The privacy and security of PII stored, maintained, received or transmitted electronically is a significant issue in the United States. While we strive to comply with all applicable privacy and security laws and regulations, as well as our own posted privacy policies, legal standards for privacy, including but not limited to "unfairness" and "deception," as enforced by the Federal Trade Commission and state attorneys general and comprehensive privacy laws in more than 20 states, continue to evolve. Our failure or perceived failure to comply may result in proceedings or actions against us by government entities or others, or could cause us to lose customers, which could have a material adverse effect on our business. Recently, there has been an increase in public awareness of privacy issues and in the number of private privacy-related lawsuits filed against companies. Any allegations about us, our supported practices or our supported clinicians with regard to the collection, processing, use, disclosure, or security of PII or other privacy-related matters, even if unfounded, could damage our reputation and harm our business.
We also publish statements to our patients and stakeholders that describe how we handle and protect personal information. If federal or state regulatory authorities or private litigants consider any portion of these statements to be deceptive or misleading, either by what was said or what is omitted, we may be subject to claims of deceptive practices, which could lead to significant liabilities and consequences, including, without limitation, costs of responding to investigations, defending against litigation, settling claims and complying with regulatory or court orders.
Numerous federal and state laws and regulations govern collection, dissemination, use and confidentiality of personally identifiable health information, including state privacy and confidentiality laws (including state laws requiring notification of data breaches) and HIPAA.
HIPAA establishes a set of baseline national privacy and security standards for the protection of PHI, by health plans, healthcare clearinghouses and certain healthcare providers, referred to as covered entities, and the business associates with whom such covered entities contract for services, which includes us. Certain of our entities and supported practices are covered entities, while our management service entities are business associates.
HIPAA requires covered entities and business associates to develop and maintain policies and procedures with respect to PHI that is used or disclosed, including the adoption of administrative, physical and technical safeguards to protect such information. HIPAA also implemented the use of standard transaction code sets and standard identifiers that covered entities must use when submitting or receiving certain electronic healthcare transactions, including activities associated with the billing and collection of healthcare claims.
HIPAA imposes mandatory penalties for certain violations. Penalties for violations of HIPAA and its implementing regulations include civil monetary penalties of up to $71,162 per violation, not to exceed $2,134,831 for violations of the same standard in a single calendar year (as of 2024, and subject to periodic adjustments for inflation). However, a single breach incident can result in violations of multiple standards, which could result in significant fines. A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA may face a criminal penalty of up to $50,000 and up to one year of imprisonment. The criminal penalties increase if the wrongful conduct involves false pretenses or the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm, with a maximum fine of $250,000 and maximum imprisonment of ten years. HIPAA also authorizes state attorneys general to file suit on behalf of their residents. While HIPAA does not create a private right of action allowing individuals to bring lawsuits in civil court for violations of HIPAA, its standards have been used as the basis for the duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. Any such penalties or lawsuits could harm our business, financial condition, results of operations and prospects.
In addition, HIPAA mandates that the Secretary of HHS conduct periodic compliance audits of HIPAA covered entities or business associates for compliance with the HIPAA Privacy and Security Standards. It also tasks HHS with establishing a methodology whereby harmed individuals who were the victims of breaches of unsecured PHI may receive a percentage of the Civil Monetary Penalty fine paid by the violator.
HIPAA further requires that patients be notified of any unauthorized acquisition, access, use or disclosure of their unsecured PHI that compromises the privacy or security of such information, with certain exceptions related to unintentional or inadvertent use or disclosure by employees or authorized individuals. HIPAA specifies that such notifications must be made "without unreasonable delay and in no case later than 60 calendar days after discovery of the breach." If a breach affects 500 patients or more, it must be reported to HHS without unreasonable delay, and HHS will post the name of the breaching entity on its public website. Breaches affecting 500 patients or more in the same state or jurisdiction must also be reported to the local media. If a breach involves fewer than 500 people, the covered entity must record it in a log and notify HHS at least annually. Further, the HHS OCR published a proposed rule in January of 2021, which, among other things, calls for greater care coordination and an individual's rights to access patient records. The proposed rule specifically encourages the disclosure of PHI when needed to help individuals experiencing substance use disorder, serious mental illness and in emergency circumstances. The proposed rule is subject to a regulatory suspension announced by the Biden administration and we do not know when (or if) the final rule will be published or whether there may be additional changes to the regulations, but when it is, we will need to evaluate and potentially update our HIPAA regulatory programs and documentation to ensure compliance with such requirements.
Additionally, online tracking technologies generally used to collect and analyze information about user behavior and enhance the user experience may qualify as HIPAA violations and result in sanction. In December 2022, OCR issued a bulletin titled, "Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates," which sets forth broad-reaching guidance for HIPAA covered entities and their business associates that utilize online tracking technologies on their webpages and applications. In the guidance, OCR takes the position that when individuals use regulated entities' websites, the individual information gleaned from that use (including, in certain circumstances, IP address, geographic location, or other unique identifying code) may include PHI, and such information cannot be disclosed to a tracking vendor in a manner that would constitute an impermissible disclosure under HIPAA (e.g., disclosure without a valid HIPAA authorization or business associate agreement ("BAA")). In March 2024, the OCR updated its 2023 guidance on the use of online tracking technologies on webpages and applications by HIPAA covered entities and business associates to address the disclosure of individually identifiable health information through unauthenticated, public-facing webpages. The guidance was subject to court challenge, and its interpretation and enforcement remain subject to ongoing developments. There have been several class action lawsuits, including against LifeStance, asserting that HIPAA covered entities and business associates improperly used or disclosed PHI through online tracking technologies. See "-Risks Related to Our Business and Our Industry-Litigation, including in connection with commercial disputes or employment claims, against us could be costly and time-consuming to defend."
HHS OCR additionally published a final rule in April 2024 modifying existing standards permitting uses and disclosures of PHI when the PHI pertains to reproductive healthcare, which is defined broadly and may capture mental health treatment provided to women surrounding subjects such as pregnancy, miscarriage, abortion, and fertility. The final rule became effective June 25, 2024, with compliance required by December 23, 2024, and generally prohibits the use or disclosure of PHI by a covered entity when said use or disclosure is to be used to conduct a criminal, civil, or administrative investigation into or impose a related liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive healthcare, when such healthcare is lawful under the circumstances in which it is provided. Covered entities are similarly prohibited from disclosing PHI to identify any person for the purpose of conducting such investigation or imposing such liability. To implement this prohibition, covered entities that receive a request for PHI potentially related to reproductive healthcare are required to obtain a signed attestation that the use or disclosure of said PHI is not for a prohibited purpose, when said request is for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners. Compliance with this new rule will require careful monitoring of the evolving landscape of state laws surrounding reproductive healthcare so that we may remain compliant with both state and federal laws.
We may also be required to comply with the Federal Substance Abuse Confidentiality Regulations, known as 42 C.F.R. Part 2. In July 2020, new regulations overhauled these laws to better align with HIPAA and to facilitate better coordination of care in response to the opioid epidemic. On December 2, 2022, HHS OCR published a proposed rule containing proposals to implement the CARES Act provisions, which bring Part 2 in alignment with HIPAA including, among other things, expanding the scope of permitted disclosures of substance use disorder treatment records and applying HIPAA's breach notification standards to breaches of records protected by Part 2. Notice of Privacy Practices and arrangements with business associates and qualified service organizations will also need to be adjusted accordingly.
The Final Rule, which was published in February 2024, aligned Part 2 penalties with civil and criminal enforcement authorities that apply to HIPAA violations. Under the Final Rule, the penalties for Part 2 violations have increased, rising from up to $5,000 for individuals and $10,000 for organizations on a per-violation basis to a $50,000 maximum penalty for failure to comply with the Part 2 requirements and a $250,000 maximum penalty for wrongful disclosure of individually identifiable health information. Additional changes in the Final Rule further harmonize Part 2 with HIPAA and include aligning data breach notification protocols with the HIPAA Breach Notification Rule; allowing single consents for disclosures related to treatment, payment and healthcare operations; and aligning Part 2 Patient Notice requirements with requirements of the HIPAA Notice of Privacy Practices. We will have until February 2026 to comply.
Further, the U.S. federal government and various states and governmental agencies have adopted or are considering adopting various laws, regulations and standards regarding the collection, use, retention, security, disclosure, transfer and other processing of sensitive and personal information. For example, California implemented the California Confidentiality of Medical Information Act, which imposes restrictive requirements regulating the use and disclosure of health information and other personally identifiable information. These laws and regulations are not necessarily preempted by HIPAA, particularly if a state affords greater protection to individuals than HIPAA. Where state laws are more protective, we have to comply with the stricter provisions. In addition to fines and penalties imposed upon violators, some of these state laws also afford private rights of action to individuals who believe their personal information has been misused. For example, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the "CCPA"), gives California residents certain privacy rights in the collection and use of their personal information, and the ability to take certain other actions in furtherance of those rights. Failure to comply with the CCPA may result in, among other things, civil penalties of up to $7,500 per violation, as well as a private right of action for certain data breaches. Additionally, California created a data protection agency authorized to implement and enforce the CCPA, which could result in increased enforcement. While the CCPA contains an exemption for PHI subject to HIPAA, we may process other personal information that is subject to the CCPA. In addition, almost 20 other states have now passed comprehensive privacy laws that have taken effect or will come into effect at various times over the next few years.
These comprehensive state privacy laws also provide exemptions for PHI subject to HIPAA or exempt covered entities and business associates entirely. All of these evolving compliance and operational requirements impose significant costs that are likely to increase over time, may require us to modify our data processing practices and policies, divert resources from other initiatives and projects and could restrict the way services involving data are offered, all of which may adversely affect our results of operations. Certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to sensitive and personal information than federal, international or other state laws, and such laws may differ from each other, which may complicate compliance efforts. State laws are changing rapidly and there is discussion in Congress of a new federal data protection and privacy law to which we may be subject. We will need to continue to evaluate our privacy program as the implementation of the law evolves and may need to make further modifications to our programs, which, if we fail to do so as required, may expose us to liability.
There are many other federal and state-based data privacy and security laws and regulations that may impact our business. For example, federal, state and local privacy and consumer protection laws also govern specific technologies that we employ or how we market to, and otherwise communicate with, individuals. Among these, the Controlling the Assault of Non-Solicited Pornography and Marketing Act and the Telephone Consumer Protection Act ("TCPA") impose specific requirements on communications with consumers. The TCPA and analogous state laws, for instance, impose various consumer consent requirements and other restrictions on communications with consumers by phone, fax or text message. TCPA violations can result in significant financial penalties, including penalties or criminal fines imposed by the Federal Communications Commission or fines of up to $1,500 per violation imposed through private litigation or by state authorities. The TCPA provides for substantial penalties and statutory damages and has generated significant class action activity. The costs of litigating and/or settling a TCPA or similar legal claim could be significant.
The interplay of federal and state laws may be subject to varying interpretations by courts and government agencies, creating complex compliance issues for us and our clients and potentially exposing us to additional expense, adverse publicity and liability. Further, as regulatory focus on privacy issues continues to increase and laws and regulations concerning the protection of personal information expand and become more complex, these potential risks to our business could intensify. Changes in laws or regulations associated with the enhanced protection of certain types of sensitive data, such as PHI or PII, along with increased customer demands for enhanced data security, could greatly increase our cost of providing our services, decrease demand for our services, reduce our revenue and/or subject us to additional liabilities.
In addition to the applicable federal and state laws, we are also subject to PCI DSS, a self-regulatory standard that requires companies that process payment card data to implement certain data security measures. If we or our payment processor fail to comply with the PCI DSS, we may incur significant fines or liability and lose access to major payment card systems. Our systems are subject to annual review under the PCI DSS requirements, and we have historically had, may now have, and may in the future have items that require improvement. Industry groups may in the future adopt additional self-regulatory standards by which we are legally or contractually bound.
The evolving patchwork of differing state and federal privacy and data security laws increases the cost and complexity of operating our business and increases our exposure to liability, including from third-party litigation and regulatory investigations, enforcement, fines and penalties. The scope and enforcement of each of these laws is uncertain and subject to rapid change, particularly in the current environment of healthcare reform. Federal and state enforcement bodies have recently increased their scrutiny of interactions between healthcare companies and healthcare providers, which has led to a number of investigations, prosecutions, convictions and settlements in the healthcare industry. Any such investigations, prosecutions, convictions or settlements could result in significant financial penalties, damage to our brand and reputation, and a loss of customers, any of which could have an adverse effect on our business.