SEC Filings

ARRAY BIOPHARMA INC filed this Form 10-K on 08/11/2017
Entire Document

and the manufacturing facilities are favorable, the FDA will either issue an approval letter or an approvable letter. The latter usually contains a number of conditions that must be met in order to secure final approval of the PMA. If the FDA’s evaluation of the PMA or manufacturing facilities is not favorable, the FDA will deny approval of the PMA or issue a not approvable letter. A not approvable letter will outline the deficiencies in the application and, where practical, will identify what is necessary to make the PMA approvable. The FDA may also determine that additional clinical trials are necessary, in which case the PMA approval may be delayed for several months or years while the trials are conducted and the data are submitted in an amendment to the PMA. Once granted, PMA approval may be withdrawn by the FDA if compliance with post approval requirements, conditions of approval, or other regulatory standards is not maintained or problems are identified following initial marketing.

In 2014, the FDA issued its final guidance document addressing the development and approval process for in vitro companion diagnostic devices. According to the guidance, for novel therapeutic products such as our product candidate binimetinib, the companion diagnostic device generally should be approved or cleared contemporaneously with the drug candidate, although the guidance allows for certain exceptions. We believe our program for the development of our lead products and its companion diagnostic is consistent with this guidance.

Biological Samples

In the course of our business, we handle, store and dispose of chemicals and biological samples. We are subject to various federal, state and local laws and regulations relating to the use, manufacture, storage, handling and disposal of hazardous materials and waste products. These environmental laws generally impose liability regardless of the negligence or fault of a party and may expose us to liability for the conduct of, or conditions caused by, others.

Most health care providers, including research institutions from which we or our partners obtain patient information, are subject to privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996, or HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act, or HITECH. Our clinical research efforts are not directly regulated by HIPAA. However, depending on the facts and circumstances, we could face substantial criminal penalties if we knowingly obtain, use or disclose individually identifiable health information maintained by a HIPAA-covered entity in a manner that is not authorized or permitted by HIPAA In addition, we and our partners may be directly subject to certain data protection laws and regulations (i.e., laws and regulations that address privacy and data security).

In the U.S., numerous federal and state laws and regulations that govern the collection, use, disclosure, and protection of health-related and other personal information could apply to our operations or the operations of our partners, including state data breach notification laws, state health information privacy laws, state genetic privacy laws, and federal and state consumer protection laws (e.g., Section 5 of the FTC Act). International data protection laws including the European Union, or EU, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the EU Data Protection Directive) may apply to some or all of the clinical data obtained outside of the U.S. The EU Data Protection Directive, as implemented into national laws by the EU Member States, imposes strict obligations and restrictions on the ability to collect, analyze and transfer personal data, including health data from clinical trials and adverse event reporting. The EU Data Protection Directive prohibits the transfer of personal data to countries outside of the European Economic Area, or EEA, such as the U.S., which are not considered by the European Commission to provide an adequate level of data protection. Switzerland has adopted similar restrictions. Although there are legal mechanisms to allow for the transfer of personal data from the EEA and Switzerland to the U.S., a recent decision of the European Court of Justice that invalidated the safe harbor framework has increased uncertainty around compliance with EU privacy law requirements. As a result of the decision, it will no longer be possible to rely on safe harbor certification as a legal basis for the transfer of personal data from the EU to entities in the U.S. In addition, data protection authorities from the different EU Member States may interpret the EU Data Protection Directive and national laws differently, and guidance on implementation and compliance practices are often updated or otherwise revised, which adds to the complexity of processing personal data in the EU. In February 2016, the European Commission announced an agreement with the U.S. Department of Commerce, or DOC, to replace the invalidated Safe Harbor framework with a new EU-U.S. “Privacy Shield.” On July 12, 2016, the European Commission adopted a decision on the adequacy of the protection provided by the Privacy Shield. The Privacy Shield is intended to address the requirements set out by the European Court of Justice in its recent ruling invalidating safe harbor by imposing more stringent obligations on companies,