Confidential Treatment Requested by ZimVie Inc.
Pursuant to 17 C.F.R. Section 200.83
authorities of the EU countries separately regulate the clinical research for medical devices and the market surveillance of products once they are placed on the market. A new Medical Device Regulation (“MDR”) was published by the EU in 2017 that imposes significant additional premarket and postmarket requirements. The regulation provided an implementation period and became effective on May 26, 2021. Medical devices marketed in the EU will require certification according to these new requirements, except that devices with valid CE certificates, issued pursuant to the MDD before May 2020, can be placed on the market until May 2024.
Our quality management system is based upon the requirements of ISO 13485, the QSR, the MDR and other applicable regulations for the markets in which we sell. Our principal manufacturing sites are certified to ISO 13485 and audited at regular intervals.
Further, we are subject to other supranational, national, regional, federal, state and local laws concerning healthcare fraud and abuse, including false claims and anti-kickback laws, as well as the U.S. Physician Payments Sunshine Act and similar state and foreign healthcare professional payment transparency laws. These laws are administered by, among others, the DOJ, the Office of Inspector General of the HHS, state attorneys general and various foreign government agencies. Many of these agencies have increased their enforcement activities with respect to medical products manufacturers in recent years. Violations of these laws are punishable by criminal and/or civil sanctions, including, in some instances, fines, imprisonment and, within the U.S., exclusion from participation in government healthcare programs, including Medicare, Medicaid and Veterans Administration health programs.
Our operations in foreign countries are subject to the extraterritorial application of the FCPA. Our global operations are also subject to foreign anti-corruption laws, such as the UK Bribery Act, among others. As part of our global compliance program, we seek to address anti-corruption risks proactively.
Our facilities and operations are also subject to complex federal, state, local and foreign environmental and occupational safety laws and regulations, including those relating to discharges of substances in the air, water and land, the handling, storage and disposal of wastes and the clean-up of properties contaminated by pollutants. We do not expect that the ongoing costs of compliance with these environmental requirements will have a material impact on our consolidated earnings, capital expenditures or competitive position.
In addition, we are subject to federal, state and international data privacy and security laws and regulations that govern the collection, use, disclosure, transfer, storage, disposal and protection of health-related and other personal information. The FDA has issued guidance to which we may be subject concerning data security for medical devices. The FDA and the DHS have issued urgent safety communications regarding cybersecurity vulnerabilities of certain medical devices.
In addition, certain of our affiliates are subject to privacy, security and breach notification regulations promulgated under HIPAA. HIPAA governs the use, disclosure and security of protected health information by HIPAA “covered entities” and their “business associates.” Covered entities are health plans, health care clearinghouses and health care providers that engage in specific types of electronic transactions. A business associate is any person or entity (other than members of a covered entity’s workforce) that performs a service on behalf of a covered entity involving the use or disclosure of protected health information. HHS (through the Office for Civil Rights) has direct enforcement authority against covered entities and business associates with regard to compliance with HIPAA regulations. On December 10, 2020, HHS issued an NPR to modify the HIPAA privacy rule. The proposed modifications would remove communication barriers between providers and health plans, allow individuals more access to their health information and impose new requirements on entities that receive patient data requests. Separately, HHS (through the National Coordinator for Health Information Technology) issued a new rule, effective April 5, 2021, that seeks to limit “blocking” of electronic health information by imposing data access, software licensing and interoperability requirements on healthcare providers and information technology vendors. We intend to monitor both the NPR and the “information blocking” rule and assess their impact on the use of data in our business.
In addition to the FDA guidance and HIPAA regulations described above, a number of U.S. states have also enacted data privacy and security laws and regulations that govern the processing, collection, use, disclosure, transfer,