Medtronic 2016 Annual Report Download - page 15

Download and view the complete annual report

Please find page 15 of the 2016 Medtronic annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 158

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158

Table of Contents
12
finished products. If applicable government agencies were to determine that we or such third parties were not in compliance with
applicable U.S. FDA or customs laws and regulations when engaging in cross-border transactions involving our products, we may
be subject to civil or criminal enforcement action, and varying degrees of liability, depending on the nature of the violation and
the extent of our culpability. In addition, such determinations may cause supply chain disruptions and delays in the distribution
of our products that impact our business activities.
Many countries, including the U.S., control the export and re-export of goods, technology and services for reasons including public
health, national security, regional stability, antiterrorism policies and other reasons. In certain circumstances, approval from
governmental authorities may be required before goods, technology or services are exported or re-exported to certain destinations,
to certain end-users and for certain end-uses. In addition, international sales of our medical devices that have not received U.S.
FDA approval are subject to U.S. FDA export requirements. Some governments may also impose economic sanctions against
certain countries, persons or entities. In addition to our need to comply with such regulations in connection with our direct export
activities, we also sell and provide goods, technology and services to agents, representatives and distributors who may export such
items to customers and end-users. If applicable government agencies were to determine that we, or the third parties through which
we export goods, were not in compliance with applicable export control or economic sanctions laws and regulations when engaging
in transactions involving our products, we may be subject to civil or criminal enforcement action, and varying degrees of liability,
dependent upon the nature of the violation and the extent of our culpability. Similarly, such determinations may cause disruption
or delays in the distribution and sales of our products, or result in restrictions being placed upon our international distribution and
sales of products which may materially impact our business activities.
Anti-Boycott Laws
Under U.S. laws and regulations, U.S. companies and their controlled-in-fact subsidiaries and affiliates outside the U.S are
prohibited from participating or agreeing to participate in unsanctioned foreign boycotts in connection with certain business
activities, including the sale, purchase, transfer, shipping or financing of goods or services within the U.S. or between the U.S.
and a foreign country. Currently, the U.S. considers the Arab League boycott of Israel to constitute an unsanctioned foreign boycott.
We are responsible for ensuring we comply with the requirements of U.S. anti-boycott laws for all transactions in which we are
involved. If we, or certain third parties through which we sell or provide goods or services, are determined to have violated U.S.
anti-boycott laws and regulations, we may be subject to civil or criminal enforcement action, and varying degrees of liability,
dependent upon the nature of the violation and the extent of our culpability. Penalties for any violations of anti-boycott laws and
regulations could include criminal penalties and civil sanctions such as fines, imprisonment, debarment from government contracts,
loss of export privileges and the denial of certain tax benefits, including foreign tax credits, and outside U.S subsidiary deferrals.
Data Privacy and Security Laws and Regulations
The collection, maintenance, protection, use, transmission, disclosure and disposal of sensitive personal information are regulated
at the U.S. federal and state, international and industry levels. U.S. federal and state laws protect the confidentiality of certain
patient health information, including patient medical records, and restrict the use and disclosure of patient health information by
health care providers. For example, the U.S. FDA has issued guidance advising manufacturers to review their cybersecurity
practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their
medical devices or compromise of the security of the hospital network that may be connected to the device. Moreover, in April
2003, the U.S. Department of Health and Human Services (HHS) published patient privacy rules under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) and, in April 2005, published security rules for protected health information.
The HIPAA privacy and security rules govern the use, disclosure, and security of protected health information by “Covered
Entities,” which are health care providers that submit electronic claims, health plans, and health care clearinghouses. In 2009,
Congress passed the HITECH Act, which modified certain provisions of the HIPAA privacy and security rules for Covered Entities
and their Business Associates (which is anyone that performs a service on behalf of a Covered Entity involving the use or disclosure
of protected health information and is not a member of the Covered Entity’s workforce). These included directing HHS to publish
more specific security standards, and increasing breach notification requirements, as well as tightening certain aspects of the
privacy rules. HHS published the final versions of these new rules in January 2013, and Covered Entities and Business Associates
were expected to be in compliance by September 2013. In addition, the HITECH Act provided that Business Associates will now
be subject to the same security requirements as Covered Entities, and that with regard to both the security and privacy rule, Business
Associates will be subject to direct enforcement by HHS, including civil and criminal liability, just as Covered Entities are. In the
past, HIPAA has generally affected us indirectly, but these modifications increase the potential for enforcement action against us
as a Business Associate. Medtronic is generally not a Covered Entity, except for our Diabetes business, Medtronic Monitoring,
Inc. and our health insurance plans. Medtronic only operates as a Business Associate to Covered Entities in a limited number of
instances. In those cases, the patient data that we receive and analyze may include protected health information.
A number of states have also adopted laws and regulations that may affect our privacy and security practices, such as state laws
that govern the use, disclosure and protection of social security numbers or that are designed to protect credit card account data.