Express Scripts 2009 Annual Report Download - page 32

Download and view the complete annual report

Please find page 32 of the 2009 Express Scripts annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 108

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108

Express Scripts 2009 Annual Report 30
HIPAA and Other Privacy Legislation. Most of our activities involve the receipt or use of confidential medical
information concerning individuals. In addition, we use aggregated and anonymized data for research and analysis
purposes and in some cases provide access to such data to pharmaceutical manufacturers and third party data aggregators.
Various federal and state laws, including HIPAA, regulate and restrict the use, disclosure and security of confidential
medical information and new legislation is proposed from time to time in various states.
The Department of Health and Human Services privacy and security regulations included as part of HIPAA
impose restrictions on the use and disclosure of individually identifiable health information by certain entities. The security
regulations relate to the security of protected health information when it is maintained or transmitted electronically. Other
HIPAA requirements relate to electronic transaction standards and code sets for processing of pharmacy claims. We are
required to comply with certain aspects of the privacy, security and transaction standard regulations under HIPAA. As part
of the American Recovery and Reinvestment Act signed into law on February 17, 2009, Congress adopted the Health
Information Technology for Economic and Clinical Health Act (“HITECH”). HITECH significantly broadens many of the
existing federal and security requirements under HIPAA, and introduces more vigorous enforcement provisions and
penalties for HIPAA violations. Like many of companies subject to HIPAA, the new HITECH standards may have
significant operational and legal consequences for our business.
We believe that we are in compliance in all material respects with HIPAA and other state privacy laws, to the
extent they apply to us. To date, no patient privacy laws have been adopted that materially impact our ability to provide
services, but there can be no assurance that federal or state governments will not enact legislation, impose restrictions or
adopt interpretations of existing laws that could have a material adverse effect on our business and financial results.
In October of 2008, we received a letter from an unknown person or persons trying to extort money from the
company by threatening to expose millions of member records allegedly stolen from our system. The letter included
personal information of 75 members, including, in some instances, protected health information. Thereafter we became
aware of a small number of our clients who also received threatening letters which included personal information allegedly
stolen from our system. In late August of 2009, the perpetrator communicated with a law firm about the stolen records. In
this communication, the criminal provided personal data for approximately 800,000 members. We believe they were stolen
as part of the same incident. We continue to work with the Federal Bureau of Investigation in its investigation of the
threats. We have followed state data breach notification laws in notifying affected members and states’ attorneys general.
Further, we established a reward of $1 million for the person or persons who provide information resulting in the arrest and
conviction of those responsible for these criminal acts. While we have complied with all State and Federal reporting
requirements, there can be no assurance that the unauthorized access of personal information or protected health
information will not result in inquiries or action being taken by Federal or State officials, or additional private litigation.
EM Services. Many of the laws and regulations cited above with respect to our PBM activities also apply with
respect to our various EM services. Of particular relevance are the federal and state anti-kickback laws, state pharmacy
regulations and HIPAA, which are described above. In addition, as a condition to conducting our wholesale business, we
must maintain various permits and licenses with the appropriate state and federal agencies, and we are subject to various
wholesale distributor laws that regulate the conduct of wholesale distributors, including, but not limited to, maintaining
pedigree papers in certain instances. Finally, one of our lines of services, PMG, conducts certain activities, including the
distribution of drug samples, that are subject to the requirements of the federal Prescription Drug Marketing Act and many
of the other federal and state laws and regulations discussed above.
Service Marks and Trademarks
We, and our subsidiaries, have registered certain service marks including “EXPRESS SCRIPTS®,
CURASCRIPT®” and “CONNECTYOURCARE® with the United States Patent and Trademark Office. Our rights to
these marks will continue so long as we comply with the usage, renewal filings, and other legal requirements relating to the
usage and renewal of service marks.
Insurance
Our PBM operations, including the dispensing of pharmaceutical products by our home delivery pharmacies, our
EM operations, including the distribution of specialty drugs, and the services rendered in connection with our disease
management operations, may subject us to litigation and liability for damages. Commercial insurance coverage is difficult
to obtain and cost prohibitive, particularly for certain types of claims. As such, we may maintain significant self-insured
retentions when deemed most appropriate and cost effective. We have established certain self-insurance reserves to cover
potential claims. There can be no assurance we will be able to maintain our general, professional, or managed care errors
and omissions liability insurance coverage in the future or that such insurance coverage, together with our self-insurance