Medtronic 2014 Annual Report Download - page 25


received U.S. FDA approval are subject to U.S. FDA export requirements. Some governments may also impose economic
sanctions against certain countries, persons or entities. In addition to our need to comply with such regulations in connection
with our direct export activities, we also sell and provide goods, technology and services to agents, representatives and
distributors who may export such items to customers and end-users. If third parties violate applicable export control and
economic sanctions laws and regulations when engaging in transactions involving our products, we may be subject to varying
degrees of liability dependent upon our participation in the transaction. The activities of our third parties may cause disruption
or delays in the distribution and sales of our products, or result in restrictions being placed upon our international distribution
and sales of products which may materially impact our business activities.

Anti-Boycott Laws

Under U.S. laws and regulations, U.S. companies and their controlled-in-fact foreign subsidiaries and affiliates are prohibited
from participating or agreeing to participate in unsanctioned foreign boycotts in connection with certain business activities,
including the sale, purchase, transfer, shipping or financing of goods or services within the U.S. or between the U.S. and a
foreign country. Currently, the U.S. considers the Arab League boycott of Israel to constitute an unsanctioned foreign boycott.
We are responsible for ensuring we comply with the requirements of U.S. anti-boycott laws for all transactions in which we are
involved. If we or third parties violate U.S. anti-boycott laws and regulations when engaging in transactions involving our
products, we may be subject to varying degrees of liability dependent upon the nature of the transaction and our participation in
the transaction. Penalties for any violations of anti-boycott laws and regulations could include criminal penalties and civil
sanctions such as fines, imprisonment, debarment from government contracts, loss of export privileges and the denial of certain
tax benefits, including foreign tax credits, and foreign subsidiary deferrals.

Patient Privacy Laws

U.S. federal and state laws protect the confidentiality of certain patient health information, including patient medical records,
and restrict the use and disclosure of patient health information by health care providers. In particular, in April 2003, the U.S.
Department of Health and Human Services (HHS) published patient privacy rules under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and, in April 2005, published security rules for protected health information. The HIPAA
privacy and security rules govern the use, disclosure, and security of protected health information by “Covered Entities,” which
are health care providers that submit electronic claims, health plans, and health care clearinghouses. In 2009, Congress passed
the HITECH Act, which modified certain provisions of the HIPAA privacy and security rules for Covered Entities and their
Business Associates (which is anyone that performs a service on behalf of a Covered Entity involving the use or disclosure of
protected health information and is not a member of the Covered Entity’s workforce). These included directing HHS to publish
more specific security standards, and increasing breach notification requirements, as well as tightening certain aspects of the
privacy rules. HHS published the final versions of these new rules in January 2013, and Covered Entities and Business
Associates were expected to be in compliance by September 2013. In addition, the HITECH Act provided that Business
Associates will now be subject to the same security requirements as Covered Entities, and that with regard to both the security
and privacy rule, Business Associates will be subject to direct enforcement by HHS, including civil and criminal liability, just as
Covered Entities are. In the past, HIPAA has generally affected us indirectly. Medtronic is generally not a Covered Entity,
except for a few units such as our Diabetes business and our health insurance plans. Medtronic only operates as a Business
Associate to Covered Entities in a limited number of instances. In those cases, the patient data that we receive and analyze may
include protected health information. We are committed to maintaining the security and privacy of patients’ health information
and believe that we meet the expectations of the HIPAA rules. Some modifications to our systems and policies may be
necessary, but the framework is already in place. However, the potential for enforcement action against us is now greater, as
HHS can take action directly against Business Associates. Thus, while we believe we are and will be in substantial compliance
with HIPAA standards, there is no guarantee that the government will not disagree. Enforcement actions can be costly and
interrupt regular operations of our business. Nonetheless, these requirements affect a limited subset of our business. We believe
the ongoing costs and impacts of assuring compliance with the HIPAA privacy and security rules are not material to our
business. In addition, there has been a developing trend of civil lawsuits and class actions brought relating to breaches of
consumer data held by large companies. While Medtronic has not been named in any such suits, if a substantial breach or loss of
data from our records were to occur, we could become a target of such litigation.

In 2013, Medtronic provided notification regarding certain records related to patients of our Diabetes business unit. While we
found no evidence of a breach or inadvertent disclosure of the patient records, we were unable to locate them for retrieval. The
HHS Office of Civil Rights contacted us following the disclosure, as is their regular practice, and we have provided them
information on the issue and our information security practices. In addition, Medtronic, along with two other large medical
device manufacturers, discovered an unauthorized intrusion to our systems that was believed to originate from hackers in Asia.