Clinigence Holdings (NUTX) Risk Factors

As a publicly traded company, we are subject to significant and increasing regulatory oversight and reporting obligations under federal securities laws. Laws pertaining to public companies, including new regulations proposed by the SEC, are increasingly complex and could force management to devote increasing amounts of time to the compliance with such laws and potentially impact time available to the management of our business. The Company may be required to continue to expand its employee base and hire additional employees to support its operations as a public company, which will increase operating costs in future periods.

The DMHC has instituted financial solvency regulations. The regulations are intended to provide a formal mechanism for monitoring the financial solvency of a RBO in California, including capitated physician groups. Under current DMHC regulations, our affiliated physician groups, as applicable, are required to, among other things: - Maintain, at all times, a minimum "cash-to-claims ratio" (which means the organization's cash, marketable securities, and certain qualified receivables, divided by the organization's total unpaid claims liability) of 0.75; and - Submit periodic reports to the DMHC containing various data and attestations regarding their performance and financial solvency, including IBNR calculations and documentation and attestations as to whether or not the organization (i) was in compliance with the "Knox-Keene Act" requirements related to claims payment timeliness, (ii) had maintained positive tangible net equity ("TNE"), and (iii) had maintained positive working capital. In the event that a physician group is not in compliance with any of the above criteria, it would be required to describe in a report submitted to the DMHC the reasons for non-compliance and actions to be taken to bring it into compliance. Under such regulations, the DMHC can also make some of the information contained in the reports, public, including, but not limited to, whether or not a particular physician organization met each of the criteria. In the event any of our affiliated physician groups are not able to meet certain of the financial solvency requirements, and fail to meet subsequent corrective action plans, it could be subject to sanctions, or limitations on, or removal of, its ability to do business in California. There can be no assurance that our affiliated physician group, such as our IPA, will remain in compliance with DMHC requirements or be able to timely and adequately rectify non-compliance. To the extent that we need to provide additional capital to our affiliated physician group in the future in order to comply with DMHC regulations, we would have less cash available for other parts of our operations.

The Knox-Keene Health Care Service Plan Act of 1975 was passed by the California State Legislature to regulate California managed care plans and is currently administered by the California Department of Managed Healthcare (DMHC). A Knox-Keene Act license is required to operate a healthcare service plan, e.g., an HMO, or an organization that accepts global risk, i.e., accepts full risk for a patient population, including risk related to institutional services, e.g., hospital, and professional services. Applying for and obtaining such a license is a time consuming and detail-oriented undertaking. We currently do not hold any Knox-Keene license. If the DMHC were to determine that we have been inappropriately taking risk for institutional and professional services as a result of our various hospital and physician arrangements without having any Knox-Keene license or applicable regulatory exemption, we may be required to obtain a Knox-Keene license and could be subject to civil and criminal liability, any of which could have a material adverse effect on our business, results of operations, and financial condition. A Knox-Keene Act license or exemption from licensure, where applicable, is required to operate a healthcare service plan, e.g., an HMO, or an organization that accepts global risk, i.e., accepts full risk for a patient population, including risk related to institutional services, e.g., hospital, and professional services.

We use third-party collection agencies whom we do not control to collect from patients any co-payments and other payments for services that our physicians provide. The federal Fair Debt Collection Practices Act of 1977 (the "FDCPA") restricts the methods that third-party collection companies may use to contact and seek payment from consumer debtors regarding past due accounts. State laws vary with respect to debt collection practices, although most state requirements are similar to those under the FDCPA. Therefore, such agencies may not be successful in collecting payments owed to us and our affiliated physician groups. If practices of collection agencies utilized by us are inconsistent with these standards, we may be subject to actual damages and penalties. These factors and events could have a material adverse effect on our business, results of operations, and financial condition.

The operations of our hospitals through partner physicians and other healthcare professionals are subject to extensive federal, state and local regulation relating to, among other things, the adequacy of medical care, equipment, personnel, operating policies and procedures and proof of financial ability to operate. Our hospitals and partner physicians and other healthcare professionals are also subject to extensive laws and regulation relating to facility and professional licensure, conduct of operations, including financial relationships among healthcare providers, Medicare, Medicaid and state fraud and abuse and physician self-referrals, and maintaining updates to our and our partner physicians' and other healthcare professionals' enrollment in the Medicare and Medicaid programs, including addition of new hospital locations, providers and other enrollment information. Our hospitals are subject to periodic inspection by licensing authorities to assure their continued compliance with these various standards. There can be no assurance that these regulatory authorities will determine that all applicable requirements are fully met at any given time. Should any of our hospitals be found to be noncompliant with these requirements, we could be assessed fines and penalties, could be required to refund reimbursement amounts or could lose our licensure or Medicare and/or Medicaid certification so that we or our partner physicians and other healthcare professionals are unable to receive reimbursement from such programs and possibly from other third-party payors, any of which could materially adversely affect our business, financial condition, cash flows or results of operations.

The U.S. healthcare industry is heavily regulated and closely scrutinized by federal, state and local governments. Comprehensive statutes and regulations govern the manner in which we provide and bill for services and collect reimbursement from governmental programs and private payors, our contractual relationships and arrangements with healthcare providers and vendors, our marketing activities and other aspects of our operations. Of particular importance are: - the federal Anti-Kickback Statute, or the AKS, which prohibits the knowing and willful offer, payment, solicitation or receipt of any bribe, kickback, rebate or other remuneration for referring an individual, in return for ordering, leasing, purchasing or recommending or arranging for or to induce the referral of an individual or the ordering, purchasing or leasing of items or services covered, in whole or in part, by any federal healthcare program, such as Medicare and Medicaid. Although there are several statutory exceptions and regulatory safe harbors protecting certain common activities from prosecution, the exceptions and safe harbors are drawn narrowly. By way of example, the AKS safe harbor for value-based arrangements requires, among other things, that the arrangement does not induce a person or entity to reduce or limit medically necessary items or services furnished to any patient. Failure to meet the requirements of a safe harbor, however, does not render an arrangement illegal, although such arrangements may be subject to greater scrutiny by government authorities. Further, a person or entity does not need to have actual knowledge of the statute or specific intent to violate it to have committed a violation;- the federal physician self-referral law, or the Stark Law, which, subject to limited exceptions, prohibits physicians from referring Medicare or Medicaid patients to an entity for the provision of certain designated health services, or DHS, if the physician or a member of such physician's immediate family has a direct or indirect financial relationship (including an ownership interest or a compensation arrangement) with the entity, and prohibits the entity from billing Medicare or Medicaid for such DHS;- the federal False Claims Act, or the FCA, which imposes civil and criminal liability on individuals or entities that knowingly submit false or fraudulent claims for payment to the government or knowingly make, or cause to be made, a false statement in order to have a false claim paid, including qui tam or whistleblower suits. There are many potential bases for liability under the FCA. The government has used the FCA to prosecute Medicare and other government healthcare program fraud such as coding errors, billing for services not provided, and providing care that is not medically necessary or that is substandard in quality. In addition, we could be held liable under the FCA if we are deemed to "cause" the submission of false or fraudulent claims by, for example, providing inaccurate billing, coding or risk adjustment information to our physician partners through Provider Portal and Analytic Management Tools, respectively. The government may also assert that a claim including items or services resulting from a violation of the AKS or Stark Law constitutes a false or fraudulent claim for purposes of the FCA;- the Civil Monetary Penalties Statute, which prohibits, among other things, an individual or entity from offering remuneration to a federal healthcare program beneficiary that the individual or entity knows or should know is likely to influence the beneficiary to order or receive healthcare items or services from a particular provider;- the criminal healthcare fraud provisions of HIPAA and related rules that prohibit knowingly and willfully executing a scheme or artifice to defraud any healthcare benefit program or falsifying, concealing or covering up a material fact or making any material false, fictitious or fraudulent statement in connection with the delivery of or payment for healthcare benefits, items or services. Similar to the AKS, a person or entity does not need to have actual knowledge of the statute or specific intent to violate it to have committed a violation;- reassignment of payment rules that prohibit certain types of billing and collection practices in connection with claims payable by the Medicare or Medicaid programs;- similar state law provisions pertaining to anti-kickback, self-referral and false claims issues, some of which may apply to items or services reimbursed by any payor, including patients and commercial insurers;- laws that regulate debt collection practices;- a provision of the Social Security Act that imposes criminal penalties on healthcare providers who fail to disclose, or refund known overpayments;- federal and state laws that prohibit providers from billing and receiving payment from Medicare and Medicaid for services unless the services are medically necessary, adequately and accurately documented, and billed using codes that accurately reflect the type and level of services rendered; and - federal and state laws pertaining to the provision of services by nurse practitioners and physician assistants in certain settings, physician supervision of those services, and reimbursement requirements that depend on the types of services provided and documented and relationships between physician supervisors and nurse practitioners and physician assistants. The laws and regulations in these areas are complex, changing and often subject to varying interpretations. As a result, there is no guarantee that a government authority will find that we or our partner physicians or other healthcare professionals are in compliance with all such laws and regulations that apply to our business. Further, because of the breadth of these laws and the narrowness of the statutory exceptions and safe harbors available, it is possible that some of the business activities undertaken by us or our partner physicians or other healthcare professionals could be subject to challenge under one or more of these laws, including, without limitation, our patient assistance programs that waive or reduce the patient's obligation to pay copayments, coinsurance or deductible amounts owed for the services we provide to them if they meet certain financial need criteria. If our operations are found to be in violation of any of such laws or any other governmental regulations that apply, we may be subject to significant penalties, including, without limitation, administrative, civil and criminal penalties, damages, fines, disgorgement, the curtailment or restructuring of operations, integrity oversight and reporting obligations, exclusion from participation in federal and state healthcare programs and imprisonment. In addition, any action against us or our partner physicians or other physician partners for violation of these laws or regulations, even if we successfully defend against it, could cause us to incur significant legal expenses, divert our management's attention from the operation of our business and result in adverse publicity, or otherwise experience a material adverse impact on our business, results of operations, financial condition, cash flows, reputation as a result.

We may become subject, from time to time, to legal proceedings, federal and state audits, government investigations, and payor audits, investigations, overpayments, and claims that arise in the ordinary course of business such as claims brought by our clients in connection with commercial disputes or employment claims made by our current or former associates. Litigation and audits may result in substantial costs and may divert management's attention and resources, which may substantially harm our business, financial condition and results of operations. Insurance may not cover such claims, may not provide sufficient payments to cover all of the costs to resolve one or more such claims and may not continue to be available on terms acceptable to us. A claim brought against us that is uninsured or underinsured could result in unanticipated costs, thereby reducing our earnings and leading analysts or potential investors to reduce their expectations of our performance, which could reduce the market price of our Common Stock.

It is common in the medical services industry for primary care physicians to be affiliated with multiple IPAs. Our affiliated IPA therefore may enter into agreements with physicians who are also affiliated with our competitors. However, some of our competitors at times have agreements with physicians that require the physician to provide exclusive services. Our affiliated IPA often has no knowledge, and no way of knowing, whether a physician is subject to an exclusivity agreement without being informed by the physician. Competitors could initiate lawsuits against us alleging in part interference with such exclusivity arrangements. An adverse outcome from any such lawsuit could adversely affect our business, cash flows and financial condition.

Our success is dependent upon a continued ability to maintain an adequate staff of qualified providers to staff the facilities. If we are unable to recruit and retain physicians and other healthcare professionals, it would have a material adverse effect on its business and ability to grow and would adversely affect the results of operations. In any particular market, providers could demand higher payments or take other actions that could result in higher medical costs, less attractive service for our customers or difficulty meeting applicable regulatory or accreditation requirements. Our ability to develop and maintain satisfactory relationships with providers also may be negatively impacted by other factors not associated with us, such as changes in reimbursement levels and consolidation activity among hospitals, physician groups and healthcare providers, the continued private equity investment in physician practice management platforms and other market and operating pressures on healthcare providers. The failure to maintain or to secure new cost-effective provider contracts may result in a loss of or inability to staff existing or new facilities, higher costs, less attractive service for patients and/or difficulty in meeting applicable regulatory requirements, any of which could have a material adverse effect on our business, financial condition and results of operations.

Each time a new physician joins us or our affiliated IPA groups, we must enroll the physician under our applicable group identification number for Medicare and Medicaid programs and for certain managed care and private insurance programs before we can receive reimbursement for services the physician renders to beneficiaries of those programs. The estimated time to receive approval for the enrollment is sometimes difficult to predict and, in recent years, the Medicare program carriers often have not issued these numbers to our affiliated physicians in a timely manner. These practices result in delayed reimbursement that may adversely affect our cash flows.

Our success depends largely upon the continued services of key members of senior management, including our chief executive officer. We also rely on our leadership team in the areas of operations and general and administrative functions. From time to time, there may be changes in our management team resulting from the hiring or departure of executives, which could disrupt our business. The replacement of one or more of our executive officers or other key employees would likely involve significant time and costs and may significantly delay or prevent the achievement of our business objectives. Our business would also be adversely affected if we fail to adequately plan for succession of our executives and senior management; or if we fail to effectively recruit, integrate, retain and develop key talent and/or align our talent with our business needs, in light of the current rapidly changing environment. While we have succession plans in place and we have employment arrangements with our key executives, these do not guarantee that the services of these or suitable successor executives will continue to be available to us. Competition for qualified personnel in our field is intense due to the limited number of individuals who possess the skills and experience required by our industry. As a result, as we enter new geographies, it may be difficult for us to hire additional qualified personnel with the necessary skills to work in such geographies. If our hiring efforts in new or existing geographies are not successful, our business will be harmed. In addition, we have experienced employee turnover and expect to continue to experience employee turnover in the future. New hires require significant training and, in most cases, take significant time before they achieve full productivity. New employees may not become as productive as we expect, and we may be unable to hire or retain sufficient numbers of qualified individuals. If our retention efforts are not successful or our employee turnover rate increases in the future, our business, financial condition, cash flows and results of operations will be harmed. In addition, in making employment decisions, job candidates often consider the value of the stock options or other equity instruments they are to receive in connection with their employment. Volatility in the price of our stock may, therefore, adversely affect our ability to attract or retain highly skilled personnel. Further, the requirement to expense stock options and other equity instruments may discourage us from granting the size or type of stock option or equity awards that job candidates require to join our company. Failure to attract new personnel or failure to retain and motivate our current personnel, could have a material adverse effect on our business, financial condition and results of operations.

Our information technology systems facilitate our ability to conduct our business. While we have disaster recovery systems and business continuity plans in place, any disruptions in our disaster recovery systems or the failure of these systems to operate as expected could, depending on the magnitude of the problem, adversely affect our operating results by limiting our capacity to effectively monitor and control our operations. Despite our implementation of a variety of security measures, our information technology systems could be subject to physical or electronic break-ins, and similar disruptions from unauthorized tampering or any weather-related disruptions where our headquarters is located. In addition, in the event that a significant number of our management personnel were unavailable in the event of a disaster, our ability to effectively conduct business could be adversely affected. In the ordinary course of our business, we, our partner physicians or other physician partners collect and store sensitive data, including personally identifiable information, protected health information, or PHI, intellectual property and proprietary business information owned or controlled by us or our employees, members and other parties. We manage and maintain our applications and data utilizing a combination of on-site systems and cloud-based data centers. We utilize external security and infrastructure vendors to provide and manage parts of our information technology systems, including our data centers. These applications and data encompass a wide variety of business-critical information, including research and development information, customer information, commercial information and business and financial information. We face a number of risks with respect to the protection of this information, including loss of access, inappropriate use or disclosure, unauthorized access, inappropriate modification and the risk of being unable to adequately monitor and audit and modify our controls over our critical information. This risk extends to the third-party vendors and subcontractors we use to manage this sensitive data or otherwise process it on our behalf. A breach or failure of our or our third-party vendors' or subcontractors' network, hosted service providers or vendor systems could result from a variety of circumstances and events, including third-party action, employee negligence or error, malfeasance, computer viruses, cyber-attacks by computer hackers such as denial-of-service and phishing attacks, failures during the process of upgrading or replacing software and databases, power outages, hardware failures, telecommunication failures, user errors, or catastrophic events. If these third-party vendors or subcontractors fail to protect their information technology systems and our confidential and proprietary information, we may be vulnerable to disruptions in service and unauthorized access to our confidential or proprietary information and we could incur liability and reputational damage. The secure processing, storage, maintenance and transmission of information are vital to our operations and business strategy, and we devote significant resources to protecting such information. Although we take reasonable measures to protect sensitive data from unauthorized access, use or disclosure, our information technology and infrastructure may still be vulnerable to, and we have in the past experienced, low-threat attacks by hackers or breaches due to employee error, malfeasance or other malicious or inadvertent disruptions. Further, attacks upon information technology systems are increasing in their frequency, levels of persistence, sophistication and intensity, and are being conducted by sophisticated and organized groups and individuals with a wide range of motives and expertise. We may also face increased cybersecurity risks due to our reliance on internet technology and the number of our employees who are working remotely, which may create additional opportunities for cybercriminals to exploit vulnerabilities. Furthermore, because the techniques used to obtain unauthorized access to, or to sabotage, systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period. Any such breach or interruption could compromise our networks and the information stored there could be accessed by unauthorized parties, publicly disclosed, lost or stolen. Our information systems must also be continually updated, patched and upgraded to protect against known vulnerabilities. The volume of new vulnerabilities has increased markedly, as has the criticality of patches and other remedial measures. In addition to remediating newly identified vulnerabilities, previously identified vulnerabilities must also be continuously addressed. Accordingly, we are at risk that cyber-attackers exploit these known vulnerabilities before they have been addressed. Any access, breach, or other loss of information could result in legal claims or proceedings, and liability under federal or state laws that protect the privacy of personal information, and corresponding regulatory penalties. In addition, we could face criminal liability, damages for contract breach and incur significant costs for remedial measures to prevent future occurrences and mitigate past violations. Notice of breaches may be required to be made to affected individuals or other state or federal regulators, and for extensive breaches, notice may need to be made to the media or State Attorneys General. Such a notice could harm our reputation and our ability to compete. Although we maintain insurance covering certain security and privacy damages and claim expenses, we may not carry insurance or maintain coverage sufficient to compensate for all liability and in any event, insurance coverage would not address the reputational damage that could result from a security incident. Despite our implementation of security measures to prevent unauthorized access, our data is currently accessible through multiple channels, and there is no guarantee we can protect our data from breach. Unauthorized access, loss or dissemination could also disrupt our operations and damage our reputation, any of which could adversely affect our business.

Because we provide emergency medicine services, we do not have extensive relationships with large commercial payors and are generally out-of-network. Although some licensed facilities are in-network with payors, the Company's general payor contracting/government enrollment strategy is to remain out of network. Since we do not have any contractual arrangements with insurance companies, we cannot predict the timing and amount of the payments we ultimately receive for our services and estimates and assumptions, which are based on historical insurance payment amounts and timing. In addition, as a result of the NSA becoming effective on January 1, 2022, we experienced a significant decline in collections of patient claims for emergency services and have had only limited success at achieving collections at or higher than the established qualifying payment amount, which is the median in-network contracted rate for the same insurance market. Any sustained decline in the collections we receive for our emergency services could have a material adverse effect on our operations and financial performance and may negatively affect the trading value of our Common Stock. Further, our reimbursements may be delayed due to cyberattacks on electronic payment system providers. For example, as reported by United Health Group Incorporated in its Current Report on Form 8-K filed February 22, 2024, on February 21, 2024 a cyberattack was launched on the information technology systems of its subsidiary, Change Healthcare, one of the largest providers of healthcare payment systems in the United States, which continues to impact medical claims and payment systems nationwide. We are currently unable to estimate the extent of the delays such disruptions will have on our ability to collect payments.