The healthcare industry is heavily regulated and is constantly evolving due to the changing political, legislative and regulatory landscapes. In some instances, the impact of these regulations on our business is direct to the extent that we are subject to these laws and regulations ourselves. However, these regulations also impact our business indirectly as, in a number of circumstances, our solutions, devices and services must be capable of being used by our clients in a way that complies with those laws and regulations, even though we may not be directly regulated by the specific healthcare laws and regulations. There is a significant number of wide-ranging regulations, including regulations in the areas of healthcare fraud, e-prescribing, claims processing and transmission, medical devices, the security and privacy of patient data, the ARRA meaningful use program, patient access rights and interoperability standards, that may be directly or indirectly applicable to our operations and relationships or the business practices of our clients. Specific areas that are subject to increased regulation include, but are not limited to, the following:
Healthcare Fraud. Federal and state governments continue to enhance regulation of and increase their scrutiny over practices potentially involving healthcare fraud, waste and abuse by healthcare providers whose services are reimbursed by Medicare, Medicaid and other government healthcare programs. Our healthcare provider clients are subject to laws and regulations regarding fraud and abuse that, among other things, prohibit the direct or indirect payment or receipt of any remuneration for patient referrals, or arranging for or recommending referrals or other business paid for in whole or in part by these federal or state healthcare programs. Federal enforcement personnel have substantial funding, powers and remedies to pursue suspected or perceived fraud and abuse. The effect of this government regulation on our clients is difficult to predict. Many of the regulations applicable to our clients and that may be applicable to us, including those relating to marketing incentives offered in connection with medical device sales, may be interpreted or applied by a prosecutorial, regulatory or judicial authority in a manner that could broaden their applicability to us or require our clients to make changes in their operations or the way in which they deal with us. If such laws and regulations are determined to be applicable to us and if we fail to comply with any applicable laws and regulations, we could be subject to civil and criminal penalties, sanctions or other liabilities, including exclusion from government healthcare programs, which could have a material adverse effect on our business, results of operations and financial condition. Even an unsuccessful challenge by a regulatory or prosecutorial authority of our activities could result in adverse publicity, could require a costly response from us and could adversely affect our business, results of operations and financial condition.
E-Prescribing. The use of our solutions by physicians for electronic prescribing and electronic routing of prescriptions via the Surescripts network to pharmacies is governed by federal and state laws. States have differing regulations that govern the electronic transmission of certain prescriptions and prescription requirements. Standards adopted by the National Council for Prescription Drug Programs and regulations adopted by the CMS related to "EPrescribing and the Prescription Drug Program" set forth implementation standards for the transmission of electronic prescriptions. These standards are detailed and broad, and cover not only routing transactions between prescribers and pharmacies, but also electronic eligibility, formulary and benefits inquiries. In general, regulations in this area can be burdensome and evolve regularly, meaning that any potential benefits to our clients from utilizing such solutions and services may be superseded by a newly-promulgated regulation that adversely affects our business model. Our efforts to provide solutions that enable our clients to comply with these regulations could be time consuming and expensive.
Claims Processing and Transmission. Our system electronically transmits medical claims by physicians to patients' payors for immediate approval and reimbursement. In addition, we offer business management services that include the manual and electronic processing and submission of medical claims by healthcare providers to patients' payors for approval and reimbursement. Federal and state laws provide that it is a violation for any person to submit, or cause to be submitted, a claim to any payor, including, without limitation, Medicare, Medicaid and all private health plans and managed care plans, seeking payment for any service or product that overbills or bills for items that have not been provided to the patient. The federal civil False Claims Act, which may be enforced through civil whistleblower or qui tam actions, imposes significant civil penalties, treble damages and potential exclusion from government health care programs against individuals or entities for, among other things, knowingly presenting, or causing to be presented, to the federal government, claims for payment that are false or fraudulent or for making a false record or statement material to an obligation to pay the federal government or for knowingly and improperly avoiding, decreasing or concealing an obligation to pay money to the federal government. There is also the federal Criminal False Claims Act, which is similar to the federal Civil False Claims Act and imposes criminal liability on those that make or present a false, fictitious or fraudulent claim to the federal government.
We have in place policies and procedures that we believe assure that all claims that are transmitted by our system and through our services are accurate and complete, provided that the information given to us by our clients is also accurate and complete. If, however, we do not follow those procedures and policies, or they are not sufficient to prevent inaccurate claims from being submitted, we could be subject to substantial liability including, but not limited to, civil and criminal liability. Additionally, any such failure of our billing and collection services to comply with these laws and regulations could adversely affect demand for our services and could force us to expend significant capital, research and development, and other resources to address the failure.
Where we are permitted to do so, we calculate charges for our billing and collection services based on a percentage of the collections that our clients receive as a result of our services. To the extent that violations or liability for violations of these laws and regulations require intent, it may be alleged that this percentage calculation provides us or our employees with incentive to commit or overlook fraud or abuse in connection with submission and payment of reimbursement claims. CMS has stated that it is concerned that percentage-based billing services may encourage billing companies to commit or to overlook fraudulent or abusive practices.
A portion of our business involves billing Medicare claims on behalf of our clients. In an effort to combat fraudulent Medicare claims, the federal government offers rewards for reporting of Medicare fraud which could encourage others to subject us to a charge of fraudulent claims, including charges that are ultimately proved to be without merit.
As discussed below, the HIPAA security and privacy standards also affect our claims transmission services, since those services must be structured and provided in a way that supports our clients' HIPAA compliance obligations.
Regulation of Medical Devices. The United States FDA has determined that certain of our solutions, such as our ImageLink and Blood Administration products, are medical devices that are actively regulated under the Federal Food, Drug and Cosmetic Act, as amended. If other of our solutions are deemed to be actively regulated medical devices by the FDA, we could be subject to extensive requirements governing pre- and post-marketing activities including registration of the applicable manufacturing facility and software and hardware products, application of detailed record-keeping and manufacturing standards, application of the medical device excise tax, and FDA approval or clearance prior to marketing. Complying with these medical device regulations is time consuming and expensive, and our marketing and other sales activities could be subject to unanticipated and significant delays. Further, it is possible that the FDA may become more active in regulating software and medical devices that are used in the healthcare industry. If we are unable to obtain the required regulatory approvals for any such software or medical devices, our short- to long-term business plans for these solutions or medical devices could be delayed or canceled and we could face FDA refusal to grant pre-market clearance or approval of products; withdrawal of existing clearances and approvals; fines, injunctions or civil penalties; recalls or product corrections; production suspensions; and criminal prosecution. FDA regulation of our products could increase our operating costs, delay or prevent the marketing of new or existing products, and adversely affect our revenue growth.
Security and Privacy of Patient Information. Federal, state and local laws regulate the privacy and security of patient records and the circumstances under which those records may be released. These regulations govern both the disclosure and use of confidential patient medical record information and require the users of such information to implement specified security and privacy measures. United States regulations currently in place governing electronic health data transmissions continue to evolve and are often unclear and difficult to apply.
In the United States, HIPAA regulations require national standards for some types of electronic health information transactions and the data elements used in those transactions, security standards to ensure the integrity and confidentiality of health information, and standards to protect the privacy of individually identifiable health information. Covered entities under HIPAA, which include healthcare organizations such as our clients, and our claims processing, transmission and submission services, are required to comply with the privacy standards, transaction regulations and security regulations. Moreover, HITECH and associated regulatory requirements extend many of the HIPAA obligations, formerly imposed only upon covered entities, to business associates as well. As a business associate of our clients who are covered entities, we are in most instances already contractually required to ensure compliance with the HIPAA regulations as they pertain to the handling of covered client data. However, the extension of these HIPAA obligations to business associates by law has created a direct liability risk related to the privacy and security of individually identifiable health information.
Evolving HIPAA and HITECH-related laws or regulations could restrict the ability of our clients to obtain, use or disseminate patient information. This could adversely affect demand for our solutions and devices if they are not re-designed in a timely manner in order to meet the requirements of any new interpretations or regulations that seek to protect the privacy and security of patient data or enable our clients to execute new or modified healthcare transactions. We may need to expend additional capital and software development and other resources to modify our solutions to address these evolving data security and privacy issues. Furthermore, our failure to maintain the confidentiality of sensitive personal information in accordance with the applicable regulatory requirements could damage our reputation and expose us to claims, fines and penalties.
Federal and state statutes and regulations have granted broad enforcement powers to regulatory agencies to investigate and enforce compliance with these privacy and security laws and regulations. Federal and state enforcement personnel have substantial funding, powers and remedies to pursue suspected or perceived violations. If we fail to comply with any applicable laws or regulations, we could be subject to civil penalties, sanctions or other liability. Enforcement investigations, even if meritless, could have a negative impact on our reputation, cause us to lose existing clients or limit our ability to attract new clients.
ARRA Meaningful Use Program. The ARRA initially required "meaningful use of certified electronic health record technology" by healthcare providers by 2015 in order to receive limited incentive payments and to avoid related reduced reimbursement rates for Medicare claims. Related standards and specifications are subject to interpretation by the entities designated to certify such technology. While a combination of our solutions has been certified as meeting stage one, stage two, and stage three standards for certified electronic health record technology, the regulatory standards to achieve certification will continue to evolve over time. We may incur increased development costs and delays in delivering solutions if we need to upgrade our software or healthcare devices to be in compliance with these varying and evolving standards. In addition, further delays in interpreting these standards may result in postponement or cancellation of our clients' decisions to purchase our software solutions. If our software solutions are not compliant with these evolving standards, our market position and sales could be impaired and we may have to invest significantly in changes to our software solutions.
Interoperability Standards. Our clients are concerned with and often require that our software and systems be interoperable with other third party healthcare information technology systems. Market forces or governmental or regulatory authorities could create software interoperability standards that would apply to our software and systems, and if our software and systems are not consistent with those standards, we could be forced to incur substantial additional development costs. For example, the HITECH Act contains interoperability standards that healthcare providers are required to adhere to in order to receive stimulus funds from the federal government under the ARRA. Compliance with these and related standards is becoming a competitive requirement and, although a combination of our solutions has been certified as meeting all such required interoperability standards to date, maintaining such compliance with these varying and evolving rules may result in increased development costs and delays in upgrading our client software and systems. To the extent these rules are narrowly construed, subsequently changed or supplemented, or that we are delayed in achieving certification under these evolving rules for applicable products, our clients may postpone or cancel their decisions to purchase or implement our software and systems.
As it relates specifically to interoperability, we are a member of CommonWell Health Alliance ("CommonWell"), a not-for-profit trade association comprised of healthcare information technology vendors devoted to the notion that patient data should be safely, securely and immediately available to patients and healthcare providers to support better care delivery, regardless of where that care occurs. CommonWell is committed to fostering standards that make this possible, and to having healthcare information technology companies embed these capabilities natively and cost effectively into their EHR systems. Despite our membership in CommonWell, there is no guarantee that we will successfully manage the interoperability of our software and systems with third-party health IT providers.
Patient Access Rights. In March 2020, the Office of National Coordinator for Health Information Technology ("ONC") of the U.S. Department of Health and Human Services ("HHS") released the "21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, Final Rule." The rule implements several of the key interoperability provisions included in the 21st Century Cures Act. Specifically, it calls on developers of certified EHRs and health IT products to adopt standardized APIs, which will help allow individuals to securely and easily access structured and unstructured EHI formats using smartphones and other mobile devices. This provision and others included in the final rule create a potentially lengthy list of certification and maintenance of certification requirements that developers of EHRs and other health IT products have to meet in order to maintain approved federal government certification status. Meeting and maintaining this certification status could require additional development costs.
The ONC rule also implements the information blocking provisions of the 21st Century Cures Act, including identifying reasonable and necessary activities that do not constitute information blocking. Under the 21st Century Cures Act, the HHS has the regulatory authority to investigate and assess civil monetary penalties of up to $1,000,000 against health IT developers and/or providers found to be guilty of "information blocking." This oversight and authority to investigate claims of information blocking creates significant risks for us and our clients and could potentially create substantial new compliance costs. The HHS may impose penalties for information blocking that has occurred after September 1, 2023, and the ONC and the HHS released a final rule on June 24, 2024 listing certain disincentives for actors that conduct information blocking.
Standards for Submission of Healthcare Claims. CMS requires all providers, payors, clearinghouses and billing services to utilize patient codes for reporting medical diagnosis and inpatient procedures, referred to as ICD-10 codes, when submitting claims for payment. ICD-10 codes affect medical diagnosis and inpatient procedure coding for everyone covered by HIPAA, not just those who submit Medicare or Medicaid claims. Claims for services must use ICD-10 codes for medical diagnosis and inpatient procedures or they will not be paid. While we have successfully implemented the use of ICD-10 codes within our products and services since their initial mandate in 2015, the possibility exists for similar future mandates by CMS. If our products and services do not accommodate CMS mandates at any future date, clients may cease to use those products and services that are not compliant and may choose alternative vendors and products that are compliant. This could adversely impact future revenues.
Finally, with the change in presidential administrations in 2025, there is substantial uncertainty as to how, if at all, the new administration will seek to modify or revise the requirements and policies of HHS, CMS, the FDA and other regulatory agencies with jurisdiction over our products and services.