Community Health (CYH) Risk Factors

We are subject to tax in the United States as well as those states in which we do business. Changes in tax laws, including increased rates, or interpretations of tax laws by taxing authorities or other standard setting bodies, could increase our tax obligations and materially and adversely impact our results of operations.

The data protection landscape is rapidly evolving, and we are subject to numerous state and federal laws, requirements and regulations governing the collection, use, storage, processing, disclosure, retention, privacy and security of health-related and other regulated, sensitive or confidential information, and may become subject to additional legal requirements of this nature in the future. For example, the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act of 2009, each as amended, and the privacy and security regulations that implement these laws (collectively, "HIPAA"), establish national privacy and security standards for the protection of protected health information, or PHI, by health plans, healthcare clearinghouses and certain healthcare providers, referred to as covered entities, and the business associates with whom such covered entities contract for services. HIPAA requires covered entities like us to develop and maintain policies and procedures with respect to the privacy and security of PHI and to adopt administrative, physical and technical safeguards to protect such information. HIPAA also regulates permissible uses and disclosures of PHI; for example, HHS issued guidance indicating certain data collected on websites and mobile applications offered by HIPAA-regulated entities may be PHI and warning against the use of third-party tracking technologies such as pixels and cookies on such sites. Covered entities must notify affected individuals without unreasonable delay of breaches of unsecured PHI, the HHS Office for Civil Rights, or OCR, which enforces HIPAA, and, in the case of larger breaches, the media. Failure to comply with the HIPAA privacy and security standards can result in civil monetary penalties, resolution agreements, monitoring agreements, and, in certain circumstances, criminal penalties including fines and/or imprisonment. A covered entity may be subject to penalties as a result of a business associate violating HIPAA. In addition, state attorneys general may enforce the HIPAA privacy and security regulations in response to violations that threaten the privacy of state residents. Although HIPAA does not create a private right of action allowing individuals to sue in civil court for violations, the laws and regulations have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. There are numerous other laws and legislative and regulatory initiatives at the federal and state levels governing the confidentiality, privacy, availability, integrity and security of PHI and other types of personal information. Certain state laws may be more stringent, broader in scope or offer greater individual rights with respect to PHI than HIPAA, state laws may differ from each other, and the interplay of federal and state laws may be subject to varying interpretations by courts and government agencies, all of which may complicate compliance efforts. Where state laws are more protective than HIPAA or apply more broadly, we have to comply with their stricter provisions. Not only do some of these state laws impose fines and other penalties upon violators, but some may afford private rights of action to individuals who believe their personal information has been misused. We may not remain in compliance with diverse privacy and security requirements in all of the jurisdictions in which we do business, particularly to the extent they are inconsistent, rapidly changing and/or ambiguous and uncertain as to their applicability to our business practices. To the extent we use, may use or permit the data we create, receive, maintain, and transmit to be used by any artificial intelligence, or AI, or machine learning, or ML, platforms, we may be subject to additional risks under health privacy and other laws and regulations. The regulatory framework for AI/ML, particularly in patient care (e.g., through the use of clinical decision support tools), is evolving and remains uncertain. For example, in December 2023, HHS finalized transparency requirements for AI and other predictive algorithms used in certified health information technology, such as decision support interventions. New laws, regulations, and policies may be adopted, including as a result of a recent executive order on AI, and existing laws and regulations may be interpreted in new ways that would affect our operations and the ways in which we may use AI technology. If we are unable to use AI/ML as the result of such laws and regulations, regulators restrict our ability to use AI/ML for certain purposes or our confidential information becomes part of a dataset that is accessible by other third-party AI/ML applications and uses, it could make our business less efficient, result in competitive disadvantages, increase our operating costs, hinder our ability to provide services, and subject us to potential liabilities. Further, the cost to comply with such laws and regulations could be significant and could adversely affect our business, financial condition and results of operations. Any failure or perceived failure by us to comply with AI laws and regulations could result in proceedings, investigations or actions against us by individuals, consumer rights groups, government agencies or others. We could incur significant costs in investigating and defending such claims and, if found liable, pay significant damages or fines or be required to make changes to our technology and business. Further, to the extent that we rely on or use the output of AI/ML, any inaccuracies, biases or errors could hinder our ability to provide services and otherwise have adverse impacts on us, our business, our results of operations or financial condition. Further, any such proceedings and any subsequent adverse outcomes may subject us to significant negative publicity. While the full impact of regulatory and legal risks associated with AI/ML is unknown, if any of these events were to occur, our business, results of operations and financial condition could be materially adversely affected. In addition, we are subject to consumer protection laws and regulations in connection with our business activities. For example, the FTC uses its consumer protection authority to initiate enforcement actions in response to data breaches. Failing to take appropriate steps to keep consumers' personal information secure may violate the Federal Trade Commission Act, or the FTCA. For information that is not subject to HIPAA and deemed to be "personal health records," the FTC may also impose penalties for violations of the Health Breach Notification Rule, or HBNR, to the extent we are considered a "personal health record-related entity" or "third party service provider." The FTC has recently taken several enforcement actions under HBNR and indicated that the FTC will continue to protect consumer privacy through greater use of the agency's enforcement authorities. As a result, we expect scrutiny by federal and state regulators and others of our collection, use and disclosure of health information. Additionally, federal and state consumer protection laws are increasingly being applied by FTC and states' attorneys general to regulate the collection, use, storage, and disclosure of personal or personally identifiable information, through websites or otherwise, and to regulate the presentation of website content. Our marketing and patient engagement activities are subject to communications laws such as the Telephone Consumer Protection Act, or the TCPA, and the Controlling the Assault of Non-Solicited Pornography and Marketing Act, or CAN-SPAM. Determination by a court or regulatory agency that our calling, texting or email practices violate the TCPA or CAN-SPAM could subject us to civil penalties and could require us to change some portions of our business. Even an unsuccessful challenge by patients or regulatory authorities of our activities could result in adverse publicity and could require a costly response from and defense by us. Other federal and state laws that restrict the use and protect the privacy and security of personally identifiable information may not be preempted by HIPAA, may apply to new categories of health information, such as "consumer health data", and may be subject to varying interpretations by the courts and government agencies. These varying interpretations can create complex compliance issues for us and our partners and potentially expose us to additional expense, adverse publicity, and liability, any of which could adversely affect our business. Although we strive to comply with applicable laws and regulations, the requirements related to the collection, use, storage, processing, disclosure, retention, privacy and security of health and other regulated, sensitive or confidential information are evolving rapidly and may be interpreted or applied in an inconsistent manner across jurisdictions. The cost of compliance with these laws and regulations is high and is likely to increase in the future. Any failure or perceived failure by us to comply with applicable data privacy and security laws or regulations, our internal policies and procedures or our contracts governing our processing of health and other regulated, sensitive or confidential information, or to otherwise adequately address privacy and security concerns, could result in negative publicity, government investigations and enforcement actions, claims by third parties and damage to our reputation, any of which could have a material adverse effect on our business, operations, or financial results.

In recent years, the healthcare industry has undergone significant changes, many of which have been aimed at reducing costs and government spending. The U.S. Congress and certain state legislatures have introduced, considered or passed a large number of proposals and legislation affecting the healthcare system, including laws intended to impact access to health insurance. The Affordable Care Act is the most prominent of these legislative reform efforts. The law affects how healthcare services are covered, delivered, and reimbursed, and expanded health insurance coverage through a combination of public program expansion and private sector health insurance reforms. In addition, some states have imposed individual health insurance mandates, and other states have explored or offer public health insurance options. To increase access to health insurance during the COVID-19 pandemic, the ARPA enhanced subsidies for individuals eligible to purchase coverage through Affordable Care Act marketplaces. Subsequent legislation extended these enhanced subsidies through 2025. These changes and initiatives may impact the number of individuals that elect to obtain public or private health insurance or the scope of such coverage, if purchased. The Affordable Care Act has been, and continues to be, subject to legislative and regulatory changes and court challenges. There is uncertainty regarding whether, when, and how the Affordable Care Act will be further changed, whether the Affordable Care Act will be repealed or replaced, and how the Affordable Care Act will be interpreted and implemented. Changes to the interpretation or implementation of the Affordable Care Act could eliminate or alter provisions beneficial to us while leaving in place provisions reducing our reimbursement, or otherwise have an adverse effect on our business. Other recent reform initiatives and proposals at the federal and state levels include those focused on price transparency and out-of-network charges, which may impact prices, our competitive position, patient volumes and the relationships between hospitals, patients, payors, and ancillary providers (such as anesthesiologists, radiologists, and pathologists). For example, among other consumer protections, the No Surprises Act imposes various requirements on providers and health plans intended to prevent "surprise" medical bills. The CMS Care Compare website makes publicly available certain data on hospital performance on quality measures and patient satisfaction. Further, Medicare reimbursement for hospitals is adjusted based on quality and efficiency measures. There is also uncertainty regarding whether, when, and what other health reform measures will be adopted through governmental avenues and/or the private sector, the timing and implementation of any such efforts, and the impact of those efforts on providers as well as other healthcare industry participants. For example, some members of Congress have proposed measures that would expand government-funded coverage. CMS administrators may make changes to Medicaid payment models and grant states various flexibilities in the administration of state Medicaid programs, including changes encouraging the adoption of value-based care models. Some of these changes may result in coverage reductions or decreased enrollment. Reductions in the number of insured individuals or the scope of insurance coverage may have an adverse effect on our business. Other industry participants, such as private payors and large employer groups and their affiliates, may also introduce financial or delivery system reforms. It is difficult to predict the nature and/or success of current and future health reform initiatives, any of which may have an adverse impact on our business.

We license certain intellectual property, including technologies and software from third parties, that is important to our business, and in the future we may enter into additional agreements that provide us with licenses to valuable intellectual property or technology. If we fail to comply with any of the obligations under our license agreements, we may be required to pay damages and the licensor may have the right to terminate the license. Termination by the licensor would cause us to lose valuable rights, and could prevent us from selling our solutions and services, or adversely impact our ability to commercialize future solutions and services. Our business would suffer if any current or future licenses terminate, if the licensors fail to abide by the terms of the license agreement, if the licensors fail to enforce licensed intellectual property against infringing third parties, if the licensed intellectual property are found to be invalid or unenforceable, or if we are unable to enter into necessary license agreements on acceptable terms or at all. Any of the foregoing could have an adverse effect on our business, financial condition or results of operations.

We rely extensively on information technology systems to manage clinical and financial data, to communicate with our patients, payors, vendors and other third parties, to summarize and analyze operating results, and for a number of other critical operational functions. We have made significant investments in technology to protect our systems, equipment and medical devices and information from cybersecurity risks. These risks include incidents involving ransomware and other malicious software, phishing, or other attempts by third parties to access, acquire, use, disclose, misappropriate or manipulate our information or disrupt our operations. Although we monitor and routinely test our security systems and processes and have redundancies as well as other proactive measures designed to protect the integrity, security and availability of the systems and data we manage and control, there can be no assurance that we, or our third-party vendors and providers, will not be subject to security breaches and other cybersecurity incidents. In this regard, we are frequently the target of cybersecurity attacks and other threats that could have a security impact, and we have experienced cybersecurity incidents from time to time. In particular, on February 13, 2023, we disclosed a security incident in which a third-party vendor who provides a secure file transfer software platform utilized by our subsidiaries experienced a security breach whereby PHI and personal information of certain patients of our healthcare facilities were exposed to an unauthorized third party. The current cyber threat environment presents increased risk for all companies, particularly companies in the healthcare industry, as the volume and intensity of cyber-attacks on hospitals and health systems has continued to increase, and we expect to experience an increase in cybersecurity threats in the future. Moreover, advanced new attacks against our information systems and devices or those of our third-party vendors create risk of cybersecurity incidents, including ransomware, malware and phishing incidents. The preventive actions we take to reduce the risk of such incidents and protect our systems and data may not be sufficient in the future. In addition, cybersecurity threats continue to evolve. For example, remote code execution vulnerabilities in certain applications have presented a new attack vector for potential malicious attackers. Additionally, the rapid evaluation and increased adoption of artificial intelligence technologies may heighten our cybersecurity risks by making cyber-attacks more difficult to detect, contain and mitigate. Because the techniques used in cyber-attacks change frequently and may not be immediately recognized, we may experience security or data breaches that remain undetected for an extended time. Cybersecurity and the continued development and enhancement of our controls, process and practices designed to protect our information systems from attack, damage or unauthorized access, acquisition, use or disclosure remain a priority for us. Our ability to recover from a ransomware or other cyber-attack is dependent on these practices, including successful backup systems and other recovery procedures. We may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities, and we still might not be able to anticipate or prevent certain attack methods. Further, cybersecurity threats, including those that result in a data or security breach, could impact the integrity, availability or security of PHI and other data subject to privacy laws and regulations, disrupt our information technology systems, equipment, medical devices or business, and threaten the access and utilization of critical information technology and data. Our ability to provide various healthcare services could be affected, particularly with respect to telehealth services. In addition, medical devices that connect to hospital networks or the internet may be vulnerable to cybersecurity incidents, which may impact patient safety. We may be at increased risk because we outsource certain services or functions to, or have systems that interface with, third parties. Some of these third parties' information systems are also subject to the risks outlined above and may store or have access to our data and may not have effective controls, processes, or practices to protect our information from attack, damage, or unauthorized access, acquisition, use or disclosure. A breach or attack affecting any of these third parties could harm our business. In addition, the definitive agreements we enter into in connection with the divestiture of hospitals routinely obligate us to provide transition services to the buyer, including access to our legacy information systems, for a defined transition period. By providing access to our information systems to non-employees, we may be exposed to cyber-attacks, ransomware or security or data breaches that originate outside of our internal processes and practices designed to prevent such threats from occurring. Further, consumer confidence in the integrity, availability and confidentiality of information systems and information, including patient information and operations data, in the healthcare industry generally could be impacted to the extent there are successful cyber-attacks at other healthcare services companies, which could have a material adverse effect on our business, operations, or financial results. If we or our information, systems are subject to cyber-attacks or security or data breaches in the future, or the information systems of third parties with whom we conduct business are subject to cyber-attacks or security or data breaches in the future in a manner which impacts us or our information systems, this could result in harm to patients; business and operational interruptions and delays; the loss, misappropriation, corruption or unauthorized access, acquisition, use or disclosure of data or inability to access data; litigation and potential liability under privacy, security, breach notification and consumer protection laws or other applicable laws, including HIPAA; reputational damage, federal and state governmental inquiries, civil monetary penalties, settlement agreements, corrective action plans and monitoring requirements, any of which could have an adverse effect on our business, financial condition or results of operations. Moreover, any significant cybersecurity event may require us to devote significant management time and resources to address and respond to any such event, interfere with the pursuit of other important business strategies and initiatives, and cause us to incur additional expenditures, which could be material, including to investigate such events, remedy cybersecurity problems, recover lost data, prevent future compromises and adapt systems and practices in response to such events. Moreover, there is no assurance that any remedial actions will meaningfully limit the success of future attempts to breach our information systems, particularly because malicious actors are increasingly sophisticated and utilize tools and techniques specifically designed to circumvent security measures, avoid detection and obfuscate forensic evidence, which means we may be unable to identify, investigate or remediate effectively or in a timely manner. Additionally, while we have insurance coverage in place designed to address certain aspects of cybersecurity risks, such insurance coverage may be insufficient to cover all losses or all types of claims that may arise.

The healthcare industry is highly competitive among hospitals and other healthcare providers, such as urgent care centers and other outpatient providers and other industry participants, for patients, affiliations with physicians and acquisitions. Changes in licensure or other regulations, recognition of new provider types or payment models, and industry consolidation could negatively impact our competitive position. For example, in states with certificate of need or similar prior approval requirements, removal of these requirements could remove barriers to entry and increase competition in our service areas. Our hospitals, our competitors, and other healthcare industry participants are increasingly implementing physician alignment strategies, such as acquiring physician practice groups, employing physicians and participating in ACOs or other clinical integration models. Increasing consolidation within the payor industry, vertical integration efforts involving payors and healthcare providers, and cost-reduction strategies by payors, large employer groups and their affiliates may impact our ability to contract with payors on favorable terms, participate in favorable payment tiers or provider networks, and otherwise affect our competitive position. Legislative and regulatory initiatives, such as changes in Texas law that eliminated restrictions on tiered networks and steering patients to particular providers, may accelerate or otherwise impact these trends. The majority of our hospitals are located in generally larger non-urban service areas in which we believe we are the primary, if not the sole, provider of general acute care health services. As a result, the most significant competition for providers of general acute care services are hospitals outside of our primary service areas, typically hospitals in larger urban areas that provide more complex services. Patients in our primary service areas may travel to other hospitals because of physician referrals, payor networks that exclude our providers or the need for services we do not offer, among other reasons. Patients who receive services from these other hospitals may subsequently shift their preferences to those hospitals for the services we provide. Our other hospitals, in selected urban service areas, may face competition from hospitals that are more established than our hospitals. Some of our competitors offer services, including extensive medical research and medical education programs, that are not offered by our facilities. In addition, in certain markets where we operate, there are large teaching hospitals that provide highly specialized facilities, equipment and services that may not be available at our hospitals. We also face competition from other specialized care providers, including outpatient surgery, orthopedic, oncology and diagnostic centers. At December 31, 2023, 43 of our hospitals competed with one or more non-affiliated hospitals in their respective primary service areas. In most markets in which we are not the sole provider of general acute care health services, our primary competitor is a municipal or not-for-profit hospital. These hospitals are owned by tax-supported governmental agencies or not-for-profit entities supported by endowments and charitable contributions. These hospitals are exempt from sales, property and income taxes. Such exemptions and support are not available to our hospitals and may provide the tax-supported or not-for-profit entities an advantage in funding general and capital expenditures and offering services more specialized than those available at our hospitals. If our competitors are better able to attract patients with these offerings, we may experience an overall decline in patient volume. Trends toward transparency and value-based purchasing may have an impact on our competitive position, ability to obtain and maintain favorable contract terms, and patient volumes in ways that are difficult to predict. The CMS Care Compare website makes available to the public certain data that hospitals submit in connection with Medicare reimbursement claims, including performance data related to quality measures and patient satisfaction surveys. Further, every hospital must establish and update annually a public, online listing of the hospital's standard charges for all items and services, including discounted cash prices and payor-specific charges, and must also publish a consumer-friendly list of standard charges for certain "shoppable" services or, alternatively, maintain an online price estimator tool for the shoppable services. HHS also requires health insurers to publish online charges negotiated with providers for healthcare services, and health insurers must provide online price comparison tools to help individuals get personalized cost estimates for all covered items and services. If any of our hospitals achieve poor results (or results that are lower than our competitors) on the quality measures or on patient satisfaction surveys, or if our standard charges are higher than our competitors, we may attract fewer patients. The No Surprises Act creates additional price transparency requirements that may impact our competitive position, including requiring providers to send uninsured or self-pay patients and health plans of insured patients a good faith estimate of the expected charges and diagnostic codes prior to the scheduled date of the service or item or upon request. Until HHS issues additional regulations, HHS is deferring enforcement of portions of the good faith estimate requirements. It is unclear how price transparency requirements and similar initiatives will affect consumer behavior, our relationships with payors, or our ability to set and negotiate prices. We expect these competitive trends to continue. If we are unable to compete effectively with other hospitals and other healthcare providers, patients may seek healthcare services at providers other than our hospitals and affiliated businesses.

Our admissions and adjusted admissions as well as acuity trends may be impacted by factors beyond our control. For example, seasonal fluctuations in the severity of influenza and other critical illnesses, such as COVID-19, unplanned shutdowns or unavailability of our facilities due to weather or other unforeseen events, decreases in trends in high acuity service offerings, changes in competition from other service providers, turnover in physicians affiliated with our hospitals, or changes in medical technology can have an impact on the demand for services at our hospitals and affiliated providers. In addition, certain of our facilities are located in hurricane-prone coastal regions in Florida and other states, and our operations may be adversely impacted by hurricanes, tornadoes, winter storms, and other severe weather conditions, which adverse weather conditions may be more frequent and/or severe as the result of climate change. Moreover, we could be affected by climate change and other environmental issues to the extent such issues adversely affect the general economy or specific markets, adversely impact our supply chain or increase the costs of supplies needed for our operations, or otherwise result in disruptions impacting the communities in which our facilities are located. In addition, legal requirements regulating greenhouse gas emissions and energy inputs or otherwise associated with the transition to a lower carbon economy may increase in the future, which could increase our costs associated with compliance and otherwise disrupt and adversely affect our operations. The impact of these or other factors beyond our control could have an adverse effect on our business, financial position and results of operations.

As a provider of healthcare services, we were significantly impacted by the public health and economic effects of the COVID-19 pandemic. If public health conditions related to COVID-19 significantly worsen, our business and financial results could be adversely impacted. Moreover, conditions related to COVID-19 continue to evolve, and we may not be able to predict or effectively respond to future developments. In response to the COVID-19 pandemic, the federal government authorized financial relief for eligible healthcare providers through the Public Health and Social Services Emergency Fund, or PHSSEF. Although recipients are not required to repay funding received, provided they attest to and comply with certain terms and conditions, changes to interpretations of guidance on the underlying terms and conditions may result in the derecognition of amounts previously realized. To the extent that any unrecognized PHSSEF payments that have been received by us do not qualify for reimbursement, we may be required to return such payments. Further, we may be subject to or incur costs from related government actions including payment recoupment, audits and inquiries by governmental authorities, and criminal, civil or administrative penalties. In addition, if a future pandemic, epidemic, or outbreak of an infectious disease or other public health crisis were to affect our markets, our business could be adversely affected. Any such crisis could diminish the public trust in healthcare facilities, especially hospitals that fail to accurately or timely diagnose, or that are treating (or have treated) patients affected by, contagious diseases. If any of our facilities are involved, or perceived as being involved, in treating patients for such a contagious disease, other patients might cancel elective procedures or fail to seek needed care at our facilities. Patient volumes may decline or volumes of uninsured and underinsured patients may increase, depending on the economic circumstances surrounding the pandemic, epidemic, or outbreak. Further, a pandemic, epidemic, or outbreak might adversely impact our business by causing a temporary shutdown or diversion of patients, by causing disruption or delays in supply chains for materials and products or by causing staffing shortages in our facilities. Although we have contingency plans in place, including infection control and disaster plans, the potential impact of, as well as the public's and government's response to, any such future pandemic, epidemic or outbreak of an infectious disease with respect to our markets or our facilities is difficult to predict and could adversely impact our business.