We have attempted to structure our operations to comply with laws, regulations and other requirements applicable to us directly and to our clients and vendors, but there can be no assurance that our operations will not be challenged or impacted by regulatory authorities or enforcement initiatives. We have been, and in the future may become, involved in governmental investigations, audits, reviews and assessments. Any determination by a court or agency that our corporate structure, solutions or services violate, or cause our clients or network partners to violate, applicable laws, regulations or other requirements could subject us or our clients to significant administrative, civil or criminal penalties. Such a determination also could require us to change or terminate portions of our business, disqualify us from serving clients in certain states, or clients that do business with government entities, or cause us to refund some or all of our service fees or otherwise compensate our clients. In addition, failure to satisfy laws, regulations or other requirements could adversely affect demand for our solutions and could force us to expend significant capital, research and development and other resources to address the failure. Even an unsuccessful challenge by regulatory, judicial and other authorities or parties could be expensive and time-consuming, could result in loss of business, exposure to adverse publicity, and injury to our reputation and could adversely affect our ability to retain and attract clients. If we fail to comply with applicable laws, regulations and other requirements, our business, financial condition and results of operations could be adversely affected. Such non-compliance could also require significant investment to address and may prove costly. 
There are several additional federal and state statutes, regulations, guidance and contractual provisions related to or impacting the healthcare industry that may apply to our business activities directly or indirectly, including, but not limited to:
- Licensing and Licensed Personnel. Many states have licensure or registration requirements for entities acting as a third-party administrator, or TPA, and/or PBMs. The scope of these laws differs from state to state, and the application of such laws to the activities of TPAs and/or PBMs is often unclear. Given the nature and scope of the solutions and services that we provide, we are required to maintain TPA and PBM licenses and registrations in certain jurisdictions and to ensure that such licenses and registrations are in good standing on an annual basis. We are licensed, have licensure applications pending before appropriate regulatory bodies, are exempt from licensure or registration, or believe that we are otherwise authorized under such laws in those states in which we provide our TPA and PBM services. These licenses require us to comply with the rules and regulations of the governmental bodies that issued such licenses, including maintaining certain solvency or bond requirements. Our failure to comply with such rules and regulations could result in significant administrative penalties, the suspension of a license, or the loss of a license, all of which could negatively impact our business. Additionally, from time to time, legislation is considered that would purport to declare a PBM a fiduciary with respect to its clients. We cannot predict what effect, if any, such statutes, if enacted, may have on our business and financial results.
Separately, states impose licensing requirements on insurers, risk-bearing entities, and insurance agents, as well as those entities that provide utilization review services. We do not believe that the nature of our services requires us to be licensed under applicable state law. We are unable to predict, however, how our services may be viewed by regulators over time, how these laws and regulations will be interpreted and enforced, or the full extent of their application. If a regulatory authority in any state determines that the nature of our business requires that we be licensed under applicable state laws, we may need to restructure our business to comply with any related requirements, such as maintaining adequate reserves, creating new compliance processes, hiring additional personnel to manage regulatory compliance, and paying additional regulatory fees or penalties, which could adversely affect our results of operation. Additionally, we may need to cease operations until we are able to obtain appropriate licensure, which may adversely affect our revenue for a period of time that we cannot estimate.
In addition, we employ PCAs to support and guide our members as part of our fertility benefits management services. The PCAs do not provide any licensed healthcare services, and in turn, are not licensed by any regulatory body to provide these services. We otherwise do not employ individuals to provide any healthcare services requiring licensure. If a professional board in any state determines that the services provided by our employed PCAs require a license to be provided, we may need to conduct additional training and credentialing, replace staff, obtain additional insurance, and pay increased salaries, which could adversely affect our results of operations. We may additionally need to suspend the PCA services we provide while our personnel obtain the necessary licensure, which may adversely affect our relationships with our clients and members and cause us to be in breach of our contracts.
- HIPAA Privacy and Security Requirements. HIPAA, as amended, and the regulations promulgated thereunder (collectively, HIPAA) establish privacy and security standards that limit the use and disclosure of certain individually identifiable health information (known as "protected health information") and require the implementation of administrative, physical and technological safeguards to protect the privacy of protected health information and ensure the confidentiality, integrity and availability of electronic protected health information. The privacy regulations established under HIPAA also provide patients with rights related to understanding and controlling how their protected health information is used and disclosed. As a provider of services to entities subject to HIPAA, we are directly subject to certain provisions of the regulations as a "Business Associate." When acting as a Business Associate under HIPAA, to the extent permitted by applicable privacy regulations and contracts and associated Business Associate Agreements with our clients, we are permitted to use and disclose protected health information to perform our services and for other limited purposes, but other uses and disclosures, such as marketing communications, require written authorization from the patient or must meet an exception specified under the privacy regulations. We also have downstream Business Associates, which provide us with services and are also subject to HIPAA regulations.
If we, or any of our downstream Business Associates, are unable to properly protect the privacy and security of protected health information entrusted to us, we could be found to have breached our contracts with our clients and be subject to investigation by the HHS Office for Civil Rights, or OCR. In the event OCR finds that we have failed to comply with applicable HIPAA privacy and security standards, we could face civil and criminal penalties. In addition, OCR performs compliance audits of Covered Entities and Business Associates in order to proactively enforce the HIPAA privacy and security standards. OCR has become an increasingly active regulator and has signaled its intention to continue this trend. OCR has the discretion to impose penalties and may require companies to enter into resolution agreements and corrective action plans that impose ongoing compliance requirements. OCR enforcement activity, or a third-party audit related to a HIPAA incident regarding us or a third-party vendor, can result in financial liability and reputational harm, and responses to such enforcement activity can consume significant internal resources. In addition to enforcement by OCR, state attorneys general are authorized to bring civil actions under either HIPAA or relevant state laws seeking either injunctions or damages in response to violations that threaten the privacy of state residents. Although we have implemented and maintain policies, processes and compliance program infrastructure to assist us in complying with these laws and regulations and our contractual obligations, we cannot provide assurance regarding how these laws and regulations will be interpreted, enforced or applied to our operations.
In addition to the risks associated with enforcement activities and potential contractual liabilities, our ongoing efforts to comply with evolving laws and regulations at the federal and state levels also might require us to make costly system purchases and/or modifications or otherwise divert significant resources to HIPAA compliance initiatives from time to time.
- Other Privacy and Security Requirements. In addition to HIPAA, numerous other federal and state laws govern the collection, dissemination, use, access to and confidentiality of personal information, some of which may be applicable to our business. Certain federal and state laws protect types of personal information that may be viewed as particularly sensitive. For example, New York's Public Health Law, Article 27-F protects information that could reveal confidential HIV-related information about an individual. In many cases, state laws are more restrictive than, and not preempted by, HIPAA, and may allow personal rights of action with respect to privacy or security breaches, as well as fines. State laws are contributing to increased enforcement activity and may also be subject to interpretation by various courts and other governmental authorities. Further, the California Consumer Privacy Act of 2018, or CCPA, went into effect on January 1, 2020, which gives California residents certain rights to access and delete their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches, which has increased the likelihood and risks associated with data breach litigation. In addition, the California Privacy Rights Act, or the CPRA, generally went into effect on January 1, 2023 and significantly amends the CCPA. It imposes additional data protection obligations on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It also creates a new California data protection agency authorized to issue substantive regulations and could result in increased privacy and information security enforcement.
Additional compliance investment and potential business process changes may be required. Similar laws have passed in other states, and are continuing to be proposed at the state and federal level, reflecting a trend toward more stringent privacy legislation in the United States. The enactment of such laws could have potentially conflicting requirements that would make compliance challenging.
Certain of our solutions and services involve the transmission and storage of client and member data in various jurisdictions, which subjects the operation of those solutions and services to privacy or data protection laws and regulations in those jurisdictions. There can be no assurance that such requirements will not change or that we will not otherwise be subject to legal or regulatory actions. These laws and regulations are rapidly evolving and changing, and could have an adverse impact on our operations. These laws and regulations are subject to uncertainty in how they may be interpreted and enforced by government authorities and regulators. The costs of compliance with, and the other burdens imposed by, these and other laws or regulatory actions may increase our operational costs, prevent us from providing our solutions, and/or impact our ability to invest in or jointly develop our solutions. We also may face audits or investigations by one or more government agencies relating to our compliance with these laws and regulations. An adverse outcome under any such investigation or audit could result in fines, penalties, other liability, or could result in adverse publicity or a loss of reputation, and adversely affect our business. Any failure or perceived failure by us or by our solutions to comply with these laws and regulations may subject us to legal or regulatory actions, damage our reputation or adversely affect our ability to provide our solutions in the jurisdiction that has enacted the applicable law or regulation. Moreover, if these laws and regulations change, or are interpreted and applied in a manner that is inconsistent with our policies and processes or the operation of our solutions, we may need to expend resources in order to change our business operations, policies and processes or the manner in which we provide our solutions. This could adversely affect our business, financial condition and results of operations.
- Data Protection and Breaches. In recent years, there have been a number of well-publicized data breaches involving the improper dissemination of personal information of individuals both within and outside of the healthcare industry. Laws in all 50 states require businesses to provide notice to clients whose personally identifiable information has been disclosed as a result of a data breach. These laws are not consistent, and compliance in the event of a widespread data breach is costly. States are also constantly amending existing laws, requiring attention to frequently changing regulatory requirements. Most states require holders of personal information to maintain safeguards and take certain actions in response to a data breach, such as providing prompt notification of the breach to affected individuals or the state's attorney general. In some states, these laws are limited to electronic data, but states increasingly are enacting or considering stricter and broader requirements.
Additionally, under HIPAA, Covered Entities must report breaches of unsecured protected health information to affected individuals without unreasonable delay, not to exceed 60 days following discovery of the breach by a Covered Entity or its agents. Notification also must be made to OCR and, in certain circumstances involving large breaches, to the media. Business Associates must report breaches of unsecured protected health information to Covered Entities within 60 days of discovery of the breach by the Business Associate or its agents or such shorter period as set forth in the applicable Business Associate Agreement. A non-permitted use or disclosure of protected health information is presumed to be a breach under HIPAA unless the Covered Entity or Business Associate establishes that there is a low probability the information has been compromised consistent with requirements enumerated in HIPAA.
Despite our security management efforts with respect to physical and technological safeguards, employee training, vendor (and sub-vendor) controls and contractual relationships, our infrastructure, data or other operation centers and systems used in our business operations, including the internet and related systems of our vendors (including vendors to whom we outsource data hosting, storage and processing functions) are vulnerable to and, from time to time, may experience unauthorized access to data and/or breaches of confidential information due to a variety of causes. Techniques used to obtain unauthorized access to or compromise systems change frequently, are becoming increasingly sophisticated and complex, and are often not detected until after an incident has occurred. As a result, we might not be able to anticipate these techniques, implement adequate preventive measures, or immediately detect a potential compromise. If our security measures, some of which are managed by third parties, or the security measures of our service providers or vendors, are breached or fail, it is possible that unauthorized or illegal access to or acquisition, disclosure, use or processing of personal information, confidential information, or other sensitive client, member, or employee data, including HIPAA-regulated protected health information, may occur. A security breach or failure could result from a variety of circumstances and events, including third-party action, human negligence or error, malfeasance, employee theft or misuse, phishing and other social engineering schemes, computer viruses, attacks by computer hackers, failures during the process of upgrading or replacing software, databases or components thereof, power outages, hardware failures, telecommunication failures, and catastrophic events.
If our security measures, or those of our service providers or vendors, were to be breached or fail, our reputation could be severely damaged, adversely affecting client or investor confidence. As a result, clients may curtail their use of or stop using our offering, and our business may suffer. In addition, we could face litigation, damages for contract breach, penalties and regulatory actions for violation of HIPAA and other laws or regulations applicable to data protection and significant costs for remediation and for measures to prevent future occurrences. In addition, any potential security breach could result in increased costs associated with liability for stolen assets or information, repairing system damage that may have been caused by such breaches, incentives offered to clients or other business partners in an effort to maintain the business relationships after a breach and implementing measures to prevent future occurrences, including organizational changes, deploying additional personnel and protection technologies, training employees and engaging third-party experts and consultants. Negative publicity may also result from real, threatened or perceived security breaches affecting us or our industry or clients, which could cause us to lose clients or partners and adversely affect our operations and future prospects. While we maintain cyber insurance covering certain security and privacy damages and claim expenses, we may not carry insurance or maintain coverage sufficient to compensate for all liability and such insurance may not be available for renewal on acceptable terms or at all, and in any event, insurance coverage would not address the reputational damage that could result from a security incident.
- HIPAA Transaction and Identifier Standards. HIPAA and its implementing regulations mandate format and data content standards and provider identifier standards (known as the National Provider Identifier) that must be used in certain electronic transactions, such as claims, payment advice and eligibility inquiries. HHS has established standards that health plans must use for electronic fund transfers with providers, has established operating rules for certain transactions, and is in the process of establishing operating rules to promote uniformity in the implementation of the remaining types of covered transactions. The ACA also requires HHS to establish standards for health claims attachment transactions. HHS has modified the standards for electronic healthcare transactions (such as eligibility, claims submission and payment, and electronic remittance) from Version 4010/4010A to Version 5010. Further, HHS now requires the use of updated standard code sets for diagnoses and procedures known as the ICD-10 code sets. Enforcement of compliance with these standards falls under HHS and is carried out by CMS.
In the event new requirements are imposed, we will be required to modify our systems and processes to accommodate these changes. We will seek to modify our systems and processes as needed to prepare for and implement changes to the transaction standards, code sets, operating rules and identifier requirements; however, we may not be successful in responding to these changes, and any responsive changes we make to our systems and processes may result in errors or otherwise negatively impact our service levels. In addition, the compliance dates for new or modified transaction standards, operating rules and identifiers may overlap, which may further burden our resources.
- Fraud and Abuse Laws. Many of our clients, insurance carriers, and network healthcare providers are impacted directly and indirectly by certain fraud and abuse laws, including the federal Anti-Kickback Statute, the Physician Self-Referral Law, commonly referred to as the Stark Law, and the False Claims Act, as well as their state equivalents. Because the solutions and services we provide are not reimbursed by government healthcare payors, such fraud and abuse laws generally do not directly apply to our business; however, some laws may be applicable to us. For example, certain states have anti-kickback and false claims laws that may be broader in scope than analogous federal laws and may apply to items and services reimbursed by any third-party payor, including private insurers, self-insured employers and on a cash basis by patients.
The laws, regulations and other requirements in this area are both broad and complex and judicial and regulatory interpretation can also be inconsistent. We review our practices with regulatory experts in an effort to comply with all applicable laws, regulatory and other requirements. However, we are unable to predict how these laws, regulations and other requirements will be interpreted or the full extent of their application, particularly to services that are not directly reimbursed by federal and state healthcare programs. Any determination by a federal or state regulatory authority that any of our activities or those of our clients or vendors violate any of these laws or regulations could subject us to significant administrative, civil or criminal penalties, damages, disgorgement, monetary fines or imprisonment, require us to enter into corporate integrity agreements or similar agreements with ongoing compliance obligations, disqualify us from providing services to clients that are, or do business with, government healthcare programs and/or have an adverse impact on our business, financial condition and results of operations. Even an unsuccessful challenge by a regulatory authority of our activities could result in adverse publicity and could require a costly response from us.
- State Corporate Practice and Fee-Splitting Prohibitions. There is a risk that regulatory authorities in some jurisdictions may find that our contractual relationships with our fertility specialists violate laws prohibiting the corporate practice of medicine and/or fee-splitting. These laws generally prohibit non-physician entities from practicing medicine, exercising control over physicians or engaging in certain practices such as fee-splitting with physicians. There can be no assurance that these laws will be interpreted in a manner consistent with our practices or that other laws or regulations will not be enacted in the future that could have a material and adverse effect on our business, results of operations, and financial condition. Regulatory authorities, state medical boards, state attorneys general and other parties, including our network physicians, may assert that we are engaged in the prohibited corporate practice of medicine, and/or that our arrangement with our network providers constitutes unlawful fee-splitting. If a state's prohibition on corporate practice of medicine or fee-splitting law is interpreted in a manner that is inconsistent with our practices, we would be required to restructure or terminate our contractual relationship with our network providers to bring our activities into compliance with such laws, and could face disciplinary action, penalties, damages, fines, and/or a loss of revenue, any of which could have a material and adverse effect on our business, results of operations, and financial condition. State corporate practice of medicine doctrines and fee-splitting prohibitions also often impose penalties on physicians themselves for aiding the corporate practice of medicine or unlawful fee-splitting, which could discourage physicians from participating in our network of providers.
- ERISA Regulation. The Employee Retirement Income Security Act of 1974, or ERISA, regulates certain aspects of employee health plans, including both insured and self-funded health plans sponsored by our clients, with which we have agreements to provide TPA services. As part of our agreements with a number of these clients, we offer PBM services through Progyny Rx. Because we believe the conduct of our business vis-à-vis these plans is not of a fiduciary nature, it is not generally subject to the fiduciary obligations of ERISA. However, there can be no assurance the United States Department of Labor, or the DOL, which is the agency that enforces ERISA, would not in the future assert that the fiduciary obligations imposed by ERISA apply to certain aspects of our operations or courts would not reach such a ruling in private ERISA litigation. ERISA also imposes civil and criminal liability on service providers to health plans subject to ERISA and certain other persons with relationships to such plans if certain forms of illegal or prohibited remuneration are made or received by such service providers or other persons. These provisions of ERISA are similar, but not identical, to the healthcare anti-kickback laws described above, although ERISA lacks the statutory and regulatory "safe harbor" exceptions incorporated into the healthcare anti-kickback laws. Like the healthcare anti-kickback laws, the corresponding provisions of ERISA are broadly written and their application to particular cases can be uncertain. ERISA plans are subject to certain rules, published by the DOL, including certain reporting requirements for direct and indirect compensation received by plan service providers. Separately, although ERISA generally preempts state laws that relate to ERISA plans, the recent Supreme Court ruling in Rutledge v. Pharm. Care Mgmt. Ass'n established that ERISA does not preempt all state laws imposing transparency or other requirements on PBMs.
- Prompt Pay Laws. Certain states have laws regulating the amount of time that may elapse from when a third-party payor receives a claim for services rendered to when those services are paid. These "prompt pay" laws may impact us as well as our self-insured clients and insurance carriers. Under these "prompt pay" laws, we may be obligated to pay healthcare providers within established time periods, and such time periods may be shorter than our existing contracted terms and/or may require payment via electronic transfer. In many states, we are deemed to be exempt from the prompt pay laws; however, we seek to comply with them in each state in which we do business to the extent applicable, and our efforts include the use of controls such as policies and processing systems that ensure we pay claims as quickly as possible and contract language related to timeframes permitted by applicable law. If we do not make payments to healthcare providers in a timely fashion consistent with prompt pay laws, we may be required to pay interest in addition to any amounts owed to such providers. In addition, our reputation may be harmed and our contractual obligations to certain clients may be breached, causing us to lose revenue or otherwise pay penalties under such contracts.
- Network Adequacy and Access Requirements. Network adequacy and access laws require health plans to maintain a network of healthcare providers sufficient to deliver the benefits they contract to provide to their enrollees. In light of the increase in "narrow networks," there has been a legislative push to ensure that commercial payors contract with a sufficient number of healthcare providers to create an "adequate network." Additionally, a majority of states now have some form of legislation affecting our payor clients' ability to limit access to a provider network or remove a provider from the network. Such legislation may require our clients to admit any healthcare provider, including any pharmacy provider, willing to meet the plan's price and other terms for network participation ("any willing provider" legislation), or may provide that a provider may not be removed from a network except in compliance with certain procedures ("due process" legislation). Further, to ensure network adequacy and quality, a network may seek to accredit its healthcare providers through any number of accrediting bodies, such as the National Committee for Quality Assurance, or NCQA, and the Utilization Review Accreditation Commission. We follow NCQA standards to credential the health providers with whom we contract to provide services within our network, and engage the Council for Affordable Quality Healthcare to conduct provider credentialing where required. Should any of the states we operate in determine that our network of providers does not meet adequacy or access requirements, we may be subject to administrative penalties and other administrative actions, as well as private litigation. In addition, if we are unable to contract with a sufficient number of providers, we may become subject to administrative penalties or enforcement actions from state regulatory agencies, litigation from consumers, and may be in breach of certain contractual covenants with our partners.
- Consumer Protection Laws. Federal and state consumer protection laws are being applied increasingly by the Federal Trade Commission, or FTC, Federal Communications Commission and states' attorneys general to regulate the collection, use, storage and disclosure of personal or health information, through websites or otherwise, and to regulate the presentation of website content. Courts may also adopt the standards for fair information practices promulgated by the FTC, which concern consumer notice, choice, security and access. Consumer protection laws require us to publish statements to users of our services that describe how we handle personal information and choices consumers may have about the way we handle personal information. If such information that we publish is considered untrue, we may be subject to claims of unfair or deceptive trade practices, which could lead to significant liabilities and consequences, including costs of defending against litigation, settling claims and loss of willingness of current and future clients to work with us.
- Restrictions on Communication. Communications with our members increasingly may be subject to and restricted by laws and regulations governing communications via telephone, fax, text, and email. We also use email and social media platforms as marketing tools. For example, we maintain social media accounts. As laws and regulations, including FTC enforcement, rapidly evolve to govern the use of these platforms and devices, the failure by us, our employees or third parties acting at our direction to abide by applicable laws and regulations in the use of these platforms and devices could adversely impact our business, financial condition and results of operations or subject us to fines or other penalties.