Item 1A.
Risk Factors
Risks Related to Our Operations and Service Offering
We operate in a highly competitive industry, and our current or future competitors may be able to compete more effectively than we do, which could have a material adverse effect on our operating results, growth rates and market share.
The market for our solutions is and will continue to be highly competitive. The rapid changes in the U.S. healthcare market resulting from pressures to reduce healthcare cost inflation and regulatory and legislative initiatives are increasing the level of competition. We face competition from healthcare systems’ internal RCM departments and external participants. External participants that are our competitors include end-to-end RCM providers, software vendors and other technology-supported RCM business process outsourcing companies, traditional consultants, and information technology outsourcers. Our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards, regulations, or customer requirements. We may not be able to compete successfully with these companies, and these or other competitors may introduce technologies or services that render our technologies or services obsolete or less marketable. Even if our technologies and services are more effective than the offerings of our competitors, our competitors may offer similar solutions at a lower price, which may cause our customers to choose our competitors’ solutions over ours. Increased competition is likely to result in pricing pressures, which could adversely affect our operating results, growth rate, or market share. Even if we have a good relationship and strong performance history with a customer, open and competitive bidding practices mean we may not be awarded renewal business or may have to aggressively price our services to be successful.
The markets for our RCM service offering may develop more slowly than we expect.
Our success depends, in part, on the willingness of healthcare organizations to implement integrated solutions for the areas in which we provide services. Some organizations may be reluctant or unwilling to implement our solutions for a number of reasons, including failure to perceive the need for improved revenue cycle operations, lack of knowledge about the potential benefits our solutions provide, concerns over the cost of using an external solution, or as a result of investments or planned investments in internally developed solutions, choosing to continue to rely on their own internal resources.
Delayed or unsuccessful implementation of our technologies or services with our customers or implementation costs that exceed our expectations may adversely affect our operating results.
In periods during which we add new customers, our operating costs are typically higher because we incur expenses to integrate our solutions with our customers’ existing patient accounting and clinical systems. The implementation process varies from customer to customer, and we may face unanticipated challenges, including failure to obtain approvals or access rights from our customers’ vendors in a timely manner or at all. If the implementation process is not executed successfully or is delayed, as we have experienced from time to time, our relationships with our customers and our operating results may be adversely affected. Implementation of certain of our solutions also requires us to integrate our employees into customer’s operations. Depending on our customers’ implementation needs, we may be required to devote a larger number of our employees than anticipated, which may increase our costs and adversely affect operating results.
Errors may occur during the provision of our services, which could result in liabilities to our customers or third parties, or we may earn lower net services revenue due to failure to maintain service levels.
The services we offer are complex and involve numerous manual and automated touchpoints with patients, providers and payers, which inherently creates a higher error risk. Errors can result from the interface of our proprietary technology applications and a customer’s existing technologies, or we may make human errors in any aspect of our service offerings. The costs incurred in correcting any significant errors may be substantial and could adversely affect our operating results. Our customers, or third parties such as our customers’ patients, may assert claims against us alleging that they suffered damages due to our errors, and such claims could subject us to significant legal defense costs in excess of our existing insurance coverage and adverse publicity regardless of the merits or eventual outcome of such claims. In addition, if we are unable to maintain high service levels and our customers fail to achieve agreed upon improvement in financial or operating metrics, the incentive fee payments to us from such customers may be lower than anticipated.
The development and use of AI in connection with our products may result in reputational harm or liability, which could adversely affect our business and operating results.
R1 employs machine learning and AI technologies, including generative AI, in our offerings, and research into and continued development of such technologies remains ongoing. As AI represents a rapidly evolving field, it inherently carries a spectrum of risks typical to emerging technologies. We anticipate the enactment of new regulations and laws pertaining to AI usage, potentially placing us under increased regulatory oversight, escalating litigation risks, and augmenting our existing obligations regarding confidentiality and privacy. Such developments could negatively impact our business operations. Moreover, AI technologies introduce heightened cybersecurity risks and ethical considerations, potentially affecting our reputation and operational performance. Should we introduce solutions that generate content that is misleading, biased, harmful or controversial due to perceived or actual societal impact, we may face potential harm to our brand and reputation, competitive disadvantages, or even legal liabilities. AI algorithms and training methodologies may be flawed. ineffective or inadequate. AI development or deployment practices by us or others could result in incidents that impair the acceptance of AI solutions or cause harm to individuals or society.
Further, the legal landscape regarding IP rights in AI technologies remains unsettled in the U.S., both in legislation and judicial precedent. Consequently, our engagement with AI technologies and features might lead to allegations of infringement or misappropriation of third-party IP rights. This risk is intensified by the current trend of entities swiftly seeking patents and other IP protections in AI to gain a competitive edge. Additionally, generative AI has the capacity to yield inaccurate or misleading results, promote discriminatory outcomes, or perpetuate unintended biases. Despite our efforts to implement measures and develop our AI tools in a manner that enhances security and fairness, these issues may arise due to the direct interaction of users with generative AI models and the inherent unpredictability and power of these technologies. Litigation or government regulation related to the use of AI may also adversely impact our ability to develop and offer products that use AI, as well as increase the cost and complexity of doing so. If we enable or offer solutions that draw controversy due to their perceived or actual impact on society, we may experience brand or reputational harm, competitive harm, or legal liability. Potential government regulation related to AI use and ethics may also increase the burden and cost in this area, and failure to properly remediate AI usage or ethics issues may cause public confidence in AI to be undermined. Such outcomes can result in reputational damage, legal liabilities, and adverse effects on our operational results.
Negative public perception, customer policies, and proposed legislation in the U.S. regarding offshore outsourcing may increase the cost of delivering our services or prevent us from realizing cost savings in the future.
Offshore outsourcing is a politically sensitive topic in the U.S. For example, various organizations and public figures in the U.S. have expressed concern about a perceived association between offshore outsourcing providers and the loss of jobs in the U.S. Current or prospective customers may elect to perform such RCM services themselves or may be discouraged from transferring these services from onshore to offshore providers to avoid negative perceptions that may be associated with using an offshore provider or may have internal policies restricting use of offshore resources. Any slowdown or reversal of existing industry trends towards offshore outsourcing, and the resulting need to relocate aspects of our services from our global business services operations to the U.S. where operating costs are higher, would increase the cost of delivering our services.
In the U.S., federal and state legislation has been proposed, and in several states enacted, to restrict or discourage U.S. companies from outsourcing their services to companies outside the U.S. Further, through rule making or executive action, some states have imposed limitations on offshore outsourcing of administrative services for the Medicaid program. It is possible that additional legislation be enacted or regulatory guidance issued that would restrict U.S. private sector companies that have federal or state government contracts, or that receive government funding or reimbursement, such as Medicare or Medicaid payments, from outsourcing their services to offshore service providers. Any changes to existing laws or the enactment of new legislation restricting offshore outsourcing in the U.S. may adversely affect our ability to do business, particularly if these changes are widespread, and could have a material adverse effect on our business, operating results, financial condition, and cash flows.
Risks Related to Our Customers
If we are unable to retain our existing customers or acquire new customers, our operating results could be adversely affected.
Our future financial performance depends upon the retention of our customers and our ability to acquire new customers. We earn net services revenue primarily from managed services agreements pursuant to which we receive performance-based fees. Our profitability on customer agreements increases over time, as we integrate our systems, processes, and procedures with our customers. Customers can elect not to renew their managed services agreements with us upon expiration. Certain customer agreements permit early termination for convenience, subject to a notice period. If a customer does not renew or terminates a managed services agreement for any reason, we may not recognize sufficient revenue from that customer prior to the non-renewal or termination to offset the implementation costs associated with that customer.
Some of our managed services agreements require us to adhere to extensive, complex data security, network access, and other institutional procedures and requirements of our customers, and customers may in the future allege that we have not complied with all such procedures and requirements. Factors external to us and beyond our control, including but not limited to cyber attacks, failures of a contracted vendor, or regulatory changes, may cause a failure to perform under a contract. If a breach of a managed services agreement occurs or if there is an actual or perceived service level performance failure, we may be liable to the customer for damages or may need to allocate additional resources or incur additional costs to resolve the breach. Further, we or the customer may generally terminate an agreement for a material uncured breach by the other.
If consolidation or divestitures (including as a result of increased financial pressure) increase within the healthcare provider industry, it may also make it more difficult for us to acquire new customers, retain existing customers, or grow service revenues from existing customers, as consolidated healthcare systems may be more likely to have incumbent RCM providers or significant internal revenue cycle capabilities. For example, certain of our smaller customers ceased to be customers after being acquired by larger healthcare systems with an existing RCM program. In addition, if our customers with operating partnership agreements divest facilities within their hospital systems, our service revenues may be reduced and our opportunity to grow profitability based on scale may be diluted.
We face a selling cycle of variable length to secure new agreements, making it difficult to predict the timing of specific new customer relationships and related revenue.
We face a selling cycle of variable length, typically spanning six to 18 months or longer, to secure a new managed services agreement, and two to six months for modular solutions. Even if we succeed in developing a relationship with a potential new customer, we may not be successful in entering into an agreement with that customer within our anticipated timeframe or at all. In addition, we cannot accurately predict the timing of entering into agreements with new customers due to the complex procurement decision processes of most healthcare providers, which often involve high-level management or board committee approvals. Due to our variable selling cycle length, we have only a limited ability to predict the timing of specific new customer relationships, which affects our ability to predict future revenues and cash flows.
Risks Related to Our Cybersecurity and Technology
If our information technology security measures are breached or fail, including as a result of a successful ransomware attack, resulting in unauthorized access to customer or proprietary data, our service may be perceived as not being secure, which could impact our ability to attract new customers, cause a loss of revenues from current customers due to penalties or contract termination, or cause us to incur significant liabilities.
Our services involve the storage and transmission of our and our customers’ proprietary information and protected health, financial, payment, and other personal information of patients. We rely on proprietary and commercially available systems, software, tools, and monitoring, as well as other processes, to provide the security for processing, transmission, and storage of such information. Due to the sensitivity of this information, the effectiveness of such security efforts is very important. The breach of our systems or failure of our security measures, including as a result of third-party action, employee error, malfeasance, defective design, or otherwise, may lead to unauthorized access to customer or patient data or our proprietary data. Improper activities by third parties, advances in computer and software capabilities and encryption technology, new tools and discoveries, and other events or developments may facilitate or result in a compromise or breach of our information technology systems. Techniques used to obtain unauthorized access or to sabotage systems change frequently and generally are not recognized until launched against a target, and we may be unable to anticipate these techniques or to implement adequate preventive measures. Our security measures may not be effective in preventing these types of activities, and the information technology security measures of our third-party data centers and service providers may not be adequate.
In 2023, the healthcare industry suffered its highest occurrence of cyber incidents, with an average of 52 organizations each month impacted by one or more incidents, according to an October 2023 report by Atlas VPN, which utilized publicly available healthcare security incident data from the HHS. The Atlas VPN report reveals there were 480 healthcare data breaches through September 2023, with over 87 million Americans impacted, compared to 37 million in 2022.
To date, cyber attacks have not had a material impact on our business, operating results, or financial condition; however, we could suffer material losses in the future as a result of cyber attacks. We may not be able to predict the timing or severity of these attacks. Our exposure to cyber attacks remains heightened because of, among other things, the evolving nature of cyber threats, the ongoing shortage of qualified cybersecurity professionals, and connectivity and interdependence among our systems and those of third parties. In addition, ransomware attacks are a common threat impacting healthcare organizations. The occurrence of a cyber attack, breach, ransomware attack, unauthorized access, misuse, computer virus or other malicious code, or other cybersecurity event could jeopardize or result in the unauthorized disclosure, gathering, monitoring, misuse, corruption, loss, or destruction of confidential information that belongs to us or our customers or PHI that is processed and stored in, and transmitted through, our computer systems and networks. The occurrence of a cybersecurity event could also result in damage to our software, computers, or systems, or otherwise cause interruptions or malfunctions in our, our customers’, or third parties’ operations.
If a breach of our information technology security occurs, we could face damages for contract breach, penalties for violation of applicable laws or regulations, possible lawsuits by individuals affected by the breach, and significant remediation costs and efforts to prevent future occurrences. Although we currently carry insurance coverage to protect ourselves against some of these risks, our inability to continue to obtain such insurance coverage at a reasonable cost, or the lack of coverage for particular cybersecurity incidents under the terms of the applicable insurance policies, could also have a material adverse effect on us. In addition, if there is an actual or a perceived breach of our information technology security, the market perception of the effectiveness of our security measures could be harmed, and we could lose current or potential customers.
Additionally, cybersecurity has become a top priority for regulators around the world, and every state in the U.S. has laws in place requiring companies to notify users if there is a security breach that compromises certain categories of their personal identifiable information (“PII”). In addition, in the U.S., the SEC adopted rules in 2023 for mandatory disclosure of material cybersecurity incidents suffered by public companies, as well as cybersecurity governance and risk management. Any failure or perceived failure by us to comply with these laws and regulations may subject us to enforcement action or litigation, which could harm our business.
Disruptions in service, including failure of business continuity plans, or damage to our global business services centers or third-party operated data centers, could adversely affect our business.
Our global business services centers and third-party operated data centers are essential to our business. Our operations depend on the availability of our global business service centers and their operating effectiveness in maintaining and protecting our applications, which are located in data centers that are operated and controlled by third parties. In addition, our information technologies and systems, as well as our data centers and global business services centers, are vulnerable to damage or interruption from various causes, including natural disasters, war, acts of terrorism, public health events, (including pandemics), power losses, computer systems failures, internet and telecommunications or data network failures, operator error, loss or corruption of data, and other events. We have a global business resiliency program and maintain insurance against fires, floods, other natural disasters, and general business interruptions to mitigate the adverse effects of a disruption, relocation, or change in operating environment at one of our data centers or global business services centers, but the situations we plan for and the amount of insurance coverage we maintain may not be adequate in every case. In addition, the occurrence of any of these events could result in interruptions, delays, or cessations in service to our customers, or in the direct connections we establish between our customers and payers. Any of these events could impair or inhibit our ability to provide our services, reduce the attractiveness of our services to current or potential customers, and adversely affect our financial condition and operating results.
In addition, despite the implementation of security measures, our infrastructure, data centers, global business services centers, or systems that we interface with, including the internet and related systems, may be vulnerable to intrusion, improper employee or contractor access, programming errors, computer viruses, malicious code, phishing attacks, denial-of-service attacks, or other cyber attacks and information security threats by third parties seeking to disrupt operations or misappropriate information or similar physical or electronic breaches of security. Any such attack could cause system failure, including network, software, or hardware failure, and could result in service disruptions. Further, our network and information systems are subject to various risks related to third parties and other parties we may not fully control. We use encryption and authentication technology licensed from third parties to provide secure transmission of confidential information, including our business data and customer information. In addition, we rely on employees in our data centers and global business services centers to follow our procedures when handling sensitive information. While we select our employees and third-party business partners carefully, we do not control their actions, which could expose us to cybersecurity and other risks. As a result, we may be required to expend significant capital and other resources to protect against security breaches and hackers or to alleviate problems caused by such breaches.
We rely on third-party providers, such as Microsoft Azure, for cloud infrastructure and other technology services, and any disruptions in or interference with our use of such services could adversely affect our business, operating results, and financial condition.
We face risks associated with utilizing cloud-based infrastructure. Failure of third-party providers to provide adequate cloud-based data infrastructure and other technology-related services to us, or frequent or prolonged interruptions of these services, could result in significant loss of revenue. Interruptions could also cause users to perceive our services as not functioning properly. While we manage and track third-party risks, we have limited control over third parties and cannot guarantee that we will be able to maintain satisfactory relationships with such third parties on acceptable commercial terms or that the quality of their services and offerings will enable us to continue to conduct our business effectively, which could adversely affect our business, operating results, and financial condition.
Moreover, our cloud infrastructure providers and other providers of services, systems and technologies have no obligations to renew their agreements with us on commercially reasonable terms, or at all, and it is possible that we will not be able to switch our operations to another provider in a timely and cost-effective manner should the need arise. If we are unable to renew our agreements with these providers on commercially reasonable terms, or if in the future we add new data center facility or other providers, we may face additional costs, expenses or downtime, which could adversely impact our business, operating results, and financial condition.
In addition, we invest in and deploy automation and technology capabilities, including the expansion of our collaboration with Microsoft to accelerate the development and integration of generative AI into our RCM platform. We also delivered our first large language model application, integrating tools from Azure AI Studio. Our ability to deploy certain AI technologies critical for our products and services and for our business strategy depends on the availability and pricing of third-party equipment and technical infrastructure.
Risks Related to Our Employees
If we are unable to attract, hire, integrate, and retain key personnel and other necessary employees, our business could be harmed.
Our future success depends in part on the continued contributions of our executive officers and other key personnel, each of whom may be difficult to replace. The loss of services of any of our executive officers or key personnel, or the inability to continue to attract qualified personnel, could have a material adverse effect on our business.
To manage potential future growth, we will need to hire, integrate, and retain highly skilled and motivated employees, and will need to work effectively with a growing number of customer employees engaged in revenue cycle operations. Competition for the caliber and number of employees we require is intense. We may face difficulty identifying and hiring qualified personnel at compensation levels consistent with our existing compensation and salary structure. In addition, we invest significant time and expense in training each of our employees, which increases their value to competitors who may seek to recruit them. Under the terms of our operating partner model agreements, we expect to transition a significant number of our customers’ RCM employees to our employment. We may experience difficulties in integrating and retaining these employees. In addition, we employ a significant number of personnel internationally and expect continued international growth. Significant growth in the technology sector in India has increased competition to attract and retain skilled employees and has led to a commensurate increase in compensation expense arising from our India operations. As we expand our patient entry workforce in the Philippines, there is risk regarding the technical, cultural and U.S. healthcare system training at an appropriate pace to match the hiring requirements aligned to growth. For all locations, if we fail to retain our employees, we could incur significant expenses in hiring, integrating, and training their replacements, and the quality of our services and our ability to serve our customers could diminish, resulting in a material adverse effect on our business.
Our growing global business services operations expose us to risks that could have a material adverse effect on our operating costs.
Our reliance on an international workforce exposes us to business disruptions caused by the political and economic environment in those regions. Terrorist attacks, acts of violence or war, and climate-related disasters may directly affect our facilities and workforce or contribute to general instability. Our global business services operations require us to comply with local laws and regulatory requirements, which are complex, and expose us to foreign currency exchange rate risk. Our global business services operations may also subject us to trade restrictions, reduced or inadequate protection for IP rights, increased risk of physical or electronic security breaches, and public health events (including pandemics), and other factors that may adversely affect our business. Negative developments in any of these areas could increase our operating costs or otherwise harm our business.
Risks Related to Ascension
Healthcare providers affiliated with Ascension are currently our largest customer group by net services revenue. The early termination of our A&R MPSA with Ascension would have a material adverse effect on our business, operating results, and financial condition.
As part of the ten-year Master Professional Services Agreement (“A&R MPSA”) with Ascension effective February 16, 2016, we are the exclusive provider of RCM services and PAS with respect to acute care services provided by the hospitals affiliated with Ascension. Healthcare providers affiliated with Ascension have been our largest customer group in terms of net services revenue each year since our formation. In 2023, 2022, and 2021, net services revenue from healthcare providers affiliated with Ascension represented 40%, 49%, and 61% of our total net services revenue, respectively. The early termination of the A&R MPSA or a reduction in our fees due to reduced business at Ascension could have a material adverse effect on our business, operating results, and financial condition.
Our agreement with Ascension requires us to offer to Ascension service fees that are at least as low as the fees we charge any other customer receiving comparable services at comparable or lower volumes.
Our A&R MPSA with Ascension requires us to offer to Ascension's affiliated healthcare providers fees for our services that are at least as low as the fees we charge any other customer receiving comparable services at lower volumes. If we were to charge lower service fees to any other customer receiving comparable services at lower volumes, we would be obligated to charge such lower fees to the hospital systems affiliated with Ascension effective as of the date such lower charges were first implemented for such other customer. If we offer customers lower rates as discussed above, it could have a material adverse effect on our operating results and financial condition.
Risks Related to Ownership of Our Common Stock
TCP-ASC and New Mountain Capital are significant shareholders in R1 and may have conflicts of interest with us or other stockholders in the future.
TCP-ASC ACHI Series LLLP (“TCP-ASC”) and certain entities affiliated with New Mountain Capital, L.L.C. (collectively, the “Principal Stockholders”) beneficially own approximately 62% of our common stock as of February 23, 2024, which means that the Principal Stockholders control the vote of all matters submitted to a vote of our Board of Directors (the “Board”) or stockholders, which will enable them to control the election of the members of the Board and certain significant corporate decisions. Even when the Principal Stockholders cease to own shares of our common stock representing a majority of the total voting power, for so long as the Principal Stockholders continue to own a significant portion of our common stock, they will have significant influence with respect to our management, business plans and policies, including the appointment and removal of our officers, raising capital and amending our charter and bylaws, which govern the rights attached to our common stock. The concentration of ownership could deprive our other stockholders of an opportunity to receive a premium for their shares of common stock as part of a sale of us and ultimately might affect the market price of our common stock.
The interests of the Principal Stockholders and their affiliates may differ from our other stockholders in material respects. For example, the Principal Stockholders may have an interest in pursuing acquisitions, divestitures, financings, or other transactions that, in their judgment, could enhance their equity investments, even though such transactions might involve risks to other stockholders. Additionally, Ascension is an affiliate of TCP-ASC and as our largest customer Ascension’s interests may differ from other stockholders’ interests. The Principal Stockholders, their affiliates, and their advisors are also in the business of making or advising on investments in companies, and may from time to time acquire interests in, or provide advice to, companies that directly or indirectly compete with certain portions of our business or are suppliers or customers of ours. They may pursue acquisition opportunities that may be complementary to our business and, as a result, those acquisition opportunities may not be available to us. Due to the Principal Stockholders’ ownership level, certain actions of the Principal Stockholders or their affiliates could negatively impact our stock price. Other stockholders should consider that the interests of the Principal Stockholders or their affiliates may differ from theirs in material respects.
The trading price of our common stock has been and may continue to be highly volatile.
During 2023, our common stock has traded at a price per share as high as $18.71 and as low as $9.55. The trading price of our common stock may be highly volatile in the future and could be subject to wide fluctuations in response to various factors. In addition to the risks described in this section, factors that have caused, and may in the future cause, the market price of our common stock to fluctuate include: fluctuations in our quarterly financial results or the quarterly financial results of companies perceived to be similar to us; changes in estimates of our financial results or recommendations by securities analysts, if any, who cover our common stock, or failure to meet expectations of such securities analysts; the loss of service agreements with customers; lawsuits filed against us by governmental authorities or stockholders; unfavorable publicity concerning our operations or business practices; investors’ general perception of us; changes in local, regional or national economic conditions; changes in demographic trends; increased labor costs, including healthcare, unemployment insurance, and minimum wage requirements; the entry into, or termination of, material agreements; changes in general economic, industry, regulatory, and market conditions not related to us or our business; the availability of experienced management and hourly-paid employees; issues in operating the company; future sales of our securities, including sales by our significant stockholders; and other potentially negative financial announcements, including delisting of our common stock from The Nasdaq Global Select Market, changes in accounting treatment or restatement of previously reported financial results, delays in our filings with the SEC or failure to maintain effective internal control over financial reporting.
In addition, the stock markets have experienced extreme price and volume fluctuations that have affected, and continue to affect, the market prices of equity securities of many companies. In the past, stockholders have instituted securities class action litigation or launched activist campaigns following periods of market volatility. If we were involved in securities litigation or an activist campaign, we could incur substantial costs, and our resources and the attention of management could be diverted from our business.
Risks Related to Our Business
Our business is significantly impacted by general macroeconomic conditions, and as a result, our business, results of operations and financial condition could be materially affected by further deterioration or a protracted extension of current macroeconomic challenges.
Geopolitical instability, actual and potential shifts in U.S. and foreign, trade, economic and other policies, and other global events, have significantly increased macroeconomic uncertainty at a global level. Such economic volatility could adversely affect our business, financial condition, results of operations and cash flows, and future market disruptions could negatively impact us. Further, adverse macroeconomic conditions may affect our customers’ and prospective customers’ operations and financial condition and make it difficult for our customers and prospective customers to accurately forecast and plan future business activities, which may in turn cause our customers to elect not to renew their managed services agreements or affect their ability to pay amounts owed to us in a timely manner or at all, or adversely affect prospective customers’ ability or willingness to enter into managed services agreements with us.
An economic downturn or increased uncertainty may also lead to increased credit and collectability risks, higher borrowing costs or reduced availability of capital and credit markets, reduced liquidity, adverse impacts on our suppliers, failures of counterparties including financial institutions and insurers, asset impairments, and declines in the value of our financial instruments.
In 2023, we worked closely with our provider partners to address revenue optimization and workforce management needs more effectively. Such needs continue to impact our provider partners’ performance because of changes to payer timeframes, increased coding complexity, regulatory shifts, and macroeconomic pressures. On the modular side, we continued to see positive booking trends in 2023 because of macroeconomic pressures and the same performance-related pressures noted above.
In 2023, we also increased the allowance for credit losses as a result of a few specific customers that have been experiencing financial challenges. As inflation and high interest rates continue, along with the industry dynamics described above, we will continue to monitor the financial health of our customers, we may be required to continue to increase our allowance for credit losses.
Significant disruptions and volatility in the global capital markets could increase the cost of capital and adversely impact our ability to access capital.
We may fail to realize the success of acquisitions, strategic initiatives and other investments.
The benefits we achieve from acquisitions, including the acquisition of the RCM business (“Acclara”) of Providence Health & Services – Washington (“Providence”) and certain of its affiliates (the “Acclara Acquisition”), strategic initiatives, and other investments depend on, among other things, our ability to realize anticipated synergies, cost savings, and operational benefits of corresponding activity, which benefits are subject to, among others, the following risks:
• the incurrence of additional indebtedness in connection with the financing of an acquisition may have an adverse effect on our liquidity;
• we may fail to retain key employees of the acquired company;
• we may be unable to successfully integrate personnel from acquired companies, while at the same time attempting to provide consistent, high-quality services;
• we may fail to realize the anticipated synergies and cost savings we expect from an acquisition;
• future developments may impair the value of our purchased goodwill or intangible assets;
• we may face difficulties establishing, integrating, or combining operations and systems;
• we may face challenges retaining the customers of an acquired business;
• we may encounter unforeseen internal control, regulatory or compliance issues; and
• we may face other additional risks related to regulatory matters, legal proceedings, or tax laws or positions.
If any of these risks occurs, we may not be able to realize the anticipated benefits of an acquisition, or they may take longer to realize than expected. The integration process could result in the distraction of our management, the disruption of our ongoing business, or inconsistencies in our services, standards, controls, procedures, and policies, any of which could adversely affect our ability to maintain relationships with customers, vendors, and employees or to achieve the anticipated benefits of an acquisition, or could otherwise adversely affect our business and operating results.
If we do not realize the anticipated benefits from the Acclara Acquisition, which closed on January 17, 2024, and commercial agreements with Providence, our business could suffer materially and our stock price could decline.
We expect the Acclara Acquisition, and 10-year commercial agreements with Providence, to result in financial and operational benefits, including enhanced revenue, earnings, and cash flows. If we are unable to achieve these objectives within the anticipated timeframe or at all, the anticipated benefits may not be realized in full or at all, our financial results may differ from our expectations or the expectations of the investment community, and the value of our common stock may decline as a result.
We have a substantial amount of indebtedness, which could adversely affect us, including by decreasing our business flexibility. The agreement that governs our indebtedness contains covenants that could impact our ability to perform certain transactions without obtaining pre-approval from our lenders.
Our consolidated indebtedness as of December 31, 2023 was approximately $1.7 billion. In conjunction with the Acclara Acquisition on January 17, 2024, we entered into Amendment No. 2 (the “Second Amendment”) to the Second Amended and Restated Credit Agreement, dated as of June 21, 2022, by and among the Company and certain of its subsidiaries, Bank of America, N.A., as administrative agent, and the lenders named therein (the “Second A&R Credit Agreement”), which, combined with borrowings of $80 million under our senior secured revolving credit facility (the “Senior Revolver”) to finance the acquisition, increased our consolidated indebtedness by $655.0 million.
The loan agreement for this indebtedness contains certain customary representations and warranties, affirmative and negative financial covenants, indemnity obligations, and events of default. The amount of debt and related covenants could have significant consequences to us, including:
• affecting our ability to obtain additional financing, if necessary, for working capital, capital expenditures, acquisitions, share repurchases and dividends, or other purposes may be impaired or such financing may not be available on favorable terms, or at all;
• negative financial covenants contained in the debt agreement require us to meet financial tests that may affect our flexibility in planning for, and reacting to, changes in our business, including possible acquisition opportunities;
• a substantial portion of our cash flow is required to make principal and interest payments on our indebtedness, reducing the funds that would otherwise be available for operations and future business opportunities; and
• level of indebtedness makes us more vulnerable than our less leveraged competitors to competitive pressures or a downturn in our business or the economy generally.
Our ability to comply with the provisions of the debt agreement may be affected by events beyond our control. Failure to comply with these covenants could result in an event of default, which, if not cured or waived, could accelerate our debt repayment obligations.
Litigation could materially adversely affect our business, financial condition, operating results, and cash flows and cause reputational damage from the view of current and potential customers and shareholders.
We have been and in the future may become subject to lawsuits, claims, audits, and investigations related to our business, which may lead to unfavorable publicity for us and could materially adversely affect our business, financial condition, operating results, and cash flows in various ways, including subjecting us to significant liability, resulting in significant settlement payments, or having a disruptive effect upon the operation of our business and consuming the time and attention of our senior management. In addition, we may incur substantial expenses in connection with these litigation matters, including substantial fees for attorneys. Although we maintain insurance that may provide coverage for some or all of these expenses, our insurers have rights under the policies to deny coverage under various policy exclusions. There is risk that the insurers will rescind the policies, that some or all claims will not be covered by such policies, or that, even if covered, our ultimate liability will exceed the available insurance. For further details on our litigation matters, refer to Note 18, Commitments and Contingencies, to our consolidated financial statements included in this Annual Report on Form 10-K.
We are unable to predict the outcome of pending legal actions. The ultimate resolutions of our pending litigation could have a material adverse effect on our operating results, financial condition or liquidity, and on the trading price of our common stock.
Regulatory Risks
The healthcare industry is heavily regulated. Our failure to comply with regulatory requirements could create liability for us, result in adverse publicity, and adversely affect our business.
The healthcare industry is heavily regulated and is subject to changing political, legislative, regulatory, and other influences. Many healthcare laws are complex, and their application to specific services and relationships may be unclear. In particular, many existing healthcare laws and regulations, when enacted, did not anticipate the services we provide. There can be no assurance that our operations will not be challenged or adversely affected by enforcement initiatives. Our failure to anticipate the application of these laws and regulations to our business, or any other failure to comply with regulatory requirements, could create liability for us, result in adverse publicity, and adversely affect the attractiveness of our services to existing customers and our ability to market new services. We are unable to predict what changes to laws or regulations might be made in the future or how those changes could affect our business or our operating costs.
If we violate HIPAA, the HITECH Act or state or foreign health information privacy laws, we may incur significant liabilities, and any such violations could make it more difficult to retain existing customers or attract new customers, extend the time it takes to enter into service agreements with new customers, or result in a material adverse effect on our business, operating results, and financial condition.
As described in Item 1 above, HIPAA contains substantial restrictions and requirements with respect to the use and disclosure of individuals’ PHI. Since the passage of the HITECH Act in 2009, enforcement of HIPAA violations has increased, as reflected by the announcement of a number of significant settlement agreements and sanctions by federal authorities, the pursuit of HIPAA violations by state attorneys general, and the roll-out of a federal audit program for covered entities and business associates. HHS may resolve HIPAA violations through informal means, such as allowing a covered entity to implement a corrective action plan, but HHS also has the discretion to move directly to impose monetary penalties and is required to impose penalties for violations resulting from willful neglect. In addition to enforcement by HHS, state attorneys general may bring civil actions in response to violations of HIPAA privacy and security regulations or state privacy and security laws that threaten the privacy of state residents.
We and our customers also are subject to federal and state privacy-related laws that are more restrictive than the privacy regulations issued under HIPAA. These laws vary and could impose additional penalties and subject us to additional privacy and security restrictions. In addition, legislation has been proposed or implemented at various times at both the federal and the state levels that would limit, forbid, or regulate the use or transmission of medical information pertaining to U.S. patients outside of the U.S. In addition, various states recently have enacted, and other states are considering, new laws and regulations concerning the privacy and security of consumer and other personal information, such as health data. To the extent we are subject to such requirements, these laws and regulations often have far-reaching effects, may require us to modify our data processing practices and policies, may require us to incur substantial costs and expenses to comply, and may render our international operations impracticable or make them substantially more expensive. These laws and regulations often provide for civil penalties for violations, as well as a private right of action for data breaches, which may increase the likelihood or impact of data breach litigation.
Along with state and federal laws, international laws may impact our operations. The GDPR, for example, imposes obligations on us as well as our customers, depending on the operations at issue. The GDPR and related international laws also may restrict how we can store, transfer, and process personal information of our customers’ patients and other data subjects. These laws are constantly changing, and may impact how we may transfer or store information in the U.S. or abroad.
We have implemented and maintain commercially reasonable physical, technical, and administrative safeguards intended to protect all personal data and have processes in place to assist us in complying with applicable laws and regulations regarding the protection of this data and properly responding to any security incidents or breaches. Nonetheless, a knowing breach of HIPAA’s requirements could expose us to criminal liability, and a breach of our safeguards and processes that is not due to reasonable cause or involves willful neglect could expose us to significant civil penalties and the possibility of civil litigation under HIPAA and applicable state law.
In addition, given the omnipresent threat of potential cybersecurity incidents or security breaches, we, or our customers, could be required to report such breaches to affected consumers or regulatory authorities, leading to disclosures that could damage our reputation or harm our business, financial position, and operating results. We have been the victim of theft of company property containing patient data in the past, and we may face similar incidents in the future. During the current COVID-19 pandemic, we shifted many employees to work from home environments, which involves additional risk surrounding theft of company property and access to PHI. Cybersecurity incidents or allegations of deficiencies regarding our data security practices could require us to change aspects of our business practices, make it more difficult to retain existing customers or attract new customers, extend the time it takes to enter into service agreements with new customers, or result in a material adverse effect on our business, operating results, and financial condition.
Developments in the healthcare industry, including national healthcare reform, could adversely affect our business.
The healthcare industry has changed significantly in recent years, and we expect this to continue. We are unable to predict each healthcare initiative that will be implemented at the federal or state level, or what the ultimate effect these initiatives may have on us. For example, changes to Medicare and Medicaid reimbursement are implemented periodically and may cause a reduction in the amounts received by our customers and may have an indirect adverse effect on our business. The ongoing implementation of the No Surprises Act, which took effect on January 1, 2022, also may result in a reduction in the amounts received by our customers and may have an adverse effect on our business and operating results.
In addition, healthcare reform is causing some payers to transition from volume to value-based reimbursement models, which can include risk-sharing, bundled payment, and other innovative approaches. While these models may provide us with opportunities to provide new or additional services (e.g., our value-based reimbursement capabilities within our RCM service offering) and to participate in incentive-based payment arrangements, there can be no assurance that such new models and approaches will prove to be profitable to our customers or us. Further, new models and approaches may require investment by us to develop technology or expertise to offer necessary and appropriate services or support to our customers, and the amount of such investment and the timing for return of such investment are not fully known at this time. In addition, some of these new models are being offered as pilot programs and there is no assurance that they will continue or be renewed. Further, adoption of such new models and approaches may require compliance with a range of federal and state laws relating to fraud and abuse, insurance, reinsurance and managed care regulation, billing and collection, corporate practice of medicine, and licensing, among others. Many states in which these new value-based structures are being developed lack regulatory guidance or a well-developed body of law for these new models and approaches, or may not have updated their laws or enacted legislation yet to reflect the new healthcare reform models. As a result, although we have attempted to structure and conduct our operations in accordance with our interpretation of current laws and regulations, new and existing laws, regulations, or guidance could have a material adverse effect on our current and future operations and could subject us to the risk of restructuring or terminating our customer agreements and arrangements, as well as the risk of regulatory enforcement, penalties, and sanctions if state enforcement agencies disagree with our interpretation of state laws.
If we fail to comply with federal and state laws governing submission of false or fraudulent claims to government healthcare programs and financial relationships among healthcare providers, we may be subject to civil and criminal penalties or loss of eligibility to participate in government healthcare programs.
Healthcare is one of the largest industries in the country and one of the costliest line items in the federal budget. As a result, the healthcare industry continues to attract attention from legislators and regulators. As described in Item 1 above, a number of healthcare fraud and abuse laws, including but not limited to the AKS, FCA, Stark Law, and EMTALA, and their state counterparts, apply to hospitals, physicians, and others who (i) furnish healthcare services to patients and submit claims for reimbursement to government programs or commercial insurers, and (ii) refer patients to one another. Federal and state regulatory and law enforcement authorities continue to focus on enforcement activities with respect to Medicare and Medicaid fraud and abuse regulations and other healthcare reimbursement laws and rules in an effort to reduce overall healthcare spending.
These laws are complex, may change rapidly, and their application to our specific services and relationships may not be clear and may be applied to our business in ways we do not anticipate. New and evolving payment structures, for example, such as accountable care organizations, value-based enterprises, and other arrangements involving combinations of healthcare providers who share savings, potentially implicate anti-kickback and other fraud and abuse laws. In addition, errors created by our proprietary applications or services that relate to entry, formatting, preparation, or transmission of claims, reporting of quality or other data pursuant to value-based purchasing initiatives, or cost report information may be alleged or determined to cause the submission of false claims or otherwise be in violation of these laws. Further, the continued growth of our coding and billing services provided from a global business services environment necessitates comprehensive monitoring and oversight of these services to promote quality control and regulatory compliance.
While we seek to structure our business relationships and activities to avoid any activity that could be construed to implicate federal and state fraud and abuse laws, we cannot assure you that our arrangements and activities will be deemed outside the scope of these laws or that increased enforcement activities will not directly or indirectly have a material adverse effect on our business, financial condition, or operating results. Any determination that we have violated any of these laws could, for example (i) subject us to civil or criminal penalties (ii) require us to change or terminate some portions of our operations or business (iii) disqualify us from providing services to healthcare providers doing business with government programs, (iv) give our customers the right to terminate our managed services agreements with them, and/or (v) require us to refund portions of our revenues, any of which could have a material adverse effect on our business and operating results. Moreover, any violations by, and resulting penalties or exclusions imposed upon, our customers could adversely affect their financial condition and, in turn, have a material adverse effect on our business and operating results. Finally, even absent an alleged violation of the law by us, participants in the healthcare industry receive inquiries, demands, or subpoenas to produce documents and provide testimony in connection with government investigations. We could be required to expend significant time and resources to comply with these requests, and the attention of our management team could be diverted by these efforts.
Our failure to comply with debt collection and other consumer protection laws and regulations could subject us to fines and other liabilities, which could harm our reputation and business, and could make it more difficult to retain existing customers or attract new customers, extend the time it takes to enter into service agreements with new customers, or result in a material adverse effect on our business, operating results, and financial condition.
Our business practices involve collecting or assisting our customers in collecting non-defaulted amounts owed by patients for current and prior services activities, which may subject us to the FDCPA. The FDCPA and the TCPA restrict the methods that we may use to contact and seek payment from consumer debtors regarding past due accounts. Many states impose additional requirements on debt collection practices, and some of those requirements may be more stringent than the federal requirements. Moreover, regulations governing debt collection are subject to changing interpretations that may be inconsistent among different jurisdictions. We could incur costs or could be subject to fines or other penalties under the TCPA, the FDCPA and the FTC Act if we are determined to have violated the provisions of those authorities during the course of conducting our operations. Any perceived breach of the FDCPA could result in us being required to change aspects of our business practices, make it more difficult to retain existing customers or attract new customers, extend the time it takes to enter into service agreements with new customers, or result in a material adverse effect on our business, operating results, and financial condition.
We cannot be certain that governmental officials responsible for enforcing EMTALA, or other parties, will not assert that our customers are in violation of EMTALA, and defending and settling allegations of EMTALA violations could have a material adverse effect on our business even if we are ultimately not found to have contributed to such violations.
Although EMTALA is not directly applicable to us because we are not a Medicare participating hospital, we cannot be certain that governmental officials responsible for enforcing EMTALA, or other parties, will not assert that our customers are in violation of EMTALA. If our customers are found to have violated EMTALA, they may assert claims that our management practices contributed to the violation. Defending and settling allegations of EMTALA violations could have a material adverse effect on our business even if we ultimately are not found guilty of a violation.
Risks Related to Our Control Environment
If we fail to maintain proper and effective internal control and remediate any future material weaknesses or significant deficiencies, our ability to produce accurate and timely financial statements could be impaired, which could harm our operating results, our ability to operate our business and our reputation with investors.
In 2023, we identified a material weakness in the design and operating effectiveness of our internal controls over financial reporting relating to the controls over business combinations impacting the accounting for acquiree compensation arrangements, and also determined that our disclosure controls and procedures were not effective, as of December 31, 2022 and 2021. Although such material weakness has been remediated at December 31, 2023, there can be no assurance that similar internal control issues will not be identified in the future. If we cannot remediate future material weaknesses or significant deficiencies in a timely manner, or if we identify additional control deficiencies that individually or together constitute significant deficiencies or material weaknesses, our ability to accurately record, process, and report financial information, and our ability to prepare financial statements within required time periods, could be adversely affected. Failure to maintain effective internal controls could result in violations of applicable securities laws, stock exchange listing requirements, and the covenants under our debt agreements, subject us to litigation and investigations, negatively affect investor confidence in our financial statements, and adversely impact our stock price and our ability to access capital markets.
As a result of the delayed filing of our Quarterly Report on Form 10-Q for the quarter ended September 30, 2023, we face limitations in registering securities for a public offering or acquisitions, which could adversely affect our business.
Due to our inability to file our Quarterly Report on Form 10-Q for the quarter ended September 30, 2023 on or prior to its due date, we generally are ineligible to use “short-form” registration statements, or Form S-3, that would allow us to incorporate by reference our SEC reports into our registration statements, or to use automatic shelf registration statements, until we have filed all of our periodic reports in a timely manner for a period of 12 months. Our inability to register our securities on Form S-3 could increase the costs of selling securities publicly, significantly delay such sales and adversely affect our business.
We face risks related to the restatement of our previously issued financial statements.
In December 2023, we restated certain information in our previously issued consolidated financial statements for the years ended December 31, 2022 and 2021, for each of the quarters within 2022 and 2021, and for the quarters ended June 30, 2023 and March 31, 2023. As a result, we could be subject to additional risks and uncertainties, which could affect investor confidence in the accuracy of our financial disclosures. We could face litigation under the federal and state securities laws or other claims arising from the restatements. The cost of defending against any such claims and the ultimate outcome of any such litigation could materially affect our results of operations. In addition, we could discover additional material or immaterial errors in our financial statements, and our financial statements remain subject to the risk of future restatement.
Risks Related to Intellectual Property
We may be unable to adequately protect our IP.
Our success depends, in part, upon our ability to establish, protect and enforce our IP and other proprietary rights. If we fail to establish or protect our IP rights, we may lose an important advantage in the market in which we compete. We rely upon a combination of patent, trademark, copyright and trade secret law and contractual terms and conditions to protect our IP rights, all of which provide only limited protection. We cannot assure you that our IP rights are sufficient to protect our competitive advantages. We cannot assure you that any patents issued or that will be issued from current or future applications will provide us with the protection that we seek or that any current or future patents issued to us will not be challenged, invalidated or circumvented. Legal standards relating to the validity, enforceability and scope of protection of patents are uncertain. Also, we cannot assure you that any trademark registrations will be issued for pending or future applications or that any of our trademarks will be enforceable or provide adequate protection of our proprietary rights.
We also rely in some circumstances on trade secrets to protect our technology. Trade secrets may lose their value if not properly protected. We endeavor to enter into non-disclosure agreements with our employees, customers, contractors, and business partners to limit access to and disclosure of our proprietary information. The steps we have taken, however, may not prevent unauthorized use of our technology, and adequate remedies may not be available in the event of unauthorized use or disclosure of our trade secrets and proprietary technology. Moreover, others may reverse engineer or independently develop technologies that are competitive to ours or infringe our IP.
Accordingly, despite our efforts, we may be unable to prevent third parties from infringing or misappropriating our IP and using our technology for their competitive advantage. Any such infringement or misappropriation could have a material adverse effect on our business, operating results, and financial condition. Monitoring infringement of our IP rights can be difficult and costly, and enforcement of our IP rights may require us to bring legal actions against infringers. Infringement actions are inherently uncertain and therefore may not be successful, even when our rights have been infringed, and even if successful, may require a substantial amount of resources and divert our management’s attention.
Claims by others that we infringe their IP could force us to incur significant costs or revise the way we conduct our business.
Our competitors protect their IP rights by means such as patents, trade secrets, copyrights, and trademarks. We have not conducted an independent review of patents issued to third parties. Additionally, because patent applications in the U.S. and many other jurisdictions are kept confidential for 18 months before they are published, we may be unaware of pending patent applications that relate to our proprietary technology. Any party asserting that we infringe its proprietary rights would force us to defend ourselves, and possibly our customers, against the alleged infringement. These claims and any resulting lawsuit, if successful, could subject us to significant liability for damages and invalidation of our proprietary rights; cause interruption or cessation of our operations; require us to enter into royalty or licensing agreements with third parties; and consume time which would otherwise be spent on our core business. Even if we prevail, the cost of such litigation could deplete our financial resources. Furthermore, during the course of litigation, confidential information may be disclosed in the form of documents or testimony in connection with discovery requests, depositions, or trial testimony. The software and technology industries are characterized by the existence of a large number of patents, copyrights, trademarks and trade secrets and by frequent litigation based on allegations of infringement or other violations of IP rights. Moreover, the risk of such a lawsuit will likely increase as our size and scope of our services and technology platforms increase, as our geographic presence and market share expand and as the number of competitors in our market increases. Any of the foregoing could disrupt our business and have a material adverse effect on our operating results and financial condition.
