MNKD 2017 Annual Report

If we or any future marketing partner fails to comply with federal and state healthcare laws, including fraud and abuse and health information privacy and security laws, we could face substantial penalties and our business, results of operations, financial condition and prospects could be adversely affected. As a biopharmaceutical company, even though we do not and will not control referrals of healthcare services or bill directly to Medicare, Medicaid or other third-party payors, certain federal and state healthcare laws and regulations, including those pertaining to fraud and abuse and patients’ rights are and will be applicable to our business. For example, we could be subject to healthcare fraud and abuse and patient privacy regulation by both the federal government and the states in which we conduct our business. The laws that may affect our ability to operate include, among others: • The federal Anti-Kickback Statute (as amended by PPACA, which modified the intent requirement of the federal Anti-Kickback Statute so that a person or entity no longer needs to have actual knowledge of the Statute or specific intent to violate it to have committed a violation), which constrains our business activities, including our marketing practices, educational programs, pricing policies, and relationships with healthcare providers or other entities by prohibiting, among other things, knowingly and willfully soliciting, receiving, offering or paying remuneration, directly or indirectly, to induce, or in return for, either the referral of an individual or the purchase or recommendation of an item or service reimbursable under a federal healthcare program, such as the Medicare and Medicaid programs. • Federal civil and criminal false claims laws, including without limitation the civil False Claims Act, and civil monetary penalties laws, which prohibit, among other things, individuals or entities from knowingly presenting, or causing to be presented, claims for payment from Medicare, Medicaid, or other federal healthcare programs that are false or fraudulent, and knowingly making, or causing to be made, a false record or statement material to a false or fraudulent claim to avoid, decrease or conceal an obligation to pay money to the federal government, and under PPACA, the government may assert that a claim including items or services resulting from a violation of the federal Anti-Kickback Statute constitutes a false or fraudulent claim for purposes of the federal false claims laws. • HIPAA, which created new federal criminal statutes that prohibit, among other things, knowingly and willfully executing a scheme to defraud any healthcare benefit program or falsifying, concealing, or covering up a material fact in connection with the delivery of or payment for health care benefits. • HIPAA, as amended by HITECH, and their respective implementing regulations, which imposes certain requirements relating to the privacy, security and transmission of individually identifiable health information on entities subject to the law, such as healthcare providers, health plans, and healthcare clearinghouses and their respective business associates that perform services for them that involve the creation, use, maintenance or disclosure of, individually identifiable health information. In addition, the European Union, or EU, has established its own data security and privacy legal framework, including but not limited to Directive 95/46/EC, or the Data Protection Directive. The Data Protection Directive will be replaced starting in May 2018 with the recently adopted European General Data Protection Regulation, or GDPR, which contains new provisions specifically directed at the processing of health information, higher sanctions and extra-territoriality measures intended to bring non-EU companies under the regulation. We anticipate that over time we may expand our business operations to include additional operations in the EU, including potentially conducting preclinical and clinical trials. With such expansion, we would be subject to increased governmental regulation in the EU countries in which we might operate, including the GDPR. • The federal physician sunshine requirements under PPACA, which requires certain manufacturers of drugs, devices, biologics, and medical supplies to report annually to the CMS information related to payments and other transfers of value to physicians, other healthcare providers, and teaching hospitals, and ownership and investment interests held by physicians and other healthcare providers and their immediate family members. • State and foreign law equivalents of each of the above federal laws, such as anti-kickback and false claims laws which may apply to items or services reimbursed by any third-party payor, including 29