Signify Health (SGFY) Risk Analysis

Signify, through its Caravan subsidiary which was acquired in March 2022, is the owner of, and/or provider of management services to, a number of accountable care organizations ("ACOs") that participate in the Medicare Shared Savings Program ("MSSP") and a similar arrangement with a commercial payor. The MSSP is a voluntary program that encourages various healthcare providers to come together as an ACO to provide high quality, coordinated care to Medicare beneficiaries who are assigned or voluntarily aligned to the ACO. The ACO and its participating providers agree to be accountable for the quality, cost and experience of care of each such Medicare fee-for-service beneficiary in its population. The MSSP offers different participation options (known as tracks) that allow ACOs and their participating providers to assume various levels of risk. Under the MSSP, participating providers continue to receive traditional Medicare fee-for-service payments under Medicare Parts A and B. ACOs that successfully meet quality and savings requirements share a percentage of the savings with Medicare. ACOs under two-sided performance-based risk tracks, including Levels C, D, or E of the BASIC track and the ENHANCED track, may also be required to repay Medicare for a certain percentage of the losses. Shared savings and shared losses are determined by comparing actual Medicare expenditures under Parts A and B for Medicare beneficiaries assigned to the ACO to certain benchmarks established by CMS. We and our ACOs rely on CMS for guidance with respect to various aspects of our participation in the MSSP and are dependent on CMS to provide us with accurate data, claims benchmarking and calculations, timely payments, and to conduct periodic process reviews and other audits. Should issues arise with respect to CMS performing these functions, this could adversely affect our ACO's ability to achieve savings and as a result, our business, financial condition and results of operations. Certain aspects of the participation of our ACOs and their participants in the MSSP rely on waivers of certain of the federal fraud and abuse laws that were jointly issued by the OIG and CMS. We have invested significant time, effort and resources in structuring our business and organizational arrangements and in establishing related infrastructure to comply with the myriad requirements under the MSSP, including the requirements set forth in the waivers. Should those requirements change or the MSSP be terminated, this could adversely affect our business, financial condition and results of operations. In addition, if, in the future, we or our ACOs or their participants are found to have not complied with various aspects of the MSSP, including the waivers, we could be subject to a variety of monetary sanctions or other penalties, any of which could adversely affect our business, financial condition and results of operations. As currently structured, our financial returns from the participation of our ACOs in the MSSP are largely or solely dependent on the ACOs meeting certain quality objectives while achieving shared savings. We enter into contracts with our customers to provide services around the management of ACOs. These services include population health software, analytics, practice improvement, compliance, marketing, governance, and formation, application and filing support. The purpose of these services is to help our customers receive shared savings from CMS. If we provide incorrect data to our customers upon which our customers act, or if through our services, we encourage our customers to invest in projects or take actions that do not produce the results that we or our customers expected, the ACO may not achieve shared savings or may incur shared losses. We, in turn, enter into contracts with our customers wherein we receive a contracted percentage of each customer's portion of shared savings if earned or, if applicable, shared losses. Although we work with the ACO participants to meet quality objectives while achieving shared savings, we do not solely control the achievement of shared savings. ACOs may fail to achieve shared savings, or may incur shared losses, or may be terminated in their entirety for a variety of reasons, including factors beyond our control, such as governmental or regulatory action, natural disasters, the potential effects of climate change, major epidemics, pandemics (such as COVID-19), or newly emergent viruses. We also rely on our ACO provider customers to provide us with data to inform our provision of services to them, and to submit for quality reporting to CMS. If the data provided to us by our customers is incorrect, incomplete or untimely, we may be unable to timely and accurately perform our services, or submit required reporting to CMS on behalf of the ACO,which may negatively affect our ACOs' ability to achieve shared savings or even cause CMS to terminate an ACO's participation in the MSSP. Should the ACOs fail to achieve shared savings or suffer shared losses where the ACO has assumed responsibility for certain shared losses, this could adversely affect our business, financial condition and results of operations We recognize shared savings revenue as performance obligations which are satisfied over time, commensurate with the recurring ACO services provided to the customer over a 12-month calendar year period. The shared savings transaction price is variable, and therefore, we estimate an amount we expect to receive for each 12-month calendar year performance obligation period. There are significant risks associated with estimating the anticipated amount of shared savings or shared losses from our ACOs. To estimate this variable consideration, we initially use estimates of historical performance of the ACOs. We consider inputs such as assigned patients, expenditures, benchmarks and inflation factors, and we adjust our estimates at the end of each reporting period to the extent new information indicates a change is needed. Although our estimates are based on the information available to us at each reporting date, new and material information may cause actual revenue earned to differ from the estimates recorded each period. These include, among others, Hierarchical Conditional Category ("HCC") coding information, quarterly reports from CMS with information on the inputs described above, unexpected changes in assigned patients, and/or other limitations of the program beyond our control. We receive final reconciliations from CMS and collect our portion of shared savings, if any, in the third or fourth quarter of each year for the preceding calendar year. If our estimates of revenue are materially inaccurate, it could impact the timing and amount of our revenue recognition or have a material adverse effect on our business, results of operations, financial condition and cash flows.

Because we support our health plan customers' participation in Medicare and Medicaid, and other state and federal health care programs, we are subject to inspections, reviews, audits and investigations by them to verify our compliance with these programs and applicable laws and regulations. We also periodically conduct internal audits and reviews of our regulatory compliance. An adverse inspection, review, audit or investigation could result in: - refunding amounts we have been paid by health plans;- state or federal agencies imposing fines, penalties and other sanctions on us;- decertification or exclusion from participation in one or more health plan networks;- self-disclosure of violations to applicable regulatory authorities;- damage to our reputation; and - loss of certain rights under, or termination of, our contracts with health plans. We have in the past and will likely in the future be required to refund amounts we have been paid and/or pay fines and penalties as a result of these inspections, reviews, audits and investigations. If adverse inspections, reviews, audits or investigations occur and any of the results noted above occur, it could have a material adverse effect on our business and operating results. Furthermore, the legal, document production and other costs associated with complying with these inspections, reviews, audits or investigations could be significant.

We acquired certain favorable tax attributes in connection with the Reorganization Transactions. In addition, past and future taxable redemptions or exchanges by the members of Cure TopCo of LLC Units for shares of our Class A common stock or cash, as well as other transactions described herein, are expected to result in favorable tax attributes for us. These tax attributes would not be available to us in the absence of those transactions and are expected to reduce the amount of tax that we would otherwise be required to pay in the future. In connection with the IPO, we entered into the Tax Receivable Agreement with certain direct and indirect equity holders of Cure TopCo, among others (the "TRA Parties"), under which we generally are required to pay to the TRA Parties, in the aggregate, 85% of the amount of cash savings, if any, in U.S. federal, state and local income tax that we actually realize as a result of (i) certain favorable tax attributes we acquired in connection with the Reorganization Transactions, (ii) increases in our allocable share of existing tax basis and tax basis adjustments that may result from redemptions or exchanges of LLC Units by members of Cure TopCo for cash or Class A common stock, and certain payments made under the Tax Receivable Agreement and (iii) deductions in respect of interest and certain compensatory payments made under the Tax Receivable Agreement. The payment obligations under the Tax Receivable Agreement are our obligations and not the obligations of Cure TopCo. On September 2, 2022, we amended the Tax Receivable Agreement in connection with our entry into the Merger Agreement with CVS which, among other things, suspended all payments under the Tax Receivable Agreement. In the event the Merger Agreement is terminated, the amendment to the Tax Receivable Agreement will become null and void. We expect that payments we will be required to make under the Tax Receivable Agreement will be substantial. The actual tax basis adjustments that may result from future taxable redemptions or exchanges of LLC Units, as well as the amount and timing of the payments we are required to make under the Tax Receivable Agreement will depend on a number of factors, including the market value of our Class A common stock at the time of such redemptions or exchanges, the prevailing federal tax rates applicable to us over the life of the Tax Receivable Agreement (plus the assumed combined state and local tax rate) and the amount and timing of the taxable income that we generate in the future. Payments under the Tax Receivable Agreement are not conditioned on our existing owners' continued ownership of us. Payments under the Tax Receivable Agreement are based on the tax reporting positions we determine, and the IRS or another tax authority may challenge all or a part of the deductions, existing tax basis, tax basis increases, NOLs or other tax attributes subject to the Tax Receivable Agreement, and a court could sustain such challenge. Payments we will be required to make under the Tax Receivable Agreement generally will not be reduced as a result of any taxes imposed on us, Cure TopCo or any direct or indirect subsidiary thereof that are attributable to a tax period (or portion thereof) ending on the date of the Reorganization Transactions or the completion of the IPO. Further, TRA Parties will not reimburse us for any payments previously made if such tax attributes are subsequently disallowed, except that any excess payments made to a TRA Party will be netted against future payments otherwise to be made to such TRA Party under the Tax Receivable Agreement, if any, after our determination of such excess. In addition, the actual state or local tax savings we may realize may be different than the amount of such tax savings we are deemed to realize under the Tax Receivable Agreement, which will be based on an assumed combined state and local tax rate applied to our reduction in taxable income as determined for U.S. federal income tax purposes as a result of the tax attributes subject to the Tax Receivable Agreement. In both such circumstances, we could make payments to the TRA Parties that are greater than our actual cash tax savings and we may not be able to recoup those payments, which could negatively impact our liquidity. The Tax Receivable Agreement provides that (1) in the event that we breach any of our material obligations under the Tax Receivable Agreement, (2) at the election of the TRA Parties, upon certain changes of control or (3) if, at any time, we elect an early termination of the Tax Receivable Agreement, our obligations under the Tax Receivable Agreement (with respect to all LLC Units, whether or not LLC Units have been exchanged or acquired before or after such transaction) would accelerate and become payable in a lump sum amount equal to the present value of the anticipated future tax benefits calculated based on certain assumptions, including that we would have sufficient taxable income to fully utilize the deductions arising from the tax deductions, tax basis and other tax attributes subject to the Tax Receivable Agreement. The change of control provisions in the Tax Receivable Agreement may result in situations where the stockholders who are TRA Parties have interests that differ from or are in addition to those of our other stockholders. Finally, because we are a holding company with no operations of our own, our ability to make payments under the Tax Receivable Agreement depends on the ability of Cure TopCo to make distributions to us. To the extent that we are unable to make payments under the Tax Receivable Agreement for any reason, such payments will be deferred and will accrue interest until paid; provided, however, that nonpayment for a specified period may constitute a breach of a material obligation under the Tax Receivable Agreement and therefore accelerate payments due under the Tax Receivable Agreement, which could negatively impact our results of operations and could also affect our liquidity in periods in which such payments are made.

Numerous state and federal laws and regulations govern the collection, dissemination, use, privacy, confidentiality, security, availability, integrity, creation, receipt, transmission, storage and other processing of data we hold, including PHI and PII. These laws and regulations include HIPAA, 42 C.F.R. Part 2, and a range of other federal and state laws and regulations that protect data pertaining to specific conditions, such as substance abuse disorder information, HIV/AIDS, genetic disorders, mental and behavioral health. These laws and regulations continue to evolve, and the cost of compliance with these laws, regulations and standards is high and is likely to increase in the future. HIPAA establishes a set of national privacy and security standards for the protection of PHI by health plans, healthcare clearinghouses and certain healthcare providers, referred to as covered entities, and the business associates with whom such covered entities contract for services. We may be acting as a covered entity in certain instances and as a business associate in other instances. As a business associate to our customers, we are also obligated to additional contractual requirements. HIPAA extensively regulates the use and disclosure of PHI and requires us to develop and maintain policies and procedures with respect to PHI that is used or disclosed, including the adoption of administrative, physical and technical safeguards to protect such information. Covered entities must report breaches of unsecured PHI without unreasonable delay to affected individuals, HHS and, in the case of larger breaches, the media. As a result of the COVID-19 pandemic, HHS's Office for Civil Rights ("OCR"), which enforces HIPAA, has issued a notice of enforcement discretion for telehealth remote communications, which states that OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with regulatory requirements under HIPAA against HIPAA-covered healthcare providers in connection with the good-faith provision of telehealth during the COVID-19 nationwide public health emergency. During the COVID-19 pandemic, our vIHEs have at times been conducted using several applications that allow for audio-video communications, such as Apple Face Time. OCR has stated that covered healthcare providers may use such applications without risk that OCR might seek to impose a penalty for noncompliance with HIPAA. OCR has also stated that it will not impose penalties against covered healthcare providers for the lack of a HIPAA Business Associate Agreement with video communication vendors (such as Apple) or any other noncompliance with HIPAA that relates to the good-faith provision of telehealth services during the COVID-19 nationwide public health emergency. Once the COVID-19 public health emergency ends, OCR's enforcement discretion will terminate, and ensuring full compliance may cause us to incur substantial costs or require us to change our business practices, systems or procedures in a manner that is adverse to our business. The failure to comply with HIPAA can result in civil monetary penalties and, in certain circumstances, criminal penalties including fines and/or imprisonment. A covered entity may be subject to penalties as a result of a business associate violating HIPAA, if the business associate is found to be an agent of the covered entity. HHS is required to perform compliance audits, and state attorneys general may enforce the HIPAA privacy and security regulations in response to violations that threaten the privacy of state residents. Although, HIPAA does not create a private right of action allowing individuals to sue us in civil court for alleged violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI or PII. Moreover, many state laws create state-specific private rights of action for conduct that would otherwise violate HIPAA or state law obligations. Class-action lawsuits are becoming an expected and more common occurrence in cases of breaches. In addition to HIPAA, numerous other federal and state laws and regulations designed to protect the collection, use, confidentiality, privacy, availability, creation, receipt, transmission, storage, integrity and security of PII have been enacted. For example, California Consumer Privacy Act ("CCPA"), which became effective on January 1, 2020, and was significantly modified by the California Privacy Rights Act ("CPRA"), which changes became fully effective January 1, 2023, extends expanded privacy rights and protections for California residents. The CCPA and the CPRA apply broadly to information that identifies or is associated with any California household or individual, and require that we implement several operational changes, including processes to respond to individuals' requests. The CPRA creates a new enforcement agency to enforce the CCPA and CPRA and imposes additional requirements on organizations that are subject to the legislation, including privacy risk assessments, audits and vendor contractual requirements for data sharing, license and access arrangements. The CCPA and CPRA provide for civil penalties for violations and allow private rights of action for data breaches. Other states are also considering enacting or have already enacted data privacy legislation. Privacy and data security statutes and regulations vary from state to state, and these laws and regulations in many cases are more restrictive than, and may not be preempted by, HIPAA and its implementing rules. These laws and regulations are often uncertain, contradictory, and subject to changing or differing interpretations. In addition, laws in all 50 states and other United States territories require businesses to provide notice to individuals whose PII has been disclosed as a result of a data breach. As we look to expand our workforce into Ireland, we may be subject to international data protection regulations related to the collection, transmission, storage and use of employee data. For example, the General Data Protection Regulation ("GDPR"), which became effective on May 25, 2018, imposes strict compliance obligations on the collection, use, retention, security, processing, transfer and deletion of PII and creates enhanced rights for individuals. The GDPR includes requirements to provide detailed notices about how personal data is collected and processed, demonstrating that an appropriate legal basis is in place or otherwise exists to justify data processing activities, granting rights for data subjects in regard to their personal data, the obligation to notify data protection regulators or supervisory authorities (and in certain cases, affected individuals) of significant data breaches and other compliance obligations. Under the GDPR, data protection authorities have the power to impose significant administrative fines for violations, up to the greater of €20 million or 4% of worldwide annual revenues, which may also lead to damages claims by data controllers and data subjects. The GDPR also requires that personal information transferred outside of the European Economic Area to jurisdictions that have not been deemed adequate by the European Commission, including the United States, be subject to certain safeguards taken to legitimize those data transfers. Recent legal developments in the E.U. have created complexity and uncertainty regarding such transfers. As a result, we may find it necessary to establish systems to maintain personal data originating from the E.U., which may involve substantial expense and may cause us to need to divert resources from other aspects of our business. In addition, as required by certain laws, we publicly post documentation regarding our privacy practices concerning the collection, processing, use and disclosure of certain data. The publication of our privacy policy and other documentation that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. In addition, although we endeavor to comply with our published policies and documentation, individuals could allege we have failed to do so, or we may at times actually fail to do so despite our efforts. We expect new laws, rules and regulations regarding privacy, data protection, and information security to be proposed and enacted in the future, and the interpretations of existing laws to change. In the event that new privacy and data security laws are implemented or requirements otherwise change, we may not be able to timely comply with such requirements, compliance with such requirements could require expending significant resources, or such requirements may not be compatible with our current processes. Complying with these various laws and regulations could cause us to incur substantial costs or require us to change our business practices, systems or compliance procedures in a manner that is adverse to our business. In addition to government regulation, privacy advocates and industry groups may propose self-regulatory standards from time to time. These and other industry standards may legally or contractually apply to us, or we may elect to comply with such standards or to facilitate our customers' compliance with such standards. In addition, our failure to adequately train or monitor our workforce with respect to the requirements of applicable privacy and data security laws and regulations, and our own policies and procedures, has exposed, and may in the future expose, us to risks, including risks resulting from inadvertent disclosures or unintentional acquisitions of, access to, or uses of PHI or PII. Although we have implemented data privacy and security measures in an effort to comply with applicable laws and regulations relating to privacy, data protection, and information security, some PHI and other PII or confidential information is transmitted to us by third parties (including, but not limited to, vendors and other service providers), who may not implement adequate security and privacy measures. We may be negatively impacted if such third parties fail to comply with security and privacy laws. In addition, health care providers and industry participants are also subject to a growing number of requirements intended to promote the interoperability and exchange of patient health information. For example, beginning April 5, 2021, health care providers and certain other entities are subject to information blocking restrictions pursuant to the 21st Century Cures Act that prohibit practices that are likely to interfere with the access, exchange or use of electronic health information, except as required by law or specified by HHS as a reasonable and necessary activity. We may also face audits or investigations by one or more domestic or foreign government agencies relating to our compliance with these laws and regulations. Any failure or perceived failure by us to comply with applicable laws or regulations governing the privacy, security and exchange of PII, our internal policies and procedures or our contracts governing our processing of personal information could result in negative publicity, government investigations and enforcement actions, significant fines or civil penalties, private claims, including class actions and claims of unfair or deceptive business practices, and damage to our reputation, any of which could have a material adverse effect on our business and our financial results.

The healthcare industry is subject to changing political, regulatory and other influences, including various scientific and technological innovations. In recent years, the U.S. Congress and certain state legislatures have passed and implemented a large number of laws and regulations intended to effect significant change within the U.S. healthcare system, including the Patient Protection and Affordable Care Act, as amended by the Health Care Education and Reconciliation Act of 2010 (collectively, the "ACA"), which affects how healthcare services are covered, delivered and reimbursed through expanded health insurance coverage, reduced growth in Medicare program spending, and the establishment of programs that tie reimbursement to quality and integration. A number of reforms implemented through the ACA impact our business and operations. For example, the ACA established the CMS Innovation Center, which supports the development and testing of innovative healthcare payment and service delivery models. If the ACA were repealed, replaced, or modified, in whole or in part, it could have an adverse effect on our business, results of operations, and financial condition. There is also uncertainty regarding whether, when and what other health reform measures will be adopted at the federal, state or local levels and the impacts of such provisions on providers and other healthcare industry participants. For example, some members of Congress have proposed measures that would expand government-funded coverage, and some states are considering or have implemented public health insurance options. CMS administrators may grant states certain additional flexibility in the administration of state Medicaid programs and may deny others. CMS administrators may also make changes to Medicaid payment models. The CMS Innovation Center has noted the need to accelerate the movement to value-based care and drive broader system transformation and indicated that it intends to streamline its payment model portfolio. In addition, several private third-party payers are increasingly employing alternative payment models, which may shift financial risk to healthcare providers. Private third-party payers, large employer groups and their affiliates and other healthcare industry participants may introduce other additional financial or delivery system reforms. We are unable to predict the nature and success of such initiatives. Healthcare reform initiatives could negatively impact demand for our solutions, such as IHEs, or decrease participation in government programs like MSSP. Further, federal and state health reform efforts could impose new and/or more stringent regulatory requirements on our activities. Any of these developments could have a material adverse effect on our business, financial condition and results of operations. While we believe that we have structured our agreements and operations in material compliance with applicable healthcare laws and regulations, there can be no assurance that we will be able to successfully address changes in the current regulatory environment. We believe that our business operations materially comply with applicable healthcare laws and regulations. However, some of the healthcare laws and regulations applicable to us are subject to limited or evolving interpretations, and a review of our business or operations by a court, law enforcement, or a regulatory authority might result in a determination that could have a material adverse effect on us. Furthermore, the healthcare laws and regulations applicable to us may be amended or interpreted in a manner that could have a material adverse effect on our business, prospects, results of operations and financial condition.

We may be party to lawsuits and legal proceedings in the ordinary course of business. These matters are often expensive and disruptive to normal business operations. We have in the past and may in the future face allegations, lawsuits, regulatory inquiries, audits or investigations regarding, among other things, data privacy, data security, personal injury, malpractice, breach of contract or intellectual property infringement, including claims related to privacy, patents, publicity, trademarks, copyrights, trade secrets or other rights. We have in the past and may in the future be subject to allegations, lawsuits or inquiries relating to labor and employment, in the case of the past in particular, with respect to our characterization of independent contractor relationships. See "-Risks related to governmental regulation-If our providers are characterized as employees, we would be subject to adverse effects on our business and employment and withholding liabilities." We may also face allegations or litigation related to our acquisitions, securities issuances or business practices, including public disclosures about our business. See "Item 3. Legal Proceedings." Litigation and regulatory proceedings may be protracted and expensive, and the results are difficult to predict. Certain of these matters may include speculative claims for substantial or indeterminate amounts of damages or for injunctive relief. Additionally, our litigation costs could be significant and are difficult to predict. Adverse outcomes with respect to allegations, lawsuits, regulatory inquiries, audits, or investigations may result in significant settlement costs or judgments, penalties and fines, or require us to modify our services or require us to stop serving certain customers or geographies, any of which could negatively impact our business. We have also in the past been subject to information requests and subpoenas in connection with investigations by government agencies into some of our customers. Complying with these requests can be costly and time consuming. Managing legal proceedings, litigation and audits, even if we achieve favorable outcomes, is time consuming and diverts management's attention from our business. The results of regulatory proceedings, lawsuits, regulatory inquiries, audits and investigations cannot be predicted with certainty, and determining reserves for pending litigation and other legal, regulatory and audit matters requires significant judgment. There can be no assurance that our expectations will prove correct, and even if these matters are resolved in our favor or without significant cash settlements, these matters, and the time and resources necessary to litigate or resolve them, could harm our reputation, business, financial condition, results of operations and the market price of our Class A shares. We also may be subject to lawsuits under the FCA and comparable state laws if the government or a whistleblower alleges that services provided by us caused a health plan to submit allegedly false or fraudulent risk adjustment information to CMS or other governmental authorities, among other potential legal theories under the FCA. These lawsuits can involve significant monetary damages, civil penalties, attorney fees and costs, monetary awards to private plaintiffs who successfully bring these lawsuits, and may lead to our exclusion from federal healthcare programs in which we or our customers participate. In recent years, there has been heightened governmental scrutiny and law enforcement has become increasingly active and aggressive in investigating and taking legal action against potential fraud and abuse, including in relation to Medicare Advantage plans and their submission of risk adjustment information and other data. If a health plan customer is found liable under the FCA and/or similar state laws for submitting false claims or making false statements to CMS and other governmental authorities, it may seek contractual indemnification or contribution from us to the extent it believes the liability was caused by errors in the information we provided. Furthermore, our business exposes us to professional negligence, personal injury and other related actions or claims that are inherent in the managing of healthcare services or a network of traveling personnel. These claims, with or without merit, could cause us to incur substantial costs, and could place a significant strain on our financial resources, divert the attention of management from our core business, harm our reputation and adversely affect our ability to attract and retain customers, any of which could have a material adverse effect on our business, financial condition and results of operations. Although we maintain third-party liability insurance coverage, it is possible that claims against us may exceed the coverage limits of our insurance policies or may not be covered by our liability insurance coverage. Even if any professional liability loss is covered by an insurance policy, these policies typically have substantial deductibles for which we are responsible. Professional liability claims in excess of applicable insurance coverage could have a material adverse effect on our business, financial condition and results of operations. In addition, any professional liability claim brought against us, with or without merit, could result in an increase of our professional liability insurance premiums. Insurance coverage varies in cost and can be difficult to obtain, and we cannot guarantee that we will be able to obtain insurance coverage in the future on terms acceptable to us or at all. If our costs of insurance and claims increase, then our earnings could decline.

We rely heavily on the communications and information systems of third parties to conduct our business. For instance, we rely on computing infrastructure operated by Amazon Web Services ("AWS") and Microsoft Azure ("Azure") to host or operate some or all of certain key products or functions of our business. Leveraging these technologies supports our customers' need to be able to access our platform at any time, without interruption or degradation of performance. Our platform depends, in part, on the virtual cloud infrastructure hosted in AWS and Azure. Although we have disaster recovery plans that utilize multiple AWS and Azure locations and leveraged redundancy of architecture inherent in cloud services, any incident materially affecting their infrastructure could adversely affect our cloud-native platform. A prolonged AWS or Azure service disruption affecting our cloud-native platform would adversely impact our ability to service our customers and could damage our reputation with current and potential customers, expose us to liability, result in substantial costs for remediation, could cause us to lose customers, or otherwise harm our business, financial condition and results of operations. We may also incur significant costs for using alternative hosting sources or taking other actions in preparation for, or in reaction to, events that damage the AWS or Azure services we use. In the event that our AWS or Azure service agreements are terminated, or there is a lapse of service, elimination of AWS or Azure services or features that we utilize, or damage to such facilities supporting our environment, we may experience interruptions in access to our platform as well as significant delays and additional expenses in arranging for or creating new facilities or re-architecting our platform for deployment on a different cloud infrastructure service provider, which would adversely affect our business, financial condition, and results of operations. As expectations regarding operational and information security practices have increased, our operating systems and infrastructure, and those of our third-party service providers, must continue to be safeguarded and monitored for potential failures, disruptions, breakdowns, and attacks. Our data processing systems, or other operating systems and facilities, and those of our third-party service providers, may stop operating properly or become disabled or damaged as a result of a number of factors, including events that are wholly or partially beyond our and our third-party service providers' control. For example, there could be electrical or telecommunication outages, natural disasters such as earthquakes, tornadoes, or hurricanes; disease pandemics and related government orders; events arising from local or larger scale political or social matters, including terrorist acts; cyberattacks and other data security incidents, including ransomware, malware, phishing, social engineering, including some of the foregoing that target healthcare systems in particular. These incidents can range from individual attempts to gain unauthorized access to information technology systems to more sophisticated security threats involving cyber criminals, hacktivists, cyber terrorists, nation state actors, or the targeting of commercial financial accounts. These events can also result from internal compromises, such as human error or malicious internal actors, of our workforce or our vendors' personnel. While we have business continuity, disaster recovery and other policies and procedures designed to prevent or limit the effect of the failure, interruption or security breach of our information systems, there can be no assurance that any such failures, interruptions or security breaches will not occur or, if they do occur, that they will be adequately addressed. Furthermore, if such failures, interruptions or security breaches are not detected immediately, their effect could be compounded. Our risk and exposure to these matters remains heightened because of the evolving nature of these threats and our use of third-party service providers with access to our systems and data. As a result, cybersecurity and the continued development and enhancement of our controls, processes, and practices designed to protect our systems, computers, software, data, and networks from attack, damage or unauthorized access remain a focus for us. Disruptions or failures in the physical infrastructure or operating systems that support our businesses and customers, or cyberattacks or security breaches of our networks, systems or devices, or those that our customers or third-party service providers use to access our products and services, could result in customer attrition, financial loss, reputational damage, reimbursement or other compensation costs, and/or remediation costs, any of which could have a material effect on our results of operations or financial condition.

We structure the majority of our relationships with our providers in a manner that we believe results in an independent contractor relationship, not an employee relationship. An independent contractor is generally distinguished from an employee by his or her degree of autonomy and independence in providing services. A high degree of autonomy and independence is generally indicative of a contractor relationship, while a high degree of control is generally indicative of an employment relationship. A further complicating factor is there is no single independent contractor test or standard which applies in every jurisdiction, and the test in some jurisdictions is more stringent than in others. Although we believe that our providers are properly characterized as independent contractors, individuals, interest groups, tax or other regulatory authorities have in the past and may in the future challenge our characterization of these relationships. For example, we have been subject to allegations, a lawsuit and inquiries challenging our characterization of these relationships in the past. While these past challenges have not had a material impact on us, there can be no assurance that similar challenges in the future will not have a material impact on our business. If regulatory authorities or state or federal courts were to determine that our providers are employees, and not independent contractors, our mobile network of providers would be disrupted and we would be required to withhold income taxes, to withhold and pay Social Security, Medicare and similar taxes and to pay unemployment and other related payroll taxes. We would also be liable for unpaid past taxes, subject to penalties and increased operating costs moving forward. As a result, any determination that our providers are our employees could have a material adverse effect on our business, financial condition and results of operations.

We depend upon licenses from third parties for some of the technology and data used in our technology and services. We expect that we may need to obtain additional licenses from third parties in the future in connection with the development of our technology and services. In addition, we obtain a portion of the data that we use from government entities, public records and from our partners for specific partner engagements. We take reasonable steps to identify and secure necessary rights to use the data that is incorporated into our services. We cannot, however, assure you that our licenses for information will allow us to use that information for all potential or contemplated applications. In addition, our ability to continue to support integrated healthcare for individuals depends on maintaining our database, which is partially populated with information disclosed to us by our partners with their consent. If these partners revoke their consent for us to maintain, use, de-identify and share this data, consistent with applicable law, our data assets could be degraded. In the future, data providers could withdraw their data from us or restrict our usage for any reason, including if there is a competitive reason to do so, or if legislation is passed restricting the use of the data or if judicial interpretations are issued restricting use of the data that we currently use to support our services. In addition, data providers could fail to adhere to our quality control standards in the future, causing us to incur additional expense to appropriately use such data. If a substantial number of data providers were to withdraw or restrict our use of their data, or if they fail to adhere to our quality control standards, and if we are unable to identify and contract with suitable alternative data suppliers and integrate these data sources into our service offerings, our ability to provide services to our customers would be materially and adversely impacted, which could have a material adverse effect on our business, financial condition and results of operations. We also integrate third-party applications into our internally developed applications and use third-party software to support our technology infrastructure. Some of this software is proprietary and some is open source software. These technologies may not be available to us in the future on commercially reasonable terms or at all and could be difficult to replace once integrated into our own internally developed applications. Many of these licenses can be renewed only by mutual consent and most may be terminated if we breach the terms of the license and fail to cure the breach within a specified period of time. Our inability to obtain, maintain or comply with any of these licenses could delay development until equivalent technology can be identified, licensed and integrated, which would harm our business, financial condition and results of operations. Most of our third-party licenses are nonexclusive and our competitors may obtain the right to use any of the technology covered by these licenses to compete directly with us. Our use of third-party technologies exposes us to increased risks, including, but not limited to, risks associated with the integration of new technology into our solutions, the diversion of our resources from development of our own internally developed technology and the potential inability to generate revenue from licensed technology sufficient to offset associated acquisition, use and maintenance costs. In addition, if our third-party licensors choose to discontinue support of their licensed technology in the future, we might not be able to modify or adapt our own solutions to compensate for that loss.

We expect to derive a significant portion of our revenue from renewal of existing customer contracts and sales of additional services to existing customers. As part of our growth strategy, for instance, we have recently focused on expanding our services among current customers, both in terms of the number of distinct services an existing customer uses and expanding the existing customer's use of a particular service. As a result, selling additional services and expanding use of current services are critical to our future business, revenue growth and results of operations. Factors that may affect our ability to sell additional services and expand use of current services include the following: - the price, performance and functionality of our services;- the availability, price, performance and functionality of competing or replacement services;- our ability to develop and sell complementary services;- changes in healthcare laws, regulations or trends;- the business environment of our customers; and - the government programs in which our customers participate. Our contracts with our health plan customers for IHEs generally have stated initial terms of one to two years with automatic renewal at the end of each term unless terminated by the customer. We are paid a flat fee per IHE completed. Our ability to complete IHEs depends on the plan members (identified by our customers for outreach) agreeing to an IHE. However, our customers typically have no obligation to accept such automatic renewal. In addition, our customers may negotiate terms less advantageous to us upon renewal, which may reduce our revenue from these customers. Our future results of operations also depend, in part, on our ability to expand across the continuum of care. If our customers fail to renew their contracts, renew their contracts upon less favorable terms or at lower fee levels or fail to purchase new services from us, our revenue may decline, or our future revenue growth may be constrained. In addition, a significant number of our customer contracts (including contracts with many of our top 10 customers) allow health plans to terminate such agreements for convenience, typically with one to three months advance notice. If a customer terminates its contract early and revenue and cash flows expected from a customer are not realized in the time period expected or not realized at all, our business, financial condition and results of operations could be adversely affected.

The timing of our sales, revenue, and cash flows is difficult to predict, in particular with respect to our new sales and cross-sell efforts, because of the length and unpredictability of our sales cycle. The sales cycle for our services from initial contact to implementation of services varies widely by potential customer. Some of our potential customers undertake a significant and prolonged evaluation process to determine whether our services meet the specific needs of their organization, as well as other goals, which frequently involves evaluation of not only our services but also an evaluation of other available services. Such evaluations have in the past resulted in extended sales cycles that, due to changes in corporate objectives or leadership involved in the selection process and other factors, may result in delayed or suspended decision-making in awarding the sale. In addition, when the government programs that we participate in change, it can take a significant period of time for existing customers to familiarize themselves with new programs and for us to engage new customers in these programs. As we introduce new products, we also expect there to be a lengthy onboarding process with our customers as they learn more about our services and choose when and how to adopt them. In addition, our sales cycle may become more lengthy and difficult if prospective customers slow down their decision-making about purchasing new services due to the effects of public health crises, such as COVID-19. During the sales cycle, we expend significant time and money on sales and marketing activities, which lowers our operating margins, particularly if no sale occurs. For example, there may be unexpected delays in a potential customer's internal processes, which involve intensive technological, legal, financial, operational, and security reviews. In addition, our services represent a significant purchase and require customers to take on risk and the significance and timing of our offering enhancements, and the introduction of new products by our competitors, may also affect our potential customers' purchases. For all of these reasons, it is difficult to predict whether a sale will be completed, the particular period in which a sale will be completed, or the period in which revenue from a sale will be recognized.