InnovAge Holding (INNV) Risk Factors

Most of our participants are dually-eligible, meaning they are qualified for coverage under both Medicare and Medicaid when enrolled in our PACE program, and nearly all our revenue is derived from government payors. Medicaid is a joint federal and state funded program for healthcare services for low income as well as certain higher-income individuals who qualify for nursing home level of care. Under broad federal criteria, states establish rules for eligibility, services and payment. PACE programs are administered at the state level and are financed by both state and federal funds. Medicaid spending has increased rapidly in recent years, becoming a significant component of state budgets. This increase, combined with slower state revenue growth, has led both the federal government and many states to institute measures aimed at controlling the growth of Medicaid spending, and in some instances reducing aggregate Medicaid spending. Due to budget constraints, including resulting from a potential economic downturn or recession, we may experience negative Medicaid capitated rate payment pressure from certain states where we operate, such as Colorado, where we conduct a significant percentage of our operations. In addition, as part of past attempts to repeal, replace or modify the ACA and as a means to reduce the federal budget deficit, there have in recent years been congressional efforts to move Medicaid from an open-ended program with coverage and benefits set by the federal government to one in which states receive a fixed amount of federal funds, either through block grants or per capita caps, and have more flexibility to determine benefits, eligibility or provider payments. If those changes are implemented, we cannot predict whether the amount of fixed federal funding to the states will be based on current payment amounts, or if it will be based on lower payment amounts, which would negatively impact those states that expanded their Medicaid programs in response to the ACA. We expect state and federal efforts to reduce healthcare spending to continue for the foreseeable future.

Numerous state and federal laws and regulations govern the collection, dissemination, use, disclosure, destruction, retention, privacy, confidentiality, security, availability, integrity and other processing of PHI/PII. These laws and regulations include HIPAA. HIPAA establishes a set of national privacy and security standards for the protection of PHI by health plans, healthcare clearinghouses, and certain healthcare providers, referred to as covered entities, and the business associates with whom such covered entities contract for services. A business associate is any person or entity (other than members of a covered entity's workforce) that performs a service for or on behalf of a covered entity involving the use or disclosure of protected health information. HIPAA requires covered entities, such as ourselves, and their business associates to develop and maintain policies and procedures with respect to PHI that is used or disclosed, including the adoption of administrative, physical and technical safeguards to protect such information. HIPAA also implemented the use of standard transaction code sets and standard identifiers that covered entities must use when submitting or receiving certain electronic healthcare transactions, including activities associated with the billing and collection of healthcare claims. HIPAA imposes mandatory penalties for certain violations. Under a notice of enforcement discretion issued by HHS in 2019, penalties for violations of HIPAA and its implementing regulations start at $100 (not adjusted for inflation) per violation and are not to exceed approximately $63,000 (not adjusted for inflation) per violation, subject to a cap of approximately $1.9 million (not adjusted for inflation) for violations of the same standard in a single calendar year. However, a single breach incident can result in violations of multiple standards. In addition, HIPAA provides for criminal penalties of up to $250,000 and ten years in prison, with the severest penalties for obtaining and disclosing PHI with the intent to sell, transfer or use such information for commercial advantage, personal gain or malicious harm. HIPAA also authorizes state attorneys general to file suit on behalf of their residents. Courts may award damages, costs and attorneys' fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. In addition, HIPAA mandates that the Secretary of HHS conduct periodic compliance audits of HIPAA covered entities and business associates for compliance with the HIPAA Privacy and Security Standards. It also tasks HHS with establishing a methodology whereby harmed individuals who were the victims of breaches of unsecured PHI may receive a percentage of the civil monetary penalty fine paid by the violator. HIPAA further requires that individuals be notified of any unauthorized acquisition, access, use or disclosure of their unsecured PHI that compromises the privacy or security of such information, with certain exceptions related to unintentional or inadvertent use or disclosure by employees or authorized individuals. HIPAA specifies that such notifications must be made "without unreasonable delay and in no case later than 60 calendar days after discovery of the breach." If a breach affects 500 individuals or more, it must be reported to HHS without unreasonable delay, and in no case later than 60 calendar days after discovery, and HHS will automatically investigate the breach and post the name of the entity on its public breach portal. If a breach involves fewer than 500 people, the covered entity must record it in a log and notify HHS at least annually. Breaches affecting more than 500 residents in the same state or jurisdiction must also be reported to the local media. Looking ahead, it is possible that the ADPPA, a landmark federal privacy bill with significant bipartisan support, may gain traction. Although ADPPA would not apply to health data covered by HIPAA, it would apply to other health data, such as health data controlled by certain entities in the digital health space. In addition to HIPAA, numerous other federal and state laws and regulations protect the confidentiality, privacy, availability, integrity and security of individually identifiable information. State statutes and regulations vary from state to state, and these laws and regulations in many cases are more restrictive than, and may not be preempted by, HIPAA and its implementing rules. These laws and regulations are often uncertain, contradictory, and subject to changing or differing interpretations, and we expect new laws, rules and regulations regarding privacy, data protection, and information security to be proposed and enacted in the future. For example, the CCPA provides certain exceptions for PHI, but is still applicable to certain PII we process in the ordinary course of our business. The effects of the CCPA are wide-ranging and afford consumers certain rights with respect to PII, including a private right of action for data breaches involving certain personal information of California residents. In addition, the California Privacy Rights Act of 2020, or CPRA, which went into effect January 1, 2023, expands the CCPA's requirements, including by adding a new right for individuals to correct their personal information and establishing a new regulatory agency to implement and enforce the law. Other states, including Colorado, Connecticut, Utah, and Virginia, have enacted similar privacy laws that impose new obligations or limitations in areas affecting our business and we continue to assess the impact of this state legislation on our business as additional information and guidance becomes available. Efforts at the federal level to enact similar laws have been ongoing. As new data security laws are implemented, we may not be able to timely comply with such requirements, or such requirements may not be compatible with our current processes. Changing our processes could be time consuming and expensive, and failure to implement required changes in a timely manner could subject us to liability for non-compliance. Consumers may also be afforded a private right of action for certain violations of privacy laws. This complex, dynamic legal landscape regarding privacy, data protection, and information security creates significant compliance issues for us and potentially restricts our ability to process data and may expose us to additional expense, adverse publicity, and liability. While we believe we have implemented data privacy and security measures in an effort to comply with applicable laws and regulations, and we have implemented measures to require our third-party service providers to maintain reasonable data privacy and security measures, we cannot guarantee that these efforts will be adequate, and we may be subject to cybersecurity, ransomware or other security incidents. Further, it is possible that laws, rules and regulations relating to privacy, data protection, or information security may be interpreted and applied in a manner that is inconsistent with our practices or those of our third-party service providers. If we or these third parties are found to have violated such laws, rules or regulations, it could result in regulatory investigations, litigation awards or settlements, government-imposed fines, orders requiring that we or these third parties change our or their practices, or criminal charges, which could adversely affect our business. Complying with these various laws and regulations could cause us to incur substantial costs or require us to change our business practices, systems and compliance procedures in a manner adverse to our business. We also publish statements to our participants that describe how we handle and protect PHI. If federal or state regulatory authorities, such as the FTC, or private litigants consider any portion of these statements to be untrue, we may be subject to claims of deceptive practices, which could lead to significant liabilities and consequences, including, without limitation, costs of responding to investigations, defending against litigation, settling claims, and complying with regulatory or court orders. The FTC sets expectations for failing to take appropriate steps to keep consumers' personal information secure, or failing to provide a level of security commensurate to promises made to individual about the security of their personal information (such as in a privacy notice) may constitute unfair or deceptive acts or practices in violation of Section 5(a) of the Federal Trade Commission Act ("FTC Act"). The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Individually identifiable health information is considered sensitive data that merits stronger safeguards. With respect to privacy, the FTC also sets expectations that companies honor the privacy promises made to individuals about how the company handles consumers' personal information; any failure to honor promises, such as the statements made in a privacy policy or on a website, may also constitute unfair or deceptive acts or practices in violation of the FTC Act. While we do not intend to engage in unfair or deceptive acts or practices, the FTC has the power to enforce promises as it interprets them, and events that we cannot fully control, such as data breaches, may be result in FTC enforcement. Enforcement by the FTC under the FTC Act can result in civil penalties or enforcement actions. Any of the foregoing consequences could seriously harm our business and our financial results.

We have significant suppliers that may be the sole or primary source of products critical to the services we provide, or to which we have committed obligations to make purchases, sometimes at particular prices. If any of these suppliers do not meet our needs for the products they supply, including as a result of price increases, a product recall, product shortage or other supply chain issues, or a dispute, and we are not able to find adequate alternative sources, it could have a material adverse impact on our business, results of operations, financial condition and cash flows. In addition, the technology related to the products critical to the services we provide is subject to new developments which may result in the availability of superior products. If we are not able to access superior products or new medical products, including biopharmaceuticals or medical devices, on a cost-effective basis or if suppliers are not able to fulfill our requirements for such products, we could face attrition with respect to our participants or health care providers and other personnel and other negative consequences which could have a material adverse effect on our business, results of operations, financial condition and cash flows.

We compete directly with national, regional and local providers of healthcare for participants and clinical providers. We also compete directly with payors and other alternate managed care programs for participants. There are many other companies and individuals currently providing healthcare services, many of which have been in business longer and/or have substantially more resources. Given the regulatory environment, there may be high barriers to entry for PACE providers; however, since there are relatively modest capital expenditures required for providing healthcare services, there are less substantial financial barriers to entry in the healthcare industry generally. Other companies could enter the healthcare industry in the future and divert some or all of our business. Our ability to compete successfully varies from location to location and depends on a number of factors, including the number of payors who run competitive programs in the local market, our local reputation for quality participant care, the commitment and expertise of our medical staff or contracted healthcare providers, our local service offerings and community programs, the cost of care in each locality, and the physical appearance, location and condition of our centers. If we are unable to attract participants to our centers our revenue and profitability will be adversely affected. Some of our competitors may have greater brand recognition and be more established in their respective communities than we are, and may have greater financial and other resources than we have. Further, our current or potential competitors may be acquired by third parties with greater available resources. Competing providers may also offer different programs or services than we do, which, combined with the foregoing factors, may result in our competitors being more attractive to our current participants, potential participants and referral sources. Furthermore, while we budget for routine capital expenditures at our centers to keep them competitive in their respective markets, to the extent that competitive forces cause those expenditures to increase in the future, our financial condition may be negatively affected. In addition, our contracts with government payors are not exclusive for PACE programs in California, and competitors in California could seek to establish contracts with the state Medicaid agency and CMS to serve PACE eligible participants in our service areas. For example, the service area for our Sacramento, California center, opened July 1, 2020, overlaps with an existing PACE program in the region. Additionally, as we expand into new geographies, we may encounter competitors with stronger local community relationships or brand recognition, which could give those competitors an advantage in attracting new participants. Individual physicians, physician groups and companies in other healthcare industry segments, some of which have greater financial, marketing and staffing resources, may become competitors in providing healthcare services, and this competition may have a material adverse effect on our business operations and financial position.

Our operations are dependent on a limited number of government payors, particularly Medicare and Medicaid, with whom we directly contract to provide services to participants. We generally manage our contracts on a state-by-state basis, entering into a separate contract in each state. When aggregating the revenue associated with Medicare and Medicaid by state, Colorado, California and Virginia accounted for a total of approximately 83.0% and 83.3% of our capitation revenue for the years ended June 30, 2023 and 2022, respectively. We believe that majority of our revenues will continue to be derived from a limited number of key government payors, which may terminate their contracts with us upon the occurrence of certain events, including as a result of inspections, reviews, audits, requests for information or investigations with adverse findings. The sudden loss of any of our government contracts or the renegotiation of any of such contracts could adversely affect our operating results. In the ordinary course of business, we engage in active discussions and renegotiations with government payors in respect of the services we provide and the terms of our agreements. As the states respond to market dynamics and financial pressures, and as government payors make strategic budgetary decisions in respect of the programs in which they participate, certain government payors may seek to renegotiate or terminate their agreements with us. Any reduction in the budgetary appropriations for our services, whether as a result of fiscal constraints due to recession, or economic downturn, emergency situations such as the COVID-19 pandemic, changes in policy or otherwise, could result in a reduction in our capitated fee payments, changes to the scope of services and possibly loss of contracts and could negatively impact our revenues, business and prospects. See Item 1A. Risk Factors, "Risks Related to Our Business-A pandemic, epidemic or outbreak of an infectious disease in the United States or worldwide has and in the future could adversely affect our business" and "Risks Related to Our Business-We conduct a significant percentage of our operations in the State of Colorado and, as a result, we are particularly susceptible to any reduction in budget appropriations for our services or any other adverse developments in that state." Because we rely on a limited number of government-funded agencies, namely CMS and state Medicaid agencies, for a significant portion of our revenues, we depend on federal funding, as well as the financial condition of the states in which we operate, and each state's commitment to its participation in the PACE program. Government-funded healthcare programs in the states in which we operate face a number of risks, including higher than expected healthcare costs and lack of predictability of tax basis and budget needs. If the financial condition of the states in which we operate declines, our credit risk could increase.

Macroeconomic challenges, including labor shortages and high inflation, have impacted and may continue to impact our business operations and our overall business results. The COVID-19 pandemic exacerbated difficulties to hire healthcare professionals, and in fiscal year 2022, we experienced workforce and labor shortages within all of our centers. Even though this labor pressure eased slightly in fiscal year 2023, we continue to be affected by the increased competition in the labor market and market adjustments to increase retention and improve our ability to hire. These market adjustments contributed, in part, to an increase in cost of care and operating expenses for fiscal year 2023, further impacted by additional staffing related to compliance and remediation efforts. Continued workforce and labor shortages or increased wages, may continue to adversely affect our financial results. Further, if labor market conditions continue to disrupt our ability to recruit healthcare professionals , we may not be able to execute our growth plan and grow capacity in our existing centers or open de novo centers or we may have to do so at costs higher than originally budgeted, which, in turn, could increase our capital needs during a time of rising interest rates and when conditions in the credit and capital markets are volatile. During periods of high unemployment, governmental entities often experience budget deficits as a result of increased costs and lower than expected tax collections. These budget deficits at federal, state and local government entities have decreased, and may continue to decrease, spending for health and human service programs, including Medicare, Medicaid, PACE and similar programs, which represent nearly all of the payor sources for our centers and which may have a material effect on our results of operations and financial condition.

We currently operate in Colorado, California, New Mexico, Pennsylvania and Virginia and are moving forward with pursuit of licensure required to open two de novo centers in Florida and one de novo center in California. For the year ended June 30, 2023, approximately half of our revenue was driven by our businesses in Colorado. As a result, our exposure to many of the risks described in these risk factors are not mitigated by a diversification of geographic focus. To continue to expand our operations to other regions of the United States, we will have to devote resources to identifying and exploring such perceived opportunities. Thereafter, we will have to, among other things, recruit and retain qualified personnel, develop new centers and establish new relationships or contracts with physicians and other healthcare and services providers. In addition, we will be required to comply with laws and regulations of states that may differ from the ones in which we currently operate, and could face competitors with greater knowledge of such local markets. We anticipate that further geographic expansion will require us to make a substantial investment of management time, capital and/or other resources. There can be no assurance that we will be able to continue to expand our operations in any new geographic markets.

In the ordinary course of our business, we create, receive, maintain, transmit, collect, store, use, disclose, share and process (collectively, "Process") sensitive data, including protected health information ("PHI") and other types of personal data or personally identifiable information (collectively, "PII" and, together with PHI, "PHI/PII") relating to our employees, participants and others. We also Process and contract with third-party service providers to Process sensitive information, including PHI/PII, confidential information and other proprietary business information. We manage and maintain PHI/PII and other sensitive data and information using our on premise systems, and we plan to implement cloud-based computing center systems in the future. Third-party service providers that serve our participants may Process PHI/PII data either in their own on-site systems, at managed or co-located data centers, or in the cloud. We are highly dependent on information technology networks and systems, including the internet, to securely Process PHI/PII and other sensitive data and information. Security breaches of this infrastructure, whether ours or of our third-party service providers, including physical or electronic break-ins, computer viruses, ransomware, attacks by hackers and similar breaches, and employee or contractor error, negligence or malfeasance, have occurred in the past, and have in the past and could in the future, create system disruptions, shutdowns or unauthorized access, acquisition, use, disclosure or modifications of such data or information, and could cause PHI/PII to be accessed, acquired, used, disclosed or modified without authorization, to be made publicly available, or to be further accessed, acquired, used or disclosed. We use third-party service providers for important aspects of the Processing of employee and participant PHI/PII and other confidential and sensitive data and information, and therefore rely on third parties to manage functions that have material cybersecurity risks. Because of the sensitivity of the PHI/PII and other sensitive data and information that we and our service providers Process, the security of our technology platform and other aspects of our services, including those provided or facilitated by our third-party service providers, are important to our operations and business strategy. We have implemented certain administrative, physical and technological safeguards to address these risks; however, such policies and procedures may not address certain HIPAA requirements or address situations that could lead to increased privacy or security risks, and agreements with contractors and other third-party service providers who handle this PHI/PII and other sensitive data and information for us. However, some PACE organizations that we have acquired in the past or may acquire in the future may not have implemented such agreements with their third-party service providers, which may expose us to legal claims or proceedings, liability, and penalties. We may be required to expend significant capital and other resources to protect against security breaches, to safeguard the privacy, security, and confidentiality of PHI/PII and other sensitive data and information, to investigate, contain, remediate, and mitigate actual or potential security breaches, and/or to report security breaches to participants, employees, regulators, media, credit bureaus, and other third parties in accordance with applicable law and to offer complimentary credit monitoring, identity theft protection, and similar services to participants and/or employees where required by law or otherwise appropriate. Cyber-attacks are becoming more sophisticated, and frequent, and we or our third-party service providers may be unable to anticipate these techniques or to implement adequate protective measures against them or to prevent future attacks. The remote work environment has increased these risks. We exercise limited control over our third-party service providers and, in the case of some third-party service providers, may not have evaluated the adequacy of their security measures, which increases our vulnerability to problems with services they provide. A security breach, security incident, or privacy violation that leads to unauthorized use, disclosure, access, acquisition, loss or modification of, or that prevents access to or otherwise impacts the confidentiality, security, or integrity of, participant or employee information, including PHI/PII that we or our third-party service providers process, could harm our reputation and business, compel us to comply with breach notification laws, cause us to incur significant costs for investigation, containment, remediation, mitigation, fines, penalties, settlements, notification to individuals, regulators, media, credit bureaus, and other third parties, complimentary credit monitoring, identity theft protection, training and similar services to participants and/or employees where required by law or otherwise appropriate, for measures intended to repair or replace systems or technology and to prevent future occurrences. We may also be subject to potential increases in insurance premiums, resulting in increased costs or loss of revenue. In February 2021, we became aware that a former third-party service provider of acquired organizations was the victim of a ransomware attack that occurred in December 2020. We understand that this attack resulted in the unauthorized access and exfiltration of the PHI/PII of over 2,000 of our current and former participants. We confirmed that this former third-party service provider had removed the PHI/PII of our participants from its servers, and the service provider advised that all vulnerabilities in its environment and lack of security controls had been resolved. In attacks such as this, including to third-party service-providers, we remain responsible under HIPAA for our participant's PHI/PII, and any failure on our part to comply with HIPAA in connection with such data could subject us to civil penalties, resolution agreements, monitoring or similar agreements or other enforcement action. If we or our third-party service providers are unable to prevent or mitigate security breaches, security incidents or privacy violations in the future, or if we or our third-party service providers are unable to implement satisfactory remedial measures with respect to known or future security incidents, or if it is perceived that we have been unable to do so, our operations could be disrupted, we may be unable to provide access to our systems, and we could suffer a loss of participants, loss of reputation, adverse impacts on participant and investor confidence, financial loss, governmental investigations or other actions, regulatory or contractual penalties, and other claims and liability. In addition, security breaches and incidents and other compromise or inappropriate access to, or acquisition or processing of, PHI/PII or other sensitive data or information can be difficult to detect, and any delay in identifying such breaches or incidents or in providing timely notification of such incidents may lead to increased harm and increased penalties. While we maintain insurance covering certain security and privacy damages and claim expenses, we may not carry insurance or maintain coverage sufficient to compensate for all liability and in any event, insurance coverage would not address the reputational damage that could result from a security incident.