GNPX 2017 Annual Report

39 Federal false claims and civil monetary penalties laws, including the federal civil False Claims Act, prohibit, among other things, any person or entity from knowingly presenting, or causing to be presented, a false, fictitious or fraudulent claim for payment to, or approval by, the federal government, or knowingly making, using, or causing to be made or used, a false statement to get a false claim paid. Several pharmaceutical and other health care companies have been prosecuted under these laws for allegedly providing free product to customers with the expectation that the customers would bill federal programs for the product. Other companies have been prosecuted for causing false claims to be submitted because of the company’s marketing of the product for unapproved, and thus non-reimbursable, uses. The majority of states also have statutes or regulations similar to the federal Anti-Kickback Statute and false claims laws, which apply to items and services, reimbursed under Medicaid and other state programs, or, in several states, apply regardless of the payer. We may also be subject to data privacy and security regulations by both the federal government and the states in which we conduct our business. HIPAA, as amended by HITECH, and their respective implementing regulations, including the final Omnibus Rule published in 2013, imposes requirements on certain types of entities, including mandatory contractual terms, relating to the privacy, security, and transmission of individually identifiable health information. Among other things, HITECH makes HIPAA’s security standards and certain privacy standards directly applicable to business associates, which are independent contractors or agents of covered entities that create, receive, maintain or transmit protected health information in connection with providing a service for or on behalf of a covered entity. HITECH also created four new tiers of civil monetary penalties, amended HIPAA to make civil and criminal penalties directly applicable to business associates, and gave state attorneys general new authority to file civil actions for damages or injunctions in federal courts to enforce the federal HIPAA laws and seek attorneys’ fees and costs associated with pursuing federal civil actions. In addition, many state laws govern the privacy and security of health information in specified circumstances, many of which differ from each other and from HIPAA in significant ways and may not have the same requirements, thus complicating compliance efforts. Additionally, the federal Physician Payments Sunshine Act under the Affordable Care Act, and its implementing regulations, require that certain manufacturers of drugs, devices, biological and medical supplies for which payment is available under Medicare, Medicaid or the Children’s Health Insurance Program, with certain exceptions, annually report to CMS information related to certain payments or other transfers of value made or distributed to physicians and teaching hospitals, or to entities or individuals at the request of, or designated on behalf of, the physicians and teaching hospitals and to report annually certain ownership and investment interests held by physicians and their immediate family members. Failure to submit timely, accurately, and completely the required information may result in civil monetary penalties of up to an aggregate of $150,000 per year and up to an aggregate of $1 million per year for “knowing failures”. Certain states also mandate implementation of compliance programs, impose restrictions on pharmaceutical manufacturer marketing practices, and/or require the tracking and reporting of gifts, compensation, and other remuneration to healthcare providers and entities. Because of the breadth of these laws and the narrowness of the exceptions and safe harbors, it is possible that some of our business activities could be subject to challenge under one or more of such laws. Such a challenge could have a material adverse effect on our business, financial condition, and results of operations. If our operations are found to be in violation of any of these or any other health regulatory laws that may apply to us, we may be subject to, without limitation, significant penalties, including the imposition of significant civil, criminal and administrative penalties, damages, monetary fines, disgorgement, individual imprisonment, possible exclusion from participation in Medicare, Medicaid and other federal healthcare programs, contractual damages, reputational harm, diminished profits and future earnings, and curtailment or restructuring of our operations, any of which could adversely affect our ability to operate our business and our results of operations. In addition, as part of the sales and marketing process, pharmaceutical companies frequently provide samples of approved products to physicians. This practice is regulated by the FDA and other governmental authorities, including, in particular, requirements concerning record keeping and control procedures. Any failure to comply with the regulations may result in significant criminal and civil penalties as well as damage to our credibility in the marketplace. Coverage and Reimbursement In many of the markets where we may do business in the future, the prices of pharmaceutical products are subject to direct price controls (by law) and to reimbursement programs with varying price control mechanisms. In the United States, significant uncertainty exists as to the coverage and reimbursement status of any product candidates for which we obtain product approval. Often private payers follow the coverage and reimbursement decisions of the Medicare program, and it is difficult to predict how CMS may decide to cover and reimburse approved products, especially novel products, and those determinations are subject to change.