obligation to pay or transmit money or property to the federal government or knowingly concealing or knowingly and improperly avoiding or decreasing an obligation to pay money to the federal
government. Pharmaceutical and other healthcare companies have been prosecuted under these laws for engaging in a variety of different types of conduct that caused the submission of false claims to federal healthcare programs. Under the
AKS, for example, a claim resulting from a violation of the AKS is deemed to be a false or fraudulent claim for purposes of the FCA. The FCA also permits a private individual acting as a whistleblower to bring actions on behalf of the
federal government alleging violations of the FCA and to share in any monetary recovery.
HIPAA created additional federal criminal statutes that
prohibit, among other things, executing a scheme to defraud any healthcare benefit program, including private third-party payors, and knowingly and willfully falsifying, concealing or covering up by any trick or device a material fact or making any
materially false statements or representations relating to healthcare matters.
The FDCA addresses, among other things, the design, production, labeling,
promotion, manufacturing, and testing of drugs, biologics and medical devices, and prohibits such acts as the introduction into interstate commerce of adulterated or misbranded drugs or devices. The PHSA also prohibits the introduction into
interstate commerce of unlicensed or mislabeled biological products.
The United States federal Physician Payments Sunshine Act requires certain
manufacturers of drugs, devices, biologics and medical supplies for which payment is available under Medicare, Medicaid or the Childrens Health Insurance Program, with specific exceptions, to annually report to the Centers for
Medicaid & Medicare Services (CMS) information related to payments or other transfers of value made to various healthcare professionals including physicians, certain other licensed health care practitioners, and teaching
hospitals, as well as ownership and investment interests held by physicians and their immediate family members. Beginning on January 1, 2023, California Assembly Bill 1278 requires California physicians and surgeons to notify patients of the
Open Payments database established under the federal Physician Payments Sunshine Act.
We are also subject to additional similar United States state and
foreign law equivalents of each of the above federal laws, which, in some cases, differ from each other in significant ways, and may not have the same effect, thus complicating compliance efforts. If our operations are found to be in violation of
any of such laws or any other governmental regulations that apply, we may be subject to penalties, including, without limitation, civil, criminal and administrative penalties, damages, fines, exclusion from government-funded healthcare programs,
such as Medicare and Medicaid or similar programs in other countries or jurisdictions, integrity oversight and reporting obligations to resolve allegations of non-compliance, disgorgement, individual
imprisonment, contractual damages, reputational harm, diminished profits and the curtailment or restructuring of our operations.
Data Privacy and
Security
Numerous state, federal, and foreign laws govern the collection, dissemination, use, access to, confidentiality, and security of personal
information, including health-related information. In the United States, numerous federal and state laws and regulations, including state data breach notification laws, state health information privacy laws, and federal and state consumer protection
laws and regulations, govern the collection, use, disclosure, and protection of health-related and other personal information could apply to our operations or the operations of our partners. For example, HIPAA, as amended by the Health Information
Technology for Economic and Clinical Health, and their respective implementing regulations imposes privacy, security, and breach notification obligations on certain health care providers, health plans, and health care clearinghouses, known as
covered entities, as well as their business associates and their covered subcontractors that perform certain services that involve using, disclosing, creating, receiving, maintaining, or transmitting individually identifiable health information for
or on behalf of such covered entities. Entities that are found to be in violation of HIPAA may be subject to significant civil, criminal, and administrative fines and penalties and/or additional reporting and oversight obligations if required to
enter into a resolution agreement and corrective action plan with the U.S. Department of Health and Human Services (HHS) to settle allegations of HIPAA non-compliance. Further,
70