The healthcare industry is highly regulated and is subject to changing political, legislative, regulatory, and other influences. Existing and new laws and regulations affecting the healthcare industry, or changes to existing laws and regulations, including the potential amendment or repeal of all or parts of the Affordable Care Act (ACA), could create unexpected liabilities for us, cause us to incur additional costs, and restrict our operations. Reforming the healthcare industry has been a priority for U.S. politicians, and key members of the legislative and executive branches have proposed a wide variety of potential changes and policy goals. Certain changes to laws impacting our industry, or perceived intentions to do so, could affect our business and results of operations.
Many healthcare laws are complex, and their application to specific services and relationships may not be clear. In particular, many existing healthcare laws and regulations, when enacted, did not anticipate the data analytics and improvement services that we provide, and these laws and regulations may be applied to our Solution in ways that we do not anticipate, particularly as we develop and release new and more sophisticated solutions. Our failure to accurately anticipate the application of these laws and regulations, or our other failure to comply with them, could create significant liability for us, result in adverse publicity, and negatively affect our business. Some of the risks we face from healthcare regulation are described below:
- False Claims Laws. There are numerous federal and state laws that prohibit submission of false information, or the failure to disclose information, in connection with submission and payment of physician claims for reimbursement. For example, the federal civil False Claims Act prohibits, among other things, individuals or entities from knowingly presenting, or causing to be presented, to the U.S. federal government, claims for payment or approval that are false or fraudulent, or knowingly making, using or causing to be made or used, a false record or statement material to a false or fraudulent claim. In addition, the government may assert that a claim including items and services resulting from a violation of the U.S. federal Anti-Kickback Statute constitutes a false or fraudulent claim for purposes of the civil False Claims Act. If our advisory services to customers are associated with action by customers that is determined or alleged to be in violation of these laws and regulations, it is possible that an enforcement agency would also try to hold us accountable. Any determination by a court or regulatory agency that we have violated these laws could subject us to significant civil or criminal penalties, invalidate all or portions of some of our customer contracts, require us to change or terminate some portions of our business, require us to refund portions of our services fees, subject us to additional reporting requirements and oversight under a corporate integrity agreement or similar agreement to resolve allegations of noncompliance with these laws, cause us to be disqualified from serving customers doing business with government payors, and have an adverse effect on our business. 
Our customers' failure to comply with these laws and regulations in connection with our services could result in substantial liability (including, but not limited to, criminal liability), adversely affect demand for our Solution, and force us to expend significant capital, research and development, and other resources to address the failure.
- Health Data Privacy Laws. There are numerous federal and state laws related to health information privacy. In particular, the federal Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) and their implementing regulations, which we collectively refer to as HIPAA, include privacy standards that protect individual privacy by limiting the uses and disclosures of PHI and implementing data security standards that require covered entities to implement administrative, physical, and technological safeguards to ensure the confidentiality, integrity, availability, and security of PHI in electronic form. HIPAA also specifies formats that must be used in certain electronic transactions, such as admission and discharge messages. By processing and maintaining PHI on behalf of our covered entity customers, we are a HIPAA business associate and mandated by HIPAA to enter into written agreements with our covered entity clients – known as BAAs – that require us to safeguard PHI. BAAs typically include:
- a description of our permitted uses of PHI;
- a covenant not to disclose that information except as permitted under the BAA and to require that our subcontractors, if any, are subject to substantially similar restrictions;
- assurances that reasonable and appropriate administrative, physical, and technical safeguards are in place to prevent misuse of PHI;
- an obligation to report to our customer any use or disclosure of PHI other than as provided for in the BAA;
- a prohibition against our use or disclosure of PHI if a similar use or disclosure by our customer would violate the HIPAA standards;
- the ability of our customers to terminate the underlying support agreement if we breach a material term of the BAA and are unable to cure the breach;
- the requirement to return or destroy all PHI at the end of our services agreement; and
- access by the Department of Health and Human Services (HHS) to our internal practices, books, and records to validate that we are safeguarding PHI.
In addition, we are also required to maintain BAAs, which contain similar provisions, with our subcontractors that access or otherwise process PHI on our behalf.
We may not be able to adequately address the business risks created by HIPAA implementation. Furthermore, we are unable to predict what changes to HIPAA or other laws or regulations might be made in the future or how those changes could affect our business or the costs of compliance. For example, in 2018, the HHS Office for Civil Rights published a Request for Information in the Federal Register seeking comments on a number of areas in which HHS is considering making both minor and significant modifications to the HIPAA privacy and security standards to, among other things, improve care coordination. We are unable to predict what, if any, impact the changes in such standards will have on our compliance costs or our Solution.
Finally, some of our analytics applications, for example one of our benchmarking applications, require that we obtain permissions consistent with HIPAA to provide "data aggregation services" and the right to create de-identified information and to use and disclose such de-identified information. We will also require large sets of de-identified information to enable us to continue to develop machine learning algorithms that enhance our Solution. If we are unable to secure these rights in customer BAAs or as a result of any future changes to HIPAA or other applicable laws, we may face limitations on the use of PHI and our ability to use de-identified information that could negatively affect the scope of our Solution as well as impair our ability to provide upgrades and enhancements to our Solution.
We outsource important aspects of the storage and transmission of customer and member information, and thus rely on third parties to manage functions that have material cyber-security risks. We attempt to address these risks by requiring outsourcing subcontractors who handle customer information to sign BAAs contractually requiring those subcontractors to adequately safeguard PHI in a similar manner that applies to us and in some cases by requiring such outsourcing subcontractors to undergo third-party security examinations as well as to protect the confidentiality of other sensitive customer information. In addition, we periodically hire third-party security experts to assess and test our security measures. However, we cannot be assured that these contractual measures and other safeguards will adequately protect us from the risks associated with the storage and transmission of customer proprietary information and PHI.
In addition to the HIPAA privacy and security standards, most states have enacted patient confidentiality laws that protect against the disclosure of confidential medical and other personally identifiable information (PII) and many states have adopted or are considering new privacy laws, including legislation that would mandate new privacy safeguards, security standards, and data security breach notification requirements. Such state laws, if more stringent than HIPAA requirements, are not preempted by the federal requirements, and we are required to comply with them.
Failure by us to comply with any of the federal and state standards regarding patient privacy and/or privacy more generally may subject us to penalties, including significant civil monetary penalties and, in some circumstances, criminal penalties. In addition, such failure may injure our reputation and adversely affect our ability to retain customers and attract new customers.
Even an unsuccessful challenge by regulatory authorities of our activities could result in adverse publicity and could require a costly response from us.
- Anti-Kickback and Anti-Bribery Laws. There are federal and state laws that prohibit payment for patient referrals, patient brokering, remuneration of patients, or billing based on referrals between individuals or entities that have various financial, ownership, or other business relationships with healthcare providers. In particular, the federal Anti-Kickback Statute prohibits offering, paying, soliciting, or receiving anything of value, directly or indirectly, for the referral of patients covered by Medicare, Medicaid, and other federal healthcare programs or the leasing, purchasing, ordering, or arranging for or recommending the lease, purchase, or order of any item, good, facility, or service covered by these programs. A person or entity does not need to have actual knowledge of the statute or specific intent to violate it in order to have committed a violation. Some enforcement activities focus on below or above market payments for federally reimbursable health care items or services as evidence of the intent to provide a kickback. Many states also have similar anti-kickback laws that are not necessarily limited to items or services for which payment is made by a federal healthcare program. In addition, the federal anti-referral law, the Stark Law, is very complex in its application, and prohibits physicians (and certain other healthcare professionals) from making a referral for a designated health service to a provider in which the referring healthcare professional (or spouse or any immediate family member) has a financial or ownership interest, unless an enumerated exception applies. The Stark Law also prohibits the billing for services rendered resulting from an impermissible referral. Many states also have similar anti-referral laws that are not necessarily limited to items or services for which payment is made by a federal healthcare program and may include patient disclosure requirements.
Moreover, both federal and state laws prohibit bribery and similar behavior. Any determination by a state or federal regulatory agency that we or any of our customers, vendors, or partners violate or have violated any of these laws could subject us to significant civil or criminal penalties, require us to change or terminate some portions of our business, require us to refund portions of our services fees, subject us to additional reporting requirements and oversight under a corporate integrity agreement or similar agreement to resolve allegations of noncompliance with these laws, cause us to be disqualified from serving customers doing business with government payors, and have an adverse effect on our business. Even an unsuccessful challenge by regulatory authorities of our activities could result in adverse publicity and could require a costly response from us.
- Corporate Practice of Medicine Laws and Fee-Splitting Laws. Many states have laws prohibiting physicians from practicing medicine in partnership with non-physicians, such as business corporations. In some states, including New York, these take the form of laws or regulations prohibiting splitting of physician fees with non-physicians or others. Any determination by a state court or regulatory agency that our service contracts with our clients violate these laws could subject us to civil or criminal penalties, invalidate all or portions of some of those contracts, require us to change or terminate some portions of our business, require us to refund portions of our services fees, and have an adverse effect on our business. Even an unsuccessful challenge by regulatory authorities of our activities could result in adverse publicity and could require a costly response from us.
- Medical Professional Regulation. The practice of most healthcare professions requires licensing under applicable state law. In addition, the laws in some states prohibit business entities from practicing medicine. We employ and contract with physicians who assist our customers with the customers' care coordination, care management, population health management, and patient safety activities. We do not intend to provide medical care, treatment, or advice. However, any determination that we are acting in the capacity of a healthcare provider and acted improperly as a healthcare provider may result in additional compliance requirements, expense, and liability to us, and require us to change or terminate some portions of our business.
- Medical Device Laws. The FDA may regulate medical or health-related software, including machine learning functionality and predictive algorithms, if such software falls within the definition of a "device" under the federal Food, Drug, and Cosmetic Act (FDCA). However, the FDA exercises enforcement discretion for certain low-risk software, as described in its guidance documents for Mobile Medical Applications, General Wellness: Policy for Low Risk Devices, and Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices. In addition, in December of 2016, President Obama signed into law the 21st Century Cures Act, which included exemptions for certain medical-related software, including software used for administrative support functions at a healthcare facility, software intended for maintaining or encouraging a healthy lifestyle, EHR software, software for transferring, storing, or displaying medical device data or in vitro diagnostic data, and certain clinical decision support software. The FDA has also issued draft guidance documents to clarify how it intends to interpret and apply the new exemptions under the 21st Century Cures Act. Although we believe that our software products are currently not subject to active FDA regulation, we continue to follow the FDA's developments in this area. There is a risk that the FDA could disagree with our determination or that the FDA could develop new final guidance documents that would subject our Solution to active FDA oversight. If the FDA determines that any of our current or future analytics applications are regulated as medical devices, we would become subject to various requirements under the FDCA and the FDA's implementing regulations. Depending on the functionality and FDA classification of our analytics applications, we may be required to:
- register and list our analytics applications with the FDA;
- notify the FDA and demonstrate substantial equivalence to other products on the market before marketing our analytics applications;
- submit a de novo request to the FDA to down-classify our analytics applications prior to marketing; or
- obtain FDA approval by demonstrating safety and effectiveness before marketing our analytics applications.
The FDA can impose extensive requirements governing pre- and post-market conditions, such as service investigation and others relating to approval, labeling, and manufacturing. In addition, the FDA can impose extensive requirements governing software development controls and quality assurance processes.
These laws and regulations may change rapidly, and it is frequently unclear how they apply to our business. Any failure of our products or services to comply with these laws and regulations could result in substantial civil or criminal liability and could, among other things, adversely affect demand for our services, force us to expend significant capital, research and development, and other resources to address the failure, invalidate all or portions of some of our contracts with our customers, require us to change or terminate some portions of our business, require us to refund portions of our revenue, cause us to be disqualified from serving customers doing business with government payors, and give our customers the right to terminate our contracts with them, any one of which could have an adverse effect on our business. Additionally, the introduction of new services may require us to comply with additional, yet undetermined, laws and regulations.
The security measures that we and our third-party vendors and subcontractors have in place to ensure compliance with privacy and data protection laws may not protect our facilities and systems from security breaches, acts of vandalism or theft, computer viruses, misplaced or lost data, programming and human errors, or other similar events. Under the HITECH Act, as a business associate, we may also be liable for privacy and security breaches and failures of our subcontractors. Even though we provide for appropriate protections through our agreements with our subcontractors, we still have limited control over their actions and practices. A breach of privacy or security of individually identifiable health information by a subcontractor may result in an enforcement action, including criminal and civil liability, against us. We are not able to predict the extent of the impact such incidents may have on our business.
Our failure to comply may result in criminal and civil liability because the potential for enforcement action against business associates is now greater. Enforcement actions against us could be costly and could interrupt regular operations, which may adversely affect our business. While we have not received any notices of violation of the applicable privacy and data protection laws and believe we are in compliance with such laws, there can be no assurance that we will not receive such notices in the future.
There is ongoing concern from privacy advocates, regulators, and others regarding data protection and privacy issues, and the number of jurisdictions with data protection and privacy laws has been increasing. Also, there are ongoing public policy discussions regarding whether the standards for de-identified, anonymous, or pseudonymized health information are sufficient, and the risk of re-identification sufficiently small, to adequately protect patient privacy. We expect that there will continue to be new proposed laws, regulations, and industry standards concerning privacy, data protection, and information security in the United States, including the California Consumer Privacy Act, which went into effect January 1, 2020, and we cannot yet determine the impact such laws, regulations, and standards may have on our business. Future laws, regulations, standards, and other obligations, and changes in the interpretation of existing laws, regulations, standards, and other obligations could impair our or our customers' ability to collect, use, or disclose information relating to consumers, which could decrease demand for our platform, increase our costs, and impair our ability to maintain and grow our customer base and increase our revenue. New laws, amendments to or re-interpretations of existing laws and regulations, industry standards, contractual obligations, and other obligations may require us to incur additional costs and restrict our business operations. In view of new or modified federal, state, or foreign laws and regulations, industry standards, contractual obligations, and other legal obligations, or any changes in their interpretation, we may find it necessary or desirable to fundamentally change our business activities and practices or to expend significant resources to modify our software or platform and otherwise adapt to these changes.
Any failure or perceived failure by us to comply with federal or state laws or regulations, industry standards, or other legal obligations, or any actual or suspected security incident, whether or not resulting in unauthorized access to, or acquisition, release, or transfer of personally identifiable information or other data, may result in governmental enforcement actions and prosecutions, private litigation, fines, and penalties or adverse publicity and could cause our customers to lose trust in us, which could have an adverse effect on our reputation and business. We may be unable to make such changes and modifications in a commercially reasonable manner or at all, and our ability to develop new products and features could be limited. Any of these developments could harm our business, financial condition, and results of operations. Privacy and data security concerns, whether valid or not valid, may inhibit market adoption of our platform.
Further, on May 1, 2020, ONC and CMS finalized and published complementary new rules to support access, exchange, and use of EHI, referred to as the Final Rule. The Final Rule is intended to clarify provisions of the 21st Century Cures Act regarding interoperability and information blocking, and, subject to the interpretations of the Final Rule and exceptions to what constitutes information blocking, may create significant new requirements for health care industry participants. The Final Rule requires certain electronic health record technology to incorporate standardized application programming interfaces (APIs) to allow individuals to securely and easily access structured EHI using smartphone applications. The Final Rule also implements provisions of the 21st Century Cures Act requiring that patients be provided with electronic access to all of their EHI (structured and/or unstructured) at no cost.
Finally, the Final Rule also implements the information blocking provisions of the 21st Century Cures Act, subject to eight exceptions that will not be considered information blocking as long as specific conditions are met. The impact of the Final Rule on our business is unclear at this time, due to, among other things, uncertainty regarding the interpretation of safe harbors and exceptions to the Final Rule by industry participants and regulators.
The Final Rule focuses on health plans, payors, and health care providers and proposes measures to enable patients to move from health plan to health plan, provider to provider, and have both their clinical and administrative information travel with them.
It is unclear whether the Final Rule will benefit us: certain EHR vendors will no longer be permitted to interfere with our attempts at integration, but the rules may also make it easier for other similar companies to enter the market, increasing competition and reducing our market share. It is unclear at this time what the costs of compliance with the proposed rules, if adopted, would be, and what additional risks there may be to our business.