a compliance program to mitigate patient harm and False Claims Act liability. Buyers who treat quality as separate from compliance underprice the risk.

State-level scrutiny is now a deal-timing problem, not just a compliance one

Buyers used to worry about federal enforcement. Now state Attorneys General are the choke point. Indiana was the first shot across the bow. Starting July 1, 2024, Indiana requires 90 days’ advance written notice to the Indiana Attorney General for a merger or acquisition involving a health care entity with total assets of at least $10 million. The definition of “health care entity” is broad and explicitly includes private equity firms, and the Indiana AG has authority to issue a civil investigative demand for additional information.

Massachusetts, Connecticut, and Maine have layered their own reporting and oversight regimes on private equity healthcare deals. Florida, Texas, and Massachusetts are the states our diligence team watches most closely on the behavioral health side. Build these timelines into your LOI. Do not discover them at signing.

The consolidation math is worth naming too. Every behavioral health deal that closes takes on a compliance history. The good buyers know what they are signing.

What operators should do before signing an LOI

If you are the seller, get your house in order before the data room opens. A clean compliance record keeps negotiations focused on value. A three-year probational CARF becomes a valuation problem overnight. A pending state investigation you never disclosed becomes a fraud claim.

If you are the buyer, four moves matter:

  1. Independent chart audit. Not the seller’s auditor. Not AI. A human sample tied to ASAM Criteria, 4th Edition and payer-specific medical necessity criteria.
  2. Successor liability mapping. Which entities, which contracts, which NPIs carry historical exposure. The Raytheon/Nightwing resolution proves the government will name the successor even when the conduct pre-dates the acquisition by years.
  3. State pre-close notice inventory. Every state the target operates in. Every applicable AG or health department filing. Build it into the closing checklist, not the closing week.
  4. Post-close 100-day plan. Immediate risk mapping, training, policy alignment, self-disclosure analysis where needed. DOJ rewards self-disclosure and cooperation with reduced penalties. Waiting for an anonymous tip is the expensive path.

Our team gets called into two kinds of rooms. The first is the buyer who wants an independent audit before wiring funds. The second is the buyer who did not, and now needs a turnaround team six months post-close. The first room is cheaper.

Frequently asked questions

Can a buyer be held liable for a behavioral health target’s pre-close False Claims Act violations?

Yes. Under current DOJ enforcement doctrine, successor liability applies when a buyer continues the target’s operations without addressing past misconduct. In May 2025, DOJ settled with Raytheon, RTX, and Nightwing for $8.4 million based on cybersecurity noncompliance that occurred between 2015 and 2021, before Nightwing acquired the business unit in 2024. Nightwing was named as a defendant and paid as the successor owner. Buyers who skip a pre-close compliance audit and self-disclosure analysis carry the most exposure.

How much are healthcare FCA settlements running now, and why does it matter for behavioral health M&A?

DOJ reported more than $6.8 billion in FCA settlements and judgments in fiscal year 2025, the highest single-year total in the statute’s history, with over $5.7 billion of that tied to healthcare. Whistleblower filings hit a record 1,297 qui tam suits in the same year. Behavioral health targets with medical necessity, ASAM documentation, or kickback exposure sit squarely in DOJ’s stated enforcement priorities, so recoupment and FCA risk needs to be priced into deal terms, escrow, and reps and warranties.

What state pre-closing notifications should a behavioral health buyer plan for?

It depends on the state footprint. Indiana requires 90-day pre-closing notice to the Attorney General for mergers or acquisitions where a health care entity has at least $10 million in total assets, and the definition of “health care entity” explicitly includes private equity firms. Massachusetts, Connecticut, and Maine have added their own reporting and oversight regimes on PE healthcare acquisitions. Build these timelines into the LOI, not the closing week.

What should a compliance audit actually cover in a behavioral health target?

At minimum: chart-level medical necessity and ASAM Criteria 4th Edition documentation, licensure and accreditation status with all open findings and corrective action plans, payer contracting and UM history including SIU audit exposure, HIPAA and 42 CFR Part 2 controls, and any pending inquiries from CMS or state health departments. The HHS-OIG General Compliance Program Guidance, published November 6, 2023, names billing, coding, sales, marketing, quality of care, patient incentives, and arrangements with physicians and other referral sources as common risk areas to test against.

Request a Free Consultation

Scroll to Top