Medtronic 2015 Annual Report Download - page 23

Download and view the complete annual report

Please find page 23 of the 2015 Medtronic annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 166

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166

sanctions laws and regulations when engaging in transactions involving our products, we may be subject to civil or criminal
enforcement action, and varying degrees of liability, dependent upon the nature of the violation and the extent of our culpability.
Similarly, such determinations may cause disruption or delays in the distribution and sales of our products, or result in
restrictions being placed upon our international distribution and sales of products which may materially impact our business
activities.
Anti-Boycott Laws
Under U.S. laws and regulations, U.S. companies and their controlled-in-fact foreign subsidiaries and affiliates are prohibited
from participating or agreeing to participate in unsanctioned foreign boycotts in connection with certain business activities,
including the sale, purchase, transfer, shipping or financing of goods or services within the U.S. or between the U.S. and a
foreign country. Currently, the U.S. considers the Arab League boycott of Israel to constitute an unsanctioned foreign boycott.
We are responsible for ensuring we comply with the requirements of U.S. anti-boycott laws for all transactions in which we are
involved. If we, or certain third parties through which we sell or provide goods or services, are determined to have violated U.S.
anti-boycott laws and regulations, we may be subject to civil or criminal enforcement action, and varying degrees of liability,
dependent upon the nature of the violation and the extent of our culpability. Penalties for any violations of anti-boycott laws and
regulations could include criminal penalties and civil sanctions such as fines, imprisonment, debarment from government
contracts, loss of export privileges and the denial of certain tax benefits, including foreign tax credits, and foreign subsidiary
deferrals.
Patient Privacy Laws
U.S. federal and state laws protect the confidentiality of certain patient health information, including patient medical records,
and restrict the use and disclosure of patient health information by health care providers. In particular, in April 2003, the U.S.
Department of Health and Human Services (HHS) published patient privacy rules under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and, in April 2005, published security rules for protected health information. The HIPAA
privacy and security rules govern the use, disclosure, and security of protected health information by “Covered Entities,” which
are health care providers that submit electronic claims, health plans, and health care clearinghouses. In 2009, Congress passed
the HITECH Act, which modified certain provisions of the HIPAA privacy and security rules for Covered Entities and their
Business Associates (which is anyone that performs a service on behalf of a Covered Entity involving the use or disclosure of
protected health information and is not a member of the Covered Entity’s workforce). These included directing HHS to publish
more specific security standards, and increasing breach notification requirements, as well as tightening certain aspects of the
privacy rules. HHS published the final versions of these new rules in January 2013, and Covered Entities and Business
Associates were expected to be in compliance by September 2013. In addition, the HITECH Act provided that Business
Associates will now be subject to the same security requirements as Covered Entities, and that with regard to both the security
and privacy rule, Business Associates will be subject to direct enforcement by HHS, including civil and criminal liability, just as
Covered Entities are. In the past, HIPAA has generally affected us indirectly. Medtronic is generally not a Covered Entity,
except for a few units such as our Diabetes business, Medtronic Monitoring, Inc. and our health insurance plans. Medtronic only
operates as a Business Associate to Covered Entities in a limited number of instances. In those cases, the patient data that we
receive and analyze may include protected health information. We are committed to maintaining the security and privacy of
patients’ health information and believe that we meet the expectations of the HIPAA rules. Some modifications to our systems
and policies may be necessary, but the framework is already in place. However, the potential for enforcement action against us
is now greater, as HHS can take action directly against Business Associates. Thus, while we believe we are and will be in
substantial compliance with HIPAA standards, there is no guarantee that the government will agree. Enforcement actions can be
costly and interrupt regular operations of our business. We believe the ongoing costs and impacts of assuring compliance with
the HIPAA privacy and security rules are not material to our business. In addition, there has been a developing trend of civil
lawsuits and class actions relating to breaches of consumer data held by large companies. While Medtronic has not been named
in any such suits, if a substantial breach or loss of data from our records were to occur, we could become a target of such
litigation.
We are also impacted by the privacy requirements of countries outside the United States. Privacy standards in Europe and Asia
are becoming increasingly strict. Enforcement action and financial penalties related to privacy in the EU are growing, and new
laws and restrictions are being passed. The management of cross border transfers of information among and outside of EU
member countries is becoming more complex, which may complicate our clinical research activities, as well as product
offerings that involve transmission or use of clinical data. China and Russia have passed so-called “data localization” laws,
which require multi-national companies that store certain individually identifiable data on their citizens to maintain that data on
servers located in their country. Restrictions on transfer or processing of that data may apply as well. These laws are new and
13