requiring disclosure of breaches); federal and state consumer protection and employment laws; HIPAA; and European and other international data protection laws. These laws and regulations are increasing in complexity and number, may change frequently and sometimes conflict.
HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), establishes a set of U.S. national privacy and security standards for the protection of individually identifiable health information, including protected health information, or PHI, by health plans, certain healthcare clearinghouses and healthcare providers that submit certain covered transactions electronically, or covered entities, and their “business associates,” which are persons or entities that perform certain services for, or on behalf of, a covered entity that involve creating, receiving, maintaining or transmitting PHI. While we are not currently a covered entity or business associate under HIPAA, we may receive identifiable information from these entities. Failure to receive this information properly could subject us to HIPAA’s criminal penalties, which may include fines up to $50,000 per violation and/or imprisonment. In addition, responding to government investigations regarding alleged violations of these and other laws and regulations, even if ultimately concluded with no findings of violations or no penalties imposed, can consume company resources and impact our business and, if public, harm our reputation.
In the United States, various federal and state regulators, including governmental agencies like the Federal Trade Commission, have promulgated, or are considering promulgating, regulations concerning personal information and data security. In addition to fines and penalties imposed upon violators, some of these state laws also afford private rights of action to individuals who believe their personal information has been misused. California’s patient privacy laws, for example, provide for penalties of up to $250,000 and permit injured parties to sue for damages. In addition, the California Consumer Privacy Act (“CCPA”) went into effect January 1, 2020, and is one of the most restrictive state privacy laws, protecting a wide variety of personal information and granting significant rights to California residents with respect to their personal information. Regulations under CCPA have been modified several times, and continue to be modified. Additionally, a new privacy law, the California Privacy Rights Act (“CPRA”), was approved by California voters in the election of November 3, 2020 and went into effect in January of 2023. The CPRA modified the CCPA significantly, and may result in further uncertainty, additional costs and expenses stemming from efforts to comply with this law, and increases the potential for harm and liability for failure to comply. Among other things, the CPRA established a new regulatory authority, the California Privacy Protection Agency, which is enacting new regulations and has expanded enforcement authority. Other states have implemented similar laws protecting identifiable health and personal information, and most such laws differ from each other in significant ways and may not be preempted by HIPAA, thus complicating compliance efforts.
In addition, various states, such as California, Colorado, Connecticut, New Jersey, Delaware, Utah, Virginia, Oregon, Indiana, Iowa, Tennessee, Montana, Florida and Texas, have implemented similar privacy laws and regulations.
The interplay of federal and state laws may be subject to varying interpretations by courts and government agencies, creating complex compliance issues for us and our clients and potentially exposing us to additional expense, adverse publicity and liability. Further, as regulatory focus on privacy issues continues to increase and laws and regulations concerning the protection of personal information expand and become more complex, these potential risks to our business could intensify.
The legislative and regulatory landscape for privacy and data security continues to evolve, and there has been an increasing focus on privacy and data security issues which may affect our business. Failure to comply with current and future laws and regulations could result in government enforcement actions (including the imposition of significant penalties), criminal and civil liability for us and our officers and directors, private litigation and/or adverse publicity that negatively affects our business.
Defending against claims relating to improper handling, storage or disposal of hazardous chemical, radioactive or biological materials could be time consuming and expensive.
Our research and development involves the controlled use of hazardous materials, including chemicals, radioactive and biological materials such as chemical solvents, phosphorus and bacteria. Our operations produce hazardous waste products. We cannot eliminate the risk of accidental contamination or discharge and any resultant injury from those materials. Various laws and regulations govern the use, manufacture, storage, handling and disposal of hazardous