Further, we are subject to additional similar U.S. state and foreign law equivalents of each of the above federal laws, which, in some cases, differ from each other in significant ways, and may not have the same effect, thus complicating compliance efforts. If our operations are found to be in violation of any of such laws or any other governmental regulations that apply, we may be subject to penalties, including, without limitation, civil, criminal and administrative penalties, damages, fines, exclusion from government-funded healthcare programs, such as Medicare and Medicaid or similar programs in other countries or jurisdictions, integrity oversight and reporting obligations to resolve allegations of non-compliance, disgorgement, individual imprisonment, contractual damages, reputational harm, diminished profits and the curtailment or restructuring of our operations.
Data Privacy and Security
Numerous state, federal and foreign laws govern the collection, dissemination, use, access to, confidentiality and security of personal information, including health-related information. As our operations and business grow, we may become subject to or affected by U.S. federal and state laws and regulations, including the Health Information Portability and Accountability Act of 1996, and its implementing regulations, as amended, or HIPAA, that govern the collection, use, disclosure, and protection of health-related and other personal information. In California, the California Consumer Protection Act, or CCPA, which went into effect on January 1, 2020 and was amended effective January 1, 2023, establishes a new privacy framework for covered businesses by creating an expanded definition of personal information, establishing new data privacy rights for consumers in the State of California, imposing special rules on the collection of consumer data from minors, and creating a new and potentially severe statutory damages framework for violations of the CCPA and for businesses that fail to implement reasonable security procedures and practices to prevent data breaches. While clinical trial data and information governed by HIPAA are currently exempt from the current version of the CCPA, other personal information may be subject to the CCPA, and possible changes to the CCPA may broaden its scope. Other states, including Virginia (effective January 1, 2023), Colorado (effective July 1, 2023), Connecticut (effective July 1, 2023), and Utah (effective December 31, 2023), have passed privacy legislation and more states may do so in the future, including Iowa, where the Iowa state legislature passed comprehensive privacy legislation on March 15, 2023. State and non-U.S. laws, including for example the EU General Data Protection Regulation, also govern the privacy and security of health information in some circumstances, many of which differ from each other in significant ways and often are not preempted by HIPAA, thus complicating compliance efforts. Failure to comply with these laws, where applicable, can result in the imposition of significant civil and/or criminal penalties and private litigation. Privacy and security laws, regulations, and other obligations are constantly evolving, may conflict with each other to complicate compliance efforts, and can result in investigations, proceedings, or actions that lead to significant civil and/or criminal penalties and restrictions on data processing.
Coverage and Reimbursement
In the United States and markets in other countries, patients generally rely on third-party payors to reimburse all or part of the costs associated with their treatment. Adequate coverage and reimbursement from governmental healthcare programs, such as Medicare and Medicaid, and commercial payors is critical to new product acceptance. Our ability to successfully commercialize our product candidates will depend in part on the extent to which coverage and adequate reimbursement for these products and related treatments will be available from government health administration authorities, private health insurers and other organizations. Even if coverage is provided, the approved reimbursement amount may not be high enough to allow us to establish or maintain pricing sufficient to realize a sufficient return on our investment. Government authorities and third-party payors, such as private health insurers and health maintenance organizations, decide which medications they will pay for and establish reimbursement levels.
Significant uncertainty exists as to the coverage and reimbursement status of any pharmaceutical or biological product for which we obtain regulatory approval. Sales of any product, if approved, depend, in part, on the extent to which such product will be covered by third-party payors, such as federal, state, and foreign government healthcare programs, commercial insurance and managed healthcare organizations, and the level of reimbursement, if any, for such product by third-party payors. Decisions regarding whether to cover any of our product candidates, if approved, the extent of coverage and amount of reimbursement to be provided are made on a plan-by-plan basis. Further, no uniform policy for coverage and reimbursement exists in the United States, and coverage and reimbursement can differ significantly from payor to payor. Third-party payors often rely upon Medicare coverage policy and payment limitations in setting their own reimbursement rates, but also have their own methods and approval process apart from Medicare determinations. As a result, the coverage determination process is often a time-consuming and costly