Numerous complex federal and state laws and regulations govern the Processing of personal information, including PHI, personal health records, and payment card data. State laws may be even more restrictive, are not necessarily preempted by HIPAA, and may be subject to varying interpretations by the courts and government agencies. These laws and regulations, including their interpretation by governmental agencies, are subject to frequent change and could have a negative impact on our business. Further, these varying interpretations could create complex compliance issues for us and our partners, potentially expose us to additional expense, liability, and penalties, negatively impact our client relationships, and lead to adverse publicity, and these risks could adversely affect our business in the short and long term. See Part I, Item 1, "Business - Regulation - Federal and state health information privacy and security laws."
We are a "covered entity" as defined under HIPAA when we provide our clearinghouse services, and we also are a "business associate" as defined under HIPAA for other covered entities when we provide revenue cycle management and other solutions. HHS OCR may impose civil penalties on both covered entities and business associates for their failure to comply with HIPAA requirements. These requirements are subject to change. In December 2024, HHS OCR issued a notice of proposed rulemaking on the HIPAA Security Rule, which is specifically aimed at strengthening cybersecurity of electronic PHI, and we are monitoring this proposed rulemaking. The U.S. Department of Justice is responsible for criminal prosecutions under HIPAA. Penalties can vary significantly depending on a number of factors, such as whether the covered entity's or business associate's failure to comply was due to willful neglect. Violations of HIPAA could result in criminal penalties of up to $250,000 and ten years in prison and civil penalties of up to $68,928 for each violation, with a cap of $2,067,813 for violations of the same standard per calendar year, administrative fines and penalties, and/or additional reporting and oversight obligations if we are required to enter into a resolution agreement and corrective action plan. A single breach incident can result in violations of multiple standards over many years, resulting in potential penalties in excess of $2,067,813 per year. For example, HIPAA violations at one covered entity resulted in total penalties of $16 million in 2018. HIPAA also authorizes state attorneys general to file suit on behalf of the residents of their states. While HIPAA does not create a private right of action that would allow individuals to sue in civil court for HIPAA violations, its standards have been used as the basis for the duty of care in state civil suits, such as those for recklessness in misusing individuals' health information.
If we are subject to investigation or litigation related to an alleged violation of HIPAA, then we may elect to resolve the matter by accepting additional reporting and oversight obligations under a resolution agreement and corrective action plan with HHS to settle allegations of HIPAA non-compliance. Such a settlement could require payment of a civil penalty or damages, corrective action, and/or monitoring of our business by a third party.
The security measures that we and our third-party vendors and subcontractors have in place to ensure compliance with privacy and data protection laws may not protect our facilities and systems from security breaches or incidents, acts of vandalism or theft, computer viruses, misplaced or lost data, malfeasance, programming and human errors, or other similar events. We may also be liable for privacy and security breaches and failures of our business associates and subcontractors. Even though we provide for appropriate protections through our agreements with our subcontractors, we still have limited control over their actions and practices. A breach of the privacy or security of individually identifiable health information by a subcontractor may result in an enforcement action, including criminal and civil liability, against us. We are not able to predict the extent of the impact such incidents may have on our business. Our failure to comply with HIPAA and other health privacy laws may also result in criminal and civil liability. Enforcement actions against us could be costly and could interrupt regular operations, which may adversely affect our business. While we have not received any notices of violation of the applicable privacy and data protection laws and believe we are in compliance with such laws, there can be no assurance that we will not receive such notices in the future.
Our AI platform and the data it uses may also subject us to additional risks. We use de-identified claims data to train our revenue cycle management AI. In order to de-identify PHI for our AI, we must have explicit rights and permissions to do so from our clients. If we do not de-identify PHI in accordance with HIPAA's safe harbor method, or if we de-identify PHI for such purposes without having the rights or permissions to do so, a regulator or client may consider such actions to be a breach of HIPAA's requirements or of contractual requirements, we may be subject to criminal and civil liability or other actions, and our clients may not renew, or may terminate, their contracts with us.
Many states are also enacting legislation on the use, creation, and deployment of AI. For example, in March 2024, Utah enacted the Artificial Intelligence Policy Act, which requires disclosures to consumers about the use of AI in certain circumstances, including advance AI use disclosures by physicians and individuals in other regulated occupations. In Connecticut, proposed legislation would regulate the development, deployment, and use of certain AI systems. The Connecticut bill would address algorithmic discrimination, decisions with respect to healthcare services, and studies on the use of AI by healthcare providers. Developers of generative AI systems would be required to complete impact assessments and disclose measures the developer has taken to mitigate any known or reasonably foreseeable risks of algorithmic discrimination that may arise from deployment of certain "high-risk" AI systems that are developed and marketed to make consequential decisions, such as decisions that have a material legal or similarly significant effect on consumer access to certain services, including healthcare and financial services. Other states have introduced similar bills.
Even when HIPAA does not apply, according to the Federal Trade Commission (the "FTC"), failing to take appropriate steps to keep consumers' personal information secure constitutes unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act (the "FTCA"), 15 U.S.C. § 45(a). The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Individually identifiable health information is considered sensitive data that merits stronger safeguards. The FTC's current guidance for appropriately securing consumers' personal information is similar to what is required by the HIPAA security regulations, but this guidance may change in the future, resulting in increased complexity and the need to expend additional resources to ensure we are complying with the FTCA. For information that is not subject to HIPAA and is deemed to be "personal health records," the FTC may also impose penalties for violations of the Health Breach Notification Rule ("HBNR") to the extent we are considered a "personal health record-related entity" or "third party service provider." The FTC has taken several enforcement actions under HBNR this year and indicated that the FTC will continue to protect consumer privacy through greater use of the agency's enforcement authorities. As a result, we expect even greater scrutiny by federal and state regulators, partners, and consumers of our Processing of health information, particularly with our AI-enabled solutions. Additionally, federal and state consumer protection laws are increasingly being applied by the FTC and states' attorneys general to regulate the Processing of personal information, through websites or otherwise, and to regulate the presentation of website content.
Other federal and state laws that restrict the use and protect the privacy and security of personally identifiable information are, in many cases, not preempted by HIPAA and may be subject to varying interpretations by the courts and government agencies. These varying interpretations can create complex compliance issues for us and our partners and potentially expose us to additional expense, adverse publicity, and liability, any of which could adversely affect our business. Recently, several states have enacted consumer health data laws, which generally require consent for the collection, use, or sharing of any "consumer health data," which is typically defined as personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health. Other states have enacted similar bills.
Future laws, regulations, standards, obligations, amendments, and changes in the interpretation of existing laws, regulations, standards, and obligations could impair our or our clients' ability to Process information relating to consumers, which could decrease demand for our platform, increase our costs, and impair our ability to maintain and grow our client base and to increase our revenue. New laws, amendments to or re-interpretations of existing laws and regulations, industry standards, and contractual obligations could likewise impair our or our clients' ability to collect, use, or disclose information relating to patients or consumers, which could decrease demand for our platform offerings, increase our costs, and impair our ability to maintain and grow our client base and to increase our revenue. Accordingly, we may find it necessary or desirable to fundamentally change our business activities and practices or to expend significant resources to modify our software or platform and otherwise adapt to these changes.
We are also subject to self-regulatory standards and industry certifications that may legally or contractually apply to us. These include the Payment Card Industry Data Security Standards ("PCI-DSS") and AICPA Systems and Organization Controls 2 ("SOC 2"), with which we are currently compliant, and HITRUST certification, which we currently maintain. In the event we fail to comply with the PCI-DSS or fail to maintain our SOC 2 or HITRUST certification, we could be in breach of our obligations under client and other contracts, fines and other penalties could result, and we may suffer reputational harm and damage to our business. Further, our clients may expect us to comply with more stringent privacy, data storage, and data security requirements than those imposed by laws, regulations, or self-regulatory requirements, and we may be obligated contractually to comply with additional or different standards relating to our handling or protection of data.
Any failure or perceived failure by us to comply with domestic laws or regulations, industry standards, or other legal obligations, or any actual or suspected breach, or privacy or security incident, whether or not resulting in unauthorized access to, or acquisition, release, or transfer of, personally identifiable information or other data, may result in governmental enforcement actions and prosecutions, private litigation, fines and penalties, or adverse publicity, and could cause our clients to lose trust in us, which could have an adverse effect on our reputation and business. We may be unable to make such changes and modifications in a commercially reasonable manner or at all, and our ability to develop new products and features could be limited. Any of these developments could harm our business, financial condition, and results of operations. Privacy and data security concerns, whether or not valid, may inhibit retention of our platform or services by existing clients or adoption of our platform or services by new clients.