Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10-K reports, allowing investors to quickly identify new potential risks and opportunities.

Risk Factors - INNV

Item 1A. Risk Factors, “Risks Related to Regulation.”
Federal and State Regulation of PACE Providers
We are subject to a complex array of federal and state laws, regulations, and guidance, including legal requirements directly applicable to PACE providers as well as Medicare and Medicaid laws and regulations. These laws and guidance relate to our organizational structure, governance, fiscal soundness, marketing activities, participant enrollment and disenrollment, charges to participants, provision of healthcare and other services to participants, care planning activities, service delivery settings and maintenance of centers, participant rights, employment and contractual arrangements with healthcare providers and other staff, quality assessment and performance improvement activities, participant grievances and appeals, medical records documentation, compliance program activities, and other aspects of our operations and financing. As a PACE provider that provides qualified prescription drug coverage, we are also subject to Medicare laws, regulations, and requirements applicable to Medicare Part D plan sponsors.
The regulations and contractual requirements applicable to PACE providers are complex and subject to change, making it necessary for us to invest significant resources in complying with these requirements. Scrutiny through federal and state government audits, oversight and enforcement and the highly technical regulatory scheme in which we operate require us to allocate significant resources to our compliance efforts. In addition, new centers that we may acquire in the future may have less developed compliance and quality infrastructures, which may require us to allocate additional resources to making any required enhancements.
CMS and state regulatory authorities regularly audit our performance to determine our compliance with CMS’s regulations and our contracts with CMS and state authorities, and to assess the quality of the services we provide to our participants. Such audits have in the past, and may in the future, result in the identification of deficiencies in connection with our compliance with regulatory requirements, participant quality of care, care plan development and implementation, grievance and appeal processes, clinicians acting outside of their scope of practice, and other issues. See Item 1A. Risk Factors, “Risks Related to Regulation”.
Whether identified through such audits or other avenues, our failure to comply with the federal and state laws applicable to our business could result in significant or material retroactive adjustments to and/or withholding of capitation payments, fines, criminal liability, civil monetary penalties, requirements to make significant changes to our operations, corrective action plans, CMS imposed sanctions (including suspension or exclusion from participation in government programs), loss of contracts, or cessation of our services. Whether identified through such audits or other avenues, our failure to comply with the federal and state laws applicable to our business has and may continue to result in significant or material retroactive adjustments to and/or withholding of capitation payments, fines, criminal liability, civil monetary penalties, requirements to make significant changes to our operations, corrective action plans, CMS imposed sanctions (including suspension or exclusion from participation in government programs), loss of contracts, or cessation of our services.
Licensing Laws
We, our healthcare professionals, and our centers are subject to various federal, state and local licensure and certification requirements in connection with our provision of healthcare and other services. Specifically, in some of the states in which we operate, we are required to maintain licensure or certification as an adult day health center, home health or home care provider, diagnostic and treatment center, pharmacy provider, clinical laboratory and/or other type of facility, and our affiliated physicians and other clinicians also must be licensed or certified, as applicable, in the states in which they are providing services. In addition, certain of the states where we currently operate regulate the operations and financial condition of risk bearing providers and impose capital requirements, licensing or certification, governance controls, and other obligations. While the states in which we operate do not currently impose these regulations on entities solely bearing risk under the PACE program, these states may seek to license or otherwise regulate our operations and financial solvency in the future; further, states in which we expand in the future may impose similar requirements on our operations. In addition to state requirements, we, our centers, and our healthcare professionals are in some cases subject to federal licensing and certification requirements, such as certification or waiver under the Clinical Laboratory Improvement Amendments of 1988 for performing laboratory services and Drug Enforcement Administration registrations for prescribing, storing, and dispensing controlled substances.
Failure to comply with federal, state and local licensing and certification laws, regulations and standards could result in a variety of consequences, including cessation of our services, loss of our contracts, prior payments by payors being subject to recoupment, requirements to make significant changes to our operations, or civil or criminal penalties. We routinely take the steps we believe are necessary to retain or obtain all requisite licensure and operating authorities. While we endeavor to comply with federal, state and local licensing and certification laws and regulations and standards as we interpret them, the laws and regulations in these areas are complex, changing and often subject to varying interpretations. Any failure to satisfy applicable laws and regulations could have a material adverse impact on our business, results of operations, financial condition, cash flows and reputation.
Corporate Practice of Medicine
The laws and regulations relating to our operations vary from state to state, and some states in which we operate prohibit general business corporations, such as us, from practicing medicine, directly employing physicians, controlling physicians’ or other clinicians’ medical decisions, or engaging in some practices such as splitting professional fees with physicians or other clinicians. In certain states, we contract with physicians to provide healthcare services that are required to be provided by licensed physicians to comply with such requirements. While we believe that we are in substantial compliance with state laws prohibiting the corporate practice of medicine, regulatory agencies and other parties may assert that we could be engaged in the corporate practice of medicine. Further, many such state laws are often vague or have otherwise only been infrequently interpreted by courts or regulatory agencies and are subject to change. The consequences associated with violating corporate practice of medicine laws vary by state and may result in physicians or other clinicians being subject to disciplinary action, as well as forfeiture of revenues from government payors for services rendered. However, if allegations are successfully asserted before the appropriate judicial or administrative forums, we could be subject to adverse judicial or administrative penalties, certain of our contracts could be determined to be unenforceable, and we may be required to restructure our organization or our contractual arrangements. Any allegations or findings that we have violated these laws could have a material adverse impact on our reputation, business, results of operations and financial condition.
See Item 1A. Risk Factors, “Risks Related to Our Business—Laws regulating the corporate practice of medicine could restrict the manner in which we are permitted to conduct our business, and the failure to comply with such laws could subject us to penalties or require a restructuring of our business.”
Federal Anti-Kickback Statute
The federal Anti-Kickback Statute prohibits, among other things, knowingly and willfully offering, paying, soliciting, or receiving remuneration, directly or indirectly, in cash or kind, to induce or reward either the referral of an individual for, or the purchase, order or recommendation of, any good or service, for which payment may be made under federal and state healthcare programs such as Medicare and Medicaid. Court decisions have held that the statute may be violated even if only one purpose of remuneration is to induce referrals. In addition, a defendant need not have actual knowledge of, or the specific intent to violate, the federal Anti-Kickback Statute in order to have the requisite intent to support an Anti-Kickback Statute violation.
Federal criminal penalties for the violation of the federal Anti-Kickback Statute include imprisonment, fines and exclusion of the provider from future participation in federal healthcare programs, including Medicare and Medicaid. Violations of the federal Anti-Kickback Statute are punishable by imprisonment for up to ten years, fines of up to $100,000 per kickback or both. Larger fines can be imposed upon corporations under the provisions of the U.S. Sentencing Guidelines and the Alternate Fines Statute. Individuals and entities convicted of a criminal violation of the federal Anti-Kickback Statute are subject to mandatory exclusion from participation in Medicare, Medicaid, and other federal healthcare programs for a minimum of five years. Civil penalties for violation of the Anti-Kickback Statute include up to $120,816 in monetary penalties per violation, fines, or penalties of up to three times the total payments between the parties to the arrangement and potential exclusion from participation in Medicare and Medicaid. In addition, the federal Anti-Kickback Statute provides that any claims for items or services resulting from a violation of the federal Anti-Kickback Statute are considered false or fraudulent for purposes of the FCA, which is further discussed below. In addition, the ACA amended the federal Anti-Kickback Statute to provide that any claims for items or services resulting from a violation of the federal Anti-Kickback Statute are considered false or fraudulent for purposes of the FCA, which is further discussed below. Any findings that we have violated these laws could have a material adverse impact on our business, results of operations, financial condition, cash flows, reputation and stock price.
The federal Anti-Kickback Statute includes statutory exceptions and regulatory safe harbors that protect certain arrangements. These exceptions and safe harbors are voluntary. To receive safe harbor protection, business transactions and arrangements must meet all the requirements of a safe harbor. However, transactions and arrangements that do not satisfy all elements of a relevant safe harbor do not necessarily render the arrangement per se illegal. When an arrangement does not satisfy a safe harbor, the arrangement must be evaluated upon all facts and circumstances, on a case-by-case basis in light of among other things, the parties’ intent, and the arrangement’s potential for abuse. Arrangements that do not satisfy a safe harbor may be subject to greater scrutiny by enforcement agencies.
Additionally, some states have enacted statutes and regulations similar to the federal Anti-Kickback Statute. Unlike the federal Anti-Kickback Statute, however, certain state laws may be applicable regardless of the payor source for the patient. Moreover, these state laws may contain exceptions and safe harbors that are different from and/or more limited than those of federal law and that may vary from state to state.
We have entered, and may continue to enter, into several arrangements that may not fit squarely within enumerated safe harbors and could potentially implicate the Anti-Kickback Statute if the requisite intent were present, such as:
Joint Ventures. We operate two of our centers, our Sacramento, California center, and Orlando, Florida center, under joint ventures, each with a not-for-profit healthcare provider. We operate one of our centers, our Sacramento, California center, under a joint venture with a not-for-profit healthcare provider and may enter other joint ventures with providers and payors in the future. We may enter other joint ventures with providers and payors in the future. The Office of Inspector General (the “OIG”) of the Department of Health and Human Services (“HHS”) has warned healthcare entities in the past that certain joint venture relationships have a potential for abuse. We have endeavored to structure our joint ventures to satisfy as many elements of the applicable safe harbor for investments in small entities as we believe are commercially reasonable. We have endeavored to structure our joint venture to satisfy as many elements of the applicable safe harbor for investments in small entities as we believe are commercially reasonable. For example, we believe that these investments are offered and made by us on a fair market value basis and provide returns to the investors in proportion to their actual investment in the venture.
Discounts. Our centers sometimes acquire certain items and services at a discount that may be reimbursed by a federal healthcare program. We endeavor to structure our vendor contracts that include discount or rebate provisions to comply with the federal Anti-Kickback Statute safe harbor for discounts.
Sales Force and Participant Recruitment. We employ our own sales force and attempt to meet the Anti-Kickback safe harbor for bona fide employment.
As noted in the examples above, we have endeavored to structure our business arrangements to fit within applicable federal Anti-Kickback Statute safe harbors and to otherwise operate in material compliance with the federal Anti-Kickback Statute and state analogs. Many of our arrangements are structured to provide for compensation that is fair market value for services actually rendered and in a manner that does not reflect the volume or value of referrals generated between the parties. In structuring our relationships with providers, including our physician partners, and other healthcare entities, we endeavor to comply with the regulatory requirements of such safe harbors and exceptions.
On January 19, 2021, the OIG issued regulations under the Anti-Kickback Statute that added new safe harbors and modified existing safe harbors that protect certain payment practices and business arrangements from sanctions under the Anti-Kickback Statute in order to remove potential barriers to more effective coordination and management of patient care and delivery of value-based care. Among other changes, these regulations contained safe harbors for value-based arrangements centering around value-based enterprises, which are enterprises, such as ours, composed of participants collaborating to achieve one or more value-based purposes, including coordinating, and managing the care of a target patient population and coordinating and managing the care of a target population. These new and modified value-based care safe harbors may allow our business to pursue new value-based arrangements with safe harbor protections under the Anti-Kickback Statute. However, compliance with these new Anti-Kickback Statute safe harbors is complex and, to the extent that one of our value-based arrangements does not squarely fit within the relevant safe harbors, it could be subject to greater scrutiny by enforcement agencies.
Federal Self-Referral Prohibition
The federal Ethics in Patient Referral Act (“Stark Law”) generally prohibits a physician who has (or whose immediate family member has) a financial relationship with certain types of entities from making referrals to such entities for “designated health services” if payment for the services may be made under Medicare or Medicaid. “Designated health services” include clinical laboratory services, inpatient and outpatient hospital services, physical and occupational therapy services, outpatient speech-language pathology services, certain radiology services, radiation therapy services and supplies, durable medical equipment and supplies, parenteral and enteral nutrients equipment and supplies, prosthetics, orthotics and prosthetic devices and supplies, home health services, and outpatient prescription drugs. To the extent we fall within the types of entities to which the Stark Law applies, then we need to ensure that any financial relationships that we have with a referring provider would satisfy a statutory or regulatory exception to the Stark Law prohibition.
Providers are prohibited from billing Medicare and Medicaid for services related to a prohibited referral and a provider that has billed for prohibited services is obligated to notify and refund the amounts collected from the Medicare program or to make a self-disclosure to CMS under its Self-Referral Disclosure Protocol. Penalties for violation of the Stark Law include denial of payment, recoupment, refunds of amounts paid in violation of the law, exclusion from the Medicare or Medicaid programs, and substantial civil monetary penalties ($29,899 per prohibited item or service and $199,338 if there is a circumvention scheme; penalty amounts reflect current 2023 levels and are adjusted for inflation from time to time).
Claims filed in violation of the Stark Law may be deemed false claims under the FCA. In addition to the Stark Law, various states in which we operate have adopted their own self-referral prohibition statutes.
In parallel with OIG’s regulations on value-based care discussed above, on January 19, 2021, CMS issued a sweeping set of regulations that introduce significant new value-based terminology and exceptions to the Stark Law, including new exceptions for certain remuneration exchanged between or among eligible participants in value-based arrangements. These exceptions and their various requirements apply based on the level of risk assumed by the arrangement’s participants. These regulations purport to ease the compliance burden for healthcare providers across the industry while maintaining strong safeguards to protect patients and programs from fraud and abuse. To the extent that we rely on the new value-based exceptions to the Stark Law for our value-based arrangements, we intend to fully comply with such safeguards. However, if we were to be found as out of compliance with such exceptions, we could be subject to penalties, as discussed above.
The False Claims Act
Among other things, the FCA authorizes the imposition of up to three times the government’s damages and significant per claim civil penalties on any “person” (including an individual, organization or company) who, among other acts:
knowingly presents or causes to be presented to the federal government a false or fraudulent claim for payment or approval;
knowingly makes, uses or causes to be made or used a false record or statement material to a false or fraudulent claim;
knowingly makes, uses or causes to be made or used a false record, report or statement material to an obligation to pay the government, or knowingly conceals or knowingly and improperly avoids or decreases an obligation to pay or transmit money or property to the federal government; or
conspires to commit the above acts.
The federal government has used the FCA to prosecute a wide variety of alleged false claims and fraud allegedly perpetrated against Medicare and state healthcare programs, including but not limited to coding errors, billing for services not rendered, the submission of false cost or other reports, billing for services at a higher payment rate than appropriate, billing under a comprehensive code as well as under one or more component codes included in the comprehensive code, billing for care that is not considered medically necessary and false reporting of risk-adjusted diagnostic codes, encounter data or other information used to determine capitated payments. The Affordable Care Act (“ACA”) provides that claims for payment that are tainted by a violation of the federal Anti-Kickback Statute (which could include, for example, illegal incentives or remuneration in exchange for enrollment or referrals) are false for purposes of the FCA. In addition, amendments to the FCA and Social Security Act impose severe penalties for the knowing and improper retention of overpayments from government payors. This could be relevant to our business to the extent we receive payments on account of RAF determinations that are based on improper or erroneous records or reports. Failure to return overpayments could subject us to liability under the FCA, exclusion from government healthcare programs and penalties under the federal Civil Monetary Penalty Statute.
The penalties for a violation of the FCA may include per claim penalties, plus up to three times the amount of damages caused by each false claim, which can be as much as the amounts received directly or indirectly from the government for each such false claim. As of February 12, 2024, the minimum False Claims Act penalty increased from $13,508 to $13,946 per claim. As of January 30, 2023, the minimum False Claims Act penalty increased from $12,537 to $13,508 per claim. The maximum penalty has increased from $27,018 to $27,894 per claim.
In addition to civil enforcement under the FCA, the federal government can use several criminal statutes to prosecute persons who are alleged to have submitted false or fraudulent claims for payment to the federal government. Private parties may initiate qui tam whistleblower lawsuits against any person or entity under the FCA in the name of the federal government, as well as under the false claims laws of several states, and may share in the proceeds of a successful suit. Generally, federal and state governments have made investigating and prosecuting healthcare fraud and abuse a priority. Any allegations or findings that we have violated the FCA could have a material adverse impact on our reputation, business, results of operations and financial condition.
In addition to the FCA, the various states in which we operate have adopted their own analogs of the FCA. States are becoming increasingly active in using their false claims laws to police the same activities listed above, particularly with regard to capitated government-sponsored healthcare programs, such as Medicaid managed care and PACE. Under Section 6031 of the Deficit Reduction Act of 2005, as amended, if a state enacts a false claims act that is at least as stringent as the federal statute and that also meets certain other requirements, the state will be eligible to receive a greater share of any monetary recovery obtained pursuant to certain actions brought under the state’s false claims act. As a result, more states are expected to enact laws that are similar to the federal FCA in the future along with a corresponding increase in state false claims enforcement efforts.
For additional information regarding allegations against us under Federal and State FCA statutes, see Item 1A. Risk Factors, “Risks Related to Our Business—We are subject to legal proceedings, enforcement actions and litigation, malpractice and privacy disputes, which are costly to defend and could materially harm our business and results of operations.”
Civil Monetary Penalties Statute
The Civil Monetary Penalties Statute, 42 U.S.C. § 1320a-7a, authorizes the imposition of civil monetary penalties, assessments and exclusion against an individual or entity based on a variety of prohibited conduct, including, but not limited to:
presenting, or causing to be presented, claims, reports or records relating to payment by Medicare, Medicaid or other government payors that the individual or entity knows or should know are for an item or service that was not provided as reported, is false or fraudulent or was presented for a physician’s service by a person who knows or should know that the individual providing the service is not a licensed physician, obtained licensure through misrepresentation or represented certification in a medical specialty without in fact possessing such certification;
offering remuneration to a federal healthcare program beneficiary that the individual or entity knows or should know is likely to influence the beneficiary to order or receive healthcare items or services from a particular provider, unless an exception applies;
arranging contracts with or making payments to an entity or individual excluded from participation in the federal healthcare programs or included on CMS’s preclusion list;
violating the federal Anti-Kickback Statute;
making, using or causing to be made or used a false record or statement material to a false or fraudulent claim for payment for items and services furnished under a federal healthcare program;
making, using or causing to be made any false statement, omission or misrepresentation of a material fact in any application, bid or contract to participate or enroll as a provider of services or a supplier under a federal healthcare program; and
failing to report and return an overpayment owed to the federal government.
We could be exposed to a wide range of allegations to which the federal Civil Monetary Penalty Statute would apply. We perform monthly checks on our employees and certain affiliates and vendors using government databases to confirm that these individuals have not been excluded from federal programs or otherwise ineligible for payment. We have also implemented processes to ensure that we do not make payments to contracted or noncontracted providers listed on CMS’s preclusion list nor make payments for drugs prescribed by individuals on the preclusion list. However, should an individual or entity be excluded, on the preclusion list, or otherwise ineligible for payment and we fail to detect it, a federal agency could require us to refund amounts attributable to all claims or services performed or sufficiently linked to such individual or entity. Due to this area of risk and the possibility of other allegations being brought against us, we cannot foreclose the possibility that we could face allegations of noncompliance with the Civil Monetary Penalty Statute that have the potential for a material adverse impact on our business, results of operations and financial condition.
Privacy and Security
HIPAA requires covered entities, and the business associates with whom such covered entities contract for services involving the use or disclosure of protected health information, to provide certain protections to their patients or participants and their health information. Through our various service offerings, the Company acts primarily as a covered entity under HIPAA but may also act as a business associate of other covered entities. The HIPAA privacy and security regulations extensively regulate the use and disclosure of PHI and require covered entities and their business associates to develop and maintain policies and procedures and implement and maintain administrative, physical, and technical safeguards to protect the security of such information. Additional security requirements apply to electronic PHI. These regulations also provide our participants with substantive rights with respect to their health information.
The HIPAA privacy and security regulations also require covered entities to enter into written agreements with their business associates. Covered entities may be subject to fines and penalties for, among other activities, failing to enter into a business associate agreement where required by law or as a result of a business associate violating HIPAA. Business associates are also directly subject to liability under certain HIPAA privacy and security regulations. In instances where we act as a business associate to a covered entity, there is the potential for additional liability beyond our status as a covered entity.
Covered entities must notify affected individuals of breaches of unsecured PHI without unreasonable delay but no later than 60 days after discovery of the breach. Reporting must also be made to the HHS Office for Civil Rights (“OCR”) and, for breaches of unsecured PHI involving more than 500 residents of a state or jurisdiction, to the media in accordance with HIPAA requirements. All impermissible uses or disclosures of unsecured PHI are presumed to be breaches unless an exception to the definition of breach applies or the covered entity or business associate establishes that there is a low probability the PHI has been compromised. Additionally, beginning in December 2022, OCR has issued guidance on the use of tracking technologies on websites and mobile applications by covered entities and business associates, indicating that certain information collected by tracking technology vendors from websites and applications may cause a breach under HIPAA. Additionally, on December 1, 2022, OCR issued guidance on the use of tracking technologies on websites and mobile applications by covered entities and business associates, indicating that certain information collected by tracking technology vendors from websites and applications may cause a breach under HIPAA.
Violations of HIPAA by covered entities and business associates, including, but not limited to, failing to implement appropriate administrative, physical and technical safeguards, have resulted in enforcement actions and in some cases triggered settlement payments or civil monetary penalties. Penalties for impermissible use or disclosure of PHI were increased by the HITECH Act by imposing tiered penalties of more than $50,000 (not adjusted for inflation) per violation and up to approximately $1.9 million (not adjusted for inflation) per year for identical violations. In addition, HIPAA provides for criminal penalties of up to $250,000 and ten years in prison, with the severest penalties for obtaining and disclosing PHI with the intent to sell, transfer or use such information for commercial advantage, personal gain or malicious harm. Further, state attorneys general may bring civil actions seeking either injunction or damages in response to violations of the HIPAA privacy and security regulations that threaten the privacy of state residents. There can be no assurance that we will not be the subject of an investigation (arising out of a reportable breach incident, audit or otherwise) alleging non-compliance with HIPAA regulations in our maintenance of PHI.
We may also be subject to other laws governing the privacy and security of data, such as the California Consumer Privacy Act of 2018 (“CCPA”) and data breach notification laws. Additionally, many states also enacted laws that protect the privacy and security of confidential, personal and health information, which may be even more stringent than HIPAA and may add additional compliance costs and legal risks to our operations. Some state privacy and security laws overlap with federal law, some of which are preempted, in part, by federal laws, whereas others are not. States have also passed privacy and security laws and regulations that apply across sectors and go beyond federal law, such as data security laws, secure destruction, Social Security number privacy, online privacy, biometric information privacy, and data breach notification laws. Some of these state laws impose fines and penalties on violators and afford private rights of action to individuals who believe their personal information has been misused. Various state laws and regulations also require us to notify affected individuals in the event of a data breach involving personal information without regard to the probability of the information being compromised.
Looking ahead, it is possible that Congress could pursue a federal privacy bill to harmonize privacy regimes across states.
Various other federal and state laws restrict the use and protect the privacy and security of individually identifiable information, as well as employee personal information, including certain state laws modeled to some extent on the European Union’s General Data Protection Regulation. Federal and state consumer protection laws, including laws that do not on their face specifically address data privacy or security, have been applied to data privacy and security matters by a range of government agencies and courts.
Healthcare Reform Efforts
The U.S. federal and state governments continue to enact and consider many broad-based legislative and regulatory proposals that have had a material impact on or could materially impact various aspects of the healthcare system and our business, operating results and/or cash flows. In addition, state and federal budgetary shortfalls and constraints pose potential risks for our revenue streams. We cannot predict how government payors or healthcare consumers might react to federal and state healthcare legislation and regulation, whether already enacted or enacted in the future, nor can we predict what form such legislation or regulations will take. Some examples of legislative and regulatory changes impacting our business include:
In March 2010, broad healthcare reform legislation was enacted in the United States through the ACA. There have since been numerous political and legal efforts to repeal, replace or modify the ACA, some of which have been successful, in part, in modifying the law. Although some provisions of the ACA have been and may be modified, the reforms, particularly those relating to Medicare and Medicaid programs, could continue to have an impact on our business. These and other provisions of the ACA remain subject to ongoing uncertainty due to developing regulations as well as continuing political and legal challenges at both the federal and state levels.
There have in recent years been congressional efforts to move Medicaid from an open-ended program with coverage and benefits set by the federal government to one in which states receive a fixed amount of federal funds, either through block grants or per capita caps, and have more flexibility to determine benefits, eligibility or provider payments. If these types of changes are implemented in the future, we cannot predict whether the amount of fixed federal funding to the states will be based on current payment amounts, or if it will be based on lower payment amounts, which would negatively impact those states that expanded their Medicaid programs in response to the ACA.
Legislation enacted in 2011 requires CMS to sequester or reduce all Medicare payments, including payments to PACE organizations, by two percent per year beginning on April 1, 2013.
The Inflation Reduction Act of 2022 includes a few provisions intended to lower the costs of some drugs covered under Medicare Part D and to limit Medicare beneficiaries’ out-of-pocket spending under the Medicare Part D benefit. It is not yet clear what effect, if any, these legislative changes and any subsequent implementing regulations and guidance will have on our business.
The “Medicare Program; Contract Year 2024 Policy and Technical Changes to the Medicare Advantage Program, Medicare Prescription Drug Benefit Program, Medicare Cost Plan Program, and Programs of All-Inclusive Care for the Elderly” final rule (“PACE Final Rule”) set out a number of changes for PACE organizations, including (i) clarifying that CMS has enforcement discretion to impose civil monetary penalties or an intermediate sanction in the event CMS has made a determination that could lead to the termination of a PACE program; and (ii) reinstating the requirement that PACE organizations enter into written contracts with each outside organization, agency, or individual that furnishes administrative or care-related services not furnished directly by the PACE organization, including 25 medical specialties enumerated by the PACE Final Rule.
The remaining provisions of the PACE final rule from 2024 were issued alongside the new PACE Final Rule for 2025. In this new final rule, CMS sets out changes which include but are not limited to: (i) implementation of past performance guidelines used to evaluate new PACE organization applications; (ii) personnel medical clearance guidelines; (iii) updates to service delivery timeframes by which participants must receive services; (iv) guidelines on IDT care coordination across all service settings with timeframes applied to external provider recommendations; (v) new content and documentation guidelines for participant plans of care; (vi) expansion of participant rights in care settings; and (vii) revisions to existing grievance process to align with standard determination request guidance.
CMS and state Medicaid agencies also routinely adjust the RAF which is central to payment under PACE and Managed Medicaid programs in which we participate. The monetary “coefficient” values associated with diseases that we manage in our population are subject to change by CMS and state agencies. Such changes could have a material adverse effect on our financial condition. See Item 1A. Risk Factors, “Risks Related to Our Business — Our records and submissions to government payors may contain inaccurate or unsupportable information regarding risk adjustment scores of participants, which could cause us to overstate or understate our revenue and subject us to payment obligations or penalties.”
Other Regulations
Our operations are subject to various state hazardous waste and non-hazardous medical waste disposal laws. These laws do not classify as hazardous most of the waste produced from medical services. Occupational Safety and Health Administration regulations require employers to provide workers who are occupationally subject to blood or other potentially infectious materials with prescribed protections. These regulatory requirements apply to all healthcare facilities, including our participant centers, and require employers to make a determination as to which employees may be exposed to blood or other potentially infectious materials and to have in effect a written exposure control plan. In addition, employers are required to provide or employ hepatitis B vaccinations, personal protective equipment and other safety devices, infection control training, post-exposure evaluation and follow-up, waste disposal techniques and procedures and work practice controls. Employers are also required to comply with various record-keeping requirements.
Federal and state law also governs the purchase, handling, and dispensing of controlled substances by physicians and other clinicians. If we are unable to maintain our registrations this could limit or affect our ability to purchase, handle, or dispense controlled substances and other violations of these laws could subject us to criminal or other sanctions. In addition, certain laws may apply to activities of our affiliated physicians and clinicians. For example, the Prescription Drug Marketing Act governs the provision of drug samples to physicians and other clinicians, and physicians and other clinicians are required to report relationships they have with the manufacturers of drugs, medical devices and biologics through the Open Payments Program database.
Clinical laboratories may be subject to oversight by CMS and state regulators, including the Eliminating Kickbacks in Recovery Act of 2018. If our laboratories or laboratories that we partner with are not in compliance with the applicable CMS or state laws or regulations, they could be subject to enforcement action, which could negatively affect our business.
We have in the past and continue to intend to grow our business through acquisitions in the states in which we currently operate or in new states that we seek to enter. Several states, including California, have adopted laws focused on competition, quality, access, and cost that authorize state agencies to review and approve healthcare transactions, and many other states, including Pennsylvania, are considering similar legislation. California is also considering additional legislation that would provide the California attorney general with approval authority with respect to certain health care transactions. Such laws may negatively affect our ability to grow our business.
Any allegations or findings that we or our providers have violated any of these laws or regulations could have a material adverse impact on our reputation, business, results of operations and financial condition. Certain states in which we do business or may desire to do business in the future have certificate of need programs regulating the establishment or expansion of healthcare facilities, including our participant centers. These regulations can be complex and time-consuming to ensure compliance with. Any failure to comply with such regulatory requirements could adversely impact our business, results of operations and financial condition.
Competition
The U.S. healthcare industry is highly competitive. We compete directly with national, regional and local providers of healthcare for participants and clinical providers. We also compete with payors and other alternate managed care programs for participants. Of these providers, there are many other companies and individuals currently providing healthcare services, many of which have been in business longer and/or have substantially more resources. Given the regulatory environment, there may be high barriers to entry for PACE providers; however, since there are relatively modest capital expenditures required for providing healthcare services, there are less substantial financial barriers to entry in the healthcare industry generally. Other companies could enter the healthcare industry in the future and divert some or all of our business. Our principal competitors for dual-eligible seniors vary considerably in type and identity by market. Our growth strategy and our business could be adversely affected if we are not able to compete efficiently, including penetrating existing markets or new markets, recruit qualified physicians or if we experience significant participant attrition to our competitors. See Item 1A. Risk Factors—Risks Related to Our Business—“The healthcare industry is highly competitive and, if we are not able to compete effectively, our business could be harmed.”
We believe the principal competitive factors for serving adults dually-eligible for Medicare and Medicaid and who meet nursing home eligibility criteria include: participant experience, quality of care, health outcomes, total cost of care, brand identity and trust in that brand.
Seasonality
Our business experiences some variability depending upon the time of year. Medical costs will vary seasonally depending on a number of factors, but most significantly the weather. Certain illnesses, such as the influenza virus and COVID-19, are far more prevalent during colder months of the year, which results in an increase in medical expenses during these time periods. We therefore see higher levels of per-participant medical costs in our second and third fiscal quarters. Medical costs also depend upon the number of business days in a period, with shorter periods generally having lower medical costs, all else being equal. There is also increased variability of participant enrollment during the open enrollment period, which occurs during our third fiscal quarter.
In addition, the retrospective capitation payments we receive for each participant are determined by a participant’s RAF score, which is calculated twice per year and is based on the evolving acuity and chronic conditions of a participant. We estimate and accrue for the expected true-up payments of our participants. Though no assurances can be made in the future, we have historically used our best estimate for accruing for this payment, and we received net positive true-up payments during the fiscal years ended June 30, 2024 and 2023. Historically, these true-up payments typically occur between May and August, but the timing of these payments is determined by CMS, and we have neither visibility nor control over the timing of such payments.
Human Capital Resources
As of June 30, 2024, we had approximately 2,350 employees, including over 1,300 clinical professionals (excluding contract labor). Approximately 1% of our workforce is represented by a union, all of which are located in Pennsylvania. Collective bargaining commenced in March 2024. We are unable to predict the terms or timing of any resulting collective bargaining agreement.
We believe our efforts in managing our workforce have been effective, evidenced by improved retention, lower turnover, and employee satisfaction during fiscal year 2024.
Our people are our product at InnovAge, and their commitment to our participants propels our mission of enabling seniors to age at home, with dignity, for as long as is safely possible. We believe that our employees are drawn to this mission and our values, which is why our voluntary retention rate was 68% over fiscal year 2024. Additionally, in our most recent employee engagement survey conducted in February 2024, 75% of our employees indicated that they feel engaged by their work at InnovAge.
Attracting and retaining top talent is critical to the success of InnovAge's mission and one of the highest priorities to leadership. To keep leadership informed of the health of our employee base, we report weekly on key hiring and retention metrics. We launched employee engagement surveys in fiscal year 2022, and we implemented action plans with all staff groups based on survey findings and opportunities uncovered.
We continue to evaluate talent needs at the senior management level, aiming to hire ahead of the curve as the business evolves and to assess and respond to any gaps in our capabilities.
Diversity
At InnovAge, we strive to be a reflection of the diverse communities that we serve. We are steadfastly dedicated to fostering an atmosphere that champions diversity, equity, and inclusion throughout all sectors of InnovAge. Our commitment remains in building a culture where individual distinctions are not just acknowledged but deeply valued.
In our previous engagement survey from February 2024, 76.6% of employees indicated that they feel that they can be their authentic selves at work. In our previous engagement survey from April 2022, 79.2% of employees indicated that they feel that they can be their authentic selves at work. As part of our continuous journey to engage and understand our teams better, we plan to conduct our annual engagement survey during September 2024.
As of June 30, 2024, our employed workforce was comprised of individuals who identified as women – 76%, and minorities – 52%. Four of eleven members of our leadership team identify as women as of June 30, 2024.
Training and Development
We aim to provide our employees opportunities to grow and advance in their careers at InnovAge with learning and development programs. Each year we conduct soft skills training for managers and supervisors, the content of which is informed by gap assessment surveys. A quarterly training series for front-line leaders enables them to develop their management skills. Our clinical leaders also conduct separate physician leadership trainings quarterly, with a ne