which healthcare providers, health IT developers, health information exchanges/health information networks, or HIEs/HINs, and health plans share patient information, and create significant new requirements for healthcare industry participants. For example, the ONC rule, which went into effect on April 5, 2021, prohibits healthcare providers, health IT developers of certified health IT, and HIEs/HINs from engaging in practices that are likely to interfere with, prevent, materially discourage, or otherwise inhibit the access, exchange or use of electronic health information, or EHI, also known as “information blocking.” To further support access and exchange of EHI, the ONC rule identifies eight “reasonable and necessary activities” as exceptions to information blocking activities, as long as specific conditions are met. Any failure to comply with these rules could have a material adverse effect on our business, results of operations and financial condition.
Actual or perceived failures to comply with applicable data protection, privacy and security, advertising and consumer protection laws, regulations, standards and other requirements could adversely affect our business, financial condition and results of operations.
We and the TOI PCs collect, receive, generate, use, process, and store significant and increasing volumes of sensitive information, such as employee information, individually identifiable health information and other personally identifiable information. We and the TOI PCs are subject to a variety of federal and state laws and regulations, as well as contractual obligations, relating to the collection, use, storage, retention, security, disclosure, transfer, return, destruction and other processing of personal information, including health-related information. Enforcement actions and consequences for noncompliance with such laws, directives and regulations are rising, and the regulatory framework for privacy, data protection and data transfers is complex and rapidly evolving and is likely to remain uncertain for the foreseeable future.
In the United States, numerous such federal and state laws and regulations, including data breach notification laws, health information privacy laws, and consumer protection laws and regulations, including those that govern the collection, use, disclosure, and protection of health-related and other personal information, could apply to our operations or the operations of the TOI PCs. For example, the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and regulations implemented thereunder, which we refer to collectively as HIPAA, imposes privacy, security and breach notification obligations on certain health care providers, health plans, and health care clearinghouses, known as covered entities, as well as business associates that perform certain services that involve creating, receiving, maintaining or transmitting individually identifiable health information for or on behalf of such covered entities. HIPAA requires covered entities, such as the TOI PCs, and business associates, such as us, to develop and maintain policies with respect to the protection of, use and disclosure of protected health information, or PHI, including the adoption of administrative, physical and technical safeguards to protect such information, and certain notification requirements in the event of a data breach.
Entities that are found to be in violation of HIPAA as the result of a breach of unsecured PHI, a complaint about privacy practices or an audit by HHS may be subject to significant civil, criminal and administrative fines and penalties and/or additional reporting and oversight obligations if required to enter into a resolution agreement and corrective action plan with HHS to settle allegations of HIPAA non-compliance. HIPAA also authorizes state Attorneys General to file suit on behalf of their residents. Courts may award damages, costs and attorneys’ fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for the duty of care in state civil suits, such as those for negligence or recklessness in the misuse or breach of PHI.
Numerous other state and federal laws, including consumer protection laws and regulations, govern the collection, dissemination, use, access to, confidentiality, security and processing of personal information, including health-related information, some of which are more stringent than HIPAA and many of which differ from each other in significant ways and may not have the same effect, thus complicating compliance efforts. In addition, these laws and regulations in many cases are more restrictive than, and may not be preempted by, HIPAA and may be subject to varying interpretations by courts and government agencies. Laws in all 50 states and other United States territories require businesses to provide notice to individuals whose personal information has been disclosed as a result of a data breach. Such laws are not always consistent, and compliance in the event of a widespread data breach is costly and may be challenging.