In healthcare deals, the risk hides in the documents nobody had time to read
Dr. Alan Whitfield of Brightmoor Health Advisors on scoring regulatory risk with AI before a human opens the data room, and why accountability never moves to the machine.

Healthcare transactions carry a form of legal risk with no clean equivalent in ordinary M&A. The Stark Law imposes strict liability on improper physician financial relationships, the Anti-Kickback Statute adds criminal exposure, and a single mispriced medical directorship or below-market lease can unwind a deal's economics after closing. Diligence teams have historically read these documents by hand, under deadline, hoping nothing was missed. Dr. Alan Whitfield, Managing Director of Brightmoor Health Advisors, a boutique firm advising providers on transactions and regulatory strategy, describes how his team now uses AI to score and rank risk before a human ever opens the data room.
What is the underlying problem you set out to address?
In a healthcare acquisition, the buyer inherits the seller's regulatory history. If a physician employment agreement paid above fair market value, or a medical directorship was compensated without a matching scope of work, that exposure does not disappear at closing. It becomes the buyer's problem, and under the Stark Law it attaches without any need to prove intent. The commercial consequence is direct: findings move the purchase price, drive indemnity escrows, and occasionally end a deal.
The operational reality is that a mid-sized provider transaction can involve several hundred agreements: physician contracts, payer agreements, leases, service arrangements, and compliance records. Historically a small team read those under a compressed timeline, often two or three weeks, while other workstreams competed for the same hours. Reading quality degrades late at night in week two. The risk was never that our people lacked judgment. It was that manual review at that volume and speed left too much room for a consequential clause to go unread.
Contract-analysis software has existed for years. Why is this viable now and not five years ago?
Earlier tools were essentially keyword and pattern matching. They could find the word 'exclusivity' but not recognize an exclusivity arrangement written in unfamiliar language, and healthcare contracts are drafted by hundreds of different lawyers with no common template. The false-negative rate on non-standard drafting was too high to rely on, so we kept doing the work by hand.
What changed is the model's ability to read a clause for meaning rather than for exact words. A modern system recognizes that a compensation formula tied to 'total practice collections' may implicate referral value even though it never uses that term. It can hold our risk taxonomy in mind and match documents against categories, not strings. Two other things matter: retrieval that grounds the model in the actual data-room documents rather than its training data, and the ability to demand a citation to the source page for every finding. Without that grounding, the output would not be defensible.
Walk me through how the review actually works, concretely.
We load the data room into a workspace isolated to the single engagement. Documents are extracted and, where they are scanned, put through optical character recognition, because a large share of healthcare records still arrive as images. The system then indexes everything so the model reads from the actual files rather than answering from memory.
Against that corpus we run our risk taxonomy, a structured list of the issues that matter in these deals: compensation above fair market value, referral-linked bonuses, medical directorships without documented duties, below-market leases with referral sources, change-of-control and termination provisions in payer contracts, and missing or expired compliance documentation. For each document, the model identifies which categories apply, scores the severity, and cites the page it relied on. The output is a ranked issues list, worst first. An advisor then works down that list. The machine has done the reading and the triage; the human does the interpretation, decides what is genuinely a problem, and designs the mitigation.
These are among the most confidential documents a company owns, and some contain protected health information. How do you govern that?
The controls come before any efficiency claim. Each engagement runs in an isolated environment. The documents are not used to train the underlying model, and there is no retention beyond the matter; when it closes, the workspace is torn down. Access is scoped to the specific deal team and enforced at the system level rather than by policy alone, so someone staffed on one transaction cannot query another.
Where records contain protected health information, HIPAA obligations apply and we handle them under the appropriate agreements. For diligence we work with the minimum necessary and redact identifiers where the clinical detail is not relevant to the legal question. We do not route documents through consumer AI tools, which would mean exporting them outside our controls. Every finding carries a citation to its source, and the review produces an exportable audit trail. In regulated diligence, being able to show how a conclusion was reached matters as much as the conclusion itself.
Language models are known to produce confident, wrong answers. How do you keep that out of a legal work product?
We treat the model as a very fast reader, not as the analyst of record. It surfaces and ranks; a qualified advisor confirms every material finding against the cited source before it reaches a client. The queries that matter most in a deal, change-of-control language and unusual compensation terms, are exactly the ones where a model is most likely to overreach, so those get the closest human scrutiny.
Two design choices help. The system is grounded in the deal documents and returns a page citation, which makes verification quick: the reviewer reads the cited passage rather than trusting a summary. And the model is configured to abstain when the documents do not support an answer, because a flagged uncertainty is useful while a fabricated certainty is dangerous. Accountability does not move. A named advisor signs the analysis, the same as before we used any of this. The AI does not give regulatory advice and is never presented to the client as having done so.
“A flagged uncertainty is useful. A fabricated certainty is dangerous. We built the review around that difference.”
Dr. Alan Whitfield, Managing Director, Brightmoor Health Advisors
How did the team respond, and what went wrong early on?
The first reaction from experienced staff was reasonable skepticism. People who have built careers on careful reading are right to distrust a tool that claims to do it faster. I did not ask anyone to take the output on faith. We ran the system in parallel on a closed matter we had already completed by hand and compared what each approach caught.
The first real problem was over-flagging. Our initial taxonomy was too broad, so the model surfaced a large volume of low-consequence items and buried the serious ones. That erodes trust quickly, because reviewers start ignoring the list. We spent time tuning severity thresholds and sharpening the category definitions until the ranking reflected how an experienced advisor actually prioritizes. The workflow also had to change. Junior staff no longer read every page cold; they start from the ranked list and verify, which is a different skill. We had to teach verification and healthy suspicion of the machine, not just how to operate it.
What have you actually measured?
On the acquisition where we first ran this at scale, the review flagged roughly 31 percent more risk items than our manual process had surfaced on comparable prior deals. Most of that difference was not dramatic findings; it was completeness, the smaller lease and service arrangements that a tired reader can pass over in week two. A minority were consequential enough to affect the negotiation.
Document review time on that engagement compressed from about three weeks to four days. I want to be careful with both numbers. The 31 percent is a comparison against our own past work, not an independently audited figure, and it will vary with the quality of the data room. The time saving is real, but it is time to a reviewable draft, not time to a signed opinion; the human interpretation that follows is not compressed and should not be. What we mainly bought is earlier visibility into where the risk sits, which changes how we spend the human hours.
What would you say to a peer who thinks this is overhyped, or a client who is nervous about it?
To the skeptical peer, I would say the technology does not replace judgment, and anyone selling it that way is overreaching. It reads faster and more consistently than a person can at three in the morning, and it never gets bored on page four hundred. That is the honest claim. It still misreads genuinely novel deal structures, it is only as good as the completeness of the data room, and it can create false confidence if a team stops checking. Those are real limitations, not marketing caveats.
To the nervous client, I would say the accountability structure has not changed. A named advisor is responsible for the analysis and signs it, exactly as before. What has changed is that we spend fewer hours on mechanical reading and more on the questions that require a healthcare regulatory judgment: is this compensation defensible, and if not, how do we fix it before closing. The client is paying for that judgment, and they still get it.
Give me a specific moment where it mattered.
On one transaction, the system ranked near the top of the list a set of three medical-director agreements at an acquired practice. Individually each looked ordinary. Read together, which is what the ranking prompted us to do, the same physician was being paid under all three for overlapping administrative duties, with total hours that did not add up to a plausible workload. That pattern, several small arrangements that combine into a fair-market-value problem, is precisely what a manual reviewer misses, because the documents sit in different folders and different workstreams.
I should be clear that this is illustrative of the category of find, not a claim about a named client. Once we saw it, the interpretation was straightforward for a regulatory advisor: the arrangement needed restructuring and documentation before closing, and it affected the compensation representations in the agreement. The machine did not tell us it was a Stark problem. It put three documents next to each other and ranked them high enough that a human looked, which was the point.
What does this mean for your profession over the next few years?
The mechanical part of diligence, the reading and extraction, is becoming a commodity. That is not a threat to advisers who were selling judgment rather than hours; if anything it sharpens the distinction. A boutique like ours can now credibly take on the document volume of a much larger transaction without proportionally larger staffing, and compete on the quality of interpretation rather than the size of the team.
The client relationship shifts in a healthy direction. When less of the fee goes to mechanical review, the conversation moves earlier to strategy: how to structure compensation defensibly, how to remediate before closing rather than after. I also expect the expectation to run the other way in time. As these tools become standard, a buyer who missed a knowable compliance problem may find it harder to argue the review was reasonable. The responsible position is neither to avoid the technology nor to trust it blindly, but to build the controls, the verification, and the accountability around it deliberately.
Results in context
The figures below come from Brightmoor's own engagements and are described as the firm experienced them, not as independently audited benchmarks. They reflect one boutique advisory's workflow and will vary with the quality of each data room and the nature of the transaction.
• Roughly 31 percent more risk items flagged than the firm's comparable manual reviews, most of the gain coming from completeness on smaller lease and service arrangements rather than headline findings.
• Document review time on the initial large engagement compressed from about three weeks to four days, measured to a reviewable draft rather than to a signed opinion.
• Earlier visibility into where deal risk concentrates, which reallocates human hours toward interpretation and pre-closing mitigation instead of mechanical reading.
About Brightmoor Health Advisors
Brightmoor Health Advisors is a boutique advisory firm helping healthcare providers with transactions and regulatory strategy.