We are subject to healthcare fraud and abuse regulation and enforcement by federal, state and foreign governments, as well as data privacy and security laws and regulations, which could significantly impact our business. In the United States, the laws that may affect our ability to operate include, but are not limited to:
- The federal Anti-Kickback Statute, which prohibits, among other things, persons and entities from knowingly and willfully soliciting, receiving, offering or paying remuneration, directly or indirectly, in cash or in kind, in exchange for or to induce either the referral of an individual for, or the purchase, lease, order or recommendation of, any good, facility, item or service for which payment may be made, in whole or in part, under federal healthcare programs such as Medicare and Medicaid. A person or entity does not need to have actual knowledge of this statute or specific intent to violate it in order to have committed a violation.
- Federal civil and criminal false claims laws, including the False Claims Act, that prohibit, among other things, knowingly presenting, or causing to be presented, claims for payment or approval to the federal government that are false or fraudulent, knowingly making a false statement material to an obligation to pay or transmit money or property to the federal government or knowingly concealing or knowingly and improperly avoiding or decreasing an obligation to pay or transmit money or property to the federal government. In addition, a claim including items or services resulting from a violation of the federal Anti-Kickback Statute constitutes a false or fraudulent claim for purposes of the federal civil False Claims Act.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), which created federal criminal laws that prohibit executing a scheme to defraud any federal healthcare benefit program or making false statements relating to healthcare matters submitted for payment. A person or entity does not need to have actual knowledge of these statutes or specific intent to violate them in order to have committed a violation.
- HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and their respective implementing regulations, which impose requirements on certain covered healthcare providers, health plans and healthcare clearinghouses as well as their business associates that perform services for them that involve individually identifiable health information, relating to the privacy, security and transmission of individually identifiable health information without appropriate authorization, including mandatory contractual terms as well as directly applicable privacy and security standards and requirements.
- The federal physician sunshine requirements under the Patient Protection and Affordable Care Act, as amended by the Health Care and Education Reconciliation Act, collectively, the ACA, which require certain manufacturers of drugs, devices, biologics, and medical supplies to report annually to the U.S. Department of Health and Human Services information related to payments and other transfers of value to physicians (defined to include doctors, dentists, optometrists, podiatrists and chiropractors), certain other healthcare professionals (physician assistants, nurse practitioners, clinical nurse specialists, anesthesiologist assistants, certified registered nurse anesthetists, anesthesiology assistants and certified nurse midwives), and teaching hospitals, and ownership and investment interests held by physicians and their immediate family members.
- State and foreign law equivalents of each of the above federal laws, such as state anti-kickback and false claims laws that may apply to items or services reimbursed by any third-party payors, including commercial insurers; state laws that require device companies to comply with the industry's voluntary compliance guidelines and the relevant compliance guidance promulgated by the federal government, or otherwise restrict payments that may be made to healthcare providers and other potential referral sources; state laws that require device manufacturers to report information related to payments and other transfers of value to physicians and other healthcare providers or marketing expenditures; and state and foreign laws governing the privacy and security of health information in certain circumstances, many of which differ from each other in significant ways and often are not preempted by HIPAA.
- Federal and state laws and regulations governing the collection, use, disclosure and protection of health-related and other personal information that could apply to our operations or the operations of our partners, including state data breach notification laws, state health information privacy laws, and federal and state consumer protection laws and regulations. For example, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the CCPA) requires covered businesses that process the personal information of California residents to, among other things: (i) provide certain disclosures to California residents regarding the business's collection, use, and disclosure of their personal information; (ii) receive and respond to requests from California residents to access, delete, and correct their personal information, or to opt out of certain disclosures of their personal information; and (iii) enter into specific contractual provisions with service providers that process California resident personal information on the business's behalf. Although there are limited exemptions for health-related information, including clinical trial data, the CCPA may increase our compliance costs and potential liability. Similar laws have been passed in other states, and are continuing to be proposed at the state and federal level, reflecting a trend toward more stringent privacy legislation in the United States. The enactment of such laws could have potentially conflicting requirements that would make compliance challenging.
The legislative and regulatory landscape for privacy and data protection continues to evolve, and there has been an increasing focus on privacy and data protection issues, which may affect our business and is expected to increase our compliance costs and exposure to liability. In the event that we are subject to or affected by HIPAA, the CCPA or other domestic privacy and data protection laws, any liability from failure to comply with the requirements of these laws could adversely affect our financial condition.
- Section 5(a) of the Federal Trade Commission Act (FTC Act). The FTC has authority to initiate enforcement actions against entities that fail to limit third-party use of personal health information, fail to implement policies to protect personal health information or engage in other unfair practices that harm customers or that may violate Section 5(a) of the FTC Act. According to the FTC, failing to take appropriate steps to keep consumers' personal information secure can constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.
Additionally, federal and state consumer protection laws are increasingly being applied by the FTC and states' attorneys general to regulate the collection, use, storage, and disclosure of personal or personally identifiable information, through websites or otherwise, and to regulate the presentation of website content.
- The Biden administration issued a broad Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (2023 AI Order), that sets out principles intended to guide artificial intelligence design and deployment for the public and private sector and signals the increase in governmental involvement and regulation over artificial intelligence technologies. The 2023 AI Order established certain new requirements for the training, testing and cybersecurity of sophisticated artificial intelligence models and large scale computer centers used to train artificial intelligence models. The 2023 AI Order also instructed several other federal agencies to promulgate additional regulations within specific timeframes from the date of the 2023 AI Order regarding the use and development of artificial intelligence technologies. Agencies such as the Department of Commerce and the FTC have issued proposed rules governing the use and development of artificial intelligence technologies. Legislation related to artificial intelligence technologies has also been introduced at the federal level and is advancing at the state level. For example, on March 13, 2024, Utah passed the Utah AI Policy Act, which took effect in May 2024, imposing certain disclosure requirements on the use of AI, and on May 17, 2024, Colorado enacted the Colorado AI Act, which will take effect in February 2026. Further, the California Privacy Protection Agency is currently in the process of finalizing regulations under the CCPA regarding the use of automated decision-making. Such additional regulations may impact our ability to develop, use and commercialize artificial intelligence technologies in the future.
- Foreign data privacy and security laws. Please see "Risk Factors - Senza is subject to extensive governmental regulation in foreign jurisdictions, such as Europe, and our failure to comply with applicable requirements could cause our business to suffer" for more information.
The scope and enforcement of each of these laws is uncertain and subject to rapid change in the current environment of healthcare reform, especially in light of the lack of applicable precedent and regulations. Federal and state enforcement bodies have increased their scrutiny of interactions between healthcare companies and healthcare providers, which has led to a number of investigations, prosecutions, convictions and settlements in the healthcare industry. For example, we received a Civil Investigative Demand in December 2022 related to the marketing, promotion and billing practices of the Company's SCS system. Responding to investigations can be time- and resource-consuming and can divert management's attention from the business. Additionally, as a result of these investigations, healthcare providers and entities may have to agree to additional onerous compliance and reporting requirements as part of a consent decree or corporate integrity agreement. Any such investigation or settlement could increase our costs or otherwise have an adverse effect on our business.
If our operations are found to be in violation of any of the laws described above or any other governmental regulations that apply to us now or in the future, we may be subject to penalties, including civil and criminal penalties, damages, fines, disgorgement, exclusion from governmental health care programs, and the curtailment or restructuring of our operations, any of which could adversely affect our ability to operate our business and our financial results.