products on the market, we may be subject, and if our product candidates are approved and we begin commercialization will be subject, to additional healthcare laws and regulations enforced by the
federal government and by authorities in the states and foreign jurisdictions in which we conduct our business. These state and federal healthcare laws, commonly referred to as fraud and abuse laws, have been applied in recent years to
restrict certain marketing practices in the pharmaceutical industry, and include anti-kickback, false claims, data privacy and security and transparency statutes and regulations.
Federal false claims laws prohibit, among other things, any person from knowingly presenting, or causing to be presented, a false claim for payment to the
federal government or knowingly making, or causing to be made, a false statement to get a false claim paid. The federal healthcare program anti-kickback statute prohibits, among other things, knowingly and willfully offering, paying, soliciting or
receiving remuneration to induce, or in return for, purchasing, leasing, ordering or arranging for the purchase, lease or order of any healthcare item or service reimbursable under Medicare, Medicaid or other federally financed healthcare programs.
Most states also have statutes or regulations similar to the federal anti-kickback law and federal false claims laws, which may apply to items such as pharmaceutical products and services reimbursed by private insurers. Administrative, civil and
criminal sanctions may be imposed under these federal and state laws.
The federal civil monetary penalties statute imposes penalties against any person
or entity who, among other things, is determined to have presented or caused to be presented a claim to a federal health program that the person knows or should know is for an item or service that was not provided as claimed or is false or
fraudulent.
HIPAA created new federal criminal statutes that prohibit knowingly and willfully executing, or attempting to execute, a scheme to defraud or
obtain, by means of false or fraudulent pretenses, representations, or promises, any of the money or property owned by, or under the custody or control of, any healthcare benefit program, including private third-party payors, and knowingly and
willfully falsifying, concealing or covering up a material fact or making any materially false, fictitious or fraudulent statement in connection with the delivery of, or payment for, healthcare benefits, items or services.
In addition, we may be subject to data privacy and security regulation by both the federal government and the states in which we conduct our business. HIPAA,
as amended by HITECH, and its implementing regulations, imposes certain requirements relating to the privacy, security and transmission of individually identifiable health information. Among other things, HITECH makes HIPAAs security standards
directly applicable to business associatesindependent contractors or agents of covered entities that receive or obtain protected health information in connection with providing a service on behalf of a covered entity. HITECH also created four
new tiers of civil monetary penalties, and newly empowered state attorneys general with the authority to enforce HIPAA. In January 2013, the Office for Civil Rights of the U.S. Department of Health and Human Services issued the Final Omnibus Rule
under HIPAA pursuant to HITECH that makes significant changes to the privacy, security and breach notification requirements and penalties. The Final Omnibus Rule generally took effect in September 2013 and enhances certain privacy and security
protections, and strengthens the governments ability to enforce HIPAA. The Final Omnibus Rule also enhanced requirements for both covered entities and business associates regarding notification of breaches of unsecured protected health
information. In addition, state laws govern the privacy and security of health information in certain circumstances, many of which differ from each other in significant ways. These state laws may not have the same effect and often are not preempted
by HIPAA, thus complicating compliance efforts.
Additionally, the PPACA also included the federal Physician Payments Sunshine Act, which requires
applicable group purchasing organizations and manufacturers of drugs, devices, biologics and medical supplies for which payment is available under Medicare, Medicaid or the Childrens Health Insurance Program (with certain exceptions) to report
annually information related to certain payments or other transfers of value made in the previous year to covered recipients, including physicians, as defined by law, and teaching hospitals and, effective
for data reported in 2022, expanded to include nurse practitioners, physician assistants, clinical nurse specialists, certified registered nurse anesthetists
and anesthesiologist assistants, and certified nurse-midwives, including
S-52