As I have mentioned before, I teach a class on healthcare venture capital at UC Berkeley’s Haas School of Business. For the final, students are asked to pick a private company which they think would be a great investment and write, for all intents and purposes, an investment memo to justify their recommendation and highlight the positives and risks of the investment. Virtually all of the students have at least 4-5 years experience working in the healthcare field in some form.
This year, for the first time after about 11-12 years of teaching this class, several students selected companies focused on CRISPR gene editing technology as their target investments. It was an interesting development, though maybe not that surprising as CRISPR has been much in the news of late. For those of you not familiar with CRISPR, it is used to edit genes in the lab and in live organisms (e.g., crops, people) to prevent them from having particular diseases or disabilities or to rectify those that they may already have. For those much further out there on the edge, the technology could also be used to create designer babies or to customize humans in ways that aren’t about fixing medical risk (e.g., make babies “better” by programming them for greater physical acumen or big blue eyes, or whatever floats your particular boat).
In fact, the main reason CRISPR has been in the news of late is that a scientist in China has been experimenting in vivo with babies without regulatory approval to do so. Frankly, this did not go over well in the medical and scientific community (understatement of the year).
What struck me about the papers from the class was that not one of them raised this ethical risk, and, more importantly, the likely forthcoming regulatory impact it will create, as a deal risk. It was very surprising, as to me, as this risk is at least as big of a deal as perfecting the science itself.
The decision to overlook, not understand or otherwise not effectively manage regulatory risk was also demonstrated recently in the challenges faced by startup uBiome, which is accused of ignoring claims billing rules in a way that violates the law. Not a CRISPR issue to be sure, unless claims editing comes under the same category as people editing (God, I hope not), but another example of putting regulatory risk on the back burner when compliance should be on hard boil at the front of the stove.
So many companies have been in the news lately for their efforts to work around or flat out ignore regulatory compliance and they do so at massive peril. Aside from running out of cash, the fastest route to a rapid company shut down and the resulting immolation of all equity in the company is to have the government surprise you with a regulatory compliance audit when you have not been acting like they could show up any moment. FYI, they can, and they do, and they don’t send you advance notice – I have seen it close up and it isn’t pretty, even when you are in compliance. When you’re not, you will have an immediate and painful realization of the error of your ways. Not knowing is not considered a defense. Comedian Steve Martin once said, “I forgot armed robbery was against the law.” The Justice Department and their friends at the FDA and CMS would not think Steve Martin is funny.
When starting a company, entrepreneurs often think hard about protecting their intellectual property and then about speed to market. But failing fast by inadequate product testing is one thing; failing fast because you decided regulatory compliance is optional is fatal. Protecting your assets by getting good regulatory advice is as much an investment in your business as is an investment in IP or the right team or having the optimal artisanal coffee delivery system in your break room.
Regulatory risk comes in many flavors and you have to like all of the ones relevant to you – you don’t get to pick and choose. Among those on the list are things like FDA compliance, which is often in the front of entrepreneurs’ minds and should be. But many seek to skirt this requirement and sell products just short of what might need an FDA approval. Generally, this is short-sighted since it is often true that the FDA approval is as much a “good housekeeping seal of approval” for marketing as it is a regulatory requirement. “But wait,” I often hear from entrepreneurs, particularly in digital health, “it will take more time! It will cost more money!” To which I say, “Yep. If you came to play, you gotta suit up.” Oh by the way, ongoing regulatory compliance with FDA rules is also necessary post-approval. It is not one and done.
Another area of regulatory import often overlooked applies more to healthcare services, including the services that many health tech companies provide as ancillary to the technology itself. This includes regulations about physicians practicing across state lines (mostly not legal) and relating to the Corporate Practice of Medicine or Any Willing Provider laws , which can have a dramatic impact on how you accomplish service delivery in any given state. There are numerous regulatory requirements one must adhere to when serving and billing Medicaid and Medicare programs and when sharing data (e.g., HIPAA, GDPR, CCPA – are you a healthcare entrepreneur or investor and don’t know what these mean? Then run, don’t walk, to your nearest acronym dictionary). There are many more areas of healthcare regulation, too numerous to mention that apply to pharmacy operations, telemedicine, you name it. Running afoul of any of these is not advised under any circumstances. But I have definitely seen circumstances where entrepreneurs clearly didn’t understand the risks of non-compliance, and where that was evident in the product design and/or business model implementation. Their attitude often is “ask forgiveness, not permission.” To that I say, “Seller beware.”
We have barely begun to see the regulatory impact of CRISPR and comparable technologies. There was a time when it was illegal to do research on stem cells, which blunted the advancement of that science, at least in the US, for some time. I suspect we will see some of both the legitimate and silly paranoia about CRISPR find itself into law in the relatively near future. So, if you are building a company or investing in one in this area, you better keep one eye on your state capitol and the other on D.C. and take full account of the potential impact that evolving regulation can have on the business.
As to the other areas of regulatory compliance, here’s my advice to entrepreneurs: don’t skimp and don’t assume you understand it if you aren’t a regulatory expert; many of the laws are arcane and weirdly complex. It is very hard to get a do-over when you run afoul of the them. Understand them and comply with them from the get-go and you don’t have to lose speed by looking over your shoulder. If you don’t know this stuff yourself, hire lawyers and advisors who do. Yes, it may add cost and time, but at least it will allow you the luxury of failing for reasons other than those provided by law enforcement or succeeding without learning why orange is the new black.