Irhythm Technologies (IRTC) Risk Factors

Before a new medical device or a new intended use for a medical device can be marketed in the United States, a company must first submit an application and receive either 510(k) clearance, De Novo marketing rights, or premarket approval from FDA, unless an exemption applies. All of these processes can be expensive, lengthy, and unpredictable. We may not be able to obtain the clearances or approvals we seek or may be unduly delayed in doing so, which could harm our business. Even if we are granted regulatory clearances or approvals, they may include significant limitations on the indicated uses for the product, which may limit the market for the product. Although we have obtained 510(k) clearances to market our Zio Systems, our clearances can be revoked if safety, efficacy, or significant regulatory compliance problems develop. Even planned changes and improvements to devices and their uses can trigger the need for a new submission. FDA requirements dictate that we must evaluate potential changes and document our decision-making regarding the need for additional submissions and clearances or approvals. Unless effectively planned for in advance, our desired commercial timeline may be impacted. Significant changes or modifications in design, components, method of manufacture, or the intended use or technological characteristics of our Zio Systems may require new or modified FDA marketing authorization, CE Mark certification (EU), or UKCA Mark certification (UK). In some instances, we have identified a need for, and sought and obtained new, 510(k) clearances from FDA for these changes or modifications. As permitted by applicable law, FDA allows device manufacturers to internally analyze and document a decision that a new clearance or approval is viewed by the manufacturer as unnecessary. Accordingly, we have made certain changes and modifications to our Zio Systems in the past that we believe did not require additional clearances or approvals by FDA. Such internal decisions are, however, subject to review by FDA, and may require additional action in the event FDA questions earlier internal decision-making. For example, FDA raised questions in the warning letter issued on May 25, 2023 regarding certain changes and modifications to the Zio AT System for which we did not make 510(k) submissions, and rather documented our analysis in letters to file. We have recently (following, and in alignment with, discussion with FDA) submitted an updated 510(k) to address Zio AT Device modifications that were, prior to our receipt of the warning letter, previously documented in letters to file. In instances where FDA or an EU/UK Notified/Approved Body disagrees with our internal analysis and decision that a new or additional approval or marketing authorization or certification is not needed for any such modifications, we may be required to recall and/or stop the distribution of the impacted Zio System and/or correct the labeling for such Zio System. We may be required to submit a new marketing application or certification, which could require additional testing or other supporting data, a redesign of a product, or otherwise impact the provision of services. In these circumstances, the process may require engagement with regulators to resolve concerns and reach a resolution for a product, and we may be subject to significant enforcement actions. We may not be able to obtain additional marketing authorizations in a timely fashion, or at all, which could harm our ability to introduce new or enhanced products in a timely manner and to meet market expectations for the provision of the services, which in turn could harm our future growth.

Our design and manufacturing facilities and processes and those of certain third-party suppliers are subject to FDA, state, and Notified/Approved Body regulatory inspections for compliance with various medical device regulations and standards, including the Quality System Regulation ("QSR"), also known as 21 CFR Part 820, European Union Medical Device Directive ("EU MDD"), New European Union's Medical Device Regulations ("EU MDR"), and UK Medical Device Regulations ("UK MDR") requirements. Developing and maintaining a compliant quality system is time consuming and investment intensive. Requirements and standards may change and evolve over time, and we will need to adapt. Failure to maintain compliance with, or not fully complying with, the requirements of FDA and state regulators could result in enforcement actions, which could include the issuance of warning letters, adverse publicity, seizures, prohibitions on product sales, recalls, and civil and criminal penalties, any one of which could significantly impact our manufacturing supply and provision of services and impair our financial results. Failure to maintain full compliance with the requirements of EU MDD, EU MDR, and UK MDR could result in similar disruptions in these markets. We are required to file various reports with FDA, and EU or UK regulators, including reports required by each jurisdiction's adverse event, certain malfunctions, and field action reporting regulations. These reports are often required if our Zio System may have caused or contributed to a death or serious injury or malfunctioned in a way that would likely cause or contribute to a death or serious injury if the malfunction were to recur. They may also be reasonable, necessary, or prudent for a range of other reasons relating to the importance of gathering information in the post marketing setting and managing risk throughout the product lifecycle, or to address requests from regulators to increase or expand the scope of reporting. For example, in the fourth quarter of 2023, as part of our commitments following the FDA Form 483 observations and FDA warning letter issued on May 25, 2023, we retrospectively submitted certain Medical Device Reports ("MDRs") to FDA. An increase in the reporting of events associated with the use of our products and services from us or others and any delays to the filing of reports may increase regulator and public scrutiny. Regulators may impose sanctions and we may be subject to product liability or regulatory enforcement actions, all of which could harm our business. These reports are typically publicly available information in most jurisdictions, including the United States. If we initiate a field action (whether a "correction" made relative to a device that remains in the field, which could be through a labeling or software update, or "removal" or "recall" and return of that device to us, or field advisory notices) to reduce a risk to health posed by our Zio System, we would be required to report the Correction or Removal to FDA and, in many cases, similar reports to other regulatory agencies. For example, on September 28, 2022, we initiated a Customer Advisory Notice to Zio AT customers regarding a Zio AT labeling correction; the labeling changes involve additions and modifications to the Zio AT labeling precautions relating to the device's maximum transmission limits during wear, and also to the need for healthcare providers to complete registration to initiate monitoring services. We reported this Customer Advisory Notice and related information to FDA under 21 C.F.R., Part 806 and FDA classified this field action as a Class II Recall following our initial 806 report. We have completed the distribution of the Advisory Notice to our identified impacted customers; and although the status remains open in FDA recall database, we requested the closure of this field action on March 31, 2023. This labeling correction followed our assessment of topics raised in the August 2022 FDA inspection focused on Zio AT. We were in dialogue with FDA in relation to the inspection process, and in connection with our Customer Advisory Notice and 806 report. FDA observation responses, field action or corrections and the 806 process can be unpredictable and can present regulatory and commercial risks and uncertainties relating to matters including product labeling, the scope and approach of the correction, and/or customer and patient perception of our technologies and services. Depending on the reason for the correction or removal and the potential severity of the impact to patient safety or the effectiveness of the device, FDA may require differing degrees of communication to alert those who may be in possession of an impacted device. We would generally be subject to similar requirements in jurisdictions outside the United States where the Zio products are used. Furthermore, even if we adhere to regulatory standards and expectations in our corrective actions, the public nature of such actions can result in broader negative publicity and perceptions, which could harm our reputation. If we assess a potential quality issue or complaint or product enhancement as not requiring either field action or notification, respectively, regulators may review documentation of that decision during a subsequent audit. If regulators disagree with our decision, or take issue with either our investigation process or the resulting documentation or course of action, we may be subject to a range of potential regulatory enforcement actions or required to take corrective actions, which depending on their nature and scope could harm our business. Additionally, on May 25, 2023, we received a warning letter from FDA, which alleged non-conformities to regulations for medical devices, including medical device reporting requirements, relating to our Zio AT System and medical device quality system requirements. We submitted a timely response to FDA on June 16, 2023 and are continuing to work with the agency to address the issues outlined in the warning letter. Although our belief based on the dialogue with FDA to date following our warning letter response is that we will be able to work through FDA's matters of concern relating to our Zio AT System, we cannot give any assurances that FDA will be satisfied with our response, the actions taken to resolve the concerns raised in the warning letter, or the expected date for the resolution of such matters. Until the issues identified in the warning letter are resolved to FDA's satisfaction, additional legal or regulatory action may be taken with or without further notice. The warning letter is publicly available on FDA's website and has been the subject of a high degree of media and industry attention, which subjects us to additional scrutiny. We have been providing FDA with updates on our progress on commitments made in the warning letter, and we are in continued dialogue with FDA on key topics and our planned path forward. On October 21, 2024, we were granted FDA clearance for one 510(k) encompassing design updates that had previously been documented through letters to file and on October 30, 2024 we were granted FDA clearance on a second 510(k) submission related to design modifications and labeling updates for the Zio AT device. On July 15, 2024, FDA initiated inspections of our Cypress and San Francisco FDA-registered facilities. We received Form 483 observations at the close of the inspections of our Cypress and San Francisco facilities. These inspections broadly evaluated medical device quality system requirements and other medical device regulatory topics, and the observations generally centered on complaint handling and medical device reporting, risk analysis regarding the involvement of the technicians to prepare the Zio ECG reports, the corrective and preventive action process, process controls and statistical techniques. We timely submitted our initial responses regarding the July 2024 483 Observations to FDA on August 21, 2024, and provided supplemental information on September 6, 2024. In these responses we committed to a number of follow-up actions, and intend to work with FDA to resolve the issues identified. Executing on our follow-up actions, commitments to FDA, and remediation activities will require significant time, attention, and resources that might otherwise be applied to future product development activities and initiatives, and could result in delays or changes to these plans. Our commitments will also require a high degree of attention to design strategy and compliance going forward. As we are already subject to an FDA warning letter associated with our Cypress facility, and in light of the 2024 inspection results, if we are unable to successfully execute follow-up actions consistent with our commitments to FDA, or if FDA determines that our follow-up commitments are insufficient or are not completed with sufficient promptness, we may face a greater risk of potential escalation, which could involve issuance of additional warning letters, or there is a possibility that FDA could initiate consent decree discussions.

The CPT codes used to report remote cardiac monitoring services, including those used to report our Zio Services, were drafted by the American Medical Association ("AMA") in a manufacturer- and specific technology-agnostic manner. Regulators or other third parties could assert that our technology does not support certain diagnostic procedures described by the CPT codes that we currently use to report our Zio Services. For example, a regulator or other third party could assert that the Zio AT System cannot support MCT services, which could jeopardize our ability to submit claims for reimbursement for services utilizing our Zio AT System and may require us to evaluate whether we have received any overpayments that must be reported and returned to third-party payors. Certain language in a warning letter we received from FDA on May 25, 2023 could increase the risk of inquiries regarding our historical or current use of CPT code 93229. Consistent with the AMA's definition of MCT and the technology categorization in FDA's outpatient cardiac telemetry product code, the Zio AT System's indications for use under our 510(k) clearance include uninterrupted ECG recording during normal day-to-day activities to capture, analyze, and report diagnostic information regarding asymptomatic arrhythmias, as well as other transient, non-critical symptoms (e.g., palpitations, pre-syncope, syncope, shortness of breath, or dizziness) for review by our IDTFs and escalation to the patient's treating healthcare professional, consistent with the healthcare professional's prescribed notification criteria, during the monitoring period.

During the three and nine months ended September 30, 2024, we received approximately 24% of our total revenue from the Medicare program (inclusive of Medicare Advantage). The Medicare program is administered by CMS, which imposes extensive and detailed requirements on diagnostic services providers, including IDTFs. These requirements include, but are not limited to, rules that govern how we structure our relationships with physicians, how we operate our IDTFs and market our Zio Services, when we may perform diagnostic tests, and how and when we submit reimbursement claims. Our failure to comply with the applicable Medicare rules and requirements could result in discontinuation of our reimbursement under the Medicare program, a requirement to return funds already paid to us, civil monetary penalties, criminal penalties, and/or exclusion from the Medicare program, which would have a material adverse impact on our reputation, business, and results of operations. CMS has acknowledged that the IDTF regulations were designed for "traditional" IDTFs that administer tests to patients in-person, at a single point in time, and from a single location, and only recently has CMS initiated changes to the regulations to address IDTFs like ours that furnish "indirect tests" that do not require in-person interaction and involve technicians performing computer analyses offsite or at another location. The changes, however, do not address all gaps identified by CMS relating to IDTF operations and the Medicare billing requirements. For example, CMS has not addressed billing for remote diagnostic tests that are performed from one or more IDTF or other remote locations. Our failure to comply with the applicable Medicare regulations, or regulators' disagreement with our interpretation of the regulations as applied to indirect tests, such as the Zio Services, could result in the discontinuation of our reimbursement under the Medicare program, a requirement to return funds already paid to us, civil monetary penalties, criminal penalties, and/or exclusion from the Medicare program. In addition, many commercial payors require our IDTFs to maintain enrollment with the Medicare program as well as accreditation and certification with the Joint Commission. If we fail to obtain and maintain IDTF enrollment or accreditation and certification, our Zio Services may no longer be reimbursed by those commercial payors, which could have a material adverse impact on our reputation, business, and results of operations.

As a public company, we are subject to laws and regulations relating to corporate governance and public disclosure, including the Sarbanes-Oxley Act of 2002, the Dodd-Frank Wall Street Reform and Consumer Protection Act, the rules and regulations implemented by the SEC, and The Nasdaq Stock Market listing rules. Compliance with these laws and regulations, including new laws and regulations or revisions to existing laws and regulations, has required and will continue to require, substantial management time and oversight and the incurrence of significant accounting and legal costs. These laws, regulations, and standards are subject to varying interpretations, in many cases due to their lack of specificity, and, as a result, their application in practice may evolve over time as new guidance is provided by regulatory and governing bodies. This could result in continuing uncertainty regarding compliance matters and higher costs necessitated by ongoing revisions to disclosure and governance practices. We intend to continue to invest resources to comply with evolving laws, regulations, and standards, and this investment may result in increased general and administrative expenses and a diversion of management's time and attention from revenue-generating activities to compliance activities. If our efforts to comply with new laws, regulations, and standards differ from the activities intended by regulatory or governing bodies due to ambiguities related to their application and practice, regulatory authorities may initiate legal proceedings against us and our business may be adversely affected.

The services and related devices we offer are highly regulated, and the regulatory environment in which we operate may change significantly and adversely in the future. Our arrangements with physicians, hospitals, clinics, and other stakeholders in the healthcare industry may expose us to broadly applicable medical device laws and healthcare fraud and abuse and other laws and regulations that may restrict the financial arrangements and relationships through which we market, sell, distribute, and provide our services and related devices. Our employees, consultants, and commercial partners and collaborators may engage in misconduct or other improper activities, including non-compliance with regulatory standards and requirements. Federal and state healthcare laws and regulations that may affect our ability to conduct business, include, without limitation: - state licensure laws applicable to the manufacture, marketing, distribution, and sale of medical devices;- federal and state laws and regulations regarding billing, claims payment, and enrollment for participation in government healthcare programs;- the federal Anti-Kickback Statute, which prohibits, among other things, any person from knowingly and willfully offering, soliciting, receiving, or providing remuneration, directly or indirectly, in exchange for or to induce either the referral of an individual for, or the purchase, order or recommendation of, any good or service for which payment may be made under federal healthcare programs, such as the Medicare and Medicaid programs;- the federal FCA, which prohibits, among other things, individuals or entities from knowingly presenting, or causing to be presented, false claims, or knowingly using false statements, to obtain payment from the federal government;- federal criminal laws that prohibit executing a scheme to defraud any healthcare benefit program or making false statements relating to healthcare matters;- the FCPA, the UK Bribery Act of 2010, and other local anti-corruption, anti-kickback, and transparency laws that apply to our international activities;- the federal Physician Payment Sunshine Act, or Open Payments, and its implementing regulations, which requires us to report payments or other transfers of value made to licensed physicians and certain mid-level health practitioners and teaching hospitals, as well as ownership and investment interests held by physicians and their immediate family members;- Health Insurance Portability and Accountability Act ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act, and its implementing regulations, which impose certain requirements relating to the privacy, security, and transmission of individually identifiable health information; HIPAA also created criminal liability for knowingly and willfully falsifying or concealing a material fact or making a materially false statement in connection with the delivery of or payment for healthcare benefits, items, or services;- the GDPR and the UK Data Protection Act 2018, which each provide legal requirements for the handling and disclosure (including across borders) of personal data collected in the EU and the UK, respectively;- the FDA's Code of Federal Regulations, including but not limited to, 21 CFR Parts 820, 803, 806, and 801, that outlines requirements for medical device design, testing, marketing authorization, manufacturing, labeling, distribution, and post-market surveillance requirements;- the EU MDD and EU MDR that outline requirements for medical device CE marking;- the UK MDR, which, post the UK's withdrawal from the EU, replaces the CE marking requirement for medical devices sold in the UK with a UKCA mark; and - state law equivalents of each of the above U.S. federal laws, such as anti-kickback and false claims laws which may apply to items or services reimbursed by any third-party payor, including commercial insurers, and state and foreign laws governing the privacy and security of individually identifiable information in certain circumstances (e.g., the Telephone Consumer Protection Act, the CAN-SPAM Act, and state privacy, consumer protection, and breach notification laws), many of which differ from each other in significant ways and often are not preempted by HIPAA, thus complicating compliance efforts. These laws are broad in scope and available exceptions and exemptions are narrow; it is possible that some of our activities could be subject to challenge under one or more of such laws. Any action brought against us for violations of these laws or regulations, even if successfully defended, could cause us to incur significant legal expenses and divert our management's attention from the operation of our business. We may be subject to private "qui tam" actions brought by individual whistleblowers on behalf of the federal or state governments, with potential liability under the federal FCA including mandatory treble damages and significant per-claim penalties, which were increased from $13,946 to $27,894 per false claim for violations assessed after February 12, 2024. For example, our industry has experienced recent FCA enforcement, including a December 2023 settlement by BioTelemetry, Inc. and its subsidiary LifeWatch Services Inc. involving allegations that these companies submitted claims to federal programs for a higher level of remote cardiac monitoring than physicians had intended to order or that was medically necessary, thus inflating the level of reimbursement paid, which highlights the importance of compliance with the rules and regulations governing claims submitted to federal healthcare programs. Although we have adopted policies and procedures designed to comply with these laws and regulations and conduct internal reviews of our compliance with these laws, our compliance is also subject to governmental review. The growth of our business and sales organization and our expansion outside of the United States may increase the potential of violating these laws or our internal policies and procedures. The risk of our being found in violation of these or other laws and regulations is further increased by the fact that many have not been fully interpreted by the regulatory authorities or the courts, and their provisions are open to a variety of interpretations. Any action brought against us for violation of these or other laws or regulations, even if we successfully defend against it, could cause us to incur significant legal expenses and divert our management's attention from the operation of our business. If our operations are found to be in violation of any of the federal, state, or foreign laws described above or any other current or future fraud and abuse or other healthcare laws and regulations that apply to us, we may be subject to penalties, including significant criminal, civil, and administrative penalties, damages, fines, imprisonment for individuals, exclusion from participation in government programs, such as Medicare, and we could be required to curtail or cease our operations. Any of the foregoing consequences could seriously harm our business and our financial results. Further, in June 2024, the U.S. Supreme Court reversed its longstanding approach under the Chevron doctrine, which provided for judicial deference to regulatory agencies, including the FDA. As a result of this decision, we cannot be sure whether there will be increased challenges to existing agency regulations or how lower courts will apply the decision in the context of other regulatory schemes without more specific guidance from the U.S. Supreme Court. For example, this decision may result in more companies bringing lawsuits against the FDA to challenge longstanding decisions and policies of the FDA, which could undermine the FDA's authority, lead to uncertainties in the industry, and disrupt the FDA's normal operations, which could impact the timely review of any regulatory filings or applications we submit to the FDA.

Healthcare laws and regulations, and interpretations of the same, change frequently and may change significantly in the future. We may not be able to adapt our operations to address every new regulation or interpretation, and new regulations or interpretations may adversely affect our business. We also cannot assure that a review of our business by courts or regulatory authorities would not result in a determination that adversely affects our revenue and operating results.

Our sales and marketing efforts and initiatives, as well as other communications with healthcare professionals ("HCPs"), may subject us to a high degree of scrutiny for compliance with applicable laws and regulations and our practices of effective communication of risk information, benefits, or claims will be subject to oversight by FDA, the Federal Trade Commission ("FTC") and others. In addition, FDA applies a heightened level of scrutiny to comparative claims when applying its statutory standards for advertising and promotion, including with regard to its requirement that promotional labeling be truthful and not misleading. There is potential for differing interpretations of whether certain communications are consistent with a product's FDA-required labeling, including with respect to communications that may reference or contemplate the use of the Zio devices with specified patient populations. FDA will evaluate communications, in context, on a fact-specific basis. This is a continued area of focus for regulators. In the fourth quarter of 2023, FDA issued final guidance focused on the presentation of quantitative risk and efficacy information to the consumer audience, with heightened focus on presenting such information in a manner that is accurate, understandable, and consumer-friendly. The FTC has also released updated guidance on health claims, with a high expectation for clinical data to support these claims. In addition, making comparative claims may draw scrutiny from our competitors. Where a company makes a claim in advertising or promotion that its product is superior to the product of a competitor (or that the competitor's product is inferior), this creates a risk of a lawsuit by the competitor under federal and state false advertising or unfair and deceptive trade practices law, and possibly also state libel law. Such a suit may seek injunctive relief against further advertising, a court order directing corrective advertising, and compensatory and punitive damages where permitted by law. If our compliance program and training and monitoring do not effectively keep pace with our sales and marketing growth, we may encounter increased risk in execution of activities by our personnel, potential enforcement and other exposure. We may also seek to communicate certain information with physicians and scientists and their practices and health systems or with payors and similar entities, and may rely on a range of laws, regulations, regulatory guidance governing topics, including scientific exchange, and communication of healthcare economic information and product information under the Preapproval Information Exchange Act. Recent FDA draft guidance on communication of scientific information on unapproved uses of cleared/approved medical products with HCPs further illustrates the agency's focus on ensuring that such communications to those in a position to order or prescribe products are consistent with available scientific data and subject to organizational controls maintaining separation and distinction from promotional marketing. For example, certain of our physicians may order the Zio Services for patients who are under 18, which is outside the cleared indications for use. While we do not intend for any personnel to promote our devices for pediatric use and we have policies addressing appropriate responses to unsolicited requests for information about pediatric use, our approach may be subject to ongoing scrutiny from FDA. If FDA or other federal, state, or foreign enforcement authorities determine that our labeling, advertising, promotional materials, or user training materials, or representations made by our personnel include the promotion of an off-label use for the device, or that we have made false or misleading or inadequately substantiated promotional claims, or claims that could potentially change the regulatory status of the product, FDA or other authorities could take the position that these materials have misbranded our devices and request that we modify our labeling, advertising, or user training or promotional materials and/or subject us to regulatory or legal enforcement actions, including the issuance of an Untitled Letter or a Warning Letter, injunction, seizure, recall, adverse publicity, civil penalties, criminal penalties, including substantial fines, or other adverse actions. In that event, we would be subject to extensive fines and penalties and our reputation could be damaged and adoption of the products would be impaired. Although we intend to refrain from statements that could be considered off-label promotion of our products, FDA or another regulatory agency could disagree and conclude that we have engaged in off-label promotion.

In the ordinary course of our business, we collect, use and store, and transmit sensitive data, such as our proprietary business information and that of our suppliers, contractors, customers, vendors and others, as well as personal information, including health information, of these parties and of our patients. As a result, we are subject to several foreign, federal and state laws and regulations protecting the use, disclosure and confidentiality of certain personal information, namely individually identifiable information (e.g., names, social security numbers, addresses, birth dates), and restricting the use and disclosure of that information. These laws include foreign, federal and state healthcare privacy laws, telehealth laws, breach notification laws and consumer protection laws. These frameworks impose stringent privacy and security standards and potentially significant non-compliance penalties and liability. In addition, a comprehensive federal privacy bill, which includes a private right of action for violations, has been proposed and is under review by the House of Representatives. Foreign data protection, privacy, and related laws and regulations can be more restrictive than those in the United States. For example, data localization laws in some countries generally mandate that certain types of data collected in a particular country be stored and/or processed solely within that country. In addition, both foreign and U.S. legislators and regulators may make legal and regulatory changes, or interpret and apply existing laws, in ways that require us to incur substantial costs, expose us to unanticipated civil or criminal liability, or cause us to change our business practices. Further, the SEC recently adopted new cybersecurity disclosure rules for public companies that require disclosure regarding cybersecurity risk management (including the board's role in overseeing cybersecurity risks, management's role and expertise in assessing and managing cybersecurity risks, and processes for assessing, identifying, and managing cybersecurity risks) in annual reports on Form 10-K. These new cybersecurity disclosure rules also require the disclosure of material cybersecurity incidents by Form 8-K, within four business days of determining an incident is material. These changes or increased costs could negatively impact our business and results of operations in material ways. Refer to "Cybersecurity" in Part I, Item 1C of our Annual Report on Form 10-K for the year ended December 31, 2023 for further details. The secure maintenance, processing, and transmission of this sensitive information is critical to our business operations and we are dependent on sophisticated information technology systems to operate our business. System failures or outages, including any potential disruptions due to significantly increased global demand on certain cloud-based systems, or failures to adequately scale our data platforms and architectures to support patient care could compromise our ability to perform these functions in a timely manner, which could harm our ability to conduct business or delay our financial reporting. We have implemented multiple layers of security measures and monitoring to protect the confidentiality, integrity, and availability of this data and the systems and devices that store and transmit such data. Despite our security measures and business controls, which undergo routine testing internally and by external parties, our information technology and infrastructure may be vulnerable to attacks by criminals and criminal enterprises, foreign governments and other state-sponsored actors, and terrorists and lone wolves; breaches due to employee, contractor, or vendor error; or malfeasance or other disruptions or subject to the inadvertent or intentional unauthorized release of information. Any such occurrence could compromise our data centers and networks and the information stored thereon could be inappropriately accessed, publicly disclosed, lost, or stolen. Further, any such access, disclosure, or other loss of information could result in legal claims or proceedings, and liability under laws that protect the privacy of personal information and regulatory penalties, increase in operating expenses, incurrence of expenses, including notification, mitigation, and remediation costs, disrupt our operations and the services we provide to our clients, or damage our reputation, any of which could adversely affect our profitability, revenue, and competitive position.

We receive a substantial portion of our revenue from Medicare and third-party commercial payors with which we contract, and we cannot predict whether and to what extent existing reimbursement rates will continue to be available. If CMS or any of our key commercial payors reduce reimbursement rates for our Zio Services, our business, operating results, and prospects would be adversely affected. CMS updates the reimbursement rates for diagnostic tests performed by IDTFs annually via the Medicare Physician Fee Schedule. Effective January 1, 2024, CMS updated the national payment rates for the CPT codes we use to report the long-term continuous monitoring services we perform with our Zio XT System and our Zio Monitor System: CPT codes 93247 (for wear-time of greater than 7 days and up to 15 days) and 93243 (for wear-time of greater than 48 hours and up to 7 days). On March 9, 2024, the Further Consolidated Appropriations Act, 2024, Pub. L. 118-47, was signed into law, which included an adjustment to the Medicare Physician Fee Schedule conversion factor for claims with dates of service after March 9, 2024. Based on the relative value units CMS assigned to CPT codes 93247 and 93243, from January 1, 2024 to March 8, 2024, the national reimbursement rates for our services were $230.52 and $219.71, respectively, and ranged from $231.34 to $326.79 and $220.51 to $311.46 for our Medicare-enrolled IDTF locations in Deerfield, Illinois, Houston, Texas, and San Francisco, California, when considering the geographic practice cost index for these locations. Currently, the national reimbursement rates for CPT codes 93247 and 93243 are $234.34 and $223.36, respectively, and range from $235.18 to $332.21 and from $224.16 to $316.62, respectively, for our IDTF locations. On July 10, 2024, CMS released its CY 2025 Medicare Physician Fee Schedule proposed rule, which includes proposed updates to the pricing for the extended external ECG patch, medical magnetic tape recorder (SD339) supply item used to perform our services. Specifically, based on the public submission of invoices following publication of the CY 2024 Medicare Physician Fee Schedule final rule, CMS proposes to increase the price for the SD339 supply item from $260.35 to $292.50 (i.e., a 12% increase) and to increase the relative value units for CPT codes 93247 and 93243 by 3.4% and 4.5%, respectively. There is no guarantee, however, that this proposed increase will become final, or that other changes ultimately will not be adopted that negatively impact the overall reimbursement available for our services. For example, CMS also proposes to decrease the relative value units for CPT code 93229 by 5.6%. Because remote cardiac monitoring technology, including the Zio System, is rapidly evolving, there is a continuing risk that relative value units assigned, and reimbursement rates set, by CMS may not adequately reflect the value and expense of this technology and associated monitoring services, and CMS may reduce these rates in the future, which would adversely affect our financial results. Additionally, commercial payors with which we contract may seek to reduce our reimbursement rate through further contract negotiations. For example, the actions taken by CMS in 2022 to establish national reimbursement rates for CPT Codes 93247 and 93243 effective January 1, 2023 reduced the Medicare reimbursement rates for these services performed at our Deerfield, Illinois location. Accordingly, we may observe certain commercial payors in this region seeking to adjust their reimbursement rates for these services as well. In addition, our agreements with commercial payors typically allow either party to terminate the contract at any time by providing prior written notice, in accordance with the agreement, to the other party, which means our commercial payors may elect to terminate their contracts with us for any reason. A commercial payor who terminates or does not renew their contract with us may, or may not, alter their coverage for the type of services we provide. In the event any of our key commercial payors terminate their agreements with us, elect not to renew or enter into new agreements with us upon expiration of their current agreements, or do not renew or establish new agreements on terms as favorable as are currently contracted, our business, operating results, and prospects would be adversely affected. Finally, government and commercial payors have and may, in the future, consider healthcare policies and proposals intended to limit or reduce perceived increases in healthcare costs, including those that could significantly affect reimbursement for healthcare products such as our systems and services. These policies have included, and may in the future include: basing reimbursement policies and rates on clinical outcomes, the comparative effectiveness, and costs, of different treatment technologies and services, as well as other measures. Future significant changes in the healthcare systems in the United States or elsewhere could also have a negative impact on the demand for our current and future products and services. These include changes that may reduce reimbursement rates for our products and changes that may be proposed or implemented by the current or future laws or regulations.

There is significant uncertainty concerning third-party reimbursement of any new service until a contracted rate is established for that service with the commercial payor. Reimbursement by a commercial payor may depend on several factors, including, but not limited to, a payor's determination that the ordered service is not experimental or investigational, medically necessary and appropriate for the specific patient, cost effective, supported by peer-reviewed publications, and accepted and used by physicians and other clinicians within their provider network. Since each payor decides whether to establish a policy concerning reimbursement or to contract with us to set the price of reimbursement, seeking reimbursement on a payor-by-payor basis is a time-consuming and costly process to which we dedicate substantial resources. If we do not dedicate sufficient resources to establishing contracts with commercial payors and supporting payors' reimbursement determinations by demonstrating the clinical value of our Zio Services through studies and physician adoption, we may encounter several adverse consequences that could compromise the commercial success of our business. Such adverse consequences may include an inability to secure additional contracts with commercial payors, reluctance by physicians to order our Zio Services due to concerns that patients may face significant out-of-pocket expenses associated with an out-of-network IDTF, a decline in the amount that we are reimbursed for our services, less predictable revenue, and an increase in the efforts and resources necessary to obtain reimbursement for our services on a claim-by-claim basis. Additionally, for our out-of-network or cash pay patients, we may be subject to state and federal surprise billing laws that impose limits on amounts that can be charged to such patients and/or the amount we can receive for out-of-network services from commercial payors as well as penalties for noncompliance. One such law, the federal No Surprises Act, requires covered providers to provide "good faith estimates" to uninsured and self-pay patients of their out-of-pocket responsibility and establishes a detailed and potentially costly independent dispute resolution process governing fee disputes between our IDTFs and payors. These laws and regulations may change and we anticipate these evolving, highly technical requirements may apply to our business in the future and could necessitate the dedication of additional resources to ensure compliance.

Beginning in the third quarter of 2022, we engaged Sutherland Healthcare Solutions, Inc. and Techindia Infoway Private Limited to support certain customer care and clinical operations of our IDTFs. We have developed operational and technical controls to limit the work performed by these vendors consistent with our interpretation of the Medicare coverage exclusion of services furnished outside the United States, other applicable laws and regulations, and any requirements imposed pursuant to our contracts with commercial payors. If these controls do not work as intended, or if regulators or commercial payors disagree with our interpretation of these requirements and their application to our operations, we may be subject to a requirement to return funds already paid to us, civil monetary penalties, other government enforcement, as highlighted by a recent enforcement action against our competitor, BioTelemetry, Inc., with respect to the support of certain clinical operations by vendors performing work outside the United States, and termination of contracts with commercial payors, as well as the loss of revenue associated with those contracts. In addition, we are currently engaging with other third-party service providers that have resources located outside the United States, and we have established company resources in the Philippines to provide services in support of our IDTFs. These services include benefits verification, billing, collections, and customer service, which require complex oversight and monitoring for appropriate capture and escalation of complaint information that may be relevant to the quality, performance, and safety of our medical devices or the quality of our clinical services. If we are unable to effectively manage this oversight and monitoring, we may be subject to regulatory enforcement action or inquiries which may be expensive and time consuming to resolve. In addition, certain contracts with commercial payors include restrictions related to accessing patient data outside the United States and we have implemented reasonable controls intended to prohibit unauthorized use of patient data by service providers and company resources located outside the United States for these commercial payors, as appropriate. If these controls do not work as intended, or if the payor information we receive from ordering healthcare providers is delayed or inaccurate, we may encounter the suspension or termination of contracts with commercial payors, as well as any contractual remedies such payors might pursue. The suspension or loss of any of our key commercial payor agreements would have an adverse impact on our revenue and our results of operations.