The Health Care Reform Law and Other Current or Future Legislative, Judicial or Regulatory Changes
The Patient Protection and Affordable Care Act and The Health Care and Education Reconciliation Act of 2010 (which we collectively refer to as the "Health Care Reform Law") enacted significant reforms to various aspects of the U.S. health insurance industry. Certain significant provisions of the Health Care Reform Law include, among others, mandated coverage requirements, mandated benefits and guarantee issuance associated with commercial medical insurance, rebates to policyholders based on minimum benefit ratios, adjustments to Medicare Advantage premiums, the establishment of federally facilitated or state-based exchanges coupled with programs designed to spread risk among insurers, and the introduction of plan designs based on set actuarial values. Some of these changes impact us and other entities that offer Medicare Advantage plans.
It is reasonably possible that the Health Care Reform Law and related regulations, as well as other current or future legislative, judicial or regulatory changes, including restrictions on our ability to manage our provider network or otherwise operate our business, or restrictions on profitability, including reviews by regulatory bodies that may compare the profitability of various products within our Medicare Advantage business and require that they remain within certain ranges of each other, increases in member benefits or changes to member eligibility criteria without corresponding increases in premium payments to us, may have a material adverse effect on our results of operations (including restricting revenue, enrollment and premium growth in certain products and market segments, restricting our ability to expand into new markets, increasing our medical and operating costs, further lowering our payment rates and increasing our expenses associated with assessments), our financial position and our cash flows.
Additionally, potential legislative changes or judicial determinations, including activities to repeal or replace the Health Care Reform Law or declare all or certain portions of the Health Care Reform Law unconstitutional, create uncertainty for our business, and we cannot predict when, or in what form, such legislative changes or judicial determinations may occur.
Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act and Other Laws, Rules and Regulations Related to Data Privacy
We are subject to data privacy and protection laws and regulations that apply to the collection, transmission, storage and use of PHI and other PII, which among other things, impose certain requirements relating to the privacy, security and transmission of PII. The legislative and regulatory landscape for privacy and data protection continues to evolve, and there has been an increasing focus on privacy and data protection issues with the potential to affect our business. Failure to comply with any of these laws and regulations could result in enforcement action against us, including fines, public censure, claims for damages by affected individuals, damage to our reputation and loss of goodwill, any of which could have a material adverse effect on our business, financial condition, results of operations or prospects. Ongoing efforts to comply with evolving laws and regulations may be costly and require ongoing modifications to our policies, procedures and systems.
The use of individually identifiable health data by our business is regulated at federal and state levels. These laws and rules are changed frequently by legislation or administrative interpretation. Various state laws address the use and maintenance of PII. Among these state laws, which we describe in more detail below, we are most substantially affected by the California Consumer Privacy Act, which, uniquely among general consumer privacy laws, does not exempt employee information or business contact information and maintains only narrow exemptions for data subject to HIPAA or the Gramm-Leach-Bliley Act. We may need to change the way we create, receive, maintain or transmit PII to comply with these state laws.
HIPAA includes administrative provisions directed at simplifying electronic data interchange through standardizing transactions, establishing uniform healthcare provider, payer, and employer identifiers, and establishing regulations aimed at protecting confidentiality and security of patient and member data. The rules preempt all inconsistent state laws unless the state law is more privacy-protective.
These regulations, in addition to other state laws, set standards for the security of electronic health information, including requirements that insurers provide customers with notice regarding how their PHI is used. Compliance with HIPAA regulations requires us to regularly monitor security risk, implement and regularly review administrative, technical and physical safeguards to protect electronic health information, and provide workforce training, among other administrative efforts. HIPAA can also expose us to additional liability for violations by our business associates (e.g., entities that provide services to health plans and providers).
The US Department of Health and Human Services, Office for Civil Rights announced on December 27, 2024, and published in the Federal Register on January 6, 2025, a Notice of Proposed Rulemaking proposing extensive modifications to the HIPAA security standards. If finalized, these modifications could entail significant additional compliance obligations and costs for HIPAA-regulated covered entities and business associates.
HIPAA imposes mandatory penalties for certain violations. In 2024, penalties for violations of HIPAA and its implementing regulations started at $141 per violation and could not exceed approximately $71,162 per violation, subject to a cap of approximately $2.1 million for violations of the same standard in a single calendar year. However, a single breach incident can result in violations of multiple standards. Additionally, the penalty amounts listed above are also due for inflation adjustments in 2025.
HIPAA also authorizes state attorneys general to file suit on behalf of their residents for statutory damages of up to $25,000. While HIPAA does not create a private right of action allowing individuals to sue in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI.
HIPAA further requires that members be notified of any unauthorized acquisition, access, use or disclosure of their unsecured PHI that compromises the privacy or security of such information, with certain exceptions related to unintentional or inadvertent use or disclosure by employees or authorized individuals. HIPAA specifies that such notifications must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. If a breach affects 500 patients or more, it must be reported to HHS without unreasonable delay, and HHS will post the name of the breaching entity on its public website. Breaches affecting more than 500 patients in the same state or jurisdiction must also be reported to the local media. If a breach involves fewer than 500 people, the covered entity must record it in a log and notify HHS at least annually.
We also publish statements to our members and partners that describe how we handle and protect PHI. If federal or state regulatory authorities or private litigants consider any portion of these statements to be untrue, we may be subject to claims of deceptive practices, which could lead to significant liabilities and consequences, including, without limitation, costs of responding to investigations, defending against litigation, settling claims, and complying with regulatory or court orders. Any of the foregoing consequences could have a material adverse impact on our business and our financial results.
Data privacy and security at the state level remains an evolving landscape. For example, CCPA, which came into effect on January 1, 2020, requires companies that process information on California residents to make disclosures to consumers about their data collection, use and sharing practices, allow consumers to opt out of certain data sharing with third parties and provides a cause of action for data breaches. In addition, on November 3, 2020, California voters approved amendments to the CCPA, known as the CPRA, which significantly modifies the CCPA, including by expanding consumers' rights with respect to certain personal information and creating a state agency, the California Privacy Protection Agency ("CPPA"), to oversee implementation and enforcement efforts. The CPPA is able to finance operations through penalties issued, and with the CPRA's removal of the mandatory cure period from the CCPA, we will have less warning before compliance risk results in legal action. The CPRA's amendments became effective on January 1, 2023. The CCPA contains exemptions for medical information governed by the California Confidentiality of Medical Information Act, and for PHI collected by a covered entity or business associate governed by the privacy, security, and breach notification rule established pursuant to HIPAA.
The CPPA has released for public comment draft regulations on risk assessments, cybersecurity assessments, and automated decision-making technologies, which close on February 19, 2025. These regulations are the final components of the CPRA's amendments to the CCPA, which granted the CPPA the authority to pass additional regulations. These regulations in their draft form contain substantial new compliance obligations with respect to PII we process.
The CCPA has prompted a number of proposals for new federal and state-level privacy legislation. Such proposed legislation, if enacted, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. For example, the Virginia Consumer Data Protection Act, which became effective January 1, 2023, gives Virginia residents expanded rights to access and creates additional obligations on companies covered by the legislation, and the Nevada Privacy Law, which became effective on October 1, 2019, requires businesses to give website users the option to opt out of the sale of their data, but is otherwise significantly more narrow than the other laws mentioned. As of February 1, 2025, general state privacy laws are in effect in California, Colorado, Connecticut, Utah, Texas, Oregon, Virginia, Montana, New Jersey, Delaware, Iowa, Nebraska, and New Hampshire. Additional general state privacy laws have been passed and will go into effect in 2025 in Tennessee, Minnesota, and Maryland, and in 2026 in Indiana, Kentucky, and Rhode Island.
While the CPRA/CCPA is an example of a consumer privacy law, the NAIC's Model Insurance Data Security Law (the "Model Law") is a different type of law focused on securing insurance licensees' information systems. Versions of this Model Law have been passed in many states and are expected to be passed in more states in the coming years. Similar to HIPAA, the Model Law requires the implementation of technical, administrative, and procedural information security practices and procedures and includes reporting requirements for data breaches. These Model Laws exist in a majority of states and are typically enforced by state insurance regulators.
It is possible that applicable laws may be interpreted and applied in a manner that is inconsistent with our practices and our efforts to comply with the evolving data protection rules may be unsuccessful. We must devote significant resources to understanding and complying with this changing landscape. Failure to comply with laws regarding privacy and security of PHI and other PII could expose us to penalties under such laws. Any such failure to comply with data protection and privacy laws could result in government-imposed fines or orders requiring that we change our practices, claims for damages or other liabilities, regulatory investigations and enforcement action, litigation and significant costs for remediation, any of which could adversely affect our business. Even if we are not determined to have violated these laws, government investigations into these issues typically require the expenditure of significant resources and generate negative publicity, which could have an adverse effect on our business, financial condition and results of operations.
As indicated above, there are numerous federal and state laws and regulations addressing patient and consumer privacy concerns, including notification requirements in the event of unauthorized access or theft of personal information. State statutes and regulations vary from state to state. Violations of HIPAA or applicable federal or state laws or regulations could subject us to significant criminal or civil penalties, including significant monetary penalties. We cannot yet fully determine the impact these or future laws, rules, regulations and industry standards may have on our business or operations. Any such laws, rules, regulations and industry standards may be inconsistent among different jurisdictions, subject to differing interpretations or may conflict with our current or future practices. Additionally, our customers may be subject to differing privacy laws, rules and legislation, which may mean that they require us to be bound by varying contractual requirements applicable to certain other jurisdictions. Adherence to such contractual requirements may impact our collection, use, processing, storage, sharing and disclosure of various types of information and may mean we become bound by, or voluntarily comply with, self-regulatory or other industry standards relating to these matters that may further change as laws, rules and regulations evolve. Complying with these requirements and changing our policies and practices may be onerous and costly, and we may not be able to respond quickly or effectively to regulatory, legislative and other developments. These changes may in turn impair our ability to offer our existing or planned features, products and services and/or increase our cost of doing business. As we expand our customer base, these requirements may vary from customer to customer, further increasing the cost of compliance and doing business.
Our business and operations may also be subject to federal, state, and local consumer protection laws governing marketing communications, including the Telephone Consumer Protection Act, "TCPA", which places restrictions on the use of automated tools and technologies to communicate with wireless telephone subscribers or communications services consumers generally and the CAN-SPAM Act, which regulates the transmission of marketing emails. Under the TCPA, entities using an automatic telephone dialing system to send communications must obtain prior express consent for non-marketing communications and prior express written consent for marketing communications. The TCPA has a private right of action, allowing individuals who have received unsolicited communications (phone calls, text messages or faxes) made using an "automatic telephone dialing system" to seek statutory damages of $500 per violation, or $1,500 if the violation was made willfully or knowingly. Despite our compliance efforts, we could nevertheless be forced to defend private class actions or government enforcement based on the communications we send to members.
In addition, certain of our businesses are also subject to the PCI DSS, which is a multifaceted industry security standard that is designed to protect credit card account data as mandated by payment brands and acquiring banks. We rely on vendors to assist us with PCI matters and to ensure PCI compliance. Despite our compliance efforts, we may become subject to claims that we have violated the PCI DSS or other requirements of the payment card brands, based on past, present, or future business practices, which could have an adverse impact on our business and reputation, subject us to fines and/or have a negative impact on our ability to accept credit card payments.
As described above, substantially all of our relevant member data is maintained on our technology platform, AVA, which aggregates and provides us with access to extensive member datasets, including individually identifiable PHI. As a result, any breach of our technology platform could expose us to substantial liability under HIPAA, the HITECH Act and other applicable laws, regulations or rules. See "Risk Factors-Security breaches, loss of data and other disruptions could compromise sensitive information related to our business or our members, or prevent us from accessing critical information and expose us to liability, which could adversely affect our business and our reputation."
Corporate Practice of Medicine and Other Laws
As a corporate entity, we are not licensed to practice medicine. Many states in which we operate through our subsidiaries limit the practice of medicine to licensed individuals or professional organizations comprised of licensed individuals, and business corporations generally may not exercise control over the medical decisions of physicians. Statutes, regulations and court decisions relating to the practice of medicine, fee-splitting between physicians and referral sources, and similar issues vary widely from state to state. While we endeavor to comply with state corporate practice of medicine laws and regulations as we interpret them, the laws and regulations in these areas are complex, changing, and often subject to varying interpretations. The interpretation and enforcement of these laws vary significantly from state to state.
Under business support services agreements between certain of our subsidiaries and affiliated physician-owned professional groups, these groups retain sole responsibility for all medical decisions, as well as for hiring and managing physicians and other licensed healthcare providers, developing operating policies and procedures, implementing professional standards and controls, and maintaining malpractice insurance. Regulatory authorities and other parties may assert that, despite the business support services agreements and other arrangements through which we operate, we are engaged in the prohibited corporate practice of medicine or that our arrangements constitute unlawful fee-splitting. Penalties for violations of the corporate practice of medicine or fee-splitting laws vary by state and may result in physicians being subject to disciplinary action, as well as to forfeiture of revenue from payors for services rendered. For business entities such as us, violations may also bring both civil and, in more extreme cases, criminal liability for engaging in medical practice without a license; in addition, our agreements could be found legally invalid and unenforceable (in whole or in part) or we could be required to restructure our contractual arrangements.
We, our in-house and externally engaged physicians and the facilities in which they operate are subject to various federal, state and local licensing and certification laws and regulations and accreditation standards and other laws, relating to, among other things, the adequacy of medical care, equipment, privacy of member information, physician relationships, personnel and operating policies and procedures. Failure to comply with these licensing, certification and accreditation laws, regulations and standards could result in prior payments being subject to recoupment, requirements to make significant changes to our operations and can give rise to civil or, in extreme cases, criminal penalties. We routinely take the steps we believe are necessary to retain or obtain all requisite licensure and operating authorities. While we have made reasonable efforts to substantially comply with federal, state and local licensing and certification laws and regulations and standards as we interpret them, the agencies that administer these programs may find that we have failed to comply in some material respects. If this were to occur, we could be subject to civil and/or criminal penalties, or we could be required to close or limit our operations at relevant sites.
In jurisdictions where the corporate practice of medicine is prohibited, we have historically operated by maintaining long-term business support contracts with multiple associated professional medical entities that are wholly owned by physicians and, in turn, employ or contract with physicians to provide those professional medical services required by our members. Under these business support services agreements, our primary operating subsidiary performs only non-medical business support services, does not represent that it offers medical services and does not exercise influence or control over the practice of medicine by the physicians or the associated physician groups. In addition to the above business support services arrangements, we have certain contractual rights relating to the orderly transfer of equity interests in our associated physician practices through succession agreements and other arrangements with their physician equity holders. Such equity interests cannot, however, be transferred to or held by us or by any non-professional medical entity. Accordingly, neither we nor our direct subsidiaries directly own any equity interests in any of our physician practices. In the event that any of the physician owners of our associated physician practices fail to comply with the business support services arrangement, if any business support services arrangement is terminated and/or we are unable to enforce our contractual rights over the orderly transfer of equity interests in any of our associated physician practices, such events could have a material adverse effect on our business, results of operations, financial condition and cash flows.
It is possible that a state regulatory agency or a court could determine that our agreements with physician equity holders of our associated physician practices and the way we carry out these arrangements as described above, either independently or coupled with the business support services agreements with such associated physician practices, are in violation of prohibitions on the corporate practice of medicine. As a result, these arrangements could be deemed invalid. Such a determination could force a restructuring of our business support services arrangements with the affected practices, which might include revisions of the business support services agreements, including a modification of the services fee and/or establishing an alternative structure that would permit us to contract with a physician network without violating prohibitions on the corporate practice of medicine. Such a restructuring may not be feasible, or it may not be possible to accomplish it within a reasonable time frame without a material adverse effect on our business, results of operations, financial condition and cash flows. Additionally, a number of states have recently introduced or are planning to introduce legislation that would significantly increase the level of scrutiny that similarly structured organizations would face and could introduce additional penalties on business support services organizations similar to ours.
Anti-Kickback, Physician Self-Referral and Other Fraud and Abuse Laws
A federal law commonly referred to as the "Anti-Kickback Statute" prohibits the offer, payment, solicitation, or receipt of any form of remuneration to induce, or in return for, the referral of Medicare or other governmental health program patients or patient care opportunities, or in return for the purchase, lease or order of items or services that are covered by Medicare or other federal governmental health programs. Because the prohibitions contained in the Anti-Kickback Statute apply to the furnishing of items or services for which payment is made in "whole or in part," the Anti-Kickback Statute could be implicated if any portion of an item or service we provide is covered by any of the state or federal health benefit programs described above. Violation of these provisions constitutes a felony criminal offense and applicable sanctions could include exclusion from the Medicare and Medicaid programs.
Section 1877 of the Social Security Act, commonly known as the "Stark Law," prohibits physicians, subject to certain exceptions described below, from referring Medicare or Medicaid patients to an entity providing "designated health services" in which the physician, or an immediate family member, has an ownership or investment interest or with which the physician, or an immediate family member, has entered into a compensation arrangement. These prohibitions, contained in the Omnibus Budget Reconciliation Act of 1993, commonly known as "Stark II," amended prior federal physician self-referral legislation known as "Stark I" by expanding the list of designated health services to a total of 11 categories. The professional groups with which we are contracted or affiliated provide one or more of these designated health services. Persons or entities found to be in violation of the Stark Law are subject to denial of payment for services furnished pursuant to an improper referral, civil monetary penalties, and exclusion from the Medicare and Medicaid programs.
A federal law commonly referred to as the "False Claims Act" prohibits the submission of a false or fraudulent claim to the government for payment or approval. Qui tam relators and/or the government may take the position that we submit certain data or information that could form the basis of a claim for payment, thus subjecting us to allegations under the False Claims Act. In such events, we could be subject to treble damages and per-claim penalties.
Many states also have enacted laws similar in scope and purpose to the Anti-Kickback Statute and, in more limited instances, the Stark Law, that are not limited to services for which Medicare or Medicaid payment is made. In addition, most states have statutes, regulations, or professional codes that restrict a physician from accepting various kinds of remuneration in exchange for making referrals. These laws vary from state to state and have seldom been interpreted by the courts or regulatory agencies. In states that have enacted these statutes, we believe that regulatory authorities and state courts interpreting these statutes may regard federal law under the Anti-Kickback Statute and the Stark Law as persuasive.
In addition, these laws are subject to modification and changes in interpretation, and are enforced by authorities vested with broad discretion. We continually monitor developments in this area. If we or our third parties with which we contract fail to comply with these laws, or if these laws are interpreted in a manner contrary to our interpretation or are reinterpreted or amended, or if new legislation is enacted with respect to healthcare fraud and abuse, illegal remuneration, or similar issues, we may be required to restructure our affected operations to maintain compliance with applicable law and/or be subject to liability. Such restructuring may not be possible or, if possible, may have a material adverse effect on our results of operations, financial position, or cash flows.
Environmental
We are subject to various federal, state, and local laws and regulations relating to the protection of human health and the environment. If an environmental regulatory agency finds any of our facilities to be in violation of environmental laws, penalties and fines may be imposed for each day of violation and the affected facility could be forced to cease operations. We could also incur other significant costs, such as cleanup costs or claims by third parties, as a result of releases of hazardous substances or violations of, or other liabilities under, environmental laws. Although we believe that our environmental practices, including waste handling and disposal practices, are in material compliance with applicable laws, future claims or violations, or changes in environmental laws, could have a material adverse effect on our results of operations, financial position or cash flows.
State Regulation of Insurance-Related Products
Laws in each of the states in which we operate our business license and regulate entities that offer health plans to residents of that state. The products we offer are sold under licenses issued by the applicable insurance regulators. However, for entities offering Medicare Advantage plans, federal law preempts all state laws and regulations except those relating to licensing and financial solvency.
With respect to state regulation of financial solvency, certain of our licensed insurance subsidiaries are subject to regulation under state insurance holding company regulations. These regulations generally require, among other things, prior approval and/or notice of certain material transactions, including dividend payments, purchases or sales of assets, intercompany agreements, and the filing of various financial and operational reports. The amount of dividends that may be paid to us by these insurance subsidiaries, without prior approval by state regulatory authorities, or ordinary dividends, is limited based on the entity's level of statutory income and statutory capital and surplus. Actual dividends paid may vary due to consideration of excess statutory capital and surplus and expected future surplus requirements. We continue to maintain our levels of aggregate excess statutory capital and surplus in our state-regulated operating subsidiaries. Dividends from our non-insurance companies are generally not restricted by departments of insurance.
If any of our plans or operations are found to violate these or other applicable government laws or regulations, we could suffer severe consequences that would have a material adverse effect on our business, results of operations, financial condition, cash flows, reputation and stock price, including:
- suspension or termination of one or more of our plans;
- refunds of amounts received in violation of law or applicable payment program requirements dating back to the applicable statute of limitation periods;
- loss of our required government certifications;
- loss of our licenses required to operate our clinics and in-house care delivery programs;
- criminal or civil liability, fines, damages or monetary penalties for violations of healthcare fraud and abuse laws, including the federal Anti-Kickback Statute, Stark Law and FCA, or other failures to meet regulatory requirements;
- enforcement actions by governmental agencies and/or state law claims for monetary damages by members who believe their PHI has been used, disclosed or not properly safeguarded in violation of federal or state patient privacy laws, including HIPAA and the Privacy Act of 1974;
- mandated changes to our practices or procedures that significantly increase operating expenses;
- imposition of and compliance with corporate integrity agreements that could subject us to ongoing audits and reporting requirements as well as increased scrutiny of our billing and business practices, which could lead to potential fines, among other things;
- termination of various relationships and/or contracts related to our business, including joint venture arrangements, medical director agreements, real estate leases and consulting agreements with physicians; and
- harm to our reputation, which could negatively impact our business relationships, affect our ability to attract and retain members and physicians, affect our ability to obtain financing and decrease access to new business opportunities and our ability to develop relationships with providers, among other things.