We and the TOI PCs collect, receive, generate, use, process, and store significant and increasing volumes of sensitive information, such as employee information, individually identifiable health information and other personally identifiable information. We and the TOI PCs are subject to a variety of federal and state laws and regulations, as well as contractual obligations, relating to the collection, use, storage, retention, security, disclosure, transfer, return, destruction and other processing of personal information, including health-related information. Enforcement actions and consequences for noncompliance with such laws, directives and regulations are rising, and the regulatory framework for privacy, data protection and data transfers is complex and rapidly evolving and is likely to remain uncertain for the foreseeable future.
In the United States, numerous such federal and state laws and regulations, including data breach notification laws, health information privacy laws, and consumer protection laws and regulations, including those that govern the collection, use, disclosure, and protection of health-related and other personal information, could apply to our operations or the operations of the TOI PCs. For example, the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and regulations implemented thereunder, which we refer to collectively as HIPAA, imposes privacy, security and breach notification obligations on certain health care providers, health plans, and health care clearinghouses, known as covered entities, as well as business associates that perform certain services that involve creating, receiving, maintaining or transmitting individually identifiable health information for or on behalf of such covered entities. HIPAA requires covered entities, such as the TOI PCs, and business associates, such as us, to develop and maintain policies with respect to the protection of, use and disclosure of protected health information, or PHI, including the adoption of administrative, physical and technical safeguards to protect such information, and certain notification requirements in the event of a data breach.
Entities that are found to be in violation of HIPAA as the result of a breach of unsecured PHI, a complaint about privacy practices or an audit by HHS may be subject to significant civil, criminal and administrative fines and penalties and/or additional reporting and oversight obligations if required to enter into a resolution agreement and corrective action plan with HHS to settle allegations of HIPAA non-compliance. HIPAA also authorizes state Attorneys General to file suit on behalf of their residents. Courts may award damages, costs and attorneys' fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for the duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI.
Numerous other state and federal laws, including consumer protection laws and regulations, govern the collection, dissemination, use, access to, confidentiality, security and processing of personal information, including health-related information, some of which are more stringent than HIPAA and many of which differ from each other in significant ways and may not have the same effect, thus complicating compliance efforts. In addition, these laws and regulations in many cases are more restrictive than, and may not be preempted by, HIPAA and may be subject to varying interpretations by courts and government agencies. Laws in all 50 states and other United States territories require businesses to provide notice to individuals whose personal information has been disclosed as a result of a data breach. Such laws are not always consistent, and compliance in the event of a widespread data breach is costly and may be challenging.
States are also constantly amending existing laws, requiring attention to frequently changing requirements, and we expect these changes to continue. For example, in June 2018, California enacted the California Consumer Privacy Act, or the CCPA, which became effective on January 1, 2020, and, among other things, requires covered companies to provide disclosures to California consumers, and affords such consumers certain data protection rights, including the ability to opt out of certain sales of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of personal information, which may increase data breach litigation. While the CCPA includes certain exceptions for health-related information, including PHI, it still may require us to modify our data practices and policies and to incur substantial costs and expenses in an effort to comply. Further, the California Privacy Rights Act, or CPRA, generally went into effect on January 1, 2023 and significantly amends the CCPA. The CPRA imposes additional data protection obligations on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt-outs for certain uses of sensitive data. It also created a new California data protection agency authorized to issue substantive regulations, which could result in increased privacy and information security enforcement. Additional compliance investment and potential business process changes may be required. Similar laws have passed in Virginia, Colorado, Connecticut and Utah, and have been proposed in other states and at the federal level, reflecting a trend toward more stringent privacy legislation in the United States. The enactment of such laws could produce potentially conflicting requirements that would make compliance challenging.
As required by certain laws, we publicly post documentation regarding our privacy practices concerning the collection, processing, use and disclosure of certain data. The publication of our privacy policy and other documentation that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. In addition, although we endeavor to comply with our published policies and documentation, individuals could allege we have failed to do so, or we may at times actually fail to do so despite our efforts. Any failure by us, our third-party service providers or other parties with whom we do business to comply with this documentation or with laws or regulations applicable to our business could result in proceedings against us by governmental entities or others.
In addition, the Federal Trade Commission, or the FTC, expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Our failure to take any steps perceived by the FTC as appropriate to protect consumers' personal information may result in claims by the FTC that we have engaged in unfair or deceptive acts or practices in violation of Section 5(a) of the FTC Act. State consumer protection laws provide similar causes of action for unfair or deceptive practices for alleged privacy, data protection and data security violations.
In addition to government regulation, privacy advocates and industry groups may propose self-regulatory standards from time to time. These and other industry standards may legally or contractually apply to us, or we may elect to comply with such standards or to facilitate our payors' compliance with such standards. We expect that there will continue to be new proposed laws and regulations concerning privacy, data protection, and information security, and we cannot yet determine the impact such future laws, regulations, and standards may have on our business. New laws, amendments to or re-interpretations of existing laws and regulations, industry standards, contractual and other obligations may require us to incur additional costs and restrict our business operations. Because the interpretation and application of laws, standards, contractual and other obligations relating to privacy and data protection are still uncertain and changing, it is possible that these laws, standards, contractual and other obligations may be interpreted and applied in a manner that is inconsistent with our data management practices, our privacy, data protection or data security policies or procedures, or the features of our technology. If so, in addition to the possibility of fines, lawsuits, regulatory investigations, imprisonment of company officials and public censure, other claims and penalties, significant costs for remediation and damage to our reputation, we could be required to fundamentally change our business activities and practices or modify our technology, any of which could adversely affect our business. We may be unable to make such changes or modifications in a commercially reasonable manner, or at all, and our ability to develop new software or provide new services could be limited.
Any inability to adequately address privacy, data protection or information security-related concerns, even if such concerns are unfounded, or to successfully negotiate privacy, data protection or information security-related contractual terms with customers, or to comply with applicable laws and regulations or our policies relating to privacy, data protection, and information security, could result in additional cost and liability to us, harm our reputation and brand, and adversely affect our business, financial condition and results of operations.