The FDCA addresses, among other things, the design, production, labeling, promotion, manufacturing, and testing of drugs, biologics and medical devices, and prohibits such acts as the introduction into interstate commerce of adulterated or misbranded drugs or devices. The PHSA also prohibits the introduction into interstate commerce of unlicensed or mislabeled biological products.
The U.S. federal Physician Payments Sunshine Act requires certain manufacturers of drugs, devices, biologics and medical supplies for which payment is available under Medicare, Medicaid or the Children’s Health Insurance Program, with specific exceptions, to annually report to the Centers for Medicaid & Medicare Services, or CMS, information related to payments or other transfers of value made to various healthcare professionals including physicians, certain other licensed health care practitioners, and teaching hospitals, as well as ownership and investment interests held by physicians and their immediate family members.
We are also subject to federal price reporting laws and federal consumer protection and unfair competition laws. Federal price reporting laws require manufacturers to calculate and report complex pricing metrics to government programs, where such reported prices may be used in the calculation of reimbursement and/or discounts on approved products. Federal consumer protection and unfair competition laws broadly regulate marketplace activities and activities that potentially harm consumers.
Further, we are subject to additional similar U.S. state and foreign law equivalents of each of the above federal laws, which, in some cases, differ from each other in significant ways, and may not have the same effect, thus complicating compliance efforts. If our operations are found to be in violation of any of such laws or any other governmental regulations that apply, we may be subject to penalties, including, without limitation, civil, criminal and administrative penalties, damages, fines, exclusion from government-funded healthcare programs, such as Medicare and Medicaid or similar programs in other countries or jurisdictions, integrity oversight and reporting obligations to resolve allegations of non-compliance, disgorgement, individual imprisonment, contractual damages, reputational harm, diminished profits and the curtailment or restructuring of our operations.
Data Privacy and Security
Numerous state, federal and foreign laws govern the collection, dissemination, use, access to, confidentiality and security of personal information, including health-related information. As our operations and business grow, we may become subject to or affected by U.S. federal and state laws and regulations, including the Health Information Portability and Accountability Act of 1996, and its implementing regulations, as amended, or HIPAA, that govern the collection, use, disclosure, and protection of health-related and other personal information. In California, the California Consumer Protection Act, or CCPA, which went into effect on January 1, 2020 and was amended effective January 1, 2023, establishes a new privacy framework for covered businesses by creating an expanded definition of personal information, establishing new data privacy rights for consumers in the State of California, imposing special rules on the collection of consumer data from minors, and creating a new and potentially severe statutory damages framework for violations of the CCPA and for businesses that fail to implement reasonable security procedures and practices to prevent data breaches. While clinical trial data and information governed by HIPAA are currently exempt from the current version of the CCPA, other personal information may be applicable and possible changes to the CCPA may broaden its scope. Other states, including Virginia (effective January 1, 2023), Colorado (effective July 1, 2023), Connecticut (effective July 1, 2023), and Utah (effective December 31, 2023), have passed privacy legislation and more states may do so in the future, including Iowa, where the Iowa state legislature passed comprehensive privacy legislation on March 15, 2023. State and non-U.S. laws, including for example the EU General Data Protection Regulation, also govern the privacy and security of health information in some circumstances, many of which differ from each other in significant ways and often are not preempted by HIPAA, thus complicating compliance efforts. Failure to comply with these laws, where applicable, can result in the imposition of significant civil and/or criminal penalties and private litigation. Privacy and security laws, regulations, and other obligations are constantly evolving, may conflict with each other to complicate compliance efforts, and can result in investigations, proceedings, or actions that lead to significant civil and/or criminal penalties and restrictions on data processing.