P3 Health Partners (PIII) Risk Factors

The U.S. healthcare industry is heavily regulated and closely scrutinized by federal, state and local governments. Comprehensive statutes and regulations govern the manner in which we provide and bill for services and collect reimbursement from governmental programs and private payors, our contractual relationships and arrangements with healthcare providers and vendors, our marketing activities and other aspects of our operations. Of particular importance are: - the federal Anti-Kickback Statute (the "AKS"), which prohibits the knowing and willful offer, payment, solicitation or receipt of any bribe, kickback, rebate or other remuneration for referring an individual, in return for ordering, leasing, purchasing or recommending or arranging for or to induce the referral of an individual or the ordering, purchasing or leasing of items or services covered, in whole or in part, by any federal healthcare program, such as Medicare and Medicaid. Although there are several statutory exceptions and regulatory safe harbors protecting certain common activities from prosecution, the exceptions and safe harbors are drawn narrowly. By way of example, the AKS safe harbor for value-based arrangements requires,among other things, that the arrangement does not induce a person or entity to reduce or limit medically necessary items or services furnished to any patient. Failure to meet the requirements of a safe harbor, however, does not render an arrangement illegal, although such arrangements may be subject to greater scrutiny by government authorities. Further, a person or entity does not need to have actual knowledge of the statute or specific intent to violate it to have committed a violation;- the federal physician self-referral law (the "Stark Law"), which, subject to limited exceptions, prohibits physicians from referring Medicare or Medicaid patients to an entity for the provision of certain designated health services ("DHS"), if the physician or a member of such physician's immediate family has a direct or indirect financial relationship (including an ownership interest or a compensation arrangement) with the entity, and prohibits the entity from billing Medicare or Medicaid for such DHS. Unlike the AKS, the Stark Law is violated if the financial arrangement does not meet an applicable exception, regardless of any intent by the parties to induce or reward referrals or the reasons for the financial relationship and the referral;- the federal False Claims Act (the "FCA"), which imposes civil and criminal liability on individuals or entities that knowingly submit false or fraudulent claims for payment to the government or knowingly make, or cause to be made, a false statement in order to have a false claim paid, including qui tam or whistleblower suits. There are many potential bases for liability under the FCA. The government has used the FCA to prosecute Medicare and other government healthcare program fraud; including alleged upcoding or improper coding of diagnosis codes under the risk-adjustment methodology, billing for services not provided, and providing care that is not medically necessary or that is substandard in quality. In addition, we could be held liable under the FCA if we are deemed to "cause" the submission of false or fraudulent claims by, for example, providing inaccurate billing, coding or risk adjustment information to our affiliated professional entities and other physician partners through Provider Portal and Analytic Management Tools, respectively. The government may also assert that a claim including items or services resulting from a violation of the AKS or Stark Law constitutes a false or fraudulent claim for purposes of the FCA;- the Civil Monetary Penalties Statute, which prohibits, among other things, an individual or entity from offering remuneration to a federal healthcare program beneficiary that the individual or entity knows or should know is likely to influence the beneficiary to order or receive healthcare items or services from a particular provider;- the criminal healthcare fraud provisions of HIPAA and related rules that prohibit knowingly and willfully executing a scheme or artifice to defraud any healthcare benefit program or falsifying, concealing or covering up a material fact or making any material false, fictitious or fraudulent statement in connection with the delivery of or payment for healthcare benefits, items or services. Similar to the AKS, a person or entity does not need to have actual knowledge of the statute or specific intent to violate it to have committed a violation;- reassignment of payment rules that prohibit certain types of billing and collection practices in connection with claims payable by the Medicare or Medicaid programs;- similar state law provisions pertaining to anti-kickback, self-referral and false claims issues, some of which may apply to items or services reimbursed by any payor, including patients and commercial insurers;- laws that regulate debt collection practices;- a provision of the Social Security Act that imposes criminal penalties on healthcare providers who fail to disclose, or refund known overpayments;- federal and state laws that prohibit providers from billing and receiving payment from Medicare and Medicaid for services unless the services are medically necessary, adequately and accurately documented, and billed using codes that accurately reflect the type and level of services rendered; and - federal and state laws pertaining to the provision of services by nurse practitioners and physician assistants in certain settings, physician supervision of those services, and reimbursement requirements that depend on the types of services provided and documented and relationships between physician supervisors and nurse practitioners and physician assistants. The laws and regulations in these areas are complex, changing and often subject to varying interpretations. As a result, there is no guarantee that a government authority will find that we or our affiliated professional entities or other physician partners are in compliance with all such laws and regulations that apply to our business. Further, because of the breadth of these laws and the narrowness of the statutory exceptions and safe harbors available, it is possible that some of the business activities undertaken by us or our affiliated professional entities or other physician partners could be subject to challenge under one or more of these laws, including, without limitation, our patient assistance programs that waive or reduce the patient's obligation to pay copayments, coinsurance or deductible amounts owed for the services we provide to them if they meet certain financial need criteria. If our operations are found to be in violation of any of such laws or any other governmental regulations that apply, we may be subject to significant penalties, including, without limitation, administrative, civil and criminal penalties, damages, fines, disgorgement, the curtailment or restructuring of operations, integrity oversight and reporting obligations, exclusion from participation in federal and state healthcare programs and imprisonment. In addition, any action against us or our affiliated professional entities or other physician partners for violation of these laws or regulations, even if we successfully defend against it, could cause us to incur significant legal expenses, divert our management's attention from the operation of our business and result in adverse publicity, or otherwise experience a material adverse impact on our business, results of operations, financial condition, cash flows, reputation as a result.

As a result of our participation in the Medicare and Medicaid programs, we are subject to various governmental inspections, reviews, audits and investigations to verify our compliance with these programs and applicable laws and regulations. Other third-party payors may also reserve the right to conduct audits. We also periodically conduct internal audits and reviews of our regulatory compliance. An adverse inspection, review, audit or investigation could result in: - refunding amounts we have been paid pursuant to the Medicare or Medicaid programs or from payors;- state or federal agencies imposing fines, penalties and other sanctions on us;- temporary suspension of payment for new patients to the facility or agency;- decertification or exclusion from participation in the Medicare or Medicaid programs or one or more payor networks;- self-disclosure of violations to applicable regulatory authorities;- damage to our reputation;- the revocation of a facility's or agency's license;- criminal penalties;- a corporate integrity agreement with HHS's Office of Inspector General; and - loss of certain rights under, or termination of, our contracts with payors. We have in the past and will likely in the future be required to refund amounts we have been paid and/or pay fines and penalties as a result of these inspections, reviews, audits and investigations. If adverse inspections, reviews, audits or investigations occur and any of the results noted above occur, it could have a material adverse effect on our business and operating results. Furthermore, the legal, document production and other costs associated with complying with these inspections, reviews, audits or investigations could be significant.

We are subject to federal and state income and non-income taxes in the United States. Tax laws, regulations, and administrative practices in various jurisdictions may be subject to significant change, with or without notice, due to economic, political, and other conditions, and significant judgment is required in evaluating and estimating these taxes. Our effective tax rates could be affected by numerous factors, such as entry into new businesses and geographies, changes to our existing business and operations, acquisitions and investments and how they are financed, changes in our stock price, changes in our deferred tax assets and liabilities and their valuation, and changes in the relevant tax, accounting, and other laws, regulations, administrative practices, principles and interpretations. We are required to take positions regarding the interpretation of complex statutory and regulatory tax rules and on valuation matters that are subject to uncertainty, and tax authorities may challenge the positions that we take.

Numerous state and federal laws, regulations, standards and other legal obligations, including consumer protection laws and regulations, which govern the collection, dissemination, use, access to, confidentiality, security and processing of personal information, including health-related information, could apply to our operations or the operations of our partners. For example, HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and regulations implemented thereunder (collectively, "HIPAA"), imposes privacy, security and breach notification obligations on certain healthcare providers, health plans, and healthcare clearinghouses, known as covered entities, as well as their business associates that perform certain services that involve creating, receiving, maintaining or transmitting individually identifiable health information for or on behalf of such covered entities, and their covered subcontractors. HIPAA requires covered entities, such as the affiliated professional entities or other physician partners, and business associates, such as us, to develop and maintain policies with respect to the protection of, use and disclosure of PHI, including the adoption of administrative, physical and technical safeguards to protect such information, and certain notification requirements in the event of a breach of unsecured PHI. Additionally, under HIPAA, covered entities must report breaches of unsecured PHI to affected individuals without unreasonable delay, not to exceed 60 days following discovery of the breach by a covered entity or its agents. Notification also must be made to the HHS Office for Civil Rights and, in certain circumstances involving large breaches, to the media. Business associates must report breaches of unsecured PHI to covered entities within 60 days of discovery of the breach by the business associate or its agents. A non-permitted use or disclosure of PHI is presumed to be a breach under HIPAA unless the covered entity or business associate establishes that there is a low probability the information has been compromised consistent with requirements enumerated in HIPAA. Entities that are found to be in violation of HIPAA as the result of a breach of unsecured PHI, a complaint about privacy practices or an audit by HHS may be subject to significant civil, criminal and administrative fines and penalties and/or additional reporting and oversight obligations if required to enter into a resolution agreement and corrective action plan with HHS to settle allegations of HIPAA non-compliance. HIPAA also authorizes state Attorneys General to file suit on behalf of their residents. Courts may award damages, costs and attorneys' fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. The Federal Trade Commission (the "FTC") also has authority to initiate enforcement actions against entities that mislead customers about HIPAA compliance, make deceptive statements about privacy and data sharing in privacy policies, fail to limit third-party use of personal health information, fail to implement policies to protect personal health information or engage in other unfair practices that harm customers or that may violate Section 5(a) of the FTC Act. Even when HIPAA does not apply, according to the FTC, violating consumers' privacy rights or failing to take appropriate steps to keep consumers' personal information secure may constitute unfair and/or deceptive acts or practices in violation of Section 5(a) of the Federal Trade Commission Act. The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. We expect even greater scrutiny by federal and state regulators, partners, and consumers of our collection, use and disclosure of health information. Additionally, federal and state consumer protection laws are increasingly being applied by FTC and states' attorneys general to regulate the collection, use, storage, and disclosure of personal information, through websites or otherwise, and to regulate the presentation of website content. Further, certain states have also adopted comparable privacy and security laws and regulations which govern the privacy, processing and protection of health-related and other personal information. Such laws and regulations will be subject to interpretation by various courts and other governmental authorities, thus creating potentially complex compliance issues for us and our future customers and strategic partners. For example, the state of Nevada enacted a law that went into force on October 1, 2019 and requires companies to honor consumers' requests to no longer sell their data. Further, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA") requires covered businesses that process the personal information of California residents to, among other things: provide certain disclosures to California residents regarding the business's collection, use, and disclosure of their personal information; receive and respond to requests from California residents to access, delete, and correct their personal information, or to opt out of certain disclosures of their personal information, and enter into specific contractual provisions with service providers that process California resident personal information on the business's behalf. California's Confidentiality of Medical Information Act (the "CMIA") places restrictions on the use and disclosure of health information, including PHI, and other personal information, and can impose a significant compliance obligation. Violations of the CMIA can result in criminal, civil and administrative sanctions, and the CMIA also provides individuals a private right of action with respect to disclosures of their health information that violate CMIA. In the event that we are subject to or affected by HIPAA, the CCPA, or other domestic privacy and data protection laws, any liability from failure to comply with the requirements of these laws could adversely affect our financial condition. Washington State also enacted a broadly applicable law to protect the privacy of personal health information known as the "My Health My Data Act," which generally requires affirmative consent for the collection, use, or sharing of any "consumer health data." Consumer health data is defined to include personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health status; consumer health data also includes information that is derived or extrapolated from non-health information, such as algorithms and machine learning. Nevada has also passed a similar consumer health data law, and given the increased focus on the use of health data by entities that are not subject to HIPAA, additional states are expected to pass consumer health privacy laws. Although we work to comply with applicable laws, regulations and standards, our contractual obligations and other legal obligations, these requirements are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another or other legal obligations with which we must comply. Any failure or perceived failure by us or our employees, representatives, contractors, consultants, collaborators, or other third parties to comply with such requirements or adequately address privacy and security concerns, even if unfounded, could result in additional cost and liability to us, damage our reputation, and adversely affect our business and results of operations.

Our business success depends on our ability to attract and retain members, which significantly depends on our marketing practices. Our future growth and profitability will depend in large part upon the effectiveness and efficiency of our marketing efforts, including our ability to: - create greater awareness of our brand;- identify the most effective and efficient levels of spending in each market, media and specific media vehicle;- determine the appropriate creative messages and media mix for advertising, marketing and promotional expenditures;- effectively manage marketing costs (including creative and media) to maintain acceptable consumer acquisition costs;- select the most effective markets, media and specific media vehicles in which to advertise; and - convert consumer inquiries into clients and members. We believe that developing and maintaining widespread awareness of our brand in a cost-effective manner is critical to achieving widespread adoption of our services and attracting new clients and members. Our brand promotion activities may not generate consumer awareness or increase revenue, and even if they do, any increase in revenue may not offset the expenses we incur in building our brand. If we fail to successfully promote and maintain our brand, or incur substantial expenses in doing so, we may fail to attract or retain members necessary to realize a sufficient return on our brand-building efforts or to achieve the widespread brand awareness that is critical for broad adoption of our brands.

There is continued uncertainty about the scope, duration, severity, trajectory, and lasting impact of COVID-19. We continue to monitor the impact of COVID-19 on our business. The extent to which COVID-19 or a new pandemic, epidemic, or outbreak of an infectious disease may directly or indirectly impact our operations and results of operations will depend on multiple factors, including, but not limited to the ultimate geographic spread of the disease, the duration and scope of the outbreak, the emergence of variants, the availability and efficacy of vaccines, and government, social, business and other actions that are taken in response to the pandemic or outbreak. We may be unable to properly anticipate or prepare for these events and, as a result, our business may be materially adversely impacted. Due to COVID-19 or another pandemic or public health emergency, we have not been able to and in the future may not be able to document the health conditions of our members as completely as we have in the past. Medicare pays capitation using a "risk adjustment model," which compensates providers based on the health status (acuity) of each individual member. Payers with higher acuity members receive more, and those with lower acuity members receive less. Medicare requires that a patient's health issues be documented annually regardless of the permanence of the underlying causes. Historically, this documentation was required to be completed during an in-person visit with a patient. As part of the Coronavirus Aid, Relief and Economic Security Act ("CARES Act"), Medicare is now allowing documentation for conditions identified during video visits with patients. However, given the disruption caused by COVID-19, it is unclear whether we will be able to document the health conditions of our members as comprehensively as we did before COVID-19, which may adversely impact our revenue in future periods. Due to our recurring contracted revenue model, COVID-19 has not historically had a material impact on our revenue. Nearly 99% of our total revenue during the years ended December 31, 2023 and 2022 is recurring, consisting of fixed per member per month capitation payments received from MA health plans. Because of the nature of capitation arrangements, the full impact of the COVID-19 may not be fully reflected in our results of operations and overall financial condition until future periods. To the extent COVID-19 adversely affects our business and financial results, it may also have the effect of heightening many of the other risks described in this "Risk Factors" section, including but not limited to the fact that our platform and the other systems or networks used in our business may experience an increase in attempted cyberattacks or targeted intrusion, ransomware, and phishing campaigns seeking to take advantage of shifts to employees working remotely using their household or personal internet networks. The success of any of these unauthorized attempts could substantially impact our platform, the proprietary and other confidential data contained therein or otherwise stored or processed in our operations, and ultimately our business, including but not limited to increased expenses incurred to improve our security controls and to remediate security vulnerabilities.

The 21st Century Cures Act (the "Cures Act"), which was passed and signed into law in December 2016, includes provisions related to data interoperability, information blocking and patient access. In March 2020, the HHS, Office of the National Coordinator for Health Information Technology, ("ONC"), and CMS finalized and issued complementary rules that are intended to clarify provisions of the Cures Act regarding interoperability and information blocking, and include, among other things, requirements surrounding information blocking, changes to ONC's health IT certification program and requirements that CMS regulated payors make relevant claims/care data and provider directory information available through standardized patient access and provider directory application programming interfaces that connect to provider electronic health record systems. The companion rules will transform the way in which healthcare providers, health IT developers, health information exchanges/health information networks ("HIEs/HINs"), and health plans share patient information, and create significant new requirements for healthcare industry participants. For example, the ONC rule, which went into effect on April 5, 2021, prohibits healthcare providers, health IT developers of certified health IT, and HIEs/HINs from engaging in practices that are likely to interfere with, prevent, materially discourage, or otherwise inhibit the access, exchange or use of electronic health information ("EHI"), also known as "information blocking." To further support access and exchange of EHI, the ONC rule identifies eight "reasonable and necessary activities" as exceptions to information blocking activities, as long as specific conditions are met. In June 2023, the HHS Office of Inspector General ("OIG") published its final rule implementing the statutory penalties for information blocking, which are up to $1 million per violation. Enforcement of information blocking penalties began on September 1, 2023. Further, in December 2023, ONC finalized its rule titled Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing ("HTI-1 Final Rule"). Among other things, the HTI-1 Final Rule narrows the scope of entities that qualify as certified health IT developers, makes updates to its Health IT Certification Program requirements, a voluntary program for certifying health IT, and modifies the information blocking exceptions. Any failure to comply with these rules could have a material adverse effect on our business, results of operations and financial condition.