CareCloud (CCLD) Risk Factors

Our clients are obligated by applicable law to provide necessary notices and to obtain necessary permission waivers for use and disclosure of the information that we receive. If they do not obtain necessary permissions and waivers, then our use and disclosure of information that we receive from them or on their behalf may be limited or prohibited by state or federal privacy laws or other laws. This could impair our functions, processes, and databases that reflect, contain, or are based upon such data and may prevent use of such data. In addition, this could interfere with or prevent creation or use of rules, and analyses or limit other data-driven activities that benefit us. Moreover, we may be subject to claims or liability for use or disclosure of information by reason of lack of valid notice, permission, or waiver. These claims or liabilities could subject us to unexpected costs and adversely affect our operating results.

The HITECH Act provides financial incentives for healthcare providers that demonstrate "meaningful use" of an EHR and mandates use of health information technology systems that are certified according to technical standards developed under the supervision of the U.S. Department of Health and Human Services ("HHS"). The HITECH Act also imposes certain requirements upon governmental agencies to use, and requires healthcare providers, health plans, and insurers contracting with such agencies to use, systems that are certified according to such standards. The healthcare IT industry continues to experience changes as a result of new laws, regulations, and changes to healthcare industry standards. For instance, the meaningful use incentive program has since expired and has been consolidated, among other incentive programs, within the Merit-based Incentive Payment System ("MIPS"), which was created as part of the Quality Payment Program ("QPP"), launched by CMS after passage of the Medicare Access and CHIP Reauthorization Act ("MACRA"). MACRA and regulations promulgated by it change the way CMS rewards clinicians in the healthcare industry by rewarding value-based care over volume-based care. MIPS requires substantial reporting mechanisms based on clinical quality measures that highly depend on reporting feature within EHR systems. The HITECH and Cures Acts (as described in more detail above) contain certification requirements which affect our business because we have invested and continue to invest in conforming our products and services to these standards. HHS has developed certification programs for electronic health records and health information exchanges. Our web-based EHR solutions have been certified as complete EHR systems by ICSA Labs or Drummond Group, non-governmental, independent certifying bodies. We must ensure that our EHR solutions continue to be certified according to applicable HITECH Act and Cures Act technical standards so that our customers qualify for any MIPS/MACRA incentive payments and are not subject to penalties for non-compliance. Failure to maintain this certification under the HITECH Act and Cures Act could jeopardize our relationships with customers who are relying upon us to provide certified software, and will make our products and services less attractive to customers than the offerings of other EHR vendors who maintain certification of their products.

The healthcare industry is heavily regulated and is constantly evolving due to the changing political, legislative, regulatory landscape and other factors. Many healthcare laws are complex, and their application to specific services and relationships may not be clear. In particular, many existing healthcare laws and regulations, when enacted, did not anticipate or address the services that we provide. Further, healthcare laws differ from state to state and it is difficult to ensure that our business, products and services comply with evolving laws in all states. By way of example, certain federal and state laws forbid billing based on referrals between individuals or entities that have various financial, ownership, or other business relationships with healthcare providers. These laws vary widely from state to state, and one of the federal laws governing these relationships, known as the Stark Law, is very complex in its application. Similarly, many states have laws forbidding physicians from practicing medicine in partnership with non-physicians, such as business corporations, as well as laws or regulations forbidding splitting of physician fees with non-physicians or others. Other federal and state laws restrict assignment of claims for reimbursement from government-funded programs, the manner in which business service companies may handle payments for such claims and the methodology under which business services companies may be compensated for such services. The 21st Century Cures Act (the "Cures Act"), passed by Congress in 2016, is meant to improve various aspects of the healthcare industry, including interoperability and information blocking. The Cures Act's interoperability provisions relate to Information Exchange and Certification administered by the ONC. The certification involves complex and specific requirements related to various types of requests for the access, exchange or use of Electronic Health Information. In addition, the information blocking rule aims to resolve concerns that individuals in the healthcare industry intentionally prevent the exchange of information between multiple stakeholders. The Cures Act allows for penalties for stakeholders, including but not limited to, health IT developers and providers who do not comply with same. While we remain committed to efficient exchange of information in the healthcare industry and continue meeting all new certification requirements, failure to comply with these regulatory requirements, could create liability for us, result in adverse publicity and negatively affect our business. The Office of Inspector General ("OIG") of the Department of Health and Human Services ("HHS") has a longstanding concern that percentage-based billing arrangements may increase the risk of improper billing practices. In addition, certain states have adopted laws or regulations forbidding splitting of fees with non-physicians which may be interpreted to prevent business service providers, including medical billing providers, from using a percentage-based billing arrangement. The OIG and HHS recommend that medical billing companies develop and implement comprehensive compliance programs to mitigate this risk. While we have developed and implemented a comprehensive billing compliance program that we believe is consistent with these recommendations, our failure to ensure compliance with controlling legal requirements, accurately anticipate the application of these laws and regulations to our business and contracting model, or other failure to comply with regulatory requirements, could create liability for us, result in adverse publicity and negatively affect our business. The federal Anti-Kickback Statute ("AKS") prohibits us from knowingly and willfully soliciting, receiving, offering or providing remuneration in exchange for referrals or recommendations for purposes of selling products or services which are paid for by federal healthcare programs such as Medicare and Medicaid. In addition, a claim including products or services resulting from a violation of AKS constitutes a violation of the federal False Claims Act ("FCA"). If we are determined to have violated the FCA, we may be required to pay up to three times the actual damages sustained by the government, plus mandatory civil penalties for each separate false claim. If we are found to be in violation of the FCA, AKS, ACA, or any other applicable state or any federal fraud and abuse laws, whether by our current practices or for the past practices of a company we acquire, we may be subject to substantial civil damages and criminal penalties and fines that could have a material adverse impact on our business. In addition, federal and state legislatures and agencies periodically consider proposals to revise aspects of the healthcare industry or to revise or create additional statutory and regulatory requirements. For instance, the current administration may make changes to the ACA, the nature and scope of which are presently unknown. Similarly, certain computer software products are regulated as medical devices under the Federal Food, Drug, and Cosmetic Act. While the Food and Drug Administration ("FDA") has sometimes chosen to disclaim authority to, or to refrain from actively regulating certain software products which are similar to our products, this area of medical device regulation remains in flux. We expect that the FDA will continue to be active in exploring legal regimes for regulating computer software intended for use in healthcare settings. Any additional regulation can be expected to impose additional overhead costs on us and should we fail to adequately meet these legal obligations, we could face potential regulatory action. Regulatory authorities such as the Centers for Medicare and Medicaid Services may also impose functionality standards with regard to electronic prescribing technologies. If implemented, proposals like these could impact our operations, the use of our services and our ability to market new services, or could create unexpected liabilities for us. We cannot predict what changes to laws or regulations might be made in the future or how those changes could affect our business or our operating costs. Further, our ability to provide our telehealth services in each state is dependent upon a state's treatment of telehealth and emerging technologies (such as digital health services), which are subject to changing political, regulatory and other influences. Many states have laws that limit or restrict the practice of telehealth, such as laws that require a provider to be licensed and/or physically located in the same state where the patient is located. For example, California, Massachusetts, and Oregon, among others, are not members of the Interstate Medical Licensure Compact, which streamlines the process by which physicians licensed in one state are able to practice in other participating states. Failure to comply with these laws could result in denials of reimbursement for services (to the extent such services are billed), recoupments of prior payments, professional discipline for providers or civil or criminal penalties.

Federal or state governmental authorities may impose additional data security standards or additional privacy or other restrictions on the collection, use, transmission, and other disclosures of medical information. Legislation has been proposed at various times at both the federal and the state level that would limit, forbid, or regulate the use or transmission of medical information outside of the United States. Such legislation, if adopted, may render our use of our servers in Offshore Offices for work related to such data impracticable or substantially more expensive. Alternative processing of such information within the United States may involve substantial delay in implementation and increased cost.

Our products and services may be significantly impacted by healthcare reform initiatives and will be subject to increasing regulatory requirements, either of which could negatively impact our business in a multitude of ways. If substantive healthcare reform or applicable regulatory requirements are adopted, we may have to change or adapt our products and services to comply. Reform or changing regulatory requirements may also render our products or services obsolete or may block us from accomplishing our work or from developing new products or services. This may in turn impose additional costs upon us to adapt to the new operating environment or to further develop or modify our products and services. Such reforms may also make the introduction of new products and service costlier or more time-consuming than we currently anticipate. These changes may also prevent our introduction of new products and services or make the continuation or maintenance of our existing products and services unprofitable or impossible.

Since inception, we have entered into several related-party transactions with our founder and Executive Chairman, Mahmud Haq, which subject us to significant contractual obligations. We believe these transactions reflect terms comparable to those that would be available from third parties. Our independent audit committee has reviewed these arrangements and continues to do so on an annual basis. Although we have procedures in place to identify related party transactions, it is possible that such transactions could occur without being contemporaneously identified, reviewed and approved by the Audit Committee.

We provide content for use by healthcare providers in treating patients. This content includes, among other things, patient education materials, coding and drug databases developed by third parties, and prepopulated templates providers can use to document visits and record patient health information. If content in the third-party databases we use is incorrect or incomplete, adverse consequences, including death, may give rise to product liability and other claims against us. A court or government agency may take the position that our delivery of health information directly, including through licensed practitioners, or delivery of information by a third-party site that a consumer accesses through our solutions, exposes us to personal injury liability, or other liability for wrongful delivery or handling of healthcare services or erroneous health information. Our liability insurance coverage may not be adequate or continue to be available on acceptable terms, if at all. A claim brought against us that is uninsured or under-insured could harm our business. Even unsuccessful claims could result in substantial costs and diversion of management resources.

The Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), and the regulations that have been issued under it contain substantial restrictions and requirements with respect to the use, collection, storage and disclosure of individuals' protected health information. Under HIPAA, covered entities must establish administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information maintained or transmitted by them or by others on their behalf. In February 2009, HIPAA was amended by the HITECH Act to add provisions that impose certain of HIPAA's privacy and security requirements directly upon business associates of covered entities. Under HIPAA and the HITECH Act, our customers are covered entities and we are a business associate of our customers as a result of our contractual obligations to perform certain services for those customers. The HITECH Act transferred enforcement authority of the security rule from CMS to the Office for Civil Rights of HHS, thereby consolidating authority over the privacy and security rules under a single office within HHS. Further, HITECH empowered state attorneys' general to enforce HIPAA. The HITECH Act heightened enforcement of privacy and security rules, indicating that the imposition of penalties will be more common in the future and such penalties will be more severe. For example, the HITECH Act requires that the HHS fully investigate all complaints if a preliminary investigation of the facts indicates a possible violation due to "willful neglect" and imposes penalties if such neglect is found. Further, where our liability as a business associate to our customers was previously merely contractual in nature, the HITECH Act now treats the breach of duty under an agreement by a business associate to carry the same liability as if the covered entity engaged in the breach. In other words, as a business associate, we are now directly responsible for complying with HIPAA. We may find ourselves subject to increased liability as a possible liable party and we may incur increased costs as we perform our obligations to our customers under our agreements with them. Finally, regulations also require business associates to notify covered entities, who in turn must notify affected individuals and government authorities of data security breaches involving unsecured protected health information. We have performed an assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic health information. In response to this risk analysis, we implemented and maintain physical, technical and administrative safeguards intended to protect all personal data and have processes in place to assist us in complying with applicable laws and regulations regarding the protection of this data and properly responding to any security incidents. If we knowingly breach the HITECH Act's requirements, we could be exposed to criminal liability. A breach of our safeguards and processes could expose us to civil penalties of up to $1.5 million for each incident and the possibility of civil litigation.

The telehealth market is characterized by rapid technological change, changing consumer requirements, short product lifecycles and evolving industry standards. Our success will depend on our ability to enhance our solution with next-generation technologies and to develop or to acquire and market new services to access new consumer populations. There is no guarantee that we will possess the resources, either financial or personnel, for the research, design and development of new applications or services, or that we will be able to utilize these resources successfully and avoid technological or market obsolescence. Further, there can be no assurance that technological advances by one or more of our competitors or future competitors will not result in our present or future applications and services becoming uncompetitive or obsolete.

We currently incorporate artificial intelligence ("AI") solutions into our intelligent cloud products, and these applications will become important in our operations over time. Our competitors or other third parties may incorporate AI into their products and offerings quicker or more successfully than us, which could impair our ability to compete effectively and adversely affect our results of operations. Additionally, if the content, analyses, or recommendations that AI applications assist in producing are, or are alleged to be inaccurate, deficient, or biased, our business, financial condition, and results of operations may be adversely affected. The use of AI applications has resulted in, and may in the future result in, cybersecurity incidents that implicate the sensitive data of customers analyzed within such applications. Any such cybersecurity incidents related to our use of AI applications for analysis of sensitive data could adversely affect our reputation and results of operations. AI also presents emerging ethical issues and if our use of AI becomes controversial, we may experience brand or reputational harm, competitive harm, or legal liability. The rapid evolution of AI, including potential government regulation of AI and its various uses will require significant resources to develop, test and maintain our intelligence cloud platform, offerings, services, and features to help us implement AI ethically in order to minimize any unintended, harmful impact.

We may encounter human or technical obstacles that prevent our proprietary or acquired applications from operating properly. If our applications do not function reliably or fail to achieve customer expectations in terms of performance, customers could assert liability claims against us or attempt to cancel their contracts with us. This could damage our reputation and impair our ability to attract or maintain customers. There are particular risks when we inherit technologies through the companies we acquire. These technologies, often developed by distressed companies, were not created under our direct supervision and control and therefore may not have been developed in accordance with our standards. Such acquired technologies could, and at times do, contain operational deficiencies, defects, glitches or bugs that may not be discovered immediately or otherwise could have been avoided had we built the technology ourselves. Whether technology we develop or technology we acquire, we will need to replace certain components and remediate software defects or bugs from time to time. There can be no assurance that such defects or bugs, or the process of remediating them, will not have a material impact on our business. Our inability to promptly and cost-effectively correct a product defect could result in the Company having to withdraw an important product from market, damage to our reputation, and result in material costs and expenses, any of which could have a material impact on our revenue, margins, and operating results. Moreover, information services as complex as those we offer have in the past contained, and may in the future develop or contain, undetected defects or errors. We cannot assure you that material performance problems or defects in our products or services will not arise in the future. Errors may result from receipt, entry, or interpretation of patient information or from interface of our services with legacy systems and data that we did not develop and the function of which is outside of our control. Despite testing, defects or errors may arise in our existing or new software or service processes. Because changes in payer requirements and practices are frequent and sometimes difficult to determine except through trial and error, we are continuously discovering defects and errors in our software and service processes compared against these requirements and practices. These defects and errors and any failure by us to identify and address them could result in loss of revenue or market share, liability to customers or others, failure to achieve market acceptance or expansion, diversion of development resources, injury to our reputation, and increased service and maintenance costs. Defects or errors in our software might discourage existing or potential customers from purchasing our products and services. Correction of defects or errors could prove to be impossible or impracticable. The costs incurred in correcting any defects or errors or in responding to resulting claims or liability may be substantial and could adversely affect our operating results. In addition, customers relying on our services to collect, manage, and report clinical, business, and administrative data may have a greater sensitivity to service errors and security vulnerabilities than customers of software products in general. We market and sell services that, among other things, provide information to assist healthcare providers in tracking and treating patients. Any operational delay in or failure of our technology or service processes may result in the disruption of patient care and could cause harm to patients and thereby create unforeseen liabilities for our business. Our customers or their patients may assert claims against us alleging that they suffered damages due to a defect, error, or other failure of our software or service processes. A product liability claim or errors or omissions claim could subject us to significant legal defense costs and adverse publicity, regardless of the merits or eventual outcome of such a claim. Our physicians rely on our platforms (including the platforms we acquired) to be certified by the Office of the National Coordinator for Health Information Technology ("ONC"). If this certification were to be challenged, we might face liability related to any incentive that the physicians received in reliance upon such certification.

Our information technologies and systems are vulnerable to damage or interruption from various causes, including acts of God and other natural disasters, war and acts of terrorism and power losses, computer systems failures, internet and telecommunications or data network failures, operator error, losses of and corruption of data and similar events. Our customers' data, including patient health records, reside on our own servers located in the U.S., and our Offshore Offices. Although we conduct business continuity planning to protect against fires, floods, other natural disasters and general business interruptions to mitigate the adverse effects of a disruption, relocation or change in operating environment at our data centers, the situations we plan for and the amount of insurance coverage we maintain may not be adequate in any particular case. In addition, the occurrence of any of these events could result in interruptions, delays or cessations in service to our customers. Any of these events could impair or prohibit our ability to provide our services, reduce the attractiveness of our services to current or potential customers and adversely impact our financial condition and results of operations. In addition, despite the implementation of security measures, our infrastructure, data centers, or systems that we interface with or utilize, including the internet and related systems, may be vulnerable to physical break-ins, hackers, improper employee or contractor access, computer viruses, programming errors, denial-of-service attacks or other attacks by third-parties seeking to disrupt operations or misappropriate information or similar physical or electronic breaches of security. Any of these can cause system failure, including network, software or hardware failure, which can result in service disruptions. As a result, we may be required to expend significant capital and other resources to protect against security breaches and hackers or to alleviate problems caused by such breaches.

We offer electronic claims submission services for which we rely on content from customers, payers, and others. While we have implemented features and safeguards designed to maximize the accuracy and completeness of claims content, these features and safeguards may not be sufficient to prevent inaccurate claims data from being submitted to payers. Should inaccurate claims data be submitted to payers, we may experience poor operational results and be subject to liability claims, which could damage our reputation with customers and result in liability claims that increase our expenses.

The risks and challenges associated with our operations outside the United States include laws and business practices favoring local competitors; compliance with multiple, conflicting and changing governmental laws and regulations, including employment and tax laws and regulations; and fluctuations in foreign currency exchange rates. Foreign operations subject us to numerous stringent U.S. and foreign laws, including the Foreign Corrupt Practices Act ("FCPA"), and comparable foreign laws and regulations that prohibit improper payments or offers of payments to foreign governments and their officials and political parties by U.S. and other business entities for the purpose of obtaining or retaining business. Safeguards we implement to discourage these practices may prove to be less than effective and violations of the FCPA and other laws may result in severe criminal or civil sanctions, or other liabilities or proceedings against us, including class action lawsuits and enforcement actions from the SEC, Department of Justice and overseas regulators.