OSI SYSTEMS INC (1039065) 10-K published on Aug 27, 2019 at 5:25 pm
- The definition of medical devices covered under the MDR will be significantly expanded to include devices that may not have a medical intended purpose, such as colored contact lenses. Also included in the scope of the regulation are devices designed for the purpose of "prediction and prognosis" of a disease or other health condition.
- Device manufacturers will be required to identify at least one person within their organization who is ultimately responsible for all aspects of compliance with the requirements of the new MDR. The organization must document the specific qualifications of this individual relative to the required tasks.
- The MDR requires rigorous post-market oversight of medical devices.
- The MDR will allow the EU Commission or expert panels to publish "Common Specifications", such as requirements for technical documentation, risk management, or clinical evaluation, which devices shall be required to meet.
- Devices will be reclassified according to risk, contact, duration, and invasiveness.
- More rigorous clinical evidence will be required for Class III and implantable medical devices.
- Systematic clinical evaluation will be required for Class IIa and Class IIb medical devices.
- All currently approved devices must be recertified in accordance with the new MDR requirements.
We must comply with extensive federal and state requirements regarding the use, retention, security, and re-disclosure of patient healthcare information. HIPAA and the regulations that have been issued under it contain substantial restrictions and complex requirements with respect to the use and disclosure of certain individually identifiable health information, referred to as "protected health information". The HIPAA Privacy Rule prohibits a covered entity or a business associate (essentially, a third party engaged to assist a covered entity with enumerated operational or compliance functions) from using or disclosing protected health information unless the use or disclosure is validly authorized by the individual or is specifically required or permitted under the HIPAA Privacy Rule and only if certain complex requirements are met. The HIPAA Security Rule establishes administrative, organizational, physical, and technical safeguards to protect the privacy, integrity, and availability of electronic protected health information maintained or transmitted by covered entities and business associates. The HIPAA Breach Notification Rule requires that covered entities and business associates, under certain circumstances, notify patients when there has been an improper use or disclosure of protected health information. Any failure or perceived failure of our Company or our products to meet HIPAA standards and related regulatory requirements could expose us to certain notification, penalty, and enforcement risks, damage our reputation, and adversely affect demand for our products and force us to expend significant capital and other resources to address the privacy and security requirements of HIPAA.
In addition to our obligations under HIPAA, there are other federal laws that include specific privacy and security obligations, above and beyond HIPAA, for certain types of health information and impose additional sanctions and penalties. These rules are not preempted by HIPAA. All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring notice to individuals of security breaches involving protected health information, which is not uniformly defined among the breach notification laws. Organizations must review each state's definitions, mandates, and notification requirements and timelines to appropriately prepare and notify affected individuals and government agencies, including the attorney general, in compliance with such state laws. Further, most states have enacted patient confidentiality laws that protect against the disclosure of confidential medical information, and many states have adopted or are considering adopting further legislation in this area. These state laws may be more stringent than HIPAA requirements. On June 28, 2018, California passed the California Consumer Privacy Act, which imposes significant changes in data privacy regulation and is set to take effect on January 1, 2020, and New York has passed the Stop Hacks and Improve Electronic Data Security Act, which expands the state's existing privacy laws. It is too early to assess the impact that compliance with these laws will have on our business.
Central banks around the world, including the Board of Governors of the Federal Reserve, have commissioned working groups of market participants and official sector representatives with the goal of finding suitable replacements for the London Interbank Offered Rate ("LIBOR") based on observable market transactions. It is expected that a transition away from the widespread use of LIBOR to alternative rates will occur over the course of the next few years. The U.K. Financial Conduct Authority, which regulates LIBOR, has announced that it has commitments from panel banks to continue to contribute to LIBOR through the end of 2021, but that it will not use its powers to compel contributions beyond such date. Accordingly, there is considerable uncertainty regarding the publication of such rates beyond 2021. The Federal Reserve Bank of New York and various other authorities have commenced the publication of reforms and actions relating to alternatives to U.S. dollar LIBOR. Although the full impact of such reforms and actions, together with any transition away from LIBOR, including the potential or actual discontinuance of LIBOR publication, remains unclear, these changes may have a material adverse impact on the availability of financing, including LIBOR-based loans, and on our financing costs.
In February 2016, the FASB issued ASU 2016-02, Leases (Topic 842). This guidance requires lessees to recognize right of use ("ROU") assets and lease liabilities on the balance sheet for the rights and obligations created by leases with terms of more than 12 months. The ASU also requires qualitative and quantitative disclosures designed to give financial statement readers information on the amount, timing, and uncertainty of cash flows arising from leases. This ASU is effective for us in the first quarter of fiscal 2020. We adopted the new lease standard effective July 1, 2019 using the effective date method, under which an entity initially applies the new standard at the adoption date, versus at the beginning of the earliest period presented, and recognizes a cumulative-effect adjustment to the opening balance of retained earnings in the period of adoption. We reviewed existing contracts, implemented a new lease accounting and administration software solution, and modified our accounting policies, operational and financial reporting processes and relevant internal controls. We have elected to adopt certain practical expedients provided under ASC 842, including the option to not apply lease recognition for short-term leases, the package of transitional practical expedients relating to lease identification, lease classification, and initial direct costs of leases, and applying a single discount rate to a portfolio of leased assets with similar durations. The adoption of the new standard will result in the recognition of at least $28 million of ROU assets and lease liabilities to our balance sheet. We are continuing to assess the impact of adopting the new standard on our consolidated financial statements but do not expect a material impact on our consolidated statement of operations or consolidated statement of cash flows.