Imprimis Pharmaceuticals, Inc.

Presbyopia is the normal loss of near focusing ability that occurs with age. Most people begin to notice the effects of presbyopia sometime after age 40, when they start having trouble seeing small print clearly. According to an American Academy of Ophthalmology report from 2018, there are an estimated 1.8 billion people worldwide who suffer from presbyopia, with eye glasses (more commonly referred to as, “readers”) being the most common treatment option. Based on our understanding, there are currently four eyedrops currently undergoing clinical trials/development in the U.S. aiming to be first to market topical eye drops to treat the symptoms associated with presbyopia. We believe most of these are designed to enhance depth of field via a “pinhole effect” and in one case to reduce lens stiffening; and some of these medications could be synergistic with each other or combined with refractive surgery to enhance outcomes. However, as of the date of this Annual Report, none of these drug candidates has received market approval from the FDA.

In two recent California federal court decisions, Allergan USA, Inc. v. Prescribers Choice, Inc. and Allergan USA, Inc. v. Imprimis Pharmaceuticals, Inc., the Court made rulings which impact 503B and 503A facilities operating in and shipping to the state of California. In the Prescribers Choice case, the Court determined that while the FDA’s interim policies do not override the statutory obligations of the DQSA, the Court supported the FDA’s authority and flexibility as it determines what clinical needs exist and finalizes the bulk drug substances list. The Court would not hold a party liable under California’s Sherman Food, Drug and Cosmetic Law (“Sherman Law”) for selling, delivering, or giving away any new drug that has not been approved by the California Department of Health Services or FDA if that party has complied with the FDA’s Interim Policy. In other words, it is not unlawful in California to utilize bulk drugs appearing on the Category 1 list while the FDA finalizes its clinical needs list. In the Imprimis Pharmaceuticals case, the Court made clear that its rulings related to violations of California’s Unfair Competition Law (“UCL”) (Cal. Bus. Prof. Code §17200) were limited in geographical scope to drugs prepared in, dispensed from within or shipped to the State of California. With respect to 503A facilities, the Court followed FDA’s guidance allowing compounding pharmacies to ship more than 5% of its medications out of state while finalizing the MOUs. It further held that 503A facilities operating within or shipping into the state of California must follow statutory guidance found in 21 U.S.C. 353(a). With respect to the statutory guidance related to compounding in response to valid prescription orders, the Court added a requirement that the valid prescription order must contain language that “an FDA-approved drug is not medically appropriate.” The practical effect of these two rulings is that 503A and 503B facilities operating within or shipping drugs into the State of California now have clear guidance as to what is, and is not, lawful behavior with respect the California’s UCL and Sherman Law.

Our pharmacy operations involve the receipt, use and disclosure of confidential medical, pharmacy and other health-related information. In addition, we use aggregated and blinded (anonymous) data for research and analysis purposes. The federal privacy regulations under HIPAA are designed to protect the medical information of a healthcare patient or health plan enrollee that could be used to identify the individual. Among other things, HIPAA limits certain uses and disclosures of protected health information and requires compliance with federal security regulations regarding the storage, utilization and transmission of and access to electronic protected health information. The requirements imposed by HIPAA are extensive. In addition, most states and certain other countries have enacted privacy and security laws that protect identifiable patient information that is not health-related. For example, California recently enacted the California Consumer Privacy Act, or CCPA, that creates new individual privacy rights for consumers and places increased privacy and security obligations on entities handling personal data of consumers or households. Effective January 1, 2020, the CCPA gives California residents expanded privacy rights and protections, and provides civil penalties for violations and a private right of action for data breaches. The CCPA will likely impact our business activities and exemplifies the vulnerability of our business to not only cyber threats but also the evolving regulatory environment related to personal data and protected health information. Other countries also have, or are developing, laws governing the collection, use and transmission of personal information, such as the General Data Protection Regulation (“GDPR”) in the European Union (the “EU”) that became effective in May 2018 and the Personal Information Protection and Electronic Documents Act that became effective in Canada in April 2000. Further, several states have enacted more protective and comprehensive pharmacy-related privacy legislation that not only applies to patient records but also prohibits the transfer or use for commercial purposes of pharmacy data that identifies prescribers. These regulations impose substantial requirements on covered entities and their business associates regarding the storage, utilization and transmission of and access to personal health and non-health information. Many of these laws apply to our business.

Despite the implementation of security measures, our internal computer systems and those of any third parties with which we partner are vulnerable to damage from computer viruses, unauthorized access, natural disasters, terrorism, war and telecommunication and electrical failures. While we have not experienced any cybersecurity or system failure, accident or breach to date, if an event were to occur, it could result in a material disruption of our operations, substantial costs to rectify or correct the failure, if possible, and potentially violation of HIPAA and other privacy laws applicable to our operations. For example, the CCPA became effective on January 1, 2020 and gave California residents expanded rights to access and require deletion of their personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that may increase data breach litigation. Although the CCPA includes exemptions for certain clinical trials data, and HIPAA-protected health information, the law may increase our compliance costs and potential liability with respect to other personal information we collect about California residents. The CCPA has prompted a number of proposals for new federal and state privacy legislation. Other countries also have, or are developing, laws governing the collection, use and transmission of personal information, such as the GDPR in the EU that became effective in May 2018 and the Personal Information Protection and Electronic Documents Act that became effective in Canada in April 2000. We anticipate that over time we may expand our business to include operations outside of the United States. With such expansion, we would be subject to increased governmental regulation in the EU countries in which we might operate, including the GDPR. These laws and similar laws adopted in the future could increase our potential liability, increase our compliance costs and adversely affect our business. If any disruption or security breach resulted in a loss of or damage to our data or applications or inappropriate disclosure of confidential or protected information, we could incur liability, further development of our proprietary formulations could be delayed, and our pharmacy operations could be disrupted, subject to restriction or forced to terminate their operations, any of which could severely harm our business and prospects.

A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with accounting principles generally accepted in the United States of America. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with accounting principles generally accepted in the United States of America, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.