CPSI 2017 Annual Report

21 claims. CMS has stated that it is concerned that percentage-based billing services may encourage billing companies to commit or to overlook fraudulent or abusive practices. A portion of our business involves billing Medicare claims on behalf of our clients. In an effort to combat fraudulent Medicare claims, the federal government offers rewards for reporting of Medicare fraud which could encourage others to subject us to a charge of fraudulent claims, including charges that are ultimately proved to be without merit. As discussed below, the HIPAA security and privacy standards also affect our claims transmission services, since those services must be structured and provided in a way that supports our clients’ HIPAA compliance obligations. Regulation of Medical Devices. The United States Food and Drug Administration (the "FDA") has determined that certain of our solutions, such as our ImageLink ® product, are medical devices that are actively regulated under the Federal Food, Drug and Cosmetic Act, as amended. If other of our solutions are deemed to be actively regulated medical devices by the FDA, we could be subject to extensive requirements governing pre- and post-marketing activities including pre-market notification clearance. Complying with these medical device regulations is time consuming and expensive, and our marketing and other sales activities could be subject to unanticipated and significant delays. Further, it is possible that the FDA may become more active in regulating software and medical devices that are used in the healthcare industry. If we are unable to obtain the required regulatory approvals for any such software or medical devices, our short- to long-term business plans for these solutions or medical devices could be delayed or canceled and we could face FDA refusal to grant pre-market clearance or approval of products; withdrawal of existing clearances and approvals; fines, injunctions or civil penalties; recalls or product corrections; production suspensions; and criminal prosecution. FDA regulation of our products could increase our operating costs, delay or prevent the marketing of new or existing products, and adversely affect our revenue growth. Security and Privacy of Patient Information. Federal, state and local laws regulate the privacy and security of patient records and the circumstances under which those records may be released. These regulations govern both the disclosure and use of confidential patient medical record information and require the users of such information to implement specified security and privacy measures. United States regulations currently in place governing electronic health data transmissions continue to evolve and are often unclear and difficult to apply. In the United States, HIPAA regulations require national standards for some types of electronic health information transactions and the data elements used in those transactions, security standards to ensure the integrity and confidentiality of health information, and standards to protect the privacy of individually identifiable health information. Covered entities under HIPAA, which include healthcare organizations such as our clients, and our claims processing, transmission and submission services, are required to comply with the privacy standards, transaction regulations and security regulations. Moreover, HITECH and associated regulatory requirements extend many of the HIPAA obligations, formerly imposed only upon covered entities, to business associates as well. As a business associate of our clients who are covered entities, we are in most instances already contractually required to ensure compliance with the HIPAA regulations as they pertain to the handling of covered client data. However, the extension of these HIPAA obligations to business associates by law has created a direct liability risk related to the privacy and security of individually identifiable health information. Evolving HIPAA and HITECH-related laws or regulations could restrict the ability of our clients to obtain, use or disseminate patient information. This could adversely affect demand for our solutions and devices if they are not re-designed in a timely manner in order to meet the requirements of any new interpretations or regulations that seek to protect the privacy and security of patient data or enable our clients to execute new or modified healthcare transactions. We may need to expend additional capital and software development and other resources to modify our solutions to address these evolving data security and privacy issues. Furthermore, our failure to maintain the confidentiality of sensitive personal information in accordance with the applicable regulatory requirements could damage our reputation and expose us to claims, fines and penalties. Federal and state statutes and regulations have granted broad enforcement powers to regulatory agencies to investigate and enforce compliance with these privacy and security laws and regulations. Federal and state enforcement personnel have substantial funding, powers and remedies to pursue suspected or perceived violations. If we fail to comply with any applicable laws or regulations, we could be subject to civil penalties, sanctions or other liability. Enforcement investigations, even if meritless, could have a negative impact on our reputation, cause us to lose existing clients or limit our ability to attract new clients. ARRA Meaningful Use Program . The ARRA requires "meaningful use of certified electronic health record technology" by healthcare providers by 2015 in order to receive limited incentive payments and to avoid related reduced reimbursement rates for Medicare claims. Related standards and specifications are subject to interpretation by the entities designated to certify such technology. While a combination of our solutions has been certified as meeting both stage one and stage two standards for certified electronic health record technology, the regulatory standards to achieve certification will continue to evolve over time.