Key Takeaways

• Understanding the difference between federal and state regulation.
• Which state first – it is important to choose the ‘formation state’ carefully as some states have stricter rules than others.
• Be prepared, new entrants should not underestimate the importance of complying with the relevant US rules and regulations nor the time it takes to do so.

The US healthtech market is thriving, attracting a wave of new entrants and record levels of venture capital funding. In the first half of 2021, VC investors ploughed just under $22bn into US healthtechs, dwarfing the $16.8bn raised across the whole of 2020, itself a record year.¹

From online doctors to virtual physiotherapy and teledentistry, the US healthtech sector has been accelerated by Covid-19 as more clinicians and their patients have turned to remote treatment during the pandemic.

Given this changing backdrop, it is little surprise that more and more European and UK healthtechs are launching their offerings in the US. Many others that have not had the US in their sights are now accelerating their US ambitions.

There are two key advantages to launching in the US. Firstly, healthtechs gain access to the largest telehealth market in the world. Secondly, they open the door to more investment opportunities: many US investors prefer to see some US traction before committing investment dollars to healthtech businesses.

But, for healthtechs looking to expand into the US, it is important that they pay close attention to the rules as they are notoriously complicated. Failure to properly prepare can lead to costly mistakes further down the line.

State of the market

So what should UK and European healthtechs consider before launching in the US?

Perhaps the most important point to recognize is the significance of state rules and regulations. While many federal rules apply to Medicare and Medicaid, the US government healthcare insurance schemes, many of the key regulations governing healthtechs are state ones and these can vary significantly across the country.

So, while a medical physician may pay a management services organization on a percentage of revenue basis in California, for example, such arrangement is an illegal fee split in New York. Healthtechs therefore need to ensure they have a good understanding of the relevant state laws before launching in a particular state. In extreme cases, healthtechs which don’t follow the rules could find that their operations are shut down overnight.

Keeping business at arm’s length

Perhaps the most important state requirement is the corporate practice of medicine (CPOM) restriction, a legal doctrine that bars business enterprises from directly employing medical physicians and providing medical services to the public.

In order to provide medical services in the US therefore, healthtechs need to set up a Management Services Organization (MSO) which provides services such as administration, marketing and technology and a separate professional corporation (PC, also known as a ‘Friendly PC’) which provides and manages all medical services to clients. In those states that recognize the CPOM restriction, the PC must be run and be owned by a state-registered medical professional who exerts full clinical control.

Up to around 40 states – including more popular states such as California, New York, Illinois and Texas – maintain CPOM restrictions in some form. This means that, for most states, healthtechs have to find a state-licensed physician to run and manage their PC.

Which state first?

One of the first decisions healthtechs intending to operate across more than one US state will need to make is whether they want to ‘slice and dice’ and run their separate regional divisions according to the different applicable state laws or whether they want to follow a ‘high water mark’ and adopt the stricter rules of a state like, say, California across all their divisions. For simplicity, many healthtechs choose this latter approach.

Equally, it is important to choose the ‘formation state’ carefully as some states have stricter rules than others. Healthtechs that choose the ‘wrong’ state of formation, for example, could find that the physician running their PC is unable to ‘foreign qualify’ in other states, meaning the healthtech will have to search out different physicians for different states.

The ‘friendly PC’

To keep things simple, some healthtechs opt for a “mega PC” run by a physician licensed or otherwise qualified in multiple states. Others choose a different physician for each state in which they operate to avoid placing too much control in the hands of one person. Remember the physician who serves as the sole shareholder for the affiliated medical practices run by the PC exercises great control.

Choosing the right physician to run a PC is therefore crucial. This means finding a physician who shares the philosophy of, and co-operates closely with, the healthtech business. Where one of the founders of the PC is unable to fulfil this key role, there are agencies and headhunters which can help in the search and selection. The relationship between the founders and management of a healthtech company with the physician is as important as the relationship between founders/management with an investor.

In any case, it is important to have a succession plan in place in the event that, for whatever reason, a physician leaves the PC. In most states, without a state-recognised physician running and owning the PC, all medical services must stop immediately so an unexpected departure of a physician can have a massive impact on a healthtech business.

Putting safeguards in place

Even where healthtechs have full confidence in their chosen physician for their PC, it is still vital to put structures in place to guard against potential pitfalls. Money should be regularly swept out of the PC back to the healthtech MSO so that only enough money to cover regular costs such as salaries and administration charges is ever held at the PC level.

Where possible, restrictive stock transfer agreements should also be drawn up to limit the shareholder’s (physician’s) ability to sell or transfer or assign his or her ownership to a third party without the consent of the MSO.

There also needs to be an administrative services agreement between the MSO and the PC as well as separate fee arrangements. If providing stock options to the physician out of the MSO, close attention needs to paid to anti-kickback and self-referral laws which vary state by state. Physicians will need to have a separate consulting agreement in place and provide bona fide non-clinical advisory services to the MSO.

Picking the right business model

Many healthtechs first launching in the US opt for a direct to consumer ‘out of pocket’ model where the PC does not receive payments from an insurance company or Medicare or Medicaid. This makes things much simpler, permitting healthtechs to avoid many stricter laws and regulations that apply to private and government insurance plans.

But, as their business gains traction, some can soon find they are working with healthcare plans or Medicare or Medicaid. So, from the outset, it makes sense for healthtechs to at least prepare for this tougher regulatory and compliance regime – even if they are only planning on providing a direct to consumer service from the beginning. The last thing any healthtech wants is to have to turn away an important customer simply because it can’t comply with required rules quickly enough.

Managing risks

It is also important not to overlook insurance, particularly given the often litigious nature of US medicine. In a rush to launch, this can be something that some healthtechs defer to another day. This can be a costly delay.

It is also a mistake to assume that your physician already has professional liability insurance. If he or she also works for a hospital, for example, that hospital will normally provide professional liability cover – but this will only be for medical services provided through that hospital. Healthtechs should factor in the cost of this insurance as well as for other insurances such as cybersecurity, which covers data privacy risks.

Data privacy risks, in particular, can be very high, especially if your business operates under HIPAA – the Health Insurance Portability and Accountability Act. HIPAA data privacy rules are designed to protect sensitive patient information and medical businesses subject to HIPAA frequently face unlimited indemnity so there can be sizeable risks in not having appropriate cover.

If a medical business is cash only, then HIPAA rules tend not to apply. But as soon as healthtechs start dealing with private insurers or Medicare or Medicaid, HIPAA rules will apply. So it can make sense for healthtechs to be HIPAA compliant from day one as this will allow them to avoid making costly and disruptive changes with key suppliers later on.

Be prepared

The opportunities for US healthtechs are huge. But new entrants should not underestimate the importance of complying with the relevant rules and regulations nor the time it takes to do so.

Choosing the right partners is key as is seeking out experienced advisers. If possible, healthtechs should look to speak to companies with prior experience of the US market. A good banker or lawyer should be willing to put healthtechs in touch with other relevant clients that have gone through / are going through this journey, allowing them to pick up valuable insights and thereby avoid significant costs and problems in the process. This applies both to companies launching in the US as well as those scaling.

Healthtechs that enter the US market with their eyes open can avoid costly mistakes further down the line and potentially steal a march on the growing number of competitors in this rapidly expanding space.

Originally published in Silicon Valley Bank, February 8, 2022