FDA Regulatory, Compliance, and Privacy Due Diligence — Finding Your Goldilocks Zone

August 07, 2023

by Mark Gardner, M.B.A., J.D.

The "Goldilocks Zone" is a term coined by NASA to describe the habitable zone around a star where liquid water can exist on the surface of surrounding planets. This is the "sweet spot" where it is neither too hot nor too cold, but just right for life to exist.

When it comes to due diligence in acquisitions of FDA-regulated companies, the "Goldilocks Zone" is the ideal place to be.

Click below to see an on-demand presentation on this topic at the Navigating the M&A Waters of FDA-Regulated Companies program.

Among other things, the presentation expands on the Top 20 due diligence questions/requests for FDA-regulated medical device and pharmaceutical companies, discusses what belongs in the data room, considers where buyers typically focus attention, and illustrates case studies.

Read below for a summary of the presentation.


FDA Goldilocks Zone


When conducting due diligence of an FDA-regulated company, there are several important questions that should be posed. These include questions relating to regulatory, compliance, and privacy matters. For example, questions about FDA, FTC, Anti-Kickback Statute, False Claims Act, CMP Law, Stark Law, Sunshine Act, HIPAA, GDPR, FTCA, state regulations, and more. Additionally, questions about the company's compliance program should be asked. This includes questions about the company's compliance policies and procedures, compliance officer and committee, auditing and monitoring reports, complaint handling process, and more.

When it comes to acquisitions, it is important to focus on the data room. This is where all the documents memorializing remunerative relationships with providers should be stored. These documents include physician consulting agreements, grant, royalty, and research agreements, physician ownership in the company, and joint marketing arrangements. Other documents commonly placed in the data room include customer agreements, GPO agreements, compliance and privacy policies and procedures, FDA quality-related materials, and more. It is important to note that attorney-client privileged materials, e.g., audit reports, should not be included in the data room.


Preparation on the seller's part is also important when it comes to acquisitions. This includes being prepared to talk about regulatory, compliance, and privacy issues. Of particular interest to buyers and underwriters are FDA quality issues, off-label promotion/use, reimbursement support, referral marketing practices, provider meal and expense policy, federal and state sunshine reporting, state licensures, the company's compliance program, privacy compliance (HIPAA, GDPR, FTC), remunerative relationships with providers, and more.


Below are our top twenty regulatory, compliance, and privacy questions/requests for buyers of FDA-regulated companies.

  1. Describe your compliance program.
  2. Have there been violations of your compliance policies?
  3. How do you vet consultants/employees for exclusion/debarment?
  4. Do you perform auditing and monitoring? If you answer "yes," expect to be asked for the reports (discussed later).
  5. Do you have a compliance hotline?
  6. Do you have a compliance officer?
  7. Do you have a compliance committee? Does it meet regularly?
  8. What is the ratio of HCP consultants to customers?
  9. Have you had any recalls, warning letters, MDRs, or other FDA issues?
  10. Describe your privacy program, policies, and procedures.
  11. What is your process for meeting federal, state, municipal sunshine requirements?
  12. Do you have all necessary state and federal clearances, licenses, and permits?
  13. Describe your complaint handling process.
  14. Has the company ever been subjected to a government investigation, received a CID, or faced other inquiries?
  15. Apply the above to O-US (outside the U.S.) activities.
  16. Do you perform an annual needs assessment for consultants?
  17. Describe the company's sales and marketing practices. Does the company provide discounts or rebates?
  18. What sort of reimbursement support does the company provide and how does it work with payors?
  19. Does the company sign business associate agreements (BAA)?
  20. Describe company training practices for employees and consultants.

This is just a sample. There are many more questions/requests. Asking the right questions and being prepared are the keys to finding the "Goldilocks Zone" in acquisitions.

Finally, it is important for both buyers and sellers to carefully review what is being agreed to and to edit contractual representations and warranties as necessary.

If you have questions about due diligence in acquisitions of FDA-regulated companies, the team at Gardner Law can help.
