Regulatory (Tech & Healthcare)
FDA (devices, SaMD), FTC, antitrust, healthcare fraud & abuse (Stark, Anti-Kickback), HIPAA enforcement
CLO Primer
Regulatory compliance is where tech and healthcare/medtech companies face their most existential legal risks. FDA, FTC, and DOJ/OIG enforcement actions can shut down products, impose massive fines, and trigger securities disclosure obligations. The CLO must understand the regulatory framework well enough to identify risk before it materializes and to work effectively with specialized regulatory counsel.
For medical device and digital health companies, FDA jurisdiction is the central regulatory question. The 21st Century Cures Act (which carved certain software functions out of the statutory device definition) and FDA's evolving SaMD guidance create a complex framework for determining when software is a "device" requiring premarket clearance or approval. AI/ML-based software as a medical device (AI/ML-SaMD) is subject to specific FDA guidance on predetermined change control plans, which let a sponsor pre-specify the modifications an adaptive algorithm may undergo so that changes within the plan do not each require a new submission; this is critical for companies building adaptive algorithms into their products. Since the FDORA amendments of December 2022 (FD&C Act Section 524B), premarket submissions for "cyber devices" must also include a software bill of materials and a plan for identifying and addressing postmarket vulnerabilities, which makes device cybersecurity a premarket gating item rather than only a quality-system one.
The healthcare fraud and abuse framework, primarily the Anti-Kickback Statute (AKS) and the Physician Self-Referral Law (Stark Law), tightly restricts financial relationships between healthcare companies and referral sources. AKS is a criminal statute reaching any remuneration intended to induce referrals of federal healthcare program business; Stark is a civil, strict-liability statute covering physician referrals for designated health services. Violations can result in exclusion from Medicare/Medicaid, civil monetary penalties, False Claims Act liability, and, under AKS, criminal prosecution. CLOs at healthcare companies must build compliance programs that screen all sales, marketing, and research arrangements involving healthcare providers for these risks.
FTC antitrust enforcement has become more aggressive, particularly in the tech and healthcare sectors. Merger review is more rigorous, and the agency has invoked a "potential competition" theory of harm to challenge acquisitions of nascent competitors. The CLO must factor antitrust risk into M&A strategy early, before significant transaction costs are sunk.
Key Concepts
Reference topics — deep-dive primers coming soon
- FDA device classification: Class I/II/III; 510(k) clearance, De Novo, PMA approval
- Software as a Medical Device (SaMD): FDA's 2023 final guidance, predetermined change control plans
- Digital health policy: FDA enforcement discretion, mobile medical applications
- Anti-Kickback Statute: "one-purpose" rule; safe harbors (employment, personal services, fair market value)
- Stark Law (Physician Self-Referral): designated health services, exceptions, strict liability
- False Claims Act: qui tam relators, treble damages, voluntary disclosure program
- OIG compliance guidance: elements of effective healthcare compliance programs
- Value-based care AKS safe harbors: VBE arrangements, outcomes-based arrangements
- FTC Act Section 5: unfair methods of competition; unfair/deceptive acts or practices
- Antitrust merger review: Clayton Act Section 7, DOJ/FTC guidelines (2023 revision)
- Sherman Act: per se vs. rule of reason; price-fixing, market allocation, tying
- State AG consumer protection enforcement — FTC Act state analogues
- HIPAA enforcement: OCR investigations (recurring finding: missing or inadequate Security Rule risk analysis), breach notification, corrective action plans, civil monetary penalties
- CMS reimbursement: coding compliance, billing audits, coverage determinations
- Export controls (EAR/ITAR) for tech hardware and dual-use software