time. Should any of our managed clinics or TOI PCs be found to be noncompliant with these requirements, we could be assessed fines and penalties, could be required to refund reimbursement amounts or could lose our licensure or Medicare and/or Medicaid certification or accreditation so that we or the TOI PCs are unable to receive reimbursement from such programs and possibly from other third-party payors, any of which could materially adversely affect our business, financial condition, cash flows or results of operations.
If we or the TOI PCs fail to comply with applicable data interoperability and information blocking rules, our consolidated results of operations could be adversely affected.
The 21st Century Cures Act (the “Cures Act”), which was passed and signed into law in December 2016, includes provisions related to data interoperability, information blocking and patient access. In March 2020, the HHS Office of the National Coordinator for Health Information Technology, or ONC, and CMS finalized and issued complementary rules that are intended to clarify provisions of the Cures Act regarding interoperability and information blocking, and include, among other things, requirements surrounding information blocking, changes to ONC’s health IT certification program and requirements that CMS-regulated payors make relevant claims/care data and provider directory information available through standardized patient access and provider directory application programming interfaces, or APIs, that connect to provider electronic health record systems, or EHRs. The companion rules will transform the way in which healthcare providers, health IT developers, health information exchanges/health information networks, or HIEs/HINs, and health plans share patient information, and create significant new requirements for healthcare industry participants. For example, the ONC rule, which went into effect on April 5, 2021, prohibits healthcare providers, health IT developers of certified health IT, and HIEs/HINs from engaging in practices that are likely to interfere with, prevent, materially discourage, or otherwise inhibit the access, exchange or use of electronic health information, or EHI, also known as “information blocking.” To further support access and exchange of EHI, the ONC rule identifies eight “reasonable and necessary activities” as exceptions to information blocking activities, as long as specific conditions are met. Any failure to comply with these rules could have a material adverse effect on our business, results of operations and financial condition.
Actual or perceived failures to comply with applicable data protection, privacy and security, advertising and consumer protection laws, regulations, standards and other requirements could adversely affect our business, financial condition and results of operations.
We and the TOI PCs collect, receive, generate, use, process, and store significant and increasing volumes of sensitive information, such as employee, individually identifiable health information and other personally identifiable information. We and the TOI PCs are subject to a variety of federal and state laws and regulations, as well as contractual obligations, relating to the collection, use, storage, retention, security, disclosure, transfer, return, destruction and other processing of personal information, including health-related information. Enforcement actions and consequences for noncompliance with such laws, directives and regulations are rising, and the regulatory framework for privacy, data protection and data transfers is complex and rapidly evolving and is likely to remain uncertain for the foreseeable future.
In the United States, numerous such federal and state laws and regulations, including data breach notification laws, health information privacy laws, and consumer protection laws and regulations, including those that govern the collection, use, disclosure, and protection of health-related and other personal information, could apply to our operations or the operations of the TOI PCs. For example, the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and regulations implemented thereunder, which we refer to collectively as HIPAA, impose privacy, security and breach notification obligations on certain health care providers, health plans, and health care clearinghouses, known as covered entities, as well as business associates that perform certain services that involve creating, receiving, maintaining or transmitting individually identifiable health information for or on behalf of such covered entities. HIPAA requires covered entities, such as the TOI PCs, and business associates, such as us, to develop and maintain policies with respect to the protection of, use and disclosure of protected health information, or PHI, including the adoption of administrative, physical and technical safeguards to protect such information, and certain notification requirements in the event of a data breach.