Our business is subject to complex and evolving U.S. and international laws and regulations regarding privacy and data protection. If we fail to meet our compliance obligations under applicable privacy and data protection regulations, even if such non-compliance by us is inadvertent, or if we are unable to comply with changes to such requirements, we might be subject to fines, legal disputes, or other liabilities that could have a material adverse effect on our financial condition and results of operations.
Regulatory authorities around the world are considering legislative and regulatory proposals concerning data protection, and the interpretation and application of data protection laws in the U.S., the EU, and elsewhere are often uncertain and in flux. These laws may be interpreted and applied in a manner that is inconsistent with our data practices. If our data practices are found to be in conflict with privacy and data protection laws or regulations, we could face fines or orders requiring that we change our data practices, which could have an adverse effect on our business, financial condition and results of operations. We must comply with extensive federal and state requirements regarding the use, retention, security, and re-disclosure of patient healthcare information. HIPAA and the regulations that have been issued under it contain substantial restrictions and complex requirements with respect to the use and disclosure of certain individually identifiable health information, referred to as “protected health information”. Any failure or perceived failure of our Company or our products to meet HIPAA standards and related regulatory requirements could expose us to certain notification, penalty, and enforcement risks, damage our reputation, and adversely affect demand for our products and force us to expend significant capital and other resources to address the privacy and security requirements of HIPAA.
In addition, there are other federal laws that include specific privacy and security obligations for certain types of health information and impose additional sanctions and penalties. All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring notice to individuals of security breaches involving protected health information, which is not uniformly defined among the breach notification laws. Organizations must review each state’s definitions, mandates, and notification requirements and timelines to appropriately prepare and notify affected individuals and government agencies, including the attorney general, in compliance with such state laws. Further, most states have enacted patient confidentiality laws that protect against the disclosure of confidential medical information, and many states have adopted or are considering adopting further legislation in this area. These state laws may be more stringent than HIPAA requirements. California passed the California Consumer Privacy Act, which came into effect on January 1, 2020 and imposes significant changes in data privacy regulation; it was amended and expanded by the California Privacy Rights Act, or CPRA, which came into effect on January 1, 2023. New York has passed the Stop Hacks and Improve Electronic Data Security Act, which expands the state’s existing privacy laws. GDPR, a regulation implemented in the EU on data protection and privacy for all individuals in the EU and the EEA, applies to all enterprises, regardless of location, that are doing business in the EU or that collect and analyze data tied to EU and EEA residents. GDPR creates a range of compliance obligations, including stringent technical and security controls surrounding the storage, use, and disclosure of personal information, and significantly increases financial penalties for noncompliance.
We are facing an increasingly complex international regulatory environment which is constantly changing and if we fail to comply with international regulatory requirements, or are unable to comply with changes to such requirements, our financial performance may be harmed.
Our international operations and sales subject us to an international regulatory environment which is becoming increasingly complex and is constantly changing due to factors beyond our control. Risks associated with our international operations and sales include, without limitation, those arising from differing: (i) legal and court systems and changes to such systems; (ii) labor laws and changes in those laws; (iii) tax laws and changes in those laws; (iv) environmental laws and changes in those laws; (v) laws governing our distributors and sales agents and changes in those laws; (vi) protection of intellectual property and changes in that protection; and (vii) import and export requirements and changes to those requirements. If we fail to comply with applicable international regulatory requirements, our financial performance may be harmed.
Substantial government regulation in the United States and abroad may restrict our ability to sell our patient monitoring, cardiology and remote monitoring, and connected care systems, and failure to comply with such laws and regulations may have a material adverse impact on our business.
The FDA and comparable regulatory authorities in foreign countries extensively and rigorously regulate our patient monitoring, cardiology and remote monitoring, and connected care systems, including the research and development, design, testing, clinical trials, manufacturing, clearance or approval, safety and efficacy, labeling, advertising, promotion, pricing, recordkeeping, reporting, import and export, post-approval studies and sale and distribution of these products. In the United States, before we can market a new medical device, or a new use of, new claim for, or significant modification to, an existing product, we must first receive clearance under Section 510(k) of the Federal Food, Drug and Cosmetic Act as discussed under Part I, Item 1, “Business - Regulation of Medical Devices.” Some modifications made to products cleared through a 510(k) may require a new 510(k). The FDA can delay, limit or deny clearance or approval of a device for many reasons.