Phreesia (PHR) Risk Factors

Healthcare laws and regulations are rapidly evolving and may change significantly in the future, which could adversely affect our financial condition and results of operations. For example, in 2010, the Patient Protection and Affordable Care Act ("ACA") was adopted, which is a healthcare reform measure that provides healthcare insurance for millions of Americans. The ACA includes a variety of healthcare reform provisions and requirements that became effective at varying times through 2018 and substantially changes the way healthcare is financed by both governmental and private insurers, which may significantly impact our industry and our business. Since its enactment, there have been numerous judicial, administrative, executive, and legislative challenges to certain aspects of the ACA. It is unclear how other healthcare reform measures of the Biden administration or other efforts, if any, to challenge, repeal or replace the ACA will impact our business. Further, in 2020, the HHS, Office of the National Coordinator for Health Information Technology ("ONC") and CMS promulgated final rules aimed at supporting seamless and secure access, exchange, and use of electronic health information ("EHI"), referred to as the Final Rule, by increasing innovation and competition by giving patients and their healthcare service providers secure access to health information and new tools, allowing for more choice in care and treatment. The Final Rules is intended to clarify and operationalize provisions of the 21st Century Cures Act ("Cures Act"), regarding interoperability and "information blocking," and create significant new requirements for health care industry participants. Information blocking is defined as activity that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI, where a health information technology developer, health information network or health information exchange knows or should know that such practice is likely to interfere with access to, exchange or use of EHI. In April 2023, the ONC issued a notice of proposed rulemaking that would modify certain components of the Final Rule, including modifying and expanding certain exceptions to the information blocking regulations, which are intended to support information sharing. The Final Rule focuses on patients enrolled in Medicare Advantage plans, Medicaid and Children's Health Insurance Program ("CHIP") fee-for-service programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plans on the federally-facilitated exchanges, and enacts measures to enable patients to have both their clinical and administrative information travel with them. Recent regulatory reform constitutes a significant departure from previous regulations regarding patient data. While these rules benefit us in that certain EHR vendors will no longer be permitted to interfere with our attempts at integration, they may also make it easier for other similar companies to enter the market, creating increased competition and reducing our market share. It is unclear at this time what the costs of compliance with the Final Rule will be, and what additional risks there may be to our business. In addition, we are subject to various other laws and regulations, including, among others, anti-kickback laws, antitrust laws and the privacy and data protection laws described below.

Our current and future arrangements with healthcare professionals, principal investigators, consultants, customers and third-party payors subject us to various federal and state fraud and abuse laws and other healthcare laws, including, without limitation, the federal Anti-Kickback Statute, the federal civil and criminal false claims laws, HIPAA and regulations promulgated under such laws. These laws will impact, among other things, our clinical research, proposed sales, marketing and educational programs, and other interactions with healthcare professionals. For more information regarding the risks related to these laws and regulations please see "Business – Regulatory Matters – U.S. Federal and State Fraud and Abuse Laws." The scope and enforcement of each of these laws is uncertain and subject to rapid change in the current environment of healthcare reform. Federal and state enforcement bodies have recently increased their scrutiny of interactions between healthcare companies and healthcare providers, which has led to a number of investigations, prosecutions, convictions and settlements in the healthcare industry. Because of the breadth of these laws and the narrowness of their statutory or regulatory exceptions and safe harbors, some of our business activities may be subject to challenge under one or more of them. Ensuring that our internal operations and future business arrangements with third parties comply with applicable healthcare laws and regulations will involve substantial costs. Achieving and sustaining compliance requires us to implement controls across our entire organization which may prove costly and challenging to monitor and enforce. The risk of our being found in violation of healthcare laws and regulations is increased by the fact that their provisions are sometimes complex and open to a variety of interpretations. It is possible that governmental authorities will conclude that our business practices do not comply with current or future statutes, regulations, agency guidance or case law involving applicable fraud and abuse or other healthcare laws and regulations. If our operations are found to be in violation of any of the laws described above or any other governmental laws and regulations that may apply to us, we may be subject to significant penalties, including administrative, civil and criminal penalties, damages, fines, disgorgement, the exclusion from participation in federal and state healthcare programs, individual imprisonment, reputational harm, and the curtailment or restructuring of our operations, as well as additional reporting obligations and oversight if we become subject to a corporate integrity agreement or other agreement to resolve allegations of non-compliance with these laws. Likewise, if any of the physicians or other providers or entities with whom we expect to do business are found to not be in compliance with applicable laws, they may be subject to criminal, civil or administrative sanctions, including exclusions from government funded healthcare programs and imprisonment as well. Further, defending against any such actions can be costly and time consuming, and may require significant financial and personnel resources. Therefore, even if we are successful in defending against any such actions that may be brought against us, our business may be impaired. If any of the above occur, our ability to operate our business and our results of operations could be adversely affected.

The FDA may promulgate a policy or regulation that affects our products and services. FDA regulations govern among other things, product development, testing, manufacture, packaging, labeling, storage, clearance or approval, advertising and promotion, sales and distribution and import and export for regulated drugs, biologics and devices. Non-compliance with applicable FDA requirements can result in, among other things, public warning letters, fines, injunctions, civil penalties, recall or seizure of products, total or partial suspension of production, failure of the FDA to grant marketing approvals, withdrawal of marketing approvals, a recommendation by the FDA to disallow us from entering into government contracts and criminal prosecutions. The FDA also has the authority to request repair, replace or refund of the cost of any device.

Our clients may use our products to place various short message service, or SMS, text messages and calls to patients. The Telephone Consumer Protection Act ("TCPA") is a federal statute that protects consumers from unwanted telephone calls, faxes and text messages. There are a number of federal and state statutes and regulations that govern such telecommunications, the use of automatic telephone dialing systems ("ATDS") or other automated systems to make such telecommunications, and the use of artificial voice or pre-recorded messages in certain telecommunications. These laws include the Telephone Consumer Protection Act (TCPA), Telemarketing Sales Rule (TSR), and various other state laws. The U.S. Federal Communications Commission (FCC), and the Federal Trade Commissions have responsibility for regulating various aspects of some of the TCPA, TSR and other federal laws. Among other requirements, the TCPA requires callers to obtain prior express written consent for certain telemarketing calls and to adhere to "do-not-call" registry requirements which, in part, mandate that callers maintain and regularly update lists of consumers who have chosen not to be called and restrict calls to consumers who are on the national do-not-call list. Florida, Oklahoma and other states also have mini-TCPA and other similar consumer protection laws regulating calls and texts directed to their residents. As currently construed, the TCPA does not distinguish between voice and data, and, as such, text and SMS/MMS messages are also "calls" for the purpose of TCPA (and, in some cases, state mini-TCPA) obligations and restrictions. For violations of the TCPA, the law provides for a private right of action under which a plaintiff may recover monetary damages of $500 for each call or text made in violation of the prohibitions on certain calls made using an artificial or pre-recorded voice or an ATDS and certain calls made to numbers properly registered on the federal "do-not-call" list. A court may treble the $500 amount upon a finding of a willful or knowing violation. There is no statutory cap on maximum aggregate exposure (although some courts have applied in TCPA class actions constitutional limits on excessive penalties). An action may be brought by the FCC, a state attorney general, an individual, or a class of individuals. As with the TCPA, Florida's mini-TCPA, for example, restricts certain calls and calls and texts made using an automated system to Florida residents without prior consent, allows a plaintiff to obtain $500 for each call or text made in violation of its prohibitions, and permits a court to treble the $500 amount for willful or knowing violations of the statute. The TCPA, TSR, mini-TCPA laws and other similar state laws are subject to interpretations that may change. We regularly evaluate how they may apply to our business. The FCC, FTC, a state attorney general or other regulator, or a court, however, may disagree with our interpretation of these laws and conclude that we are not in compliance and impose damages, civil penalties and other consequences upon us for noncompliance. Determination by a court or regulatory agency that our services did not comply also invalidate all or portions of some of our client contracts, could require us to change or terminate some portions of our business, could require us to refund portions of our services fees, and could have an adverse effect on our business. Further, we could be subject to putative class action lawsuits alleging violations of the TCPA, state mini-TCPA laws and other similar state laws. Our call and SMS texting services are potential sources of risk for class action lawsuits and liability for our Company. Numerous class-action suits under federal and state laws have been filed in recent years against companies who conduct call and SMS texting programs, with many resulting in multi-million-dollar settlements to the plaintiffs. Even an unsuccessful challenge by consumers or regulatory authorities of our activities could result in adverse publicity and could require a costly response from us. If in the future we are found to have violated such laws in a class action, the amount of damages and potential liability could be extensive and adversely impact our business. Accordingly, were such a class certified or if we are unable to successfully defend such a suit, then the damages could have a material adverse effect on our results of operations and financial condition.

While our solutions are primarily subject to government regulations pertaining to healthcare, certain aspects of our solutions may require us to comply with regulatory schema from other areas. Examples of such regulatory schema include: - Foreign Corrupt Practices Act ("FCPA") and foreign anti-bribery laws. The FCPA makes it illegal for U.S. persons, including U.S. companies, and their subsidiaries, directors, officers, employees, and agents, to promise, authorize or make any corrupt payment, or otherwise provide anything of value, directly or indirectly, to any foreign official, any foreign political party or party official, or candidate for foreign political office to obtain or retain business. Violations of the FCPA can also result in violations of other U.S. laws, including anti-money laundering, mail and wire fraud, and conspiracy laws. There are severe penalties for violating the FCPA. The Company may also be subject to other non-U.S. anti-corruption or anti-bribery laws, such as the U.K. Bribery Act 2010. In many foreign countries, particularly in those with developing economies, it may be common to engage in business practices that are prohibited by laws and regulations applicable to us, such as the FCPA and other anti-bribery laws. Any violations of the FCPA?or local anti-corruption laws by us, our subsidiaries or our local agents in India?or elsewhere could have a material adverse effect on our business, financial condition, results of operations, and prospects, as well as our reputation, and result in substantial financial penalties or other sanctions. - Economic sanctions and export controls. Economic and trade sanctions programs that are administered by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) prohibit or restrict transactions to or from, and dealings with specified countries and territories, their governments, and in certain circumstances, with individuals and entities that are located in or nationals of those countries, and other sanctioned persons, including specially designated nationals, narcotics traffickers and terrorists or terrorist organizations. As federal, state and foreign legislative regulatory scrutiny and enforcement actions in these areas increase, we expect our costs to comply with these requirements will increase as well. Failure to comply with any of these requirements could result in the limitation, suspension or termination of our services, imposition of significant civil and criminal penalties, including fines, and/or the seizure and/or forfeiture of our assets. - Further, our solutions incorporate encryption technology. The U.S. Export Administration Regulations require authorization for the export of certain encryption items, including by a license, a license exception or other appropriate government authorizations. Such solutions may also be subject to certain regulatory reporting requirements. While we believe our products meet certain exceptions that reduce the scope of export control restrictions applicable to such products, these exceptions may be determined not to apply to our products and our products and underlying technology may become subject to export control restrictions. - In addition, our recent establishment of a subsidiary in India to bring outside services in-house could increase our risk of violations of such laws and regulations. Despite our policies, procedures and compliance programs, our internal controls and compliance systems may not be able to protect us from prohibited acts willfully committed by our employees, agents or business partners that would violate such applicable laws and regulations.

Numerous complex federal and state laws and regulations govern the collection, use, disclosure, storage and transmission of personally identifiable information, including protected health information. State laws may be even more restrictive and not preempted by HIPAA (as defined below), and may be subject to varying interpretations by the courts and government agencies. These laws and regulations, including their interpretation by governmental agencies, are subject to frequent change and could have a negative impact on our business. Further, these varying interpretations could create complex compliance issues for us and our partners and potentially expose us to additional expense, liability, penalties, negatively impact our client relationships, and lead to adverse publicity, and all of these risks could adversely affect our business in the short and long term. In addition, contractual obligations and in the future, legislation may limit, forbid or regulate the use or transmission of health information outside of the United States or across other national borders. These developments, if adopted, could render our use of Canadian employees and other non-U.S. resources for work related to such data impracticable or substantially more expensive. We are a "Business Associate" as defined under the federal Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") and their implementing regulations, collectively referred to as HIPAA. The U.S. Department of Health and Human Services, ("HHS"), Office for Civil Rights, may impose civil penalties on a Business Associate for a failure to comply with HIPAA requirements. The U.S. Department of Justice is responsible for criminal prosecutions under HIPAA. Penalties can vary significantly depending on a number of factors, such as whether the Business Associate's failure to comply was due to willful neglect. State attorneys general also have the right to prosecute HIPAA violations committed against residents of their states. While HIPAA does not create a private right of action that would allow individuals to sue in civil court for HIPAA violations, its standards have been used as the basis for the duty of care in state civil suits, such as those for recklessness in misusing individuals' health information. If we are subject to investigation or litigation related to an alleged violation of HIPAA, then we may elect to resolve the matter through a settlement. Such settlement could require payment of a civil penalty or damages, corrective action and/or monitoring of our business by a third party. The security measures that we and our third-party vendors and subcontractors have in place to ensure compliance with privacy and data protection laws are not guarantees that we and our subcontractors will not be the victims of cybersecurity attacks, acts of vandalism or theft, computer viruses, misplaced or lost data, malfeasance, programming and human errors or other similar events. Under the HITECH Act, as a Business Associate we may also be liable for privacy and security breaches and failures of our subcontractors. Even though we provide for appropriate protections through our agreements with our subcontractors, we still have limited control over their actions and practices. A breach of privacy or security of individually identifiable health information by a subcontractor may result in an enforcement action, including criminal and civil liability, against us. We are not able to predict the extent of the impact such incidents may have on our business. Our failure to comply may result in criminal and civil liability because the potential for enforcement action against Business Associates is now greater. Enforcement actions against us could be costly and could interrupt regular operations, which may adversely affect our business. While we have not received any notices of violation of the applicable privacy and data protection laws and believe we are in compliance with such laws, there can be no assurance that we will not receive such notices in the future. Even when HIPAA does not apply, according to the Federal Trade Commission, or the FTC, failing to take appropriate steps to keep consumers' personal information secure constitutes unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act, or the FTCA, 15 U.S.C. § 45(a). The FTC's current guidance for appropriately securing consumers' personal information is similar to what is required by the HIPAA security regulations, but this guidance may change in the future, resulting in increased complexity and the need to expend additional resources to ensure we are complying with the FTCA. Other federal and state laws restrict the use and protect the privacy and security of personally identifiable information, in many cases, are not preempted by HIPAA and may be subject to varying interpretations by the courts and government agencies. These varying interpretations can create complex compliance issues for us and our partners and potentially expose us to additional expense, adverse publicity and liability, any of which could adversely affect our business. Federal and state consumer protection laws are increasingly being applied by the United States Federal Trade Commission and states' attorneys general to regulate the collection, use, storage and disclosure of personal or personally identifiable information, through websites or otherwise, and to regulate the presentation of website content. We expect that there will continue to be new proposed and amended laws, regulations and industry standards concerning privacy, data protection and information security in the United States, such as the CCPA, as amended by the California Privacy Rights Act, or CPRA, which amendments went into effect on January 1, 2023. The CCPA creates specific obligations with respect to processing and storing personal information, and the CPRA amendments created a new state agency that is vested with authority to implement and enforce the CCPA. In addition to the CCPA, new privacy and data security laws have been enacted in numerous states and have been proposed in even more states as well as the U.S. Congress. If passed, these new laws could impose similar or more restrictive requirements than these recently enacted laws. Furthermore, other states have proposed or enacted legislation that is focused on more narrow aspects of privacy. For example, a number of states have passed laws that protect biometric information and a smaller number of states have passed or are considering laws that are specifically focused upon health privacy, such as Washington's My Health My Data Act. The My Health My Data Act imposes new state restrictions and requirements on the processing and sale of consumer health data and creates a private right of action. The effects of state and federal privacy laws are potentially significant and may require us to modify our data processing practices and policies and to incur substantial costs and potential liability in an effort to comply with such legislation. We cannot yet determine the full impact these laws or other such future laws, regulations and standards may have on our current or future business. Any of these laws may broaden their scope in the future, and similar laws have been proposed on both a federal level and in various states in the U.S. Such proposed legislation, if enacted, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. The existence of comprehensive privacy laws in different states in the country, and the heightened scrutiny associated with the enforcement of such laws, could make our compliance obligations more complex and costly and may increase the likelihood that we may be subject to enforcement actions or otherwise incur liability for noncompliance. We also expect that there will continue to be new or amended laws, regulations, standards and obligations proposed and enacted in various jurisdictions. Many countries around the world have enacted comprehensive privacy and data protection laws that can impact our business. For example, with respect to Europe, organizations that are collecting or otherwise processing personal data in connection with (a) the activities of a business establishment within the European Economic Area/United Kingdom; or (b) offering goods or services to/monitoring the behavior of individuals within the European Economic Area/United Kingdom, are subject to, the General Data Protection Regulation, or EU GDPR (with respect to EEA personal data) and the UK General Data Protection Regulation UK GDPR, or UK GDPR (with respect to UK personal data), as well as other supplementary national data protection legislation in force in EEA member states and the UK (including the UK Data Protection Act 2018), together referred to as the "GDPR" in this Quarterly Report. The GDPR imposes stringent data protection requirements and requires businesses subject to it to give more detailed disclosures about how they collect, use, and share personal information; contractually commit to data protection measures in contracts; maintain adequate data security measures; notify regulators and affected individuals of certain data breaches; obtain consent to collect sensitive personal information such as health information or ensuring another appropriate legal basis or condition applies to the processing of personal information; meet extensive privacy governance and documentation requirements; and honor individuals' data protection rights. The GDPR also prohibits the transfer of personal information to countries outside of the European Economic Area, or EEA and United Kingdom, or UK to jurisdictions that do not have "adequate" data protection laws by appropriate authorities, including the United States in certain circumstances. Unless a valid transfer mechanism is implemented, such as the Standard Contractual Clauses (SCCs) published by the EC, the UK International Data Transfer Agreement (UK IDTA) published by the ICO binding corporate rules or certification to the EU-U.S. Data Privacy Framework that the EC adopted on July 10, 2023 (along with its UK and Swiss extensions.) Where relying on the SCCs or UK IDTA for data transfers, we may also be required to carry out transfer impact assessments to assess whether the recipient is subject to local laws which allow public authority access to personal data. Evolving laws and decisions surrounding transfers of EU personal information have increased the legal risks and liabilities, and compliance and operational costs, of lawfully making such transfers. Companies that violate the GDPR can face private litigation, restrictions, or prohibitions on data processing, and fines of up to the greater of 20 million Euros (17.5 million GBP for the UK) or 4% of worldwide annual revenue. Although the EU GDPR and the UK GDPR currently impose substantially similar obligations, it is possible that over time the UK GDPR could become less aligned with the EU GDPR. The UK government has announced plans to reform the data protection legal framework in the UK in its Data Reform Bill, which will introduce significant changes from the EU GDPR. This may lead to additional compliance costs and could increase our overall risk exposure as we may no longer be able to take a unified approach across the EEA and the UK. This lack of clarity on future UK laws and regulations and their interaction with EU laws and regulations could add legal risk, uncertainty, complexity and cost to our handling of EU personal information and our privacy and data security compliance programs and could require us to implement different compliance measures for the UK and the EU. Although the UK is regarded as a third country under the EU's GDPR, the European Commission (the "EC"), has now issued a decision recognizing the UK as providing adequate protection under the EU GDPR and, therefore, transfers of personal data originating in the EU to the UK remain unrestricted. Like the EU GDPR, the UK GDPR restricts personal data transfers outside the UK to countries not regarded by the UK as providing adequate protection. The UK government has confirmed that personal data transfers from the UK to the EEA remain free flowing. Some of the businesses we have acquired are subject to additional laws and regulations in jurisdictions outside of the United States, including those in the EEA and UK, such as the GDPR and UK GDPR. Compliance with such laws and regulations requires resources and could be more costly and take more time than we anticipate, and could involve new fines or penalties for non-compliance, all of which could adversely affect our business. In addition to the GDPR and UK GDPR, the EU e-Privacy Directive (2002/58/EC) and the UK Privacy and Electronic Communications Regulations 2003 govern marketing messages we send to customers based in the EEA and UK. We have operations in Canada, where our collection, use, disclosure, and management of personal information must comply with both federal and provincial privacy laws, which impose separate requirements, but may overlap in some instances. The Personal Information Protection and Electronic Documents Act ("PIPEDA") applies in all Canadian provinces except Alberta, British Columbia and Québec, as well as to the transfer of consumer data across provincial borders. PIPEDA imposes stringent consumer data protection obligations, requires privacy breach reporting, and limits the purposes for which organizations may collect, use, and disclose consumer data. The provinces of Alberta, British Columbia, and Québec have enacted separate data privacy laws that are substantially similar to PIPEDA, but all three additionally apply to our handling of our own employees' personal data within their respective provinces. Notably, Québec's Act respecting the protection of personal information in the private sector, or the Private Sector Act, was amended by Bill 64, an Act to modernize legislative provisions as regards the protection of personal information, which introduced major amendments to the Private Sector Act, notably, to impose significant and stringent new obligations on Québec businesses while increasing the powers of Quebec's supervisory authority. We may incur additional costs and expenses related to compliance with these laws and may incur significant liability if we are not able to comply with these laws. We are also subject to Canada's anti-spam legislation, or CASL, which includes rules governing commercial electronic messages, which include marketing emails, text messages, and social media advertisements. Under these rules, we must follow certain standards when sending marketing communications, are prohibited from sending them to customers without their consent and can be held liable for violations. Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply. Cross-border data transfers and other future developments regarding local data residency and access could increase the cost and complexity of delivering our services in some markets and may lead to governmental enforcement actions, litigation, fines, and penalties or adverse publicity, which could adversely affect our business and financial position could greatly increase our cost of providing our products and services, require significant changes to our operations or even prevent us from offering certain services in specific jurisdictions. In addition, any limitation on our ability to use or transmit health information outside of the U.S. could impose restrictions on our ability to recruit and maintain employees residing outside of the U.S., which could, in turn, adversely affect our business. We are also subject to self-regulatory standards and industry certifications that may legally or contractually apply to us. These include the Payment Card Industry Data Security Standards ("PCI-DSS") and AICPA Security Organization Control 2 ("SOC 2"), with which we are currently compliant, and HITRUST certification, which we currently maintain. In the event we fail to comply with the PCI-DSS or fail to maintain our SOC 2 or HITRUST certification, we could be in breach of our obligations under customer and other contracts, fines and other penalties could result, and we may suffer reputational harm and damage to our business. Further, our clients may expect us to comply with more stringent privacy, data storage and data security requirements than those imposed by laws, regulations or self-regulatory requirements, and we may be obligated contractually to comply with additional or different standards relating to our handling or protection of data. Any failure or perceived failure by us to comply with domestic or foreign laws or regulations, industry standards or other legal obligations, or any actual or suspected privacy or security incident, whether or not resulting in unauthorized access to, or acquisition, release or transfer of personally identifiable information or other data, may result in governmental enforcement actions and prosecutions, private litigation, fines and penalties or adverse publicity and could cause our clients to lose trust in us, which could have an adverse effect on our reputation and business. We may be unable to make such changes and modifications in a commercially reasonable manner or at all, and our ability to develop new products and features could be limited. Any of these developments could harm our business, financial condition and results of operations. Privacy and data security concerns, whether valid or not valid, may inhibit retention of services by existing clients or adoption of our services by new clients.

We rely on a variety of direct marketing techniques, including email marketing. These activities are regulated by legislation such as the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003. Any failure by us to comply fully with the CAN-SPAM Act may leave us subject to substantial fines and penalties. In addition, any future restrictions in laws such as the CAN-SPAM Act, and various United States state laws, or new federal laws regarding marketing and solicitation or international data protection laws that govern these activities could adversely affect the continuing effectiveness of our marketing efforts and could force changes in our marketing strategies. If this occurs, we may not be able to develop adequate alternative marketing strategies, which could have a material adverse impact on our results of operations.

Our ability to deliver our products and services, particularly our cloud-based solutions, is dependent on the development and maintenance of the infrastructure of the Internet and other telecommunications services by third parties. This includes maintenance of a reliable network connection with the necessary speed, data capacity and security for providing reliable Internet access and services and reliable telephone and facsimile services. Our services are designed to operate without interruption in accordance with our service level commitments. However, we have experienced limited interruptions in these systems in the past, including server failures that temporarily slow down the performance of our services, and we may experience more significant interruptions in the future. We rely on internal systems as well as third-party suppliers, including bandwidth and telecommunications equipment providers, to provide our services. We do not maintain redundant systems or facilities for some of these services. Interruptions in these systems, whether due to system failures, computer viruses, physical or electronic attacks or other catastrophic events, could affect the security or availability of our services, compromise the data we handle on behalf of our partners and prevent or inhibit the ability of our partners to access our services. In the event of a catastrophic event with respect to one or more of these systems or facilities, we may experience an extended period of system unavailability, which could result in substantial costs to remedy those problems or negatively impact our relationship with our clients, our business, results of operations and financial condition. Any disruption in the network access, telecommunications or co-location services provided by third-party providers or any failure of or by third-party providers' systems or our own systems to handle current or higher volume of use could significantly harm our business. We exercise limited control over third-parties, which increases our vulnerability to problems with services they provide. We have experienced failures by third-party providers' systems which resulted in a limited interruption of our system. For example, in February 2024, Change Healthcare, a subsidiary of UnitedHealth Group and the largest clearinghouse for medical claims in the U.S., was the subject of a cyberattack that required it to take offline its computer systems that handled electronic payments and insurance claims. One of our clearinghouse clients, for whom we act as merchant processor for patient payments, contracted with Change Healthcare to operate their online payment portal and handle print communications. As a result of the outage, the online payment portal was impacted, resulting in a decline in our patient payment volume during the three months ended April 30, 2024. Similar events could occur in the future, and the impact to our business could be material. Any errors, failures, interruptions or delays experienced in connection with these third-party technologies and information services or our own systems could negatively impact our relationships with clients and adversely affect our business and could expose us to third-party liabilities. The reliability and performance of our Internet connection may be harmed by increased usage or by denial-of-service attacks. The Internet has experienced a variety of outages and other delays as a result of damages to portions of its infrastructure, and it could face outages and delays in the future. These outages and delays could reduce the level of Internet usage as well as the availability of the Internet to us for delivery of our Internet-based services.

Our software, content and services are used to assist medical groups, health systems and payers with managing the patient intake process and to empower patients and healthcare organizations as they navigate the challenges of an evolving healthcare system. If our software, content or services fail to provide accurate and timely information or are associated with errors or malfunctions, then healthcare services clients or patients could assert claims against us that could result in substantial costs to us, harm our reputation in the industry and cause demand for our services to decline. Our proprietary service is utilized in patient intake and engagement and to help healthcare services organizations better understand patients through medical histories, insurance benefits and socio-economic indicators. If our service fails to provide accurate and timely information, or if our content or any other element of our service is associated with errors or malfunctions, we could have liability to healthcare services clients or patients. We attempt to limit by contract our liability for damages and to require that our clients assume responsibility for medical care and approve key system rules, protocols and data. Despite these precautions, the allocations of responsibility and limitations of liability set forth in our contracts may not be enforceable, may not be binding upon patients or may not otherwise protect us from liability for damages. Our proprietary software may contain errors or failures that are not detected until after the software is introduced or updates and new versions are released. It is challenging for us to test our software for all potential problems because it is difficult to simulate the wide variety of computing environments or methodologies that our clients may deploy or rely upon. From time to time we have discovered defects or errors in our software, and such defects or errors can be expected to appear in the future. Defects and errors that are not timely detected and remedied could expose us to risk of liability to healthcare services clients and patients and cause delays in introduction of new services, result in increased costs and diversion of development resources, require design modifications or decrease market acceptance or client satisfaction with our services. If any of these risks occur, they could materially adversely affect our business, financial condition or results of operations.

Our business depends on the continuing operation of our technology infrastructure and systems. Proprietary software development is time-consuming, expensive and complex, and may involve unforeseen difficulties. We may encounter technical obstacles in enhancing our existing software and developing new software, and it is possible that we may discover additional problems that prevent our proprietary applications from operating properly. In addition, any damage to or failure of our existing systems could result in interruptions in our ability to deliver our products and services. Interruptions in our service could reduce our revenue and profits, and our reputation could be damaged if people believe our systems are unreliable. Our systems and operations are vulnerable to damage or interruption from natural disasters or man-made problems, such as earthquakes, floods, fires, political unrest, acts of terrorism, armed conflict or war (such as the current Russian invasion of Ukraine and the conflict in the Middle East), power loss, break-ins, hardware or software failures, telecommunications failures, computer viruses or other attempts to harm our systems and similar events. Any unscheduled interruption in our service would result in an immediate loss of revenue. Frequent or persistent system failures that result in the unavailability of our solutions or slower response times could reduce our clients' ability to access our solutions, impair our delivery of our products and services and harm the perception of our solutions as reliable, trustworthy and consistent. Our insurance policies provide only limited coverage for service interruptions and may not adequately compensate us for any losses that may occur due to any failures or interruptions in our systems.

Issues in the development and use of artificial intelligence, combined with an uncertain regulatory environment, may result in reputational harm, liability, or other adverse consequences to our business operations. As with many technological innovations, artificial intelligence presents risks and challenges that could impact our business. We may adopt and integrate generative artificial intelligence tools into our systems for specific use cases reviewed by legal and information security. Our vendors may incorporate generative artificial intelligence tools into their offerings without disclosing this use to us, and the providers of these generative artificial intelligence tools may not meet existing or rapidly evolving regulatory or industry standards with respect to privacy and data protection and may inhibit our or our vendors' ability to maintain an adequate level of service and experience. If we, our vendors, or our third-party partners experience an actual or perceived breach or privacy or security incident because of the use of generative artificial intelligence, we may lose valuable intellectual property and confidential information and our reputation and the public perception of the effectiveness of our security measures could be harmed. Further, bad actors around the world use increasingly sophisticated methods, including the use of artificial intelligence, to engage in illegal activities involving the theft and misuse of personal information, confidential information, and intellectual property. Any of these outcomes could damage our reputation, result in the loss of valuable property and information, and adversely impact our business. In addition, our competitive position could be harmed if we fail to adopt and integrate AI effectively into our operations and product offerings. The successful implementation of AI technology requires significant investment in talent, infrastructure, and ongoing research and development. Misjudging the convergence of AI with our business needs may lead to inefficiencies or obsolescence of our services or products. Additionally, AI systems can present risks of unintended bias, errors, or regulatory compliance challenges that could affect our reputation and legal standing. Our future success will depend, in part, on our ability to leverage AI responsibly and effectively.

We depend on our existing clients' satisfaction with our products and services. We expect to derive a significant portion of our revenue from renewal of existing clients' contracts and sales of additional applications and services to existing clients. As part of our growth strategy, we have recently focused on expanding our services amongst current clients. As a result, achieving a high client retention rate, expanding within clients and selling additional applications and services are critical to our future business, revenue growth and results of operations. We also believe that maintaining and enhancing our reputation and brand recognition is critical to our relationships with existing clients and the patients that they serve and to our ability to attract new clients. The promotion of our brand may require us to make substantial investments, and we anticipate that, as our market becomes increasingly competitive, these marketing initiatives may become increasingly difficult and expensive. In addition, the loss or dissatisfaction of any client could substantially harm our brand and reputation, inhibit widespread adoption of our solutions and impair our ability to attract new clients. Factors that may affect our client satisfaction and our ability to sell additional applications and services include, but are not limited to, the following: - the price, performance and functionality of our solutions;- patient acceptance and adoption of services and utilization of our payment processing tools;- the availability, price, performance and functionality of competing solutions;- our ability to develop and sell complimentary applications and services;- the stability, performance and security of our hosting infrastructure and hosting services;- changes in healthcare laws, regulations or trends;- the business environment of our clients including healthcare staffing shortages and headcount reductions by our clients; and - our ability to maintain and enhance our reputation and brand recognition. We typically enter into annual contracts with our clients, which have a stated initial term of one year and automatically renew for one-year subsequent terms. Most of our clients have no obligation to renew their subscriptions for our solutions after the initial term expires. In addition, our clients may negotiate terms less advantageous to us upon renewal, which may reduce our revenue from these clients and may decrease our annual revenue. If our clients fail to renew their contracts, renew their contracts upon less favorable terms or at lower fee levels or fail to purchase new products and services from us, our revenue may decline or our future revenue growth may be constrained. Should any of our clients terminate their relationship with us after implementation has begun, we would not only lose our time, effort and resources invested in that implementation, but we would also have lost the opportunity to leverage those resources to build a relationship with other clients over that same period of time.

We provide a payments solution for the secure processing of patient payments. Our payment processing tools can connect to multiple clearinghouses and can also connect directly with patients. We have developed partnerships with primary credit card processors in the United States to facilitate payment processing, and we are registered with Visa, MasterCard, American Express, Discover and other card networks as a service provider (payment facilitator or the equivalent) for acquiring member institutions. These card networks set the operating rules and standards with which we must comply. The termination of our status as a certified service provider, a decision by the card networks to disallow payment facilitators or bar us from serving as such, or any changes in network rules or standards, including interpretation and implementation of the operating rules or standards, that increase the cost of doing business or limit our ability to provide transaction processing services to our clients or partners, could adversely affect our business, financial condition or results of operations. We and our clients are subject to card network rules that could subject us or our clients to a variety of fines or penalties that may be levied by card networks for certain acts or omissions by us or our clients. If a client or sales partner fails to comply with the applicable requirements of card networks, we could be subject to a variety of fines or penalties that may be levied by card networks. We may have to bear the cost of such fines or penalties if we cannot collect them from the applicable client or sales partner, resulting in lower earnings or losses for us. Our violation of the network rules may result in the termination or suspension of our registration with the affected network. The termination of our registration, including a card network barring us from acting as a payment facilitator, or any changes in card network rules that would impair our registration, could require us to stop providing payment processing services relating to the affected card network, which would adversely affect our ability to conduct our business. In addition, the rules of card networks are set by their boards, which may be influenced by card issuers. Many banks directly or indirectly sell processing services to clients in competition with us. These banks could attempt, by virtue of their influence on the networks, to alter the networks' rules or policies to the detriment of non-members, including us.

We rely on third-party suppliers and contract manufacturers for the materials and components used to operate our solutions and product offerings, and to manufacture and assemble our hardware, including the PhreesiaPad and our on-site kiosks, which we refer to as Arrivals Kiosks. We rely on a sole supplier, for example, as the manufacturer of our PhreesiaPads and Arrivals Kiosks, which help drive our business and support our subscription, payment processing and life sciences offerings. In connection with these services, our supplier builds new hardware for us and refurbishes and maintains existing hardware. Any of our other suppliers or third-party contract manufacturers may be unwilling or unable to supply the necessary materials and components or manufacture and assemble our products reliably and at the levels we anticipate or that are required by the market. Our ability to supply our products commercially and to develop any future products depends, in part, on our ability to obtain these materials, components and products in accordance with regulatory requirements and in sufficient quantities for commercialization. If we are required to change contract manufacturers due to any change in or termination of our relationships with these third parties, or if our manufacturers are unable to obtain the materials they need to produce our products at consistent prices or at all, (including, without limitation, because of the effect of tariffs or other trade restrictions), we may lose sales, experience manufacturing or other delays, incur increased costs or otherwise experience impairment to our client relationships. We cannot guarantee that we will be able to establish alternative relationships on similar terms, without delay or at all. If our third-party suppliers fail to deliver the required quantities of materials on a timely basis and at commercially reasonable prices, and we are unable to find one or more replacement suppliers capable of production at a substantially equivalent cost in substantially equivalent volumes and quality on a timely basis, the supply of our products to clients and the development of any future products will be delayed, limited or prevented, which could have material adverse effect on our business, financial condition and results of operations.