Enliven may also be subject to federal consumer protection and unfair competition laws, which broadly regulate marketplace activities and activities that potentially harm consumers.
Efforts to ensure that Enliven’s current and future business arrangements with third parties will comply with applicable healthcare and data privacy and security laws and regulations will involve on-going substantial costs. Because of the breadth of these laws and the narrowness of the statutory exceptions and safe harbors available, it is possible that governmental authorities will conclude that Enliven’s business practices do not comply with current or future statutes, regulations, agency guidance or case law involving applicable fraud and abuse or other healthcare laws and regulations. If Enliven’s operations are found to be in violation of any of the federal and state healthcare laws described above or any other governmental regulations that apply to it, Enliven may be subject to significant penalties, including without limitation, civil, criminal and/or administrative penalties, damages, fines, disgorgement, imprisonment, exclusion from participation in government programs, such as Medicare and Medicaid, injunctions, private “qui tam” actions brought by individual whistleblowers in the name of the government, exclusion, debarment or refusal to allow Enliven to enter into government contracts, contractual damages, reputational harm, administrative burdens, diminished profits and future earnings, additional reporting requirements and/or oversight if Enliven becomes subject to a corporate integrity agreement or similar agreement to resolve allegations of non-compliance with these laws, and the curtailment or restructuring of Enliven’s operations, any of which could adversely affect Enliven’s ability to operate its business and its results of operations. Defending against any such actions can be costly, time-consuming and may require significant financial and personnel resources. Therefore, even if Enliven is successful in defending against any such actions that may be brought against it, its business may be impaired. Further, if any of the physicians or other healthcare providers or entities with whom Enliven expects to do business is found to be not in compliance with applicable laws, they may be subject to significant criminal, civil or administrative sanctions, including exclusions from government funded healthcare programs.
Enliven is subject to stringent and changing privacy, data protection and data security laws, regulations and standards as well as policies, contracts and other obligations related to data privacy, data protection and data security. Enliven’s actual or perceived failure to comply with such obligations could lead to enforcement or litigation (that could result in fines or penalties), a disruption or cancellation of clinical trials or commercialization of products, reputational harm, or other adverse business effects.
Enliven collects, receives, retains, stores, uses, shares, discloses, transfers, makes accessible, disseminates, and otherwise processes data (including personal and clinical trial information) relating to its employees and contractors, and other persons. Accordingly, Enliven is, or may become, subject to numerous legal and contractual obligations regarding the privacy, security, protection and appropriate collection, storing, sharing, use, processing, transfer, and disclosure of certain data, including personal information. For example, Enliven is, or may become, subject to various federal, state, local, and foreign laws, directives, and regulations regarding privacy, data protection, and data security, the scope of which are changing, subject to differing interpretations, and may be inconsistent among jurisdictions or conflict with other legal and regulatory requirements. Enliven is also subject to certain contractual obligations to third parties related to privacy, data protection and data security and it strives to comply with its applicable policies and applicable laws, regulations, contractual obligations, and other legal obligations relating to privacy, data protection, and data security, to the extent possible. The regulatory framework for privacy, data protection and data security worldwide is evolving and is likely to remain complex and uncertain for the foreseeable future. Any perception of privacy, data security, or data protection concerns or an inability, by Enliven or third parties that it relies on, to comply with applicable laws, regulations, policies, industry standards, contractual obligations, or other legal obligations, even if unfounded, may result in additional cost and liability to Enliven, harm its reputation, and adversely affect its business, financial condition, and results of operations.
Enliven is not currently classified as a covered entity or business associate under HIPAA. Thus, Enliven is not directly subject to HIPAA’s requirements or penalties. The healthcare providers, including certain research institutions from which Enliven may obtain patient or subject health information, may be subject to privacy, security, and breach notification requirements under HIPAA. Additionally, any person may be prosecuted under HIPAA’s criminal provisions either directly or under aiding-and-abetting or conspiracy principles. Consequently, depending on the facts and circumstances, Enliven could face substantial penalties if it knowingly receives individually identifiable health
-31-
