accreditation so that we or the TOI PCs are unable to receive reimbursement from such programs and possibly from other third-party payors, any of which could materially adversely affect our business, financial condition, cash flows or results of operations.
If we or the TOI PCs fail to comply with applicable data interoperability and information blocking rules, our consolidated results of operations could be adversely affected.
The 21st Century Cures Act (the “Cures Act”), which was passed and signed into law in December 2016, includes provisions related to data interoperability, information blocking and patient access. In March 2020, the HHS Office of the National Coordinator for Health Information Technology, or ONC, and CMS finalized and issued complementary rules that are intended to clarify provisions of the Cures Act regarding interoperability and information blocking, and include, among other things, requirements surrounding information blocking, changes to ONC’s health IT certification program and requirements that CMS-regulated payors make relevant claims/care data and provider directory information available through standardized patient access and provider directory application programming interfaces, or APIs, that connect to provider electronic health record systems, or EHRs. The companion rules will transform the way in which healthcare providers, health IT developers, health information exchanges/health information networks, or HIEs/HINs, and health plans share patient information, and create significant new requirements for healthcare industry participants. For example, the ONC rule, which went into effect on April 5, 2021, prohibits healthcare providers, health IT developers of certified health IT, and HIEs/HINs from engaging in practices that are likely to interfere with, prevent, materially discourage, or otherwise inhibit the access, exchange or use of electronic health information, or EHI, also known as “information blocking.” To further support access and exchange of EHI, the ONC rule identifies eight “reasonable and necessary activities” as exceptions to information blocking activities, as long as specific conditions are met. Any failure to comply with these rules could have a material adverse effect on our business, results of operations and financial condition.
Actual or perceived failures to comply with applicable data protection, privacy and security, advertising and consumer protection laws, regulations, standards and other requirements could adversely affect our business, financial condition and results of operations.
We and the TOI PCs collect, receive, generate, use, process, and store significant and increasing volumes of sensitive information, such as employee, individually identifiable health information and other personally identifiable information. We and the TOI PCs are subject to a variety of federal and state laws and regulations, as well as contractual obligations, relating to the collection, use, storage, retention, security, disclosure, transfer, return, destruction and other processing of personal information, including health-related information. Enforcement actions and consequences for noncompliance with such laws, directives and regulations are rising, and the regulatory framework for privacy, data protection and data transfers is complex and rapidly evolving and is likely to remain uncertain for the foreseeable future.
In the United States, numerous such federal and state laws and regulations, including data breach notification laws, health information privacy laws, and consumer protection laws and regulations, including those that govern the collection, use, disclosure, and protection of health-related and other personal information, could apply to our operations or the operations of the TOI PCs. For example, the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and regulations implemented thereunder, which we refer to collectively as HIPAA, imposes privacy, security and breach notification obligations on certain health care providers, health plans, and health care clearinghouses, known as covered entities, as well as business associates that perform certain services that involve creating, receiving, maintaining or transmitting individually identifiable health information for or on behalf of such covered entities. HIPAA requires covered entities, such as the TOI PCs, and business associates, such as us, to develop and maintain policies with respect to the protection of, use and disclosure of protected health information, or PHI, including the adoption of administrative, physical and technical safeguards to protect such information, and certain notification requirements in the event of a data breach.
Entities that are found to be in violation of HIPAA as the result of a breach of unsecured protected health information, or PHI, a complaint about privacy practices or an audit by HHS, may be subject to significant civil, criminal and administrative fines and penalties and/or additional reporting and oversight obligations if required to enter into a resolution agreement and corrective action plan with HHS to settle allegations of HIPAA non-compliance. HIPAA also authorizes state Attorneys General to file suit on behalf of their residents. Courts may award damages, costs and attorneys’ fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI.
Numerous other state and federal laws, including consumer protection laws and regulations, govern the collection, dissemination, use, access to, confidentiality, security and processing of personal information, including health-related information, some of which