The digitalisation of healthcare services requires adapting the due diligence process to ensure that the legal and business risks arising from investments in digital healthcare companies are duly identified and taken into account.

So, here is a short list of six areas to be checked before entering into the SPA:

  1. Separation of IP: Ensuring business continuity for the target requires confirming that the target holds all the IP it needs. Where the seller and the target share rights in key IP, a separation plan is needed, providing for the assignment and/or licensing of certain rights to the target;
  2. Rights in data: Because digital healthcare businesses rely extensively on data, it is key to assess how the data holder secures exclusive access to, and rights in, that data through a combination of legal tools (e.g. contractual protection, licensing) and technical measures (e.g. security controls, data lakes);
  3. Privacy: The processing of health data is subject to very narrow conditions (e.g. exhaustive information and consent), which raise potential compliance and liability issues. The data controller must be in a position to demonstrate compliance with the applicable regime. For example, where the business relies on data analytics to develop new products or services, data must be anonymised before the analytics phase, in line with the data minimisation principle. Effective anonymisation is not straightforward and should be carefully evaluated from both a legal and a technical standpoint;
  4. Use of AI: Where data analytics is used, the user of AI must also ensure that the AI is used transparently and without bias. The due diligence phase should therefore also cover the existence of adequate policies setting out the rationale on which the AI software operates;
  5. Cybersecurity: Where health data is processed and/or digital services are provided, cybersecurity is a key item to check, in order to avoid business risks (e.g. unauthorised access by a third party) and liability risks (e.g. sanctions by Data Protection Authorities for failure to implement minimum data security measures, and/or civil damages for loss of control over data). If data is stored in a data centre, a prospective investor may also want to assess the contractual regime governing the target's rights as a party to the colocation agreement (e.g. are the service credits sufficient leverage to ensure that the colocation provider consistently meets the agreed service levels?); and
  6. Open Source Software: Proprietary software used by many digital businesses (including providers of healthcare services) often relies on Open Source Software (OSS) components. Use of those components may give rise to business risks (e.g. the impossibility of commercially exploiting a given piece of software) and legal risks (e.g. the risk that the user of an OSS component is compelled to grant a license over its own software to the developer of the OSS component). Transactions involving digital businesses therefore require assessing whether adequate OSS policies exist, through which the target shows that it is aware of the implications of OSS and implements measures aimed at eliminating or mitigating the risks arising from that software.


Please note this blog post was written by a Clifford Chance LLP employee. Clifford Chance LLP is the parent company of Clifford Chance Applied Solutions (CCAS). The content within this post does not constitute legal advice.