American Well (AMWL) Risk Factors

The impact on us of healthcare reform legislation and other changes in the healthcare industry and in healthcare spending is currently unknown, but may adversely affect our business, financial condition and results of operations. Our revenue is dependent on the healthcare industry and could be affected by changes in healthcare spending, reimbursement and policy. The healthcare industry is subject to changing political, regulatory and other influences. The Patient Protection and Affordable Care Act, as amended by the Health Care and Education Reconciliation Act (the "Affordable Care Act" or the "ACA") in 2010 made major changes in how healthcare is delivered and reimbursed, and increased access to health insurance benefits to the uninsured and underinsured population of the United States. Since its enactment, there have been judicial challenges and executive efforts  to repeal, replace, modify or expand the ACA. We expect the current presidential administration and Congress will likely continue to seek to modify or expand the ACA. It is uncertain the extent to which any such changes may impact our business or financial condition. Other legislative changes have been proposed and adopted since the ACA was enacted. These changes include aggregate reductions to Medicare payments to providers of up to 2% per fiscal year pursuant to the Budget Control Act of 2011 and subsequent laws, which began in 2013 and due to subsequent legislative amendments, will stay in effect through 2030, with the exception of a temporary suspension from May 1, 2020 through December 31, 2021. In January 2013, the American Taxpayer Relief Act of 2012 was signed into law, which, among other things, further reduced Medicare payments to several types of providers, including hospitals, imaging centers and cancer treatment centers, and increased the statute of limitations period for the government to recover overpayments to providers from three to five years. New laws may result in additional reductions in Medicare and other healthcare funding, which may materially adversely affect customer demand and affordability for our products and, accordingly, the results of our financial operations. Additional changes that may affect our business include the expansion of new programs such as Medicare payment for performance initiatives for physicians under the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) which first affected physician payment in 2019. At this time, it is unclear how the introduction of the Medicare quality payment program will impact overall physician reimbursement. Such changes in the regulatory environment may also result in changes to our payer mix that may affect our operations and revenue. In addition, certain provisions of the ACA authorize voluntary demonstration projects, which include the development of bundling payments for acute, inpatient hospital services, physician services and post-acute services for episodes of hospital care. Further, the ACA may adversely affect payers by increasing medical costs generally, which could have an effect on the industry and potentially impact our business and revenue as payers seek to offset these increases by reducing costs in other areas. Certain of these provisions are still being implemented and the full impact of these changes on us cannot be determined at this time. Uncertainty regarding future amendments to the ACA as well as new legislative proposals to reform healthcare and government insurance programs, along with the trend toward managed healthcare in the United States, could result in reduced demand and prices for our services. We expect that additional state and federal healthcare reform measures will be adopted in the future, any of which could limit the amounts that federal and state governments and other third party payers will pay for healthcare products and services, which could adversely affect our business, financial condition and results of operations.

We may become subject, from time to time, to legal proceedings, payer audits, investigations, and claims that arise in the ordinary course of business such as claims brought by our clients in connection with commercial disputes or employment claims made by our current or former associates. Litigation and audits may result in substantial costs and may divert management's attention and resources, which may substantially harm our business, financial condition and results of operations. Insurance may not cover such claims, may not provide sufficient payments to cover all of the costs to resolve one or more such claims and may not continue to be available on terms acceptable to us. A claim brought against us that is uninsured or underinsured could result in unanticipated costs, thereby reducing our earnings and leading analysts or potential investors to reduce their expectations of our performance, which could reduce the market price of our stock.

The United States recently enacted tax reform legislation (the "Tax Reform Legislation") that, among other things, reduces the U.S. federal corporate income tax rate to 21%, imposes significant limitations on the deductibility of interest and executive compensation, allows for the expensing of capital expenditures, limits the deduction for net operating losses ("NOLs") to 80% of current year taxable income in respect of losses arising in taxable years beginning after 2017, and modifies or repeals many business deductions and credits. The reduction in the U.S. federal corporate income tax rate is expected to be beneficial to us in future years in which we have net income subject to U.S. tax. The reduction in the U.S. federal corporate income tax rate also resulted in a remeasurement of our deferred tax assets and liabilities. There was no net impact as we maintain a full valuation allowance. On March 27, 2020, the Coronavirus Aid, Relief, and Economic Security Act (the "CARES Act") was enacted in response to the COVID-19 pandemic. The CARES Act contains certain tax provisions, including provisions that retroactively and/or temporarily suspend or relax in certain respects the application of certain provisions, such as the limitations on the deduction of NOLs and interest, in the Tax Reform Legislation. There are a number of uncertainties and ambiguities as to the interpretation and application of many of the provisions in the Tax Reform Legislation and the CARES Act. In the absence of guidance on these issues, we will use what we believe are reasonable interpretations and assumptions in interpreting and applying the Tax Reform Legislation and the CARES Act, which may change as we receive additional clarification and implementation guidance. It is also possible that the Internal Revenue Service could issue subsequent guidance or take positions on audit that differ from the interpretations and assumptions that we previously made, which could have a material adverse effect on our cash tax liabilities, results of operations and financial condition.

The privacy and security of personally identifiable information ("PII") stored, maintained, received or transmitted electronically is a major issue in the United States and abroad. While we strive to comply with all applicable privacy and security laws and regulations, as well as our own posted privacy policies, legal standards for privacy, including but not limited to "unfairness" and "deception," as enforced by the FTC and state attorneys general, continue to evolve and any failure or perceived failure to comply may result in proceedings or actions against us by government entities or others, or could cause us to lose customers, which could have a material adverse effect on our business. Recently, there has been an increase in public awareness of privacy issues in the wake of revelations about the activities of various government agencies and in the number of private privacy-related lawsuits filed against companies. Any allegations about our practices with regard to the collection, use, disclosure, or security of personally identifiable information or other privacy-related matters, even if unfounded and even if we are in compliance with applicable laws, could damage our reputation and harm our business. For example, we send short message service, or SMS, text messages to potential end users who are eligible to use our service through certain customers and partners. While we obtain consent from or on behalf of these individuals to send text messages, federal or state regulatory authorities or private litigants may claim that the notices and disclosures we provide, form of consents we obtain or our SMS texting practices, are not adequate. These SMS texting campaigns are potential sources of risk for class action lawsuits and liability for our company. Numerous class-actions suits under federal and state laws have been filed in the past year against companies who conduct SMS texting programs, with many resulting in multi-million-dollar settlements to the plaintiffs. Any future such litigation against us could be costly and time-consuming to defend. We also publish statements to our customers and clients that describe how we handle and protect personal information. If federal or state regulatory authorities or private litigants consider any portion of these statements to be untrue, we may be subject to claims of deceptive practices, which could lead to significant liabilities and consequences, including, without limitation, costs of responding to investigations, defending against litigation, settling claims and complying with regulatory or court orders Numerous foreign, federal and state laws and regulations govern collection, dissemination, use and confidentiality of personally identifiable health information, including (i) state privacy and confidentiality laws (including state laws requiring disclosure of breaches); (ii) HIPAA; and (iii) European and other foreign data protection laws. HIPAA establishes a set of basic national privacy and security standards for the protection of PHI, by health plans, healthcare clearinghouses and certain healthcare providers, referred to as covered entities, and the business associates with whom such covered entities contract for services, which includes us. We are considered a business associate under HIPAA; AMG is considered a covered entity. HIPAA requires healthcare entities like us to develop and maintain policies and procedures with respect to PHI that is used or disclosed, including the adoption of administrative, physical and technical safeguards to protect such information. HIPAA also implemented the use of standard transaction code sets and standard identifiers that covered entities must use when submitting or receiving certain electronic healthcare transactions, including activities associated with the billing and collection of healthcare claims. Violations of HIPAA may result in significant civil and criminal penalties. HIPAA also authorizes state attorneys general to file suit on behalf of their residents. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. Any such penalties or lawsuits could harm our business, financial condition, results of operations and prospects. In addition, HIPAA mandates that the Secretary of the U.S. Department of Health and Human Services ("HHS") conduct periodic compliance audits of HIPAA covered entities or business associates for compliance with the HIPAA Privacy and Security Standards. It also tasks HHS with establishing a methodology whereby harmed individuals who were the victims of breaches of unsecured PHI may receive a percentage of the Civil Monetary Penalty fine paid by the violator. HIPAA further requires that patients be notified of any unauthorized acquisition, access, use or disclosure of their unsecured PHI that compromises the privacy or security of such information, with certain exceptions related to unintentional or inadvertent use or disclosure by employees or authorized individuals. HIPAA specifies that such notifications must be made "without unreasonable delay and in no case later than 60 calendar days after discovery of the breach." If a breach affects 500 patients or more, it must be reported to HHS without unreasonable delay, and HHS will post the name of the breaching entity on its public web site. Breaches affecting 500 patients or more in the same state or jurisdiction must also be reported to the local media. If a breach involves fewer than 500 people, the covered entity must record it in a log and notify HHS at least annually. Further, the U.S. federal government and various states and governmental agencies have adopted or are considering adopting various laws, regulations and standards regarding the collection, use, retention, security, disclosure, transfer and other processing of sensitive and personal information. For example, California implemented the California Confidentiality of Medical Information Act, that imposes restrictive requirements regulating the use and disclosure of health information and other personally identifiable information. These laws and regulations are not necessarily preempted by HIPAA, particularly if a state affords greater protection to individuals than HIPAA. Where state laws are more protective, we have to comply with the stricter provisions. In addition to fines and penalties imposed upon violators, some of these state laws also afford private rights of action to individuals who believe their personal information has been misused. California has also implemented the California Consumer Privacy Act, or CCPA, which came into effect on January 1, 2020 and, which increases privacy rights for California residents and imposes obligations on companies that process their personal information. Among other things, the CCPA requires covered companies to provide new disclosures to California consumers and provide such consumers new data protection and privacy rights, including the ability to opt-out of certain sales of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of personal information. This private right of action may increase the likelihood of, and risks associated with, data breach litigation. Further, the California Privacy Rights Act (CPRA), recently passed in California. The CPRA will impose additional data protection obligations on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It will also create a new California data protection agency authorized to issue substantive regulations and could result in increased privacy and information security enforcement. The majority of the provisions will go into effect on January 1, 2023, and additional compliance investment and potential business process changes may be required. There are many other state-based data privacy and security laws and regulations that may impact our business. All of these evolving compliance and operational requirements impose significant costs that are likely to increase over time, may require us to modify our data processing practices and policies, divert resources from other initiatives and projects and could restrict the way services involving data are offered, all of which may adversely affect our results of operations. Certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to sensitive and personal information than federal, international or other state laws, and such laws may differ from each other, which may complicate compliance efforts. State laws are changing rapidly and there is discussion in Congress of a new federal data protection and privacy law to which we may be subject. The interplay of federal and state laws may be subject to varying interpretations by courts and government agencies, creating complex compliance issues for us and our clients and potentially exposing us to additional expense, adverse publicity and liability. Further, as regulatory focus on privacy issues continues to increase and laws and regulations concerning the protection of personal information expand and become more complex, these potential risks to our business could intensify. Changes in laws or regulations associated with the enhanced protection of certain types of sensitive data, such as PHI or PII, along with increased customer demands for enhanced data security infrastructure, could greatly increase our cost of providing our services, decrease demand for our services, reduce our revenue and/or subject us to additional liabilities. There are numerous foreign laws, regulations and directives regarding privacy and the collection, storage, transmission, use, processing, disclosure and protection of PII and other personal or customer data, the scope of which is continually evolving and subject to differing interpretations. If we provide telehealth services outside the United States, we must comply with such laws, regulations and directives and we may be subject to significant consequences, including penalties and fines, for our failure to comply. For example, the European Commission has enacted the General Data Protection Regulation ("GDPR"), which became effective in May 2018 for controllers and processors of personal data. The GDPR imposes stringent data protection requirements and provides for severe penalties for breach, which could be imposed directly in connection with future European operations. Failure to comply with the requirements of GDPR and the applicable national data protection laws of the EU and European Economic Area ("EEA") member states may result in fines of up to €20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, and other administrative penalties. To comply with the GDPR we may be required to put in place additional mechanisms ensuring compliance. European data protection law also imposes strict rules on the transfer of personal data out of the EEA to the United States; for example, in July 2020, the Court of Justice of the European Union limited how organizations could lawfully transfer personal data from the EEA to the United States by invalidating the EU-US Privacy Shield and imposing further restrictions on use of the standard contractual clauses, which could affect our ability to efficiently process personal data from the EEA. These obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other requirements or our practices. Moreover, following the United Kingdom's ("UK") withdrawal from the EU, and the expiry of the transition period, we would have to comply with the GDPR and separately the GDPR as implemented in the UK, each regime having the ability to fine up to the greater of €20 million (£17.5 million) or 4% of global turnover. The relationship between the UK and the EU in relation to certain aspects of data protection law remains unclear, e.g. how data transfers between EU member states and the UK will be treated. These changes may lead to additional compliance costs and could increase our overall risk. Furthermore, any failure, or perceived failure, by us to comply with or make effective modifications to our policies, or to comply with any federal, state, or international privacy, data-retention or data-protection-related laws, regulations, orders or industry self-regulatory principles could result in proceedings or actions against us by governmental entities or others, a loss of customer confidence, damage to our brand and reputation, and a loss of customers, any of which could have an adverse effect on our business. Because of the breadth of these laws and the narrowness of their exceptions and safe harbors, it is possible that our business activities can be subject to challenge under one or more of such laws. The scope and enforcement of each of these laws is uncertain and subject to rapid change in the current environment of healthcare reform. Federal, state and foreign enforcement bodies have recently increased their scrutiny of interactions between healthcare companies and healthcare providers, which has led to a number of investigations, prosecutions, convictions and settlements in the healthcare industry. Any such investigations, prosecutions, convictions or settlements could result in significant financial penalties, damage to our brand and reputation, and a loss of customers, any of which could have an adverse effect on our business.

Our success depends in part on our ability to maintain, protect and enforce our intellectual property and other proprietary rights. We rely upon a combination of patent, trademark and trade secret laws, as well as license and access agreements and other contractual provisions, to protect our patent portfolio as well as other intellectual property rights. These laws, procedures and agreements provide only limited protection and any of our intellectual property rights may be challenged, invalidated, circumvented, infringed, diluted or misappropriated. We attempt to protect our intellectual property and proprietary information by requiring our employees, consultants and certain of our contractors to execute confidentiality and assignment of inventions agreements. However, we may not obtain these agreements in all circumstances, and individuals with whom we have these agreements may not comply with their terms. The assignment of intellectual property rights under these agreements may not be self-executing or the assignment agreements may be breached, and we may be forced to bring claims against third parties, or defend claims that they may bring against us, to determine the ownership of what we regard as our intellectual property. In addition, we may not be able to prevent the unauthorized disclosure or use of our technical know-how or other trade secrets by the parties to these agreements despite the existence generally of confidentiality agreements and other contractual restrictions. Monitoring unauthorized uses and disclosures is difficult and we do not know whether the steps we have taken to protect our proprietary technologies will be effective. Additionally, if a competitor lawfully obtains or independently develops the technology we maintain as a trade secret, we would have no right to prevent such competitor from using that technology or information to compete with us, which could harm our competitive position. Despite our efforts to protect our trade secrets and proprietary technologies, third parties may gain access to our proprietary information. They may also develop and market solutions similar to ours or use trademarks similar to ours, each of which could materially harm our business. Unauthorized parties may also attempt to copy or obtain and use our technology to develop applications with the same functionality as our solutions, and policing unauthorized use of our technology and intellectual property rights is difficult and may not be effective. The failure to adequately protect our intellectual property and other proprietary rights could have a material adverse effect on our business, financial condition and results of operations. In addition, we use open-source software in connection with our proprietary software and expect to continue to use open-source software in the future. Some open-source licenses require licensors to provide source code to licensees upon request, or prohibit licensors from charging a fee to licensees. While we try to insulate our proprietary code from the effects of such open-source license provisions, we cannot guarantee we will be successful. Accordingly, we may face claims from others claiming ownership of, or seeking to enforce the license terms applicable to such open-source software, including by demanding release of the open-source software, derivative works or our proprietary source code that was developed or distributed with such software. These claims could also result in litigation, require us to purchase a costly license or require us to devote additional research and development resources to change our software, any of which would have a negative effect on our business and results of operations. In addition, if the license terms for the open-source code change, we may be forced to re-engineer our software or incur additional costs. We cannot assure you that we have not incorporated open-source software into our proprietary software in a manner that may subject our proprietary software to an open-source license that requires disclosure, to customers or the public, of the source code to such proprietary software. Any such disclosure would have a negative effect on our business and the value of our proprietary software.

Our services involve the storage and transmission of clients' and our consumers' proprietary information, sensitive or confidential data, including valuable intellectual property and personal information of employees, clients, consumers and others, as well as the protected health information ("PHI"), of our consumers. We are subject to laws and regulations relating to the collection, use, retention, security and transfer of this information. Because of the extreme sensitivity of the information we store and transmit, the security features of our and our third-party vendors' computer, network, and communications systems infrastructure are critical to the success of our business. A breach or failure of our or our third-party vendors' network, hosted service providers or vendor systems could result from a variety of circumstances and events, including third-party action, employee negligence or error, malfeasance, computer viruses, cyber-attacks by computer hackers such as denial-of-service and phishing attacks, failures during the process of upgrading or replacing software and databases, power outages, hardware failures, telecommunication failures, user errors, or catastrophic events. Information security risks have generally increased in recent years because of the proliferation of new technologies and the increased sophistication and activities of perpetrators of cyber-attacks. Hackers and data thieves are increasingly sophisticated and operating large-scale and complex automated attacks, including on companies within the healthcare industry. As cyber threats continue to evolve, we may be required to expend additional resources to further enhance our information security measures and/or to investigate and remediate any information security vulnerabilities. If our or our third-party vendors' security measures fail or are breached, it could result in unauthorized persons accessing sensitive patient or member data (including PHI), a loss of or damage to our data, an inability to access data sources, or process data or provide our services to our clients. Such failures or breaches of our or our third-party vendors' security measures, or our or our third-party vendors' inability to effectively resolve such failures or breaches in a timely manner, could severely damage our reputation, adversely affect client, patient, member or investor confidence in us, and reduce the demand for our services from existing and potential clients. In addition, we could face litigation, damages for contract breach, monetary penalties, or regulatory actions for violation of applicable laws or regulations, and incur significant costs for remedial measures to prevent future occurrences and mitigate past violations. Although we maintain insurance covering certain security and privacy damages and claim expenses, we may not carry insurance or maintain coverage sufficient to compensate for all liability and in any event, insurance coverage would not address the reputational damage that could result from a security incident. Data privacy is also subject to frequently changing laws, rules and regulations in the various jurisdictions in which we operate. Such initiatives around the country could increase the cost of developing, implementing or securing our servers and require us to allocate more resources to improved technologies, adding to our IT and compliance costs. Our Board of Directors is briefed periodically on cybersecurity and risk management issues by our Chief Information Officer and General Counsel and we have implemented a number of processes to avoid cyber threats and to protect privacy. However, the processes we have implemented in connection with such initiatives may be insufficient to prevent or detect improper access to confidential, proprietary or sensitive data, including personal data. In addition, the competition for talent in the data privacy and cybersecurity space is intense, and we may be unable to hire, develop or retain suitable talent capable of adequately detecting, mitigating or remediating these risks. Our failure to adhere to, or successfully implement processes in response to, changing legal or regulatory requirements in this area could result in legal liability or damage to our reputation in the marketplace. Should an attacker gain access to our network, including by way of example, using compromised credentials of an authorized user, we are at risk that the attacker might successfully leverage that access to compromise additional systems and data. Certain measures that could increase the security of our systems, such as data encryption (including data at rest encryption), heightened monitoring and logging, scanning for source code errors or deployment of multi-factor authentication, take significant time and resources to deploy broadly, and such measures may not be deployed in a timely manner or be effective against an attack. As cybersecurity threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities. The inability to implement, maintain and upgrade adequate safeguards could have a material adverse effect on our business. Our information systems must be continually updated, patched and upgraded to protect against known vulnerabilities. The volume of new vulnerabilities has increased markedly, as has the criticality of patches and other remedial measures. In addition to remediating newly identified vulnerabilities, previously identified vulnerabilities must also be continuously addressed. Accordingly, we are at risk that cyber-attackers exploit these known vulnerabilities before they have been addressed. Due to the large number of systems and platforms that we operate, the increased frequency at which vendors are issuing security patches to their products, the need to test patches and, in some cases coordinate with clients and vendors, before they can be deployed, we continuously face the substantial risk that we cannot deploy patches in a timely manner. We are also dependent on third-party vendors to keep their systems patched and secure in order to protect our information systems and data. Any failure related to these activities and any breach of our information systems could result in significant liability and/or have a material adverse effect on our business, reputation and financial condition.

We serve all of our U.S. based clients and consumers from two geographically dispersed data centers. While we control and have access to our servers, we do not control the operation of these facilities. The owners of our data center facilities have no obligation to renew their agreements with us on commercially reasonable terms, or at all. If we are unable to renew these agreements on commercially reasonable terms, or if one of our data center operators is acquired, we may be required to transfer our servers and other infrastructure to new data center facilities, and we may incur significant costs and possible service interruption in connection with doing so. Problems faced by our third-party data center locations with the telecommunications network providers with whom we or they contract, or with the systems by which our telecommunications providers allocate capacity among their clients, including us, could adversely affect the experience of our clients and consumers. Our third-party data center operators could decide to close their facilities without adequate notice. In addition, any financial difficulties, such as bankruptcy faced by our third-party data centers operators or any of the service providers with whom we or they contract may have negative effects on our business, the nature and extent of which are difficult to predict. Additionally, if our data centers are unable to keep up with our growing needs for capacity, this could have an adverse effect on our business. For example, a rapid expansion of our business could affect the service levels at our data centers or cause such data centers and systems to fail. Any changes in third-party service levels at our data centers or any disruptions or other performance problems with our solution could adversely affect our reputation and may damage our clients and consumers' stored files or result in lengthy interruptions in our services. Interruptions in our services may reduce our revenue, cause us to issue refunds to clients for prepaid and unused subscriptions, as well as penalties related to service level credits and uptime, subject us to potential liability or adversely affect client renewal rates. In addition, our ability to deliver our Internet-based services depends on the development and maintenance of the infrastructure of the Internet by third parties. This includes maintenance of a reliable network backbone with the necessary speed, data capacity, bandwidth capacity and security. Our services are designed to operate without interruption in accordance with our service level commitments. However, we have experienced, including during the period immediately following the beginning of the COVID-19 pandemic, and expect that we may experience in the future, interruptions and delays in services and availability from time to time. In the event of a catastrophic event with respect to one or more of our systems, we may experience an extended period of system unavailability, which could negatively impact our relationship with clients and consumers. To operate without interruption, both we and our service providers must guard against: - damage from fire, power loss, natural disasters and other force majeure events outside our control;- communications failures;- software and hardware errors, failures and crashes;- security breaches, computer viruses, hacking, denial-of-service attacks and similar disruptive problems; and - other potential interruptions. We also rely on computer hardware purchased and software licensed from third parties in order to offer our services. These licenses are generally commercially available on varying terms. However, it is possible that this hardware and software may not continue to be available on commercially reasonable terms, or at all. Any loss of the right to use any of this hardware or software could result in delays in the provisioning of our services until equivalent technology is either developed by us, or, if available from third parties, is identified, obtained and integrated. We exercise limited control over third-party vendors, which increases our vulnerability to problems with technology and information services they provide. Interruptions in our network access and services may in connection with third-party technology and information services reduce our revenue, cause us to issue refunds to clients, subject us to potential liability or adversely affect client renewal rates. Although we maintain a security and privacy damages insurance policy, the coverage under our policies may not be adequate to compensate us for all losses that may occur related to the services provided by our third-party vendors. In addition, we may not be able to continue to obtain adequate insurance coverage at an acceptable cost, if at all. Our ability to rely on these services of third-party vendors could be impaired as a result of the failure of such providers to comply with applicable laws, regulations and contractual covenants, or as a result of events affecting such providers, such as power loss, telecommunication failures, software or hardware errors, computer viruses, cyber incidents and similar disruptive problems, fire, flood and natural disasters. Any such failure or event could adversely affect our relationships with our clients and damage our reputation. This could materially and adversely impact our business, financial condition and operating results.

We currently generate most of our revenues from customers who purchase access to our Platform. These contracts generally have stated initial terms of three years. Most of our clients have no obligation to renew their subscriptions for our solution after the initial term expires. In addition, our clients may negotiate terms less advantageous to us upon renewal, which may reduce our revenue from these clients. Our future results of operations depend, in part, on our ability to expand into new clinical specialties and across care settings and use cases. If our clients fail to renew their contracts, renew their contracts upon less favorable terms or at lower fee levels or fail to purchase new products and services from us, our revenue may decline, or our future revenue growth may be constrained. Additional factors that could affect our ability to sell products and services include, but are not limited to: - failure of our clients to be successful offering our products;- changes in the nature or operations of our clients;- price, performance and functionality of our solution;- availability, price, performance and functionality of competing solutions;- our ability to develop and sell complementary products and services;- stability, performance and security of our hosting infrastructure and hosting services;- changes in healthcare laws, regulations or trends; and - the business environment of our clients and, in particular, headcount reductions by our clients. In addition, our marketing efforts depend significantly on our ability to call upon our current clients to provide positive references to new, potential clients. Given our limited number of long-term clients, the loss or dissatisfaction of any client could substantially harm our brand and reputation, inhibit widespread adoption of our solution and impair our ability to attract new clients and maintain existing clients. Any of these consequences could lower retention rate and have a material adverse effect on our business, financial condition and results of operations.

We believe that our future growth will depend on the continued development of our direct sales force and its ability to obtain new clients and to manage our existing client base. Identifying and recruiting qualified personnel and training them requires significant time, expense and attention. It can take six months or longer before a new sales representative is fully trained and productive. Our business may be adversely affected if our efforts to expand and train our direct sales force do not generate a corresponding increase in revenue. In particular, if we are unable to hire, develop and retain sufficient numbers of productive direct sales personnel or if new direct sales personnel are unable to achieve desired productivity levels in a reasonable period of time, sales of our services will suffer and our growth will be impeded.

AMG and American Well Corporation structure their relationships with the majority of their respective providers and experts in a manner that we believe results in an independent contractor relationship, not an employee relationship. An independent contractor is generally distinguished from an employee by his or her degree of autonomy and independence in providing services. A high degree of autonomy and independence is generally indicative of a contractor relationship, while a high degree of control is generally indicative of an employment relationship. Although we believe that AMG providers and experts and American Well Corporation experts are properly characterized as independent contractors, tax or other regulatory authorities may in the future challenge our characterization of these relationships. If such regulatory authorities or state, federal or foreign courts were to determine that AMG providers or experts or American Well Corporation experts are employees, and not independent contractors, AMG or American Well Corporation, as applicable, would be required to withhold income taxes, to withhold and pay social security, Medicare and similar taxes and to pay unemployment and other related payroll taxes. AMG or American Well Corporation, as applicable, would also be liable for unpaid past taxes and subject to penalties. As a result, any determination that AMG providers or experts and/or American Well experts are employees could have a material adverse effect on our business, financial condition and results of operations.