Compliance with laws and regulations pertaining to the privacy and security of health information may be time consuming, difficult and costly, particularly in light of increased focus on privacy issues in countries around the world, including the U.S. and the EU.
We are subject to various domestic and international privacy and security regulations related to personal information, including health information, that are appliable to our business and associated data processing activities. The confidentiality, collection, use and disclosure of personal data, including clinical trial patient-specific information, are subject to governmental regulation generally in the country that the personal data were collected or used. In the United States, we are subject to various state and federal privacy and data security regulations, including but not limited to HIPAA and as amended by the HITECH Act. HIPAA imposes specified requirements relating to the privacy, security and transmission of individually identifiable health information, and mandates, among other things, the adoption of uniform standards for the electronic exchange of information in common health care transactions, as well as standards relating to the privacy and security of individually identifiable health information, which require the adoption of administrative, physical and technical safeguards to protect such information. We may also be subject to state security breach notification laws, state laws protecting the privacy and security of health and personal information, and federal and state consumer protections laws which regulate the collection, use, disclosure and transmission of personal information. These laws may overlap and conflict with each other, and each of these laws is subject to varying interpretations by courts and government agencies, creating complex compliance issues for us. In the EU, personal data includes any information that relates to an identified or identifiable natural person with health information carrying additional obligations, including obtaining the explicit consent from the individual for collection, use or disclosure of the information. We are also subject to the EU General Data Protection Regulation 2016/679 (“GDPR”). Violations of the GDPR can carry hefty fines. In addition, we may be subject to additional national laws and regulations that govern the privacy and security of health information in certain circumstances, many of which differ from each other in significant ways, thus complicating compliance efforts. If we fail to comply with applicable data protection laws and regulations, we could be subject to penalties or sanctions, including criminal penalties. Furthermore, the legislative and regulatory landscape for privacy and data protection continues to evolve, and there has been an increasing amount of focus on privacy and data protection issues.
Compliance with these laws may be time-consuming, difficult and costly. If we fail to comply with applicable laws, regulations or duties relating to the use, privacy or security of personal data we could be subject to the imposition of significant civil and criminal penalties, be forced to alter our business practices and suffer reputational harm.
Changes in health care law and implementing regulations, including government restrictions on pricing and reimbursement, as well as health care policy and other health care payor cost-containment initiatives, may have a material adverse effect on us.
In the United States and some foreign jurisdictions, there have been a number of legislative and regulatory changes and proposed changes regarding the regulatory system, health care system and efforts to control health care costs, including drug prices, that could have a significant negative impact on our business, including preventing, limiting or delay regulatory approval of our drug candidates and reducing the sales and profits derived from our products once they are approved. For example, in the United States, the ACA substantially changed the way health care is financed by both governmental and private insurers and significantly affects the pharmaceutical industry. Many provisions of ACA impact the biopharmaceutical industry, including that in order for a biopharmaceutical product to receive federal reimbursement under the Medicare Part B and Medicaid programs or to be sold directly to U.S. government agencies, the manufacturer must extend discounts to entities eligible to participate in the drug pricing program under the Public Health Services Act, or PHS. Since its enactment, there have been judicial and Congressional challenges and amendments to certain aspects of ACA. There is continued uncertainty about the implementation of ACA, including the potential for further amendments to the ACA and legal challenges to or efforts to repeal the ACA.
In addition, the Inflation Reduction Act of 2022, enacted in August 2022, empowers the Centers for Medicare and Medicaid Services to negotiate directly with pharmaceutical companies to set the prices for a limited set of high-cost drugs covered by Medicare, and puts penalties in place for drug manufacturers who increase their Medicare prices by more than the rate of inflation.
Other examples of proposed changes include, but are not limited to, expanding post-approval requirements, changing the Orphan Drug Act, and restricting sales and promotional activities for pharmaceutical products.
We cannot be sure whether additional legislative changes will be enacted, or whether government regulations, guidance or interpretations will be changed, or what the impact of such changes would be on the marketing approvals, sales, pricing, or reimbursement of our drug candidates or products, if any, may be.