the potential for exclusion from participation in federal health care programs, and, although the federal civil False Claims Act is a civil statute, False Claims Act violations may also implicate various federal criminal statutes.
The federal Health Insurance Portability and Accountability Act of 1996, or HIPAA, prohibits among other actions, knowingly and willfully executing, or attempting to execute, a scheme to defraud any health care benefit program, including private third-party payors, knowingly and willfully embezzling or stealing from a health care benefit program, willfully obstructing a criminal investigation of a health care offense, and knowingly and willfully falsifying, concealing or covering up a material fact or making any materially false, fictitious or fraudulent statement in connection with the delivery of or payment for health care benefits, items or services. Like the Anti-Kickback Statute, the Affordable Care Act amended the intent standard for the health care fraud statute under HIPAA such that a person or entity no longer needs to have actual knowledge of the statute or specific intent to violate it in order to have committed a violation.
The civil monetary penalties statute imposes penalties against any person or entity that, among other things, is determined to have presented or caused to be presented a claim to a federal health program that the person knows or should know is for an item or service that was not provided as claimed or is false or fraudulent.
Also, many states have similar fraud and abuse statutes or regulations that may be broader in scope and may apply regardless of payor, in addition to items and services reimbursed under Medicaid and other state programs. Additionally, to the extent that a product is sold in a foreign country, the seller may be subject to similar foreign laws.
In addition, legislation imposing marketing restrictions and transparency requirements on pharmaceutical manufacturers has been enacted at the state and federal levels. For example, the Affordable Care Act imposed, among other things, annual reporting requirements to the Centers for Medicare & Medicaid Services, or CMS, for covered manufacturers for certain payments and other transfers of value provided to physicians (defined to include doctors, dentists, optometrists, podiatrists and chiropractors) and teaching hospitals, as well as ownership and investment interests held by physicians and their immediate family members. Beginning in 2022, applicable manufacturers will also be required to report information regarding payments and other transfers of value provided during the previous year to physician assistants, nurse practitioners, clinical nurse specialists, certified nurse anesthetists, anesthesiologist assistants, and certified nurse-midwives. Failure to submit timely, accurately and completely the required information for all payments, transfers of value and ownership or investment interests may result in civil monetary penalties for “knowing failures.” Certain states also mandate implementation of compliance programs, impose restrictions on drug manufacturer marketing practices, require registration of certain employees engaged in marketing activities in the location, and/or require the tracking and reporting of gifts, compensation and other remuneration to physicians.
We have developed a comprehensive compliance program that establishes internal controls to facilitate adherence to the rules and program requirements to which we are subject. Although the development and implementation of compliance programs designed to establish internal controls and facilitate compliance can mitigate the risk of investigation, prosecution, and penalties assessed for violations of these laws, or any other laws that may apply to us, the risks cannot be entirely eliminated. If our operations are found to be in violation of any such laws or any other governmental regulations, we may be subject to significant penalties, including, without limitation, administrative, civil, and criminal penalties, damages, fines, disgorgement, imprisonment, contractual damages, reputational harm, diminished profits and future earnings, the curtailment or restructuring of our operations, exclusion from participation in federal and state health care programs, additional reporting requirements and oversight if we become subject to a corporate integrity agreement or similar agreement to resolve allegations of non-compliance with these laws and individual imprisonment, any of which could adversely affect our ability to operate our business and our financial results.
We may also be subject to data privacy and security regulation by both the federal government and the states in which we conduct our business. HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act, or HITECH, and their implementing regulations, including the final omnibus rule published on January 25, 2013, mandates, among other things, the adoption of uniform standards for the electronic exchange of information in common health care transactions, as well as standards relating to the privacy and security of individually identifiable health information, which require the adoption of administrative, physical and technical safeguards to protect such information. Among other things, HITECH makes HIPAA’s security standards directly applicable to “business associates”, namely independent contractors or agents of HIPAA covered entities that create, receive or obtain protected health information in connection with providing a service for or on behalf of a covered entity and their subcontractors that use, disclose, access, or otherwise process protected health information. HITECH also increased the civil and criminal penalties that may be imposed against covered entities and business associates, and gave state attorneys general new authority to file civil actions