Bidding for attractive businesses in the pharma services space continues to accelerate, with new interest emerging daily from investors who traditionally have not focused on the sector. With this influx comes an urgent need to quickly grasp the core due diligence considerations that drive risk allocation and, in some cases, valuation.
Differentiation based on speed to closing is difficult, if not impossible, without an innate sense of the significance of these concepts. This alert provides a roadmap for initial triage and identification of non-obvious landmines in legal diligence on contract research organizations (CROs). The pharmaceutical services industry is highly regulated — with significant potential for steep fines and reputational damage for regulatory noncompliance.
CROs range from large multifaceted, international businesses with a variety of service lines, to small operations focused on specific diseases or specialties. At their heart, CROs generally serve sponsors of clinical studies and trials and help reduce costs by providing study and trial support, including through managing trial sites or providing potential investigators. Although the scope and depth of legal due diligence may vary based on a range of factors, CROs share broad similarities.
1. Federal Anti-Kickback Statute. One of the greatest sources of regulatory risk applicable to CROs stems from the Federal Anti-Kickback Statute (AKS) and its state law equivalents. In general, the AKS prohibits individuals and entities from knowingly offering, paying, soliciting or receiving remuneration to induce business for which payment may be made by federal healthcare programs.
The Department of Justice (DOJ) enforces in this space by scrutinizing clinical research grants or payments that are merely disguised kickbacks. Specific areas of DOJ concern include research that is never published, payments outside fair-market value, payments to providers with high drug utilization for the sponsor and research that is never actually completed. In 2022, the DOJ identified clinical trial fraud as one of four key areas of enforcement focus by its Consumer Protection Branch. Acquirers can expect more enforcement actions in this space in the future, so it is critical to identify any potential risk under the AKS during due diligence.
For the acquirer to identify potential AKS compliance concerns, the target company should provide a general description of sponsor recruitment goals, payments (and any deviations therefrom), any incentives provided to participants, and all policies related to employee or contractor interactions with referral sources, including any “gifts and entertainment” policies. It also should be able to identify how and when it bills the federal government for services. Goods or services that are “cash pay only” are not necessarily exempt from regulation. For example, certain state laws apply without regard to payor, and federal prosecutors may pursue different, novel theories in other cases. The acquirer should confirm that the CRO’s studies are properly listed on ClinicalTrials.gov and review any relevant policies.
Finally, it is important for the acquirer to understand the target’s compensation arrangements with principal investigators and any other physicians, as well as its pricing/fee structures. If any red flags are raised — such as compensation that is tied to the outcome of a trial, in excess of fair-market value, or paid to an investigator with a financial interest in the studied drug or device — the acquirer should scrutinize the arrangement closely to understand the potential risk under the AKS.
2. FDA Regulations. Also posing regulatory risk for CROs are the regulations promulgated by the U.S. Food and Drug Administration (FDA), including its good clinical practices (GCP) and equivalent human subject protection and research data integrity regulations. These regulations impose numerous requirements on clinical trial sponsors and related institutions, such as CROs, related to record-keeping, qualification of investigators and monitors, and documenting any investigation compliance deviations.
Failure to comply with these regulations can result in regulatory and enforcement actions against the sponsor and/or the institution, as well as other individuals and entities involved in clinical research activities. The FDA’s enforcement tools for noncompliance include Form FDA-483 (inspectional observations), which sets forth potential noncompliance observed by the FDA during on-site inspections, FDA warning letters, and mandatory suspension of clinical operations or investigations.
To assess a target company’s compliance with FDA regulations, the acquirer should review copies of all Form FDA-483s, FDA warning letters and all documentation related to any mandatory suspension of clinical operations or investigations, corrective actions or penalties the target has received. The acquirer also should review copies of all audits performed by the FDA and sponsors, including applicable findings and correction plans, and should determine whether data in support of a product application has ever been audited or disqualified because of noncompliance. Adverse findings from the sponsor or the FDA could impact the CRO’s ability to retain clinical trials or obtain new ones. The FDA has used failure to register a trial on ClinicalTrials.gov as a reason to enforce penalties and fines.
3. Other Regulatory Compliance. Although the AKS and FDA regulations are two of the major sources of regulatory risk for CROs, a myriad of other local, national and international regulations should be considered during the due diligence process. Additionally, acquirers should review all advertising and marketing materials the target company uses and assess its compliance with applicable medical marketing and advertising laws.
The acquirer should confirm that the CRO has all necessary licenses, registrations and permits, such as waivers under the Clinical Laboratory Improvement Amendments, state lab registrations, and healthcare professional licenses, as applicable. The acquirer should be aware of any upcoming expiration dates or consents that may be required to transfer licenses or permits in connection with the contemplated transaction.
The acquirer also should determine whether the target company has any contracts with governmental entities or provides services to any trial that is government-funded, as this may present an additional source of regulatory risk. For example, if the CRO receives research funding from the Department of Health and Human Services (HHS), it will be subject to the jurisdiction of the Office of Research Integrity and its regulations related to research misconduct. Thus, if the CRO receives government funding or has any contracts with governmental entities, this would be a direct reason to comply with HHS’s implementation of the “common rule.” Many studies have partial National Institutes of Health funding. If the CRO is performing any services for the federal government or is a recipient of any federal grant, applicable federal grant and contracting rules may impose further compliance obligations. The acquirer should review the terms and conditions of the grant.
Finally, it is also imperative for the acquirer to understand the scope of the target company’s international operations, if any. If the target does have international operations, it should describe the status of all international trials and provide any relevant correspondence with foreign regulatory bodies. The acquirer must determine which foreign regulatory bodies have jurisdiction and assess the target’s compliance with any applicable regulations. In addition, the acquirer should conduct a robust Foreign Corrupt Practices Act diligence process to identify any red flags, such as unusual payment patterns or operations in high-risk jurisdictions.
4. Corporate Compliance. In addition to assessing compliance with the regulatory frameworks already discussed, the acquirer should familiarize itself with the target CRO’s internal corporate compliance controls. Doing so will provide an understanding of how the company manages compliance and mitigates risk, and can alert the acquirer to potential unidentified liabilities or provide confidence that the risk is low. Scrutinizing the CRO’s internal controls is especially important in light of the DOJ’s increasing focus on clinical trials.
The target company should provide an overview of its compliance personnel, including a list of individuals holding chief compliance officer, compliance committee member, privacy and security officer or similar roles. The acquirer also should review the company’s compliance plan and all related policies and procedures, such as policies addressing compliance with GCP regulations and record-keeping and reporting for clinical trials, including any adverse experiences.
The company should describe its process for confirming that none of its employees, contractors or agents (including clinical investigators, institutional review boards, laboratories or other individuals involved with the trials) have been disqualified, debarred, excluded from federal healthcare programs, or are the subject of any other action or accusation of noncompliance with federal or state law by the FDA, HHS or other domestic governmental agency. Finally, the acquirer should review a list of any compliance matters reported through the company’s compliance hotline (or otherwise) and any internal compliance investigations or audits, and understand how any such matters were resolved.
5. Standard Operating Procedures. To supplement its review of the target company’s corporate compliance controls, the acquirer should review the company’s standard operating procedures (SOPs), including policies and procedures related to clinical activities, safety reporting, informed consents, auditing of clinical study databases and clinical study reports, investigator site audits, reporting of death or other serious injuries, and the selection of investigators. The target company also should provide a description of its policy for reviewing and updating its SOPs.
It is important for the acquirer to review the target’s SOPs because they provide high-level insight into the institution’s operations, compliance program and quality assurance program. SOPs should be clear, well-organized, and have easy-to-follow instructions. They should be reviewed and updated regularly by the CRO to reflect regulatory changes or new best practices. A review of the SOPs can reveal deficiencies in regulatory compliance and help the acquiring entity understand and mitigate potential operational risks and liabilities.
6. Institutional Review Boards. Institutional review boards (IRBs), which may be either for-profit or not-for-profit, have a duty to ethically oversee research and ensure human subject protection. IRBs are required to oversee any non-exempt human subject research in the United States under the implementation of the “common rule” adopted by all federal agencies and, separately, FDA’s implementation. IRBs are required to oversee any human research that poses a risk to human health and any research that involves an investigational drug, device, biologic or tobacco product.
IRBs should be accredited and should be registered with the HHS Office of Human Research Protection. Instances where a study or investigator is flagged or stopped for violations of informed consent practices or serious adverse events should be carefully reviewed.
Importantly, the type and location of the IRB matter. IRBs in foreign countries must comply with FDA’s rules for data collected from overseas clinical studies and must be accredited to internationally harmonized rules on human subject protection. A target’s failure to ensure best practices here can impact data usability in any investigative product and potentially result in either non-approval or costly additional studies to show safety and efficacy. For example, the CRO should disclose if an IRB has ever terminated oversight or determined that it will not review a study, or put the company or any of its employees, contractors or investigators on a watchlist. If the CRO contracts directly with IRBs, the acquirer should review all such contracts.
By developing a thorough understanding of the target company’s relationship with its IRBs, the acquirer can identify potential operational or regulatory risks and liabilities. The acquirer should look to see if any study is inactive or incomplete, or if the target has ever had a sponsor remove a study or had an IRB investigate the CRO for alleged recruitment violations. Clinical trial risk for AKS sometimes can be identified by irregularities in recruiting patients or sudden withdrawals of sponsors from trials. The goal is to determine if the target is diligent in carrying out the work in full compliance with applicable regulations and not running a fraudulent billing scheme.
7. Contractual Diligence. The acquirer’s due diligence process should include a review of the target CRO’s material contracts, including clinical trial agreements with sponsors; clinical investigation agreements with clinical sites, clinical investigators or other third parties; master service agreements; statements of work; study budgets; form service agreements; and contracts with vendors and ancillary service providers.
This review can help the acquirer identify potential risks from business, transactional and regulatory perspectives. For example, from a business perspective, the contract review can provide valuable insight into the target’s primary customer base, the level of customer concentration, upcoming expirations, and any pricing terms, restrictive covenants or ongoing indemnification obligations that may affect the CRO’s operations post-acquisition. From a transactional perspective, a contract review is necessary to determine the third-party consents and notices required in connection with the acquisition. From a risk perspective, a contract review can help confirm that the CRO is protected from bad or negligent acts from, for example, a clinical site. Finally, the contract review can reveal potential regulatory risks. For example, to confirm they don’t present any AKS issues, clinical trial agreements should be reviewed to confirm that aggregate compensation is set in advance, is consistent with fair-market value and does not take volume or value of referrals into account.
8. Data Privacy and Security. Data privacy and security due diligence is important in any acquisition, but especially so when the target handles sensitive personal and health data, as is the case with CROs. The acquirer should conduct a thorough review of the target company’s data privacy and security policies, procedures and practices to identify any potential vulnerabilities. The target company should provide a description of any actual or alleged data breaches, unauthorized uses of its computer systems or data, any violations of its data- or privacy-related policies or procedures, and any other identified data or information security issues.
It is also important for the acquirer to understand what types of protected health information or other personally identifiable information the CRO collects and the measures it takes to protect it. For example, the acquirer should consider whether the target processes employee data, biometric data (such as fingerprints, retinal scans or face recognition), COVID-19 data or website interactions.
The target also should provide a description of how it ensures compliance with data privacy and security obligations at the state, federal and international levels (if applicable). For example, the acquirer should determine whether the target company is subject to the Health Insurance Portability and Accountability Act (HIPAA). Although CROs often are not subject to HIPAA, the acquirer should confirm that there is nothing in the target’s operations that may require it to comply. Even if the target is not subject to HIPAA, CROs customarily are required by contract to protect the privacy and security of research subject information and to use such information only for the study-related purposes set forth in the protocol. Acquirers should confirm that the target company is in compliance with any such requirements. Additionally, acquirers should determine if the CRO is subject to any state data privacy laws and, if so, confirm that the CRO is in compliance.
9. Employment Diligence. CROs often are heavily dependent on a workforce that ramps up and down based on specific trials. Because of this, it is important to review a target CRO’s usage of “employee” versus “independent contractor” classification to ensure the target CRO is differentiating between its workers in a compliant manner. This is an area where CROs historically have struggled with compliance, often because many of the individuals who work in this industry prefer to be classified as independent contractors even if they appear more as employees based on legal tests.
10. Litigation and Disputes. Finally, the acquirer’s due diligence process should include a comprehensive request for information regarding any litigation, claims or assessments, as well as any threatened claims involving the target CRO. This should include a description of any state or federal governmental administrative proceedings or inquiries (by agencies such as those listed above and by the Equal Employment Opportunity Commission, Environmental Protection Agency, Occupational Safety and Health Administration, and Drug Enforcement Agency).
The acquirer should request information relating to any workers’ compensation claims, bankruptcy proceedings, significant labor disputes or work stoppages, consent decrees or injunctions. The target also should disclose any material customer complaints or claims by any employee or clinical trial participant. Such disclosures are critical as they not only help the acquirer identify existing or potential liabilities, but also can provide insight into regulatory noncompliance or operational deficiencies that may need to be remedied.