The privacy regulations cover the use and disclosure of protected health information by healthcare providers and other covered entities. They also set forth certain rights that an individual has with respect to his or her protected health information maintained by a covered entity, including the right to access or amend certain records containing protected health information, or to request restrictions on the use or disclosure of protected health information. The security regulations establish requirements for safeguarding the confidentiality, integrity, and availability of protected health information that is electronically transmitted or electronically stored. The HITECH Act, among other things, makes certain of HIPAA’s privacy and security standards applicable to business associates of covered entities, and established certain protected health information security breach notification requirements. A covered entity must notify affected individual(s) and the HHS when there is a breach of unsecured protected health information. The HIPAA privacy and security regulations establish a uniform federal “floor” that covered entities and their business associates must meet and do not supersede state laws that are more stringent or provide individuals with greater rights with respect to the privacy or security of, and access to, their records containing protected health information. These laws contain significant fines and other penalties for wrongful use or disclosure of protected health information. In addition to the federal privacy regulations, there are several state laws regarding the privacy and security of health information and personal data that are applicable to our operations. The compliance requirements of these laws, including additional breach reporting requirements, and the penalties for violation vary widely and new privacy and security laws in this area are evolving. 
Massachusetts, for example, has a state law that protects the privacy and security of personal information of Massachusetts residents that is more prescriptive than HIPAA. Requirements of these laws and penalties for violations vary widely. We believe that we have taken the steps required of us to comply with health information privacy and security statutes and regulations in all jurisdictions, both state and federal. However, we may not be able to maintain compliance in all jurisdictions where we do business. Failure to maintain compliance, or changes in state or federal laws regarding privacy or security, could result in civil and/or criminal penalties and could have a material adverse effect on our business.
Federal, State and Foreign Fraud and Abuse Laws
In the United States, there are various fraud and abuse laws with which we must comply and we are potentially subject to regulation by various federal, state and local authorities, including CMS, other divisions of the HHS (e.g., the Office of Inspector General), the U.S. Department of Justice, and individual U.S. Attorney offices within the Department of Justice, and state and local governments. We also may be subject to foreign fraud and abuse laws. In the United States, the federal Anti-Kickback Statute prohibits, among other things, knowingly and willfully offering, paying, soliciting or receiving remuneration to induce, or in return for patient referrals for, or purchasing, leasing, ordering, recommending or arranging for the purchase, lease or order of, any healthcare item or service reimbursable under a governmental payer program. Courts have stated that a financial arrangement may violate the Anti-Kickback Statute if any one purpose of the arrangement is to encourage patient referrals or other federal healthcare program business, regardless of whether there are other legitimate purposes for the arrangement.
The definition of “remuneration” has been broadly interpreted to include anything of value, including gifts, discounts, credit arrangements, payments of cash, consulting fees, waivers of copayments, ownership interests, and providing anything at less than its fair market value. Recognizing that the Anti-Kickback Statute is broad and may technically prohibit many innocuous or beneficial arrangements within the healthcare industry, the HHS issued a series of regulatory “safe harbors.” These safe harbor regulations set forth certain provisions, which, if met, will assure healthcare providers and other parties that they will not be prosecuted under the federal Anti-Kickback Statute. Although full compliance with these safe harbor provisions ensures against prosecution under the federal Anti-Kickback Statute, the failure of a transaction or arrangement to fit within a specific safe harbor does not necessarily mean that the transaction or arrangement is illegal or that prosecution under the federal Anti-Kickback Statute will be pursued. That said, non-compliance with all the requirements of a safe harbor can increase the risk of the transaction or arrangement and may increase the risk of government scrutiny. Many states also have anti-kickback statutes, some of which may apply to items or services reimbursed by any third-party payer, including commercial insurers. In addition, federal false claims laws, including the federal civil False Claims Act, prohibit, among other things, any person or entity from knowingly presenting, or causing to be presented, a false claim for payment to, or approval by, the federal government or knowingly making, using, or causing to be made or used a false record or statement material to a false or fraudulent claim to the federal government. As a result of a modification made by the Fraud Enforcement and Recovery Act of 2009, a claim includes “any request or demand” for money or property presented to the U.S. government.
Recently, several pharmaceutical and other healthcare companies have been prosecuted under these laws for allegedly providing free product to customers with the expectation that the customers would bill federal programs for the product. Other companies have been prosecuted for causing false claims to be submitted because of the companies’ marketing of the product for unapproved, and thus generally non-reimbursable, uses. The civil monetary penalties statute imposes penalties against any person or entity who, among other things, is determined to have presented or caused to be presented a claim to a federal health program that the person knows or should know is for an item or service that was not provided as claimed or is false or fraudulent.