accounting of their own health information and limiting most use and disclosures of health information to the minimum amount reasonably necessary to accomplish the intended purpose. The HIPAA security rules require the implementation of administrative, physical and technical safeguards to protect the security of PHI. HIPAA applies to health plans, health care providers who engage in certain standard healthcare transactions electronically, such as electronic billing, and healthcare clearinghouses, all of which are referred to as “covered entities.” HIPAA also applies to “business associates,” or organizations that provide services to covered entities involving the use or disclosure of PHI. Business associates, like us, are subject to direct liability for violations of HIPAA.
Penalties for HIPAA violations can be issued by the HHS’s Office for Civil Rights, the U.S. Department of Justice, and state attorneys general. Financial penalties can range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for violations, with penalties adjusted for inflation annually. HIPAA authorizes state attorneys general to file suit on behalf of state residents; in such cases, courts can award damages, costs and attorneys’ fees related to HIPAA violations in addition to the aforementioned financial penalties. While HIPAA does not create a private right of action allowing individuals to sue in civil court for HIPAA violations, the HIPAA rules have been used as the basis for a duty of care claim in state civil suits for negligence or recklessness in the misuse or breach of PHI. Further, to provide “covered entity” clients with services that involve access to PHI, HIPAA requires us to enter into business associate agreements that require us to safeguard PHI in accordance with HIPAA. If we fail to comply with the terms of our business associate agreements, we may also be liable contractually.
Additionally, we are subject to any state laws that are more restrictive than the rules issued under HIPAA. These laws vary by state and could impose stricter standards and additional penalties. If we are found to be in violation of these applicable state laws, we could be subject to additional civil or criminal penalties, which could increase our liabilities, harm our reputation and have a material adverse effect on our business, financial condition and results of operations.
We are subject to complex and evolving U.S. and foreign laws and regulations regarding privacy, data protection, and other matters. Many of these laws and regulations are subject to change and uncertain interpretation, and could result in claims, changes to our business practices, monetary penalties, increased cost of operations, or declines in customer growth or engagement, or otherwise harm our business.
We are subject to a variety of laws and regulations in the United States and abroad that involve matters central to our business, including laws and regulations relating to privacy, data sharing and data protection, AI and use of machine learning, rights of publicity, content, intellectual property, advertising, marketing, distribution, data security, data retention and deletion, personal information, electronic contracts and other communications, competition, protection of minors, consumer protection, telecommunications, product liability, taxation, economic or other trade prohibitions or sanctions, corrupt practices, fraud, waste and abuse restrictions, and securities law compliance. The introduction of new products or expansion of our activities in certain jurisdictions may subject us to additional laws and regulations. For example, both the federal and various state governments of the United States have adopted or are considering laws, guidelines or rules for the collection, distribution, use and storage of information collected from or about customers or their devices. The CCPA, for example, which became effective January 1, 2020, substantially expands privacy obligations of many businesses providing services to California residents, including us. The CCPA requires new disclosures to California consumers, imposes new rules for collecting or using information about minors, and affords consumers new rights, such as the right to know whether the data is sold or disclosed and to whom, the right to request that a company delete personal information collected, the right to opt out of the sale of personal information and the right to non-discrimination in terms of price or service when a consumer exercises a privacy right. If we fail to comply with these regulations, the CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. 
Moreover, the CPRA, which became operational on January 1, 2023, expands on the CCPA, creating new consumer rights and protections, including: the right to correct personal information, the right to opt out of the use of personal information in automated decision making, the right to opt out of “sharing” a consumer’s personal information for cross-context behavioral advertising, and the right to restrict the use and disclosure of sensitive personal information, including geolocation data, to third parties. We will need to evaluate and potentially update our privacy program to ensure compliance with the CPRA and may incur additional costs and expenses in our effort to comply.
In addition, foreign data protection, privacy, and other laws and regulations can be more restrictive than those in the United States. For example, the GDPR and the UK GDPR impose stringent operational requirements for the collection, use,