PHR Phreesia, Inc. - 10-K

Item 1A.    Risk Factors

Risk factors

A description of the risks and uncertainties associated with our business and industry is set forth below. You should carefully consider the risks and uncertainties described below, together with all of the other information in this Annual Report on Form 10-K, including our consolidated financial statements and notes thereto and the “Management’s discussion and analysis of financial condition and results of operations” section of this Annual Report on Form 10-K, before deciding whether to purchase shares of our common stock. If any of the following risks are realized, our business, financial condition, operating results and prospects could be materially and adversely affected. In that event, the price of our common stock could decline, perhaps significantly. Additional risks and uncertainties not presently known to us or that we currently deem immaterial also may impair our business operations. Certain statements in this Annual Report on Form 10-K are forward-looking statements. See the section of this Annual Report on Form 10-K titled “Special Note Regarding Forward-Looking Statements.”

Risks relating to our business and industry

We operate in a highly competitive industry, and if we are not able to compete effectively, including with the EHR and PM systems with which we integrate, our business and results of operations may be harmed.

The market for our solutions and services is fragmented, competitive and characterized by rapidly evolving technology standards, evolving regulatory requirements, changes in client needs and the frequent introduction of new products and services, including as a result of AI technologies. Our competitors range from smaller niche companies to large, well-financed and technologically-sophisticated entities, including the EHR and PM systems with which we integrate. As costs fall and technology improves, increased market saturation may change the competitive landscape in favor of competitors with greater scale than we currently possess, including as a result of new or better use of evolving AI technologies.

In order to remain competitive, we are continually involved in a number of projects to compete with new market entrants by developing new services, expanding offerings to our existing client base, growing our client base and penetrating new markets. These projects carry risks, such as cost overruns, delays in delivery, performance problems and lack of acceptance by our clients.

The success of our business and growth strategy depend upon our continued ability to maintain and expand a network of healthcare services clients, which also requires us to provide and develop new high-quality products and services that are helpful to our clients and used and positively received by patients. If we are unable to attract and retain healthcare services clients, including because we are unable to adapt to new industry standards in

developing new solutions and services, it would have a material adverse effect on our business and ability to grow and would adversely affect our results of operations. Additionally, if we do not maintain our current client network, or if we have to renegotiate existing contracts on terms less favorable to us, our business, financial condition and results of operations may be harmed.

We believe demand for our solutions and services has been driven in large part by increasing patient responsibility, engagement and consumerism. Our ability to streamline critical workflows in order to improve healthcare services clients’ operations and patient engagement to allow for optimal allocation of resources will be critical to our business. Our success also depends on the ability of our solutions to increase patient engagement, and our ability to demonstrate the value of our solutions to healthcare services clients, patients and life sciences companies. If our existing clients do not recognize or acknowledge the benefits of our solutions or our solutions do not drive patient engagement, then the market for our products and services might develop more slowly than we expect, which could adversely affect our operating results.

In addition, as we and the EHR and PM solutions with which we integrate, grow and expand product offerings, the EHR and PM solutions with which we integrate could offer more competitive services or make it more cost prohibitive to do business with them. Some of these EHR and PM systems offer, or may begin to offer, services, including patient intake and engagement services, payment processing tools, patient financing options and direct patient communication services, in the same or similar manner as we do. Although there are many potential opportunities for, and applications of, these services, these EHR and PM systems may seek opportunities or target new clients in areas that may overlap with those that we have chosen to pursue. Such competition from these EHR and PM systems may adversely affect our business, market share and results from operations.

We compete on the basis of several factors. Some of our competitors have greater name recognition, longer operating histories and significantly greater resources than we do. As a result, our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies (including evolving AI technologies), standards or client requirements or provide faster implementations. Additionally, AI technologies may make it easier for competitors to enter our market due to lower up-front costs. As a result, even if our solutions are more effective than the products and services that our competitors offer, potential clients might select competitive products and services in lieu of purchasing our solutions. In addition, current and potential competitors have established, and may in the future establish, cooperative relationships with vendors of complementary products, technologies or services to increase the availability of their products to the marketplace. Accordingly, new competitors or providers of EHR and PM solutions may emerge that have greater market share, larger client bases, more widely adopted proprietary technologies, greater marketing expertise, new or better AI technologies, greater financial resources and larger sales forces than we have, which could put us at a competitive disadvantage and could render our existing or future products less competitive or obsolete. We also may be subject to pricing pressures as a result of, among other things, competition within the industry, consolidation of healthcare industry participants, practices of managed care organizations, government action and financial stress experienced by our clients. If our pricing experiences significant downward pressure, our business will be less profitable and our results of operations will be adversely affected. We cannot be certain that we will be able to retain our current client base in this competitive environment. If we do not retain current clients or expand our client base, or if we have to renegotiate existing contracts unfavorably, our business, financial condition and results of operations will be harmed. Moreover, we expect that competition will continue to increase as a result of consolidation in both the healthcare information technology and healthcare industries. If one or more of our competitors or potential competitors were to merge or partner with another of our competitors, the change in the competitive landscape could also adversely affect our ability to compete effectively and could harm our business, financial condition and results of operations.

If we fail to manage our future growth effectively, our revenue may not increase, and we may be unable to implement our business strategy.

We have experienced significant growth in the past. Rapid expansion has historically placed, and may in the future place, strain on our business, operations and employees. We anticipate that our operations will continue to expand. As we continue to grow, both organically and through acquisitions, we must effectively integrate, develop, and manage an increasingly distributed employee base in a fully remote working environment. We may find it challenging to maintain the same level of employee productivity while executing our growth plan, fostering collaboration, and maintaining the beneficial aspects of our culture, and any such failures could negatively affect our future success, including our ability to attract and retain highly qualified employees and to achieve our business objectives. If we do not manage the demands of our growing operations effectively, our efficiency may decline, our operations could be disrupted, and we may not be able to meet our financial projections, which could adversely affect our business performance and stock price.

In addition, to manage our current and anticipated future growth effectively, we must continue to maintain and enhance our IT infrastructure, financial and accounting systems and controls and continue to build our qualified workforce in key areas of our company. A key element of how we manage our growth is our ability to scale our capabilities and satisfactorily implement solutions for our clients’ needs. Our healthcare services clients often require specific features or functions unique to their organizational structure, which, at a time of significant growth or during periods of high demand, may strain our implementation capacity and hinder our ability to successfully implement our solutions for our clients in a timely manner. If we are unable to address the needs of our healthcare services clients or our healthcare services clients are unsatisfied with the quality of our solutions or our services due to our inability to manage our rapid growth, they may not renew their contracts, seek to cancel or terminate their relationship with us or renew on less favorable terms, any of which could adversely affect our business. Additionally, our ability to grow our financing business is in part dependent on our access to capital for the securitization of cardholder receivables. If we are unable to maintain or expand our access to capital on favorable terms or at all, we may be unable to offer our financing solutions to a greater number of existing or potential healthcare services clients.

Failure to effectively manage our growth could also lead us to over-invest or under-invest in development and operations, result in weaknesses in our infrastructure, systems or controls, give rise to operational mistakes, financial losses, loss of productivity or business opportunities and result in loss of employees and reduced productivity of remaining employees. If our management is unable to effectively manage our growth, our revenue may not increase (including sufficiently to offset our expenses) or may grow more slowly than expected, and we may be unable to implement our business strategy.

Our operating results have fluctuated and may continue to fluctuate significantly and if we fail to meet the expectations of analysts or investors, our stock price and the value of your investment could decline substantially.

Our operating results are likely to fluctuate, and if we fail to meet or exceed the expectations of securities analysts or investors, the trading price of our common stock could decline. Moreover, our stock price may be based on expectations of our future performance that may be unrealistic or that may not be met. Some of the important factors that could cause our revenues and operating results to fluctuate from quarter to quarter include:

• the timing, size and integration success of recent and potential future acquisitions, including the AccessOne Acquisition;

• the extent to which our products and services achieve or maintain market acceptance;

• our ability to introduce new products and services and enhancements to our existing products and services on a timely basis;

• new competitors and the introduction of enhanced products and services from new or existing competitors;

• the extent to which developments in AI may reduce demand for our solutions;

• the length of our contracting and implementation cycles;

• the financial condition of our current and potential clients;

• our ability to integrate our solutions with the systems utilized by our healthcare services clients, including but not limited to, EHR and PM systems;

• changes in client budgets and procurement policies;

• patients' desires to receive communications from Phreesia and/or our partners, the extent to which they opt-in to such communications, and our ability to deliver a consistent volume of such communications;

• amount and timing of our investment in research and development activities and other areas of our business;

• technical difficulties or interruptions in our services, like the one we experienced with ConnectOnCall in 2024;

• our ability to hire and retain qualified personnel;

• changes in the healthcare regulatory and policy environment;

• changes in healthcare, utilization and spending trends, including as a result of changes to healthcare policy and the One Big Beautiful Bill Act (“OBBBA”);

• regulatory compliance costs;

• unforeseen legal expenses, including litigation and settlement costs; and

• buying patterns of our clients and the related seasonality impacts on our business.

Many of these factors are not within our control, and the occurrence of one or more of them might cause our operating results to vary widely. As such, we believe that quarter-to-quarter comparisons of our revenues and operating results may not be meaningful and should not be relied upon as an indication of future performance.

A significant portion of our operating expense is relatively fixed in nature, and planned expenditures are based in part on expectations regarding future revenue. Accordingly, unexpected revenue shortfalls may decrease our margins and could cause significant changes in our operating results from quarter to quarter.

Privacy concerns, cyber-attacks, data breaches or cybersecurity incidents relating to our solutions could result in economic loss, damage to our reputation, deterrence of users from using our products, and exposure to legal penalties and liability.

We collect, process and store significant amounts of sensitive, confidential and proprietary information, including personally identifiable information, such as payment data and protected health information, of patients received in connection with the utilization of our solutions. Attacks on information technology systems are increasing in their frequency, levels of persistence, sophistication and intensity, they are being conducted by increasingly sophisticated and organized groups and individuals with a wide range of motives and expertise, and they may remain undetected for an extended period of time. For instance, as AI technologies, including generative AI models, develop rapidly, threat actors are using these technologies to create sophisticated new attack methods that are increasingly automated, targeted, coordinated and difficult to defend against. Like other companies in our industry, we, and our third-party vendors, have experienced threats and cybersecurity incidents relating to our information technology systems and infrastructure. For example, in 2024, we experienced a cybersecurity incident which impacted our ConnectOnCall product. Although we do not believe this, or any other cybersecurity incident, has had a material impact on our business to date, any interruption in our business or disclosure, loss, processing or other compromise of personal information or individually identifiable health information (implicating certain privacy laws such as the federal Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information and Technology for Economic and Clinical Health Act (“HITECH Act”) and their implementing regulations, collectively referred to as “HIPAA”) or confidential information, or event that jeopardizes the confidentiality, integrity, or availability of our solutions, could result in a material disruption to our solutions and our business operations, require us to expend significant resources and subject us to litigation, fines and penalties. In addition to extracting sensitive information, such attacks could include the deployment of harmful malware, ransomware, denial-of-service attacks, social engineering fraud (including phishing attacks), and other means to affect service reliability and threaten the confidentiality, integrity and availability of information. While we maintain a security program that is designed to protect our products and such data, techniques used to gain unauthorized access to data and systems, disable or degrade service, or sabotage systems, are constantly evolving, and may be the result of criminal groups, state sponsored or other malicious actors. We may be unable to anticipate such techniques or implement adequate preventative measures to avoid unauthorized access or other adverse impacts to such data or our systems.

In addition, some of our third-party service providers and partners, such as Change Healthcare and other clearinghouses or vendors, also collect and/or store our sensitive information and our clients' data on our behalf, and these service providers and partners have in the past, and may in the future be subject to similar threats of cyber-attacks and other malicious internet-based activities, which could also expose us to risk of loss, litigation, and potential liability. Even though we may have contractual protections with such vendors, contractors, or other organizations, notifications and follow-up actions related to a cybersecurity incident or data breach could impact our reputation, cause us to incur significant costs, including legal expenses, harm client confidence, expose us to government enforcement action, hurt our expansion into new markets, cause us to incur remediation costs, or cause us to lose existing clients. The risk of state-supported and geopolitical-related cyber-attacks may increase in connection with political unrest or wars and any related political or economic responses and counter-responses. We may not discover all such cybersecurity incidents, data breaches, or other activity or be able to respond or otherwise address them promptly, in sufficient respects or at all.

We are subject to state laws requiring notification of affected individuals and state regulators in the event of a cybersecurity incident or breach of personal information. Furthermore, certain health privacy laws, data breach notification laws, consumer protection laws and genetic testing laws may apply directly to our business and/or those of our collaborators and may impose restrictions on our collection, use and dissemination of individuals’ health information. Patients about whom we obtain health information, as well as the healthcare services clients who share this information with us, may have statutory or contractual rights that limit our ability to use and disclose the information. Additionally, our subsidiary, AccessOne MedCard, Inc. (“AccessOne MedCard”) is subject to regulation and supervision of cybersecurity and data privacy matters by state and federal regulators, including state financial regulatory agencies, the FTC and the CFPB, including the NYDFS Part 500 Requirements, and the GLBA and Regulation P and the FTC Safeguards Rule, as well as the FTC’s Identity Theft Red Flags Rule under the Fair Credit Reporting Act, which, among other things, require financial institutions to explain their information sharing practices to their customers, safeguard sensitive data and maintain an identity theft prevention program. We may be required to expend significant capital and other resources to ensure ongoing compliance with applicable privacy and data security laws and regulatory requirements. Claims that we have violated individuals’ privacy rights, violated

applicable privacy laws and regulations or breached our contractual obligations, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business, or enforcement and other supervisory actions. Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our privacy and data security obligations. Further, although we maintain cyber liability insurance, this insurance may not provide adequate coverage against potential liabilities related to any experienced cybersecurity incident or breach.

Like all internet services, our service, and the services of our third-party service providers, are vulnerable to software bugs, computer viruses, internet worms, break-ins, phishing attacks, attempts to overload servers with denial-of-service, wrongful or inadvertent conduct by insider employees or vendors, or other attacks or similar disruptions from unauthorized use of our and third-party computer systems, any of which could lead to system interruptions, delays, or shutdowns, causing loss of critical data or the unauthorized access of data. Though it is difficult to determine what, if any, harm may directly result from any specific interruption or attack, any failure to maintain performance, reliability, security and availability of our products, or failure to prevent software bugs, to the satisfaction of our clients or the health and safety of their patients, may harm our reputation and our ability to retain existing clients, and negatively affect our clients and their patients. We have in place systems and processes that are designed to protect our data, prevent data loss, disable undesirable accounts and activities on our platform and prevent or detect cybersecurity incidents or data breaches, however, we cannot assure you that such measures will provide absolute security.

Further, the security systems in place at our employees’ and service providers’ offices and homes may be less secure than those used in a corporate office, and while we have implemented technical and administrative safeguards to help protect our systems as our employees and service providers work from their offices, homes and other remote locations, we may be subject to increased cybersecurity risk, which could expose us to risks of data or financial loss, and could disrupt our business operations. There is no guarantee that the data security and privacy safeguards we have put in place will be completely effective or that we will not encounter risks associated with employees and service providers accessing company data and systems remotely. If an actual or perceived cybersecurity incident or data breach occurs to our systems or a third-party’s systems, such as one that affected our ConnectOnCall product in 2024, we also could be required to expend significant resources to mitigate the breach of security, pay any applicable fines and address matters related to any such breach, including notifying users or regulators, defend against claims related to the breach and address reputational harm.

Our operations in India subject us to additional risks which could have an adverse effect on our business, operating results, and financial condition.

We have a subsidiary in India that performs a number of functions that were previously performed by outside contractors. While we believe our Indian operations are advantageous to our business, they also create risks that we must effectively manage. Conducting business abroad subjects us to increased legal and regulatory compliance and oversight. A failure to comply with applicable laws and regulations could result in regulatory enforcement actions, as well as substantial civil and criminal penalties assessed against us and our employees. The management of our Indian operations has, and will continue to, require significant management attention and financial resources that could adversely affect our operating performance. Wages in India are increasing at a faster rate than those in many countries, including the United States. In addition, with the significant increase in the numbers of foreign businesses that have established operations in India, the competition to attract and retain employees there has increased significantly. As a result, we may be unable to cost-effectively retain our current employee base in India or hire additional new talent. In addition, India has experienced, and may in the future experience, significant inflation, low growth in gross domestic product and shortages of foreign exchange. India also has experienced civil unrest and terrorism and, in the past, has been involved in conflicts with neighboring countries which may escalate in the future. The occurrence of any of these circumstances could result in disruptions to our India operations, which, if continued for an extended period of time, could have a material adverse effect on our business.

Our operating expenses incurred outside the United States and denominated in foreign currencies would increase to the extent we expand our operations in India. Transactions denominated in foreign currencies are subject to fluctuations due to changes in foreign currency exchange rates. If we are not able to successfully hedge against the risks associated with foreign currency fluctuations, our financial condition and operating results could be adversely affected.

We typically incur significant upfront costs in our client relationships, and if we are unable to develop or grow these relationships over time, we are unlikely to recover these costs and our operating results may suffer.

We devote significant resources to establish relationships with new clients and deepen relationships with existing clients. Our efforts involve educating our clients and patients about the use, technical capabilities and benefits of our products and services. We do not provide access to our solutions and do not charge fees during this initial sales period. For healthcare services clients that decide to enter into a software subscription contract with us, most of these contracts may provide for a preliminary trial period where a subset of the client’s healthcare services locations is granted access to our solutions. Following any such trial period, we aim to increase the number of the client’s healthcare services locations that utilize our solutions. Accordingly, our operating results depend in substantial part on our ability to deliver a successful client and patient experience and persuade our clients to continue and grow their relationship with us over time. If we are unable to do so, we are unlikely to recover these costs and our operating results may suffer.

As a result of our variable sales and implementation cycles, we may be unable to recognize revenue to offset expenditures, which could result in fluctuations in our quarterly results of operations or otherwise harm our future operating results.

The sales cycle for our solutions can be variable, typically ranging from three to twelve months from initial contact to contract execution for healthcare services clients, and up to 18 months for financing contracts with large health systems. Network Solutions sales cycles align with annual life sciences marketing budget cycles, with contracts typically negotiated during the fourth quarter of the calendar year. During the sales cycle, we expend time and resources, and we do not recognize any revenue to offset such expenditures. Our implementation cycle is also variable, typically ranging from one to 24 months from contract execution to completion of implementation. The variability of our sales and implementation cycle is dependent on numerous factors, including the discretionary nature of potential clients' purchasing and budget decisions and the size and complexity of the applicable client. Some of our new client set-up projects are complex and require a considerable time commitment and significant implementation work, including educating prospective clients about the uses and benefits of our solutions. Each client’s situation is different, and unanticipated difficulties and delays may arise as a result of failure by us or by the client to meet our respective implementation responsibilities. During the implementation cycle, we expend substantial time, effort and financial resources implementing our service, but accounting principles do not allow us to recognize the resulting revenue until the service has been implemented, at which time we begin recognition of subscription and related implementation revenue over the life of the contract. This could harm our future operating results. If implementation periods are extended, our revenue cycle will be delayed and our financial condition may be adversely affected. In addition, cancellation of any implementation after it has begun may involve loss to us of time, effort and expenses invested in the cancelled implementation process and lost opportunity for implementing paying clients in that same period of time.

These factors may contribute to substantial fluctuations in our quarterly operating results, particularly during any period in which our sales volume is relatively low. As a result, in future quarters our operating results could fall below the expectations of securities analysts or investors, in which event our stock price would likely decrease.

The growth of our business relies, in part, on the growth and success of our clients and certain revenues from our engagements, which is difficult to predict and is subject to factors outside of our control.

We primarily generate three revenue streams. For example, we enter into agreements with our healthcare services clients, under which a significant portion of our fees are variable, including fees which are dependent upon the number of add-on features subscribed for by our clients and the number of patients utilizing our payment processing tools or financing services offered by our subsidiary, AccessOne MedCard. If there is a general reduction in spending by healthcare services organizations on healthcare technology solutions, it may result in a reduction in fees generated from our healthcare services clients or a reduction in the number of add-on features subscribed for by our healthcare services clients. This could lead to a decrease in our revenue, which could harm our business, financial condition and results of operations.

In addition, we generate revenue from payment processing fees based on patient payment volume and from financing fees that primarily consist of finance charges and servicing fees on cardholder receivables. The number of patients utilizing our payment processing tools or financing options offered by our subsidiary, AccessOne MedCard, and the amounts those patients pay directly to our healthcare services clients for services or choose to finance with extended payment plans, are often impacted by factors outside of our control. For example, macroeconomic conditions and changes in healthcare policy may decrease the number of insured patients and result in reduced healthcare utilization and spending. In addition to economic trends impacting overall healthcare spending, the CFPB

and various state attorneys general, state legislatures and state agencies have increased scrutiny of third-party providers of financing for medical services. State governments or specific healthcare institutions may review and amend criteria for charity care eligibility and may enact debt mitigation policies that expand the pool of patients qualifying for free or discounted care, reducing the amount of patient payments processed through our solutions or the demand for extended financing options offered by AccessOne MedCard. Accordingly, revenue under these agreements can be uncertain and unpredictable. If the number of patients utilizing our payment systems, or the aggregate amounts paid by such patients directly to our healthcare services clients through our solutions or financed through AccessOne MedCard, were to be reduced by a material amount, such decrease would lead to a decrease in our revenue, which could harm our business, financial condition and results of operations.

We also generate network solutions revenue through fees charged to life sciences companies and other clients by delivering direct communications to help activate, engage and educate patients who provide consent for the delivery of such communications about topics critical to their health. The growth of our revenue stream from life sciences companies and other clients is driven, in part, by our ability to grow our network of healthcare services clients and available population of patients to engage, the desirability of optional communications to patients, the number of newly approved drugs, the success of newly launched drugs, and the continued success of certain types of drugs, each of which is impacted by factors outside of our control. For example, governmental actions taken by the U.S. federal government, such as changes in the leadership of the FDA, mass layoffs within the federal government, and executive orders, legislation or rulemaking initiatives related to drug pricing and pharmaceutical marketing and advertising, have affected the ability of life sciences companies to successfully develop and market drugs. If there is a reduction or delay in newly approved drugs, newly launched drugs are not successful, certain drugs’ popularity or profitability decreases (including as a result of loss of patent exclusivity), or the ability to engage in drug marketing and advertising is restricted or limited, this could negatively affect the ability of our life sciences clients to deliver relevant messages to patients. As a result, our life sciences clients have taken, and may continue to take, actions such as decreasing marketing budgets, redirecting spend to other marketing channels, seeking more flexible contract terms and increasing expectations regarding campaign performance. Any of these factors could lead to a decrease in our network solutions revenue, which could harm our business, financial condition and results of operations.

If our existing clients are not satisfied with our services, it could have a material adverse effect on our business, financial condition, results of operations and reputation.

We depend on our existing clients’ satisfaction with our products and services. We expect to derive a significant portion of our revenue from renewal of existing clients’ contracts and sales of additional solutions and services to existing clients. As part of our growth strategy, we have focused on expanding our services amongst current clients. As a result, achieving a high client retention rate and selling additional solutions and services to existing clients are critical to our future business, revenue growth and results of operations. We also believe that maintaining and enhancing our reputation and brand recognition is critical to our relationships with existing clients and the patients that they serve and to our ability to attract new clients. The promotion of our brand may require us to make substantial investments, and we anticipate that, as our market becomes increasingly competitive, these marketing initiatives may become increasingly difficult and expensive. In addition, the loss or dissatisfaction of any client could substantially harm our brand and reputation, inhibit widespread adoption of our solutions and impair our ability to attract new clients.

Factors that may affect our client satisfaction and our ability to sell additional applications and services include, but are not limited to, the following:

• the price, performance and functionality of our solutions;

• patient acceptance and adoption of services and utilization of our payment processing tools and payment plans;

• the availability, price, performance and functionality of competing solutions;

• our ability to develop and sell complimentary solutions and services;

• our access to capital;

• the stability, performance and security of our hosting infrastructure and hosting services;

• changes in healthcare laws, regulations or trends;

• the business environment of our clients including healthcare staffing shortages and headcount reductions by our clients; and

• our ability to maintain and enhance our reputation and brand recognition.

We typically enter into annual contracts for our software solutions with our healthcare services clients, which have a stated initial term of one year and automatically renew for one-year subsequent terms. For most of our software solutions, our clients have no obligation to renew their subscriptions after the initial term expires. In addition, we

typically enter into annual contracts with our network solutions clients with a term of one year, which do not auto-renew and must be renegotiated annually. Our clients may negotiate terms less advantageous to us upon renewal, which may reduce our revenue from these clients and may decrease our annual revenue. Additionally, our financing contracts with healthcare services clients are “evergreen” contracts that allow termination for convenience. If our clients fail to renew their contracts, renew their contracts upon less favorable terms or at lower fee levels, terminate their contracts or fail to purchase new products and services from us, our revenue may decline or our future revenue growth may be constrained. Should any of our clients terminate their relationship with us after implementation has begun, we would not only lose our time, effort and resources invested in that implementation, but we would also have lost the opportunity to leverage those resources to build a relationship with other clients over that same period of time.

The estimates and assumptions we use to determine the size of our target market may prove to be inaccurate, and even if the markets in which we compete meet our size estimates and forecasted growth, our business may not grow at similar rates, or at all.

Market estimates and growth forecasts that we disclose are subject to significant uncertainty and are based on assumptions and estimates that may not prove to be accurate. The estimates and forecasts relating to the size and expected growth of the markets for our services may prove to be inaccurate. These estimates and forecasts may be impacted by economic uncertainty that is outside our control, including international conflicts that may impact international trade and global economic performance and other macroeconomic trends, such as tariffs and other trade restrictions and trade protection measures, capital market disruptions, changes in governmental agencies, economic sanctions, economic slowdowns or recessions, international and domestic supply chain risks, inflationary pressure, interest rate increases and declines in consumer confidence that impact our clients.

The principal assumptions relating to our market opportunity include the number of healthcare services organizations currently taking appointments, the amount of annual out of pocket consumer spend and out of pocket financed consumer spend for healthcare-related services, and the amount of annual spend by life sciences companies and other organizations on direct communications to patients at the point of care and to healthcare providers. Our market opportunity is also based on the assumption that the strategic approach that Phreesia enables for our potential clients will be more attractive in creating efficiencies in patient care than competing solutions. If these assumptions prove inaccurate, our business, financial condition and results of operations could be adversely affected.

If we cannot implement our solutions for clients or resolve any technical issues in a timely manner, we may incur costs in the form of service credits or other remedial steps and/or lose clients, and our reputation may be harmed.

Our clients utilize a variety of data formats, applications and infrastructure and we must support our clients’ data formats. Furthermore, the healthcare industry has shifted towards digitalized record keeping, and accordingly, many of our healthcare services clients have developed their own software, or utilize third-party software, for practice management and secure storage of electronic medical records. Our ability to develop and maintain logic-based and scalable technology for patient intake management and engagement, payment processing and financing that successfully integrates with our clients’ software systems for practice management and storage of electronic medical records is critical. If we do not currently support a client’s required data format or appropriately integrate with clients’ systems, then we must configure our solutions to do so, which could increase our expenses. Additionally, we do not control our clients’ implementation schedules. As a result, if our clients do not allocate the internal resources necessary to meet their implementation responsibilities or if we face unanticipated implementation difficulties, the implementation may be delayed. If the client implementation process is not executed successfully or if execution is delayed, we could incur significant costs, clients could become dissatisfied and decide not to increase utilization of our services or not to implement our solutions beyond an initial period prior to their term commitment or, in some cases, revenue recognition could be delayed. In addition, competitors with more efficient operating models with lower implementation costs could jeopardize our client relationships.

Our clients and patients depend on our support services to resolve any technical issues relating to our solutions and our services, and we may be unable to respond quickly enough to accommodate short-term increases in demand for support services, particularly as we increase the size of our client bases (including healthcare services clients and the number of patients that they serve). In addition, we may experience unexpected service interruptions due to cyber-attacks or other cybersecurity incidents or data breaches, such as one that affected our ConnectOnCall product in 2024. In such cases, we may be unable to restore service in a timely manner, if at all. We also may be unable to modify the format of our support services to compete with changes in support services provided by competitors. It is difficult to predict client and patient demand for technical support services, and if client or patient demand increases significantly, we may be unable to provide satisfactory support services to our clients. Further, if

we are unable to address the needs of our clients and their patients in a timely fashion or further develop and enhance our solutions, or if a client or patient is not satisfied with the quality of work performed by us or with the technical support services rendered, then we could incur additional costs to address the situation or be required to issue credits or refunds for amounts related to unused services, and our profitability may be impaired and clients’ or patients’ dissatisfaction with our solutions could damage our ability to expand the number of applications and services purchased by such clients. These clients may not renew their contracts, seek to terminate their relationships with us or renew on less favorable terms. Moreover, negative publicity related to our client and patient relationships, or regarding patient confidentiality and privacy in the context of technology-enabled healthcare, regardless of its accuracy, may further damage our business by affecting our reputation or ability to compete for new business with current and prospective clients. If any of these were to occur, our revenue may decline and our business, financial condition and results of operations could be adversely affected.

We historically derive a significant portion of our revenues from our largest clients.

Historically, we have relied on a limited number of clients for a substantial portion of our total revenue and accounts receivable. The sudden loss of any of our larger clients, or the renegotiation of any of their contracts on less favorable terms, could adversely affect our operating results. Because we rely on a limited number of clients for a significant portion of our revenues, we depend on the creditworthiness of these clients. If the financial condition of our larger clients declines, our credit risk could increase. Should one or more of our significant clients declare bankruptcy, it could adversely affect the collectability of our accounts receivable and affect our bad debt reserves and net income.

We have experienced net losses in the past and we may not maintain positive net income in the future.

We have incurred significant operating losses for most of our history. For the years ended January 31, 2026 and January 31, 2025, we had net income of $2.3 million and net loss of $58.5 million, respectively, and losses from operations of $6.6 million and $58.1 million, respectively. Our operating expenses may increase in the foreseeable future as we continue to invest to grow our business, including through acquisitions, and build relationships with our clients and partners, develop new solutions and operate as a public company. In addition, to the extent we are successful in increasing our client base, we could incur increased losses because significant costs associated with entering into client agreements are generally incurred up front, while revenue is generally recognized ratably over the term of the agreement. As a result, we may need to raise additional capital through equity and debt financings in order to fund our operations, which may not be available to us on favorable terms or at all. If we are unable to effectively manage these risks and difficulties as we encounter them or effectively access the capital markets, our business, financial condition and results of operations may suffer.

We depend on our senior management team and certain key employees, and the loss of one or more of our executive officers or key employees or an inability to attract and retain highly skilled employees could adversely affect our business.

Our success depends, in part, on the skills, working relationships and continued services of our founders, Chaim Indig (Chief Executive Officer) and Evan Roberts (President, Provider Solutions), and our senior management team and other key personnel. From time to time, there may be changes in our senior management team resulting from the hiring or departure of executives, which could disrupt our business.

In addition, we must attract, train and retain a significant number of highly skilled employees in the U.S., India and Canada, including sales and marketing personnel, client support personnel, professional services personnel, software engineers, technical personnel and management personnel, and the availability of such personnel, in particular software engineers, may be constrained. We also believe that our future growth will depend on the continued development of our direct sales force and its ability to obtain new clients and to manage our existing client base. If we are unable to hire and develop sufficient numbers of productive direct sales personnel or if new direct sales personnel are unable to achieve desired productivity levels in a reasonable period of time, sales of our services will suffer and our growth will be impeded.

Competition for qualified management and employees in our industry is intense, and identifying and recruiting qualified personnel and training them requires significant time, expense and attention. Many of the companies with which we compete for personnel have greater financial and other resources than we do. Our North American employees are employed on a contract-employment basis or are “at-will” employees, and, in most cases, their employment can be terminated by us or them at any time, for any reason and without notice, subject, in certain cases, to severance payment rights. The departure and replacement of one or more of our executive officers or other key employees would likely involve significant time and costs, may significantly delay or prevent the achievement of our business objectives and could materially harm our business. In addition, volatility or lack of performance in our stock price may affect our ability to attract replacements should key personnel depart.

We have made, and may in the future make, acquisitions and investments which may be difficult to integrate, divert management resources, result in unanticipated costs or dilute our stockholders.

We have in the past acquired, and we may continue to acquire or invest in, businesses, products or technologies that we believe could complement or expand our products and services, enhance our market coverage or technical capabilities or otherwise offer growth opportunities, such as the AccessOne Acquisition. This may include acquiring or investing in companies, businesses, products or technologies that are tangential to our current business and/or in which we have limited or no prior operating experience.

There are inherent risks in integrating and managing acquisitions, and the pursuit of potential acquisitions may divert the attention of management and cause us to incur various expenses related to identifying, investigating and pursuing suitable acquisitions, whether or not they are consummated. We cannot assure you that we will realize the anticipated benefits of the AccessOne Acquisition or any future acquisitions. We also may not achieve the anticipated benefits from an acquired business due to a number of factors, including, without limitation:

• difficulty integrating the purchased operations, products or technologies and maintaining the quality and security standards consistent with our brand;

• the need to integrate or implement additional controls, procedures and policies;

• privacy concerns, cyber-attacks, data breaches or cybersecurity incidents relating to the acquired businesses, such as the security incident we experienced with ConnectOnCall in 2024;

• our inability to comply with legal and regulatory requirements applicable to the acquired business;

• assimilation of the acquired businesses, which may divert significant management attention and financial resources from our other operations and could disrupt our ongoing business;

• the use of substantial portions of our available cash, issuance of our equity securities or incurrence of debt to consummate the acquisition;

• the loss of key employees, particularly those of the acquired operations; difficulty retaining or developing the acquired business’ customers;

• adverse effects on our existing business relationships;

• failure to realize the potential cost savings or other financial benefits or the strategic benefits of the acquisitions, including failure to consummate any proposed or contemplated transaction; and

• liabilities from the acquired businesses for infringement of intellectual property rights or other claims and failure to obtain indemnification for such liabilities or claims.

Acquisitions also increase the risk of unforeseen legal liability, including for potential violations of applicable law or industry rules and regulations, arising from prior or ongoing acts or omissions by the acquired businesses which are not discovered by due diligence during the acquisition process. Acquisitions could also result in dilutive issuances of equity securities or the incurrence of debt, which could adversely affect our business, results of operations or financial condition. Even if we are successful in completing and integrating an acquired business, it may not perform as we expect or enhance the value of our business as a whole.

We may be unable to successfully integrate the business acquired in the AccessOne Acquisition, integration may be more difficult, costly or time-consuming than expected, and we may fail to realize all of the anticipated benefits of the AccessOne Acquisition on the anticipated time frame or at all.

We believe that there are significant benefits that may be realized through the AccessOne Acquisition. However, the efforts to realize these benefits is a complex process and may disrupt both companies’ existing operations if not implemented in a timely and efficient manner. The integration may be more difficult, costly or time-consuming than expected. We have incurred substantial expenses in connection with the AccessOne Acquisition, including legal, financial advisory, accounting, consulting, and other advisory fees, employee benefit-related costs, filing fees and other regulatory fees, closing, integration and other related costs. The anticipated benefits of the AccessOne Acquisition, including anticipated sales or growth opportunities and cross-selling opportunities, may not be realized as expected or may not be achieved within the anticipated time frame or at all. In addition, we are required to devote significant attention and resources to successfully integrate the operations of the acquired business. This process may disrupt the businesses and, if ineffective, would limit the anticipated benefits of the AccessOne Acquisition.

Additionally, the success of the AccessOne Acquisition will depend in part on our ability to retain key employees of the acquired business. If we are unable to retain key employees, including management, whose contributions are important to the successful integration and future operations of the companies, we could face disruptions in AccessOne’s operations, loss of existing clients, loss of key information, expertise or know-how and unanticipated additional recruitment costs. We may not be able to locate or retain suitable replacements for any key employees who decide not to remain employed with us.

Failure to successfully integrate or achieve the anticipated benefits of the AccessOne Acquisition could adversely affect our business, results of operations and financial condition, decrease or delay any accretive effects of the AccessOne Acquisition and negatively impact the price of our common stock.

Certain of our operating results and financial metrics, including the key metrics included in this report, may be difficult to predict as a result of seasonality.

We believe there are significant seasonal factors that may cause us to record higher revenue in some quarters compared with others. We believe this variability is largely due to our focus on the healthcare industry. For example, with respect to our healthcare services clients, we receive a disproportionate increase in payment solutions revenue from such clients during the first two to three months of the calendar year relative to the other months of the year, which is driven, in part, by the resetting of patient deductibles at the beginning of each calendar year. Sales for our network solutions are also seasonal, primarily due to the annual spending patterns of our clients. This portion of our sales is usually the highest in the fourth quarter of each calendar year. While we believe we have visibility into the seasonality of our business, our rapid growth rate over the last several years may have made seasonal fluctuations more difficult to detect, and market dynamics affecting our network solutions clients have resulted in shorter visibility into spending commitments, particularly for the second half of the fiscal year. If our rate of growth slows over time, seasonal or cyclical variations in our operations may become more pronounced, and our business, results of operations and financial position may be adversely affected.

Business or economic disruptions or global health concerns could harm our business and increase our costs and expenses.

Broad-based business or economic disruptions or global health concerns could materially and adversely impact our business and results of operations due to, among other factors:

• a general decline in business activity;

• a potentially disproportionate impact on the healthcare services clients with whom we contract;

• disruptions to our supply chains and our third-party vendors, partners, and suppliers;

• difficulty accessing the capital and credit markets on favorable terms, or at all, and a severe disruption and instability in the global financial markets, or deteriorations in credit and financing conditions that could affect our access to capital necessary to fund business operations or address maturing liabilities on a timely basis; and

• social, economic, and labor instability in the countries in which we or the third parties with whom we engage operate.

In addition, macroeconomic challenges (including tariffs and other trade restrictions and changes in inflation and interest rates) and a tight labor market have adversely affected, and may continue to adversely affect, workforces, organizations, governments, clients, economies, and financial markets globally and have disrupted the normal operations of many businesses, including our business, making it potentially very difficult for our clients and us to accurately forecast and plan future business activities. Additionally, increasing scrutiny of various aspects of the healthcare industry, such as drug pricing and advertising practices, the treatment of medical debt and charity care thresholds, and healthcare coverage eligibility and reimbursement practices, have resulted in, and may result in, changes to U.S. healthcare policy. These factors have and could further decrease healthcare industry spending, adversely affect demand for our products and services, impair the ability of our clients to pay for the products and services they have already purchased from us, cause one or more of our clients to file for bankruptcy protection or go out of business, cause one or more of our clients to fail to renew, terminate, or renegotiate their contracts, impact expected spending from new clients, negatively impact collections of accounts receivable, and harm our business, results of operations, and financial condition.

If our internal controls over financial reporting or our disclosure controls and procedures are not effective, we may not be able to accurately report our financial results, prevent fraud or file our periodic reports in a timely manner, which may cause investors to lose confidence in our reported financial information and may lead to a decline in our stock price.

As a public company, we are required to maintain internal control over financial reporting and disclosure controls and procedures. Section 404 of the Sarbanes-Oxley Act of 2002 (the "Sarbanes-Oxley Act") requires that we evaluate and determine the effectiveness of our internal control over financial reporting and provide a management report on the internal control over financial reporting. Our testing, or the subsequent testing by our independent public accounting firm, may reveal deficiencies in our internal control over financial reporting that are deemed to be

material weaknesses. If we are not able to comply with the requirements of Section 404 in a timely manner, or if we or our accounting firm identify deficiencies in our internal control over financial reporting that are deemed to be material weaknesses, the market price of our stock would likely decline and we could be subject to lawsuits, sanctions or investigations by regulatory authorities, including SEC enforcement actions, and we could be required to restate our financial results, any of which would require additional financial and management resources.

If material weaknesses in our internal control over financial reporting are discovered or occur in the future, our consolidated financial statements may contain material misstatements and we could be required to restate our financial results, which could materially and adversely affect our business, results of operations and financial condition, restrict our ability to access the capital markets, require us to expend significant resources to correct the material weakness, subject us to fines, penalties or judgments, harm our reputation or otherwise cause a decline in investor confidence.

We continue to invest in more robust technology and resources to manage our reporting requirements. Implementing the appropriate changes to our internal controls may distract our officers and employees, result in substantial costs and require significant time to complete. Any difficulties or delays in implementing these controls could impact our ability to timely report our financial results. For these reasons, we may encounter difficulties in the timely and accurate reporting of our financial results, which would impact our ability to provide our investors with information in a timely manner. As a result, our investors could lose confidence in our reported financial information, and our stock price could decline. In addition, any such changes do not guarantee that we will be effective in maintaining the adequacy of our internal controls, and any failure to maintain that adequacy could prevent us from accurately reporting our financial results. See Item 9A “Controls and Procedures” in this Annual Report on Form 10-K for more information.

From time to time, we are subject to various legal proceedings that could adversely affect our business, financial condition and results of operations.

From time to time, we are or may become involved in claims, lawsuits (whether class actions or individual lawsuits), arbitration proceedings, governmental investigations, and other legal or regulatory proceedings involving commercial, corporate and securities matters; privacy, marketing and communications practices; labor and employment matters; alleged infringement of third-party patents and other intellectual property rights; matters involving compliance with regulatory requirements on lending and consumer protection laws; and other matters. The results of any such claims, lawsuits, arbitration proceedings, government investigations, or other legal or regulatory proceedings cannot be predicted with any degree of certainty. Any claims against us, whether meritorious or not, could be time-consuming, result in costly litigation, require significant management attention, and divert significant resources. Determining reserves for our pending litigation is a complex and fact-intensive process that requires significant subjective judgment and speculation. It is possible that a resolution of one or more such proceedings could result in substantial damages, settlement costs, fines, and penalties. These proceedings could also result in harm to our reputation and brand, sanctions, consent decrees, injunctions, or other orders requiring a change in our business practices. Any of these consequences could adversely affect our business, financial condition, and results of operations. Further, under certain circumstances, we have contractual and other legal obligations to indemnify and to incur legal expenses on behalf of our business, clients, and commercial partners and current and former directors and officers. In addition, certain litigation or the resolution of certain litigation may affect the availability or cost of some of our insurance coverage, which could adversely impact our results of operations and cash flows, expose us to increased risks that would be uninsured, and adversely impact our ability to attract directors and officers. Notwithstanding the terms of our agreements with our clients, it is possible that one or more of our clients could breach their obligations, which in the aggregate, could adversely affect our business, financial condition, or results of operations. For example, if a client defaults on its obligations under a client agreement or terminates a client agreement prior to the contractual termination date, we may be required to assert a claim to acquire the amount in full due under the client agreement, which we may choose not to pursue. However, if we choose to pursue any such claim, we may incur substantial costs to resolve claims or enter into litigation or arbitration, and even if we were to prevail in the event of claims, litigation or arbitration, such claims, litigation, or arbitration could be costly and time-consuming and divert the attention of our management and other employees from our business operations.

We are a fully remote company, which subjects us to unique operational risks.

Being a fully remote company subjects us to unique operational risks. For example, technologies in our employees’ homes may not be as robust as in a corporate office and could cause the networks, information systems, applications, and other tools available to employees and service providers to be more limited or less reliable than in a corporate office. Further, the security systems in place at our employees’ homes may be less secure than those used in a corporate office, and while we have implemented technical and administrative safeguards to help protect

our systems as our employees and service providers work from home, we may be subject to increased cybersecurity risk, which could expose us to risks of data or financial loss and could disrupt our business operations. There is no guarantee that the data security and privacy safeguards we have put in place will be completely effective or that we will not encounter risks associated with employees accessing company data and systems remotely. In addition, operating remotely may negatively impact our corporate culture, including employee engagement and productivity.

Risks relating to our payment processing business

If our payment processing platform is limited, restricted, curtailed or degraded in any way, or if we fail to continue to grow and develop our payments platform, our business may be materially and adversely affected.

Our payment processing platform is a core element of our business. For each of the fiscal years ended January 31, 2026 and January 31, 2025, payment processing fees generated 24% of our total revenue. Our future success depends in part on the continued growth and development of our payment processing platform. If such activities are limited, restricted, curtailed or degraded in any way, or if we fail to continue to grow and develop our payment processing platform, our business may be materially and adversely affected. The utilization of our payment processing tools may be impacted by factors outside of our control, such as changes in laws governing medical bill payments or disruptions in the payment processing industry generally. If the number of patients utilizing our payments platform, the aggregate amounts paid by such patients directly to our healthcare services clients through our payments platform, or the credit card interchange fees we receive from such payments were to be reduced as a result of disruptions in the payment processing industry, laws discouraging the use of credit card payments for medical services or other factors, it could result in a decrease to our revenue. In addition, some potential or existing clients may not desire to use our payment processing services or to switch from their existing payment processing vendors for a variety of reasons, such as transition costs, business disruption, and loss of accustomed functionality. There can be no assurance that our efforts to overcome these factors will be successful, and this resistance may adversely affect our growth.

The attractiveness of our payment processing services may also depend on our ability to integrate emerging payment technologies, including crypto-currencies, other emerging or alternative payment methods, and credit card systems that we or our processing partners may not adequately support or for which we or they do not provide adequate processing rates . In the event such methods become popular among consumers, any failure to timely integrate emerging payment methods into our software, anticipate client behavior changes, or contract with payment processing partners that support such emerging payment technologies could reduce the attractiveness of our payment processing services, potentially resulting in a corresponding loss of revenue.

If we fail to comply with the applicable requirements of card networks, they could seek to fine us, suspend us or terminate our payment facilitator status. If our clients or sales partners incur fines or penalties that we cannot collect from them, we may have to bear the cost of such fines or penalties.

We provide a payments solution for the secure processing of patient payments. Our payment processing tools can connect to multiple clearinghouses and can also connect directly with patients. We have developed partnerships with primary credit card processors in the United States to facilitate payment processing, and we are registered with Visa, MasterCard, American Express, Discover and other card networks as a service provider (payment facilitator or the equivalent) for acquiring member institutions. These card networks set the operating rules and standards with which we must comply. The termination of our status as a certified service provider, a decision by the card networks to disallow payment facilitators or bar us from serving as such, or any changes in network rules or standards, including interpretation and implementation of the operating rules or standards, that increase the cost of doing business or limit our ability to provide transaction processing services to our clients or partners, could adversely affect our business, financial condition or results of operations.

We and our clients are subject to card network rules that could subject us or our clients to a variety of fines or penalties that may be levied by card networks for certain acts or omissions by us or our clients. If a client fails to comply with the applicable requirements of card networks, we could be subject to a variety of fines or penalties that may be levied by card networks. We may have to bear the cost of such fines or penalties if we cannot collect them from the applicable client, resulting in lower earnings or losses for us. A violation of the network rules may result in the termination or suspension of our registration with the affected network. The termination of our registration, including a card network barring us from acting as a payment facilitator, or any changes in card network rules that would impair our registration, could require us to stop providing payment processing services relating to the affected card network, which would adversely affect our ability to conduct our business.

In addition, the rules of card networks are set by their boards, which may be influenced by card issuers. Many banks directly or indirectly sell processing services to clients in competition with us. These banks could attempt, by virtue of their influence on the networks, to alter the networks’ rules or policies to the detriment of non-members, including us.

Changes in laws and regulations relating to interchange fees on payment card transactions, or increases in card network fees and other changes to fee arrangements, may result in the loss of clients who use our payment processing services and would adversely affect our revenue and results of operations.

We pay interchange fees to the card networks or the card issuers for each transaction we process. The card networks, including Visa, MasterCard, American Express and Discover, may increase, from time to time, the interchange fees that they charge members or service providers, or the fees that they charge acquirers, which would be passed down to processors, payment facilitators and merchants. Although we may attempt to pass these increases along to our clients, this may result in the loss of clients to our competitors that do not pass along the increases. If competitive practices prevent us from passing along the higher fees to our clients in the future, we may have to absorb all or a portion of such increases, which may increase our operating costs and reduce our earnings. Additionally, provision of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the "Dodd-Frank Act") known as the Durbin Amendment empowered the Board of Governors of the Federal Reserve System ("FRS"), to establish and regulate a cap on the interchange fees that issuers (e.g. banks) may charge or receive for electronic clearing of debit card transactions. The original regulations implementing the Durbin Amendment established standards for assessing whether debit card interchange fees received by debit card issuers were reasonable and proportional to the costs incurred by issuers for electronic debit transactions, and it established a maximum permissible interchange fee that an issuer may receive for an electronic debit transaction, limiting the fee revenue to debit card issuers and payment processors. If the maximum permissible interchange fee for debit cards, credit cards, or other payment cards is changed or the exempt status of HSA-linked payment cards from such maximum interchange rate caps is lost as a result of amendment to Regulation II by the FRS or any other new rulemaking, legislation, or private litigation challenge, our revenue and profit from payment card transactions processed through our payments platform could decrease, and there could be a material adverse effect on our financial condition and results of operations.

Risk relating to our data and intellectual property

If our intellectual property is not adequately protected, we may not be able to build name recognition, protect our technology and products, and our business may be adversely affected.

Our business depends on proprietary technology and content, including software, databases, confidential information and know-how, the protection of which is crucial to the success of our business. We rely on a combination of trademark, trade-secret and copyright laws, confidentiality procedures and contractual provisions to protect our intellectual property rights in our proprietary technology, content and brand. We may, over time, increase our investment in protecting our intellectual property through additional trademark, patent and other intellectual property filings that could be expensive and time-consuming. Effective trademark, trade-secret and copyright protection is expensive to develop and maintain, both in terms of initial and ongoing registration requirements and the costs of defending our rights. These measures, however, may not be sufficient to offer us meaningful protection. If we are unable to protect our intellectual property and other proprietary rights, our brand, competitive position and business could be harmed, as third parties may be able to dilute our brand or commercialize and use technologies and software products that are substantially the same as ours without incurring the development and licensing costs that we have incurred. Any of our owned or licensed intellectual property rights could be challenged, invalidated, circumvented, infringed or misappropriated, our trade secrets and other confidential information could be disclosed in an unauthorized manner to third parties, or our intellectual property rights may not be sufficient to permit us to take advantage of current market trends or otherwise provide us with competitive advantages, which could result in costly redesign efforts, discontinuance of certain offerings or other competitive harm.

Monitoring unauthorized use of our intellectual property is difficult and costly. From time to time, we seek to analyze our competitors’ products and services, and may in the future seek to enforce our rights against potential infringement. However, the steps we have taken to protect our proprietary rights may not be adequate to prevent infringement or misappropriation of our intellectual property. We may not be able to detect unauthorized use of, or take appropriate steps to enforce, our intellectual property rights. Any inability to meaningfully protect our intellectual property rights could result in harm to our brand or our ability to compete and reduce demand for our technology and products. Moreover, our failure to develop and properly manage new intellectual property could adversely affect our market positions and business opportunities. Also, some of our products and services rely on technologies and software developed by or licensed from third parties. Any disruption or disturbance in such third-party products or services, which we have experienced in the past, could interrupt the operation of our solutions. We may not be able

to maintain our relationships with such third parties or enter into similar relationships in the future on reasonable terms or at all.

We may also be required to protect our proprietary technology and content in an increasing number of jurisdictions, a process that is expensive and may not be successful, or which we may not pursue in every location. In addition, effective intellectual property protection may not be available to us in every country, and the laws of some foreign countries may not be as protective of intellectual property rights as those in the United States. Additional uncertainty may result from changes to intellectual property legislation enacted in the United States and elsewhere, and from interpretations of intellectual property laws by applicable courts and agencies. Accordingly, despite our efforts, we may be unable to obtain and maintain the intellectual property rights necessary to provide us with a competitive advantage. Our failure to obtain, maintain and enforce our intellectual property rights could therefore have a material adverse effect on our business, financial condition and results of operations.

Any restrictions on our use of, or ability to license and integrate, third-party technologies could have a material adverse effect on our business, financial condition and results of operations.

We integrate into our proprietary applications and use third-party software to maintain and enhance, among other things, content generation and delivery, and to support our technology infrastructure. Some of this software is proprietary and some is open source software. Our use of third-party technologies and open source software exposes us to increased risks, including, but not limited to, risks associated with the integration of new technology into our solutions, the diversion of our resources from development of our own proprietary technology and our inability to generate revenue from licensed technology sufficient to offset associated acquisition and maintenance costs. These technologies may not be available to us in the future on commercially reasonable terms or at all and could be difficult to replace once integrated into our own proprietary applications. Most of these licenses can be renewed only by mutual consent and may be terminated if we breach the terms of the license and fail to cure the breach within a specified period of time. Our inability to obtain, maintain or comply with any of these licenses could delay development until equivalent technology can be identified, licensed and integrated, which would harm our business, financial condition and results of operations.

Most of our third-party licenses are non-exclusive and our competitors may obtain the right to use any of the technology covered by these licenses to compete directly with us. If our data suppliers choose to discontinue support of the licensed technology in the future, we might not be able to modify or adapt our own solutions.

Third parties may initiate legal proceedings alleging that we are infringing or otherwise violating their intellectual property rights, the outcome of which would be uncertain and could have a material adverse effect on our business, financial condition and results of operations.

Our commercial success depends on our ability to develop and commercialize our services and use our proprietary technology without infringing the intellectual property or proprietary rights of third parties. Intellectual property disputes can be costly to defend and may cause our business, operating results and financial condition to suffer. As the market for healthcare in the United States expands and more patents are issued, the risk increases that there may be patents issued to third parties that relate to our products and technology of which we are not aware or that we must challenge to continue our operations as currently contemplated. Whether merited or not, we may face allegations that we, our partners, our licensees or parties indemnified by us have infringed or otherwise violated the patents, trademarks, copyrights or other intellectual property rights of third parties. Such claims may be made by competitors seeking to obtain a competitive advantage or by other parties. Additionally, in recent years, individuals and groups have begun purchasing intellectual property assets for the purpose of making claims of infringement and attempting to extract settlements from companies like ours. We may also face allegations that our employees have misappropriated the intellectual property or proprietary rights of their former employers or other third parties. It may be necessary for us to initiate litigation to defend ourselves in order to determine the scope, enforceability and validity of third-party intellectual property or proprietary rights, or to establish our respective rights. Additionally, the intellectual property ownership and license rights, including copyright, surrounding AI technologies, which we are increasingly incorporating into our product offerings, has not been fully addressed by U.S. courts or other federal or state laws or regulations, and the use or adoption of AI technologies in our products and services may expose us to copyright infringement or other intellectual property misappropriation claims related to AI training or output. Regardless of whether claims that we are infringing patents or other intellectual property rights have merit, such claims can be time-consuming, divert management’s attention and financial resources and can be costly to evaluate and defend. Results of any such litigation are difficult to predict and may require us to stop commercializing or using our products or technology, obtain licenses, modify our services and technology while we develop non-infringing substitutes or incur substantial damages, settlement costs or face a temporary or permanent injunction prohibiting us from marketing or providing the affected products and services. If we require a third-party license, it may not be available on reasonable terms or at all, and we may have to pay substantial royalties, upfront fees or grant cross-

licenses to intellectual property rights for our products and services. We may also have to redesign our products or services so they do not infringe third-party intellectual property rights, which may not be possible or may require substantial monetary expenditures and time, during which our technology and products may not be available for commercialization or use. Even if we have an agreement to indemnify us against such costs, the indemnifying party may be unable to uphold its contractual obligations. If we cannot or do not obtain a third-party license to the infringed technology, license the technology on reasonable terms or obtain similar technology from another source, our revenue and earnings could be adversely impacted.

From time to time, we may be subject to legal proceedings and claims in the ordinary course of business with respect to intellectual property. We are not currently subject to any claims from third parties asserting infringement of their intellectual property rights. Some third parties may be able to sustain the costs of complex litigation more effectively than we can because they have substantially greater resources. Even if resolved in our favor, litigation or other legal proceedings relating to intellectual property claims may cause us to incur significant expenses and could distract our technical and management personnel from their normal responsibilities. In addition, there could be public announcements of the results of hearings, motions or other interim proceedings or developments, and if securities analysts or investors perceive these results to be negative, it could have a material adverse effect on the price of our common stock. Moreover, any uncertainties resulting from the initiation and continuation of any legal proceedings could have a material adverse effect on our ability to raise the funds necessary to continue our operations. Assertions by third parties that we violate their intellectual property rights could therefore have a material adverse effect on our business, financial condition and results of operations.

Interruption or failure of our information technology and communications systems could impair our ability to effectively deliver our products and services, which could cause us to lose clients and harm our operating results.

Our business depends on the continuing operation of our technology infrastructure and systems. Proprietary software development is time-consuming, expensive and complex, and may involve unforeseen difficulties. We may encounter technical obstacles in enhancing our existing software and developing new software, and it is possible that we may discover additional problems that prevent our proprietary applications from operating properly. In addition, any damage to or failure of our existing systems, or the systems of our third-party providers, could result in interruptions in our ability to deliver our products and services. Interruptions in our service, such as one that affected our ConnectOnCall product in 2024, have in the past and could in the future reduce our revenue and profits, and our reputation could be damaged if people believe our systems are unreliable.

Our systems and operations, and those of our third-party providers, are vulnerable to damage or interruption from natural disasters or man-made problems, such as earthquakes, floods, fires, political unrest, acts of terrorism, armed conflict or war (such as the ongoing Russian invasion of Ukraine and the conflict in the Middle East), power loss, break-ins, hardware or software failures, telecommunications failures, computer viruses, cyber-attacks or other attempts to harm our systems and similar events. Any unscheduled interruption in our service would result in an immediate loss of revenue. Frequent or persistent system failures that result in the unavailability of our solutions or slower response times could reduce our clients’ ability to access our solutions, impair our delivery of our products and services and harm the perception of our solutions as reliable, trustworthy and consistent. Our insurance policies provide only limited coverage for service interruptions and may not adequately compensate us for any losses that may occur due to any failures or interruptions in our systems.

If our solutions fail to provide accurate and timely information, or if the content delivered to clients and patients or any other element of our service is associated with errors or malfunctions, we could have liability to clients or patients which could adversely affect our results of operations.

Our solutions are used to help healthcare organizations and patients streamline the process of finding, scheduling, receiving and paying for care, and to empower patients and healthcare organizations as they navigate the challenges of an evolving healthcare system. If our solutions or the content delivered to clients and patients fail to provide accurate and timely information or are associated with errors or malfunctions, then healthcare services clients or patients could assert claims against us that could result in substantial costs to us, harm our reputation in the industry and cause demand for our services to decline.

We attempt to limit by contract our liability for damages and to require that our clients assume responsibility for medical care and approve key system rules, protocols and data. Despite these precautions, the allocations of responsibility and limitations of liability set forth in our contracts may not be enforceable, may not be binding upon patients or may not otherwise protect us from liability for damages.

Our proprietary software may contain errors or failures that are not detected until after the software is introduced or updates and new versions are released. It is challenging for us to test our software for all potential problems

because it is difficult to simulate the wide variety of computing environments or methodologies that our clients may deploy or rely upon. From time to time we have discovered defects or errors in our software, and such defects or errors can be expected to appear in the future. Defects and errors that are not timely detected and remedied could expose us to risk of liability to healthcare services clients and patients and cause delays in introduction of new services, result in increased costs and diversion of development resources, require design modifications or decrease market acceptance or client satisfaction with our services. If any of these risks occur, they could materially and adversely affect our business, financial condition or results of operations.

We may be liable for use of incorrect or incomplete data we provide, which could harm our business, financial condition and results of operations.

We collect, store and display data, including patient health information, for use by healthcare services clients in handling patient intake, payments and engagement and to deliver clinically relevant content to patients. Our clients, their patients, or third parties provide us with most of this data. If this data is incorrect or incomplete, or if we make mistakes in the capture or input of this data, adverse consequences may occur and give rise to product liability and other claims against us. In addition, a court or government agency may take the position that our storage and display of health information exposes us to liability arising out of our intake, storage and display of erroneous health information. While we maintain insurance coverage, we cannot be certain that this coverage will prove to be adequate or will continue to be available on acceptable terms, if at all. Even unsuccessful claims could result in substantial costs and diversion of management resources. A claim brought against us that is uninsured or under-insured could harm our business, financial condition and results of operations.

Our use of “open source” software could adversely affect our ability to offer our services and subject us to possible litigation.

We may use open source software in connection with our products and services. Companies that incorporate open source software into their products have, from time to time, faced claims challenging the use of open source software and/or compliance with open source license terms. As a result, we could be subject to suits by parties claiming ownership of what we believe to be open source software or claiming noncompliance with open source licensing terms. Some open source software licenses require users who distribute software containing open source software to publicly disclose all or part of the source code to such software and/or make available any derivative works of the open source code, which could include valuable proprietary code of the user, on unfavorable terms or at no cost. While we monitor the use of open source software and try to ensure that none is used in a manner that would require us to disclose our proprietary source code or that would otherwise breach the terms of an open source agreement, such use could inadvertently occur, in part because open source license terms are often ambiguous. Any requirement to disclose our proprietary source code or pay damages for breach of contract could have a material adverse effect on our business, financial condition and results of operations and could help our competitors develop products and services that are similar to or better than ours.

Risks relating to laws and regulations applicable to our industry

We are subject to healthcare laws and data privacy and security laws and regulations governing our collection, use, disclosure, storage and transmission of personally identifiable information, including protected health information and payment card data, which may impose restrictions on us and our operations, require us to change our business practices and put in place additional compliance mechanisms, and subject us to fines, penalties, lawsuits, adverse publicity, reputational harm, loss of client trust or government enforcement actions if we are unable to fully comply with such laws.

Numerous complex federal and state laws and regulations govern the collection, use, disclosure, storage and transmission of personally identifiable information, including protected health information, and account holder information collected by our subsidiary AccessOne MedCard pursuant to its role as a consumer lender. State laws may be even more restrictive and not preempted by HIPAA, and may be subject to varying interpretations by the courts and government agencies. In addition, our subsidiary AccessOne MedCard is subject to certain federal and state regulations applicable to financial institutions related to cybersecurity, including the NYDFS Part 500 Requirements, and the GLBA and its implementing regulations, including Regulation P and the FTC Safeguards Rule, as well as the FTC’s Identity Theft Red Flags Rule under the Fair Credit Reporting Act. These regulations, among other things, require financial institutions to explain their information sharing practices to their customers, safeguard sensitive data and maintain an identity theft prevention program. These laws and regulations, including their interpretation by governmental agencies, are subject to frequent change and could have a negative impact on our business. Further, these varying interpretations could create complex compliance issues for us and our partners and potentially expose us to additional expense, liability, penalties, negatively impact our client relationships, and lead to adverse publicity, and all of these risks could adversely affect our business in the short and long term. In

addition, contractual obligations and legislation may limit, forbid or regulate the use or transmission of health information outside of the United States or across other national borders. These developments, if adopted, could render our use of Indian employees and other non-U.S. resources for work related to such data impracticable or substantially more expensive.

With respect to certain of our solutions, we are a “business associate” as defined under HIPAA. The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights may impose civil penalties on a business associate for a failure to comply with HIPAA requirements. The U.S. Department of Justice is responsible for criminal prosecutions under HIPAA. Penalties can vary significantly depending on a number of factors, such as whether the business associate’s failure to comply was due to willful neglect. State attorneys general also have the right to prosecute HIPAA violations in their states. While HIPAA does not create a private right of action that would allow individuals to sue in civil court, its standards have been used as the basis for the duty of care in state civil suits, such as those for recklessness in misusing individuals’ health information. If we are subject to investigation or litigation related to an alleged violation of HIPAA, such as the ConnectonCall Case, then we may elect to resolve the matter through a settlement. Such settlement could require payment of a civil penalty or damages, corrective action and/or monitoring of our business by a third party.

Like other companies in our industry, we and our third-party vendors have experienced and will likely experience threats and security incidents that could affect our information or systems. The security measures that we and our third-party vendors have in place are designed to ensure compliance with privacy and data protection laws, but we cannot guarantee that we and our subcontractors will not experience cyber-attacks, acts of vandalism or theft, computer viruses, misplaced or lost data, malfeasance, programming and human errors or other similar events. Under the HITECH Act, as a business associate we may also be liable for privacy and security breaches and failures of our subcontractors. Even though we provide for appropriate protections through our agreements with our subcontractors, we still have limited control over their actions and practices. A breach of privacy or security of individually identifiable health information by a subcontractor may result in an enforcement action, including criminal and civil liability, against us. We are not able to predict the extent of the impact such incidents may have on our business. Enforcement actions against us could be costly and could interrupt regular operations, which may adversely affect our business. While we are not aware of any non-compliance or violations of any applicable privacy and data protection laws that have not been addressed, and we believe we are in compliance with such laws, there can be no assurance that we will not receive notices of non-compliance or violations in the future.

Even when HIPAA does not apply, according to the FTC, failing to take appropriate steps to keep consumers’ personal information secure constitutes unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act (“FTCA”). The FTC’s current guidance for appropriately securing consumers’ personal information is similar to what is required by the HIPAA security regulations, but this guidance may change in the future, resulting in increased complexity and the need to expend additional resources to ensure we are complying with the FTCA.

Federal and state consumer protection laws are increasingly being applied by the FTC and states’ attorneys general to regulate the collection, use, storage and disclosure of personal or personally identifiable information, through websites or otherwise, and to regulate the presentation of website content. The FTC has authority to initiate enforcement actions against entities that mislead customers about HIPAA compliance, make deceptive statements about privacy and data sharing in privacy policies, fail to limit third-party use of personal health information, fail to implement policies to protect personal health information or engage in other unfair practices that harm customers or that may violate Section 5(a) of the FTCA, and has brought enforcement actions against companies in the healthcare space in recent years. As a result of regulatory enforcement proceedings, we may be subject to related litigation, settlements or enforcement actions that could include monetary penalties and/or compliance requirements that (1) impose significant and material costs, (2) require us to make modifications to our data practices and our marketing programs, (3) result in negative publicity, or (4) have a negative impact on consumer demand for our products and services, or on our commercial or industry relationships. Even an unsuccessful challenge of our privacy practices by our consumers, regulatory authorities or other third parties could result in negative publicity and could require a costly response from and defense by us. Any of these events could adversely affect our ability to operate our business and our financial results.

Other federal and state laws restrict the use and protect the privacy and security of personally identifiable information, in many cases are not preempted by HIPAA and may be subject to varying interpretations by courts and government agencies. These varying interpretations can create complex compliance issues for us and our partners and potentially expose us to additional expense, adverse publicity and liability, any of which could adversely affect our business. States continue to introduce and adopt new and amended laws, regulations and industry standards concerning privacy, data protection and information security. The first of these was the CCPA, as amended by the

CPRA, which amendments went into effect on January 1, 2023. The CCPA created specific obligations with respect to processing and storing personal information, and the CPRA amendments created a state agency that is vested with authority to implement and enforce the CCPA. In addition to the CCPA, similar privacy and data security laws have been enacted in numerous other states. These new laws have and will impose similar, additional, and in some cases more restrictive requirements than the CCPA created.

Furthermore, other states have proposed or enacted legislation that is focused on more narrow aspects of privacy. For example, a small number of states, including Illinois and Texas, have passed laws that protect biometric information and other states have passed or are considering laws that are specifically focused upon health privacy, such as Washington’s My Health My Data Act. The My Health My Data Act imposed state restrictions and requirements on the processing and sale of consumer health data and created a private right of action, which further increases our relevant compliance risk. Connecticut and Nevada have also passed similar laws regulating consumer health data. The effects of state and federal privacy laws are potentially significant and may require us to modify our data processing practices and policies and to incur substantial costs and potential liability in an effort to comply with such legislation.

We cannot yet determine the full impact these laws or other such future laws, regulations and standards may have on our current or future business. Any of these laws may broaden their scope in the future, and similar laws have been proposed on both a federal level and in various states in the U.S. Such proposed legislation, if enacted, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. The existence of comprehensive privacy laws in different states in the country, and the heightened scrutiny associated with the enforcement of such laws, could make our compliance obligations more complex and costly and may increase the likelihood that we may be subject to enforcement actions or otherwise incur liability for noncompliance. State laws are changing rapidly and there have been discussions in the U.S. Congress of new comprehensive federal data privacy laws to which we could become subject, if enacted.

While we primarily process data of consumers located within the United States, we process data of consumers located in other jurisdictions and have employees outside of the United States that may be subject to foreign laws. Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our clients must comply. Cross-border data transfers and other future developments regarding local data residency and access could increase the cost and complexity of delivering our services in some markets and may lead to governmental enforcement actions, litigation, fines and penalties or adverse publicity, which could adversely affect our business and financial position could greatly increase our cost of providing our solutions and services, require significant changes to our operations or even prevent us from offering certain services in specific jurisdictions. In addition, limitations on our ability to use or transmit health information outside of the U.S. make our compliance obligations more complex and could impose restrictions on our ability to recruit and maintain employees residing outside of the U.S., which could, in turn, adversely affect our business.

Specifically, regulators and legislators in the U.S. are increasingly scrutinizing and restricting certain personal data transfers and transactions involving foreign countries. For example, the Department of Justice’s January 8, 2025, rule, “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” as implemented by Department of Justice regulations issued in December 2024, prohibits data brokerage transactions involving certain sensitive personal data categories, including health data, genetic data, and biospecimens, to countries of concern, including China. The regulations also restrict certain investment agreements, employment agreements, and vendor agreements involving such data and countries of concern, absent specified cybersecurity controls. Actual or alleged violations of these regulations may be punishable by criminal and/or civil sanctions, and may result in exclusion from participation in federal and state programs. While Phreesia does not currently transfer data to these countries of concern, we are continuing to monitor the applicability of these new regulations and similar rules that may be enacted from time to time.

We expect that there will continue to be new or amended laws, regulations, standards and obligations proposed and enacted in various foreign jurisdictions. Many countries around the world have enacted comprehensive privacy and data protection laws that can impact our business. Some of the businesses we have acquired are subject to additional laws and regulations in jurisdictions outside of the U.S. For example, in Europe, organizations that collect or otherwise process personal data in connection with (a) the activities of a business establishment within the European Economic Area/United Kingdom; or (b) offering goods or services to/monitoring the behavior of individuals within these territories are subject to the EU General Data Protection Regulation, or EU GDPR, and the EU GDPR as incorporated into the laws of the United Kingdom following Brexit (“UK GDPR”, together with the EU GDPR, “GDPR”). The GDPR, alongside supplementary local data protection laws in the EU and the UK, impose stringent

requirements on the processing of personal data, with heightened obligations for health and other sensitive data. These requirements include: (i) providing information to individuals regarding data processing activities; (ii) ensuring a legal basis or condition applies to the processing of personal data and, where applicable, obtaining consent from individuals to whom the data processing relates; (iii) responding to data subject requests; (iv) imposing requirements to notify the competent national data protection authorities and data subjects of personal data breaches; (v) implementing safeguards in connection with the security and confidentiality of the personal data; (vi) accountability requirements; and (vii) taking certain measures when engaging third-party processors. The GDPR also restricts the transfer of personal data to countries outside of the EEA/UK that do not ensure an adequate level of protection, including the United States in certain circumstances, unless a valid transfer mechanism is in place, and where required, a transfer impact assessment has been completed. Compliance with such laws and regulations, including any new or evolving regulations relating to the use of data in AI and machine learning technologies, such as the EU AI Act, requires resources and could be more costly and take more time than we anticipate, and could involve regulatory investigations, fines (which under the GDPR can be substantial), or other penalties for non-compliance, all of which could adversely affect our business.

We have operations in Canada, where our collection, use, disclosure and management of personal information must comply with both federal and provincial privacy laws, which impose separate requirements, but may overlap in some instances. The Personal Information Protection and Electronic Documents Act ("PIPEDA") applies in all Canadian provinces except Alberta, British Columbia and Québec, as well as to the transfer of consumer data across provincial borders. PIPEDA imposes stringent consumer data protection obligations, requires privacy breach reporting and limits the purposes for which organizations may collect, use, and disclose consumer data. The provinces of Alberta, British Columbia and Québec have enacted separate data privacy laws that are substantially similar to PIPEDA, but all three additionally apply to our handling of our own employees’ personal data within their respective provinces. Notably, Québec’s Act respecting the protection of personal information in the private sector (the “Private Sector Act”), was amended by Bill 64, an Act to modernize legislative provisions as regards the protection of personal information, which introduced major amendments to the Private Sector Act, notably, to impose significant and stringent new obligations on Québec businesses while increasing the powers of Quebec’s supervisory authority. We may incur additional costs and expenses related to compliance with these laws and may incur significant liability if we are not able to comply with these laws. We are also subject to Canada’s anti-spam legislation, or CASL, which includes rules governing commercial electronic messages, which include marketing emails, text messages and social media advertisements. Under these rules, we must follow certain standards when sending marketing communications, are prohibited from sending them to customers without their consent and can be held liable for violations.

Certain of our products and services are also subject to self-regulatory standards and industry certifications that may legally or contractually apply to us. These include the Payment Card Industry Data Security Standards ("PCI-DSS"), AICPA Security Organization Control 2 ("SOC 2") and HITRUST certification, which apply to or are maintained by certain of our solutions. In the event we fail to comply with the PCI-DSS or fail to maintain our SOC 2 or HITRUST certification, we could be in breach of our obligations under client and other contracts, penalties could result, and we may suffer reputational harm and damage to our business. Further, certain of our clients expect us to comply with more stringent privacy, data storage and data security requirements than those imposed by laws, regulations or self-regulatory requirements, and in some cases we are obligated contractually to comply with additional or different standards relating to our handling or protection of data.

All of these evolving compliance and operational requirements impose significant costs, such as costs related to organizational changes, implementing additional protection technologies, training employees and engaging consultants and legal advisors, which are likely to increase over time. In addition, such requirements may require us to modify our data processing practices and policies, utilize management’s time and/or divert resources from other initiatives and projects. Any failure or perceived failure by us to comply with domestic or foreign laws or regulations, industry standards or other legal obligations, or any actual or suspected data breach or privacy or security incident, whether or not resulting in unauthorized access to, or acquisition, release or transfer of personally identifiable information or other data, may result in governmental enforcement actions and prosecutions, private litigation (such as the ConnectonCall Case, fines and penalties or adverse publicity and could cause our clients to lose trust in us, which could have an adverse effect on our reputation and business. We may be unable to make such changes and modifications in a commercially reasonable manner or at all, and our ability to develop new products and features could be limited. Any of these developments could harm our business, financial condition and results of operations. Privacy and data security concerns, whether valid or not valid, may inhibit retention of services by existing clients or adoption of our services by new clients.

Existing laws regulate our ability to engage in direct marketing, and changes in privacy laws could adversely affect our ability to market our products effectively and could impact our results from operations or result in costs and fines.

We rely on a variety of direct marketing techniques, including email marketing. These activities are regulated by legislation such as the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM Act”). Any failure by us to comply fully with the CAN-SPAM Act may leave us subject to substantial fines and penalties. In addition, any future restrictions in laws such as the CAN-SPAM Act, and various United States state laws, or new federal laws regarding marketing and solicitation or international data protection laws that govern these activities could adversely affect the continuing effectiveness of our marketing efforts and could force changes in our marketing strategies. If this occurs, we may not be able to develop adequate alternative marketing strategies, which could have a material adverse impact on our results of operations.

Additionally, while we do not allow any third-party cookies, tags or trackers (collectively, “cookies”) to be placed in the content on our platform, we utilize cookies on some of our public websites to collect data about visitors to our websites in order to administer our sites, enhance users’ web-browsing experience, analyze trends and gather information about users’ activities on our sites. Our ability to collect, analyze, use and share information collected via cookies is governed by U.S. and foreign laws and regulations which change from time to time, such as those regulating the level of consumer notice and consent required before a company can employ cookies to collect data about interactions with users online.

In recent years, there has been increasing public and regulatory scrutiny of the use of cookies by companies in the healthcare space. For example, the FTC has brought enforcement actions against online healthcare services and service providers, and there has been an increase in litigation alleging the unauthorized collection and sharing of sensitive health information in violation of federal and state privacy laws. While we do not collect HIPAA-regulated PHI via the use of cookies on our websites, and we believe our use of cookies on those websites complies with all applicable laws, we may from time to time receive public or regulatory inquiries about our use of tracking technologies. Continued regulation of cookies, changes in the interpretation and enforcement of existing laws and regulations, and increased scrutiny of the use of cookies by healthcare technology companies could restrict our ability to engage in certain activities or require changes to our practices. If we are believed or found to have not complied with our obligations under applicable laws, we may also be subject to litigation, substantial financial penalties, injunctive actions and reputational harm. All of the above could impact our business, financial condition or results of operations.

Any failure by us to comply fully with website accessibility standards could result in us being subject to considerable fines and penalties.

We conduct business through various Internet websites and web-based applications that are subject to accessibility requirements. Courts have ruled that the Americans with Disabilities Act (“ADA”) applies to Internet websites and other digital experiences, and litigation related to ADA website accessibility has soared in recent years. Failing to comply with those requirements could leave us subject to claims, litigation, lawsuits and, ultimately, substantial fines and penalties.

The healthcare regulatory and political framework is uncertain and evolving.

Healthcare laws and regulations are rapidly evolving and may change significantly in the future, which could adversely affect our financial condition and results of operations. For example, in 2020, the HHS, Office of the National Coordinator for Health Information Technology ("ONC") and Centers for Medicare & Medicaid Services (“CMS”) promulgated final rules to clarify and operationalize provisions of the 21st Century Cures Act ("Cures Act"), regarding interoperability and “information blocking,” and create significant new requirements for healthcare industry participants. Information blocking is defined as activity that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI, where a health information technology developer, health information network or health information exchange knows or should know that such practice is likely to interfere with access to, exchange or use of EHI. On January 9, 2024, the ONC issued a final rule modifying certain components of the existing information blocking regulations, including modifying and expanding certain exceptions to the information blocking regulations, which are intended to support information sharing.

While these rules benefit us in that certain EHR vendors will no longer be permitted to interfere with our attempts at integration, they may also make it easier for other similar companies to enter the market, creating increased competition and reducing our market share.

In addition, on December 27, 2024, HHS-OCR issued a Notice of Proposed Rulemaking to modify the HIPAA Security Rule to enhance cybersecurity protections for electronic protected health information. The proposed rule would modify the HIPAA Security Rule to require covered entities and business associates to strengthen cybersecurity protections for individuals’ protected health information. Key proposals include removing the distinction between “required” and “addressable” implementation specifications and mandating the development and revision of a technology asset inventory and a network map. Given the recent change in presidential administration, it is difficult to anticipate when the proposed rule will be finalized or if the NPRM will be withdrawn. If the NPRM is finalized, we may be subject to additional compliance obligations and incur additional costs in connection with compliance.

In addition, we are subject to various other laws and regulations, including, among others, anti-kickback laws, antitrust laws, financial services laws and the privacy and data protection laws described below.

We conduct business in a heavily regulated industry in an uncertain and evolving political and regulatory environment, and any failure to comply with applicable healthcare laws and government regulations could result in financial penalties, adverse regulatory action and adverse publicity, or could require us to make significant operational changes, any of which could harm our business.

Our current and future arrangements with healthcare services clients, life sciences companies and patients subject us to various federal and state fraud and abuse laws and other healthcare laws, including, without limitation, the federal Anti-Kickback Statute, the federal civil and criminal false claims laws, HIPAA and regulations promulgated under such laws. These laws impact, among other things, proposed sales, marketing and educational programs, and other interactions with healthcare providers and patients. For more information regarding the risks related to these laws and regulations please see “ Business – Regulatory Matters ” in this Annual Report on Form 10-K.

The scope and enforcement of each of these laws is uncertain and subject to rapid change in the current environment. Federal and state enforcement bodies have increased their scrutiny of interactions between healthcare industry participants, which has led to a number of investigations, prosecutions, convictions and settlements in the healthcare industry. Because of the breadth of these laws and the narrowness of their statutory or regulatory exceptions and safe harbors, some of our business activities may be subject to challenge under one or more of them.

Ensuring that our internal operations and future business arrangements with third parties comply with applicable healthcare laws and regulations involves substantial costs. The risk of our being found in violation of healthcare laws and regulations is increased by the fact that their provisions are sometimes complex and open to a variety of interpretations. Executive orders and other governmental actions, particularly from the U.S. presidential administration, have increased and may further increase uncertainty about how laws and regulations will be interpreted and applied, and there has been an increase in legal challenges to healthcare regulations and agency guidance and decisions, including but not limited to those issued by HHS and certain of its agencies, such as the CMS, FDA, and Office of Inspector General.

Additionally, our subsidiary, AccessOne MedCard offers medical financing products, which are subject to extensive and evolving federal and state consumer protection, fair lending and other laws and regulations. In recent years, the CFPB and various state attorneys general have increased scrutiny of third-party providers of financing for medical services, and have conducted investigations and brought enforcement actions alleging abusive or otherwise improper lending practices. Heightened scrutiny of, or any additional laws, rules or regulations applicable to, third-party medical financing arrangements could result in increased administrative and compliance costs, exposure to governmental investigations, enforcement actions, fines, penalties or private litigation, and require AccessOne MedCard to modify or limit its products and marketing practices, reducing its ability to participate competitively in this market.It is possible that governmental authorities will conclude that our business practices do not comply with current or future statutes, regulations, agency guidance or case law involving applicable fraud and abuse or other healthcare laws and regulations. If our operations are found to be in violation of any of the laws described above or any other governmental laws and regulations that may apply to us, we may be subject to significant penalties, including administrative, civil and criminal penalties, damages, fines, disgorgement, the exclusion from participation in federal and state healthcare programs, individual imprisonment, reputational harm, and the curtailment or restructuring of our operations, as well as additional reporting obligations and oversight if we become subject to a corporate integrity agreement or other agreement to resolve allegations of non-compliance with these laws. Likewise, if any of the healthcare providers or entities with whom we do business are found to not be in compliance with applicable laws, they may be subject to criminal, civil or administrative sanctions, including exclusions from government funded healthcare programs and imprisonment. Further, defending against any such actions can be costly and time-consuming, and may require significant financial and personnel resources. Therefore, even if we are

successful in defending against any such actions that may be brought against us, our business may be impaired. If any of the above occur, our ability to operate our business and our results of operations could be adversely affected.

We may be subject to risks related to government contracts and related procurement regulations.

We derive revenues from contracts with the U.S. federal government, state and local governments. Our contracts with federal, state, local and foreign government entities are subject to various procurement regulations and other requirements relating to their formation, administration and performance. We are from time to time subject to audits and investigations relating to our government contracts, and any violations could result in various civil and criminal penalties and administrative sanctions, including termination of contracts, refunding or suspending of payments, forfeiture of profits, payment of fines and suspension or debarment from future government business. In addition, such contracts may provide for termination by the government at any time, without cause. In addition, many federal, state, local and foreign governments and their agencies are have undertaken, or face pressure to undertake, significant spending reductions, and demand and payment for our services may be impacted by public sector budgetary cycles and funding authorizations. These factors may combine to potentially limit the revenue we derive from government contracts in the future. Additionally, government contracts generally have requirements that are more complex than those found in commercial enterprise agreements and therefore are more costly to comply with. Any of these risks related to contracting with government entities could adversely impact our future sales and operating results.

The U.S. Food and Drug Administration (“FDA”) may in the future determine that our technology solutions are subject to the Federal Food, Drug, and Cosmetic Act and we may face additional costs and risks as a result.

The FDA may promulgate a policy or regulation that affects our products and services. FDA regulations govern, among other things, product development, testing, manufacture, packaging, labeling, storage, clearance or approval, advertising and promotion, sales and distribution and import and export for regulated drugs, biologics and devices. Non-compliance with applicable FDA requirements can result in, among other things, public warning letters, fines, injunctions, civil penalties, recall or seizure of products, total or partial suspension of production, failure of the FDA to grant marketing approvals, withdrawal of marketing approvals, criminal prosecutions or a recommendation by the FDA to disallow us from entering into government contracts. The FDA also has the authority to request repair, replace or refund of the cost of any device.

Individuals may claim our calling or text messaging services are subject to, and are not compliant with, the Telephone Consumer Protection Act or similar state laws.

Our clients may use our products to place various short message service, or SMS, text messages and calls to patients. Additionally, we place certain calls and text messages as part of our operations. There are a number of federal and state statutes and regulations that govern certain of these telecommunications, including the Telephone Consumer Protection Act (“TCPA”), the Telemarketing Sales Rule (“TSR”), and various state laws similar in scope to the TCPA and TSR. The U.S. Federal Communications Commission (“FCC”), and the FTC have responsibility for regulating various aspects of some of the TCPA, TSR and other federal laws. The FCC has recognized that certain healthcare-related telecommunications from or on behalf a healthcare provider to a patient are exempt from some TCPA restrictions if the calls or text messages meet certain requirements. For certain informational calls and text messages that do not qualify as a healthcare-related telecommunication, the TCPA requires callers to obtain prior express consent from the call recipient. Further, for calls and texts for telemarketing purposes, the TCPA requires callers to obtain prior express written consent from the call recipient and to adhere to “do-not-call” registry requirements which, in part, mandate that callers maintain and regularly update lists of consumers who have chosen not to be called and restrict calls to consumers who are on the national do-not-call list. Florida, Oklahoma and other states also have mini-TCPA and other similar consumer protection laws regulating calls and texts directed to their residents. As currently construed, the TCPA does not distinguish between voice and data, and, as such, text and SMS/MMS messages are also “calls” for the purpose of TCPA (and, in some cases, state mini-TCPA) obligations and restrictions.

For violations of the TCPA, the law provides for a private right of action under which a plaintiff may recover monetary damages of $500 for each call or text made in violation of the prohibitions on certain calls made using an artificial or pre-recorded voice or an ATDS and certain calls made to numbers properly registered on the federal “do-not-call” list. A court may treble the $500 amount upon a finding of a willful or knowing violation. There is no statutory cap on maximum aggregate exposure (although some courts have applied in TCPA class actions constitutional limits on excessive penalties). An action may be brought by the FCC, a state attorney general, an individual, or a class of individuals. As with the TCPA, Florida’s mini-TCPA, for example, restricts certain calls and calls and texts made using an automated system to Florida residents without prior consent, allows a plaintiff to

obtain $500 for each call or text made in violation of its prohibitions, and permits a court to treble the $500 amount for willful or knowing violations of the statute. The TCPA, TSR, mini-TCPA laws and other similar state laws are subject to interpretations that may change. We regularly evaluate how they may apply to our business. The FCC, FTC, a state attorney general or other regulator, or a court, however, may disagree with our interpretation of these laws and conclude that we are not in compliance and impose damages, civil penalties and other consequences upon us for noncompliance. Determination by a court or regulatory agency that our services did not comply may also invalidate all or portions of some of our client contracts, could require us to change or terminate some portions of our business, could require us to refund portions of our services fees, and could have an adverse effect on our business. Further, we could be subject to putative class action lawsuits alleging violations of the TCPA, state mini-TCPA laws and other similar state laws. Our call and SMS texting services are potential sources of risk for class action lawsuits and liability for us. Numerous class-action suits under federal and state laws have been filed in recent years against companies who conduct call and SMS texting programs, with many resulting in multi-million-dollar settlements to the plaintiffs. Even an unsuccessful challenge by consumers or regulatory authorities of our activities could result in adverse publicity and could require a costly response from us.

If in the future we are found to have violated such laws in a class action, the amount of damages and potential liability could be extensive and adversely impact our business. Accordingly, were such a class certified or if we are unable to successfully defend such a suit, then the damages could have a material adverse effect on our results of operations and financial condition.

Our business is dependent in part on phone, email and text messaging channels, and any technical, legal or other restrictions on the sending of such correspondence or a decrease in consumer willingness to receive such correspondence could adversely affect our business.

Our business is dependent in part on phone, email and other messaging channels, such as text messages. Actions taken by third parties that block, impose restrictions on or charge more for the delivery of these communications could harm our business. For example, from time to time, internet service providers or other third parties may block bulk communications or otherwise experience difficulties that result in our inability to successfully deliver communications to patients. In addition, our use of email and text messaging channels to send communications to patients, potential patients, clients and potential clients may result in legal claims against us, which if successful might limit or prohibit our ability to send such communications.

Our solutions rely on a third-party service provider for delivery of calls, emails, text messages and other forms of electronic communication. If we were unable to use any one of our current service providers, alternate providers are available; however, we believe our revenue could be impacted for some period as we transition to a new provider, and the new provider may be unable to provide equivalent or satisfactory services. Any disruption or restriction on the distribution of our communications, termination or disruption of our relationships with our third-party service providers or any increase in the associated costs, may be beyond our control and would adversely affect our business.

Artificial intelligence presents risks and challenges that can impact our business, including by increasing competition, posing security risks to our confidential information, proprietary information and personal data, and increasing our regulatory and compliance burden.

As with many technological innovations, AI presents opportunities for enhanced productivity and innovation but also presents risks and challenges that could impact our business. Issues in the development and use of AI, combined with an uncertain regulatory environment and emerging ethical issues, may result in competitive disadvantage, reputational harm, liability or other adverse consequences to our business operations.

Developments in AI have impacted the software industry and we expect this impact to continue. AI has become increasingly prevalent in the markets in which we operate and may result in changes in the demand for our solutions, including, but not limited to, reducing the difficulty and cost for competitors to build and launch competitive products or by making aspects of our solutions obsolete. Our competitive position could be harmed if we fail to adopt and integrate AI effectively into our operations and product offerings. The successful implementation of AI technologies requires significant investment in talent, infrastructure, and ongoing research and development. While we have made, and expect to continue to make, significant investments to integrate AI into our solutions and operations, AI technologies are rapidly evolving and there can be no guarantee that our solutions will remain competitive as new AI technologies are developed and adopted. Market acceptance, understanding, and valuation and consumer perceptions of platforms, products, and programs that incorporate AI technologies is uncertain, and the perceived value of AI technologies could be inaccurate. Developing, testing and deploying AI systems may also increase the cost profile of our solutions due to the nature of the computing costs involved in such systems.

Misjudging the convergence of AI with our business needs may lead to inefficiencies or obsolescence of our services or solutions.

We use AI technologies licensed from third parties, including in our solutions, and our ability to continue to use such third-party AI technologies at the scale we need may be dependent on access to specific third-party software and infrastructure. We cannot control the availability or pricing of such third-party AI technologies, especially in a highly competitive environment, and we may be unable to negotiate favorable economic terms with the applicable providers. Additionally, we, or our clients, may choose, or be required, not to use certain AI technologies due to security, compliance, reputational or other considerations. If our use of such AI technologies is restricted, if such AI technologies become incompatible with our solutions and programs or unavailable for use, or if the providers of such models unfavorably change the terms on which their AI technologies are offered or terminate their relationship with us, and no comparable alternative is available, our solutions may become less appealing to our clients and our business may be adversely affected. In addition, to the extent any third-party AI technologies are used as a hosted service, any disruption, outage, or loss of information through such hosted services could disrupt our operations or solutions, damage our reputation, cause a loss of confidence in our solutions, or result in legal claims or proceedings, for which we may be unable to recover damages from the affected AI provider.

Additionally, our employees, vendors and third-party partners use AI to perform their work. Certain of our vendors incorporate AI tools into their offerings, and the providers of these AI tools may not meet existing or rapidly evolving regulatory or industry standards, including with respect to privacy and data security. If we, our vendors, or our third-party partners experience an actual or perceived data breach or cybersecurity incident because of the use of generative AI, we may lose valuable intellectual property, personal data and/or confidential information, and our reputation and the public perception of the effectiveness of our security measures could be harmed. Further, bad actors around the world use increasingly sophisticated methods, including the use of AI, to engage in illegal activities involving the theft and misuse of personal information, confidential information, and intellectual property. In addition, the use of generative AI models in our internal or third-party systems may create new attack surfaces or methods for adversaries, which could impact us and our vendors. Any of these outcomes could damage our reputation, subject us to legal liability, result in the loss of valuable property and information, and adversely impact our business.

A growing number of legislators and regulators are adopting laws and regulations and have focused enforcement efforts on the use of AI in compliance with ethical standards and societal expectations. These developments may increase our compliance burden and costs in connection with the use of AI and lead to legal liability if we fail to meet evolving legal standards or if use of such technologies results in harms or other causes of action we did not predict. For example, the EU began implementing the Artificial Intelligence Act (the “AI Act”) on August 1, 2024, with a significant part of the law scheduled to come into effect in August 2026. As currently enacted, the AI Act, which may be amended as part of the EU’s Digital Omnibus, imposes significant obligations on providers and deployers of high-risk artificial intelligence systems, and encourages providers and deployers of artificial intelligence systems to account for EU ethical principles in their development and use of these systems. The scope of requirements depends on judicial interpretations and forthcoming legislative amendments, and non-compliance can lead to significant fines. In the United States, the AI regulatory environment is complex and uncertain. Over the past year, states have advanced, and in some cases passed, dozens of laws focusing on AI governance and regulation, including on deployment of AI in healthcare settings. At the federal level, the Trump Administration has endorsed a federal moratorium on the enforcement of state AI laws, including through a December 11, 2025, executive order on “Ensuring a National Policy Framework for Artificial Intelligence.” So far, these efforts have not been successful at curtailing state action on AI regulation, contributing to a complicated legislative patchwork, which may be litigated in state and federal courts. If we develop or use AI systems that are governed by the these laws or regulations, we will need to meet higher standards of data quality, transparency, and human oversight, and we would need to adhere to specific and potentially burdensome and costly ethical, accountability, and administrative requirements. we may also be subject to significant enforcement or litigation in the event of any perceived non-compliance.

The rapid evolution of AI will require the application of significant resources to help ensure that AI is implemented in accordance with applicable law and regulation and in a socially responsible manner and to minimize any real or perceived unintended harmful impacts. Use of this technology could pose cybersecurity, data privacy, IT, intellectual property, regulatory, legal, operational, competitive, reputational and other risks and challenges that could affect our business. Specifically, AI systems can present risks related to accuracy, bias, errors, discrimination, harmful content, misinformation, fraud, scams, targeted attacks (including model poisoning or data poisoning), surveillance, data leakage, inequality, environmental harms, false or “hallucinatory” inferences or outputs, and other harms may flow from our development, use, or deployment of AI technologies. For example, if the content, analyses, or recommendations that AI systems assist in producing are, or are alleged or perceived to be inaccurate, deficient, or biased, our reputation, competitive position, business, financial condition, and results of operations may be

adversely affected. The use of certain AI technologies can also give rise to intellectual property risks, including by disclosing or otherwise compromising our confidential or proprietary intellectual property, or by undermining our ability to assert or defend ownership rights in intellectual property created with the assistance of AI tools. Any of these effects could damage our reputation, result in the loss of valuable property and information, and adversely impact our business.

Our future success will depend, in part, on our ability to leverage AI responsibly, effectively and in compliance with laws and regulations. Because AI technology is highly complex and rapidly developing, it is not possible to predict all of the legal, operational, competitive or technological risks that may arise relating to the use of AI.

We may be adversely affected by the operation of laws in non-U.S. jurisdictions.

Our employment practices and corporate activities in non-U.S. jurisdictions, such as Canada and India, where certain of our employees are based, are in many cases subject to the laws of those jurisdictions rather than U.S. law. Laws in some jurisdictions differ in significant respects from those in the U.S. and may impose additional requirements, particularly with respect to employment and tax matters, which can make our compliance obligations more complex and costly and may increase the likelihood that we may be subject to enforcement actions or otherwise incur liability for noncompliance. These differences can also affect our ability to react to changes in our business, and our rights or ability to enforce rights may be different than would be expected under U.S. law. Moreover, enforcement of laws in some overseas jurisdictions can be inconsistent and unpredictable, which can affect both our ability to enforce our rights and to undertake activities that we believe are beneficial to our business. In addition, the business and political climate in some jurisdictions may encourage corruption, which could reduce our ability to compete successfully in those jurisdictions while remaining in compliance with local laws or U.S. anti-corruption laws applicable to our businesses.

Due to the particular nature of certain services we provide or the manner in which we provide them, we may be subject to additional government regulation and foreign government regulation.

While our solutions are primarily subject to government regulations pertaining to healthcare, certain aspects of our solutions require, or may require, us to comply with regulatory schema from other areas. Examples of such regulatory schema include:

• Financial services regulation. Our payment solutions must comply with certain laws, including the BSA, as amended by the PATRIOT Act, the Customer Due Diligence Rule, and the AMLA, which, among other things, contain anti-money laundering and financial transparency laws and mandate the implementation of various regulations applicable to all financial institutions, including standards for verifying client identification at account opening, and obligations to monitor client transactions and report suspicious activities. Additionally, our subsidiary, AccessOne MedCard receives a portion of its revenue from consumer lending activities. AccessOne MedCard is licensed or registered to engage in consumer lending in multiple states in the United States, subjecting it to extensive state regulatory oversight. For example, AccessOne MedCard must comply with consumer lending laws and regulations governing aspects of its operations, including disclosures, interest and fee limitations, and reporting obligations in each relevant state, creating significant compliance complexity and costs. Changes in state-level consumer lending laws, or changes in or additions to AccessOne MedCard’s product offerings, could require AccessOne MedCard to obtain licenses in additional states, increasing our compliance costs. AccessOne MedCard’s consumer lending activities are also subject to federal lending regulations, including the Truth in Lending Act, the Equal Credit Opportunity Act, the Fair Credit Billing Act, the Military Lending Act and the Servicemembers’ Civil Relief Act, among others, and rules promulgated by the CFPB. Failure to comply with applicable state or federal requirements could result in regulatory investigations, enforcement actions, civil or criminal penalties, license suspension or revocation, reputational harm, and increased compliance costs, any of which could materially adversely affect our business, financial condition, and results of operations. State attorneys general may also exercise enforcement authority under both state and federal law. Additionally, financial regulatory bodies may enact new laws or promulgate new regulations or interpret laws and regulations differently than they have in the past, or commence investigations or inquiries into our business practices. Potential new laws, regulations or interpretive guidance, such as stricter standards regarding the marketing, origination, or servicing of medical financing products, enacted at either the state or federal level could impose significant compliance costs and legal risks, or require AccessOne MedCard to alter its product offerings, modify fee structures or change its relationships with healthcare provider clients. Further, heightened regulatory scrutiny or negative publicity surrounding medical financing products could make AccessOne MedCard’s solutions less attractive to potential clients or cause existing clients to discontinue use of the solutions to avoid perceived regulatory risks or reputational harm.

• Foreign Corrupt Practices Act ("FCPA") and foreign anti-bribery laws . The FCPA makes it illegal for U.S. persons, including U.S. companies, and their subsidiaries, directors, officers, employees, and agents, to promise, authorize or make any corrupt payment, or otherwise provide anything of value, directly or indirectly, to any foreign official, any foreign political party or party official, or candidate for foreign political office to obtain or retain business. Violations of the FCPA can also result in violations of other U.S. laws, including anti-money laundering, mail and wire fraud, and conspiracy laws. There are severe penalties for violating the FCPA. The Company may also be subject to other non-U.S. anti-corruption or anti-bribery laws, such as the U.K. Bribery Act 2010. In many foreign countries, particularly in those with developing economies, it may be common to engage in business practices that are prohibited by laws and regulations applicable to us, such as the FCPA and other anti-bribery laws. Any violations of the FCPA or local anti-corruption laws by us, our subsidiaries or our local agents in India or elsewhere could have a material adverse effect on our business, financial condition, results of operations, and prospects, as well as our reputation, and result in substantial financial penalties or other sanctions.

• Economic sanctions and export controls . Economic and trade sanctions programs that are administered by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) prohibit or restrict transactions to or from, and dealings with specified countries and territories, their governments, and in certain circumstances, with individuals and entities that are located in or nationals of those countries, and other sanctioned persons, including specially designated nationals, narcotics traffickers and terrorists or terrorist organizations. As federal, state and foreign legislative regulatory scrutiny and enforcement actions in these areas increase, we expect our costs to comply with these requirements will increase as well. Failure to comply with any of these requirements could result in the limitation, suspension or termination of our services, imposition of significant civil and criminal penalties, including fines, and/or the seizure and/or forfeiture of our assets.

• Further, our solutions incorporate encryption technology. The U.S. Export Administration Regulations require authorization for the export of certain encryption items, including by a license, a license exception or other appropriate government authorizations. Such solutions may also be subject to certain regulatory reporting requirements. While we believe our products meet certain exceptions that reduce the scope of export control restrictions applicable to such products, these exceptions may be determined not to apply to our products and our products and underlying technology may become subject to export control restrictions.

• Our subsidiary, Insignia, receives a portion of its revenue from customers that are governmental agencies or funded by government programs. As a federal government contractor, Insignia’s government contracts and subcontracts subject Insignia to the Federal Acquisition Regulation (“FAR”) and, among other requirements, the following: (a) termination when appropriated funding for the current fiscal year is exhausted; (b) termination for the governmental customer’s convenience, subject to a negotiated settlement for costs incurred and profit on work completed, along with the right to place contracts out for bid before completion of the full contract term, as well as the right to make unilateral changes in contract requirements, subject to negotiated price adjustments; (c) compliance and reporting requirements related to, among other things, agency-specific policies and regulations, information security, subcontracting requirements, equal employment opportunity, affirmative action for veterans and workers with disabilities and accessibility for the disabled; (d) broad audit rights; (e) specialized remedies for breach and default, including setoff rights, retroactive price adjustments and civil or criminal fraud penalties under the False Claims Act (as described below), re-procurement expenses, as well as mandatory administrative dispute resolution procedures instead of state contract law remedies; and (f) requirements to calculate overhead rates in accordance with the accounting procedures and internal controls required under the FAR standards.

• In addition, our subsidiary in India could increase our risk of violations of the aforementioned laws and regulations. Despite our policies, procedures and compliance programs, our internal controls and compliance systems may not be able to protect us from prohibited acts willfully committed by our employees, agents or business partners that would violate such applicable laws and regulations.

Risks relating to our dependence on third parties

We rely on our third-party contractors, vendors and partners, including some outside of the United States, to execute our business strategy. Replacing them could be difficult and disruptive to our business. If we are unsuccessful in forming or maintaining such relationships on terms favorable to us, our business may not succeed.

We have entered into contracts with third-party contractors and vendors to provide critical services relating to our business, including initial software development and cloud hosting. We also rely on third-party providers to enable

automated eligibility and benefits verification through our solutions, and we outsource certain of our software development and design, quality assurance and operations activities to third-party contractors that have employees and consultants in international locations that may be subject to political and economic instability, including India and Ukraine.

Our dependence on third-party contractors to support key functions of our business creates numerous risks, in particular, the risk that we may not maintain service quality, control or effective management with respect to these operations. In the event that these service providers fail to maintain adequate levels of support, do not provide high quality service, increase the fees they charge us, discontinue their lines of business, terminate our contractual arrangements or cease or reduce operations, we may suffer additional costs and be required to pursue new third-party relationships, which could materially disrupt our operations and our ability to provide our solutions and services, and could divert management’s time and resources. Our reputation and our clients’ willingness to purchase our solutions and partners’ willingness to use our products depend, in part, on our third-party contractors’ compliance with ethical employment practices, such as with respect to child labor, wages and benefits, forced labor, discrimination, safe and healthy working conditions, and with all legal and regulatory requirements relating to the conduct of their businesses. If our third-party contractors fail to comply with applicable laws, regulations, safety codes, employment practices, human rights standards, quality standards, environmental standards, production practices, or other obligations, norms, or ethical standards, our reputation and brand image could be harmed and we could be exposed to litigation and additional costs that would harm our business, reputation, and results of operations.

These third-party contractors, some of which handle sensitive data on our behalf, could be non-compliant with regulatory requirements or our contractual provisions regarding the handling of sensitive data, despite our best efforts to monitor their compliance and mitigate risks in our contractual cost-shifting provisions. Even if these third parties are compliant, they still could be the victims of sophisticated cyber-attacks or other unforeseeable events, such as the cyber-attack affecting Change Healthcare in 2024. The ability of our third-party contractors to effectively satisfy our business requirements could be impacted by financial difficulty of our third-party contractors or damage to their operations caused by fire, terrorist attack, natural disaster, or other events. It would be difficult to replace some of our third-party contractors and third-party vendors in a timely manner if they were unwilling or unable to provide us with these services in the future, and our business and operations could be adversely affected. If these services fail or are of poor quality, our business, reputation and operating results could be harmed. For example, the ongoing Russian war against Ukraine has, and may continue to, impact macroeconomic conditions, give rise to regional instability, increase the threat of cyberwarfare and result in heightened economic sanctions from the U.S. and the international community in a manner that adversely affects us and our third-party contractors that have employees and consultants located in Ukraine. Further, although the length and impact of the continuing conflict are highly unpredictable, individuals located in these areas have been and could continue to be forced to evacuate or voluntarily choose to relocate, making them unavailable to provide services, such as software engineering, to support our business. It could also disrupt or delay our communications with such resources or the flow of funds to support their operations, or otherwise render some of our resources unavailable. While we have risk mitigation efforts in place, the realization of any of these risks could adversely affect our product development, operations, business and/or financial results and may require us to shift some of our development activities to other jurisdictions and/or third-party contractors, which may result in significant disruption, including delays in releases of new versions or updates of our software and incurrence of additional costs. We anticipate that we will continue to depend on these and other third-party relationships in order to grow our business for the foreseeable future. If we are unsuccessful in maintaining existing and, if needed, establishing new relationships with third parties, our ability to efficiently operate existing services or develop new services could be impaired, and, as a result, our competitive position or our results of operations could suffer.

We also depend on our third-party processing partners to perform payment processing services, which generate the majority of our payment solutions revenue. Our processing partners may go out of business or otherwise be unable or unwilling to continue providing such services, which could significantly and materially reduce our payments revenue and disrupt our business. A number of our processing contracts require us to assume liability for any losses our processing partners may suffer as a result of losses caused by our healthcare services clients and their patients, including losses caused by chargebacks and fraud. Thus, in the event of a significant loss by our processing partners, we may be required to pay-out a large amount of cash in one or two business days following such event and, if we do not have sufficient cash on hand, may be deemed in breach of such contracts. A contractual dispute with our processing partners could adversely impact our revenue. Certain contracts may expire or be terminated, and we may not be able to enter into a new payment processor relationship that replicates the associated revenue for a considerable period of time. Further, a portion of our payment solutions revenue is generated through finance charges and servicing fees on cardholder receivables. A portion of these cardholder

receivables are sold to an unaffiliated financial institution pursuant to the Securitization Program. If we are unable to maintain the Securitization Program or enter into a new securitization relationship with another third-party financial institution, our financing fees revenue could be adversely affected.

In addition, we have entered into contracts with providers of EHR and PM solutions, and we intend to pursue such agreements in the future. These contracts are typically structured as commercial and technical agreements, pursuant to which we integrate certain of our solutions into the EHR and PM systems that are utilized by many of our clients, for agreed payments or provision of services to such providers of EHR and PM solutions. Our ability to form and maintain these agreements in order to facilitate the integration of our solutions into the EHR and PM systems used by our healthcare services clients and their patients is important to the success of our business. We or the providers of EHR and PM solutions with which we contract may terminate or seek to amend our agreements in response to future laws or regulations, such as those involving the access, exchange, and use of EHI, or for competitive reasons. If providers of EHR or PM solutions amend, terminate or fail to perform their obligations under their agreements with us, we may need to seek other ways of integrating our solutions with the EHR and PM systems of our healthcare services clients, which could be costly and time-consuming, and could adversely affect our business results.

We may also seek to enter into new agreements in the future, and we may not be successful in entering into future agreements on terms favorable to us. Any delay in entering agreements with providers of EHR or PM solutions or other technology providers could either delay the development and adoption of our products and services and reduce their competitiveness. Any such delay could adversely affect our business.

We rely on a limited number of third-party suppliers and contract manufacturers to support our products, and a loss or degradation in performance of these suppliers and contract manufacturers could have a negative effect on our business, financial condition and results of operations.

We rely on third-party suppliers and contract manufacturers for the materials and components used to operate our solutions and product offerings, and to manufacture and assemble our hardware, including the PhreesiaPad and our on-site kiosks, which we refer to as Arrivals Kiosks. We rely on various third-party suppliers and a contract manufacturer, for example, as the manufacturer of our PhreesiaPads and Arrivals Kiosks, which help drive our business and support our subscription, payment solutions and network solutions offerings. In connection with these services, our contract manufacturer builds new hardware for us and refurbishes and maintains existing hardware.

Any of our other suppliers or third-party contract manufacturers may be unwilling or unable to supply the necessary materials and components or manufacture and assemble our products reliably and at the levels we anticipate or that are required by the market. If we are required to change contract manufacturers due to any change in or termination of our relationships with these third parties, or if our manufacturers are unable to obtain the materials they need to produce our products at consistent prices or at all, (including, without limitation, because of the effect of tariffs or other trade restrictions), we may lose sales, incur increased costs or otherwise experience impairment to our client relationships. We cannot guarantee that we will be able to establish alternative relationships on similar terms, without delay or at all.

If our third-party suppliers fail to deliver the required quantities of materials on a timely basis and at commercially reasonable prices, and we are unable to find one or more replacement suppliers capable of production at a substantially equivalent cost in substantially equivalent volumes and quality on a timely basis, the supply of our products to clients and the development of any future products will be delayed, limited or prevented, which could have material adverse effect on our business, financial condition and results of operations.

We rely on Internet infrastructure, bandwidth providers, data center providers, other third parties and our own systems for providing services to our clients, and any failure or interruption in the services provided by these third parties or our own systems could expose us to litigation and negatively impact our relationships with clients, adversely affecting our brand and our business.

Our ability to deliver our products and services, particularly our cloud-based solutions, is dependent on the development and maintenance of the infrastructure of the Internet and other telecommunications services by third parties. This includes maintenance of a reliable network connection with the necessary speed, data capacity and security for providing reliable Internet access and services and reliable telephone and facsimile services. Our services are designed to operate without interruption in accordance with our service level commitments.

However, we have experienced limited interruptions in these systems in the past, including server failures that temporarily slow down the performance of our services, and we may experience more significant interruptions in the future. We rely on internal systems as well as third-party suppliers, including bandwidth and telecommunications equipment providers, to provide our services. We do not maintain redundant systems or facilities for some of these

services. Interruptions in these systems, whether due to system failures, computer viruses, physical or electronic attacks or other catastrophic events, could affect the security or availability of our services, compromise the data we handle on behalf of our partners and prevent or inhibit the ability of our partners to access our services. In the event of a catastrophic event with respect to one or more of these systems or facilities, we may experience an extended period of system unavailability, which could result in substantial costs to remedy those problems or negatively impact our relationship with our clients, our business, results of operations and financial condition.

Any disruption in the network access, telecommunications or co-location services provided by third-party providers or any failure of or by third-party providers’ systems or our own systems to handle current or higher volume of use could significantly harm our business. We exercise limited control over third-parties, which increases our vulnerability to problems with services they provide. We have experienced failures by third-party providers’ systems which resulted in a limited interruption of our system. For example, in February 2024, Change Healthcare, a subsidiary of UnitedHealth Group and the largest clearinghouse for medical claims in the U.S., was the subject of a cyber-attack that required it to take offline its computer systems that handled electronic payments and insurance claims. One of our clearinghouse clients, for whom we act as merchant processor for patient payments, contracted with Change Healthcare to operate their online payment portal and handle print communications. As a result of the outage, the online payment portal was impacted, resulting in a decline in our patient payment volume during the three months ended April 30, 2024. Similar events could occur in the future, and the impact to our business could be material. Any errors, failures, interruptions or delays experienced in connection with these third-party technologies and information services or our own systems could negatively impact our relationships with clients and adversely affect our business and could expose us to third-party liabilities.

The reliability and performance of our Internet connection may be harmed by increased usage or by denial-of-service attacks. The Internet has experienced a variety of outages and other delays as a result of damages to portions of its infrastructure, and it could face outages and delays in the future. These outages and delays could reduce the level of Internet usage as well as the availability of the Internet to us for delivery of our Internet-based services.

Risks relating to taxes and accounting standards

Our financial results are based in part on our estimates or judgments relating to our critical accounting policies. Changes in related judgments or assumptions, or changes in accounting standards and tax regulations could materially impact our financial position and results of operations.

The preparation of financial statements in conformity with U.S. generally accepted accounting principles (“GAAP”) and our key metrics requires management to make estimates and assumptions that affect the amounts reported in the consolidated financial statements and accompanying notes and amounts reported in our key metrics. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as provided in Management’s Discussion and Analysis of Financial Condition and Results of Operations – Critical Accounting Policies and Estimates. The results of these estimates form the basis for making judgments about the carrying values of assets, liabilities, and equity and the amount of revenue and expenses that are not readily apparent from other sources. Significant assumptions and estimates used in preparing our consolidated financial statements include those related to, but not limited to, revenue recognition, business combinations, capitalized internal-use software, transfers and servicing of financial assets, assets and liabilities measured at fair value on a recurring basis using significant unobservable inputs, the grant-date fair value of stock-based compensation awards, and the fair value of identifiable assets acquired and liabilities assumed in business combinations. Changes in accounting rules and interpretations or in our accounting assumptions, estimates and/or judgments could significantly impact our consolidated financial statements. In some cases, we could be required to delay the filing of our consolidated financial statements, or to apply a new or revised standard retroactively, resulting in restating prior period consolidated financial statements. Any of these circumstances could have a material adverse effect on our business, prospects, liquidity, financial condition and results of operations.

Furthermore, we are subject to federal and state income, sales, use, value added and other taxes in the United States and other countries in which we conduct business, and such laws and rates vary by jurisdiction. We are registered in all states that assess sales and use taxes on our services. Although we believe our tax practices and provisions are reasonable, the final determination of tax audits and any related litigation, changes in the taxation of our operations and proposed changes in tax laws could cause the ultimate settlement of our tax liabilities to be materially different from our historical tax practices, provisions and accruals. If we receive an adverse ruling as a result of an audit, or we unilaterally determine that we have misinterpreted provisions of the tax regulations to which we are subject, there could be a material effect on our tax provision, net income or cash flows in the period or periods for which that determination is made, which could materially impact our financial results. Further, any changes in the taxation of our operations, including certain proposed changes in U.S. tax laws, may increase our

effective tax rate and adversely affect our financial position and results of operations. In addition, liabilities associated with taxes are often subject to an extended or indefinite statute of limitations period. Therefore, we may be subject to additional tax liability (including penalties and interest) for a particular year for extended periods of time.

Our ability to use our net operating losses to offset future taxable income may be subject to certain limitations.

As of January 31, 2026, we had U.S. federal and state net operating loss carryforwards ("NOLs") of $587.2 million due to prior period losses, which, subject to the following discussion, are generally available to be carried forward to offset a portion of our future taxable income, if any, until such NOLs are used or expire. In general, under Section 382 ("Section 382") of the Internal Revenue Code of 1986, as amended (the "Code"), a corporation that undergoes an “ownership change” is subject to limitations on its ability to utilize its pre-ownership change NOLs to offset future taxable income. Similar rules may apply under state tax laws. The Company has completed a Section 382 study through January 31, 2026 and as a result the analysis identified ownership changes on November 30, 2006, February 2, 2009 and April 30, 2020. The ownership change in 2006 resulted in approximately $316 of NOLs that were generated in 2005 and 2006 that have or will expire unutilized due to Section 382 annual limitations. The ownership changes in 2009 and 2020 resulted in limitation of approximately $12,388 and $136,020 NOLs, respectively, but those NOLs are now available to use. Future changes in our stock ownership, some of which are outside of our control, could result in an ownership change under Section 382 of the Code. In addition, under the Tax Cuts and Jobs Act of 2017, as amended by The Coronavirus Aid, Relief, and Economic Security Act of 2020, the amount of post-2017 NOLs that we are permitted to utilize in any taxable year is limited to 80% of our taxable income in such year, where taxable income is determined without regard to the NOL deduction itself. For these reasons, we may not be able to realize a tax benefit from the use of our NOLs. We have a valuation allowance related to our NOLs to recognize only the portion of the deferred tax asset that is more likely than not to be realized.

Risks relating to our financing needs

Our cash and cash equivalents could be adversely affected if the financial institutions in which we hold our cash and cash equivalents fail.

We regularly maintain cash balances at third-party financial institutions in excess of the Federal Deposit Insurance Corporation ("FDIC") insurance limit, and there can be no assurance that we will be able to access uninsured funds in a timely manner or at all in the event of a failure of these financial institutions. If any such depositary institution fails to return our deposits, or if a depository institution is subject to other adverse conditions in the financial or credit markets, this could further impact access to our invested cash or cash equivalents and could adversely impact our operating liquidity and financial performance.

In order to support the growth of our business, we may need to incur additional indebtedness under our current credit facility or seek capital through new equity or debt financings, which sources of additional capital may not be available to us on acceptable terms or at all.

Our operations have consumed substantial amounts of cash since inception and we intend to continue to make significant investments to support our business growth, respond to business challenges or opportunities, develop new applications and services, enhance our existing solutions and services, enhance our operating infrastructure and potentially acquire complementary businesses and technologies. For the year ended January 31, 2026, our net cash provided by operating activities was $78.8 million. As of January 31, 2026, we had $73.8 million of cash and cash equivalents, which are held for working capital purposes.

In connection with the closing of the AccessOne Acquisition, we entered into the Bridge Loan and used the net proceeds thereof to fund a portion of the consideration for the AccessOne Acquisition. As of January 31, 2026, we had $90 million outstanding principal balance under the Bridge Loan, and no outstanding borrowings under the Existing Capital One Credit Facility, with available borrowing capacity of $50.0 million. On March 13, 2026, subsequent to the end of the fiscal year, we completed the Refinancing, pursuant to which we entered into the New Capital One Credit Facility and repaid all outstanding indebtedness and obligations under the Bridge Loan, and terminated the Bridge Loan and the Existing Capital One Credit Facility without penalty. The unused borrowing capacity of the New Capital One Credit Facility is available to the Company for working capital, capital expenditures, permitted acquisitions and other general corporate purposes.

Our future capital requirements may be significantly different from our current estimates and will depend on many factors, including the need to:

• finance unanticipated working capital requirements;

• develop or enhance our technological infrastructure and our existing products and services;

• fund strategic relationships, including joint ventures and co-investments;

• fund additional implementation engagements;

• respond to competitive pressures; and

• acquire complementary businesses, technologies, products or services.

Accordingly, we may need to engage in equity or debt financings or collaborative arrangements to secure additional funds. Additional financing may not be available on terms favorable to us, or at all. If we raise additional funds through further issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock. Any debt financing secured by us in the future could involve additional restrictive covenants relating to our capital-raising activities and other financial and operational matters, which may make it more difficult for us to obtain additional capital and to pursue business opportunities, including potential acquisitions. In addition, during times of economic instability, it has been difficult for many companies to obtain financing in the public markets or to obtain debt financing, and we may not be able to obtain additional financing on commercially reasonable terms, if at all. If we are unable to obtain adequate financing or financing on terms satisfactory to us, it could have a material adverse effect on our business, financial condition and results of operations.

Restrictive covenants in the agreements governing our New Capital One Credit Facility may restrict our ability to pursue our business strategies.

The New Capital One Credit Agreement contains various restrictive covenants that limit our ability to take certain actions, including, but not limited to, our ability to grant or incur liens, dispose of assets, incur additional indebtedness, make certain investments, restricted payments (including dividends) and restricted debt payments, enter into certain mergers and acquisitions, subject in each case to certain customary exclusions, exceptions and baskets. In addition, the New Capital One Credit Facility contains financial covenants applicable from time to time, which include Total Net Leverage Ratio and Fixed Charge Coverage Ratio, as such terms are defined in the New Capital One Credit Agreement.

Our ability to comply with these covenants and meet these financial ratios and tests may be affected by events beyond our control, and we may not be able to meet those covenants. A breach of any such covenants could result in a default under the applicable loan agreement, which could cause all of the outstanding indebtedness under such credit facility to become immediately due and payable and terminate all commitments to extend further credit. These covenants could also limit our ability to seek capital through the incurrence of new indebtedness or, if we are unable to meet our obligations, require us to repay any outstanding amounts with sources of capital we may otherwise use to fund our business, operations and strategy.

Adverse developments affecting the financial services industry, such as actual events or concerns involving liquidity, defaults or non-performance by financial institutions or transactional counterparties, could adversely affect our current and projected business operations and our financial condition and results of operations.

Adverse developments that affect financial institutions, transactional counterparties or other third parties, or concerns or rumors about any events of these kinds or other similar risks, have in the past and may in the future lead to market-wide liquidity problems. For example, in early 2023, several financial institutions closed and were taken into receivership by the FDIC. There is no guarantee that the U.S. Department of Treasury, FDIC and Federal Reserve Board will provide access to uninsured funds in the future in the event of the closure of other banks or financial institutions, stabilize financial institutions through access to loans or other liquidity or support programs, or that they would do so in a timely fashion.

Although we assess our banking relationships as we believe necessary or appropriate, our access to cash in amounts adequate to finance or capitalize our current and projected future business operations could be significantly impaired by factors that affect us, the financial institutions with which we have banking relationships, or the financial services industry or economy in general. Further, investor concerns regarding domestic or international financial systems could result in less favorable commercial financing terms, including higher interest rates or costs and tighter financial and operating covenants, or systemic limitations on access to credit and liquidity sources, thereby making it more difficult for us to acquire financing on acceptable terms or at all. Any decline in available funding or access to cash and liquidity resources could, among other risks, adversely impact our ability to meet our financial obligations, which could have material adverse impacts on our liquidity and our business, financial condition, or results of operations.

In addition, a partner or supplier could be adversely affected by any of the liquidity or other risks that are described above as factors that could result in material adverse impacts on us, including but not limited to delayed access or loss of access to uninsured deposits or loss of the ability to draw on existing credit facilities involving a troubled or failed financial institution. Any partner or supplier bankruptcy or insolvency, or the failure of any partner to make

payments when due, or any breach or default by a partner or supplier, or the loss of any significant supplier relationships, may have a material adverse impact on our business.

Risks relating to ownership of our common stock

Our share price has been and may in the future be volatile, and you could lose all or part of your investment.

The trading price of our common stock has been and may be volatile and subject to wide price fluctuations in response to various factors, including, but not limited to:

• market conditions in the broader stock market in general, or in our industry in particular, which create highly variable and unpredictable pricing of equity securities;

• actual or anticipated fluctuations in our quarterly financial reports and results of operations;

• changes in the financial projections we provide to the public or our failure to meet these projections;

• our ability to satisfy our ongoing capital needs and unanticipated cash requirements;

• indebtedness incurred in the future;

• actual or anticipated developments in our business, our competitors' businesses, or the competitive landscape generally, including developments in AI technologies and the introduction of new products and services by us or our competitors;

• the timing, size and integration success of recent and potential future acquisitions, including the AccessOne Acquisition;

• issuance of new or changed securities analysts’ reports or recommendations;

• additions or departures of key personnel;

• new laws or regulations or new interpretations of existing laws or regulations applicable to our business or the healthcare industry generally;

• regulatory developments;

• litigation and governmental investigations;

• the impact of public health concerns, on the economy, our company, our clients, suppliers or employees;

• macroeconomic conditions, such as international tariffs and other trade restrictions, changes in interest rates and economic slowdowns and recessions, and political conditions or events including from the U.S. federal government and those resulting from geopolitical uncertainty and instability or war, such as the ongoing military conflict between Russia and Ukraine and the conflict in the Middle East;

• trading activity by stockholders who together beneficially own a significant portion of our outstanding common stock, as well as other institutional or activist investors; and

• our sale of common stock or other securities in the future.

These and other factors may cause the market price and demand for our common stock to fluctuate substantially, which may limit or prevent investors from readily selling their shares of common stock and may otherwise negatively affect the liquidity of our common stock. In addition, in the past, when the market price of a stock has been volatile, holders of that stock have instituted securities class action litigation against the company that issued the stock. If any of our stockholders brought a lawsuit against us, we could incur substantial costs defending the lawsuit. Such a lawsuit could also divert the time and attention of our management from our business.

The trading market for our common stock is also influenced by the research and reports that industry or securities analysts publish about us or our business. If one or more securities or industry analysts cease coverage of our company or fail to publish reports on us regularly, we could lose visibility in the financial markets, which in turn could cause our stock price or trading volume to decline. If one or more of the analysts who cover us downgrades our common stock or provides more favorable recommendations about our competitors, or if our results of operations do not meet their expectations, our stock price could decline.

We do not currently intend to pay dividends on our common stock and, consequently, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock.

We have never declared or paid any cash dividends on our common stock and do not currently intend to do so for the foreseeable future. We currently intend to invest our future earnings, if any, to fund our growth. Therefore, you are not likely to receive any dividends on your common stock for the foreseeable future and the success of an investment in shares of our common stock will depend upon any future appreciation in its value. There is no guarantee that shares of our common stock will appreciate in value or even maintain the price at which you have purchased your shares.

We cannot guarantee that our stock repurchase program will enhance long-term stockholder value. Share repurchases could also increase the volatility of our stock price and diminish our cash reserves.

On March 12, 2025, our Board of Directors authorized a stock repurchase program. Under the program, we may repurchase up to 2.5 million shares of our common stock from time to time. The stock repurchase program does not obligate us to repurchase a specified number or dollar value of shares, and the program may be modified, suspended or discontinued at any time without prior notice. Our ability to return capital to stockholders through stock repurchases principally depends upon the amount of cash we generate from our operations, which will fluctuate from quarter to quarter based on, among other things, cash received from clients and cash paid to employees and suppliers, and other factors impacting our financial condition, some of which are beyond our control. The existence of the stock repurchase program could cause our common stock to trade at a higher price than it otherwise would. Although the program is intended to enhance long-term stockholder value, there is no assurance it will do so because the market price of our common stock may decline below the levels at which we repurchased shares and short-term stock price fluctuations could reduce the effectiveness of the program. Any failure to repurchase our common stock after we have announced our intention to do so may negatively impact our reputation and investor confidence in us and may negatively impact our stock price. Repurchasing our common stock will reduce the amount of cash we have available to fund working capital, capital expenditures, strategic acquisitions, or business opportunities and other general corporate purposes, and we may fail to realize the anticipated long-term stockholder value of the stock repurchase program. Further, the timing and amount of any repurchases, if any, will be subject to liquidity, market and economic conditions, compliance with applicable legal requirements such as Delaware surplus and solvency tests and other relevant factors. In addition, our stock repurchase program may be suspended or discontinued at any time and may not enhance long-term stockholder value. Additionally, the Inflation Reduction Act of 2022 added Section 4501 of the Code, which generally imposes a 1% non-deductible U.S. federal excise tax (the “Stock Buyback Tax”) on certain repurchases of stock by publicly traded U.S. corporations.

Risks relating to our bylaws and certificate of incorporation

Anti-takeover provisions under our incorporation documents and Delaware law could delay or prevent a change of control, which could limit the market price of our common stock and may prevent or frustrate attempts by our stockholders to replace or remove our current management.

Our seventh amended and restated certificate of incorporation (as amended, our "certificate of incorporation") and our fourth amended and restated by-laws ("bylaws") contain provisions that could delay or prevent a change of control of our company or changes in our board of directors that our stockholders might consider favorable. Some of these provisions include:

• a board of directors divided into three classes serving staggered three-year terms, such that not all members of the board will be elected at one time;

• a prohibition on stockholder action through written consent, which requires that all stockholder actions be taken at a meeting of our stockholders;

• a requirement that special meetings of stockholders be called only by the board of directors acting pursuant to a resolution approved by the affirmative vote of a majority of the directors then in office;

• advance notice requirements for stockholder proposals and nominations for election to our board of directors;

• a requirement that no member of our board of directors may be removed from office by our stockholders except for cause and, in addition to any other vote required by law, upon the approval of not less than 75% of all outstanding shares of our voting stock then entitled to vote in the election of directors;

• a requirement of approval of not less than 75% of all outstanding shares of our voting stock to amend any bylaws by stockholder action or to amend specific provisions of our certificate of incorporation; and

• the authority of the board of directors to issue preferred stock on terms determined by the board of directors without stockholder approval and which preferred stock may include rights superior to the rights of the holders of common stock.

In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporate Law ("DGCL"), which may prohibit certain business combinations with stockholders owning 15% or more of our outstanding voting stock. These anti-takeover provisions and other provisions in our certificate of incorporation and our bylaws could make it more difficult for stockholders or potential acquirers to obtain control of our board of directors or initiate actions that are opposed by the then-current board of directors and could also delay or impede a merger, tender offer or proxy contest involving our company. These provisions could also discourage proxy contests and make it more difficult for stockholders to elect directors or cause us to take other corporate actions. Any delay or prevention of a change of control transaction or changes in our board of directors could cause the market price of our common stock to decline.

Our bylaws designate certain specified courts as the sole and exclusive forums for certain disputes between us and our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers or employees.

Our bylaws provide that, unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware (the "Chancery Court") will be the sole and exclusive forum for state law claims for (i) any derivative action or proceeding brought on our behalf, (ii) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers or other employees to us or our stockholders, (iii) any action asserting a claim pursuant to any provision of the DGCL, our certificate of incorporation or our bylaws, (iv) any action to interpret, apply, enforce or determine the validity of our certificate of incorporation or bylaws, or (v) any action asserting a claim governed by the internal affairs doctrine (the "Delaware Forum Provision"). The Delaware Forum Provision will not apply to any causes of action arising under the Securities Act or the Exchange Act. Our bylaws further provide that, unless we consent in writing to the selection of an alternative forum, the federal district courts of the United States will be the sole and exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act (the "Federal Forum Provision"). Our bylaws provide that any person or entity purchasing or otherwise acquiring any interest in shares of our capital stock is deemed to have notice of and consented to the foregoing Delaware Forum Provision and the Federal Forum Provision; provided, however, that stockholders cannot and will not be deemed to have waived our compliance with the federal securities laws and the rules and regulations thereunder.

The Delaware Forum Provision and the Federal Forum Provision in our bylaws may impose additional litigation costs on stockholders in pursuing any such claims. Additionally, these forum selection clauses may limit our stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or our directors, officers or other employees, which may discourage the filing of lawsuits against us and our directors, officers and employees, even though an action, if successful, might benefit our stockholders. In addition, while the Delaware Supreme Court and other states courts have upheld the validity of federal forum selection provisions purporting to require claims under the Securities Act be brought in federal court, there is uncertainty as to whether other courts will enforce our Federal Forum Provision. If the Federal Forum Provision is found to be unenforceable in an action, we may incur additional costs associated with resolving such an action. The Federal Forum Provision may also impose additional litigation costs on stockholders who assert that the provision is not enforceable or invalid. The Chancery Court or the federal district courts of the United States may also reach different judgments or results than would other courts, including courts where a stockholder considering an action may be located or would otherwise choose to bring the action, and such judgments may be more or less favorable to us than our stockholders.

Item 7. Management’s discussion and analysis of financial condition and results of operations

You should read the following discussion and analysis of our financial condition and results of operations together with our consolidated financial statements and related notes and other financial information appearing elsewhere in this Annual Report on Form 10-K. Some of the information contained in this discussion and analysis or set forth elsewhere in this Annual Report on Form 10-K, including information with respect to our plans and strategy for our business, includes forward-looking statements based upon current plans, expectations and beliefs that involve risks and uncertainties. As a result of many factors, including those factors set forth in the “Risk Factors” and “Special Note Regarding Forward-Looking Statements” section of this Annual Report on Form 10-K, our actual results could differ materially from the results described in or implied by the forward-looking statements contained in the following discussion and analysis. Our fiscal year ends January 31. References to fiscal 2026 and 2025 refer to the fiscal years ended January 31, 2026 and 2025, respectively. When we use the terms “we,” “us,” “our,” “Phreesia,” the “Company” or similar words in this report, we are referring to, as the context may require, (i) for periods prior to November 12, 2025, Phreesia, Inc., a Delaware corporation, together with its subsidiaries Access eForms, LLC, a Texas limited liability company; ConnectOnCall.com, LLC, a New York limited liability company; Insignia Health, LLC, an Oregon limited liability company; MediFind, Inc., a Delaware corporation; Phreesia International LLC , a Delaware limited liability company; and Phreesia India Private Limited, an India private limited company and (ii) for periods on or after November 12, 2025, this also includes AccessOne Parent Holdings, Inc., a Delaware corporation, and its subsidiaries (“AccessOne”).

Basis of Presentation

This management's discussion and analysis discusses our financial condition and results of operations for the years ended January 31, 2026 and 2025. Please refer to Part II - Item 7, "Management's Discussion and Analysis of Financial Condition and Results of Operations" in our Annual Report on Form 10-K for the year ended January 31, 2025 for a comparison of the year ended January 31, 2025 to the year ended January 31, 2024.

Financial Highlights

Fiscal 2026

• Total revenue increased 14% to $480.6 million in fiscal 2026, as compared to $419.8 million in fiscal 2025.

• Net income was $2.3 million in fiscal 2026, as compared to net loss of $58.5 million in fiscal 2025.

• Adjusted EBITDA was $101.5 million in fiscal 2026, as compared to $36.8 million in fiscal 2025.

• Cash provided by operating activities was $78.8 million in fiscal 2026, as compared to $32.4 million in fiscal 2025.

• Free cash flow was $54.4 million in fiscal 2026, as compared to $8.3 million in fiscal 2025.

• Cash, cash equivalents and restricted cash was $73.8 million as of January 31, 2026, as compared to $84.2 million as of January 31, 2025.

Adjusted EBITDA and Free cash flow are Non-GAAP measures. For a reconciliation of Adjusted EBITDA to net loss and a reconciliation of free cash flow to net cash provided by operating activities, and for more information as to how we define and calculate such measures, see the section below titled “Non-GAAP financial measures.”

Overview

We provide an integrated software, payments, and engagement platform designed to address three foundational challenges in healthcare delivery: access to care, affordability of care, and health patient outcomes. Our platform is embedded directly into provider workflows and patient interactions, enabling healthcare organizations to activate patients, streamline administrative processes, and improve financial performance across the care continuum. Our integrated platform is designed to address challenges patients and healthcare providers face in three core areas: Access, Affordability, and Outcomes.

Access: Our solutions facilitate access to care by reducing friction in how patients find, schedule, and register for care, while enabling providers to improve capacity utilization and reduce administrative burden. Key capabilities include care discovery and scheduling through MediFind, our online provider directory, and self-scheduling tools; appointment optimization and referral management using AI-enabled workflows; and our AI-based smart answering solution patient communications supported by voice and messaging solutions.

Affordability: Our solutions directly address affordability challenges and improve the patient experience while helping providers improve collections, accelerate cash flow, and reduce revenue cycle friction. Capabilities include eligibility and cost transparency tools, integrated payment solutions embedded in intake and post-visit workflows, and financing solutions that enable healthcare organizations to accelerate cash collections while offering flexible payment options to patients.

Outcomes: Our solutions are designed to improve patient outcomes by promoting patient engagement, treatment adherence and satisfaction, while enabling healthcare stakeholders, including providers and life sciences organizations, to measure and influence patient behavior in a compliant and scalable manner. Capabilities include digital intake and clinical data capture, patient engagement and activation tools, and measurement and analytics solutions.

We serve a diverse group of healthcare organizations including ambulatory practices, health systems, and hospitals, as well as life sciences companies, government entities, patient advocacy, public interest and not-for-profit and other organizations. Our solutions support the patient journey from care discovery and scheduling through intake, payment, and post-visit follow-up. In fiscal year 2026, our platform facilitated approximately 180 million patient visits, representing approximately one in six ambulatory patient visits in the United States.

We generate revenue through a diversified model that includes three revenue streams: subscription and related services; payment solutions, which include payment processing fees and financing fees; and Network Solutions, which provides a channel for life sciences companies and other organizations to deliver compliant, personalized engagement to patients and providers who use our solutions.

Subscription and related services revenue is relatively consistent throughout the fiscal year due to the recurring nature of our contracts. Payment solutions revenue is typically higher during the first two to three months of the calendar year, driven in part by the resetting of patient deductibles. Network Solutions revenue is primarily generated through annual contracts priced on a per-engagement basis, supported by closed-loop reporting and third-party measurement, and is typically higher in the second half of our fiscal year, reflecting life sciences marketing budget cycles. Phreesia creates high-intent engagement opportunities delivered at critical moments in the care journey.

Since our inception, we have focused substantially all of our sales efforts within the United States. Accordingly, substantially all of our revenue from historical periods has come from the United States, and our current strategy is to continue to focus substantially all of our sales efforts within the United States.

Our revenue growth has been primarily organic and reflects our significant addition of new healthcare services clients. New healthcare services clients are defined as clients that go live in the applicable period and existing healthcare services clients are defined as clients that go live in any period before the applicable period.

Recent developments and current economic conditions

AccessOne Acquisition

On August 29, 2025, the Company entered into a definitive agreement (the “Merger Agreement”) to acquire AccessOne for the base purchase price of approximately $160.0 million, subject to customary closing and post-closing adjustments (such transactions contemplated by the agreement, the “AccessOne Acquisition”). On November 12, 2025 (the "Closing Date"), we completed the transactions contemplated by the Merger Agreement, pursuant to which, upon the terms and subject to the conditions set forth therein, Ace Merger Sub, Inc. merged with and into AccessOne, with AccessOne continuing as the surviving corporation and becoming a wholly owned subsidiary of the Company. The purchase price was funded with a combination of cash and the net proceeds from a new, 364-day $110.0 million secured term loan (the “Bridge Loan”) entered into on the Closing Date.

The AccessOne Acquisition expands our addressable market for healthcare payments. Our payment solutions now offer healthcare providers a trusted, scalable, compliant and operationally efficient healthcare payment card that accelerates cash flow.

Bridge Loan

On the Closing Date, in connection with the closing of the AccessOne Acquisition, the Company entered into a bridge loan credit agreement (the “Bridge Credit Agreement”) by and among the Company, the lenders from time to time party thereto, and Goldman Sachs Bank USA, as administrative agent, collateral agent, sole lead arranger and bookrunner, with respect to the Bridge Loan. The Bridge Loan had an outstanding principal amount of $110.0 million and bore interest at a fluctuating rate per annum equal to, at the Company’s option, the forward-looking Secured Overnight Financing Rate (such borrowings, “SOFR Loans”) plus an applicable margin. The Bridge Loan had a

maturity date of November 11, 2026. The interest rate applicable to the Bridge Loan would have increased by 0.5% every three months following the closing date of November 12, 2025.

During the three months ended January 31, 2026, the Company repaid $20.0 million of the outstanding principal balance of the Bridge Loan. As of January 31, 2026, the Company had $90.0 million outstanding under the Bridge Loan.

Subsequent to the end of the fiscal year, in connection with the Refinancing (as defined below), the Company terminated without penalty, and repaid all outstanding indebtedness and obligations under, the Bridge Credit Agreement. See “--New Capital One Credit Facility and Refinancing.”

First Amendment to the Existing Capital One Credit Facility

On the Closing Date, in connection with the closing of the AccessOne Acquisition and entry into the Bridge Credit Agreement, the Company entered into an amendment (the “First Amendment”) to its 5-year, $50.0 million senior secured asset-based revolving credit facility (as amended, the “Existing Capital One Credit Facility”). The First Amendment amended the covenant limiting acquisitions to permit the acquisition of AccessOne, amended the covenant limiting additional indebtedness to accommodate the Bridge Loan, and amended the security interest supporting the Existing Capital One Credit Facility to permit the security interests granted in connection with the Bridge Loan. The amendment included further changes to sections governing mandatory and voluntary prepayments, negative covenants and events of default to accommodate the existence of the Bridge Loan.

Subsequent to the end of the fiscal year, the Existing Capital One Credit Facility was terminated without penalty in connection with the Refinancing. See “--New Capital One Credit Facility and Refinancing.”

New Capital One Credit Facility and Refinancing

Subsequent to the end of the fiscal year, on March 13, 2026 (the “Refinancing Date”), the Company and certain of its subsidiaries (collectively, the “Credit Parties”) entered into a Credit Agreement (the “New Capital One Credit Agreement”) by and among the Company, as the borrower, the other Credit Parties, as guarantors, the financial institutions from time to time party thereto as lenders, and Capital One as agent for the lenders and for itself as lender, providing for a senior secured revolving credit facility (the “New Capital One Credit Facility”) up to an aggregate principal amount of $275.0 million, of which $92.0 million was borrowed on the Refinancing Date, and which includes a swingline sublimit of $20.0 million and a letter of credit sublimit of $10.0 million. The unused borrowing capacity on the facility is available to the Company for working capital, capital expenditures, permitted acquisitions and general corporate purposes.

The New Capital One Credit Agreement bears interest at a rate per annum based on SOFR or a Base Rate as specified in the New Capital One Credit Agreement. Swingline loans must be Base Rate loans. The Company is permitted to repay the Credit Facility, in whole or in part, without penalty or premium, subject to certain notice periods.

The Company will pay an unused line fee equal to the product of (i) a commitment fee percentage ranging from 0.25% to 0.40% per annum based on the applicable total net leverage ratio and (ii) the unused portion of the revolving commitments under the Credit Facility.

On the Refinancing Date, in connection with the entry into the New Capital One Credit Facility, the Company terminated without penalty, and repaid all outstanding indebtedness and obligations under, the Bridge Loan and the Existing Capital One Credit Facility. All security agreements and related financing arrangements entered into with the Company’s former lenders under the Bridge Loan and the Existing Capital One Credit Facility were terminated substantially concurrently with the effectiveness of the New Capital One Credit Agreement. The transactions that occurred on the Refinancing Date are referred to collectively as the “Refinancing.”

Macroeconomic environment and geopolitical conditions

Our business is directly and indirectly affected by macroeconomic conditions, geopolitical conditions and the state of global financial markets. Geopolitical uncertainty resulting, in part, from the military conflict between Russia and Ukraine and the conflict in the Middle East, as well as other macro-economic conditions, such as the impact of pandemics, changes in interest rates, inflation in the cost of goods, services and labor, tariff and trade issues, or a recession or an economic slowdown in the U.S. or internationally, have contributed to significant volatility and declines in global financial markets. The uncertainty over the extent and duration of the ongoing conflicts and these macroeconomic conditions continues to cause disruptions to businesses and markets worldwide. Additionally, the U.S. federal government has caused, and may continue to cause, additional geopolitical and macroeconomic uncertainty. For example, certain of our network solutions clients are committing fewer dollars due to brand-specific dynamics and the impact of regulatory policies, though we do not believe these developments are signaling a

structural shift in demand for our solutions. While none of these factors individually has had a material impact on our business to date, it is difficult to predict the potential impact these factors may have on our future business results or in the financial condition or purchasing patterns of our customers, partners and suppliers, and each could adversely impact our business operations, financial performance and results of operations. We continue to closely monitor these macroeconomic and geopolitical developments and their potential impact on our business and financial condition.

Key Metrics

We regularly review the following key metrics to measure our performance, identify trends affecting our business, formulate financial projections, make strategic business decisions and assess working capital needs.

For the fiscal years ended January 31,

Change

Amount

Average number of healthcare services clients ("AHSCs")

Total revenue per AHSC

• AHSCs . We define AHSCs as the average number of clients that generate subscription and related services or payment solutions revenue each month during the applicable period. In cases where we act as a subcontractor providing white-label services to our partner's clients, we treat the contractual relationship as a single healthcare services client. We believe growth in AHSCs is a key indicator of the performance of our business and depends, in part, on our ability to successfully develop and market our solutions to healthcare services organizations that are not yet clients. We believe growth in AHSCs provides useful information to investors as an important indicator of expected revenue growth. In addition, growth in AHSCs informs our management of the areas of our business that will require further investment to support expected future AHSC growth. For example, as AHSCs increase, we may need to add to our customer support team and invest to maintain effectiveness and performance of our solutions for our healthcare services clients and their patients.

• Total revenue per AHSC. We define total revenue per AHSC as total revenue in a given period divided by the number of AHSCs during that same period. Our healthcare services clients directly generate subscription and related services and payment solutions revenue. Additionally, our relationships with healthcare services clients who subscribe to our solutions give us the opportunity to engage with life sciences companies, government entities, patient advocacy, public interest and not-for-profit and other organizations who deliver direct communication to patients through our solutions. As a result, we believe that our ability to increase total revenue per AHSC provides useful information to investors as an indicator of the long-term value of our solutions. Total revenue per AHSC was $106,467 for the year ended January 31, 2026 compared to $99,884 for the year ended January 31, 2025, an increase of 7%. The increase was primarily driven by network solutions revenue growth that outpaced AHSC growth.

Additional Information

For the fiscal years ended January 31,

Change

Amount

Patient payment volume (in millions)

Payment facilitator volume percentage

The information above reflects our payment processing operations and does not reflect the operations acquired in the AccessOne Acquisition. As of January 31, 2026, AccessOne had a managed portfolio of cardholder receivables of approximately $419 million. For the fourth quarter of fiscal 2026, AccessOne’s business generated revenues equal to approximately 2.3% of the portfolio.

• Patient payment volume . We believe that patient payment volume is an indicator of both the underlying health of our healthcare services clients’ businesses and the continuing shift of healthcare costs to patients. We measure patient payment volume as the total dollar volume of transactions between our healthcare services clients and their patients utilizing our payment platform, including via credit and debit cards that we process as a payment facilitator as well as cash and check payments and credit and debit transactions for which we act as a gateway to other payment processors.

• Payment facilitator volume percentage . We define payment facilitator volume percentage as the volume of credit and debit card patient payments that we process as a payment facilitator as a percentage of total patient payment volume. Payment facilitator volume is a major driver of our payment solutions revenue.

Results of operations

The following tables set forth our results of operations for the periods presented and as a percentage of revenue for those periods:

For the fiscal years ended January 31,

(in thousands)

Revenue

Subscription and related services

Payment solutions (1)

Network solutions

Total revenues

Expenses

Cost of revenue (excluding depreciation and amortization)

Payment solutions expense (1)

Sales and marketing

Research and development

General and administrative

Depreciation

Amortization

Total expenses

Operating loss

Other income, net

Loss on extinguishment of debt

Interest expense

Interest income

Total other (expense) income, net

Loss before income tax expense

Income tax benefit (expense)

Net income (loss)

(1) The revenue line previously labeled “Payment processing fees” has been relabeled “Payment solutions” to reflect the expanded scope of our payments offerings following the AccessOne Acquisition, which closed on November 12, 2025. Additionally, “Payment processing expense” has been relabeled “Payment solutions expense.” Prior period amounts have not been reclassified, as the Company did not own the acquired operations in prior periods and the change in presentation did not affect any previously reported amounts. See Note 2 - Basis of presentation.

Components of consolidated statements of operations

Revenue

We generate revenue primarily from providing an integrated SaaS-based software and payment platform for the healthcare industry. We derive revenue from subscription fees and related services generated from our healthcare services clients for access to our solutions, payment solutions fees based on patient payment processing volume and financing fees based on a portfolio of cardholder receivables; and from fees from life sciences companies and other organizations for delivering direct communications to help activate, engage and educate patients about topics critical to their health.

Our total revenue consists of the following:

• Subscription and related services. We primarily generate subscription fees from our healthcare services clients based on the number of healthcare services clients that subscribe to and utilize our solutions. Our healthcare services clients are typically billed monthly in arrears, though in some instances, healthcare services clients may opt to be billed quarterly or annually in advance. Subscription fees are typically auto-debited from

healthcare services clients’ accounts every month. As we target and add larger enterprise healthcare services clients, these clients may choose to contract differently than our typical per healthcare services client subscription model. To the extent we charge in an alternative manner with larger enterprise healthcare services clients, we expect that such a pricing model will recur and, combined with our per healthcare services client subscription fees, will increase as a percentage of our total revenue. In addition, we receive certain fees from healthcare services clients for professional services associated with our implementation services as well as travel and expense reimbursements, shipping and handling fees, leasing and sales of hardware (PhreesiaPads and Arrivals Kiosks), on-site support and training.

• Payment solutions. We generate revenue from patient payment processing fees and financing fees.

◦ We generate revenue from payment processing fees based on the number of transactions and the levels of patient payment volume processed through our solutions. Payment processing fees are generally calculated as a percentage of the total transaction dollar value processed and/or a fee per transaction. The remainder of our patient payment volume is composed of credit and debit transactions for which Phreesia acts as a gateway to another payment processor, and cash and check transactions. Patient payment responsibility typically declines as a share of total spending as the calendar year progresses due to benefit design. Consistent with that trend, payment volume on a per client basis has historically been lower in the second half of our fiscal year as compared to the first half of our fiscal year.

◦ Financing fees primarily consist of finance charges earned on cardholder receivables and fees for servicing cardholder receivables. Finance charges include interest, late fees and other service charges assessed on patient accounts. Servicing fees are assessed based on payment balances collected

• Network solutions. We generate revenue from life sciences companies and other organizations for delivering direct communications to patients. As we expand our healthcare services client base, we increase the number of new patients we can reach to deliver our direct communications to help activate, engage and educate patients about topics critical to their health on behalf of life sciences companies and other organizations.

Cost of revenue (excluding depreciation and amortization)

Our cost of revenue (excluding depreciation and amortization) primarily consists of labor costs, including salaries, stock-based compensation, benefits and bonuses for implementation and technical support, as well as outside services costs. Cost of revenue (excluding depreciation and amortization) also includes infrastructure costs to operate our solutions such as hosting fees and fees paid to various third-party providers for access to their technology, as well as costs to verify insurance eligibility and benefits.

Payment solutions expense

Payment solutions expense consists primarily of interchange fees set by payment card networks that are ultimately paid to the card-issuing financial institution, assessment fees paid to payment card networks, and fees paid to third-party payment processors and gateways. Payment solutions expense may increase as a percentage of payment solutions revenue if card networks raise pricing for interchange and assessment fees or if we reduce pricing to our clients. Payment solutions expense also includes fees payable in connection with the securitization, as well as direct costs of servicing cardholder receivables.

Sales and marketing

Sales and marketing expense consists primarily of labor costs, including salaries, stock-based compensation, benefits, bonuses and commission costs for our sales and marketing personnel, as well as outside services costs. Sales and marketing expense also includes costs for advertising, promotional and other marketing activities, as well as certain fees paid to various third-party partners for sales and lead generation. Advertising is expensed as incurred.

Research and development

Research and development expense consists of costs to develop our products and services that do not meet the criteria for capitalization as internal-use software. These costs consist primarily of labor costs, including salaries, stock-based compensation and benefits for our development personnel, as well as outside services costs. Research and development expense also includes third-party partner fees and third-party consulting fees.

General and administrative

General and administrative expense consists primarily of labor costs, including salaries, stock-based compensation and benefits for our executive, finance, legal, security, human resources, information technology and other

administrative personnel, as well as outside services costs. General and administrative expense also includes software costs to support our finance, legal and human resources operations, insurance costs as well as fees to third-party providers for accounting, legal and consulting services, costs for various non income-based taxes and software costs.

Depreciation

Depreciation represents depreciation expense for PhreesiaPads and Arrivals Kiosks, data center and other computer hardware, purchased computer software, furniture and fixtures and leasehold improvements.

Amortization

Amortization primarily represents amortization of our capitalized internal-use software related to our solutions as well as amortization of acquired intangible assets.

Other income, net

Our other income and expense line items consist of the following:

• Other income, net . Other income, net consists of foreign currency related losses and gains and other miscellaneous income (expense).

• Loss on extinguishment of debt. Loss on extinguishment of debt represents the difference between the amount paid on extinguishment of debt (including any directly related fees) and the net carrying amount of debt being extinguished.

• Interest expense . Interest expense consists primarily of the interest incurred on our financing obligations as well as amortization of discounts and deferred financing costs.

• Interest income . Interest income consists of interest earned on our cash and cash equivalent balances.

Income tax benefit (expense)

Based upon our cumulative pre-tax losses in recent years and available evidence, we have determined that it is more likely than not that the majority of our U.S. deferred tax assets as of January 31, 2026 will not be realized in the near term. Consequently, we have established a valuation allowance against our deferred tax assets that are not more likely than not to be realized. In periods when we conclude we will have future taxable income sufficient to realize the deferred tax assets, we reduce the valuation allowance. Income tax expense also includes U.S. state and local income taxes and foreign income taxes. We record unrecognized tax benefits as liabilities or as reductions to deferred tax assets and adjust these balances when our judgment changes as a result of the evaluation of new information previously not available.

On July 4, 2025, President Trump signed into law the One Big Beautiful Bill Act (OBBBA). The OBBBA includes several significant tax provisions, such as the permanent extension of certain expiring provisions of the Tax Cuts and Jobs Act, modifications to the international tax framework and the restoration of certain business provisions. The legislation has multiple effective dates, with certain provisions effective in the year ended January 2026 and others implemented through fiscal year ending January 2028. The Company will no longer be required to capitalize its domestic research and experimental costs under Section 174 of the Internal Revenue Code beginning with the tax year ended January 31, 2026. The Company evaluated the impact of the OBBBA and determined that it did not have a material impact on the Company’s consolidated financial statements for the year ended January 31, 2026.

Comparison of fiscal 2026 versus fiscal 2025

Revenue

Fiscal years ended January 31,

(in thousands)

$ Change

% Change

Subscription and related services

Payment solutions

Network solutions

Total revenue

• Subscription and related services. Our subscription and related services revenue from healthcare services organizations increased $23.0 million to $219.5 million for fiscal 2026, as compared to $196.5 million for fiscal 2025, primarily due to new healthcare services clients as well as expansion of and cross-selling to existing healthcare services clients.

• Payment solutions. Our payment solutions revenue increased $19.7 million to $121.5 million for fiscal 2026, as compared to $101.7 million for fiscal 2025, due to the addition of new healthcare services clients, which drove increases in patient visits and patient payments processed through our platform, and the AccessOne Acquisition, which contributed revenue beginning on November 12, 2025.

• Network solutions. Our revenue from life sciences clients and other organizations increased $18.1 million to $139.7 million for fiscal 2026, as compared to $121.6 million for fiscal 2025 due to an increase in engagement, education programs and deeper patient outreach among the existing programs.

Cost of revenue (excluding depreciation and amortization)

Fiscal years ended January 31,

(in thousands)

$ Change

% Change

Cost of revenue (excluding depreciation and amortization)

Cost of revenue (excluding depreciation and amortization) increased $5.1 million to $71.4 million for fiscal 2026, as compared to $66.2 million for fiscal 2025. The increase resulted primarily from a $10.4 million increase in other third-party costs driven by growth in revenue, as well as additional cost of revenue (excluding depreciation and amortization) recognized for AccessOne, partially offset by a $5.3 million decrease in labor costs.

Stock compensation incurred related to cost of revenue was $3.9 million and $4.9 million for fiscal 2026 and fiscal 2025, respectively.

Payment solutions expense

Fiscal years ended January 31,

(in thousands)

$ Change

% Change

Payment solutions expense

Payment solutions expense increased $14.1 million to $82.8 million for fiscal 2026, as compared to $68.7 million for fiscal 2025. The increase resulted primarily from the increase in payment processing revenue and patient payments processed through our solutions, each driven by an increase in patient visits over the prior year, as well as additional payment solutions expense recognized for AccessOne.

Sales and marketing

Fiscal years ended January 31,

(in thousands)

$ Change

% Change

Sales and marketing

Sales and marketing expense decreased $20.9 million to $100.2 million for fiscal 2026, as compared to $121.1 million for fiscal 2025. The decrease resulted primarily from a $23.5 million decrease in labor costs, partially offset by a $2.6 million increase in other third-party sales and marketing costs.

Stock compensation incurred related to sales and marketing expense was $20.2 million and $22.0 million for fiscal 2026 and fiscal 2025, respectively.

Research and development

Fiscal years ended January 31,

(in thousands)

$ Change

% Change

Research and development

Research and development expense increased $4.1 million to $121.5 million for fiscal 2026, as compared to $117.4 million for fiscal 2025. The increase resulted primarily from a $3.3 million increase in software costs, a $0.7 million increase in other third-party costs and a $0.2 million increase in labor costs.

Stock compensation incurred related to research and development expense was $17.0 million and $15.3 million in fiscal 2026 and fiscal 2025, respectively.

General and administrative

Fiscal years ended January 31,

(in thousands)

$ Change

% Change

General and administrative

General and administrative expense increased $3.3 million to $79.9 million for fiscal 2026, as compared to $76.6 million for fiscal 2025. The increase primarily resulted from a $9.2 million increase in third-party costs associated with the AccessOne Acquisition, partially offset by a $2.8 million decrease in other third-party general and administrative expenses and a $3.1 million decrease in labor costs.

Stock compensation incurred related to general and administrative expense was $26.3 million and $24.8 million in fiscal 2026 and fiscal 2025, respectively.

Depreciation

Fiscal years ended January 31,

(in thousands)

$ Change

% Change

Depreciation

Depreciation expense decreased $1.2 million to $13.0 million for fiscal 2026, as compared to $14.2 million for fiscal 2025. The decrease was primarily attributable to lower computer equipment depreciation.

Amortization

Fiscal years ended January 31,

(in thousands)

$ Change

% Change

Amortization

Amortization expense increased $4.8 million to $18.5 million for fiscal 2026, as compared to $13.7 million for fiscal 2025. The increase was primarily driven by higher amortization of capitalized internal-use software development costs as well as amortization of intangible assets acquired through the AccessOne Acquisition.

Other income, net

Fiscal years ended January 31,

(in thousands)

$ Change

% Change

Other income, net

Other income, net was income of $3.0 million for fiscal 2026 as compared to $2.0 million for fiscal 2025. The increase was driven primarily by $1.0 million of unrealized gains on the fair value of financial instruments, partially offset by a gain recorded in fiscal 2025 in connection with a settlement with the former equity holders of ConnectOnCall. Other income, net in fiscal 2026 is comprised primarily of other miscellaneous income and expense, gains on the fair value of financial instruments and foreign exchange gains and losses due to changes in rates.

Loss on extinguishment of debt

Fiscal years ended January 31,

(in thousands)

$ Change

% Change

Loss on extinguishment of debt

During fiscal 2026, we recorded a $0.5 million loss on extinguishment of debt in connection with the write-off of deferred financing costs in connection with the First Amendment to the Capital One Credit Facility.

Interest expense

Fiscal years ended January 31,

(in thousands)

$ Change

% Change

Interest expense

Interest expense increased by $4.6 million to $7.0 million for fiscal 2026, as compared to $2.3 million for fiscal 2025. The increase is primarily attributable to interest expense recorded in connection with the Bridge Loan.

Interest income

Fiscal years ended January 31,

(in thousands)

$ Change

% Change

Interest income

Interest income decreased by $0.5 million to $2.2 million for fiscal 2026, as compared to $2.7 million for fiscal 2025. The decrease is primarily attributable to lower interest income earned from our cash and cash equivalent balances.

Income tax benefit (expense)

Fiscal years ended January 31,

(in thousands)

$ Change

% Change

Income tax benefit (expense)

We recognized an income tax benefit of $11.2 million for fiscal 2026, as compared to income tax expense of $2.7 million for fiscal 2025. The income tax benefit for fiscal 2026 was driven primarily by the release of $13.1 million of valuation allowance of our U.S. federal deferred tax assets, as deferred tax liabilities recorded in connection with the AccessOne Acquisition provided a source of income to realize a portion of our U.S. federal deferred tax assets.

Non-GAAP financial measures

Adjusted EBITDA is a supplemental measure of our performance that is not required by, or presented in accordance with, GAAP. Adjusted EBITDA is not a measurement of our financial performance under GAAP and should not be considered as an alternative to net income or loss or any other performance measure derived in accordance with

GAAP, or as an alternative to cash flows from operating activities as a measure of our liquidity. We calculate Adjusted EBITDA as net income or loss before interest expense, interest income, income tax (benefit) expense, depreciation and amortization, stock-based compensation expense, loss on extinguishment of debt, other income, net and certain other items that are not considered to reflect our operating activities and performance within the ordinary course of business, such as acquisition- and restructuring-related costs.

The calculation of Adjusted EBITDA was updated beginning in the three months ended October 31, 2025 to include an adjustment for acquisition-related costs, which consist primarily of legal, advisory and other professional fees and integration costs related to acquisitions. Management believes adjusting for these acquisition-related costs provides investors with a more consistent period-to-period comparison of our core operating performance and trends. For periods prior to the three months ended October 31, 2025, the calculation of Adjusted EBITDA did not adjust for acquisition-related costs, and prior periods have not been retroactively adjusted.

We have provided below a reconciliation of Adjusted EBITDA to net income (loss), the most directly comparable GAAP financial measure. We have presented Adjusted EBITDA in this Annual Report on Form 10-K because it is a key measure used by our management and board of directors to understand and evaluate our core operating performance and trends, to prepare and approve our annual budget, and to develop short and long-term operational plans. In particular, we believe that the exclusion of the amounts eliminated in calculating Adjusted EBITDA can provide a useful measure for period-to-period comparisons of our core business. Accordingly, we believe that Adjusted EBITDA provides useful information to investors and others in understanding and evaluating our operating results in the same manner as our management and board of directors.

Our use of Adjusted EBITDA has limitations as an analytical tool, and should not be considered in isolation or as a substitute for analysis of our financial results as reported under GAAP. Some of these limitations are as follows:

• Although depreciation and amortization expense are non-cash charges, the assets being depreciated and amortized may have to be replaced in the future, and Adjusted EBITDA does not reflect cash capital expenditure requirements for such replacements or for new capital expenditure requirements;

• Adjusted EBITDA does not reflect: (1) changes in, or cash requirements for, our working capital needs; (2) the potentially dilutive impact of non-cash stock-based compensation; (3) tax payments that may represent a reduction in cash available to us; (4) loss on extinguishment of debt; (5) interest expense; (6) interest income; (7) other income, net; or (8) certain other items that are not considered to reflect our operating activities and performance within the ordinary course of business, such as acquisition- and restructuring-related costs; and

• Other companies, including companies in our industry, may calculate Adjusted EBITDA or similarly titled measures differently, which reduces its usefulness as a comparative measure.

Because of these and other limitations, you should consider Adjusted EBITDA along with other GAAP-based financial performance measures, including various cash flow metrics, net income (loss) and our GAAP financial results.

The following table presents a reconciliation of Adjusted EBITDA to net income (loss), the most directly comparable GAAP financial measure, for each of the periods indicated:

For the fiscal years ended January 31,

(in thousands)

Net income (loss)

Interest expense

Interest income

Income tax (benefit) expense

Depreciation and amortization

Stock-based compensation expense

Loss on extinguishment of debt

Other income, net

Other items affecting comparability (1)

Adjusted EBITDA

(1) Consists primarily of legal, advisory and other professional fees and integration costs related to acquisitions, including the AccessOne Acquisition.

We calculate free cash flow as net cash provided by operating activities less capitalized internal-use software development costs and purchases of property and equipment.

Additionally, free cash flow is a supplemental measure of our performance that is not required by, or presented in accordance with, GAAP. We consider free cash flow to be a liquidity measure that provides useful information to management and investors about the amount of cash generated by our business that can be used for strategic opportunities, including investing in our business, making strategic investments, partnerships and acquisitions and strengthening our financial position.

The following table presents a reconciliation of free cash flow from net cash provided by operating activities, the most directly comparable GAAP financial measure, for each of the periods indicated:

For the fiscal years ended January 31,

(in thousands)

Net cash provided by operating activities

Less:

Capitalized internal-use software

Purchases of property and equipment

Free cash flow

Liquidity and capital resources

As of January 31, 2026 and 2025, we had cash, cash equivalents and restricted cash of $73.8 million and $84.2 million, respectively. Cash, cash equivalents and restricted cash consist of money market mutual funds and cash on deposit.

We believe that our existing cash, cash equivalents and restricted cash, along with cash generated in the normal course of business, will be sufficient to meet our needs for at least the next 12 months.

We also have additional borrowing capacity under the New Capital One Credit Facility, subject to certain restrictive covenants.

Our future capital requirements and the adequacy of available funds will depend on many factors, including those set forth under “Risk Factors.”

In the event that additional financing is required from outside sources, we may be unable to raise the funds on acceptable terms, if at all. If we are unable to raise additional capital when desired, our business, operating results and financial condition could be adversely affected.

AccessOne Acquisition

On the Closing Date, we acquired AccessOne for a consideration transferred of approximately $163.7 million, including post-closing adjustments. The purchase price was funded with a combination of cash and the net proceeds from the Bridge Loan entered into on the Closing Date.

Bridge Loan

On the Closing Date, in connection with the AccessOne Acquisition, we entered into the Bridge Credit Agreement with respect to a new, 364-day $110.0 million secured term loan. The net proceeds of the Bridge Loan were used to fund a portion of the purchase price of the AccessOne Acquisition. The Bridge Loan had an outstanding principal amount of $110.0 million and a maturity date of November 11, 2026 and could be prepaid at any time without penalty.

During the three months ended January 31, 2026, we repaid $20.0 million of the outstanding principal balance of the Bridge Loan. As of January 31, 2026, the outstanding principal balance of the Bridge Loan was $90.0 million.

Subsequent to the end of the fiscal year, in connection with the Refinancing, we terminated without penalty, and repaid all outstanding indebtedness and obligations under, the Bridge Loan. All security agreements and related financing arrangements entered into with our former lenders under the Bridge Loan were terminated substantially concurrently with the effectiveness of the New Capital One Credit Agreement.

Existing Capital One Credit Facility

In December 2023, we entered into a 5-year, $50.0 million senior secured asset-based revolving credit facility (as amended, the “Existing Capital One Credit Facility") maturing in December 2028, which included a swingline sub-limit of at least $5.0 million and a letter of credit sub-limit of at least $5.0 million.

On the Closing Date, in connection with the closing of the AccessOne Acquisition and entry into the Bridge Credit Agreement, the Company entered into an amendment to the Existing Capital One Credit Facility, which amended the covenant limiting acquisitions to permit the AccessOne Acquisition, amended the covenant limiting additional indebtedness to accommodate the Bridge Loan, and amended the security interest supporting the Existing Capital One Credit Facility to permit the security interests granted in connection with the Bridge Loan. The amendment included further changes to sections governing mandatory and voluntary prepayments, negative covenants and events of default to accommodate the existence of the Bridge Loan.

The Existing Capital One Credit Facility contained financial covenants that, among other things, required us to maintain minimum Consolidated EBITDA, minimum Liquidity, and a minimum Consolidated Fixed Charge Coverage Ratio, as well as a restriction on the amount of dividends, limitations on incurring additional indebtedness, limitations on acquisitions and limitations on the amount of cash and cash equivalents we held outside Capital One, each as defined in the Existing Capital One Credit Agreement. We were in compliance with all covenants related to the Existing Capital One Credit Facility as of January 31, 2026.

Subsequent to the end of the fiscal year, the Existing Capital One Credit Facility was terminated without penalty in connection with the Refinancing.

New Capital One Credit Facility and Refinancing

Subsequent to the end of the fiscal year, on March 13, 2026 (the “Refinancing Date”), we and certain of our subsidiaries (collectively, the “Credit Parties”) entered into a Credit Agreement (the “New Capital One Credit Agreement”) providing for a senior secured revolving credit facility (the “New Capital One Credit Facility”) up to an aggregate principal amount of $275.0 million, of which $92.0 million was borrowed on the Refinancing Date, and which includes a swingline sublimit of $20.0 million and a letter of credit sublimit of $10.0 million. The unused

borrowing capacity on the facility is available to us for working capital, capital expenditures, permitted acquisitions and general corporate purposes.

The New Capital One Credit Agreement bears interest at a rate per annum based on SOFR or a Base Rate as specified in the New Capital One Credit Agreement. Swingline loans must be Base Rate loans. We are permitted to repay the Credit Facility, in whole or in part, without penalty or premium, subject to certain notice periods.

The Company will pay an unused line fee equal to the product of (i) a commitment fee percentage ranging from 0.25% to 0.40% per annum based on the applicable total net leverage ratio and (ii) the unused portion of the revolving commitments under the Credit Facility.

On the Refinancing Date, in connection with the entry into the New Capital One Credit Facility, the Company terminated without penalty, and repaid all outstanding indebtedness and obligations under, the Bridge Loan and the Existing Capital One Credit Facility. All security agreements and related financing arrangements entered into with the Company’s former lenders under the Bridge Loan and the Existing Capital One Credit Facility were terminated substantially concurrently with the effectiveness of the New Capital One Credit Agreement. The transactions that occurred on the Refinancing Date are referred to collectively as the “Refinancing.”

The New Capital One Credit Facility contains financial covenants that, among other things, require us to maintain a maximum Total Net Leverage Ratio and a minimum Fixed Charged Coverage Ratio, each as defined in the New Capital One Credit Agreement, as well as various restrictive covenants that limit our ability to take certain actions, including, but not limited to, our ability to grant or incur liens, dispose of assets, incur additional indebtedness, make certain investments, restricted payments (including dividends) and restricted debt payments, enter into certain mergers and acquisitions, subject in each case to certain customary exclusions, exceptions and baskets.

See Note 6 - Debt and finance leases and Note 20 - Subsequent events in Part II, Item 8 of this Annual Report on Form 10-K for more information regarding the Bridge Loan, the New Capital One Credit Facility and the Refinancing.

Financing agreements

In June 2023, we entered into a financing agreement to obtain financing for internal-use software and related software support. As of January 31, 2026, there was $0.6 million in outstanding principal and interest due under the agreement. The financing agreement requires us to pay $0.1 million per month for 36 months beginning August 2023. The effective interest rate on the agreement is 10.5% per annum.

Cash Flows

The following table summarizes our sources and uses of cash for each of the periods presented:

For the fiscal years ended January 31,

(in thousands)

Net cash provided by operating activities

Net cash used in investing activities

Net cash provided by (used in) financing activities

Effect of exchange rate changes on cash, cash equivalents and restricted cash

Net decrease in cash, cash equivalents and restricted cash

Operating activities

The primary sources of cash from operating activities are cash received from our customers and interest earned on our money market mutual funds. The primary uses of cash for operating activities are for payroll, payments to suppliers, payments for operating leases, as well as cash paid for interest on our borrowings and finance leases and cash paid for various sales, property and income taxes.

During the fiscal year ended January 31, 2026 and 2025, net cash provided by operating activities was $78.8 million and $32.4 million, respectively, as our cash received from customers in connection with our normal operations exceeded our cash paid to employees and suppliers.

The change in net cash provided by operating activities was driven primarily by an increase in cash received from customers driven by higher revenues during the year ended January 31, 2026.

Investing activities

During the fiscal year ended January 31, 2026, net cash used in investing activities was $161.9 million, principally resulting from $153.2 million of cash paid for the AccessOne acquisition, $13.3 million of cash paid for capitalized internal-use software, $11.1 million of purchases of property and equipment, primarily computer equipment, partially offset by $15.7 million provided by collections of cardholder receivables held for investment and deferred purchase price.

During the fiscal year ended January 31, 2025, net cash used in investing activities was $24.1 million, including $15.4 million of cash paid for capitalized internal-use software, as well as $8.7 million of purchases of property and equipment, primarily computer equipment.

Financing activities

During the fiscal year ended January 31, 2026, net cash provided by financing activities was $72.9 million, primarily consisting of $110.0 million in proceeds from the Bridge Loan and $3.8 million in proceeds from our equity compensation plans, partially offset by $20.0 million used for principal payments against the Bridge Loan, $9.6 million used for payments due to providers for unfunded receivables, $8.2 million used for principal payments on finance leases and financing arrangements, and $3.2 million used for debt issuance costs, facility fees and debt extinguishment costs.

During the fiscal year ended January 31, 2025, net cash used in financing activities was $11.5 million, primarily consisting of $9.0 million used for principal payments on finance leases and financing arrangements, $6.3 million used for principal payments of acquisition-related liabilities and $0.2 million used for debt issuance costs, facility fees and debt extinguishment costs, partially offset by $3.9 million in proceeds from our equity compensation plans.

Material Cash Requirements

Our material cash requirements relate to human capital, contractual purchase commitments, leases and financing arrangements, and repayment of borrowings under the New Capital One Credit Facility. Refer to Note 4 - Composition of certain financial statement accounts in Part II - Item 8 of this Annual Report on Form 10-K for additional information on accrued payroll related liabilities. Refer to Note 6 - Debt and finance leases, Note 10 - Leases and Note 11 - Commitments and contingencies in Part II - Item 8 of this Annual Report on Form 10-K for additional information on cash requirements for debt, leases, financing arrangements and contractual purchase commitments.

Critical accounting policies and estimates

The preparation of the consolidated financial statements in conformity with GAAP requires us to make certain estimates and assumptions. These estimates and assumptions affect the reported amounts of assets and liabilities and disclosure of contingent assets and liabilities as of the balance sheet date, as well as reported amounts of revenue and expenses during the reporting period. Our most significant estimates and judgments involve revenue recognition, the fair value of assets acquired in business combinations, capitalized internal-use software, income taxes, and valuation of our stock-based compensation. Actual results may differ from these estimates. To the extent that there are differences between our estimates and actual results, our future financial statement presentation, financial condition, results of operations and cash flows will be affected.

We believe that the accounting policies described below involve a greater degree of judgment and complexity. Accordingly, these are the policies we believe are the most critical to aid in fully understanding and evaluating our financial condition and results of operations.

Revenue recognition

We account for revenue from contracts with clients by applying the requirements of Topic 606, which includes the following steps:

• Identification of the contract, or contracts, with a client

• Identification of the performance obligations in a contract

• Determination of the transaction price

• Allocation of the transaction price to the performance obligations in the contract

• Recognition of revenue when, or as, performance obligations are satisfied

Revenues are recognized when control of these services is transferred to our clients, in an amount that reflects the consideration we expect to be entitled to in exchange for those services.

We believe the areas in which we apply significant judgments when determining revenue recognition relate to the identification of distinct performance obligations, the assessment of the standalone selling price (“SSP”) for each performance obligation identified, the determination of the amount of variable consideration to include in the transaction price of our contracts with customers and the determination of whether we are the principal or the agent for certain performance obligations.

Determination of Performance Obligations

A performance obligation is a promise in a contract with a customer to transfer products or services that are distinct. Our contracts with customers may include multiple promises to transfer services to a customer. Determining whether products and services are distinct performance obligations that should be accounted for separately or combined as a single performance obligation may require significant judgment that requires us to assess the nature of the promise and the value delivered to the customer.

Our subscription and related services revenue includes certain fees from clients for professional services associated with implementation services.

In determining whether professional services for implementation are distinct, we consider the following factors for each professional services agreement: availability of the services from other vendors, the nature of the professional services and the complexity of interfaces created between systems.

We determined that the majority of implementation services were not distinct from the related subscription service because they are proprietary such that they cannot be performed by another entity, because we generally do not sell professional services on a stand-alone basis, and because they are integral to the customer’s ability to derive the intended benefit of the subscription service, indicating that the implementation services and related subscription are inputs to a combined output.

Determination of Standalone Selling Prices

We allocate the transaction price of our customer contracts to the performance obligations within those contracts based on the relative SSP of the performance obligations.

The SSP is the price that we would sell a product separately to a customer. The best evidence of this is an observable price from stand-alone sales of that product to similarly situated customers. However, as we do not typically transfer our performance obligations on a standalone basis, but rather we transfer bundles of performance obligations, we use an adjusted market assessment approach to estimate the price a customer would be willing to pay for our performance obligations using historical price information as priced in previous bundled contracts.

In determining SSPs, we stratify the population of customer transactions by product, type, size of customer and geographic area. We typically establish a range of SSPs for each of our performance obligations.

The prices we charge for digital messaging solutions provided to life sciences companies have historically been highly variable. We consider pricing to be highly variable if we have a history of selling the services at a wide range of prices to similar customers in similar geographic areas within the same time periods. As the pricing of our digital messaging solutions has historically been highly variable, we use the residual method to estimate the SSP of performance obligations for digital messaging solutions. We estimate the residual SSP of our digital messaging solutions as the total transaction price of the customer contract less the SSPs of the remaining performance obligations pursuant to the contract.

Variable Consideration

We estimate the transaction price at contract inception, including any variable consideration, and we update the estimate each reporting period for any changes in circumstances. When determining the transaction price, we assume the products will be transferred to the customer based on the terms of the existing contract and our assumption does not take into consideration the possibility of a contract being canceled, renewed, or modified.

We occasionally provide credits to customers representing adjustments to the transaction price. Known and estimable credits and adjustments represent a form of variable consideration, which are estimated at contract inception and generally result in reductions to revenues recognized for a particular contract. These estimates are updated at the end of each reporting period as additional information becomes available. We estimate the amount of variable consideration based on its expected probability-weighted value or its most likely amount. We include variable consideration in the transaction price to the extent it is probable there will not be a significant reversal of

revenue when the uncertainty with respect to the variable consideration is resolved. We believe that there will not be significant changes to our estimates of variable consideration as of January 31, 2026.

Principal vs Agent Considerations

As part of our revenue recognition process, we evaluate whether we are the principal or agent for the performance obligations in our contracts with customers. When we determine that we are the principal for a performance obligation, we recognize revenue for that performance obligation on a gross basis. When we determine that we are an agent for a performance obligation, we recognize revenue for that performance obligation net of the related costs. In determining whether we are the principal or the agent, we evaluate whether we have control of the services before we transfer the services to the customer by considering whether we are primarily obligated for transferring the services to the customer, whether we have inventory risk for the services before the services are transferred to the customer, and whether we have latitude in establishing prices. We recognize payment processing fees collected from customers as revenue on a gross basis because, as the merchant of record, we control the services before delivery to the customer, we are primarily responsible for the delivery of the services to our customers, we have latitude in establishing pricing with respect to the customer and other terms of service, we have sole discretion in selecting the third-party to perform the settlement, and we assume the credit risk for the transaction processed. We also have the unilateral ability to accept or reject a transaction based on our established criteria.

Business combinations

We use our best estimates and assumptions to accurately assign fair value to the tangible and intangible assets acquired and liabilities assumed at the acquisition date. With the assistance of third-party appraisers, we assess the fair value of the assets acquired in business combinations. The fair value of the acquired licenses and technology was estimated using the relief from royalty method. The fair value of customer relationships was estimated using a multi-period excess earnings method. To calculate fair value, we used cash flows discounted at a rate considered appropriate given the inherent risks associated with each client grouping. Our estimates are inherently uncertain and subject to refinement. During the measurement period, which may be up to one year from the acquisition date, we may record adjustments to the fair value of these tangible and intangible assets acquired and liabilities assumed, with the corresponding offset to goodwill. We continue to collect information and reevaluate these estimates and assumptions quarterly and record any adjustments to our estimates to goodwill provided that we are within the measurement period. Upon the conclusion of the measurement period or final determination of the fair value of assets acquired or liabilities assumed, whichever comes first, any subsequent adjustments are recorded to our consolidated statements of operations.

Capitalized internal-use software

We capitalize certain costs incurred for the development of computer software for internal use . These costs relate to the development of our solutions. We capitalize the costs during the development of the project, when it is determined that it is probable that the project will be completed, and the software will be used as intended. Costs related to preliminary project activities, post-implementation activities, training and maintenance are expensed as incurred. Internal-use software is amortized on a straight-line basis over its estimated useful life, which is generally three to five years. We evaluate the useful lives of these assets on an annual basis and tests for impairment whenever events or changes in circumstances occur that could impact the recoverability of these assets. We exercise judgment in determining the point at which various projects may be capitalized, in assessing the ongoing value of the capitalized costs and in determining the estimated useful lives over which the costs are amortized. To the extent that we change the manner in which we develop and test new features and functionalities related to our solutions, assess the ongoing value of capitalized assets or determine the estimated useful lives over which the costs are amortized, the amount of internal-use software development costs we capitalize and amortize could change in future periods.

Transfers and servicing of financial assets

The Company sells eligible cardholder receivables through a securitization program (the “Securitization Program”). Cardholder receivables are originated by AccessOne MedCard and then sold to AccessOne Funding, LLC (“AccessOne Funding”), a bankruptcy-remote special‑purpose entity, for an amount equal to their face value. AccessOne Funding is a variable interest entity (“VIE”) for which the Company is the primary beneficiary. AccessOne Funding sells cardholder receivables to an unaffiliated financial institution for an initial cash purchase price (equal to the nominal amount of such receivables) and the right to receive a deferred purchase price, pursuant to the Securitization Program.

Transfers of an entire financial asset are accounted for as sales when control over the assets has been surrendered in accordance with the sale criteria of ASC 860. Control over transferred assets is deemed to be surrendered when the ASC 860 criteria for a sale of financial assets has been met.

Upon a qualifying sale, the transferred assets are derecognized, and any assets obtained or liabilities incurred are initially recognized at fair value, including any retained beneficial interests (e.g., deferred purchase price receivable). Transfers that do not meet the sale criteria are accounted for as secured borrowings with a pledge of collateral.

The determination of whether transfers of financial assets qualify as sales requires significant judgment. The most significant judgments included in the determination of whether financial assets qualify as sales, and thus can be removed from the Company’s consolidated balance sheets, are set forth below:

• Legal isolation: The Company determines whether the assets have been legally isolated from the Company by obtaining a true sale opinion from qualified legal counsel, confirming that the transferred assets have been legally isolated from AccessOne MedCard. The Company also obtains a legal opinion confirming that AccessOne Funding would not be consolidated into the bankruptcy estate of AccessOne MedCard in the event of AccessOne MedCard’s bankruptcy.

• Actual control: In order qualify as a sale of financial assets, the transferee, must have the right to pledge or exchange the financial assets without constraints. If the transferee is constrained from pledging or exchanging the financial assets, the Company must not benefit from that constraint.

• Effective control: In order to qualify as a sale of financial assets, the Company cannot maintain effective control over the transferred assets through an agreement to repurchase them before their maturity.

The determination of whether transfers of financial assets qualify as sales requires significant judgment.

Assets and Liabilities Measured at Fair Value on a Recurring Basis using Significant Unobservable Inputs (Level 3)

The Company’s cardholder receivables, deferred purchase price receivable, and amounts due to healthcare providers do not trade in active markets with readily observable prices. Accordingly, fair value is determined using valuation techniques that incorporate significant unobservable inputs and require significant management judgment. These assets and liabilities are classified as Level 3 within the fair value hierarchy.

Cardholder receivables

The fair value of cardholder receivables is estimated using a discounted cash flow model incorporating key input and risk‑adjustment factors.

The most critical and judgmental assumptions used to estimate the fair value of the deferred purchase price receivable are set forth below:

• Discount rate: The discount rate represents a market‑based applied yield based on current personal loan market rates.

• Patient Default rate: When cardholder receivables become over 90 days past due, a Patient Default occurs, and the cardholder receivables are returned to the healthcare provider in exchange for extinguishing the due to provider liability. As a result, increases in the Patient Default rate decrease the value of of the cardholder receivables.

Because the valuation incorporates significant unobservable inputs, cardholder receivables are classified as Level 3 within the fair value hierarchy.

Deferred purchase price receivable

The fair value of the deferred purchase price receivable is estimated using a discounted cash flow model. The most critical and judgmental assumptions used to estimate the fair value of the deferred purchase price receivable are set forth below:

• Discount rate: The discount rate represents a market‑based applied yield informed by the deferred purchase price receivable’s relative risk/return profile and return requirements for comparable market investments.

• Expected repayment rate: Increases in the repayment rate increase the value of the deferred purchase price receivable because it recovers purchase discounts more quickly and residual cash flows are returned to the deferred purchase price receivable.

Because significant unobservable inputs are used, the deferred purchase price receivable is classified as Level 3 within the fair value hierarchy.

Due to healthcare providers

The fair value of due to healthcare providers is estimated using a discounted cash flow model incorporating key input and risk‑adjustment factors similar to the related cardholder receivables.

The most critical and judgmental assumptions used to estimate the fair value of the deferred purchase price receivable are set forth below:

• Discount rate: The discount rate represents a market‑based applied yield informed by the due to healthcare provider’s relative risk/return profile and return requirements for comparable market investments.

• Patient Default rate: When cardholder receivables are returned to providers as a result of Patient Default, the related due to provider liability is extinguished. As a result, increases in the Patient Default rate decrease the value of of the due to healthcare providers liability.

Because the valuation incorporates significant unobservable inputs, due to healthcare providers are classified as Level 3 within the fair value hierarchy.

Stock-based compensation for market-based performance stock units ("PSUs")

We granted market-based PSUs during fiscal 2024, 2025 and 2026.

PSUs vest in between 0% and 220% of the number of PSUs originally granted based on our total stockholder return ("TSR"), relative to a peer group of companies on the Russell 3000 stock index. PSUs granted during fiscal 2026, 2025 and 2024 vest in a maximum of 220% of the number of PSUs originally granted. We estimate the fair value of the PSUs using a Monte Carlo Simulation model which projects TSR for Phreesia and each member of the peer group over a performance period of approximately three years. The most critical and judgmental assumptions used in the Monte Carlo Simulation to estimate the fair value of the PSUs are set forth below:

• Correlation coefficient: The correlation coefficient measures the correlation of our stock to the stock of the companies in the peer group. This coefficient is used to project the performance of our stock against our peers to estimate projected performance under the plan.

• Expected volatility: For PSUs granted during the years ended January 31, 2026, 2025 and 2024, the expected volatility is based on the historical volatility of our stock price over a term commensurate with the simulation term assumption.

We recognize the grant-date fair value of stock-based awards issued as compensation expense on a straight-line basis over the requisite service period, which is generally the vesting period of the award.

Recent accounting pronouncements

In November 2024, the FASB issued ASU 2024-03, Income Statement - Reporting Comprehensive Income - Expense Disaggregation Disclosures (Subtopic 220-40): Disaggregation of Income Statement Expenses. In January 2025, the FASB issued ASU 2025-01, Income Statement - Reporting Comprehensive Income - Expense Disaggregation Disclosures (Subtopic 220-40): Disaggregation of Income Statement Expenses, Clarifying the Effective Date. The new standards require companies to disclose disaggregated information about certain income statement expense line items. The provisions of ASU 2024-03, as amended by ASU 2025-01, are effective for annual periods beginning after December 15, 2026, and interim reporting periods in fiscal years beginning after December 15, 2027. Early adoption is permitted. The Company plans to adopt ASU 2024-03 and ASU 2025-01 for

annual periods beginning in the fiscal year ending January 31, 2028 and for interim periods beginning in the fiscal year ending January 31, 2029. The Company is currently evaluating the impact that ASU 2024-03 and ASU 2025-01 will have on its financial statements and related disclosures. The Company does not expect the disclosure changes that result from the adoption of ASU 2024-03 and ASU 2025-01 to materially impact its consolidated financial statements.

In July 2025, the FASB issued ASU 2025‑05, Financial Instruments - Credit Losses (Topic 326): Measurement of Credit Losses for Accounts Receivable and Contract Assets, which amends ASC 326‑20 to introduce a practical expedient available to all entities that permits entities to assume that current economic conditions as of the balance‑sheet date do not change over the remaining life of current accounts receivable and current contract assets arising from transactions within the scope of ASC 606. The amendments are effective for annual periods beginning after December 15, 2025, and interim periods within those years, with early adoption permitted. The Company is currently evaluating the impact that ASU 2025-05 will have on its consolidated financial statements and related disclosures.

In September 2025, the FASB issued ASU 2025-06, Intangibles - Goodwill and Other-Internal-Use Software (Subtopic 350-40): Targeted Improvements to the Accounting for Internal-Use Software. The ASU amends the existing standard to remove all references to prescriptive and sequential software development project stages. Under this guidance, eligible software development costs will begin capitalization when management has authorized and committed to funding the software project, and it is probable that the project will be completed and the software will be used to perform the function intended. In evaluating whether it is probable the project will be completed; management is required to consider whether there is significant uncertainty associated with the development activities of the software. This guidance is effective for all annual periods beginning after December 15, 2027, and for interim periods within those annual reporting periods, with early adoption permitted. The guidance may be applied on a prospective basis, a modified basis for in-process projects, or a retrospective basis. The Company is currently evaluating the impact of this ASU to determine the impact on the consolidated financial statements and related disclosures.

See Note 3 - Summary of significant accounting policies in Part II - Item 8 of this Annual Report on Form 10-K for a discussion of recent accounting pronouncements.