Bidding for attractive businesses in the pharma services space continues to accelerate, with new interest emerging daily from investors who traditionally have not focused on the sector. With this influx comes an urgent need to quickly grasp the core due diligence considerations that drive risk allocation and, in some cases, valuation.
Differentiation based on speed to closing is difficult, if not impossible, without an innate sense of the significance of these concepts. This alert provides a roadmap for initial triage and identification of non-obvious landmines in legal diligence on contract research organizations (CROs). The pharmaceutical services industry is highly regulated — with significant potential for steep fines and reputational damage for regulatory noncompliance.
CROs range from large multifaceted, international businesses with a variety of service lines, to small operations focused on specific diseases or specialties. At their heart, CROs generally serve sponsors of clinical studies and trials and help reduce costs by providing study and trial support, including through managing trial sites or providing potential investigators. Although the scope and depth of legal due diligence may vary based on a range of factors, CROs share broad similarities.
1. Federal Anti-Kickback Statute. One of the
greatest sources of regulatory risk applicable to CROs stems from
the Federal Anti-Kickback Statute (AKS) and its state law
equivalents. In general, the AKS prohibits individuals and entities
from knowingly offering, paying, soliciting or receiving
remuneration to induce business for which payment may be made by
federal healthcare programs.
The Department of Justice (DOJ) enforces in this space by
scrutinizing clinical research grants or payments that are merely
disguised kickbacks. Specific areas of DOJ concern include research
that is never published, payments outside fair-market value,
payments to providers with high drug utilization for the sponsor
and research that is never actually completed. In 2022, the DOJ
identified clinical trial fraud as one of four key areas of
enforcement focus by its Consumer Protection Branch. Acquirers
can expect more enforcement actions in this space in the future, so
it is critical to identify any potential risk under the AKS during
due diligence.
For the acquirer to identify potential AKS compliance concerns, the target company should provide a general description of sponsor recruitment goals, payments (and any deviations therefrom), any incentives provided to participants, and all policies related to employee or contractor interactions with referral sources, including any "gifts and entertainment" policies. It also should be able to identify how and when it bills the federal government for services. Goods or services that are "cash pay only" are not necessarily exempt from regulation. For example, certain state laws apply without regard to payor and federal prosecutors may pursue different, novel theories in other cases. The acquirer should confirm that the CRO's studies are properly listed on Clinicaltrials.gov and review any relevant policies.
Finally, it is important for the acquirer to understand the target's compensation arrangements with principal investigators and any other physicians, as well as its pricing/fee structures. If any red flags are raised — such as compensation that is tied to the outcome of a trial, in excess of fair-market value, or paid to an investigator with a financial interest in the studied drug or device — the acquirer should scrutinize the arrangement closely to understand the potential risk under the AKS.
2. FDA Regulations. Also posing regulatory risk
for CROs are the regulations promulgated by the U.S. Food and Drug
Administration (FDA), including its good clinical practices (GCP)
and equivalent human subject protection and research data integrity
regulations. These regulations impose numerous requirements on
clinical trial sponsors and related institutions, such as CROs,
related to record-keeping, qualification of investigators and
monitors, and documenting any investigation compliance
deviations.
Failure to comply with these regulations can result in regulatory
and enforcement actions against the sponsor and/or the institution,
as well as other individuals and entities involved in clinical
research activities. The FDA's enforcement tools for
noncompliance include Form FDA-483 (inspectional observations),
which sets forth potential noncompliance observed by the FDA during
on-site inspections, FDA warning letters, and mandatory suspension
of clinical operations or investigations.
To assess a target company's compliance with FDA regulations, the acquirer should review copies of all Form FDA-483s, FDA warning letters and all documentation related to any mandatory suspension of clinical operations, or investigations, corrective actions or penalties the target has received. The acquirer also should review copies of all audits performed by the FDA and sponsors, including applicable findings and correction plans, and should determine whether data in support of a product application has ever been audited or disqualified because of noncompliance. Adverse findings from the sponsor or the FDA could impact the CRO's ability to retain clinical trials or obtain new ones. FDA has used failure to register a trial on Clinicaltrials.gov as a reason to enforce penalties and fines.
3. Other Regulatory Compliance. Although the
AKS and FDA regulations are two of the major sources of regulatory
risk for CROs, a myriad of other local, national and international
regulations should be considered during the due diligence process.
Additionally, acquirers should review all advertising and marketing
materials the target company uses and assess its compliance with
applicable medical marketing and advertising laws.
The acquirer should confirm that the CRO has all necessary
licenses, registrations and permits, such as waivers under the
Clinical Laboratory Improvement Amendments, state lab
registrations, and healthcare professional licenses, as applicable.
The acquirer should be aware of any upcoming expiration dates or
consents that may be required to transfer licenses or permits in
connection with the contemplated transaction.
The acquirer also should determine whether the target company has any contracts with governmental entities or provides services to any trial that is government-funded, as this may present an additional source of regulatory risk. For example, if the CRO receives research funding from the Department of Health and Human Services (HHS), it will be subject to the jurisdiction of the Office of Research Integrity and its regulations related to research misconduct. Thus, if the CRO receives government funding or has any contracts with governmental entities, this would be a direct reason to comply with HHS implementation of the common rules. Many studies have partial National Institutes of Health funding. If the CRO is performing any services for the federal government or is a recipient of any federal grant, further compliance with applicable federal grant and contracting rules may apply. The acquirer should review the terms and conditions of the grant.
Finally, it is also imperative for the acquirer to understand the scope of the target company's international operations, if any. If the target does have international operations, it should describe the status of all international trials and provide any relevant correspondence with foreign regulatory bodies. The acquirer must determine which foreign regulatory bodies have jurisdiction and assess the target's compliance with any applicable regulations. In addition, the acquirer should conduct a robust Foreign Corrupt Practices Act diligence process to identify any red flags, such as unusual payment patterns or operations in high-risk jurisdictions.
4. Corporate Compliance. In addition to assessing compliance with the regulatory frameworks already discussed, the acquirer should familiarize itself with the target CRO's internal corporate compliance controls. Doing so will provide an understanding of how the company manages compliance and mitigates risk, and can alert the acquirer to potential unidentified liabilities or provide confidence that the risk is low. Scrutinizing the CRO's internal controls is especially important in light of the DOJ's increasing focus on clinical trials.
The target company should provide an overview of its compliance
personnel, including a list of individuals holding chief compliance
officer, compliance committee member, privacy and security officer
or similar roles. The acquirer also should review the company's
compliance plan and all related policies and procedures, such as
policies addressing compliance with GCP regulations and
record-keeping and reporting for clinical trials, including any
adverse experiences.
The company should describe its process for confirming that none of
its employees, contractors or agents (including clinical
investigators, institutional review boards, laboratories or other
individuals involved with the trials) have been disqualified,
debarred, excluded from federal healthcare programs, or are the
subject of any other action or accusation of noncompliance with
federal or state law by the FDA, HHS or other domestic governmental
agency. Finally, the acquirer should review a list of any
compliance matters reported through the company's compliance
hotline (or otherwise) and any internal compliance investigations
or audits, and understand how any such matters were resolved.
5. Standard Operating Procedures. To supplement its review of the target company's corporate compliance controls, the acquirer should review the company's standard operating procedures (SOPs), including policies and procedures related to clinical activities, safety reporting, informed consents, auditing of clinical study databases and clinical study reports, investigator site audits, reporting of death or other serious injuries, and the selection of investigators. The target company also should provide a description of its policy for reviewing and updating its SOPs.
It is important for the acquirer to review the target's SOPs because they provide high-level insight into the institution's operations, compliance program and quality assurance program. SOPs should be clear, well-organized, and have easy-to-follow instructions. They should be reviewed and updated regularly by the CRO to reflect regulatory changes or new best practices. A review of the SOPs can reveal deficiencies in regulatory compliance and help the acquiring entity understand and mitigate potential operational risks and liabilities.
6. Institutional Review Boards. Institutional
review boards (IRBs) may be either for-profit or not-for-profit in
their duties to ethically oversee research and ensure human subject
protection. IRBs are required to oversee any non-exempt human
subject research in the United States under the implementation of
the "common rule" adopted by all federal agencies and,
separately, FDA's implementation. IRBs are required to oversee
any human research that poses a risk to human health and any
research that involves an investigational drug, device, biologic or
tobacco product.
IRBs should be accredited and should be registered with the HHS
Office of Human Research Protection. Instances where a study or
investigator is flagged or stopped for violations of informed
consent practices or serious adverse events should be carefully
reviewed.
Importantly, the type and location of IRB matter. IRBs in foreign
countries must comply with FDA's rules for data collected from
overseas clinical studies and must be accredited to internationally
harmonized rules on human subject protection. A target's
failure to ensure best practices here can impact data usability in
any investigative product and potentially result in either
non-approval or costly additional studies to show safety and
efficacy. For example, the CRO should disclose if an IRB has ever
terminated oversight or determined that it will not review a study,
or put the company or any of its employees, contractors or
investigators on a watchlist. If the CRO contracts directly with
IRBs, the acquirer should review all such contracts.
By developing a thorough understanding of the target company's
relationship with its IRBs, the acquirer can identify potential
operational or regulatory risks and liabilities. The acquirer
should look to see if any study is inactive or incomplete, or if
the target has ever had a sponsor remove a study or had an IRB
investigate the CRO for alleged recruitment violations. Clinical
trial risk for AKS sometimes can be identified by irregularities in
recruiting patients or sudden withdrawals of sponsors from trials.
The goal is to determine if the target is diligent in carrying out
the work in full compliance with applicable regulations and not
running a fraudulent billing scheme.
7. Contractual Diligence. The acquirer's
due diligence process should include a review of the target
CRO's material contracts, including clinical trial agreements
with sponsors; clinical investigation agreements with clinical
sites, clinical investigators or other third parties; master
service agreements; statements of work; study budgets; form service
agreements; and contracts with vendors and ancillary service
providers.
This review can help the acquirer identify potential risks from
business, transactional and regulatory perspectives. For example,
from a business perspective, the contract review can provide
valuable insight into the target's primary customer base, the
level of customer concentration, upcoming expirations, and any
pricing terms, restrictive covenants or ongoing indemnification
obligations that may affect the CRO's operations
post-acquisition. From a transactional perspective, a contract
review is necessary to determine the third-party consents and
notices required in connection with the acquisition. From a risk
perspective, a contract review can help confirm that the CRO is
protected from bad or negligent acts from, for example, a clinical
site. Finally, the contract review can reveal potential regulatory
risks. For example, to confirm they don't present any AKS
issues, clinical trial agreements should be reviewed to confirm
that aggregate compensation is set in advance, is consistent with
fair-market value and does not take volume or value of referrals
into account.
8. Data Privacy and Security. Data privacy and security due diligence is important in any acquisition, but especially so when the target handles sensitive personal and health data, as is the case with CROs. The acquirer should conduct a thorough review of the target company's data privacy and security policies, procedures and practices to identify any potential vulnerabilities. The target company should provide a description of any actual or alleged data breaches, unauthorized uses of its computer systems or data, any violations of its data- or privacy-related policies or procedures, and any other identified data or information security issues.
It is also important for the acquirer to understand what types
of protected health information or other personally identifiable
information the CRO collects and the measures it takes to protect
it. For example, the acquirer should consider whether the target
processes employee data, biometric data (such as fingerprints,
retinal scans or face recognition), COVID-19 data or website
interactions.
The target also should provide a description of how it ensures
compliance with data privacy and security obligations at the state,
federal and international levels (if applicable). For example, the
acquirer should determine whether the target company is subject to
the Health Insurance Portability and Accountability Act (HIPAA).
Although CROs often are not subject to HIPAA, the acquirer should
confirm that there is nothing in the target's operations that
may require it to comply. Even if the target is not subject to
HIPAA, CROs customarily are required by contract to protect the
privacy and security of research subject information and to use
such information only for the study-related purposes set forth in
the protocol. Acquirers should confirm that the target company is
in compliance with any such requirements. Additionally, acquirers
should determine if the CRO is subject to any state data privacy
laws and, if so, confirm that the CRO is in compliance.
9. Employment Diligence. CROs often are heavily dependent on a workforce that ramps up and down based on specific trials. Because of this, it is important to review a target CRO's usage of "employee" versus "independent contractor" classification to ensure the target CRO is differentiating between its workers in a compliant manner. This is an area where CROs historically have struggled with compliance, often because many of the individuals who work in this industry prefer to be classified as independent contractors even if they appear more as employees based on legal tests.
10. Litigation and Disputes. Finally, the
acquirer's due diligence process should include a comprehensive
request for information regarding any litigation, claims or
assessments, as well as any threatened claims involving the target
CRO. This should include a description of any state or federal
governmental administrative proceedings or inquiries (by agencies
such as those listed above and by the Equal Employment Opportunity
Commission, Environmental Protection Agency, Occupational Safety
and Health Administration, and Drug Enforcement Agency).
The acquirer should request information relating to any
workers' compensation claims, bankruptcy proceedings,
significant labor disputes or work stoppages, consent decrees or
injunctions. The target also should disclose any material customer
complaints or claims by any employee or clinical trial participant.
Such disclosures are critical as they not only help the acquirer
identify existing or potential liabilities, but also can provide
insight into regulatory noncompliance or operational deficiencies
that may need to be remedied.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.