A portion of the data that we obtain and handle for or on behalf of our customers is considered PHI, subject to HIPAA. We are also required to maintain similar business associate agreements with our subcontractors that have access to PHI of our customers in rendering services to us or on our behalf. Under HIPAA and our contractual agreements with our HIPAA-covered entity health plan customers, we are considered a “business associate” to those customers and are required to maintain the privacy and security of PHI in accordance with HIPAA and the terms of our business associate agreements with our customers, including by implementing HIPAA-required administrative, technical and physical safeguards. We have incurred, and will continue to incur, significant costs to establish and maintain these safeguards and, if additional safeguards are required to comply with HIPAA, other laws or regulations relating to health information privacy or security, or our customers’ requirements, our costs could increase further, which would negatively affect our operating results. Furthermore, we cannot guarantee that such safeguards have been and will continue to be adequate. 
If we have failed, or fail in the future, to maintain adequate safeguards, or we or our agents or subcontractors use or disclose PHI in a manner prohibited or not permitted by HIPAA or other laws or regulations relating to health information privacy or security, our subcontractor business associate agreements, or our business associate agreements with our customers, or if the privacy or security of PHI that we obtain and handle is otherwise compromised, or if any of the foregoing is perceived or believed to have occurred, we could be subject to significant liabilities and consequences, including, without limitation:
• actual or asserted breach of our contractual obligations to customers, which may cause our customers to terminate their relationship with us and may result in potentially significant financial obligations to our customers;
• investigation by the federal and state regulatory authorities empowered to enforce HIPAA and other data privacy and security laws, which include the U.S. Department of Health and Human Services, or HHS, the Federal Trade Commission and state attorneys general, and the possible imposition of civil and criminal penalties;
• private claims and litigation, including by individuals adversely affected by any misuse of their personal health information for which we are or are asserted to be responsible; and
• negative publicity, which may decrease the willingness of current and potential future customers to work with us and negatively affect our sales and operating results.
Further, we publish statements to end users of our services that describe how we handle and protect personal information.
If federal or state regulatory authorities or private litigants consider any portion of these statements to be untrue, we may be subject to claims of deceptive practices, which could lead to significant liabilities and consequences, including, without limitation, damage to our reputation and costs of responding to investigations, defending against litigation, settling claims and complying with regulatory or court orders.
Federal or state governmental authorities may impose additional data security standards or additional privacy or other restrictions on the collection, use, maintenance, transmission and other disclosures of health information. Legislation has been proposed at various times at both the federal and the state level that would limit, forbid or regulate the use or transmission of medical information outside of the United States. Such legislation, if adopted, may render our use of off-shore partners for work related to such data impracticable or substantially more expensive. Alternative processing of such information within the United States may involve substantial delay in implementation and increased cost.
We may be, or may become, subject to laws and regulations relating to privacy, data protections and cybersecurity, and our failure to comply with such laws and regulations could lead to government enforcement actions and significant penalties against us, and adversely impact our operating results.
The regulatory framework for privacy, data protection, and cybersecurity issues worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. The U.S. federal and various state, local and foreign government bodies and agencies have adopted or are considering adopting laws and regulations limiting, or laws and regulations regarding, the collection, distribution, use, disclosure, storage, security, and other processing of data relating to individuals.
For example, the California Consumer Privacy Act of 2018 ("CCPA"), which went into effect on January 1, 2020, requires covered businesses to provide substantial disclosures to California residents and honor such residents’ data protection and privacy rights, including the right to opt-out of certain sales of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the compromise of highly sensitive personal information, which may increase the likelihood of, and risks associated with, data breach litigation. The CCPA has been amended several times, including by the California Privacy Rights Act ("CPRA"), a ballot initiative that passed in November 2020 that, among other things, created a new state agency vested with authority to implement and enforce the CCPA and the CPRA. Effective in most material aspects starting on January 1, 2023, the CPRA will, among other things, expand California residents’ rights with respect to certain sensitive personal information and give California residents a right to opt out of the sharing of certain personal information for targeted online advertising.