10-K 1 phr-20240131.htm 10-K phr-20240131
false00014124082024FYP1DP2DP1DP2DP3YP3YP2DP3YP2Yhttp://fasb.org/us-gaap/2023#PropertyPlantAndEquipmentAndFinanceLeaseRightOfUseAssetAfterAccumulatedDepreciationAndAmortizationhttp://fasb.org/us-gaap/2023#PropertyPlantAndEquipmentAndFinanceLeaseRightOfUseAssetAfterAccumulatedDepreciationAndAmortizationhttp://fasb.org/us-gaap/2023#LongTermDebtAndCapitalLeaseObligationsCurrenthttp://fasb.org/us-gaap/2023#LongTermDebtAndCapitalLeaseObligationsCurrenthttp://fasb.org/us-gaap/2023#LongTermDebtAndCapitalLeaseObligationshttp://fasb.org/us-gaap/2023#LongTermDebtAndCapitalLeaseObligations29540846528400014124082023-02-012024-01-3100014124082023-07-31iso4217:USD00014124082024-03-06xbrli:shares00014124082024-01-3100014124082023-01-31iso4217:USDxbrli:shares0001412408phr:SubscriptionAndServicesMember2023-02-012024-01-310001412408phr:SubscriptionAndServicesMember2022-02-012023-01-310001412408phr:SubscriptionAndServicesMember2021-02-012022-01-310001412408phr:PaymentProcessingFeesMember2023-02-012024-01-310001412408phr:PaymentProcessingFeesMember2022-02-012023-01-310001412408phr:PaymentProcessingFeesMember2021-02-012022-01-310001412408phr:NetworkSolutionsMember2023-02-012024-01-310001412408phr:NetworkSolutionsMember2022-02-012023-01-310001412408phr:NetworkSolutionsMember2021-02-012022-01-3100014124082022-02-012023-01-3100014124082021-02-012022-01-310001412408us-gaap:CommonStockMember2021-01-310001412408us-gaap:AdditionalPaidInCapitalMember2021-01-310001412408us-gaap:RetainedEarningsMember2021-01-310001412408us-gaap:TreasuryStockCommonMember2021-01-3100014124082021-01-310001412408us-gaap:RetainedEarningsMember2021-02-012022-01-310001412408us-gaap:AdditionalPaidInCapitalMember2021-02-012022-01-310001412408us-gaap:CommonStockMember2021-02-012022-01-310001412408us-gaap:TreasuryStockCommonMember2021-02-012022-01-310001412408us-gaap:CommonStockMember2022-01-310001412408us-gaap:AdditionalPaidInCapitalMember2022-01-310001412408us-gaap:RetainedEarningsMember2022-01-310001412408us-gaap:TreasuryStockCommonMember2022-01-3100014124082022-01-310001412408us-gaap:RetainedEarningsMember2022-02-012023-01-310001412408us-gaap:AdditionalPaidInCapitalMember2022-02-012023-01-310001412408us-gaap:CommonStockMember2022-02-012023-01-310001412408us-gaap:TreasuryStockCommonMember2022-02-012023-01-310001412408us-gaap:CommonStockMember2023-01-310001412408us-gaap:AdditionalPaidInCapitalMember2023-01-310001412408us-gaap:RetainedEarningsMember2023-01-310001412408us-gaap:TreasuryStockCommonMember2023-01-310001412408us-gaap:RetainedEarningsMember2023-02-012024-01-310001412408us-gaap:AdditionalPaidInCapitalMember2023-02-012024-01-310001412408us-gaap:CommonStockMember2023-02-012024-01-310001412408us-gaap:TreasuryStockCommonMember2023-02-012024-01-310001412408us-gaap:CommonStockMember2024-01-310001412408us-gaap:AdditionalPaidInCapitalMember2024-01-310001412408us-gaap:RetainedEarningsMember2024-01-310001412408us-gaap:TreasuryStockCommonMember2024-01-310001412408us-gaap:LineOfCreditMemberus-gaap:RevolvingCreditFacilityMemberphr:SeniorSecuredAssetBasedRevolvingCreditFacilityMember2023-12-040001412408phr:ThirdAmendedAndRestatedLoanAndSecurityAgreementThirdSVBFacilityMember2023-02-012024-01-310001412408srt:MinimumMember2024-01-310001412408srt:MaximumMember2024-01-310001412408srt:MinimumMember2023-02-012024-01-310001412408srt:MaximumMember2023-02-012024-01-31phr:processor0001412408srt:MinimumMemberus-gaap:ComputerSoftwareIntangibleAssetMember2024-01-310001412408srt:MaximumMemberus-gaap:ComputerSoftwareIntangibleAssetMember2024-01-31phr:segment0001412408us-gaap:EmployeeStockMember2023-02-012024-01-31xbrli:pure0001412408phr:PhreesiaPadsAndArrivalsStationsMember2024-01-310001412408phr:PhreesiaPadsAndArrivalsStationsMember2023-01-310001412408us-gaap:ComputerEquipmentMember2024-01-310001412408us-gaap:ComputerEquipmentMember2023-01-310001412408srt:MinimumMemberphr:ComputerSoftwareMember2024-01-310001412408phr:ComputerSoftwareMembersrt:MaximumMember2024-01-310001412408phr:ComputerSoftwareMember2024-01-310001412408phr:ComputerSoftwareMember2023-01-310001412408phr:HardwareDevelopmentMember2024-01-310001412408phr:HardwareDevelopmentMember2023-01-310001412408srt:MinimumMemberus-gaap:TechnologyBasedIntangibleAssetsMember2024-01-310001412408srt:MaximumMemberus-gaap:TechnologyBasedIntangibleAssetsMember2024-01-310001412408us-gaap:TechnologyBasedIntangibleAssetsMember2024-01-310001412408us-gaap:TechnologyBasedIntangibleAssetsMember2023-01-310001412408srt:MinimumMemberus-gaap:CustomerRelationshipsMember2024-01-310001412408srt:MaximumMemberus-gaap:CustomerRelationshipsMember2024-01-310001412408us-gaap:CustomerRelationshipsMember2024-01-310001412408us-gaap:CustomerRelationshipsMember2023-01-310001412408us-gaap:LicenseMember2024-01-310001412408us-gaap:LicenseMember2023-01-310001412408us-gaap:TrademarksMember2024-01-310001412408us-gaap:TrademarksMember2023-01-310001412408phr:SubscriptionAndRelatedServicesMember2023-02-012024-01-310001412408phr:SubscriptionAndRelatedServicesMember2022-02-012023-01-310001412408phr:SubscriptionAndRelatedServicesMember2021-02-012022-01-310001412408phr:FinancingArrangementsMember2024-01-310001412408phr:FinancingArrangementsMember2023-01-310001412408phr:AccruedInterestAndPaymentsMember2024-01-310001412408phr:AccruedInterestAndPaymentsMember2023-01-310001412408phr:FinancingArrangementsMember2023-06-082023-06-080001412408phr:FinancingArrangementsMember2023-06-080001412408phr:TermLoanMember2019-02-280001412408phr:SecondAmendedAndRestatedLoanAndSecurityAgreementSecondSVBFacilityMemberus-gaap:RevolvingCreditFacilityMember2020-05-050001412408us-gaap:RevolvingCreditFacilityMemberphr:ThirdAmendedAndRestatedLoanAndSecurityAgreementThirdSVBFacilityMember2022-03-270001412408us-gaap:RevolvingCreditFacilityMemberphr:ThirdAmendedAndRestatedLoanAndSecurityAgreementThirdSVBFacilityMember2022-03-280001412408us-gaap:PrimeRateMemberphr:ThirdAmendedAndRestatedLoanAndSecurityAgreementThirdSVBFacilityMemberus-gaap:RevolvingCreditFacilityMember2022-03-282022-03-280001412408us-gaap:RevolvingCreditFacilityMemberphr:ThirdAmendedAndRestatedLoanAndSecurityAgreementThirdSVBFacilityMember2022-03-282022-03-280001412408us-gaap:LineOfCreditMemberus-gaap:RevolvingCreditFacilityMemberphr:ThirdAmendedAndRestatedLoanAndSecurityAgreementThirdSVBFacilityMember2023-12-042023-12-040001412408us-gaap:LineOfCreditMemberus-gaap:RevolvingCreditFacilityMemberphr:ThirdAmendedAndRestatedLoanAndSecurityAgreementThirdSVBFacilityMember2023-01-310001412408us-gaap:LineOfCreditMemberus-gaap:RevolvingCreditFacilityMemberphr:ThirdAmendedAndRestatedLoanAndSecurityAgreementThirdSVBFacilityMember2024-01-310001412408us-gaap:LineOfCreditMemberus-gaap:RevolvingCreditFacilityMemberphr:SeniorSecuredAssetBasedRevolvingCreditFacilityMember2023-12-042023-12-040001412408us-gaap:LineOfCreditMemberus-gaap:BridgeLoanMemberphr:SeniorSecuredAssetBasedRevolvingCreditFacilityMember2023-12-040001412408us-gaap:LetterOfCreditMemberus-gaap:LineOfCreditMemberphr:SeniorSecuredAssetBasedRevolvingCreditFacilityMember2023-12-040001412408us-gaap:LineOfCreditMemberus-gaap:RevolvingCreditFacilityMemberphr:SeniorSecuredAssetBasedRevolvingCreditFacilityMember2023-02-012024-01-3100014124082019-07-220001412408phr:FollowOnOfferingMember2021-04-122021-04-120001412408phr:FollowOnOfferingMember2021-04-120001412408us-gaap:CommonStockMemberphr:AcquisitionOfMediFindMember2023-06-302023-06-300001412408phr:AcquisitionOfMediFindMember2023-06-300001412408phr:AcquisitionOfAccessMemberus-gaap:CommonStockMember2023-08-112023-08-110001412408phr:AcquisitionOfAccessMember2023-08-110001412408phr:TwoThousandEighteenStockOptionPlanMember2018-01-310001412408phr:TwoThousandAndNineteenStockOptionAndIncentivePlanMember2019-06-300001412408phr:TwoThousandAndNineteenStockOptionAndIncentivePlanMember2019-06-012019-06-300001412408phr:TwoThousandAndNineteenStockOptionAndIncentivePlanMemberus-gaap:EmployeeStockMember2019-06-300001412408phr:TwoThousandTwentyThreeInducementAwardPlanMember2023-07-310001412408phr:TwoThousandAndNineteenStockOptionAndIncentivePlanMemberus-gaap:EmployeeStockMember2024-01-310001412408phr:TwoThousandAndNineteenStockOptionAndIncentivePlanMemberus-gaap:EmployeeStockMember2023-02-012024-01-310001412408phr:TwoThousandAndNineteenStockOptionAndIncentivePlanMemberus-gaap:EmployeeStockMember2022-02-012023-01-31phr:offering_period0001412408us-gaap:EmployeeStockMember2022-02-012023-01-310001412408us-gaap:RestrictedStockUnitsRSUMemberphr:TwoThousandTwentyThreeInducementAwardPlanMember2024-01-310001412408us-gaap:RestrictedStockUnitsRSUMember2023-02-012024-01-310001412408us-gaap:RestrictedStockUnitsRSUMember2022-02-012023-01-310001412408us-gaap:RestrictedStockUnitsRSUMember2021-02-012022-01-310001412408phr:LiabilityAwardsMember2023-02-012024-01-310001412408phr:LiabilityAwardsMember2022-02-012023-01-310001412408phr:LiabilityAwardsMember2021-02-012022-01-310001412408us-gaap:PerformanceSharesMember2023-02-012024-01-310001412408us-gaap:PerformanceSharesMember2022-02-012023-01-310001412408us-gaap:PerformanceSharesMember2021-02-012022-01-310001412408us-gaap:EmployeeStockOptionMember2023-02-012024-01-310001412408us-gaap:EmployeeStockOptionMember2022-02-012023-01-310001412408us-gaap:EmployeeStockOptionMember2021-02-012022-01-310001412408us-gaap:EmployeeStockMember2021-02-012022-01-310001412408us-gaap:AdditionalPaidInCapitalMember2023-02-012024-01-310001412408us-gaap:AdditionalPaidInCapitalMember2022-02-012023-01-310001412408us-gaap:AdditionalPaidInCapitalMember2021-02-012022-01-310001412408us-gaap:AccruedLiabilitiesMember2023-02-012024-01-310001412408us-gaap:AccruedLiabilitiesMember2022-02-012023-01-310001412408us-gaap:AccruedLiabilitiesMember2021-02-012022-01-310001412408us-gaap:RestrictedStockUnitsRSUMemberus-gaap:ShareBasedCompensationAwardTrancheOneMember2020-12-312020-12-310001412408us-gaap:RestrictedStockUnitsRSUMemberus-gaap:ShareBasedCompensationAwardTrancheTwoMember2020-12-312020-12-310001412408us-gaap:RestrictedStockUnitsRSUMemberus-gaap:ShareBasedCompensationAwardTrancheThreeMember2020-12-312020-12-310001412408us-gaap:RestrictedStockUnitsRSUMemberphr:ShareBasedPaymentArrangementTrancheFourMember2020-12-312020-12-310001412408us-gaap:RestrictedStockUnitsRSUMember2020-12-312020-12-310001412408us-gaap:RestrictedStockUnitsRSUMemberphr:EmployeesOtherThanNamedExecutiveOfficersMember2021-01-012021-01-010001412408srt:ExecutiveOfficerMemberus-gaap:RestrictedStockUnitsRSUMember2022-01-012022-12-310001412408srt:ExecutiveOfficerMemberus-gaap:RestrictedStockUnitsRSUMember2023-01-022023-01-020001412408us-gaap:RestrictedStockUnitsRSUMember2021-01-310001412408us-gaap:RestrictedStockUnitsRSUMember2022-01-310001412408us-gaap:RestrictedStockUnitsRSUMember2023-01-310001412408us-gaap:RestrictedStockUnitsRSUMember2024-01-310001412408us-gaap:RestrictedStockUnitsRSUMemberphr:TwoThousandTwentyThreeInducementAwardPlanMember2023-02-012024-01-310001412408phr:TwoThousandAndNineteenStockOptionAndIncentivePlanMemberus-gaap:EmployeeStockOptionMemberus-gaap:ShareBasedCompensationAwardTrancheThreeMember2023-02-012024-01-310001412408phr:TwoThousandAndNineteenStockOptionAndIncentivePlanMemberus-gaap:EmployeeStockOptionMemberus-gaap:ShareBasedCompensationAwardTrancheOneMember2023-02-012024-01-310001412408phr:TwoThousandAndNineteenStockOptionAndIncentivePlanMemberus-gaap:EmployeeStockOptionMemberphr:ShareBasedPaymentArrangementTrancheFourMember2023-02-012024-01-310001412408phr:TwoThousandAndNineteenStockOptionAndIncentivePlanMemberus-gaap:ShareBasedCompensationAwardTrancheTwoMemberus-gaap:EmployeeStockOptionMember2023-02-012024-01-310001412408us-gaap:EmployeeStockOptionMember2024-01-310001412408us-gaap:PerformanceSharesMembersrt:MinimumMember2023-02-012024-01-310001412408us-gaap:PerformanceSharesMembersrt:MaximumMember2023-02-012024-01-310001412408us-gaap:PerformanceSharesMembersrt:MaximumMember2022-02-012023-01-310001412408us-gaap:PerformanceSharesMembersrt:MaximumMember2021-02-012022-01-310001412408us-gaap:PerformanceSharesMember2024-01-310001412408us-gaap:PerformanceSharesMember2023-01-310001412408us-gaap:PerformanceSharesMember2022-01-310001412408us-gaap:PerformanceSharesMember2021-01-310001412408us-gaap:CommonStockIncludingAdditionalPaidInCapitalMember2023-02-012024-01-310001412408us-gaap:EmployeeStockMember2024-01-310001412408us-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMember2024-01-310001412408us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2024-01-310001412408us-gaap:FairValueInputsLevel3Memberus-gaap:FairValueMeasurementsRecurringMember2024-01-310001412408us-gaap:FairValueMeasurementsRecurringMember2024-01-310001412408us-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMember2023-01-310001412408us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2023-01-310001412408us-gaap:FairValueInputsLevel3Memberus-gaap:FairValueMeasurementsRecurringMember2023-01-310001412408us-gaap:FairValueMeasurementsRecurringMember2023-01-310001412408srt:MinimumMemberus-gaap:ComputerEquipmentMember2024-01-310001412408us-gaap:ComputerEquipmentMembersrt:MaximumMember2024-01-310001412408us-gaap:ComputerEquipmentMember2024-01-310001412408us-gaap:DomesticCountryMember2024-01-310001412408us-gaap:DomesticCountryMember2023-01-310001412408us-gaap:ForeignCountryMember2024-01-310001412408us-gaap:ResearchMember2024-01-310001412408us-gaap:StockCompensationPlanMember2023-02-012024-01-310001412408us-gaap:StockCompensationPlanMember2022-02-012023-01-310001412408us-gaap:StockCompensationPlanMember2021-02-012022-01-310001412408us-gaap:EmployeeStockMember2023-02-012024-01-310001412408us-gaap:EmployeeStockMember2022-02-012023-01-310001412408us-gaap:EmployeeStockMember2021-02-012022-01-310001412408us-gaap:RelatedPartyMember2023-02-012024-01-310001412408us-gaap:RelatedPartyMember2022-02-012023-01-310001412408us-gaap:RelatedPartyMember2024-01-310001412408us-gaap:RelatedPartyMember2023-01-310001412408phr:AcquisitionOfMediFindMember2023-06-302023-06-300001412408phr:AcquisitionOfAccessMember2023-08-112023-08-110001412408phr:ConnectOnCallMember2023-10-030001412408phr:ConnectOnCallMember2023-10-032023-10-03phr:installment0001412408phr:ConnectOnCallMember2023-02-012024-01-310001412408phr:AcquisitionOfMediFindMember2023-02-012024-01-310001412408phr:AcquisitionOfAccessMember2023-02-012024-01-3100014124082023-10-030001412408phr:AcquisitionOfMediFindMemberus-gaap:TechnologyBasedIntangibleAssetsMember2023-06-300001412408us-gaap:TrademarksMemberphr:AcquisitionOfMediFindMember2023-06-300001412408phr:AcquisitionOfMediFindMemberus-gaap:CustomerRelationshipsMember2023-06-300001412408phr:AcquisitionOfAccessMemberus-gaap:TechnologyBasedIntangibleAssetsMember2023-08-110001412408us-gaap:TrademarksMemberphr:AcquisitionOfAccessMember2023-08-110001412408phr:AcquisitionOfAccessMemberus-gaap:CustomerRelationshipsMember2023-08-110001412408us-gaap:TechnologyBasedIntangibleAssetsMemberphr:ConnectOnCallMember2023-10-030001412408us-gaap:CustomerRelationshipsMemberphr:ConnectOnCallMember2023-10-030001412408phr:MediFindAccessAndConnectOnCallMember2024-01-310001412408phr:InsigniaHealthLLCMember2021-12-030001412408phr:InsigniaHealthLLCMember2021-12-032021-12-030001412408phr:InsigniaHealthLLCMember2022-01-3100014124082023-11-012024-01-310001412408phr:MichaelWeintraubMember2023-02-012024-01-310001412408phr:MichaelWeintraubMember2023-11-012024-01-310001412408phr:MichaelWeintraubMember2024-01-310001412408phr:AllisonHoffmanMember2023-02-012024-01-310001412408phr:AllisonHoffmanMember2023-11-012024-01-310001412408phr:AllisonHoffmanMember2024-01-310001412408phr:EvanRobertsMember2023-02-012024-01-310001412408phr:EvanRobertsMember2023-11-012024-01-310001412408phr:EvanRobertsMember2024-01-310001412408phr:MarkSmithMember2023-02-012024-01-310001412408phr:MarkSmithMember2023-11-012024-01-310001412408phr:MarkSmithMember2024-01-310001412408phr:MichaelDavidoffMember2023-02-012024-01-310001412408phr:MichaelDavidoffMember2023-11-012024-01-310001412408phr:MichaelDavidoffMember2024-01-31


UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, DC 20549
FORM 10-K
(Mark One)
ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the fiscal year ended January 31, 2024
OR
TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

For the transition period from _ to _

Commission File Number: 001-38977


PHREESIA, INC.
(Exact Name of Registrant as Specified in Its Charter)
Delaware20-2275479
(State or Other Jurisdiction of Incorporation or Organization)(IRS Employer Identification No.)
1521 Concord Pike, Suite 301 PMB 221
Wilmington, DE1
19803
(Address of Principal Executive Offices)(Zip Code)

(888) 654-7473
(Registrant’s Telephone Number, Including Area Code)

Securities registered pursuant to Section 12(b) of the Act:
Title of each classTrading SymbolName of each exchange on which registered
Common stock, $0.01 par value per sharePHRThe New York Stock Exchange


Securities registered pursuant to Section 12(g) of the Act:
None

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes No

Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes No

Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes No

Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§ 232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files). Yes No

Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer”, “accelerated filer”, “smaller reporting company”, and “emerging growth company” in Rule 12b-2 of the Exchange Act.
Large accelerated filer
Accelerated filer ☐Non-accelerated filer ☐Smaller reporting company
Emerging growth company

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

Indicate by check mark whether the Registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal controls over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report. Yes No

If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the registrant included in the filing reflect the correction of an error to previously issued financial statements.

Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the registrant’s executive officers during the relevant recovery period pursuant to §240.10D-1(b). ☐

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Act). Yes No

The aggregate market value of the common stock held by non-affiliates of the registrant, based on the closing price of a share of common stock on July 31, 2023, the last business day of the registrant’s most recently completed second fiscal quarter, as reported by the New York Stock Exchange on such date was approximately $1,617,063,047. This calculation does not reflect a determination that certain persons are affiliates of the registrant for any other purpose.

As of March 6, 2024, there were 56,387,472 shares of the registrant’s common stock, par value $0.01 per share, outstanding.

1 Phreesia, Inc. is a fully remote company and no longer maintains its principal executive office. The address listed here is the mailing address that we maintain. For purposes of compliance with applicable requirements of the Securities Act of 1933, as amended, and
Securities Exchange Act of 1934, as amended, stockholder communications required to be sent to our principal executive offices should
be directed to the email address set forth in our proxy materials and/or identified on our investor relations website.

DOCUMENTS INCORPORATED BY REFERENCE
Portions of the registrant’s Definitive Proxy Statement relating to its 2024 Annual Meeting of Stockholders to be filed hereafter are incorporated by reference into Part III of this Annual Report on Form 10-K where indicated.



1

Table of Contents

PART I.
Item 1.
Item 1A.
Item 1B.
Item 1C.
Item 2.
Item 3.
Item 4.
PART II.
Item 5.
Item 6.
Item 7.
Item 7A.
Item 8.
Item 9.
Item 9A.
Item 9B.
Item 9C.
PART III.
Item 10.
Item 11.
Item 12.
Item 13.
Item 14.
PART IV.
Item 15.
Item 16.
Signatures

2

Table of Contents
Summary of Material Risks Associated with our Business


Our business is subject to numerous risks and uncertainties that you should be aware of in evaluating our business. These risks and uncertainties include, but are not limited to, the following:

We have grown rapidly in recent periods, and as a result, our expenses have continued to increase. If we fail to manage our growth effectively, our revenue may not increase and we may be unable to implement our business strategy.
We operate in a highly competitive industry, and if we are not able to compete effectively, including with the electronic health records ("EHR") and practice management ("PM") systems with which we integrate, our business and results of operations will be harmed.
We have experienced net losses in the past and we may not achieve profitability in the future.
Privacy concerns or security breaches or incidents relating to our SaaS-based solutions could result in economic loss, damage to our reputation, deterring users from using our products, and our exposure to legal penalties and liability.
Business or economic disruptions or global health concerns have harmed and may continue to harm our business and increase our costs and expenses.
We typically incur significant upfront costs in our client relationships, and if we are unable to develop or grow these relationships over time, we are unlikely to recover these costs and our operating results may suffer.
As a result of our variable sales and implementation cycles, we may be unable to recognize revenue to offset expenditures, which could result in fluctuations in our quarterly results of operations or otherwise harm our future operating results.
We depend on our senior management team and certain key employees, and the loss of one or more of our executive officers or key employees or an inability to attract and retain highly skilled employees could adversely affect our business.
We have made, and in the future, may make acquisitions and investments which may be difficult to integrate, divert management resources, result in unanticipated costs or dilute our stockholders.
We are subject to health care laws and data privacy and security laws and regulations governing our collection, use, disclosure, or storage of personally identifiable information, including protected health information and payment card data, which may impose restrictions on us and our operations, require us to change our business practices and put in place additional compliance mechanisms, and subject us to fines, penalties, lawsuits, adverse publicity, reputational harm, loss of customer trust or government enforcement actions if we are unable to fully comply with such laws.
We rely on our third-party contractors, vendors and partners, including some outside of the United States, to execute our business strategy. Replacing them could be difficult and disruptive to our business. If we are unsuccessful in forming or maintaining such relationships on terms favorable to us, our business may not succeed.

The summary risk factors described above should be read together with the text of the full risk factors below in the section titled "Risk Factors" and in the other information set forth in this Annual Report on Form 10-K, including our consolidated financial statements and the related notes, as well as in other documents that we file with the U.S. Securities and Exchange Commission (the "SEC"). If any such risks and uncertainties actually occur, our business, prospects, financial condition and results of operations could be materially and adversely affected. The risks summarized above or described in full below are not the only risks that we face. Additional risks and uncertainties not currently known to us, or that we currently deem to be immaterial, may also materially adversely affect our business, prospects, financial condition and results of operations.

3

Table of Contents
SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS
This Annual Report on Form 10-K, including the sections entitled “Business,” “Risk Factors,” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” contains express or implied statements that are not historical facts and are considered forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended. Forward-looking statements involve substantial risks and uncertainties. Forward-looking statements generally relate to future events or our future financial or operating performance and may contain projections of our future results of operations or of our financial information or state other forward-looking information. In some cases, you can identify forward-looking statements by the following words: “may,” “will,” “could,” “would,” “should,” “expect,” “intend,” “plan,” “anticipate,” “believe,” “estimate,” “predict,” “project,” “potential,” “continue,” “ongoing,” or the negative of these terms or other comparable terminology, although not all forward-looking statements contain these words.
Although we believe that the expectations reflected in these forward-looking statements are reasonable, these statements relate to future events or our future operational or financial performance, and involve known and unknown risks, uncertainties, and other factors that may cause our actual results, performance, or achievements to be materially different from any future results, performance, or achievements expressed or implied by these forward-looking statements. Forward-looking statements contained in this Annual Report on Form 10-K include, but are not limited to, statements about:
 
our future financial performance, including our revenue, cash flows, costs of revenue and operating expenses;
the rapidly evolving industry and the market for technology-enabled services in healthcare in the United States being relatively immature and unproven;
our reliance on a limited number of clients for a substantial portion of our revenue;
our anticipated growth and growth strategies and our ability to effectively manage that growth;
our ability to achieve and grow profitability;
the sufficiency of our cash, cash equivalents and investments to meet our liquidity needs;
our potential competition with our customers or partners;
our existing clients not renewing their existing contracts with us, renewing at lower fee levels or declining to purchase additional applications from us;
our failure to adequately maintain our direct sales force, impeding our growth;
our ability to recover the significant upfront costs in our customer relationships;
liability arising from our collection, use, disclosure, or storage of sensitive data collected from or about patients;
our reliance on third-party vendors, manufacturers and partners to execute our business strategy;
consolidation in the healthcare industry resulting in loss of clients;
the uncertainty and ongoing flux of the regulatory and political framework;
our ability to determine the size of our target market;
the impact of pandemics or epidemics, market volatility, including the recent high inflationary and high interest rate environment, bank failures and measures taken in response thereto, economic slowdowns and recessions, and other global financial, economic and political events on our business and our ability to attract, retain and cross-sell to healthcare services clients;
our ability to obtain, maintain and enforce intellectual property for our technology and products;
our inability to implement our solutions for clients resulting in loss of clients and reputation;
our dependency on our key personnel, and our ability to attract, hire, integrate, and retain key personnel, including as a result of being a fully remote company;
the possibility that we may become subject to future litigation;
our future indebtedness and contractual obligations;
4

Table of Contents
our expectations regarding trends in our key metrics and revenue from subscription fees from our healthcare services clients, payment processing fees and fees charged to our life sciences and payer clients for delivering direct communications to help activate, engage and educate patients about topics critical to their health;
the intended benefits of our acquisitions, including that of Comsort, Inc., d/b/a MediFind ("MediFind") on June 30, 2023, Access eForms, LLC ("Access") on August 11, 2023 and ConnectOnCall.com, LLC ("ConnectOnCall") on October 3, 2023;
our plans and expectations regarding operations in India; and
other risks and uncertainties, including those listed under the section titled “Risk Factors”.
We caution you that the foregoing list may not contain all of the forward-looking statements made in this Annual Report on Form 10-K. You should not rely upon forward-looking statements as predictions of future events. We have based our forward-looking statements primarily on our current expectations and projections about future events and trends that we believe may affect our business, financial condition, results of operations and prospects. The outcome of the events described in these forward-looking statements is subject to risks, uncertainties and other factors, including, without limitation, those described in the section titled “Risk Factors” in this Annual Report on Form 10-K.
Moreover, we operate in a very competitive and rapidly changing environment. New risks and uncertainties emerge from time to time and it is not possible for us to predict all risks and uncertainties that could have an impact on the forward-looking statements contained in this Annual Report on Form 10-K. We cannot assure you that the results, events and circumstances reflected in these forward-looking statements will be achieved or occur, and actual results, events or circumstances could differ materially from those described in the forward-looking statements.
The forward-looking statements contained in this Annual Report on Form 10-K speak only as of the date on which the statements are made. We undertake no obligation to update, and expressly disclaim the obligation to update, any forward-looking statements made in this Annual Report on Form 10-K to reflect events or circumstances after the date of this Annual Report on Form 10-K or to reflect new information or the occurrence of unanticipated events, except as required by law. We may not actually achieve the plans, intentions or expectations disclosed in our forward-looking statements and you should not place undue reliance on our forward-looking statements.
This Annual Report on Form 10-K includes statistical and other industry and market data that we obtained from industry publications and research, surveys and studies conducted by third parties. Industry publications and third-party research, surveys and studies generally indicate that their information has been obtained from sources believed to be reliable, although they do not guarantee the accuracy or completeness of such information. We have not independently verified the information contained in such sources.

NOTE REGARDING COMPANY REFERENCES
Unless the context otherwise requires, the terms “Phreesia,” “the Company,” “we,” “us,” and “our” in this Annual Report on Form 10-K refer to Phreesia, Inc.
5

Table of Contents
PART I
Item 1. Business
Overview
We are a leading provider of comprehensive software solutions that improve the operational and financial performance of healthcare organizations and improve health outcomes by helping patients take a more active role in their care. Our solutions include SaaS-based integrated tools that manage patient access, registration and payments. We have tools to communicate with patients about their health and have demonstrated increased rates of preventive care and vaccinations. Additionally, our solutions include clinical assessments to screen patients for a variety of physical, behavioral and mental health conditions, helping providers to better understand their patients and connect them to needed services, resulting in improved health outcomes. We also provide life sciences companies, health plans and other payer organizations (payers), patient advocacy, public interest and other not-for-profit organizations with a channel for direct communication with patients. Our solutions also include additional products and services such as the MediFind provider directory, which helps patients find care based on providers' specific clinical expertise. In fiscal 2024, we facilitated patient visits in over 3,900 healthcare services clients across all 50 states. We define a patient visit as an individual, in-person or telehealth visit to a healthcare services provider, which may include multiple encounters by the same patient.
Patient intake is a complex and time-consuming process involving numerous tasks, including registration, insurance verification, patient questionnaires, patient-reported outcomes ("PROs"), payments and scheduling. Inefficiencies during the intake process often result in lower satisfaction for patients and healthcare services organizations, wasted time, missed revenue opportunities and diminished health outcomes. Phreesia’s mission is to make care easier every day. We have created an integrated and streamlined system that automates data capture and activates patients before, during and after their interaction with their healthcare services provider.
Our comprehensive range of technology solutions and services include initial patient contact, registration, appointment scheduling, payments, automated answering services, and post-appointment patient surveys. We securely collect and analyze each patient’s information and provide engagement tools to efficiently guide each patient through their healthcare journey. We deploy our solutions across a range of modalities, including through patients’ mobile devices (Phreesia Mobile), through a web-based dashboard for healthcare services clients (Phreesia Dashboard), and through our self-service intake tablets (PhreesiaPads) and on-site kiosks (Arrivals Kiosks), all of which provide an individualized experience for each patient based on age, gender, appointment type and other clinical and demographic factors. Our solutions are highly customizable and scalable to any size healthcare service organization and can seamlessly integrate within a client’s workflows and leading Practice Management, or PM, and Electronic Health Record, or EHR, systems. Our solutions additionally allow for secure time-of-service and post-explanation of benefits integrated payments.
We serve an array of healthcare services clients of all sizes across over 25 specialties, ranging from single-specialty practices, including internal and family medicine, urology, dermatology, and orthopedics, to large, multi-specialty groups, and health systems as well as regional and national payers and other organizations that provide other types of healthcare-related services. Our Network solutions revenue (as described below) is generated from clients in the pharmaceutical, biotechnology and medical device industries, as well as payers, patient advocacy, public interest and other not-for-profit organizations seeking to activate, engage and educate patients about topics critical to their health.

Our solutions
We offer our clients a comprehensive range of technology applications and modules that address the growing needs of the healthcare market by helping patients take a more active role in their care.
Our access to care solutions provide a comprehensive appointment scheduling system to provide clients with applications for online appointments, reminders and referral tracking and management, in addition to managing inbound patient calls during and after business hours. Through our MediFind.com provider directory, we enable healthcare services clients to manage their MediFind provider profiles, helping patients to find the best doctors, latest medical advances and active clinical trials, and helping patients to book appointments.
Our registration solutions automate patient self-registration before or at the time of the patient’s visit— via Phreesia Mobile or through the use of a purpose-built PhreesiaPad or Arrivals Kiosk for on-site check-in. Our
6

Table of Contents
Phreesia Dashboard is used by healthcare services organization staff to monitor and manage the intake process. We also collect clinical intake and PRO data for more than 25 specialties, enabling our clients to ask the right clinical questions of the appropriate patients at the right time and gather key data that aligns with their quality-reporting goals.
Our revenue cycle solutions provide insurance-verification processes, point-of-sale payments applications, post-visit payment collection and flexible payment options, which help healthcare services clients maximize the timely collection of patient payments.
Our network solutions provide a channel to our life sciences and payer clients that leverages our large and growing network of over 3,900 healthcare services clients. On behalf of our life sciences and payer clients, we deliver clinically relevant content to patients and health plan members who voluntarily opt in to receive this type of engagement. Additionally, our DoctorFinder product allows Life Sciences companies to embed a doctor directory in their own websites, thereby helping patients find appropriate care for their unique needs.

Our market opportunity
We serve a range of healthcare services clients, including single-specialty practices, large multi-specialty groups and health systems. We provide services to large and small pharmaceutical, medical device and biotechnology companies as well as payer organizations. We believe our current addressable market is approximately $10.0 billion and is derived from: (1) the potential $6.3 billion of subscription and related services revenue generated from the approximately 1.4 million U.S.-based healthcare services organizations who take medical appointments in ambulatory care settings and healthcare service providers who work in hospital settings, (2) the estimated potential $2.3 billion of consumer-related transaction and payment processing fees, which are based on a percentage of payments that we process through our platform and address approximately $95.0 billion of annual out of pocket patient spend in ambulatory healthcare related professional services, (3) an estimated potential $1.9 billion in Network solutions revenue, based on projections of direct-to-consumer point-of-care marketing spend and other digital, direct-to-consumer life sciences marketing spend. We estimate that our target client universe in the ambulatory and hospital markets is approximately 50,000 unique healthcare services clients. As we develop new products and services, we expect our total addressable market to grow.

Our value proposition
We are focused on providing healthcare services organizations, life sciences companies and payer organizations the tools to help patients take a more active role in their care. We believe our solutions provide a unique value proposition that is differentiated from what is offered by the traditional healthcare system.
Value proposition for patients
Improved patient experience. Our solutions streamline the patient intake process and provides consumer-centric options for check-in. We pre-populate information from prior visits, minimizing the frustration of repetitive questions during the intake process and streamlining the information for review by a clinician by the time the patient reaches the exam room. We also offer patients a convenient, flexible, secure intake experience that saves time and provides clarity regarding the amount of payment due. The MediFind provider directory helps patients find the right care for their unique needs. Patients are also able to save time by making their appointments using our technology. Additionally, our smart answering and after hours care solution improves the patient experience by routing incoming patient calls to the appropriate healthcare resources.
Flexible payment options. We provide patients with flexibility and choice in how they pay for healthcare services. Patients are able to pay upfront or set up an automated payment plan that adheres to our healthcare services clients' financial policies. Patients can also choose to pay online on their healthcare services organization’s website or place a card on file, removing the need for difficult payment-related conversations with staff.
Activation in care. By leveraging the power of self-service and providing individualized and flexible software solutions, we activate patients early in their healthcare journey and provide them with relevant information to further educate them so they can take an active role in their healthcare decisions.
Value proposition for healthcare services clients
Simplify operations and enhance staff efficiency. We enable healthcare services clients to streamline operations through automated patient intake, automated answering services and payments that are integrated into existing
7

Table of Contents
workflows and PM and EHR systems. By automating the numerous tasks and forms associated with the intake process, our healthcare services clients have been able to save time on patient check-ins and inbound calls.
Improve cash flow and profitability and gain new business. We enable our healthcare services clients to increase collections and reduce costs. Based on client feedback received and our internal analysis, we believe that our flexible patient payment options, including card on file, have led to an increase in time-of-service collections for the majority of our healthcare services clients. Our automated eligibility and benefits verification solution also reduces the number of denied claims. Additionally, the MediFind provider directory enables providers to enhance their visibility to prospective new patients by including their profiles in the provider directory.
Enhance clinical and cost outcomes. We enable our healthcare services clients to more efficiently and effectively capture the right clinical information to meet their clinical goals and align with quality reporting initiatives. Our logic-driven delivery of PROs and other questionnaires help healthcare services clients identify at-risk patients in need of specific care and reduce errors by avoiding the need to manually gather the information. These PROs enable our healthcare services clients to close gaps in care, identify successful treatments and engage patients in their care. Through our subsidiary, Insignia Health, LLC ("Insignia"), we license the exclusive worldwide rights to the Patient Activation Measure ("PAM"®), which we believe is widely viewed as the gold standard of patient activation measures. Extensive research over the past decade suggests that the PAM could be a critical pathway in helping healthcare services clients achieve the goals of reducing costs and improving the health of their patients. Beginning in 2024, the Centers for Medicare and Medicaid Services ("CMS") includes the PAM Performance Measure ("PAM-PM") in its Merit-based Incentive Payments System ("MIPS").
Improve patient experience. We activate patients through their journey from access to registration to drive higher patient satisfaction, retention and safety. Our streamlined intake and payments offering provides a consumer-friendly experience and activates patients to take control of their care. Additionally, after obtaining patient consent, we enable healthcare services clients to conduct outreach within 24 hours of visit and generate real-time feedback that informs and drives efforts to improve patient experience. Providers benefit from the increased volumes of patients able to find them through the MediFind provider directory. We also provide an automated answering service that routes and triages incoming patient calls to connect patients with the appropriate care during a practice's normal business hours, as well as a service that connects patients with the appropriate care after hours.
Value proposition for life sciences and payer organizations
Direct communications. We provide life sciences and payer organizations with a channel to engage healthcare consumers who have voluntarily opted in for such communications, when they are most receptive and actively seeking care. Our data-driven solutions provide life sciences and payer organizations the ability to reach specific populations based on various demographic, clinical, environmental and social data, allowing our clients to activate patients and members with clinically or demographically relevant health content to help facilitate conversations with their providers about treatment and prevention options.
Speed diagnosis and increase uptake of preventive health services. Our data and analytics capabilities identify patient populations that align with our life sciences clients’ audiences. Based on our ongoing analyses of client marketing and education campaigns conducted by data analytics companies, we believe patients exposed to our campaigns are more likely, on average, to receive a relevant diagnosis, undergo a preventive health screening, or receive a relevant treatment, than control patients.
Improve brand conversion, treatment, and adherence. Our data and analytics capabilities identify patient populations that align with our life sciences clients’ audiences. Based on our ongoing analyses of client marketing campaigns conducted by data analytics companies, we believe patients exposed to a brand campaign using our solutions are more likely, on average, to take an action, such as initiating treatment, continuing treatment, or having a prescription filled for that product, than control patients.
Learn about patient cohorts. Our Patient Insights solutions provide a channel for our life sciences clients to deliver surveys to patients and capture direct feedback and access relevant population insights.
Our competitive landscape
We compete in a dynamic patient intake market with direct and indirect competitors that maintain varying degrees of resources and capabilities. We believe many direct competitors are focused on the basic aspects of electronic patient intake and are only starting to expand into the multiple adjacencies beyond patient registration such as access and clinical support. Some of our existing and potential service providers, particularly EHR providers, have
8

Table of Contents
developed their own patient intake solutions and have become direct competitors. Our solutions integrate with a majority of the leading EHR systems.

We believe companies in the market for comprehensive software solutions, including patient intake, compete on the basis of several factors, including:
price;
breadth, depth, quality and reliability of product and service offerings;
ease of use;
ability to drive tangible return on investment;
client-focused implementation services and training programs;
healthcare domain expertise;
patient clinical content offerings;
client support and client services; and
ability to integrate with all of a client’s existing systems, including EHR and/or PM systems.

Life sciences marketing is highly competitive and rapidly evolving and consists of both traditional media platforms (e.g. television and print media) as well as more modern web-based and application-based platforms that provide direct-to-consumer marketing for the life sciences industries. Our direct marketing solutions are unique and compete at the point of care as well as pre- and post-visit across an array of digital devices backed by our commitment to transparency and third-party auditing. We compete on the basis of several factors, including price, quality, transparency and the ability to demonstrate meaningful return on investment.
Our growth strategies
The success of our business depends on acquiring new clients and increasing utilization among our existing clients, which in turn drives growth across our solutions. We believe we are well-positioned to benefit from a number of prevailing industry tailwinds across our patient access, registration, revenue cycle and Network solution areas. We intend to continue to proactively grow the business through the following strategies:

Expanding our solutions to new healthcare services organizations
The market for a technology-powered intake and payment solution in the U.S. healthcare industry is large and underserved, and we believe we have a substantial opportunity to grow our client base and market share. With the ability to support over 25 different medical specialties and existing agreements with leading PM and EHR providers, we are able to serve a large portion of the U.S. ambulatory and acute care market. We currently serve a small percentage of ambulatory and acute care organizations, and we plan to continue to utilize our direct sales force to win new clients.

Deepening our relationship with existing healthcare services clients
We generate recurring fees from our healthcare services clients based on the number of subscriptions to our solutions and add-on applications. As our healthcare services clients realize the value our solutions offer, they typically purchase additional subscriptions for their organizations. Our sales strategy is focused on expanding our revenue per average healthcare services client ("AHSC") and we believe there is a significant opportunity to sell new applications.

Continuing to innovate and leverage our solutions
We believe our depth, scalability and robust capabilities allow us to address key challenges facing providers, payers and life sciences organizations. As an innovative leader across these segments of healthcare, we intend to continue to invest in new value-added offerings for our clients. We have a well-defined technology roadmap to introduce new features and functionality to our products. We intend to leverage our network and patient activation capabilities to eliminate gaps in care and increase care coordination among all key healthcare constituents. By expanding and continuously enhancing our solutions, we believe we can drive incremental revenue from existing clients as well as broaden our appeal to potential new clients.

Pursuing opportunistic strategic investments, partnerships and acquisitions
Our strong growth has included significant organic growth as we have added healthcare services and life sciences clients, while also expanding the solutions we offer those clients. Throughout our history, we have effectively contracted with leading PM and EHR solution providers and will continue to evaluate strategic and innovative investments and partnerships to accelerate growth. Phreesia has also acquired products and functionalities that
9

Table of Contents
expand our suite of solutions. We evaluate many investment, partnership and acquisition opportunities on an ongoing basis. We target opportunities that enhance the breadth or depth of our ability to activate patients in their care. Our acquisitions to date have all been consistent with this philosophy, and we will continue to evaluate growth opportunities that complement our internal initiatives.

Enhancing our margins through continued strategic growth
Our business model is based on developing and deploying new, value-added applications for our clients that increase revenue and enhance our attractive client unit economics. We have invested significantly and expect to continue investing significantly to create a comprehensive, scalable suite of solutions that allow us to gain operating leverage and enhance margins. Over time, we expect to increase profitability and margins by adding new clients and by expanding our existing clients with minimal incremental investment. Moreover, we continually aim to improve effectiveness and efficiency.

Our products and services
Our solutions are specifically designed to cater to the needs of patients, healthcare services clients and life sciences and payer companies while improving healthcare engagement.

Access to Care
We offer healthcare services clients convenient online appointment requests for patients, appointment tracking and appointment management in one place, and provide insight into past and upcoming appointments. Our Access to Care solutions include:
Provider directory for patients seeking care. On MediFind.com, healthcare services clients in our network can manage and update their profiles, to help new patients discover their services and book appointments.
Integrated patient scheduling. We give patients 24/7 access to request or schedule their own in-person or virtual appointments online, either through a link or by responding to patient-outreach by their provider. Once patients self-schedule or send an appointment request, their information automatically populates into the Phreesia Appointments Hub for staff to track and manage.
Automated appointment rescheduling. Our appointment rescheduling tool is an automated, text-based solution designed to fill open slots on a healthcare services client's schedule with clinically relevant patients. The tool leverages artificial intelligence and a custom-rules engine to offer earlier appointments for eligible patients as soon as a time slot becomes available.
Appointment reminders. With our appointment reminder solution, patients receive email, text, and voice reminders about upcoming in-person and virtual appointments, reducing no-shows for our healthcare services clients. Patient responses to confirm, cancel or reschedule appointments flow directly into the Phreesia Appointments Hub.
Patient text messaging. We allow healthcare services clients to send and receive text messages from individual patients about their in-person or virtual visits. This capability helps to reduce face-to-face interactions, decrease phone-call volume and improve patient communication.
After-hours care. PhreesiaOnCall helps healthcare services clients manage patients seeking care after-hours. A provider-facing app transcribes patient messages, routes to the on-call provider, and displays key information from the patient’s chart for a more productive call.
Smart answering solution. We help healthcare services clients manage inbound patient calls digitally with the option to follow-up via text message, reducing burden on call center and front desk staff members.

Registration
Our Registration applications facilitate mobile and on-site check-in, create a more complete patient record and increase patient convenience and satisfaction. These solutions include:
Mobile and in-office intake modalities. We allow patients to check in securely and conveniently on their computer or mobile device, either prior to their visit or when they arrive at the office. Patients can also update their clinical and demographic information, take a photo to store in their patient record, capture images of their driver’s license and insurance card, sign forms and policies and pay copays and outstanding balances—all from the privacy and ease of their own device.
10

Table of Contents
Registration for virtual visits. We support healthcare services clients offering telehealth by allowing them to perform all the necessary intake tasks for each virtual visit, including gathering consents, at scale. Intake for telehealth also provides patients with information about how their telehealth visit will work.
Specialty-specific workflows. Our workflows cover over 25 specialties leveraging our proprietary logic to guide patients through a tailored list of questions, allowing them to efficiently enter and verify their demographics, insurance data and clinical information.
Consent management. We streamline the process of collecting consents by ensuring that each patient receives the right forms. These forms can be customized by appointment type and can capture electronic signatures and send required forms directly to the PM or EHR system.
Self service patient-reported outcomes and screenings.
We deliver clinical assessments to screen patients for common morbidities, and we own the worldwide exclusive license to the PAM™, a measure that we believe is widely viewed as the gold standard for measuring patient activation.
Behavioral health screenings for primary care. We identify and screens patients for common behavioral and mental health conditions, including depression, anxiety and substance abuse.
Social determinants of health screening. We enable healthcare services clients to ask patients confidentially about their access to healthy food, safe housing and other social determinants that can have a critical impact on their health, to help healthcare services clients better understand patients and connect them to needed services.

Revenue cycle
We are able to improve key revenue cycle metrics with our payment solutions, increasing time-of-service and post-visit collections as well as improving patient convenience with online payments and card on file. Our Revenue Cycle solutions include:
Point-of-service payments. We offer self-service payment options on Phreesia Mobile, on the PhreesiaPad or at an Arrivals Kiosk. Healthcare services client staff can also process time-of-service or post-explanation of benefits payments on the Phreesia Dashboard. We are able to replace or support a client’s existing payment processor with a fast and secure way to process transactions, as we accept all major credit cards (Visa, MasterCard, American Express and Discover), ApplePay, and other payment methods. Phreesia is a PCI DSS Level 1 Service Provider and offers PCI-compliant point-of-sale solutions that significantly reduce the client's PCI DSS reporting requirements.
Insurance verification. Our automated eligibility and benefits application streamlines verification, reduces staff’s manual workload and alerts staff when attention is needed. We can run eligibility and benefits checks in advance, so our clients know their patients’ primary and secondary insurance before their visit.
Payment plans. Our healthcare services clients can give patients the option to set up private, automated payment plans when they check in, or have the staff create payment plans for them on the Phreesia Dashboard. Each plan is configured according to the healthcare services client’s financial policies and managed automatically.
Online payments. We allow practices to add a custom payment button to their website or send email reminders that direct patients to an online payment page.
Card on file and payment assurance. Patients may sign a financial policy that gives authorization to store their payment card on our secure solution, thus automatically collecting payments once claims are adjudicated.

Network Solutions
We provide several opportunities for third parties to engage with the patients and providers who are using the tools and products we offer.
Education and engagement before, during and after the visit. PatientConnect is our point of care offering which enables third parties to deliver personalized health content to users who opt to receive it after they have completed checking in for a doctor's appointment via Phreesia's intake software. Clients of this tool include life sciences organizations, health plans, and patient advocacy groups. Educational and promotional
11

Table of Contents
content about health is delivered to raise patient awareness and help patients start the right conversations with their providers, improving outcomes for these individuals. Educational material includes information about different therapy options to assist in advocating for their needs and preferences; disease education, which speeds up the time to diagnosis; screening tools and information to aid in early detection and disease prevention; and public service materials about vaccines, avoiding use of tobacco products, and more.
Patient insights. Similar to delivery of educational materials, we conduct primary research among interested users after they check in for appointments via our intake software to understand sentiments and behaviors, uncover unmet needs, and learn about preferences and health beliefs. These insights aid clients in understanding their patients’ experiences and enhancing their existing products and services.
Referral management. We offer a suite of referral management tools for healthcare services clients that enable them to track incoming referrals in a centralized list, send referrals to specialists, and check the status of each request.

Our technology
We have continued to enhance and develop our proprietary solutions with a focus on delivering reliability, performance, security and privacy. Our solutions have demonstrated scalability and robust integration within the operating infrastructure of our healthcare services clients. Our core technology capabilities include:
Robust integration. We integrate our technology into PMs, EHRs and ambulatory and acute system workflows for over 3,900 healthcare services clients. Data captured from the patient or generated by the use of our solutions automatically integrate into the PM and EHR systems of healthcare services clients. We currently contract with leading PM and EHR providers that collectively represent the majority of the total PM and EHR market. These providers of PM and EHR solutions and our healthcare services clients can leverage our expanding APIs to embed the functionality of our solutions for their patients, while controlling the look and feel.
Embedded payments. Our payment processing features have been designed to operate seamlessly within the workflows of our healthcare services clients, and our revenue cycle solutions can connect directly to those making payments, to multiple clearinghouses and directly with PM, EHR and other systems.
Scalable at cost. Our robust and scalable SaaS-based solution allows us to iterate on existing technology and develop new solutions quickly and efficiently to meet the needs of our clients. Our unique architecture also allows new integrated applications to be quickly deployed to clients and allows real-time integration without expensive and difficult-to-manage VPN tunnels. This is particularly important in a regulatory environment and industry that continues to evolve.
Consumer-oriented. Through technological innovation, we have continued to ensure our products and services evolve to meet growing and increasingly consumer-centric demands. Our technological innovations include enhancements to our user interface, which we believe has improved user experience, accessibility and satisfaction.
Reliable. Our technology is engineered to provide strong reliability and availability. We process hundreds of thousands of transactions, including eligibility and benefits verification, payment card processing and email and text messaging, quickly and reliably at a low cost every day.
Secure and private. We securely manage billions of data points for millions of patients using multiple devices. Maintaining the integrity of our solutions is critical to our business, our clients and the patients they treat. As our product offerings increase and become more robust, we continue to enhance and evolve our security program.

Privacy and security
Privacy and security are our top priorities. We maintain a comprehensive security program designed to safeguard the confidentiality, integrity and availability of our clients’ data. In particular, we deploy physical, administrative and technical controls to appropriately safeguard patient information.
We offer reliability, performance, security and privacy for our clients. We have infrastructure in place with three co-located data centers, and within Microsoft Azure and Amazon Web Service environments, to securely manage and maintain our clients’ information.
We use external security auditors and industry-leading vendors, such as Sikich, A-LIGN, and Bluefin to ensure we have the controls and procedures in place to protect our clients’ sensitive information. We have industry
12

Table of Contents
certifications, including HITRUST, PCI-DSS Level 1 Service Provider, Systems and Organization Controls 2 ("SOC 2") and PCI Point-to-Point Encryption. As a PCI-DSS Level 1 Service Provider, we are committed to upholding industry security standards to cardholder data.
We are committed to protecting the information and privacy of our clients and their patients. To the extent we work as a third-party for our healthcare provider partners, we are a "Business Associate" as defined under the federal Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information and Technology for Economic ad Clinical Health Act ("HITECH Act") and their implementing regulations, collectively referred to as HIPAA. As a Business Associate, we sign Business Associate Agreements that govern our uses and disclosures of protected health information ("PHI") on behalf of our covered entity clients that engage us to provide our software solutions.
Refer to Item 1C. Cybersecurity in Part I of this Annual Report on Form 10-K for additional information regarding our processes to assess, identify and manage material risks from cybersecurity threats and our board’s role in overseeing risks from cybersecurity threats.
Sales and marketing
We market and sell our products and services to healthcare services prospects throughout the U.S. using a direct sales organization. Our database team is responsible for the hygiene and health of our data and is tasked with validating information by using various tools to enrich it. This data powers our sales development organization. Our marketing team identifies customer profiles, develops content and deploys one-to-many communications to soften the market. This helps prepare our sales development team to engage with new prospective customers. The sales development team creates opportunities and works with the direct sales team to qualify those opportunities. Our sales force executes on these qualified sales leads, partnering with sales enablement and client services to ensure prospects are educated on the breadth of our capabilities and demonstrable value proposition, with the goal of attracting and retaining clients and expanding their use of our solutions over time. Most of our healthcare services customer contracts are structured as annual, auto-renewing agreements. Our sales typically involve competitive processes, and sales cycles have, on average, varied in duration from three months to six months, depending on the size of the potential client. In addition, through Phreesia University (Phreesia’s in-house training program), events, client conferences and webinars, we help our healthcare services clients optimize their businesses and, as a result, support client retention.

We also sell products and services to life sciences and payer organizations, healthcare advertising agencies and advocacy groups as well as advertising agencies through our direct sales and marketing teams. Most of the life science campaigns need to be measured and resold each year. Like healthcare services, the marketing team supports net new business and client retention for life sciences by educating ideal customer profiles about the value of Phreesia and the positive impact on health outcomes Phreesia campaigns have on patients.

Subscriber services and support
Our operations and support organizations differentiate and enhance our clients’ and patients’ experience. Our teams have significant experience integrating with various EHR and PM systems, which can help take our healthcare services clients from sale to go-live much quicker than other solutions. Our client-focused operations are structured to provide a seamless process.
Client services. Our dedicated Client Services team is responsible for pre-sales engagement, new client onboarding and implementation, existing client implementation and on-site optimization. Client Services is organized by market specialization, ensuring that our team provides deep expertise in the markets they support. In addition, our implementation teams have extensive knowledge of the PM and EHR systems that our healthcare services clients use. Through our designed implementation approach and expertise, we are able to take healthcare services clients live efficiently and quickly. Our Client Services team is also able to demonstrate early return on investment in land-and-expand deals, enabling us to roll out to additional locations.
Client success. Our success is driven by our ability to retain and expand relationships with existing and new clients. Our dedicated Client Success team is focused on the retention of our client base, coordinating directly with Sales and Client Services to meet this objective. Furthermore, we are continuously expanding our business and enhancing our clients' experience by offering additional products to our clients and driving adoption and utilization.
Client support. We provide technical support to our healthcare services clients through our dedicated Client Support team to directly resolve any product and/or service issues. We serve as the single starting point for
13

Table of Contents
client issues and offer a collaborative support model in contrast to tiered support models. This model has proven to help large companies continue to scale, while leveraging the benefits of smaller operations.
We are committed to providing quality services and support, with a focus on integration, implementation support and overall client satisfaction.

Regulatory Matters

Our business is subject to extensive, complex and rapidly changing federal and state laws and regulations. Various federal and state agencies have discretion to issue regulations and interpret and enforce healthcare laws. While we routinely evaluate our legal positions under applicable healthcare laws and regulations, these regulations can vary significantly from jurisdiction to jurisdiction, and interpretation and enforcement of existing laws and regulations can be uncertain or may change periodically. Moreover, in many jurisdictions in which we operate, neither our current nor our anticipated business model has been the subject of judicial or administrative interpretation. We cannot be assured that a review of our business by courts or regulatory authorities will not result in determinations that could adversely affect our operations or that the healthcare regulatory environment will not change in a way that restricts our operations. Federal and state legislatures also may enact various legislative proposals that could materially impact certain aspects of our business. In addition, our consumer transactions business is subject to certain financial services laws, regulations and rules, such as the Payment Card Industry Data Security Standards.

U.S. state and federal health information privacy and security laws
There are numerous U.S. federal and state laws and regulations related to the privacy and security of personally identifiable information, including health information. In particular, the Health Insurance Portability and Accountability Act of 1996, or HIPAA, establishes privacy and security standards that limit the use and disclosure of protected health information, referred to as PHI, and require the implementation of administrative, physical, and technical safeguards to ensure the confidentiality, integrity and availability of individually identifiable health information in electronic form. Many of our customers are regulated as covered entities under HIPAA. As a service provider who creates, receives, maintains or transmits PHI on behalf of our covered entity customers, Phreesia is a “business associate” as defined under HIPAA, and certain HIPAA requirements are directly applicable to business associates.
Violations of HIPAA may result in civil and criminal penalties and a single breach incident can result in violations of multiple standards. We must also comply with HIPAA’s breach notification rule. Under the breach notification rule, business associates must notify covered entities of a breach, and those covered entities must notify affected individuals without unreasonable delay in the case of a breach of unsecured PHI, which may compromise the privacy, security or integrity of the PHI. In addition, notification must be provided to the U.S. Department of Health and Human Services, or HHS, and the local media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported to HHS on an annual basis. In the event of a breach, our covered entity customers may require we provide assistance in the breach notification process and may seek indemnification and other contractual remedies.
State attorneys general also have the right to prosecute HIPAA violations committed against residents of their states. While HIPAA does not create a private right of action that would allow individuals to sue in civil court for a HIPAA violation, its standards have been used as the basis for the duty of care in state civil suits, such as those for negligence or recklessness in misusing personal information. In addition, HIPAA mandates that HHS conduct periodic compliance audits of HIPAA covered entities and their business associates. It also tasks HHS with establishing a methodology whereby harmed individuals who were the victims of breaches of unsecured PHI may receive a percentage of the Civil Monetary Penalty fine paid by the violator. In light of the HIPAA Omnibus Final Rule, recent enforcement activity, and statements from HHS, we expect increased federal and state HIPAA privacy and security enforcement efforts.
There has been increasing focus on the application of HIPAA and other privacy laws to technology companies.
Other federal and state laws restrict the use and protect the privacy and security of personally identifiable information. For example, according to the Federal Trade Commission (FTC), failing to take appropriate steps to keep consumers’ personal information secure constitutes unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a). The FTC expects a company’s data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business and the cost of available tools to improve security and reduce vulnerabilities. Individually identifiable health information is considered sensitive data that merits stronger safeguards. In recent years, the FTC has paid increased attention to privacy and data security matters, and we expect them to continue to do so in the future.
14

Table of Contents
Many states in which we operate and in which our patients reside also have laws that protect the privacy and security of sensitive and personal information, including health information, and are, in many cases, not preempted by HIPAA and may be subject to varying interpretations by courts and government agencies. These laws may be similar to or even more protective than HIPAA and other federal privacy laws. For example, the laws of the State of California, in which we operate, are more restrictive than HIPAA. The California Consumer Privacy Act, or CCPA, as amended by the California Privacy Rights Act, or CPRA, creates individual privacy rights for California consumers (as defined in the law) and places increased privacy and security obligations on entities handling personal data of consumers or households. The CCPA requires covered companies to provide certain disclosures to consumers about its data collection, use and sharing practices, and to provide affected California residents with ways to opt-out of certain sales or transfers of personal information. Additionally, as of January 1, 2023, California has a new state agency that is vested with authority to implement and enforce the CCPA. While any information we maintain in our role as a business associate may be exempt from the CCPA, other records and information we maintain may be subject to the CCPA.
We expect that there will continue to be new proposed and amended laws, regulations and industry standards concerning privacy, data protection and information security in the U.S. Already in the U.S. we have witnessed significant developments at the state level. In addition to the CCPA, new privacy and data security laws have been enacted in numerous other states and have been proposed in even more states as well as in the U.S. Congress, reflecting a trend toward more stringent privacy legislation in the U.S., which may accelerate. If enacted, such proposed legislation, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. The existence of comprehensive privacy laws in different states in the country would make our compliance obligations more complex and costly and may increase the likelihood that we may be subject to enforcement actions or otherwise incur liability for noncompliance.
Where state laws are more protective than HIPAA, we must comply with these additional state laws. In certain cases, it may be necessary to modify our planned operations and procedures to comply with these more stringent state laws. Not only may some of these state laws impose fines and penalties upon violators, but also some state laws, unlike HIPAA, may afford private rights of action to individuals who believe their personal information has been misused. In addition, state laws are changing rapidly, and there is discussion of a new federal privacy law or federal breach notification law, to which we may be subject.
In addition to HIPAA, state health information privacy and state health information privacy laws, we may be subject to other state and federal privacy laws. Such laws, for example, could include state laws that prohibit unfair privacy and security practices and deceptive statements about privacy and security and laws that place specific requirements on certain types of activities, such as data security and texting.
In recent years, there have been a number of well publicized data breaches involving the improper use and disclosure of personally identifiable information and PHI. Many states have responded to these incidents by enacting laws requiring holders of personal information to maintain safeguards and to take certain actions in response to a data breach, such as providing prompt notification of the breach to affected individuals and state officials. In addition, under HIPAA and pursuant to the related contracts with our business associates, we must report breaches of unsecured PHI to our contractual partners following discovery of the breach. Notification must also be made in certain circumstances to affected individuals, federal authorities and others.

U.S. federal and state telecommunications laws

There are number of U.S. federal and state laws and regulations that concern telephone calls, text messages and other telephonic communications to patients, potential patients, clients, and potential clients. For example, the Telephone Consumer Protection Act (“TCPA”) is a federal statute that restricts certain calls and text messages to individuals. Some states, including Florida and Oklahoma, have mini-TCPA laws that restrict certain calls and text messages to their residents and mini-TCPA laws have been proposed in other state legislatures. Our call and text communications are or may be (or may become) subject to these laws.

U.S. federal contracting laws
Our subsidiary, Insignia, as a federal government contractor, is obligated to comply with applicable laws and regulations, including provisions of the Federal Acquisition Regulation ("FAR") and Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), as amended by the Workforce Investment Act of 1998 ("Section 508"), in connection
15

Table of Contents
with its performance of its government contracts. Insignia’s obligations under the FAR include, for example, calculating overhead rates in accordance with the accounting procedures and internal controls required under the FAR standards. In addition, Insignia is obligated under Section 508 to ensure its services and products comply with federal accessibility standards. Consequences for violating the FAR and other laws and regulations applicable to government contracting include termination of contracts, suspension or debarment from doing future business with the government, criminal or civil remedies under the False Claims Act (as described below), and other penalties.

U.S. federal and state fraud and abuse laws
We are subject to additional healthcare regulation and enforcement by the federal government and by authorities in the states and foreign jurisdictions in which we conduct our business that may constrain the financial arrangements and relationships through which we research, as well as sell, market and distribute any products for which we obtain marketing authorization. Such laws include, without limitation, state and federal anti-kickback, fraud and abuse, false claims, and transparency laws and regulations related to drug pricing and payments and other transfers of value made to physicians and other healthcare providers. If our operations are found to be in violation of any of such laws or any other governmental regulations that apply, we may be subject to penalties, including, without limitation, administrative, civil and criminal penalties, damages, fines, disgorgement, the curtailment or restructuring of operations, integrity oversight and reporting obligations, exclusion from participation in federal and state healthcare programs and responsible individuals may be subject to imprisonment. Such laws and regulations include:

the federal Anti-Kickback Statute, which prohibits, among other things, persons or entities from knowingly and willfully soliciting, receiving, offering or paying any remuneration (including any kickback, bribe or rebate), directly or indirectly, overtly or covertly, in cash or in kind, to induce, or in return for, the purchase, lease, order, arrangement, or recommendation of any good, facility, item or service for which payment may be made, in whole or in part, under a federal healthcare program, such as the Medicare and Medicaid programs. A person or entity does not need to have actual knowledge of this statute or specific intent to violate it to have committed a violation. In addition to a few statutory exceptions and regulatory safe harbors, the U.S. Department of Health and Human Services Office of Inspector General, or OIG, has published safe-harbor regulations that outline categories of activities that are deemed protected from prosecution under the Anti-Kickback Statute provided all applicable criteria are met. The failure of a financial relationship to meet all of the applicable safe harbor criteria does not necessarily mean that the particular arrangement violates the Anti-Kickback Statute. Violations are subject to civil and criminal fines and penalties for each violation, plus up to three times the remuneration involved, imprisonment, and exclusion from government healthcare programs. Moreover, the government may assert that a claim including items or services resulting from a violation of the Anti-Kickback Statute constitutes a false or fraudulent claim for purposes of the False Claims Act or federal civil monetary penalty laws;

the federal civil and criminal false claims laws and civil monetary penalty laws, such as the federal False Claims Act, which impose criminal and civil penalties and authorize civil whistleblower or qui tam actions, against individuals or entities for, among other things: knowingly presenting, or causing to be presented, to the federal government, claims for payment that are false or fraudulent; knowingly making, using or causing to be made or used, a false statement of record material to a false or fraudulent claim or obligation to pay or transmit money or property to the federal government or knowingly concealing or knowingly and improperly avoiding or decreasing an obligation to pay money to the federal government. Manufacturers can be held liable under the federal False Claims Act even when they do not submit claims directly to government payors if they are deemed to “cause” the submission of false or fraudulent claims. The federal False Claims Act also permits a private individual acting as a “whistleblower” to bring actions on behalf of the federal government alleging violations of the federal False Claims Act and to share in any monetary recovery;

HIPAA, which created new federal criminal statutes that prohibit a person from knowingly and willfully executing, or attempting to execute, a scheme to defraud any healthcare benefit program or obtain, by means of false or fraudulent pretenses, representations or promises, any of the money or property owned by, or under the custody or control of, any healthcare benefit program, regardless of the payor (e.g., public
16

Table of Contents
or private) and knowingly and willfully falsifying, concealing or covering up by any trick or device a material fact or making any materially false, fictitious, or fraudulent statements or representations in connection with the delivery of, or payment for, healthcare benefits, items or services relating to healthcare matters; similar to the federal Anti-Kickback Statute, a person or entity does not need to have actual knowledge of the statute or specific intent to violate it in order to have committed a violation;

HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, or HITECH and their respective implementing regulations, including the Final Omnibus Rule published in January 2013, which impose requirements on certain covered healthcare providers, health plans, and healthcare clearinghouses as well as their respective business associates, independent contractors or agents of covered entities, that perform services for them that involve the creation, maintenance, receipt, use, or disclosure of, individually identifiable health information relating to the privacy, security and transmission of individually identifiable health information. HITECH also created new tiers of civil monetary penalties, amended HIPAA to make civil and criminal penalties directly applicable to business associates, and gave state attorneys general new authority to file civil actions for damages or injunctions in federal courts to enforce the federal HIPAA laws and seek attorneys’ fees and costs associated with pursuing federal civil actions. In addition, there may be additional federal, state and non-U.S. laws which govern the privacy and security of health and other personal information in certain circumstances, many of which differ from each other in significant ways and may not have the same effect, thus complicating compliance efforts; and

federal consumer protection and unfair competition laws, which broadly regulate marketplace activities and activities that potentially harm consumers.

Additionally, we are subject to state and foreign equivalents of each of the healthcare laws and regulations described above, among others, some of which may be broader in scope and may apply regardless of the payor. Many U.S. states have adopted laws similar to the federal Anti-Kickback Statute and False Claims Act, and may apply to our business practices, including, but not limited to, research, distribution, sales or marketing arrangements and claims involving healthcare items or services reimbursed by non-governmental payors, including private insurers. In addition, some states have passed laws that require pharmaceutical companies to comply with the April 2003 Office of Inspector General Compliance Program Guidance for Pharmaceutical Manufacturers and/or the Pharmaceutical Research and Manufacturers of America’s Code on Interactions with Healthcare Professionals. Several states also impose other marketing restrictions or require pharmaceutical companies to make marketing or price disclosures to the state and require the registration of pharmaceutical sales representatives. State and foreign laws, including for example the European Union General Data Protection Regulation, which became effective May 2018 also govern the privacy and security of health information in some circumstances, many of which differ from each other in significant ways and often are not preempted by HIPAA, thus complicating compliance efforts. There are ambiguities as to what is required to comply with these state requirements and if we fail to comply with an applicable state law requirement we could be subject to penalties. Finally, there are state and foreign laws governing the privacy and security of health information, many of which differ from each other in significant ways and often are not preempted by HIPAA, thus complicating compliance efforts.

Intellectual property
Our continued growth and success depend, in part, on our ability to protect our intellectual property and proprietary technology. We primarily protect our intellectual property through a combination of trademarks, trade secrets and other contractual rights, including confidentiality, non-disclosure and assignment-of-invention agreements with our employees, independent contractors, consultants and companies with which we conduct business.
However, these intellectual property rights and procedures may not prevent others from creating a competitive SaaS solution or otherwise competing with us. We may be unable to obtain, maintain and enforce the intellectual property rights on which our business depends, and assertions by third parties that we violate their intellectual property rights could have a material adverse effect on our business, financial condition and results of operations.

Human Capital Resources

17

Table of Contents
As of January 31, 2024, we had 1,438 full-time employees, including 512 in sales and marketing, 473 in research and development, 294 in services and support and 159 in general and administrative. As of January 31, 2024, we had 946 full-time employees in the United States and 492 full-time employees internationally. We also supplement our workforce with contractors and consultants, including a substantial number of contractors and consultants in international locations. For example, as of January 31, 2024 we had a strategic relationship with Rayden Design Studio Private Ltd. (“Rayden”), pursuant to which approximately 1,000 Rayden India-based personnel supported our business through various functions, including, but not limited to, customer operations, research and development, product management and support, sales and marketing, and finance and accounting. None of our employees are represented by labor unions or covered by collective bargaining agreements. We consider our relationship with our employees to be good, and we have not experienced any work stoppages.

Talent and Culture: The success and continued evolution of our company has been due in large part to the talent and engagement of our entire team. Our team members are key pillars of our success and fostering and developing their talent is central to our culture. Attracting and retaining top talent is a high priority for us, and we look to hire smart, passionate, diverse and driven individuals who want to be a part of our mission. Our strong company culture and investment in long-term career growth for our people is evidenced by the long tenure of many of our team members with our organization. We believe our success is due in large part to the continued engagement of our talented and committed team. During our fiscal year ended January 31, 2024, Modern Healthcare magazine recognized Phreesia as one of the “Best Places to Work in Healthcare” for the seventh time, and Phreesia was named to the list of "The Top 100 Software Companies of 2023" by the Software Report, our second year in a row on the list. Additionally, Phreesia was named as one of 2023 Achievers 50 "Most Engaged Workplaces". Phreesia has also had representation on the Software Report's Top 50 Women Leaders in SaaS for the past six years. All of these achievements optimally position us to continue to attract top healthcare and technology talent.

Diversity and Inclusiveness: We are committed to hiring, developing and supporting a diverse and inclusive workplace. We employ strong recruiting practices that actively seek out and engage underrepresented groups. We strive to make career paths, career development opportunities and mentorships available to all employees. Additionally, we cultivate opportunities for diverse voices to be heard and supported. Our employee resource groups ("ERGs") support our commitment to promoting and maintaining an inclusive culture for all employees by bringing together individuals from a wide range of backgrounds, experiences and perspectives. These groups seek to foster a sense of shared community and empowerment for employees who share a common social identity, such as gender, race, ethnicity, disability and sexual orientation. Phreesians can voluntarily join an ERG to network, discuss and exchange ideas and enhance their professional development.

We recognize that our ability to execute on our mission of making care easier every day depends on our people. We are also committed to supporting gender equality in our organization, including through our inclusive culture, board representation, pathways to leadership for women, pay equity and strong family-leave policies.

We published our fourth Phreesia Gender Equality Report in 2023 based on the framework provided by the Bloomberg Gender Equality Index which has included Phreesia in January 2021, 2022, and 2023.

Remote Workforce: We have operated as a fully remote company since 2020, as we believe this arrangement allows us access to the best talent and creates optimal flexibility for our employees.

Corporate Information

We are a fully remote company and do not maintain principal executive offices. Our mailing address is 1521 Concord Pike, Suite 301, PMB 221, Wilmington, DE 19803, and our telephone number is (888) 654-7473. Our website address is http://www.phreesia.com. We do not incorporate the information on or accessible through our website into this report, and you should not consider any information on, or that can be accessed through, our website as part of this report.

Available Information

Our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, and all amendments to these filings, are available free of charge from our investor relations website at https://ir.phreesia.com as soon as reasonably practicable following our filing with or furnishing to the Securities and Exchange Commission, or SEC, of any of these reports. The SEC maintains an Internet website at https://
18

Table of Contents
www.sec.gov that contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC.
Phreesia investors and others should note that we announce material information to the public about our company, products and services and other issues through a variety of means, including our website at https://www.phreesia.com, our investor relations website at https://ir.phreesia.com, press releases, SEC filings and public conference calls, in order to achieve broad, non-exclusionary distribution of information to the public. We also use the following social media channels as a means of disclosing information about the company, our solutions, our planned financial and other announcements and attendance at upcoming investor and industry conferences, and other matters and for complying with our disclosure obligations under Regulation FD:
PHREESIA Twitter Account (https://twitter.com/phreesia)
PHREESIA Facebook Page (https://www.facebook.com/phreesia/)
PHREESIA LinkedIn Page (https://www.linkedin.com/company/phreesia)
PHREESIA Instagram Account (https://www.instagram.com/phreesia.co)
PHREESIA News Page (https://www.phreesia.com/news/)
PHREESIA Life Sciences Twitter Account (https://twitter.com/PhreesiaLifeSci)
PHREESIA Life Sciences Facebook Page (https://www.facebook.com/PhreesiaLifeSciences/)
PHREESIA Life Sciences LinkedIn Page (https://www.linkedin.com/company/phreesia-life-sciences/)
PHREESIA Life Sciences Page (https://lifesciences.phreesia.com)
INSIGNIA Health website (https://www.insigniahealth.com/)
MEDIFIND website (https://www.medifind.com/)

We encourage our investors and others to review the information we make public in these locations as such information could be deemed to be material information. Please note that this list may be updated from time to time.
The contents of any website referred to in this Annual Report on Form 10-K are not intended to be incorporated into this Annual Report on Form 10-K or in any other report or document we file with the SEC, and any references to our websites are intended to be inactive textual references only.

ITEM 1A.    RISK FACTORS
Risk factors
A description of the risks and uncertainties associated with our business and industry is set forth below. You should carefully consider the risks and uncertainties described below, together with all of the other information in this Annual Report on Form 10-K, including our consolidated financial statements and notes thereto and the “Management’s discussion and analysis of financial condition and results of operations” section of Annual Report on Form 10-K, before deciding whether to purchase shares of our common stock. If any of the following risks are realized, our business, financial condition, operating results and prospects could be materially and adversely affected. In that event, the price of our common stock could decline, perhaps significantly. Additional risks and uncertainties not presently known to us or that we currently deem immaterial also may impair our business operations. Certain statements in this Annual Report on Form 10-K are forward-looking statements. See the section of this Annual Report on Form 10-K titled “Special Note Regarding Forward-Looking Statements.”

Risks relating to our business and industry
We have grown rapidly in recent periods, and as a result, our expenses have continued to increase. If we fail to manage our growth effectively, our revenue may not increase, and we may be unable to implement our business strategy.
We have experienced significant growth in recent periods, which puts strain on our business, operations and employees. We anticipate that our operations will continue to expand. As we continue to grow, both organically and through acquisitions, we must effectively integrate, develop, and manage an increasingly distributed employee base in a fully remote working environment. We may find it challenging to maintain the same level of employee productivity while executing our growth plan, fostering collaboration, and maintaining the beneficial aspects of our culture, and any such failures could negatively affect our future success, including our ability to attract and retain highly qualified employees and to achieve our business objectives.
In addition, to manage our current and anticipated future growth effectively, we must continue to maintain and enhance our IT infrastructure, financial and accounting systems and controls and continue to build our qualified work force in key areas of our company. A key element of how we manage our growth is our ability to scale our
19


capabilities and satisfactorily implement solutions for our clients’ needs. Our healthcare services clients often require specific features or functions unique to their organizational structure, which, at a time of significant growth or during periods of high demand, may strain our implementation capacity and hinder our ability to successfully implement our solutions for our clients in a timely manner. If we are unable to address the needs of our healthcare services clients or our healthcare services clients are unsatisfied with the quality of our solutions or our services due to our inability to manage our rapid growth, they may not renew their contracts, seek to cancel or terminate their relationship with us or renew on less favorable terms, any of which could adversely affect our business.
Failure to effectively manage our growth could also lead us to over-invest or under-invest in development and operations, result in weaknesses in our infrastructure, systems or controls, give rise to operational mistakes, financial losses, loss of productivity or business opportunities and result in loss of employees and reduced productivity of remaining employees. In addition, our growth has required and is expected to require significant capital expenditures and may divert financial resources from other projects such as the development of new applications and services. We may also need to make further investments in our technology and automate portions of our solutions or our services to decrease our costs. If our management is unable to effectively manage our growth, our revenue may not increase (including sufficiently to offset our expenses) or may grow more slowly than expected and we may be unable to implement our business strategy.

We operate in a highly competitive industry, and if we are not able to compete effectively, including with the EHR and PM systems with which we integrate, our business and results of operations will be harmed.
The market for our products and services is fragmented, competitive and characterized by rapidly evolving technology standards, evolving regulatory requirements, changes in client needs and the frequent introduction of new products and services. Our competitors range from smaller niche companies to large, well-financed and technologically-sophisticated entities, including the EHR and PM systems with which we integrate. As costs fall and technology improves, increased market saturation may change the competitive landscape in favor of competitors with greater scale than we currently possess.
In order to remain competitive, we are continually involved in a number of projects to compete with new market entrants by developing new services, growing our client base and penetrating new markets. These projects carry risks, such as cost overruns, delays in delivery, performance problems and lack of acceptance by our clients.
The success of our business and growth strategy depend upon our continued ability to maintain and expand a network of healthcare services clients. If we are unable to attract and retain healthcare services clients, it would have a material adverse effect on our business and ability to grow and would adversely affect our results of operations. Our success also depends on providing high-quality products and services that healthcare services clients use to improve clinical, financial and operational performance and that are used and positively received by patients. If we cannot adapt to rapidly evolving industry standards and technology and increasingly sophisticated and varied healthcare services organization and patient needs, our existing technology could become undesirable, obsolete or harm our reputation.
We believe demand for our products and services has been driven in large part by increasing patient responsibility, engagement and consumerism. Our ability to streamline the intake process and critical workflows in order to improve healthcare services organization, staff efficiency and patient engagement to allow for optimal allocation of resources will be critical to our business. Our success also depends on the ability of our solutions to increase patient engagement, and our ability to demonstrate the value of our solutions to healthcare services clients, patients and life sciences companies. If our existing clients do not recognize or acknowledge the benefits of our solutions or our solutions do not drive patient engagement, then the market for our products and services might develop more slowly than we expect, which could adversely affect our operating results.
In addition, as we and the EHR and PM solutions with which we integrate, grow and expand product offerings, the EHR and PM solutions with which we integrate could offer more competitive services. Some of these EHR and PM systems offer, or may begin to offer, services, including patient intake and engagement services, payment processing tools and direct patient communication services, in the same or similar manner as we do. Although there are many potential opportunities for, and applications of, these services, these EHR and PM systems may seek opportunities or target new clients in areas that may overlap with those that we have chosen to pursue. Such competition from these EHR and PM systems may adversely affect our business, market share and results from operations.
We compete on the basis of several factors, including breadth, depth and quality of product and service offerings, ability to deliver clinical, financial and operational performance improvement through the use of products and services, quality and reliability of services, ease of use and convenience, brand recognition, price and the ability to




20


integrate our solutions with various EHR and PM systems and other technology. Some of our competitors have greater name recognition, longer operating histories and significantly greater resources than we do. As a result, our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards or client requirements. In addition, current and potential competitors have established, and may in the future establish, cooperative relationships with vendors of complementary products, technologies or services to increase the availability of their products to the marketplace. Accordingly, new competitors or providers of EHR and PM solutions may emerge that have greater market share, larger client bases, more widely adopted proprietary technologies, greater marketing expertise, greater financial resources and larger sales forces than we have, which could put us at a competitive disadvantage. We also may be subject to pricing pressures as a result of, among other things, competition within the industry, consolidation of healthcare industry participants, practices of managed care organizations, government action and financial stress experienced by our clients. If our pricing experiences significant downward pressure, our business will be less profitable and our results of operations will be adversely affected. We cannot be certain that we will be able to retain our current clients or expand our client base in this competitive environment. If we do not retain current clients or expand our client base, or if we have to renegotiate existing contracts, our business, financial condition and results of operations will be harmed. Moreover, we expect that competition will continue to increase as a result of consolidation in both the healthcare information technology and healthcare industries. If one or more of our competitors or potential competitors were to merge or partner with another of our competitors, the change in the competitive landscape could also adversely affect our ability to compete effectively and could harm our business, financial condition and results of operations.

We have experienced net losses in the past and we may not achieve profitability in the future.
We have incurred significant operating losses since our inception. For the years ended January 31, 2024 and January 31, 2023, we had net losses of $136.9 million and $176.1 million, respectively, and losses from operations of $136.5 million and $176.6 million, respectively. Our operating expenses may increase in the foreseeable future as we continue to invest to grow our business and build relationships with our clients and partners, develop new solutions and operate as a public company. In addition, to the extent we are successful in increasing our client base, we could incur increased losses because significant costs associated with entering into client agreements are generally incurred up front, while revenue is generally recognized ratably over the term of the agreement. As a result, we may need to raise additional capital through equity and debt financings in order to fund our operations, which may not be available to us on favorable terms or at all. If we are unable to effectively manage these risks and difficulties as we encounter them or effectively access the capital markets, our business, financial condition and results of operations may suffer.

Our operating results have in the past and may continue to fluctuate significantly and if we fail to meet the expectations of analysts or investors, our stock price and the value of your investment could decline substantially.
Our operating results are likely to fluctuate, and if we fail to meet or exceed the expectations of securities analysts or investors, the trading price of our common stock could decline. Moreover, our stock price may be based on expectations of our future performance that may be unrealistic or that may not be met. Some of the important factors that could cause our revenues and operating results to fluctuate from quarter to quarter include:
the extent to which our products and services achieve or maintain market acceptance;
our ability to introduce new products and services and enhancements to our existing products and services on a timely basis;
new competitors and the introduction of enhanced products and services from new or existing competitors;
the length of our contracting and implementation cycles;
the financial condition of our current and potential clients;
our ability to integrate our solutions with the systems utilized by our healthcare services clients, including but not limited to, EHR and PM systems;
changes in client budgets and procurement policies;
patients' desires to receive communications from Phreesia and/or our partners, the extent to which they opt-in to such communications, and our ability to deliver a consistent volume of such communications;
amount and timing of our investment in research and development activities and other areas of our business;
technical difficulties or interruptions in our services;
our ability to hire and retain qualified personnel, including the rate of expansion of our sales force;
changes in the regulatory environment related to healthcare;
regulatory compliance costs;




21


the timing, size and integration success of recent and potential future acquisitions;
unforeseen legal expenses, including litigation and settlement costs; and
buying patterns of our clients and the related seasonality impacts on our business.

Many of these factors are not within our control, and the occurrence of one or more of them might cause our operating results to vary widely. As such, we believe that quarter-to-quarter comparisons of our revenues and operating results may not be meaningful and should not be relied upon as an indication of future performance
A significant portion of our operating expense is relatively fixed in nature, and planned expenditures are based in part on expectations regarding future revenue. Accordingly, unexpected revenue shortfalls may decrease our margins and could cause significant changes in our operating results from quarter to quarter.
Privacy concerns or security breaches or incidents relating to our SaaS-based solutions could result in economic loss, damage to our reputation, deterring users from using our products, and our exposure to legal penalties and liability.

We collect, process and store significant amounts of sensitive, confidential and proprietary information, including personally identifiable information, such as payment data and protected health information, of patients received in connection with the utilization of our solutions. Attacks on information technology systems are increasing in their frequency, levels of persistence, sophistication and intensity, they are being conducted by increasingly sophisticated and organized groups and individuals with a wide range of motives and expertise, and they may remain undetected for an extended period of time. If such an event were to occur and cause interruptions in our operations, result in the unauthorized access to, disclosure, loss, processing or other compromise of, personal information or individually identifiable health information (violating certain privacy laws such as HIPAA) or confidential information, or jeopardize the confidentiality, integrity, or availability of our solutions, it could result in a material disruption to our solutions and our business operations. In addition to extracting sensitive information, such attacks could include the deployment of harmful malware, ransomware, denial-of-service attacks, social engineering and other means to affect service reliability and threaten the confidentiality, integrity and availability of information. The prevalent use of mobile devices also increases the risk of data security incidents. While we believe we have taken reasonable steps to protect such data, techniques used to gain unauthorized access to data and systems, disable or degrade service, or sabotage systems, are constantly evolving, and we may be unable to anticipate such techniques or implement adequate preventative measures to avoid unauthorized access or other adverse impacts to such data or our systems. In addition, some of our third-party service providers and partners also collect and/or store our sensitive information and our clients' data on our behalf, and these service providers and partners are subject to similar threats of cyber-attacks and other malicious internet-based activities, which could also expose us to risk of loss, litigation, and potential liability. Even though we may have contractual protections with such vendors, contractors, or other organizations, notifications and follow-up actions related to a cybersecurity breach could impact our reputation, cause us to incur significant costs, including legal expenses, harm customer confidence, expose us to government enforcement action, hurt our expansion into new markets, cause us to incur remediation costs, or cause us to lose existing customers. The risk of state-supported and geopolitical-related cyber-attacks may increase in connection with the war in Ukraine and any related political or economic responses and counter-responses. We may not discover all such incidents or activity or be able to respond or otherwise address them promptly, in sufficient respects or at all.
We may be subject to state laws requiring notification of affected individuals and state regulators in the event of a breach of personal information, which is a broader class of information than the health information protected by HIPAA (as defined below). Furthermore, certain health privacy laws, data breach notification laws, consumer protection laws and genetic testing laws may apply directly to our business and/or those of our collaborators and may impose restrictions on our collection, use and dissemination of individuals’ health information. Patients about whom we obtain health information, as well as the healthcare services clients who share this information with us, may have statutory or contractual rights that limit our ability to use and disclose the information. We may be required to expend significant capital and other resources to ensure ongoing compliance with applicable privacy and data security laws. Claims that we have violated individuals’ privacy rights, violated applicable privacy laws and regulations or breached our contractual obligations, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business.
Like all internet services, our service is vulnerable to software bugs, computer viruses, internet worms, break-ins, phishing attacks, attempts to overload servers with denial-of-service, or other attacks or similar disruptions from unauthorized use of our and third-party computer systems, any of which could lead to system interruptions, delays, or shutdowns, causing loss of critical data or the unauthorized access of data. Though it is difficult to determine what, if any, harm may directly result from any specific interruption or attack, any failure to maintain performance,




22


reliability, security and availability of our products, or failure to prevent software bugs, to the satisfaction of our clients or the health and safety of their patients, such events may harm our reputation and our ability to retain existing clients, and negatively affect our clients and their patients. We have in place systems and processes that are designed to protect our data, prevent data loss, disable undesirable accounts and activities on our platform and prevent or detect security breaches, however, we cannot assure you that such measures will provide absolute security.
Further, the security systems in place at our employees’ and service providers’ offices and homes may be less secure than those used in our offices, and while we have implemented technical and administrative safeguards to help protect our systems as our employees and service providers work from their offices, homes and other remote locations, we may be subject to increased cybersecurity risk, which could expose us to risks of data or financial loss, and could disrupt our business operations. There is no guarantee that the data security and privacy safeguards we have put in place will be completely effective or that we will not encounter risks associated with employees and service providers accessing company data and systems remotely. If an actual or perceived breach of security occurs to our systems or a third-party’s systems, we also could be required to expend significant resources to mitigate the breach of security, pay any applicable fines and address matters related to any such breach, including notifying users or regulators, and address reputational harm.

Business or economic disruptions or global health concerns could harm our business and increase our costs and expenses.
Broad-based business or economic disruptions or global health concerns could materially and adversely impact our business and results of operations due to, among other factors:

a general decline in business activity;
a potentially disproportionate impact on the healthcare services clients with whom we contract;
disruptions to our supply chains and our third-party vendors, partners, and suppliers;
difficulty accessing the capital and credit markets on favorable terms, or at all, and a severe disruption and instability in the global financial markets, or deteriorations in credit and financing conditions that could affect our access to capital necessary to fund business operations or address maturing liabilities on a timely basis; and
social, economic, and labor instability in the countries in which we or the third parties with whom we engage operate.

In addition, recent macroeconomic challenges (including high levels of inflation and high interest rates) and the tight labor market continue to adversely affect workforces, organizations, governments, clients, economies, and financial markets globally and have disrupted the normal operations of many businesses, including our business, making it potentially very difficult for our clients and us to accurately forecast and plan future business activities. These factors have and could further decrease healthcare industry spending, adversely affect demand for our products and services, impair the ability of our clients to pay for the products and services they have already purchased from us, cause one or more of our clients to file for bankruptcy protection or go out of business, cause one or more of our clients to fail to renew, terminate, or renegotiate their contracts, impact expected spending from new clients, negatively impact collections of accounts receivable, and harm our business, results of operations, and financial condition.
Further, market volatility as a result of future failures of financial institutions, similar to the failures of Silicon Valley Bank and Signature Bank, could lead to market-wide liquidity shortages, impair the ability of companies to access near-term working capital needs and create additional market and economic uncertainty. During challenging economic times, our clients and patients may have difficulty gaining timely access to sufficient credit or obtaining credit on reasonable terms and may face increased costs or other negative financial impacts, each of which could impair their ability to make timely payments to us and adversely affect our revenue, which could harm our business, financial condition and results of operations.

We are a fully remote company that does not maintain a physical office presence, which subjects us to unique operational risks.

Being a fully remote company subjects us to unique operational risks. For example, technologies in our employees’ homes may not be as robust as in our offices and could cause the networks, information systems, applications, and other tools available to employees and service providers to be more limited or less reliable than in our offices. Further, the security systems in place at our employees’ homes may be less secure than those used in our offices,




23


and while we have implemented technical and administrative safeguards to help protect our systems as our employees and service providers work from home, we may be subject to increased cybersecurity risk, which could expose us to risks of data or financial loss and could disrupt our business operations. There is no guarantee that the data security and privacy safeguards we have put in place will be completely effective or that we will not encounter risks associated with employees accessing company data and systems remotely. In addition, operating remotely may negatively impact our corporate culture, including employee engagement and productivity.

If our internal controls over financial reporting or our disclosure controls and procedures are not effective, we may not be able to accurately report our financial results, prevent fraud or file our periodic reports in a timely manner, which may cause investors to lose confidence in our reported financial information and may lead to a decline in our stock price.
As a public company, we are required to maintain internal control over financial reporting and disclosure controls and procedures. Section 404 of the Sarbanes-Oxley Act of 2002 (the "Sarbanes-Oxley Act") requires that we evaluate and determine the effectiveness of our internal control over financial reporting and provide a management report on the internal control over financial reporting. Our testing, or the subsequent testing by our independent public accounting firm, may reveal deficiencies in our internal control over financial reporting that are deemed to be material weaknesses. If we are not able to comply with the requirements of Section 404 in a timely manner, or if we or our accounting firm identify deficiencies in our internal control over financial reporting that are deemed to be material weaknesses, the market price of our stock would likely decline and we could be subject to lawsuits, sanctions or investigations by regulatory authorities, including SEC enforcement actions, and we could be required to restate our financial results, any of which would require additional financial and management resources.
If material weaknesses in our internal control over financial reporting are discovered or occur in the future, our consolidated financial statements may contain material misstatements and we could be required to restate our financial results, which could materially and adversely affect our business, results of operations and financial condition, restrict our ability to access the capital markets, require us to expend significant resources to correct the material weakness, subject us to fines, penalties or judgments, harm our reputation or otherwise cause a decline in investor confidence.
We continue to invest in more robust technology and resources to manage those reporting requirements. Implementing the appropriate changes to our internal controls may distract our officers and employees, result in substantial costs and require significant time to complete. Any difficulties or delays in implementing these controls could impact our ability to timely report our financial results. For these reasons, we may encounter difficulties in the timely and accurate reporting of our financial results, which would impact our ability to provide our investors with information in a timely manner. As a result, our investors could lose confidence in our reported financial information, and our stock price could decline.
In addition, any such changes do not guarantee that we will be effective in maintaining the adequacy of our internal controls, and any failure to maintain that adequacy could prevent us from accurately reporting our financial results.

We typically incur significant upfront costs in our client relationships, and if we are unable to develop or grow these relationships over time, we are unlikely to recover these costs and our operating results may suffer.
We devote significant resources to establish relationships with new clients and deepen relationships with existing clients. Our efforts involve educating our clients and patients about the use, technical capabilities and benefits of our products and services. We do not provide access to our solutions and do not charge fees during this initial sales period. For clients that decide to enter into a contract with us, most of these contracts may provide for a preliminary trial period where a subset of healthcare services locations from the client is granted access to our solutions. Following any such trial period, we aim to increase the number of healthcare services locations within the client that utilize our solutions. Accordingly, our operating results depend in substantial part on our ability to deliver a successful client and patient experience and persuade our clients and patients to grow their relationship with us over time. As we expect to grow rapidly, our client acquisition costs could outpace revenue growth, and we may be unable to reduce our total operating costs through economies of scale such that we are unable to achieve profitability. Any increased or unexpected costs or unanticipated delays, including delays caused by factors outside of our control, could cause our operating results to suffer.




24


As a result of our variable sales and implementation cycles, we may be unable to recognize revenue to offset expenditures, which could result in fluctuations in our quarterly results of operations or otherwise harm our future operating results.
The sales cycle for our services can be variable, typically ranging from three to six months from initial contact to contract execution. During the sales cycle, we expend time and resources, and we do not recognize any revenue to offset such expenditures. Our implementation cycle is also variable, typically ranging from one to 24 months from contract execution to completion of implementation. The variability of our sales and implementation cycle is dependent on numerous factors, including the discretionary nature of potential clients' purchasing and budget decisions and the size and complexity of the applicable client. Some of our new-client set-up projects are complex and require a lengthy delay and significant implementation work, including to educate prospective clients about the uses and benefits of our solutions. Each customer’s situation is different, and unanticipated difficulties and delays may arise as a result of failure by us or by the client to meet our respective implementation responsibilities. During the implementation cycle, we expend substantial time, effort and financial resources implementing our service, but accounting principles do not allow us to recognize the resulting revenue until the service has been implemented, at which time we begin recognition of subscription and related implementation revenue over the life of the contract. This could harm our future operating results. If implementation periods are extended, our revenue cycle will be delayed and our financial condition may be adversely affected. In addition, cancellation of any implementation after it has begun may involve loss to us of time, effort and expenses invested in the cancelled implementation process and lost opportunity for implementing paying clients in that same period of time.
These factors may contribute to substantial fluctuations in our quarterly operating results, particularly in the near term and during any period in which our sales volume is relatively low. As a result, in future quarters our operating results could fall below the expectations of securities analysts or investors, in which event our stock price would likely decrease.
The growth of our business relies, in part, on the growth and success of our clients and certain revenues from our engagements, which is difficult to predict and is subject to factors outside of our control.
We enter into agreements with our healthcare services clients, under which a significant portion of our fees are variable, including fees which are dependent upon the number of add-on features subscribed for by our clients and the number of patients utilizing our payment processing tools. If there is a general reduction in spending by healthcare services organizations on healthcare technology solutions, it may result in a reduction in fees generated from our healthcare services clients or a reduction in the number of add-on features subscribed for by our healthcare services clients. This could lead to a decrease in our revenue, which could harm our business, financial condition and results of operations.
In addition, the number of patients utilizing our payment processing tools, and the amounts those patients pay directly to our healthcare services clients for services, is often impacted by factors outside of our control, such as the number of patients with high deductible health plans. Accordingly, revenue under these agreements can be uncertain and unpredictable. If the number of patients utilizing our payment systems, or the aggregate amounts paid by such patients directly to our healthcare services clients through our solutions, were to be reduced by a material amount, such decrease would lead to a decrease in our revenue, which could harm our business, financial condition and results of operations.
We also generate Network solutions revenue through fees charged to our life sciences and payer clients by delivering direct communications to help activate, engage and educate patients who authorize the delivery of, or "opt-in" to, such communications about topics critical to their health. The growth of our revenue stream from life sciences and payer clients is driven, in part, by our ability to grow our network of healthcare services clients and available population of patients to engage, our ability to achieve adequate patient opt-in rates, the number of newly approved drugs and the success of newly launched drugs, each of which is impacted by factors outside of our control. If there is a reduction in newly approved drugs, or newly launched drugs are not successful, this could negatively affect the ability of our life sciences clients to deliver relevant messages to patients who would have otherwise been candidates to receive such drugs, and accordingly may reduce patient opt-in rates. A reduction in the available population of patients to engage or a decline in patient opt-in rates or a lack of relevant content could lead to a decrease in our Network solutions revenue, which could harm our business, financial condition and results of operations.
If our existing clients are not satisfied with our services, it could have a material adverse effect on our business, financial condition, results of operations and reputation.




25


We depend on our existing clients’ satisfaction with our products and services. We expect to derive a significant portion of our revenue from renewal of existing clients’ contracts and sales of additional applications and services to existing clients. As part of our growth strategy, we have recently focused on expanding our services amongst current clients. As a result, achieving a high client retention rate, expanding within clients and selling additional applications and services are critical to our future business, revenue growth and results of operations. We also believe that maintaining and enhancing our reputation and brand recognition is critical to our relationships with existing clients and the patients that they serve and to our ability to attract new clients. The promotion of our brand may require us to make substantial investments, and we anticipate that, as our market becomes increasingly competitive, these marketing initiatives may become increasingly difficult and expensive. In addition, the loss or dissatisfaction of any client could substantially harm our brand and reputation, inhibit widespread adoption of our solutions and impair our ability to attract new clients.
Factors that may affect our client satisfaction and our ability to sell additional applications and services include, but are not limited to, the following:
the price, performance and functionality of our solutions;
patient acceptance and adoption of services and utilization of our payment processing tools;
the availability, price, performance and functionality of competing solutions;
our ability to develop and sell complimentary applications and services;
the stability, performance and security of our hosting infrastructure and hosting services;
changes in healthcare laws, regulations or trends;
the business environment of our clients including healthcare staffing shortages and headcount reductions by our clients; and
our ability to maintain and enhance our reputation and brand recognition.
We typically enter into annual contracts with our clients, which have a stated initial term of one year and automatically renew for one-year subsequent terms. Most of our clients have no obligation to renew their subscriptions for our solutions after the initial term expires. In addition, our clients may negotiate terms less advantageous to us upon renewal, which may reduce our revenue from these clients and may decrease our annual revenue. If our clients fail to renew their contracts, renew their contracts upon less favorable terms or at lower fee levels or fail to purchase new products and services from us, our revenue may decline or our future revenue growth may be constrained. Should any of our clients terminate their relationship with us after implementation has begun, we would not only lose our time, effort and resources invested in that implementation, but we would also have lost the opportunity to leverage those resources to build a relationship with other clients over that same period of time.

The estimates and assumptions we use to determine the size of our target market may prove to be inaccurate, and even if the markets in which we compete meet our size estimates and forecasted growth, our business may not grow at similar rates, or at all.
Market estimates and growth forecasts that we disclose are subject to significant uncertainty and are based on assumptions and estimates that may not prove to be accurate. The estimates and forecasts relating to the size and expected growth of the market for our services may prove to be inaccurate. These estimates and forecasts may be impacted by economic uncertainty that is outside our control, including international conflicts that may impact international trade and global economic performance and other macroeconomic trends, such as international and domestic supply chain risks, inflationary pressure, interest rate increases and declines in consumer confidence that impact our customers.
The principal assumptions relating to our market opportunity include the number of healthcare services organizations currently taking appointments, the amount of annual out of pocket consumer spend for healthcare-related services, and the amount of annual spend by life sciences and payer companies on direct communications with patients at the point of care. Our market opportunity is also based on the assumption that the strategic approach that Phreesia enables for our potential clients will be more attractive in creating efficiencies in patient care than competing solutions.
If these assumptions prove inaccurate, our business, financial condition and results of operations could be adversely affected.

If we cannot implement our solutions for clients or resolve any technical issues in a timely manner, we may incur costs in the form of service credits or other remedial steps and/or lose clients, and our reputation may be harmed.




26


Our clients utilize a variety of data formats, applications and infrastructure and we must support our clients’ data formats. Furthermore, the healthcare industry has shifted towards digitalized record keeping, and accordingly, many of our healthcare services clients have developed their own software, or utilize third-party software, for practice management and secure storage of electronic medical records. Our ability to develop and maintain logic-based and scalable technology for patient intake management and engagement and payment processing that successfully integrates with our clients’ software systems for practice management and storage of electronic medical records is critical. If we do not currently support a client’s required data format or appropriately integrate with clients’ systems, then we must configure our solutions to do so, which could increase our expenses. Additionally, we do not control our clients’ implementation schedules. As a result, if our clients do not allocate the internal resources necessary to meet their implementation responsibilities or if we face unanticipated implementation difficulties, the implementation may be delayed. If the client implementation process is not executed successfully or if execution is delayed, we could incur significant costs, clients could become dissatisfied and decide not to increase utilization of our services or not to implement our solutions beyond an initial period prior to their term commitment or, in some cases, revenue recognition could be delayed. In addition, competitors with more efficient operating models with lower implementation costs could jeopardize our client relationships.
Our clients and patients depend on our support services to resolve any technical issues relating to our solutions and our services, and we may be unable to respond quickly enough to accommodate short-term increases in demand for support services, particularly as we increase the size of our client bases (including healthcare services clients and the number of patients that they serve). We also may be unable to modify the format of our support services to compete with changes in support services provided by competitors. It is difficult to predict client and patient demand for technical support services, and if client or patient demand increases significantly, we may be unable to provide satisfactory support services to our clients. Further, if we are unable to address the needs of our clients and their patients in a timely fashion or further develop and enhance our solutions, or if a client or patient is not satisfied with the quality of work performed by us or with the technical support services rendered, then we could incur additional costs to address the situation or be required to issue credits or refunds for amounts related to unused services, and our profitability may be impaired and clients’ or patients’ dissatisfaction with our solutions could damage our ability to expand the number of applications and services purchased by such clients. These clients may not renew their contracts, seek to terminate their relationships with us or renew on less favorable terms. Moreover, negative publicity related to our client and patient relationships, or regarding patient confidentiality and privacy in the context of technology-enabled healthcare, regardless of its accuracy, may further damage our business by affecting our reputation or ability to compete for new business with current and prospective clients. If any of these were to occur, our revenue may decline and our business, financial condition and results of operations could be adversely affected.

We historically derive a significant portion of our revenues from our largest clients.
Historically, we have relied on a limited number of clients for a substantial portion of our total revenue and accounts receivable. The sudden loss of any of our larger clients, or the renegotiation of any of their contracts on less favorable terms, could adversely affect our operating results. Because we rely on a limited number of clients for a significant portion of our revenues, we depend on the creditworthiness of these clients. If the financial condition of our larger clients declines, our credit risk could increase. Should one or more of our significant clients declare bankruptcy, it could adversely affect the collectability of our accounts receivable and affect our bad debt reserves and net income.

Consolidation in the healthcare industry could have a material adverse effect on our business, financial condition and results of operations.
Many healthcare industry participants are consolidating to create larger and more integrated healthcare delivery systems with greater market power. We expect regulatory and economic conditions to result in additional consolidation in the healthcare industry in the future. As consolidation accelerates, the economies of scale of our clients’ organizations may grow. If a client experiences sizable growth following consolidation, it may determine that it no longer needs to rely on us and may reduce its demand for our products and services. In addition, as healthcare services organizations and life sciences companies consolidate to create larger and more integrated healthcare delivery systems with greater market power, these healthcare services organizations may try to use their market power to negotiate fee reductions for our products and services. Finally, consolidation may also result in the acquisition or future development by our healthcare services clients and life sciences clients of products and services that compete with our products and services. Any of these potential results of consolidation could have a material adverse effect on our business, financial condition and results of operations.





27


We depend on our senior management team and certain key employees, and the loss of one or more of our executive officers or key employees or an inability to attract and retain highly skilled employees could adversely affect our business.
Our success depends, in part, on the skills, working relationships and continued services of our founders, Chaim Indig (Chief Executive Officer) and Evan Roberts (Chief Operating Officer), and senior management team and other key personnel. From time to time, there may be changes in our senior management team resulting from the hiring or departure of executives, which could disrupt our business. In addition, our shift to a remote work environment could make it increasingly difficult to manage our business and adequately oversee our employees and business functions, potentially resulting in harm to our company culture, increased employee attrition, and the loss of key personnel.
In addition, we must attract, train and retain a significant number of highly skilled employees, including sales and marketing personnel, client support personnel, professional services personnel, software engineers, technical personnel and management personnel, and the availability of such personnel, in particular software engineers, may be constrained. We also believe that our future growth will depend on the continued development of our direct sales force and its ability to obtain new clients and to manage our existing client base. If we are unable to hire and develop sufficient numbers of productive direct sales personnel or if new direct sales personnel are unable to achieve desired productivity levels in a reasonable period of time, sales of our services will suffer and our growth will be impeded.
Competition for qualified management and employees in our industry is intense, and identifying and recruiting qualified personnel and training them requires significant time, expense and attention. Many of the companies with which we compete for personnel have greater financial and other resources than we do. While we have entered into offer letters or employment agreements with certain of our executive officers, all of our employees are “at-will” employees, and their employment can be terminated by us or them at any time, for any reason and without notice, subject, in certain cases, to severance payment rights. The departure and replacement of one or more of our executive officers or other key employees would likely involve significant time and costs, may significantly delay or prevent the achievement of our business objectives and could materially harm our business. In addition, volatility or lack of performance in our stock price may affect our ability to attract replacement should key personnel depart.

We have made, and may in the future make, acquisitions and investments which may be difficult to integrate, divert management resources, result in unanticipated costs or dilute our stockholders.
We have in the past acquired, and we may continue to acquire or invest in, businesses, products or technologies that we believe could complement or expand our products and services, enhance our market coverage or technical capabilities or otherwise offer growth opportunities. This may include acquiring or investing in companies, businesses, products or technologies that are tangential to our current business and/or in which we have limited or no prior operating experience.
There are inherent risks in integrating and managing acquisitions, and the pursuit of potential acquisitions may divert the attention of management and cause us to incur various expenses related to identifying, investigating and pursuing suitable acquisitions, whether or not they are consummated. We cannot assure you that we will realize the anticipated benefits of these or any future acquisitions. We also may not achieve the anticipated benefits from the acquired business due to a number of factors, including, without limitation:
difficulty integrating the purchased operations, products or technologies and maintaining the quality and security standards consistent with our brand;
the need to integrate or implement additional controls, procedures and policies;
unanticipated costs or liabilities associated with the acquisition;
our inability to comply with the regulatory requirements applicable to the acquired business;
assimilation of the acquired businesses, which may divert significant management attention and financial resources from our other operations and could disrupt our ongoing business;
use of substantial portions of our available cash or entail the issuance of our equity securities or the incurrence of debt to consummate the acquisition;
the loss of key employees, particularly those of the acquired operations;
difficulty retaining or developing the acquired business’ customers;
adverse effects on our existing business relationships;
failure to realize the potential cost savings or other financial benefits or the strategic benefits of the acquisitions, including failure to consummate any proposed or contemplated transaction; and
liabilities from the acquired businesses for infringement of intellectual property rights or other claims and failure to obtain indemnification for such liabilities or claims.




28


Acquisitions also increase the risk of unforeseen legal liability, including for potential violations of applicable law or industry rules and regulations, arising from prior or ongoing acts or omissions by the acquired businesses which are not discovered by due diligence during the acquisition process. Acquisitions could also result in dilutive issuances of equity securities or the incurrence of debt, which could adversely affect our business, results of operations or financial condition. Even if we are successful in completing and integrating an acquired business, it may not perform as we expect or enhance the value of our business as a whole.
Certain of our operating results and financial metrics, including the key metrics included in this report, may be difficult to predict as a result of seasonality.
We believe there are significant seasonal factors that may cause us to record higher revenue in some quarters compared with others. We believe this variability is largely due to our focus on the healthcare industry. For example, with respect to our healthcare services clients, we receive a disproportionate increase in payment processing revenue from such clients during the first two to three months of the calendar year relative to the other months of the year, which is driven, in part, by the resetting of patient deductibles at the beginning of each calendar year. Sales for our life sciences solutions are also seasonal, primarily due to the annual spending patterns of our clients. This portion of our sales is usually the highest in the fourth quarter of each calendar year. While we believe we have visibility into the seasonality of our business, our rapid growth rate over the last several years may have made seasonal fluctuations more difficult to detect. If our rate of growth slows over time, seasonal or cyclical variations in our operations may become more pronounced, and our business, results of operations and financial position may be adversely affected.

Our risk management policies and procedures may not be fully effective in mitigating our risk exposure in all market environments or against all types of risk.
We operate in a rapidly changing industry. Accordingly, our risk management policies and procedures may not be fully effective to identify, monitor and manage all risks our business encounters. If our policies and procedures are not fully effective or we are not successful in identifying and mitigating all risks to which we are or may be exposed, we may suffer uninsured liability, harm to our reputation or be subject to litigation or regulatory actions that could adversely affect our business, financial condition or results of operations.

Our ability to limit our liabilities by contract or through insurance may be ineffective or insufficient to cover our future liabilities.
We attempt to limit, by contract, our liability for damages arising from our negligence, errors, mistakes or security breaches. Contractual limitations on liability, however, may not be enforceable or may otherwise not provide sufficient protection to us from liability for damages and we are not always able to negotiate meaningful limitations. We maintain liability insurance coverage, including coverage for cyber security and errors and omissions. It is possible, however, that claims could exceed the amount of our applicable insurance coverage, if any, or that this coverage may not continue to be available on acceptable terms or in sufficient amounts. Even if these claims do not result in liability to us, investigating and defending against them could be expensive and time-consuming and could divert management’s attention away from our operations. In addition, negative publicity caused by these events may delay market acceptance of our products and services, any of which could materially and adversely affect our reputation and our business.

We may become subject to litigation, which could have a material adverse effect on our business, financial condition and results of operations.
We may become subject to litigation in the future. Some of these claims may result in significant defense costs and potentially significant judgments against us, some of which we are not, or cannot be, insured against. We generally intend to defend ourselves vigorously; however, we cannot be certain of the ultimate outcomes of any claims that may arise in the future. Resolution of these types of matters against us may result in our having to pay significant fines, judgments or settlements, which, if uninsured, or if the fines, judgments and settlements exceed insured levels, could adversely impact our earnings and cash flows, thereby having a material adverse effect on our business, financial condition, results of operations, cash flow and per share trading price of our common stock. Certain litigation or the resolution of certain litigation may affect the availability or cost of some of our insurance coverage, which could adversely impact our results of operations and cash flows, expose us to increased risks that would be uninsured and adversely impact our ability to attract directors and officers.

Our operations in India will subject us to additional risks which could have an adverse effect on our business, operating results, and financial condition.




29


We have created a subsidiary in India to perform a number of functions currently performed by outside contractors. We expect to hire a significant number of employees from our outside contractor in India to bring these services in-house. While we believe our planned Indian operations will be advantageous to our business, they may also create risks that we must effectively manage. The continued management of our Indian operations will require significant management attention and financial resources that could adversely affect our operating performance. Wages in India are increasing at a faster rate than those in many countries, including the United States. In addition, with the significant increase in the numbers of foreign businesses that have established operations in India, the competition to attract and retain employees there has increased significantly. As a result, we may be unable to cost-effectively retain our current employee base in India or hire additional new talent. In addition, India has experienced significant inflation, low growth in gross domestic product and shortages of foreign exchange. India also has experienced civil unrest and terrorism and, in the past, has been involved in conflicts with neighboring countries. The occurrence of any of these circumstances could result in disruptions to our India operations, which, if continued for an extended period of time, could have a material adverse effect on our business. Further, conducting business abroad may subject us to increased legal and regulatory compliance and oversight. A failure to comply with applicable laws and regulations could result in regulatory enforcement actions, as well as substantial civil and criminal penalties assessed against us and our employees.
Our operating expenses incurred outside the United States and denominated in foreign currencies will increase as we expand our operations in India. Transactions denominated in foreign currencies are subject to fluctuations due to changes in foreign currency exchange rates. If we are not able to successfully hedge against the risks associated with foreign currency fluctuations, our financial condition and operating results could be adversely affected.

Risks relating to our payments business

If our payments platform is limited, restricted, curtailed or degraded in any way, or if we fail to continue to grow and develop our payments platform, our business may be materially and adversely affected.
Our payments platform is a core element of our business. For the fiscal year ended January 31, 2024, our payments platform generated 27% of our total revenue. Our future success depends in part on the continued growth and development of our payments platform. If such activities are limited, restricted, curtailed or degraded in any way, or if we fail to continue to grow and develop our payments platform, our business may be materially and adversely affected. The utilization of our payment processing tools may be impacted by factors outside of our control, such as disruptions in the payment processing industry generally. If the number of patients utilizing our payments platform, or the aggregate amounts paid by such patients directly to our healthcare services clients through our payments platform, were to be reduced as a result of disruptions in the payment processing industry or other factors, it could result in a decrease to our revenue, which could harm our business, financial condition and results of operations. In addition, some potential or existing clients may not desire to use our payment processing services or to switch from their existing payment processing vendors for a variety of reasons, such as transition costs, business disruption, and loss of accustomed functionality. There can be no assurance that our efforts to overcome these factors will be successful, and this resistance may adversely affect our growth.
The attractiveness of our payment processing services may also depend on our ability to integrate emerging payment technologies, including crypto-currencies, other emerging or alternative payment methods, and credit card systems that we or our processing partners may not adequately support or for which we or they do not provide adequate processing rates. In the event such methods become popular among consumers, any failure to timely integrate emerging payment methods (such as ApplePay) into our software, anticipate client behavior changes, or contract with payment processing partners that support such emerging payment technologies could reduce the attractiveness of our payment processing services, potentially resulting in a corresponding loss of revenue.

Increases in card network fees and other changes to fee arrangements may result in the loss of clients who use our payment processing services or a reduction in our earnings.
From time to time, card networks, including Visa, MasterCard, American Express and Discover, increase the fees that they charge acquirers, which would be passed down to processors, payment facilitators and merchants. We could attempt to pass these increases along to our clients, but this strategy might result in the loss of clients to competitors who do not pass along the increases. If competitive practices prevent us from passing along the higher fees to our clients in the future, we may have to absorb all or a portion of such increases, which may increase our operating costs and reduce our earnings.

If we fail to comply with the applicable requirements of card networks, they could seek to fine us, suspend




30


us or terminate our payment facilitator status. If our clients or sales partners incur fines or penalties that we cannot collect from them, we may have to bear the cost of such fines or penalties.
We provide a payments solution for the secure processing of patient payments. Our payment processing tools can connect to multiple clearinghouses and can also connect directly with patients. We have developed partnerships with primary credit card processors in the United States to facilitate payment processing, and we are registered with Visa, MasterCard, American Express, Discover and other card networks as a service provider (payment facilitator or the equivalent) for acquiring member institutions. These card networks set the operating rules and standards with which we must comply. The termination of our status as a certified service provider, a decision by the card networks to disallow payment facilitators or bar us from serving as such, or any changes in network rules or standards, including interpretation and implementation of the operating rules or standards, that increase the cost of doing business or limit our ability to provide transaction processing services to our clients or partners, could adversely affect our business, financial condition or results of operations.
We and our clients are subject to card network rules that could subject us or our clients to a variety of fines or penalties that may be levied by card networks for certain acts or omissions by us or our clients. If a client or sales partner fails to comply with the applicable requirements of card networks, we could be subject to a variety of fines or penalties that may be levied by card networks. We may have to bear the cost of such fines or penalties if we cannot collect them from the applicable client or sales partner, resulting in lower earnings or losses for us. Our violation of the network rules may result in the termination or suspension of our registration with the affected network. The termination of our registration, including a card network barring us from acting as a payment facilitator, or any changes in card network rules that would impair our registration, could require us to stop providing payment processing services relating to the affected card network, which would adversely affect our ability to conduct our business.
In addition, the rules of card networks are set by their boards, which may be influenced by card issuers. Many banks directly or indirectly sell processing services to clients in competition with us. These banks could attempt, by virtue of their influence on the networks, to alter the networks’ rules or policies to the detriment of non-members, including us.

Changes in laws and regulations relating to interchange fees on payment card transactions would adversely affect our revenue and results of operations.

We pay interchange fees to the card networks or the card issuers for each transaction we process. The card networks may increase, from time to time, the fees that they charge members or service providers. Although we may attempt to pass these increases along to our clients, this may result in the loss of clients to our competitors that do not pass along the increases. A provision of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the "Dodd-Frank Act") known as the Durbin Amendment empowered the Board of Governors of the Federal Reserve System, ("FRS"), to establish and regulate a cap on the interchange fees that issuers (e.g. banks) may charge or receive for electronic clearing of debit card transactions. The original regulations implementing the Durbin Amendment established standards for assessing whether debit card interchange fees received by debit card issuers were reasonable and proportional to the costs incurred by issuers for electronic debit transactions, and it established a maximum permissible interchange fee that an issuer may receive for an electronic debit transaction, limiting the fee revenue to debit card issuers and payment processors. In November 2023, the FRS proposed amendments to Regulation II that would, if adopted as proposed, significantly lower the maximum permissible interchange fee for such transactions, and such maximum would be reevaluated every two years. To the extent that HSA-linked payment cards and other exempt payment cards (or their issuing banks, such as those having assets of less than $10 billion) lose their exempt status under the current rules, or if any interchange rate caps applicable to the debit card, credit card or other payment cards are changed, any such amendment, rule-making, or legislation could impact interchange rates applicable to payment card transactions processed through our payments platform. As a result, this could decrease our revenue and profit and could have a material adverse effect on our financial condition and results of operations.

Risk relating to our data and intellectual property
If our intellectual property is not adequately protected, we may not be able to build name recognition, protect our technology and products, and our business may be adversely affected.
Our business depends on proprietary technology and content, including software, databases, confidential information and know-how, the protection of which is crucial to the success of our business. We rely on a combination of trademark, trade-secret and copyright laws, confidentiality procedures and contractual provisions to protect our intellectual property rights in our proprietary technology, content and brand. We may, over time, increase our investment in protecting our intellectual property through additional trademark, patent and other intellectual




31


property filings that could be expensive and time-consuming. Effective trademark, trade-secret and copyright protection is expensive to develop and maintain, both in terms of initial and ongoing registration requirements and the costs of defending our rights. These measures, however, may not be sufficient to offer us meaningful protection. If we are unable to protect our intellectual property and other proprietary rights, our brand, competitive position and business could be harmed, as third parties may be able to dilute our brand or commercialize and use technologies and software products that are substantially the same as ours without incurring the development and licensing costs that we have incurred. Any of our owned or licensed intellectual property rights could be challenged, invalidated, circumvented, infringed or misappropriated, our trade secrets and other confidential information could be disclosed in an unauthorized manner to third parties, or our intellectual property rights may not be sufficient to permit us to take advantage of current market trends or otherwise provide us with competitive advantages, which could result in costly redesign efforts, discontinuance of certain offerings or other competitive harm.
Monitoring unauthorized use of our intellectual property is difficult and costly. From time to time, we seek to analyze our competitors’ products and services, and may in the future seek to enforce our rights against potential infringement. However, the steps we have taken to protect our proprietary rights may not be adequate to prevent infringement or misappropriation of our intellectual property. We may not be able to detect unauthorized use of, or take appropriate steps to enforce, our intellectual property rights. Any inability to meaningfully protect our intellectual property rights could result in harm to our brand or our ability to compete and reduce demand for our technology and products. Moreover, our failure to develop and properly manage new intellectual property could adversely affect our market positions and business opportunities. Also, some of our products and services rely on technologies and software developed by or licensed from third parties. Any disruption or disturbance in such third-party products or services, which we have experienced in the past, could interrupt the operation of our solutions. We may not be able to maintain our relationships with such third parties or enter into similar relationships in the future on reasonable terms or at all.
We may also be required to protect our proprietary technology and content in an increasing number of jurisdictions, a process that is expensive and may not be successful, or which we may not pursue in every location. In addition, effective intellectual property protection may not be available to us in every country, and the laws of some foreign countries may not be as protective of intellectual property rights as those in the United States. Additional uncertainty may result from changes to intellectual property legislation enacted in the United States and elsewhere, and from interpretations of intellectual property laws by applicable courts and agencies. Accordingly, despite our efforts, we may be unable to obtain and maintain the intellectual property rights necessary to provide us with a competitive advantage. Our failure to obtain, maintain and enforce our intellectual property rights could therefore have a material adverse effect on our business, financial condition and results of operations.

Our use of “open source” software could adversely affect our ability to offer our services and subject us to possible litigation.
We may use open source software in connection with our products and services. Companies that incorporate open source software into their products have, from time to time, faced claims challenging the use of open source software and/or compliance with open source license terms. As a result, we could be subject to suits by parties claiming ownership of what we believe to be open source software or claiming noncompliance with open source licensing terms. Some open source software licenses require users who distribute software containing open source software to publicly disclose all or part of the source code to such software and/or make available any derivative works of the open source code, which could include valuable proprietary code of the user, on unfavorable terms or at no cost. While we monitor the use of open source software and try to ensure that none is used in a manner that would require us to disclose our proprietary source code or that would otherwise breach the terms of an open source agreement, such use could inadvertently occur, in part because open source license terms are often ambiguous. Any requirement to disclose our proprietary source code or pay damages for breach of contract could have a material adverse effect on our business, financial condition and results of operations and could help our competitors develop products and services that are similar to or better than ours.

Any restrictions on our use of, or ability to license, data, or our failure to license data and integrate third-party technologies, could have a material adverse effect on our business, financial condition and results of operations.
We depend upon licenses from third parties for some of the technology and data used in our applications, and for some of the technology platforms upon which these applications are built and operate. We expect that we may need to obtain additional licenses from third parties in the future in connection with the development of our products and services. In addition, we obtain a portion of the data that we use from government entities, public records and our partners for specific partner engagements. We believe that we have all rights necessary to use the data that is




32


incorporated into our products and services. However, we cannot assure you that our licenses for information will allow us to use that information for all potential or contemplated applications and products. In addition, our ability to use data to support existing products and services and to develop new products and services is largely dependent upon the contractual rights we secure. For example, certain of our products depend on maintaining our data and analytics platform, which is populated with data disclosed to us by healthcare services clients, life sciences companies and their respective patients and other partners with their consent. If these clients, patients or partners revoke their consent for us to maintain, use, de-identify and share this data, consistent with applicable law, our data assets could be degraded.
In the future, data providers could withdraw their data from us or restrict our usage for any reason, including if there is a competitive reason to do so, if legislation is passed restricting the use of the data or if judicial interpretations are issued restricting use of the data that we currently use in our products and services. In addition, data providers could fail to adhere to our quality control standards in the future, causing us to incur additional expense to appropriately utilize the data. If a substantial number of data providers were to withdraw or restrict their data, or if they fail to adhere to our quality control standards, and if we are unable to identify and contract with suitable alternative data suppliers and integrate these data sources into our service offerings, our ability to provide products and services to our partners would be materially adversely impacted, which could have a material adverse effect on our business, financial condition and results of operations.
We also integrate into our proprietary applications and use third-party software to maintain and enhance, among other things, content generation and delivery, and to support our technology infrastructure. Some of this software is proprietary and some is open source software. Our use of third-party technologies and open source software exposes us to increased risks, including, but not limited to, risks associated with the integration of new technology into our solutions, the diversion of our resources from development of our own proprietary technology and our inability to generate revenue from licensed technology sufficient to offset associated acquisition and maintenance costs. These technologies may not be available to us in the future on commercially reasonable terms or at all and could be difficult to replace once integrated into our own proprietary applications. Most of these licenses can be renewed only by mutual consent and may be terminated if we breach the terms of the license and fail to cure the breach within a specified period of time. Our inability to obtain, maintain or comply with any of these licenses could delay development until equivalent technology can be identified, licensed and integrated, which would harm our business, financial condition and results of operations.
Most of our third-party licenses are non-exclusive and our competitors may obtain the right to use any of the technology covered by these licenses to compete directly with us. If our data suppliers choose to discontinue support of the licensed technology in the future, we might not be able to modify or adapt our own solutions.

Third parties may initiate legal proceedings alleging that we are infringing or otherwise violating their intellectual property rights, the outcome of which would be uncertain and could have a material adverse effect on our business, financial condition and results of operations.
Our commercial success depends on our ability to develop and commercialize our services and use our proprietary technology without infringing the intellectual property or proprietary rights of third parties. Intellectual property disputes can be costly to defend and may cause our business, operating results and financial condition to suffer. As the market for healthcare in the United States expands and more patents are issued, the risk increases that there may be patents issued to third parties that relate to our products and technology of which we are not aware or that we must challenge to continue our operations as currently contemplated. Whether merited or not, we may face allegations that we, our partners, our licensees or parties indemnified by us have infringed or otherwise violated the patents, trademarks, copyrights or other intellectual property rights of third parties. Such claims may be made by competitors seeking to obtain a competitive advantage or by other parties. Additionally, in recent years, individuals and groups have begun purchasing intellectual property assets for the purpose of making claims of infringement and attempting to extract settlements from companies like ours. We may also face allegations that our employees have misappropriated the intellectual property or proprietary rights of their former employers or other third parties. It may be necessary for us to initiate litigation to defend ourselves in order to determine the scope, enforceability and validity of third-party intellectual property or proprietary rights, or to establish our respective rights. Regardless of whether claims that we are infringing patents or other intellectual property rights have merit, such claims can be time-consuming, divert management’s attention and financial resources and can be costly to evaluate and defend. Results of any such litigation are difficult to predict and may require us to stop commercializing or using our products or technology, obtain licenses, modify our services and technology while we develop non-infringing substitutes or incur substantial damages, settlement costs or face a temporary or permanent injunction prohibiting us from marketing or providing the affected products and services. If we require a third-party license, it may not be




33


available on reasonable terms or at all, and we may have to pay substantial royalties, upfront fees or grant cross-licenses to intellectual property rights for our products and services. We may also have to redesign our products or services so they do not infringe third-party intellectual property rights, which may not be possible or may require substantial monetary expenditures and time, during which our technology and products may not be available for commercialization or use. Even if we have an agreement to indemnify us against such costs, the indemnifying party may be unable to uphold its contractual obligations. If we cannot or do not obtain a third-party license to the infringed technology, license the technology on reasonable terms or obtain similar technology from another source, our revenue and earnings could be adversely impacted.
From time to time, we may be subject to legal proceedings and claims in the ordinary course of business with respect to intellectual property. We are not currently subject to any claims from third parties asserting infringement of their intellectual property rights. Some third parties may be able to sustain the costs of complex litigation more effectively than we can because they have substantially greater resources. Even if resolved in our favor, litigation or other legal proceedings relating to intellectual property claims may cause us to incur significant expenses and could distract our technical and management personnel from their normal responsibilities. In addition, there could be public announcements of the results of hearings, motions or other interim proceedings or developments, and if securities analysts or investors perceive these results to be negative, it could have a material adverse effect on the price of our common stock. Moreover, any uncertainties resulting from the initiation and continuation of any legal proceedings could have a material adverse effect on our ability to raise the funds necessary to continue our operations. Assertions by third parties that we violate their intellectual property rights could therefore have a material adverse effect on our business, financial condition and results of operations.

Interruption or failure of our information technology and communications systems could impair our ability to effectively deliver our products and services, which could cause us to lose clients and harm our operating results.
Our business depends on the continuing operation of our technology infrastructure and systems. Proprietary software development is time-consuming, expensive and complex, and may involve unforeseen difficulties. We may encounter technical obstacles in enhancing our existing software and developing new software, and it is possible that we may discover additional problems that prevent our proprietary applications from operating properly. In addition, any damage to or failure of our existing systems could result in interruptions in our ability to deliver our products and services. Interruptions in our service could reduce our revenue and profits, and our reputation could be damaged if people believe our systems are unreliable.
Our systems and operations are vulnerable to damage or interruption from natural disasters or man-made problems, such as earthquakes, floods, fires, political unrest, acts of terrorism, armed conflict or war (such as the current Russian invasion of Ukraine and the conflict in the Middle East), power loss, break-ins, hardware or software failures, telecommunications failures, computer viruses or other attempts to harm our systems and similar events. Any unscheduled interruption in our service would result in an immediate loss of revenue. Frequent or persistent system failures that result in the unavailability of our solutions or slower response times could reduce our clients’ ability to access our solutions, impair our delivery of our products and services and harm the perception of our solutions as reliable, trustworthy and consistent. Our insurance policies provide only limited coverage for service interruptions and may not adequately compensate us for any losses that may occur due to any failures or interruptions in our systems.

If our services fail to provide accurate and timely information, or if our content or any other element of our service is associated with errors or malfunctions, we could have liability to clients or patients which could adversely affect our results of operations.
Our software, content and services are used to assist medical groups, health systems and payers with managing the patient intake process and to empower patients and healthcare organizations as they navigate the challenges of an evolving healthcare system. If our software, content or services fail to provide accurate and timely information or are associated with errors or malfunctions, then healthcare services clients or patients could assert claims against us that could result in substantial costs to us, harm our reputation in the industry and cause demand for our services to decline.
Our proprietary service is utilized in patient intake and engagement and to help healthcare services organizations better understand patients through medical histories, insurance benefits and socio-economic indicators. If our service fails to provide accurate and timely information, or if our content or any other element of our service is associated with errors or malfunctions, we could have liability to healthcare services clients or patients. We attempt to limit by contract our liability for damages and to require that our clients assume responsibility for medical care and




34


approve key system rules, protocols and data. Despite these precautions, the allocations of responsibility and limitations of liability set forth in our contracts may not be enforceable, may not be binding upon patients or may not otherwise protect us from liability for damages.
Our proprietary software may contain errors or failures that are not detected until after the software is introduced or updates and new versions are released. It is challenging for us to test our software for all potential problems because it is difficult to simulate the wide variety of computing environments or methodologies that our clients may deploy or rely upon. From time to time we have discovered defects or errors in our software, and such defects or errors can be expected to appear in the future. Defects and errors that are not timely detected and remedied could expose us to risk of liability to healthcare services clients and patients and cause delays in introduction of new services, result in increased costs and diversion of development resources, require design modifications or decrease market acceptance or client satisfaction with our services. If any of these risks occur, they could materially adversely affect our business, financial condition or results of operations.

We may be liable for use of incorrect or incomplete data we provide which could harm our business, financial condition and results of operations.

We collect, store and display data, including patient health information, for use by healthcare services clients in handling patient intake and engagement. Our clients, their patients, or third parties provide us with most of this data. If this data is incorrect or incomplete or if we make mistakes in the capture or input of this data, adverse consequences may occur and give rise to product liability and other claims against us. In addition, a court or government agency may take the position that our storage and display of health information exposes us to liability arising out of our intake, storage and display of erroneous health information. While we maintain insurance coverage, we cannot be certain that this coverage will prove to be adequate or will continue to be available on acceptable terms, if at all. Even unsuccessful claims could result in substantial costs and diversion of management resources. A claim brought against us that is uninsured or under-insured could harm our business, financial condition and results of operations.

Risks relating to laws and regulations applicable to our industry

We are subject to health care laws and data privacy and security laws and regulations governing our collection, use, disclosure, storage and transmission of personally identifiable information, including protected health information and payment card data, which may impose restrictions on us and our operations, require us to change our business practices and put in place additional compliance mechanisms, and subject us to fines, penalties, lawsuits, adverse publicity, reputational harm, loss of customer trust or government enforcement actions if we are unable to fully comply with such laws.
Numerous complex federal and state laws and regulations govern the collection, use, disclosure, storage and transmission of personally identifiable information, including protected health information. State laws may be even more restrictive and not preempted by HIPAA,(as defined below), and may be subject to varying interpretations by the courts and government agencies. These laws and regulations, including their interpretation by governmental agencies, are subject to frequent change and could have a negative impact on our business. Further, these varying interpretations could create complex compliance issues for us and our partners and potentially expose us to additional expense, liability, penalties, negatively impact our client relationships, and lead to adverse publicity, and all of these risks could adversely affect our business in the short and long term. In addition, contractual obligations and in the future, legislation may limit, forbid or regulate the use or transmission of health information outside of the United States or across other national borders. These developments, if adopted, could render our use of Canadian employees and other non-U.S. resources for work related to such data impracticable or substantially more expensive.
We are a “Business Associate” as defined under the federal Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") and their implementing regulations, collectively referred to as HIPAA. The U.S. Department of Health and Human Services, ("HHS"), Office for Civil Rights, may impose civil penalties on a Business Associate for a failure to comply with HIPAA requirements. The U.S. Department of Justice is responsible for criminal prosecutions under HIPAA. Penalties can vary significantly depending on a number of factors, such as whether the Business Associate’s failure to comply was due to willful neglect. State attorneys general also have the right to prosecute HIPAA violations committed against residents of their states. While HIPAA does not create a private right of action that would allow individuals to sue in civil court for HIPAA violations, its standards have been used as the basis for the duty of care in state civil suits, such as those for recklessness in misusing individuals’ health information. If we are subject to




35


investigation or litigation related to an alleged violation of HIPAA, then we may elect to resolve the matter through a settlement. Such settlement could require payment of a civil penalty or damages, corrective action and/or monitoring of our business by a third party.
The security measures that we and our third-party vendors and subcontractors have in place to ensure compliance with privacy and data protection laws are not guarantees that we and our subcontractors will not be the victims of cybersecurity attacks, acts of vandalism or theft, computer viruses, misplaced or lost data, malfeasance, programming and human errors or other similar events. Under the HITECH Act, as a Business Associate we may also be liable for privacy and security breaches and failures of our subcontractors. Even though we provide for appropriate protections through our agreements with our subcontractors, we still have limited control over their actions and practices. A breach of privacy or security of individually identifiable health information by a subcontractor may result in an enforcement action, including criminal and civil liability, against us. We are not able to predict the extent of the impact such incidents may have on our business. Our failure to comply may result in criminal and civil liability because the potential for enforcement action against Business Associates is now greater. Enforcement actions against us could be costly and could interrupt regular operations, which may adversely affect our business. While we have not received any notices of violation of the applicable privacy and data protection laws and believe we are in compliance with such laws, there can be no assurance that we will not receive such notices in the future.
Even when HIPAA does not apply, according to the Federal Trade Commission, or the FTC, failing to take appropriate steps to keep consumers’ personal information secure constitutes unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act, or the FTCA, 15 U.S.C. § 45(a). The FTC expects a company’s data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Individually identifiable health information is considered sensitive data that merits stronger safeguards. The FTC’s current guidance for appropriately securing consumers’ personal information is similar to what is required by the HIPAA security regulations, but this guidance may change in the future, resulting in increased complexity and the need to expend additional resources to ensure we are complying with the FTCA.
Other federal and state laws restrict the use and protect the privacy and security of personally identifiable information are, in many cases, are not preempted by HIPAA and may be subject to varying interpretations by the courts and government agencies. These varying interpretations can create complex compliance issues for us and our partners and potentially expose us to additional expense, adverse publicity and liability, any of which could adversely affect our business.
Federal and state consumer protection laws are increasingly being applied by the United States Federal Trade Commission and states’ attorneys general to regulate the collection, use, storage and disclosure of personal or personally identifiable information, through websites or otherwise, and to regulate the presentation of website content.

There is ongoing concern from privacy advocates, regulators and others regarding data privacy and security issues, and the number of jurisdictions with data privacy and security laws has been increasing. Also, there are ongoing public policy discussions regarding whether the standards for de-identification, anonymization or pseudonymization of health information are sufficient, and the risk of re-identification sufficiently small, to adequately protect patient privacy. We expect that there will continue to be new proposed and amended laws, regulations and industry standards concerning privacy, data protection and information security in the United States, such as the CCPA, as amended by the California Privacy Rights Act, or CPRA, which amendments went into effect on January 1, 2023, The CCPA creates specific obligations with respect to processing and storing personal information, and the CPRA amendments created a new state agency that is vested with authority to implement and enforce the CCPA. In addition to the CCPA, new privacy and data security laws have been enacted in numerous states and have been proposed in even more states as well as in the U.S. Congress. If passed, these new laws could impose similar or more restrictive requirements than these recently enacted laws.
Furthermore, other states have proposed or enacted legislation that is focused on more narrow aspects of privacy. For example, a number of states have passed laws that protect biometric information and a smaller number of states have passed or are considering laws that are specifically focused upon health privacy, such as Washington’s My Health My Data Act. The My Health, My Data Act imposes new state restrictions and requirements on the processing and sale of consumer health data and creates a private right of action. The effects of state and federal privacy laws are potentially significant and may require us to modify our data processing practices and policies and to incur substantial costs and potential liability in an effort to comply with such legislation.




36


We cannot yet determine the full impact these laws or other such future laws, regulations and standards may have on our current or future business. Any of these laws may broaden their scope in the future, and similar laws have been proposed on both a federal level and in various states in the U.S. Such proposed legislation, if enacted, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. The existence of comprehensive privacy laws in different states in the country, and the heightened scrutiny associated with the enforcement of such laws, could make our compliance obligations more complex and costly and may increase the likelihood that we may be subject to enforcement actions or otherwise incur liability for noncompliance.
We also expect that there will continue to be new or amended laws, regulations, standards and obligations proposed and enacted in various jurisdictions. Many countries around the world have enacted comprehensive privacy and data protection laws that can impact our business. For example, in May 2018, the General Data Protection Regulation, or GDPR, went into effect in the European Union, or EU. The GDPR imposes more stringent data protection requirements and requires businesses subject to it to give more detailed disclosures about how they collect, use, and share personal information; contractually commit to data protection measures in contracts; maintain adequate data security measures; notify regulators and affected individuals of certain data breaches; obtain consent to collect sensitive personal information such as health information or ensuring another appropriate legal basis or condition applies to the processing of personal information; meet extensive privacy governance and documentation requirements; and honor individuals’ data protection rights. The GDPR also imposes strict rules on the transfer of personal information to countries outside of the European Economic Area, or EEA to jurisdictions that the European Commission (EC) does not recognize as having “adequate” data protection laws. These transfers are prohibited unless a valid transfer mechanism is implemented, such as the Standard Contractual Clauses (SCCs) published by the EC, binding corporate rules or certification to the EU-U.S. Data Privacy Framework that the EC adopted on July 10, 2023. Evolving laws and decisions surrounding transfers of EU personal information have increased the legal risks and liabilities, and compliance and operational costs, of lawfully making such transfers. Companies that violate the GDPR can face private litigation, restrictions, or prohibitions on data processing, and fines of up to the greater of 20 million Euros or 4% of worldwide annual revenue.
In addition, further to the UK’s exit from the EU on January 31, 2020, the GDPR ceased to apply in the UK at the end of the transition period on December 31, 2020; however, the UK’s European Union (Withdrawal) Act 2018 incorporated the GDPR (as it existed on December 31, 2020 but subject to certain UK specific amendments) into UK law, referred to as the UK GDPR. The UK GDPR and the UK Data Protection Act 2018 set out the UK’s data protection regime, which is independent from but aligned to the EU’s data protection regime. Non-compliance with the UK GDPR may result in monetary penalties of up to £17.5 million or 4% of worldwide revenue, whichever is higher. Although the GDPR and the UK GDPR currently impose substantially similar obligations, it is possible that over time the UK GDPR could become less aligned with the GDPR. The UK government has announced plans to reform the data protection legal framework in the UK in its Data Reform Bill, which will introduce significant changes from the GDPR. This may lead to additional compliance costs and could increase our overall risk exposure as we may no longer be able to take a unified approach across the EEA and the UK. This lack of clarity on future UK laws and regulations and their interaction with EU laws and regulations could add legal risk, uncertainty, complexity and cost to our handling of EU personal information and our privacy and data security compliance programs and could require us to implement different compliance measures for the UK and the EU.
Although the UK is regarded as a third country under the EU’s GDPR, the European Commission (the “EC”), has now issued a decision recognizing the UK as providing adequate protection under the EU GDPR and, therefore, transfers of personal data originating in the EU to the UK remain unrestricted. Like the EU GDPR, the UK GDPR restricts personal data transfers outside the UK to countries not regarded by the UK as providing adequate protection. The UK government has confirmed that personal data transfers from the UK to the EEA remain free flowing. To enable the transfer of personal data outside of the EEA or the UK, adequate safeguards must be implemented in compliance with European and UK data protection laws, such as the Standard Contractual Clauses (SCCs) published by the European Commission, binding corporate rules or certification to the EU-U.S. Data Privacy Framework that the European Commission adopted on July 10, 2023. The UK is not subject to the EC’s SCCs but has published the UK International Data Transfer Agreement and International Data Transfer Addendum to the new standard contractual clauses (the “IDTA”), which enable transfers from the UK. For new transfers, the IDTA already needs to be in place, and must be in place for all existing transfers from the UK from March 21, 2024. Following a ruling from the Court of Justice of the EU, in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18 ("Schrems II"), companies relying on SCCs to govern transfers of personal data to third countries (in particular the United States) will need to assess whether the data importer can ensure sufficient guarantees for safeguarding the personal data under GDPR. This assessment includes assessing whether




37


third-party vendors can also ensure these guarantees. The same assessment is required for transfers governed by the IDTA. We will be required to implement these new safeguards when conducting restricted data transfers under the GDPR and doing so will require significant effort and cost.
Moreover, on September 21, 2023, the UK Government adopted the Data Protection (Adequacy) Regulations 2023, also referred to as the “UK-U.S. Data Bridge”, which will allow companies to transfer personal data from the UK to the United States on the basis of the EU-U.S. Data Privacy Framework.
Some of the businesses we have acquired are subject to additional laws and regulations in jurisdictions outside of the United States, including those in the EEA and UK, such as the GDPR and UK GDPR. Compliance with such laws and regulations requires resources and could be more costly and take more time than we anticipate and could involve new fines or penalties for non-compliance, all of which could adversely affect our business.
In addition to the GDPR and UK GDPR, the EU e-Privacy Directive (2002/58/EC) and the UK Privacy and Electronic Communications Regulations 2003 govern marketing messages we send to customers based in the EEA and UK.
We have operations in Canada, where our collection, use, disclosure, and management of personal information must comply with both federal and provincial privacy laws, which impose separate requirements, but may overlap in some instances. The Personal Information Protection and Electronic Documents Act ("PIPEDA") applies in all Canadian provinces except Alberta, British Columbia and Québec, as well as to the transfer of consumer data across provincial borders. PIPEDA imposes stringent consumer data protection obligations, requires privacy breach reporting, and limits the purposes for which organizations may collect, use, and disclose consumer data. The provinces of Alberta, British Columbia, and Québec have enacted separate data privacy laws that are substantially similar to PIPEDA, but all three additionally apply to our handling of our own employees’ personal data within their respective provinces. Notably, Québec’s Act respecting the protection of personal information in the private sector, or the Private Sector Act, was amended by Bill 64, an Act to modernize legislative provisions as regards the protection of personal information, which introduced major amendments to the Private Sector Act, notably, to impose significant and stringent new obligations on Québec businesses while increasing the powers of Quebec’s supervisory authority. We may incur additional costs and expenses related to compliance with these laws and may incur significant liability if we are not able to comply with these laws. We are also subject to Canada’s anti-spam legislation, or CASL, which includes rules governing commercial electronic messages, which include marketing emails, text messages, and social media advertisements. Under these rules, we must follow certain standards when sending marketing communications, are prohibited from sending them to customers without their consent, and can be held liable for violations.
Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply. Cross-border data transfers and other future developments regarding local data residency and access could increase the cost and complexity of delivering our services in some markets and may lead to governmental enforcement actions, litigation, fines, and penalties or adverse publicity, which could adversely affect our business and financial position could greatly increase our cost of providing our products and services, require significant changes to our operations or even prevent us from offering certain services in specific jurisdictions. In addition, any limitation on our ability to use or transmit health information outside of the U.S. could impose restrictions on our ability to recruit and maintain employees residing outside of the U.S., which could, in turn, adversely affect our business.
Future laws, regulations, standards, obligations amendments, and changes in the interpretation of existing laws, regulations, standards and obligations could impair our or our clients’ ability to collect, use or disclose information relating to consumers, which could decrease demand for our solutions, increase our costs and impair our ability to maintain and grow our client base and increase our revenue. New laws, amendments to or re-interpretations of existing laws and regulations, industry standards and contractual obligations could impair our or our customers’ ability to collect, use or disclose information relating to patients or consumers, which could decrease demand for our platform offerings, increase our costs and impair our ability to maintain and grow our client base and increase our revenue. Accordingly, we may find it necessary or desirable to fundamentally change our business activities and practices or to expend significant resources to modify our software and otherwise adapt to these changes.
We are also subject to self-regulatory standards and industry certifications that may legally or contractually apply to us. These include the Payment Card Industry Data Security Standards ("PCI-DSS") and AICPA Security Organization Control 2 ("SOC 2"), with which we are currently compliant, and HITRUST certification, which we currently maintain. In the event we fail to comply with the PCI-DSS or fail to maintain our SOC 2 or HITRUST certification, we could be in breach of our obligations under customer and other contracts, fines and other penalties could result, and we may suffer reputational harm and damage to our business. Further, our clients may expect us to comply with more stringent privacy, data storage and data security requirements than those imposed by laws,




38


regulations or self-regulatory requirements, and we may be obligated contractually to comply with additional or different standards relating to our handling or protection of data.
Any failure or perceived failure by us to comply with domestic or foreign laws or regulations, industry standards or other legal obligations, or any actual or suspected privacy or security incident, whether or not resulting in unauthorized access to, or acquisition, release or transfer of personally identifiable information or other data, may result in governmental enforcement actions and prosecutions, private litigation, fines and penalties or adverse publicity and could cause our clients to lose trust in us, which could have an adverse effect on our reputation and business. We may be unable to make such changes and modifications in a commercially reasonable manner or at all, and our ability to develop new products and features could be limited. Any of these developments could harm our business, financial condition and results of operations. Privacy and data security concerns, whether valid or not valid, may inhibit retention of services by existing clients or adoption of our services by new clients.

Existing laws regulate our ability to engage in direct marketing and changes in privacy laws could adversely affect our ability to market our products effectively and could impact our results from operations or result in costs and fines.
We rely on a variety of direct marketing techniques, including email marketing. These activities are regulated by legislation such as the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003. Any failure by us to comply fully with the CAN-SPAM Act may leave us subject to substantial fines and penalties. In addition, any future restrictions in laws such as the CAN-SPAM Act, and various United States state laws, or new federal laws regarding marketing and solicitation or international data protection laws that govern these activities could adversely affect the continuing effectiveness of our marketing efforts and could force changes in our marketing strategies. If this occurs, we may not be able to develop adequate alternative marketing strategies, which could have a material adverse impact on our results of operations.

Any failure by us to comply fully with website accessibility standards could result in us being subject to considerable fines and penalties.
We conduct business through various Internet websites and web-based applications that are subject to accessibility requirements. Courts have ruled that the Americans with Disabilities Act (ADA) applies to Internet websites and other digital experiences and litigation related to ADA website accessibility has soared in recent years. Failing to comply with those requirements could leave our Company subject to claims, litigation, lawsuits and, ultimately, substantial fines and penalties.

The healthcare regulatory and political framework is uncertain and evolving.
Healthcare laws and regulations are rapidly evolving and may change significantly in the future, which could adversely affect our financial condition and results of operations. For example, in 2010, the Patient Protection and Affordable Care Act ("ACA") was adopted, which is a healthcare reform measure that provides healthcare insurance for millions of Americans. The ACA includes a variety of healthcare reform provisions and requirements that became effective at varying times through 2018 and substantially changes the way healthcare is financed by both governmental and private insurers, which may significantly impact our industry and our business. Since its enactment, there have been numerous judicial, administrative, executive, and legislative challenges to certain aspects of the ACA. It is unclear how other healthcare reform measures of the Biden administration or other efforts, if any, to challenge, repeal or replace the ACA will impact our business.
Further, in 2020, the HHS, Office of the National Coordinator for Health Information Technology ("ONC") and CMS promulgated final rules aimed at supporting seamless and secure access, exchange, and use of electronic health information ("EHI"), referred to as the Final Rule, by increasing innovation and competition by giving patients and their healthcare service providers secure access to health information and new tools, allowing for more choice in care and treatment. The Final Rules is intended to clarify and operationalize provisions of the 21st Century Cures Act ("Cures Act"), regarding interoperability and “information blocking,” and create significant new requirements for health care industry participants. Information blocking is defined as activity that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI, where a health information technology developer, health information network or health information exchange knows or should know that such practice is likely to interfere with access to, exchange or use of EHI. In April 2023, the ONC issued a notice of proposed rulemaking that would modify certain components of the Final Rule, including modifying and expanding certain exceptions to the information blocking regulations, which are intended to support information sharing.




39


The Final Rule focuses on patients enrolled in Medicare Advantage plans, Medicaid and Children's Health Insurance Program ("CHIP") fee-for-service programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plans on the federally-facilitated exchanges, and enacts measures to enable patients to have both their clinical and administrative information travel with them.
Recent regulatory reform constitutes a significant departure from previous regulations regarding patient data. While these rules benefit us in that certain EHR vendors will no longer be permitted to interfere with our attempts at integration, they may also make it easier for other similar companies to enter the market, creating increased competition and reducing our market share. It is unclear at this time what the costs of compliance with the Final Rule will be, and what additional risks there may be to our business.
In addition, we are subject to various other laws and regulations, including, among others, anti-kickback laws, antitrust laws and the privacy and data protection laws described below.

We conduct business in a heavily regulated industry, and any failure to comply with applicable healthcare laws and government regulations, could result in financial penalties, exclusion from participation in government healthcare programs and adverse publicity, or could require us to make significant operational changes, any of which could harm our business.
Our current and future arrangements with healthcare professionals, principal investigators, consultants, customers and third-party payors subject us to various federal and state fraud and abuse laws and other healthcare laws, including, without limitation, the federal Anti-Kickback Statute, the federal civil and criminal false claims laws, HIPAA and regulations promulgated under such laws. These laws will impact, among other things, our clinical research, proposed sales, marketing and educational programs, and other interactions with healthcare professionals. For more information regarding the risks related to these laws and regulations please see “Business – Regulatory Matters – U.S. Federal and State Fraud and Abuse Laws.”
The scope and enforcement of each of these laws is uncertain and subject to rapid change in the current environment of healthcare reform. Federal and state enforcement bodies have recently increased their scrutiny of interactions between healthcare companies and healthcare providers, which has led to a number of investigations, prosecutions, convictions and settlements in the healthcare industry. Because of the breadth of these laws and the narrowness of their statutory or regulatory exceptions and safe harbors, some of our business activities may be subject to challenge under one or more of them.
Ensuring that our internal operations and future business arrangements with third parties comply with applicable healthcare laws and regulations will involve substantial costs. Achieving and sustaining compliance requires us to implement controls across our entire organization which may prove costly and challenging to monitor and enforce. The risk of our being found in violation of healthcare laws and regulations is increased by the fact that their provisions are sometimes complex and open to a variety of interpretations.
It is possible that governmental authorities will conclude that our business practices do not comply with current or future statutes, regulations, agency guidance or case law involving applicable fraud and abuse or other healthcare laws and regulations. If our operations are found to be in violation of any of the laws described above or any other governmental laws and regulations that may apply to us, we may be subject to significant penalties, including administrative, civil and criminal penalties, damages, fines, disgorgement, the exclusion from participation in federal and state healthcare programs, individual imprisonment, reputational harm, and the curtailment or restructuring of our operations, as well as additional reporting obligations and oversight if we become subject to a corporate integrity agreement or other agreement to resolve allegations of non-compliance with these laws. Likewise, if any of the physicians or other providers or entities with whom we expect to do business are found to not be in compliance with applicable laws, they may be subject to criminal, civil or administrative sanctions, including exclusions from government funded healthcare programs and imprisonment as well. Further, defending against any such actions can be costly and time consuming, and may require significant financial and personnel resources. Therefore, even if we are successful in defending against any such actions that may be brought against us, our business may be impaired. If any of the above occur, our ability to operate our business and our results of operations could be adversely affected.
The U.S. Food and Drug Administration may in the future determine that our technology solutions are subject to the Federal Food, Drug, and Cosmetic Act and we may face additional costs and risks as a result.
The FDA may promulgate a policy or regulation that affects our products and services. FDA regulations govern among other things, product development, testing, manufacture, packaging, labeling, storage, clearance or approval, advertising and promotion, sales and distribution and import and export for regulated drugs, biologics and devices. Non-compliance with applicable FDA requirements can result in, among other things, public warning




40


letters, fines, injunctions, civil penalties, recall or seizure of products, total or partial suspension of production, failure of the FDA to grant marketing approvals, withdrawal of marketing approvals, a recommendation by the FDA to disallow us from entering into government contracts and criminal prosecutions. The FDA also has the authority to request repair, replace or refund of the cost of any device.
Individuals may claim our calling or text messaging services are subject to, and are not compliant with the Telephone Consumer Protection Act or similar state laws.
Our clients may use our products to place various short message service, or SMS, text messages and calls to patients. The Telephone Consumer Protection Act ("TCPA") is a federal statute that protects consumers from unwanted telephone calls, faxes and text messages. There are a number of federal and state statutes and regulations that govern such telecommunications, the use of automatic telephone dialing systems (“ATDS”) or other automated systems to make such telecommunications, and the use of artificial voice or pre-recorded messages in certain telecommunications. These laws include the Telephone Consumer Protection Act (TCPA), Telemarketing Sales Rule (TSR), and various other state laws. The U.S. Federal Communications Commission (FCC), and the Federal Trade Commissions have responsibility for regulating various aspects of some of the TCPA, TSR and other federal laws. Among other requirements, the TCPA requires callers to obtain prior express written consent for certain telemarketing calls and to adhere to “do-not-call” registry requirements which, in part, mandate that callers maintain and regularly update lists of consumers who have chosen not to be called and restrict calls to consumers who are on the national do-not-call list. Florida, Oklahoma and other states also have mini-TCPA and other similar consumer protection laws regulating calls and texts directed to their residents. As currently construed, the TCPA does not distinguish between voice and data, and, as such, text and SMS/MMS messages are also “calls” for the purpose of TCPA (and, in some cases, state mini-TCPA) obligations and restrictions.
For violations of the TCPA, the law provides for a private right of action under which a plaintiff may recover monetary damages of $500 for each call or text made in violation of the prohibitions on certain calls made using an artificial or pre-recorded voice or an ATDS and certain calls made to numbers properly registered on the federal “do-not-call” list. A court may treble the $500 amount upon a finding of a willful or knowing violation. There is no statutory cap on maximum aggregate exposure (although some courts have applied in TCPA class actions constitutional limits on excessive penalties). An action may be brought by the FCC, a state attorney general, an individual, or a class of individuals. As with the TCPA, Florida’s mini-TCPA, for example, restricts certain calls and calls and texts made using an automated system to Florida residents without prior consent, allows a plaintiff to obtain $500 for each call or text made in violation of its prohibitions, and permits a court to treble the $500 amount for willful or knowing violations of the statute. The TCPA, TSR, mini-TCPA laws and other similar state laws are subject to interpretations that may change. We regularly evaluate how they may apply to our business. The FCC, FTC, a state attorney general or other regulator, or a court, however, may disagree with our interpretation of these laws and conclude that we are not in compliance and impose damages, civil penalties and other consequences upon us for noncompliance. Determination by a court or regulatory agency that our services did not comply also invalidate all or portions of some of our client contracts, could require us to change or terminate some portions of our business, could require us to refund portions of our services fees, and could have an adverse effect on our business. Further, we could be subject to putative class action lawsuits alleging violations of the TCPA, state mini-TCPA laws and other similar state laws. Our call and SMS texting services are potential sources of risk for class action lawsuits and liability for our Company. Numerous class-action suits under federal and state laws have been filed in recent years against companies who conduct call and SMS texting programs, with many resulting in multi-million-dollar settlements to the plaintiffs. Even an unsuccessful challenge by consumers or regulatory authorities of our activities could result in adverse publicity and could require a costly response from us. If in the future we are found to have violated such laws in a class action, the amount of damages and potential liability could be extensive and adversely impact our business. Accordingly, were such a class certified or if we are unable to successfully defend such a suit, then the damages could have a material adverse effect on our results of operations and financial condition.
Artificial intelligence presents risks and challenges that can impact our business including by posing security risks to our confidential information, proprietary information, and personal data.
Issues in the development and use of artificial intelligence, combined with an uncertain regulatory environment, may result in reputational harm, liability, or other adverse consequences to our business operations. As with many technological innovations, artificial intelligence presents risks and challenges that could impact our business. We may adopt and integrate generative artificial intelligence tools into our systems for specific use cases reviewed by legal and information security. Our vendors may incorporate generative artificial intelligence tools into their offerings without disclosing this use to us, and the providers of these generative artificial intelligence tools may not meet existing or rapidly evolving regulatory or industry standards with respect to privacy and data protection and may




41


inhibit our or our vendors’ ability to maintain an adequate level of service and experience. If we, our vendors, or our third-party partners experience an actual or perceived breach or privacy or security incident because of the use of generative artificial intelligence, we may lose valuable intellectual property and confidential information and our reputation and the public perception of the effectiveness of our security measures could be harmed. Further, bad actors around the world use increasingly sophisticated methods, including the use of artificial intelligence, to engage in illegal activities involving the theft and misuse of personal information, confidential information, and intellectual property. Any of these outcomes could damage our reputation, result in the loss of valuable property and information, and adversely impact our business.

Our employees in Canada are subject to the laws and regulations of the government of Canada and its subdivisions.
Certain of our employees are based in Canada and are subject to additional laws and regulations by the government of Canada, as well as its provinces. These include Canadian federal and local corporation requirements, restrictions on exchange of funds, employment-related laws and qualification for tax status. If we fail to comply with Canadian laws and regulations, or if the government of Canada or its provinces determines that our corporate actions do not comply with applicable Canadian law, we could face sanctions or fines, which could have a material adverse effect on our business.

Due to the particular nature of certain services we provide or the manner in which we provide them, we may be subject to additional government regulation and foreign government regulation.

While our solutions are primarily subject to government regulations pertaining to healthcare, certain aspects of our solutions may require us to comply with regulatory schema from other areas. Examples of such regulatory schema include:

Foreign Corrupt Practices Act ("FCPA") and foreign anti-bribery laws. The FCPA makes it illegal for U.S. persons, including U.S. companies, and their subsidiaries, directors, officers, employees, and agents, to promise, authorize or make any corrupt payment, or otherwise provide anything of value, directly or indirectly, to any foreign official, any foreign political party or party official, or candidate for foreign political office to obtain or retain business. Violations of the FCPA can also result in violations of other U.S. laws, including anti-money laundering, mail and wire fraud, and conspiracy laws. There are severe penalties for violating the FCPA. The Company may also be subject to other non-U.S. anti-corruption or anti-bribery laws, such as the U.K. Bribery Act 2010. In many foreign countries, particularly in those with developing economies, it may be common to engage in business practices that are prohibited by laws and regulations applicable to us, such as the FCPA and other anti-bribery laws. Any violations of the FCPA or local anti-corruption laws by us, our subsidiaries or our local agents in India or elsewhere could have a material adverse effect on our business, financial condition, results of operations, and prospects, as well as our reputation, and result in substantial financial penalties or other sanctions.
Economic sanctions and export controls. Economic and trade sanctions programs that are administered by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) prohibit or restrict transactions to or from, and dealings with specified countries and territories, their governments, and in certain circumstances, with individuals and entities that are located in or nationals of those countries, and other sanctioned persons, including specially designated nationals, narcotics traffickers and terrorists or terrorist organizations. As federal, state and foreign legislative regulatory scrutiny and enforcement actions in these areas increase, we expect our costs to comply with these requirements will increase as well. Failure to comply with any of these requirements could result in the limitation, suspension or termination of our services, imposition of significant civil and criminal penalties, including fines, and/or the seizure and/or forfeiture of our assets.
Further, our solutions incorporate encryption technology. The U.S. Export Administration Regulations require authorization for the export of certain encryption items, including by a license, a license exception or other appropriate government authorizations. Such solutions may also be subject to certain regulatory reporting requirements. While we believe our products meet certain exceptions that reduce the scope of export control restrictions applicable to such products, these exceptions may be determined not to apply to our products and our products and underlying technology may become subject to export control restrictions.
In addition, our establishment of a subsidiary in India and our plans to bring outside services in-house through that entity could increase our risk of violations of such laws and regulations in the future. Despite our policies, procedures and compliance programs, our internal controls and compliance systems may not




42


be able to protect us from prohibited acts willfully committed by our employees, agents or business partners that would violate such applicable laws and regulations.


Risks relating to our dependence on third parties

We rely on our third-party contractors, vendors and partners, including some outside of the United States, to execute our business strategy. Replacing them could be difficult and disruptive to our business. If we are unsuccessful in forming or maintaining such relationships on terms favorable to us, our business may not succeed.
We have entered into contracts with third-party contractors and vendors to provide critical services relating to our business, including initial software development and cloud hosting. We also rely on third-party providers to enable automated eligibility and benefits verification through our solutions, and we outsource certain of our software development and design, quality assurance and operations activities to third-party contractors that have employees and consultants in international locations that may be subject to political and economic instability, including India and Ukraine.
Our dependence on third-party contractors to support key functions of our business creates numerous risks, in particular, the risk that we may not maintain service quality, control or effective management with respect to these operations. In the event that these service providers fail to maintain adequate levels of support, do not provide high quality service, increase the fees they charge us, discontinue their lines of business, terminate our contractual arrangements or cease or reduce operations, we may suffer additional costs and be required to pursue new third-party relationships, which could materially disrupt our operations and our ability to provide our products and services, and could divert management’s time and resources. Our reputation and our customers’ willingness to purchase our products and partners’ willingness to use our products depend, in part, on our third-party contractors’ compliance with ethical employment practices, such as with respect to child labor, wages and benefits, forced labor, discrimination, safe and healthy working conditions, and with all legal and regulatory requirements relating to the conduct of their businesses. If our third-party contractors fail to comply with applicable laws, regulations, safety codes, employment practices, human rights standards, quality standards, environmental standards, production practices, or other obligations, norms, or ethical standards, our reputation and brand image could be harmed and we could be exposed to litigation and additional costs that would harm our business, reputation, and results of operations.
These third-party contractors, some of which handle sensitive data on our behalf, could be non-compliant with regulatory requirements or our contractual provisions regarding the handling of sensitive data, despite our best efforts to monitor their compliance and mitigate risks in our contractual cost-shifting provisions. Even if these third parties are compliant, they still could be the victims of sophisticated cyberattacks or other unforeseeable events.The ability of our third-party contractors to effectively satisfy our business requirements could be impacted by financial difficulty of our third-party contractors or damage to their operations caused by fire, terrorist attack, natural disaster, or other events. It would be difficult to replace some of our third-party contractors and third-party vendors in a timely manner if they were unwilling or unable to provide us with these services in the future, and our business and operations could be adversely affected. If these services fail or are of poor quality, our business, reputation and operating results could be harmed. For example, the continued Russian invasion of Ukraine has, and may continue to, impact macroeconomic conditions, give rise to regional instability, increase the threat of cyberwarfare and result in heightened economic sanctions from the U.S. and the international community in a manner that adversely affects us and our third-party contractors that have employees and consultants located in Ukraine. Further, although the length and impact of the continuing conflict are highly unpredictable, individuals located in these areas have been and could continue to be forced to evacuate or voluntarily choose to relocate, making them unavailable to provide services, such as software engineering, to support our business. It could also disrupt or delay our communications with such resources or the flow of funds to support their operations, or otherwise render some of our resources unavailable. While we have risk mitigation efforts in place, the realization of any of these risks could adversely affect our product development, operations, business and/or financial results and may require us to shift some of our development activities to other jurisdictions and/or third-party contractors, which may result in significant disruption, including delays in releases of new versions or updates of our software and incurrence of additional costs. We anticipate that we will continue to depend on these and other third-party relationships in order to grow our business for the foreseeable future. If we are unsuccessful in maintaining existing and, if needed, establishing new relationships with third parties, our ability to efficiently operate existing services or develop new services could be impaired, and, as a result, our competitive position or our results of operations could suffer.




43


We also depend on our third-party processing partners to perform payment processing services, which generate almost all of our payments revenue. Our processing partners may go out of business or otherwise be unable or unwilling to continue providing such services, which could significantly and materially reduce our payments revenue and disrupt our business. A number of our processing contracts require us to assume liability for any losses our processing partners may suffer as a result of losses caused by our healthcare services clients and their patients, including losses caused by chargebacks and fraud. Thus, in the event of a significant loss by our processing partners, we may be required to pay-out a large amount of cash in one or two business days following such event and, if we do not have sufficient cash on hand, may be deemed in breach of such contracts. A contractual dispute with our processing partners could adversely impact our revenue. Certain contracts may expire or be terminated, and we may not be able to enter into a new payment processor relationship that replicates the associated revenue for a considerable period of time.
In addition, we have entered into contracts with providers of EHR and PM solutions, and we intend to pursue such agreements in the future. These contracts are typically structured as commercial and technical agreements, pursuant to which we integrate certain of our solutions into the EHR and PM systems that are utilized by many of our clients, for agreed payments or provision of services to such providers of EHR and PM solutions. Our ability to form and maintain these agreements in order to facilitate the integration of our solutions into the EHR and PM systems used by our healthcare services clients and their patients is important to the success of our business. If providers of EHR or PM solutions amend, terminate or fail to perform their obligations under their agreements with us, we may need to seek other ways of integrating our solutions with the EHR and PM systems of our healthcare services clients, which could be costly and time consuming, and could adversely affect our business results.
We or the providers of EHR and PM solutions with which we contract may terminate or seek to amend our agreements in order to incorporate the Final Rules promulgated in 2020 by the HHS, ONC, and CMS, which is further described above and is aimed at supporting seamless and secure access, exchange, and use of EHI by increasing innovation and competition by giving patients and their healthcare service providers secure access to health information and new tools, allowing for more choice in care and treatment.
We may also seek to enter into new agreements in the future, and we may not be successful in entering into future agreements on terms favorable to us. Any delay in entering agreements with providers of EHR or PM solutions or other technology providers could either delay the development and adoption of our products and services and reduce their competitiveness. Any such delay could adversely affect our business.

We rely on a limited number of third-party suppliers and contract manufacturers to support our products, and a loss or degradation in performance of these suppliers and contract manufacturers could have a negative effect on our business, financial condition and results of operations.
We rely on third-party suppliers and contract manufacturers for the materials and components used to operate our solutions and product offerings, and to manufacture and assemble our hardware, including the PhreesiaPad and our on-site kiosks, which we refer to as Arrivals Kiosks. We rely on a sole supplier, for example, as the manufacturer of our PhreesiaPads and Arrivals Kiosks, which help drive our business and support our subscription, payment processing and life sciences offerings. In connection with these services, our supplier builds new hardware for us and refurbishes and maintains existing hardware.
Any of our other suppliers or third-party contract manufacturers may be unwilling or unable to supply the necessary materials and components or manufacture and assemble our products reliably and at the levels we anticipate or that are required by the market. Our ability to supply our products commercially and to develop any future products depends, in part, on our ability to obtain these materials, components and products in accordance with regulatory requirements and in sufficient quantities for commercialization. If we are required to change contract manufacturers due to any change in or termination of our relationships with these third parties, or if our manufacturers are unable to obtain the materials they need to produce our products at consistent prices or at all, (including, without limitation, because of the effect of tariffs or other trade restrictions), we may lose sales, experience manufacturing or other delays, incur increased costs or otherwise experience impairment to our client relationships. We cannot guarantee that we will be able to establish alternative relationships on similar terms, without delay or at all.
If our third-party suppliers fail to deliver the required quantities of materials on a timely basis and at commercially reasonable prices, and we are unable to find one or more replacement suppliers capable of production at a substantially equivalent cost in substantially equivalent volumes and quality on a timely basis, the supply of our products to clients and the development of any future products will be delayed, limited or prevented, which could have material adverse effect on our business, financial condition and results of operations.





44


We rely on Internet infrastructure, bandwidth providers, data center providers, other third parties and our own systems for providing services to our clients, and any failure or interruption in the services provided by these third parties or our own systems could expose us to litigation and negatively impact our relationships with clients, adversely affecting our brand and our business.
Our ability to deliver our products and services, particularly our cloud-based solutions, is dependent on the development and maintenance of the infrastructure of the Internet and other telecommunications services by third parties. This includes maintenance of a reliable network connection with the necessary speed, data capacity and security for providing reliable Internet access and services and reliable telephone and facsimile services. Our services are designed to operate without interruption in accordance with our service level commitments.
However, we have experienced limited interruptions in these systems in the past, including server failures that temporarily slow down the performance of our services, and we may experience more significant interruptions in the future. We rely on internal systems as well as third-party suppliers, including bandwidth and telecommunications equipment providers, to provide our services. We do not maintain redundant systems or facilities for some of these services. Interruptions in these systems, whether due to system failures, computer viruses, physical or electronic attacks or other catastrophic events, could affect the security or availability of our services, compromise the data we handle on behalf of our partners and prevent or inhibit the ability of our partners to access our services. In the event of a catastrophic event with respect to one or more of these systems or facilities, we may experience an extended period of system unavailability, which could result in substantial costs to remedy those problems or negatively impact our relationship with our clients, our business, results of operations and financial condition.
Any disruption in the network access, telecommunications or co-location services provided by third-party providers or any failure of or by third-party providers’ systems or our own systems to handle current or higher volume of use could significantly harm our business. We exercise limited control over our third-party suppliers, which increases our vulnerability to problems with services they provide. We have experienced failures by third-party providers’ systems which resulted in a limited interruption of our system. Any errors, failures, interruptions or delays experienced in connection with these third-party technologies and information services or our own systems could negatively impact our relationships with clients and adversely affect our business and could expose us to third-party liabilities.
The reliability and performance of our Internet connection may be harmed by increased usage or by denial-of-service attacks. The Internet has experienced a variety of outages and other delays as a result of damages to portions of its infrastructure, and it could face outages and delays in the future. These outages and delays could reduce the level of Internet usage as well as the availability of the Internet to us for delivery of our Internet-based services.

Risks relating to taxes and accounting standards
Changes in tax regulations and accounting standards, or changes in related judgments or assumptions could materially impact our financial position and results of operation.
We are subject to federal and state income, sales, use, value added and other taxes in the United States and other countries in which we conduct business, and such laws and rates vary by jurisdiction. We are now registered in all states that assess sales taxes on our services. Although we believe our tax practices and provisions are reasonable, the final determination of tax audits and any related litigation, changes in the taxation of our activities and proposed changes in tax laws could cause the ultimate settlement of our tax liabilities to be materially different from our historical tax practices, provisions and accruals. If we receive an adverse ruling as a result of an audit, or we unilaterally determine that we have misinterpreted provisions of the tax regulations to which we are subject, there could be a material effect on our tax provision, net income or cash flows in the period or periods for which that determination is made, which could materially impact our financial results. Further, any changes in the taxation of our activities, including certain proposed changes in U.S. tax laws, may increase our effective tax rate and adversely affect our financial position and results of operations. In addition, liabilities associated with taxes are often subject to an extended or indefinite statute of limitations period. Therefore, we may be subject to additional tax liability (including penalties and interest) for a particular year for extended periods of time.
Furthermore, changes in accounting rules and interpretations or in our accounting assumptions and/or judgments could significantly impact our consolidated financial statements. In some cases, we could be required to delay the filing of our consolidated financial statements, or to apply a new or revised standard retroactively, resulting in restating prior period consolidated financial statements. Any of these circumstances could have a material adverse effect on our business, prospects, liquidity, financial condition and results of operations.





45


Our ability to use our net operating losses to offset future taxable income may be subject to certain limitations.
As of January 31, 2023, we had U.S. federal and state net operating loss carryforwards ("NOLs") of $599.0 million due to prior period losses, which, subject to the following discussion, are generally available to be carried forward to offset a portion of our future taxable income, if any, until such NOLs are used or expire. In general, under Section 382 ("Section 382") of the Internal Revenue Code of 1986, as amended (the "Code"), a corporation that undergoes an “ownership change” is subject to limitations on its ability to utilize its pre-ownership change NOLs to offset future taxable income. Similar rules may apply under state tax laws. We have completed a Section 382 study and as a result of the analysis, it is more likely than not that we have experienced an "ownership change." In addition, it is more likely than not that our existing NOLs are subject to limitations arising from previous ownership changes. Future changes in our stock ownership, some of which are outside of our control, could result in an ownership change under Section 382 of the Code. In addition, under the Tax Cuts and Jobs Act of 2017, as amended by The Coronavirus Aid, Relief, and Economic Security Act of 2020, the amount of post 2017 NOLs that we are permitted to utilize in any taxable year is limited to 80% of our taxable income in such year, where taxable income is determined without regard to the NOL deduction itself. For these reasons, we may not be able to realize a tax benefit from the use of our NOLs. We have a valuation allowance related to our NOLs to recognize only the portion of the deferred tax asset that is more likely than not to be realized.

Risks relating to our financing needs

Our cash and cash equivalents could be adversely affected if the financial institutions in which we hold our cash and cash equivalents fail.
We regularly maintain cash balances at third-party financial institutions in excess of the Federal Deposit Insurance Corporation ("FDIC") insurance limit, and there can be no assurance that we will be able to access uninsured funds in a timely manner or at all in the event of a failure of these financial institutions. If any such depositary institution fails to return our deposits, or if a depository institution is subject to other adverse conditions in the financial or credit markets, this could further impact access to our invested cash or cash equivalents and could adversely impact our operating liquidity and financial performance.

In order to support the growth of our business, we may need to incur additional indebtedness under our current credit facilities or seek capital through new equity or debt financings, which sources of additional capital may not be available to us on acceptable terms or at all.
Our operations have consumed substantial amounts of cash since inception and we intend to continue to make significant investments to support our business growth, respond to business challenges or opportunities, develop new applications and services, enhance our existing solution and services, enhance our operating infrastructure and potentially acquire complementary businesses and technologies. For the year ended January 31, 2024 our net cash used in operating activities was $32.4 million. As of January 31, 2024, we had $87.5 million of cash and cash equivalents, which are held for working capital purposes. Prior to its termination on December 4, 2023, we were party to a credit facility with Silicon Valley Bank ("SVB") pursuant to which we had the ability to borrow up to $100.0 million under a revolving line of credit.
On December 4, 2023, we entered into a credit agreement (the “Credit Agreement”) with Capital One, National Association (“Capital One”), providing for a senior secured asset-based revolving credit facility with an initial borrowing capacity of up to $50.0 million (the “Capital One Credit Facility”). Our obligations under the Capital One Credit Facility are guaranteed by our subsidiaries located in the United States, and are secured by a first priority lien on substantially all of our tangible and intangible property. As of January 31, 2024, we had no outstanding borrowings under the Capital One Credit Facility.
Our future capital requirements may be significantly different from our current estimates and will depend on many factors, including the need to:

finance unanticipated working capital requirements;
develop or enhance our technological infrastructure and our existing products and services;
fund strategic relationships, including joint ventures and co-investments;
fund additional implementation engagements;
respond to competitive pressures; and
acquire complementary businesses, technologies, products or services.




46



Accordingly, we may need to engage in equity or debt financings or collaborative arrangements to secure additional funds. Additional financing may not be available on terms favorable to us, or at all. If we raise additional funds through further issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock. Any debt financing secured by us in the future could involve additional restrictive covenants relating to our capital-raising activities and other financial and operational matters, which may make it more difficult for us to obtain additional capital and to pursue business opportunities, including potential acquisitions. In addition, during times of economic instability, it has been difficult for many companies to obtain financing in the public markets or to obtain debt financing, and we may not be able to obtain additional financing on commercially reasonable terms, if at all. If we are unable to obtain adequate financing or financing on terms satisfactory to us, it could have a material adverse effect on our business, financial condition and results of operations.

Restrictive covenants in the agreements governing our Capital One Credit Facility may restrict our ability to pursue our business strategies.

The Credit Agreement governing our Capital One Credit Facility contains various restrictive covenants that limit our ability to take certain actions, including, but not limited to, our ability to grant or incur liens, dispose of assets, incur additional indebtedness, make certain investments, restricted payments (including dividends), and restricted debt payments, enter into certain transactions with affiliates, and enter into certain mergers and acquisitions. In addition, the Capital One Credit Facility contains financial covenants applicable from time to time, which include Minimum Consolidated EBITDA, Consolidated Fixed Charge Coverage Ratio and Minimum Liquidity, as such terms are defined in the Credit Agreement.

Our ability to comply with these covenants and meet these financial ratios and tests may be affected by events beyond our control, and we may not be able to meet those covenants. A breach of any such covenants could result in a default under the applicable loan agreement, which could cause all of the outstanding indebtedness under such credit facility to become immediately due and payable and terminate all commitments to extend further credit. These covenants could also limit our ability to seek capital through the incurrence of new indebtedness or, if we are unable to meet our obligations, require us to repay any outstanding amounts with sources of capital we may otherwise use to fund our business, operations and strategy.

Adverse developments affecting the financial services industry, such as actual events or concerns involving liquidity, defaults or non-performance by financial institutions or transactional counterparties, could adversely affect our current and projected business operations and our financial condition and results of operations.

Adverse developments that affect financial institutions, transactional counterparties or other third parties, or concerns or rumors about any events of these kinds or other similar risks, have in the past and may in the future lead to market-wide liquidity problems.

Inflation and rapid increases in interest rates have led to a decline in the trading value of previously issued government securities with interest rates below current market interest rates. Although the U.S. Department of Treasury, FDIC and Federal Reserve Board have announced a program to provide up to $25 billion of loans to financial institutions secured by certain of such government securities held by financial institutions to mitigate the risk of potential losses on the sale of such instruments, widespread demands for customer withdrawals or other liquidity needs of financial institutions for immediately liquidity may exceed the capacity of such program. There is no guarantee that the U.S. Department of Treasury, FDIC and Federal Reserve Board will provide access to uninsured funds in the future in the event of the closure of other banks or financial institutions, or that they would do so in a timely fashion.

Although we assess our banking relationships as we believe necessary or appropriate, our access to cash in amounts adequate to finance or capitalize our current and projected future business operations could be significantly impaired by factors that affect us, the financial institutions with which we have banking relationships, or the financial services industry or economy in general. These factors could include, among others, events such as liquidity constraints or failures, the ability to perform obligations under various types of financial, credit or liquidity agreements or arrangements, disruptions or instability in the financial services industry or financial markets, or concerns or negative expectations about the prospects for companies in the financial services industry. These




47


factors could involve financial institutions or financial services industry companies with which we have financial or business relationships, but could also include factors involving financial markets or the financial services industry generally.

The results of events or concerns that involve one or more of these factors could include a variety of material and adverse impacts on our current and projected business operations and our financial condition and results of operations. These could include, but may not be limited to, the following:

delayed access to deposits or other financial assets or the uninsured loss of deposits or other financial assets;
loss of access to revolving existing credit facilities or other working capital sources and/or the inability to refund, roll over or extend the maturity of, or enter into new credit facilities or other working capital resources; or
potential or actual breach of financial covenants in our credit agreements or credit arrangements.

Widespread investor concerns regarding the U.S. or international financial systems could also result in less favorable commercial financing terms, including higher interest rates or costs and tighter financial and operating covenants, or systemic limitations on access to credit and liquidity sources, thereby making it more difficult for us to acquire financing on acceptable terms or at all. Any decline in available funding or access to our cash and liquidity resources could, among other risks, adversely impact our ability to meet our operating expenses, financial obligations or fulfill our other obligations, result in breaches of our financial and/or contractual obligations or result in violations of federal or state wage and hour laws. Any of these impacts, or any other impacts resulting from the factors described above or other related or similar factors not described above, could have material adverse impacts on our liquidity and our current and/or projected business operations and financial condition and results of operations.

In addition, a partner or supplier could be adversely affected by any of the liquidity or other risks that are described above as factors that could result in material adverse impacts on the Company, including but not limited to delayed access or loss of access to uninsured deposits or loss of the ability to draw on existing credit facilities involving a troubled or failed financial institution. Any partner or supplier bankruptcy or insolvency, or the failure of any partner to make payments when due, or any breach or default by a partner or supplier, or the loss of any significant supplier relationships, may have a material adverse impact on our business.

Risks relating to ownership of our common stock

Our share price has been and may in the future be volatile, and you could lose all or part of your investment.
The trading price of our common stock has been and may be volatile and subject to wide price fluctuations in response to various factors, including, but not limited to:

market conditions in the broader stock market in general, or in our industry in particular, which create highly variable and unpredictable pricing of equity securities;
actual or anticipated fluctuations in our quarterly financial reports and results of operations;
changes in the financial projections we provide to the public or our failure to meet these projections;
our ability to satisfy our ongoing capital needs and unanticipated cash requirements;
indebtedness incurred in the future;
actual or anticipated developments in our business, our competitors' businesses, or the competitive landscape generally, including introduction of new products and services by us or our competitors;
issuance of new or changed securities analysts’ reports or recommendations;
additions or departures of key personnel;
new laws or regulations or new interpretations of existing laws or regulations applicable to our business;
regulatory developments;
litigation and governmental investigations;




48


the impact of public health concerns on the economy, our company, our customers, suppliers or employees;
macroeconomic conditions, such as rising interest and inflation rates and economic slowdowns and recessions, and political conditions or events, including those resulting from geopolitical uncertainty and instability or war, such as the ongoing military conflict between Russia and Ukraine and the conflict in the Middle East; and
our sale of common stock or other securities in the future.

In addition, on March 10, 2023, the FDIC took control and was appointed receiver of SVB. At the time SVB entered into receivership, a large number of companies, including many technology companies, held cash deposits with SVB. Although such companies had access to their deposits as of March 13, 2023, companies may continue to face financing uncertainty as a result of SVB’s entry into receivership, which may cause significant volatility with respect to technology company stocks. This, in turn, could negatively impact the trading price of our common stock.
These and other factors may cause the market price and demand for our common stock to fluctuate substantially, which may limit or prevent investors from readily selling their shares of common stock and may otherwise negatively affect the liquidity of our common stock. In addition, in the past, when the market price of a stock has been volatile, holders of that stock have instituted securities class action litigation against the company that issued the stock. If any of our stockholders brought a lawsuit against us, we could incur substantial costs defending the lawsuit. Such a lawsuit could also divert the time and attention of our management from our business.
The trading market for our common stock is also influenced by the research and reports that industry or securities analysts publish about us or our business. If one or more securities or industry analysts cease coverage of our company or fail to publish reports on us regularly, we could lose visibility in the financial markets, which in turn could cause our stock price or trading volume to decline. If one or more of the analysts who cover us downgrades our common stock or provides more favorable recommendations about our competitors, or if our results of operations do not meet their expectations, our stock price could decline.
We do not currently intend to pay dividends on our common stock and, consequently, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock.

We have never declared or paid any cash dividends on our common stock and do not currently intend to do so for the foreseeable future. We currently intend to invest our future earnings, if any, to fund our growth. Therefore, you are not likely to receive any dividends on your common stock for the foreseeable future and the success of an investment in shares of our common stock will depend upon any future appreciation in its value. There is no guarantee that shares of our common stock will appreciate in value or even maintain the price at which our stockholders have purchased their shares.

Risks relating to our bylaws and certificate of incorporation

Anti-takeover provisions under our incorporation documents and Delaware law could delay or prevent a change of control which could limit the market price of our common stock and may prevent or frustrate attempts by our stockholders to replace or remove our current management.

Our seventh amended and restated certificate of incorporation (as amended, our "certificate of incorporation") and our fourth amended and restated by-laws ("bylaws") contain provisions that could delay or prevent a change of control of our company or changes in our board of directors that our stockholders might consider favorable. Some of these provisions include:
a board of directors divided into three classes serving staggered three-year terms, such that not all members of the board will be elected at one time;
a prohibition on stockholder action through written consent, which requires that all stockholder actions be taken at a meeting of our stockholders;
a requirement that special meetings of stockholders be called only by the board of directors acting pursuant to a resolution approved by the affirmative vote of a majority of the directors then in office;
advance notice requirements for stockholder proposals and nominations for election to our board of directors;
49


a requirement that no member of our board of directors may be removed from office by our stockholders except for cause and, in addition to any other vote required by law, upon the approval of not less than 75% of all outstanding shares of our voting stock then entitled to vote in the election of directors;
a requirement of approval of not less than 75% of all outstanding shares of our voting stock to amend any bylaws by stockholder action or to amend specific provisions of our certificate of incorporation; and
the authority of the board of directors to issue preferred stock on terms determined by the board of directors without stockholder approval and which preferred stock may include rights superior to the rights of the holders of common stock.
In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporate Law ("DGCL"), which may prohibit certain business combinations with stockholders owning 15% or more of our outstanding voting stock. These anti-takeover provisions and other provisions in our certificate of incorporation and our bylaws could make it more difficult for stockholders or potential acquirers to obtain control of our board of directors or initiate actions that are opposed by the then-current board of directors and could also delay or impede a merger, tender offer or proxy contest involving our company. These provisions could also discourage proxy contests and make it more difficult for stockholders to elect directors or cause us to take other corporate actions. Any delay or prevention of a change of control transaction or changes in our board of directors could cause the market price of our common stock to decline.
Our bylaws designate certain specified courts as the sole and exclusive forums for certain disputes between us and our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers or employees.
Our bylaws provide that, unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware (the "Chancery Court") will be the sole and exclusive forum for state law claims for (i) any derivative action or proceeding brought on our behalf, (ii) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers or other employees to us or our stockholders, (iii) any action asserting a claim pursuant to any provision of the DGCL, our certificate of incorporation or our bylaws, (iv) any action to interpret, apply, enforce or determine the validity of our certificate of incorporation or bylaws, or (v) any action asserting a claim governed by the internal affairs doctrine (the "Delaware Forum Provision"). The Delaware Forum Provision will not apply to any causes of action arising under the Securities Act of 1933, as amended (the "Securities Act"), or Securities Exchange Act of 1934, as amended, (the "Exchange Act"). Our bylaws further provide that, unless we consent in writing to the selection of an alternative forum, the federal district courts of the United States will be the sole and exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act (the "Federal Forum Provision"). Our bylaws provide that any person or entity purchasing or otherwise acquiring any interest in shares of our capital stock is deemed to have notice of and consented to the foregoing Delaware Forum Provision and the Federal Forum Provision; provided, however, that stockholders cannot and will not be deemed to have waived our compliance with the federal securities laws and the rules and regulations thereunder.
The Delaware Forum Provision and the Federal Forum Provision in our bylaws may impose additional litigation costs on stockholders in pursuing any such claims. Additionally, these forum selection clauses may limit our stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or our directors, officers or other employees, which may discourage the filing of lawsuits against us and our directors, officers and employees, even though an action, if successful, might benefit our stockholders. In addition, while the Delaware Supreme Court and other states courts have upheld the validity of federal forum selection provisions purporting to require claims under the Securities Act be brought in federal court, there is uncertainty as to whether other courts will enforce our Federal Forum Provision. If the Federal Forum Provision is found to be unenforceable in an action, we may incur additional costs associated with resolving such an action. The Federal Forum Provision may also impose additional litigation costs on stockholders who assert that the provision is not enforceable or invalid. The Chancery Court or the federal district courts of the United States may also reach different judgments or results than would other courts, including courts where a stockholder considering an action may be located or would otherwise choose to bring the action, and such judgments may be more or less favorable to us than our stockholders.

Item 1B. Unresolved Staff Comments
None.

Item 1C. Cybersecurity
50


As a healthcare-focused company, we understand the importance of managing cybersecurity risks that we face and have established a cybersecurity risk management program as part of our enterprise risk management program.
Cyber Risk Management and Strategy
Our cybersecurity risk management program is informed by recognized industry standards and frameworks and incorporates elements of the same, including elements of the National Institute of Standards and Technology Cybersecurity Framework and The Health Information Trust Alliance (HITRUST) Common Security Framework. Additionally, we are certified as a PCI-DSS Level 1 Service Provider. The Company’s cybersecurity program utilizes a cross functional, multilayered approach designed to: (i) identify, prevent and mitigate cybersecurity threats to the Company; (ii) preserve the confidentiality, security and availability of the information that we collect and store; (iii) protect the Company’s intellectual property; (iv) maintain the confidence of our customers, clients and business partners; and (v) provide appropriate public disclosure and required notices of cybersecurity risks and incidents when required.
Our cybersecurity program includes safeguards that are designed to protect the Company’s information systems from cybersecurity threats. Such safeguards include firewalls, automated intrusion detection systems, anti-malware functionality and access controls, which are evaluated and improved through periodic vulnerability assessments and ongoing cybersecurity threat intelligence. We have established and maintain an incident response plan that addresses the Company’s response to and recovery from a cybersecurity incident. The incident response plan is tested and evaluated on an annual basis.
The Company’s cybersecurity program is supported by engagement of third-party service providers who help identify, assess and respond to cybersecurity risks. For example, the Company regularly engages third parties to perform and facilitate assessments on our cybersecurity measures, including information security maturity assessments, audits, tabletop exercises, threat modeling and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to leadership, the Audit Committee, and/or the Board, as appropriate, and the Company adjusts its cybersecurity policies, standards, processes and practices as appropriate based on the information provided by the assessments, audits and reviews.
As part of our cybersecurity risk management program, we maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business. Further, all personnel are required to undergo cybersecurity training during onboarding and, thereafter, on an annual basis to reinforce the Company’s information security policies, standards and practices.
We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, like other companies in our industry, we and our third-party vendors may from time to time experience threats and security incidents that could affect our information or systems. See Item 1A “Risk Factors” in this Annual Report on Form 10-K for more information.
Governance
Phreesia takes a cross-functional approach to address the risks from cybersecurity threats. The Company’s Board of Directors (the “Board”) holds oversight responsibility over the Company’s enterprise risk management (“ERM”) program, which incorporates the Company’s cybersecurity risk management program. The Board’s oversight of cybersecurity risk management is supported by the Audit Committee of the Board (the “Audit Committee”), which regularly interacts with the Company’s ERM function, the Company’s Chief Technology Officer, who serves as the Company’s Security Officer, along with other members of management including the Senior Director of Security Engineering, the Chief Privacy Officer, and the compliance, audit, and risk teams.
The Company’s Chief Technology Officer is principally responsible for day-to-day management of the Company’s cybersecurity risk management program. The Chief Technology Officer reports directly to the Chief Executive Officer and works in coordination with the other members of the leadership team, which includes our General Counsel, Chief Operating Officer, and Chief Financial Officer. The Chief Technology Officer oversees a team of security professionals, which is led by the Senior Director of Security Engineering. The security team includes approximately 40 security professionals, 25 of whom are security engineers. Other members of the team oversee and manage identity, risk, compliance and audit functions.
The Board and the Audit Committee each receive regular presentations and reports from the Company’s Chief Technology Officer and/or General Counsel on cybersecurity risks, which address a wide range of topics including, among others, recent developments, evolving standards, vulnerability assessments, third-party and independent
51


reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third party service providers. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds under the Company’s incident response plan.
Item 2. Properties
We are a fully remote company and do not maintain physical corporate offices. Our employees work remotely, from home or at shared co-working office spaces. We believe these arrangements support our current needs. We maintain a mailing address at 1521 Concord Pike, Suite 301, PMB 221, Wilmington, DE 19803. For purposes of compliance with applicable requirements of the Securities Act and the Exchange Act, stockholder communications required to be sent to our principal executive offices may be directed to the email address set forth in our proxy materials and/or identified on our investor relations website.

Item 3. Legal Proceedings
From time to time we may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business. We are not presently a party to any legal proceedings that, if determined adversely to us, would individually or taken together have a material adverse effect on our business, operating results, financial condition or cash flows.

Item 4. Mine Safety Disclosures
Not applicable.
52


PART II

Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Market for Our Common Stock
Our common stock began trading on the New York Stock Exchange, or NYSE, under the symbol "PHR" on July 18, 2019. Prior to that time, there was no public market for our common stock.
Stock Performance Graph
The following performance graph shall not be deemed “soliciting material” or to be “filed” with the Securities and Exchange Commission, or SEC, for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or the Exchange Act, or otherwise subject to the liabilities under that Section, and shall not be deemed to be incorporated by reference into any filing of Phreesia, Inc. under the Securities Act of 1933, as amended, or the Securities Act, or the Exchange Act.
The following graph shows a comparison from July 18, 2019, the date on which our common stock first began trading the NYSE, through January 31, 2024 of the cumulative total stockholder return on our common stock, the NYSE Composite Index, S&P 500, and the S&P 1500 Composite Software and Services Index, each of which assumes an initial investment of $100 and reinvestment of all dividends. Such returns are based on historical results and are not intended to suggest future performance.
The comparisons shown in the graph below are based upon historical data. We caution that the stock price performance shown in the graph below is not necessarily indicative of, nor is it intended to forecast, the potential future performance of our common stock.

Stock Performance Graph.jpg

Stockholders
We had approximately 42 stockholders of record as of March 15, 2024; however, because many of our outstanding shares are held in accounts with brokers and other institutions, we believe we have more beneficial owners. This number of holders of record also does not include stockholders whose shares may be held in trust by other entities.

53


Dividend Policy
We have never declared or paid any cash dividends on our common stock. We anticipate that we will retain all available funds and any future earnings, if any, for use in the operation of our business and do not anticipate declaring or paying cash dividends in the foreseeable future. In addition, future debt instruments may materially restrict our ability to pay dividends on our common stock. Payment of future cash dividends, if any, will be at the discretion of the board of directors after taking into account various factors, including our financial condition, operating results, current and anticipated cash needs, restrictions that may be imposed by applicable law and our contracts and other factors the board of directors deems relevant. Additionally, our ability to pay dividends on our common stock is limited by restrictions under the terms of the Capital One Credit Facility.
Securities Authorized for Issuance Under Equity Compensation Plans
Information about our equity compensation plans in Item 12 of Part III of this Annual Report on Form 10-K is incorporated herein by reference.
Recent Sales of Unregistered Securities
There were no sales of unregistered securities during the fiscal year ended January 31, 2024 that were not previously reported on a Current Report on Form 8-K.
Issuer Purchases of Equity Securities
Not applicable.
Use of Proceeds from Sales of Registered Securities
Not applicable.

Item 6. Reserved
Not applicable.
54



Item 7. Management’s discussion and analysis of financial condition and results of operations
You should read the following discussion and analysis of our financial condition and results of operations together with our consolidated financial statements and related notes and other financial information appearing elsewhere in this Annual Report on Form 10-K. Some of the information contained in this discussion and analysis or set forth elsewhere in this Annual Report on Form 10-K, including information with respect to our plans and strategy for our business, includes forward-looking statements based upon current plans, expectations and beliefs that involve risks and uncertainties. As a result of many factors, including those factors set forth in the “Risk Factors” section of this Annual Report on Form 10-K, our actual results could differ materially from the results described in or implied by the forward-looking statements contained in the following discussion and analysis. Our fiscal year ends January 31. References to fiscal 2024 and 2023 refer to the fiscal years ended January 31, 2024 and 2023, respectively.
Basis of Presentation
This management's discussion and analysis discusses our financial condition and results of operations for the years ended January 31, 2024 and 2023. Please refer to Part II, Item 7, "Management's Discussion and Analysis of Financial Condition and Results of Operations" in our Annual Report on Form 10-K for the year ended January 31, 2023 for a comparison of the year ended January 31, 2023 to the year ended January 31, 2022.

Financial Highlights
Fiscal 2024
Total revenue increased 27% to $356.3 million in fiscal 2024 compared with $280.9 million in fiscal 2023.
Net loss was $136.9 million in fiscal 2024 compared with $176.1 million in fiscal 2023.
Adjusted EBITDA was negative $35.4 million in fiscal 2024 compared with negative $92.5 million in fiscal 2023.
Cash used in operating activities was $32.4 million in fiscal 2024 compared with cash used in operating activities of $90.1 million in fiscal 2023.
Free cash flow was negative $57.5 million in fiscal 2024 compared with negative $116.3 million in fiscal 2023.
Cash and cash equivalents was $87.5 million as of January 31, 2024 compared with $176.7 million as of January 31, 2023.
For a reconciliation of Adjusted EBITDA to net loss and a reconciliation of free cash flow to net cash used in operating activities, and for more information as to how we define and calculate such measures, see the section below titled “Non-GAAP financial measures.”
Overview
We are a leading provider of comprehensive software solutions that improve the operational and financial performance of healthcare organizations and improve health outcomes by helping patients take a more active role in their care. Our solutions include SaaS-based integrated tools that manage patient access, registration and payments. We have tools to communicate with patients about their health and have demonstrated increased rates of preventive care and vaccinations. Additionally, our solutions include clinical assessments to screen patients for a variety of physical, behavioral and mental health conditions, helping providers to better understand their patients and connect them to needed services, resulting in improved health outcomes. We also provide life sciences companies, health plans and other payer organizations (payers), patient advocacy, public interest and other not-for-profit organizations with a channel for direct communication with patients. Our solutions also include additional products and services such as the MediFind provider directory, which helps patients find care based on providers' specific clinical expertise.
We serve an array of healthcare services clients of all sizes across over 25 specialties, ranging from single-specialty practices, including internal and family medicine, urology, dermatology, and orthopedics, to large, multi-specialty groups, and health systems as well as regional and national payers and other organizations that provide other types
55


of healthcare-related services. Our Network solutions revenue (as described below) is generated from clients in the pharmaceutical, biotechnology and medical device industries, as well as payers, patient advocacy, public interest and other not-for-profit organizations seeking to activate, engage and educate patients about topics critical to their health.
We derive revenue from (i) subscription fees from healthcare services clients for access to our solutions and related professional services fees, (ii) payment processing fees based on levels of patient payment volume processed through our solutions and (iii) fees from life sciences and payer clients for delivering direct communications to help activate, engage and educate patients about topics critical to their health using our solutions. We also generate revenue through our additional products and services such as the MediFind provider directory, which helps patients find care based on providers' specific clinical expertise. We have strong visibility into our business as the majority of our revenue is derived from recurring subscription fees and re-occurring payment processing fees.
We market and sell our products and services to healthcare services prospects throughout the U.S. using a direct sales organization. Our database team is responsible for the hygiene and health of our data and is tasked with validating information by using various tools to enrich it. This data powers our sales development organization. Our marketing team identifies customer profiles, develops content and deploys one-to-many communications to soften the market. This helps prepare our sales development team to outbound to prospects. The sales development team creates opportunities and works with the direct sales team to qualify those opportunities. Our sales force executes on these qualified sales leads, partnering with sales enablement and client services to ensure prospects are educated on the breadth of our capabilities and demonstrable value proposition, with the goal of attracting and retaining clients and expanding their use of our solutions over time. Most of our healthcare services customer contracts are structured as annual, auto-renewing agreements. Our sales typically involve competitive processes, and sales cycles have, on average, varied in duration from three months to six months, depending on the size of the potential client. In addition, through Phreesia University (Phreesia’s in-house training program), events, client conferences and webinars, we help our healthcare services clients optimize their businesses and, as a result, support client retention.
We also sell products and services to life sciences and payer organizations, healthcare advertising agencies and advocacy groups as well as advertising agencies through our direct sales and marketing teams. Unlike healthcare services programs, most of the life science campaigns need to be measured and resold each year. Like healthcare services, the marketing team supports net new business and client retention for life sciences by educating ideal customer profiles about the value of Phreesia and the positive impact on health outcomes Phreesia campaigns have on patients.
Since our inception, we have focused substantially all of our sales efforts within the United States. Accordingly, substantially all of our revenue from historical periods has come from the United States, and our current strategy is to continue to focus substantially all of our sales efforts within the United States.
Our revenue growth has been primarily organic and reflects our significant addition of new healthcare services clients. New healthcare services clients are defined as clients that go live in the applicable period and existing healthcare services clients are defined as clients that go live in any period before the applicable period.
Recent developments and current economic conditions
Acquisitions
On June 30, 2023, we acquired MediFind for total cash and equity consideration of $8.9 million. MediFind is a consumer-facing healthcare product that helps patients - especially those with serious, chronic and rare diseases - find better care faster. We acquired MediFind to reinforce our commitment to patient-centered care and expand our offerings to consumers.
On August 11, 2023, we acquired Access for total cash and equity consideration of $37.4 million. Access is an innovative electronic forms management and automation provider that helps hospitals across the country streamline workflows, improve compliance and deliver a better patient experience. We acquired Access to enhance and build on our existing functionality in the acute care space and to expand our network of clients and partners.
On October 3, 2023, we acquired ConnectOnCall for total consideration of $13.9 million. ConnectOnCall is a founder-owned company with an automated medical answering solution that routes and triages after-hours calls and manages high daytime call volumes. We acquired ConnectOnCall to expand our offerings to provider organizations, helping them make the call-triaging process more efficient and less expensive.
56


See Note 16 - Acquisitions within Part II - Item 8 of this Annual Report on Form 10-K for additional information regarding our acquisitions.
Termination of Third SVB Facility
On December 4, 2023, we terminated the Third SVB Facility with SVB. We recorded a loss on extinguishment of debt of $1.1 million in connection with the termination of the Third SVB Facility, including lender fees of $0.6 million.
Capital One Facility
On December 4, 2023, we entered into a new 5-year $50.0 million senior secured asset-based revolving credit facility ("Capital One Credit Facility") maturing in December 2028, which includes a swingline sub-limit of at least $5.0 million and a letter of credit sub-limit of at least $5.0 million. The new Capital One Credit Facility was entered into with Capital One, N.A., acting as administrative agent and replaces our previous senior secured revolving credit facility with SVB. The new Capital One Credit Facility will give us additional financial flexibility through fiscal year 2028. The facility is available to us for working capital and general corporate purposes. The Capital One Credit Facility bears interest at a rate per annum based on the Secured Overnight Financing Rate (“SOFR”) or a Base Rate as specified in the Credit Agreement. In addition to principal and interest due under the Capital One Credit Facility, we are required to pay an annual fee equal to 0.25% of the unused balance of the facility.
Macroeconomic environment and geopolitical conditions
Our business is directly and indirectly affected by macroeconomic conditions, geopolitical conditions and the state of global financial markets. Recent geopolitical uncertainty resulting, in part, from military conflict between Russia and Ukraine and the conflict in the Middle East, as well as other macro-economic conditions, such as the impact of pandemics, increased interest rates, inflation in the cost of goods, services and labor, or a recession or an economic slowdown in the U.S. or internationally have contributed to significant volatility and declines in global financial markets. The uncertainty over the extent and duration of the ongoing conflict and these macroeconomic conditions continues to cause disruptions to businesses and markets worldwide. While none of these factors individually has had a material impact on our business to date, it is difficult to predict the potential impact these factors may have on our future business results, and each could adversely impact our business operations, financial performance and results of operations.
Key Metrics
We regularly review the following key metrics to measure our performance, identify trends affecting our business, formulate financial projections, make strategic business decisions and assess working capital needs.
For the fiscal years ended January 31,Change
20242023Amount%
Key Metrics:
Average number of healthcare services clients ("AHSCs")3,601 2,856 745 26 %
Healthcare services revenue per AHSC$72,215 $72,599 $(384)(1)%
Total revenue per AHSC$98,944 $98,358 $586 %

AHSCs. We define AHSCs as the average number of clients that generate subscription and related services or payment processing revenue each month during the applicable period. In cases where we act as a subcontractor providing white-label services to our partner's clients, we treat the contractual relationship as a single healthcare services client. We believe growth in AHSCs is a key indicator of the performance of our business and depends, in part, on our ability to successfully develop and market our solutions to healthcare services organizations that are not yet clients. While growth in AHSCs is an important indicator of expected revenue growth, it also informs our management of the areas of our business that will require further investment to support expected future AHSC growth. For example, as AHSCs increase, we may need to add to our customer support team and invest to maintain effectiveness and performance of our solutions for our healthcare services clients and their patients.
Healthcare services revenue per AHSC. We define Healthcare services revenue as the sum of subscription and related services revenue and payment processing revenue. We define Healthcare services revenue per AHSC as healthcare services revenue in a given period divided by AHSCs during that same period. We are focused on
57


continually delivering value to our healthcare services clients and believe that our ability to increase healthcare services revenue per AHSC is an indicator of the long-term value of our solutions. Healthcare services revenue per AHSC was $72,215 for the year ended January 31, 2024 compared to $72,599 for the year ended January 31, 2023, a decrease of $384. The decline was primarily driven by AHSC growth significantly outpacing growth in payment processing volume and payment processing revenue.
Total Revenue per AHSC. We define Total revenue per AHSC as Total revenue in a given period divided by AHSCs during that same period. Our healthcare services clients directly generate subscription and related services and payment processing revenue. Additionally, our relationships with healthcare services clients who subscribe to our technology give us the opportunity to engage with life sciences companies, health plans and other payer organizations, patient advocacy, public interest and other not-for-profit organizations who deliver direct communication to patients through our solutions. As a result, we believe that our ability to increase Total revenue per AHSC is an indicator of the long-term value of our solutions. Total revenue per AHSC was $98,944 for the year ended January 31, 2024 compared to $98,358 for the year ended January 31, 2023, an increase of $586. The increase was primarily driven by Network solutions revenue growth outpacing healthcare services client growth.

Additional Information
For the fiscal years ended January 31,Change
20242023Amount%
Patient payment volume (in millions)$3,947 $3,284 $663 20 %
Payment facilitator volume percentage82 %80 %%%

Patient payment volume. We believe that patient payment volume is an indicator of both the underlying health of our healthcare services clients’ businesses and the continuing shift of healthcare costs to patients. We measure patient payment volume as the total dollar volume of transactions between our healthcare services clients and their patients utilizing our payment platform, including via credit and debit cards that we process as a payment facilitator as well as cash and check payments and credit and debit transactions for which we act as a gateway to other payment processors.
Payment facilitator volume percentage. We define payment facilitator volume percentage as the volume of credit and debit card patient payment volume that we process as a payment facilitator as a percentage of total patient payment volume. Payment facilitator volume is a major driver of our payment processing revenue.


58


Results of operations
The following tables set forth our results of operations for the periods presented and as a percentage of revenue for those periods:
For the fiscal years ended January 31,For the fiscal years ended January 31,
(in thousands)2024202320242023
Revenue
Subscription and related services$165,436 $128,975 46 %46 %
Payment processing fees94,610 78,368 27 %28 %
Network solutions96,253 73,567 27 %26 %
Total revenues356,299 280,910 100 %100 %
Expenses
Cost of revenue (excluding depreciation and amortization)61,025 58,944 17 %21 %
Payment processing expense62,986 50,323 18 %18 %
Sales and marketing147,008 151,263 41 %54 %
Research and development112,346 91,244 32 %32 %
General and administrative79,926 80,384 22 %29 %
Depreciation17,584 17,988 %%
Amortization11,903 7,316 %%
Total expenses492,778 457,462 138 %163 %
Operating loss(136,479)(176,552)(38)%(63)%
Other income (expense), net44 (175)— %— %
Loss on extinguishment of debt(1,118)— — %— %
Interest income, net2,211 1,064 %— %
Total other income, net1,137 889 — %— %
Loss before provision for income taxes(135,342)(175,663)(38)%(63)%
Provision for income taxes(1,543)(483)— %— %
Net loss$(136,885)$(176,146)(38)%(63)%

Components of statements of operations
Revenue
We generate revenue primarily from providing an integrated SaaS-based software and payment platform for the healthcare industry. We derive revenue from subscription fees and related services generated from our healthcare services clients for access to our solutions, payment processing fees based on the levels of patient payment volume we process, and from fees from life sciences and payer clients for delivering direct communications to help activate, engage and educate patients about topics critical to their health.
Our total revenues consist of the following:
Subscription and related services. We primarily generate subscription fees from our healthcare services clients based on the number of healthcare services clients that subscribe to and utilize our solutions. Our healthcare services clients are typically billed monthly in arrears, though in some instances, healthcare services clients may opt to be billed quarterly or annually in advance. Subscription fees are typically auto-debited from healthcare services clients’ accounts every month. As we target and add larger enterprise healthcare services clients, these clients may choose to contract differently than our typical per healthcare services client subscription model. To the extent we charge in an alternative manner with larger enterprise healthcare services clients, we expect that such a pricing model will recur and, combined with our per healthcare services client subscription fees, will increase as a percentage of our total revenue.
In addition, we receive certain fees from healthcare services clients for professional services associated with our implementation services as well as travel and expense reimbursements, shipping and handling fees, sales of hardware (PhreesiaPads and Arrivals Kiosks), on-site support and training.
59


Payment processing fees. We generate revenue from payment processing fees based on the number of transactions and the levels of patient payment volume processed through our solutions. Payment processing fees are generally calculated as a percentage of the total transaction dollar value processed and/or a fee per transaction. Credit and debit patient payment volume processed through our payment facilitator model represented 82% and 80% of our patient payment volume in fiscal 2024 and 2023, respectively. The remainder of our patient payment volume is composed of credit and debit transactions for which Phreesia acts as a gateway to another payment processor, and cash and check transactions. Patient payment responsibility typically declines as a share of total spending as the calendar year progresses due to benefit design. Consistent with that trend, payment volume on a per client basis has historically been lower in the second half of our fiscal year as compared to the first half of our fiscal year.
Network solutions. We generate revenue from life sciences and payer clients for delivering direct communications to patients. As we expand our healthcare services client base, we increase the number of new patients we can reach to deliver our direct communications that help activate, engage and educate patients about topics critical to their health on behalf of life sciences and payer clients.
Cost of revenue (excluding depreciation and amortization)
Our cost of revenue (excluding depreciation and amortization) primarily consists of personnel costs, including salaries, stock-based compensation, benefits and bonuses for implementation and technical support, and infrastructure costs to operate our solutions such as hosting fees and fees paid to various third-party providers for access to their technology, as well as costs to verify insurance eligibility and benefits.
Payment processing expense
Payment processing expense consists primarily of interchange fees set by payment card networks that are ultimately paid to the card-issuing financial institution, assessment fees paid to payment card networks, and fees paid to third-party payment processors and gateways. Payment processing expense may increase as a percentage of payment processing revenue if card networks raise pricing for interchange and assessment fees or if we reduce pricing to our clients.
Sales and marketing
Sales and marketing expense consists primarily of personnel costs, including salaries, stock-based compensation, benefits, bonuses and commission costs for our sales and marketing personnel. Sales and marketing expense also includes costs for advertising, promotional and other marketing activities, as well as certain fees paid to various third-party partners for sales and lead generation. Advertising is expensed as incurred.
Research and development
Research and development expense consists of costs to develop our products and services that do not meet the criteria for capitalization as internal-use software. These costs consist primarily of personnel costs, including salaries, stock-based compensation and benefits for our development personnel. Research and development expense also includes third-party partner fees and third-party consulting fees.
General and administrative
General and administrative expense consists primarily of personnel costs, including salaries, stock-based compensation and benefits for our executive, finance, legal, security, human resources, information technology and other administrative personnel. General and administrative expense also includes software costs to support our finance, legal and human resources operations, insurance costs as well as fees to third-party providers for accounting, legal and consulting services, costs for various non income-based taxes and software costs.
Depreciation
Depreciation represents depreciation expense for PhreesiaPads and Arrivals Kiosks, data center and other computer hardware, purchased computer software, furniture and fixtures and leasehold improvements.
Amortization
Amortization primarily represents amortization of our capitalized internal-use software related to our solutions as well as amortization of acquired intangible assets.
Other income (expense), net
Our other income and expense line items consist of the following:
60


Other income (expense), net. Other income (expense), net consists of foreign currency-related gains and losses and other miscellaneous income (expense).
Loss on extinguishment of debt. Loss on extinguishment of debt represents the difference between the amount paid on extinguishment of debt (including any directly related fees) and the net carrying amount of debt being extinguished.
Interest income. Interest income consists of interest earned on our cash and cash equivalent balances.
Interest expense. Interest expense consists primarily of the interest incurred on our financing obligations as well as amortization of discounts and deferred financing costs.
Provision for income taxes
Based upon our cumulative pre-tax losses in recent years and available evidence, we have determined that it is more likely than not that substantially all of our deferred tax assets as of January 31, 2024 will not be realized in the near term. Consequently, we have established a valuation allowance against our deferred tax assets that are not more likely than not to be realized. In future periods, if we conclude we have future taxable income sufficient to realize the deferred tax assets, we may reduce or eliminate the valuation allowance. Provision for income taxes also includes U.S. state and local income taxes and foreign income taxes. We record unrecognized tax benefits as liabilities or as reductions to deferred tax assets and adjust these balances when our judgement changes as a result of the evaluation of new information previously not available.
Comparison of fiscal 2024 versus fiscal 2023
Revenue
Fiscal years ended January 31,
(in thousands)
20242023$ Change% Change
Subscription and related services$165,436 $128,975 $36,461 28 %
Payment processing fees94,610 78,368 16,242 21 %
Network solutions96,253 73,567 22,686 31 %
Total revenues$356,299 $280,910 $75,389 27 %
Subscription and related services. Our subscription and related services revenue from healthcare services organizations increased $36.5 million to $165.4 million for fiscal 2024, as compared to $129.0 million for fiscal 2023, primarily due to new healthcare services clients added in fiscal 2024 as well as expansion of and cross-selling to existing healthcare services clients.
Payment processing fees. Our revenue from patient payments processed through our solutions increased $16.2 million to $94.6 million for fiscal 2024, as compared to $78.4 million for fiscal 2023, due to the addition of new healthcare services clients, which drove increases in patient visits and patient payments processed through our platform.
Network solutions. Our revenue from life science and payer clients increased $22.7 million to $96.3 million for fiscal 2024, as compared to $73.6 million for fiscal 2023 due to an increase in engagement, education programs and deeper patient outreach among the existing programs.
Cost of revenue (excluding depreciation and amortization)
Fiscal years ended January 31,
(in thousands)
20242023$ Change% Change
Cost of revenue (excluding depreciation and amortization)
$61,025 $58,944 $2,081 %
Cost of revenue (excluding depreciation and amortization) increased $2.1 million to $61.0 million for fiscal 2024, as compared to $58.9 million for fiscal 2023. The increase resulted primarily from a $6.1 million increase in outside services and other third-party costs driven by growth in revenue and a $0.9 million increase in employee stock compensation costs, partially offset by a $4.7 million decrease in employee salary and benefits costs driven by lower headcount.
61


Stock compensation incurred related to cost of revenue was $4.6 million and $3.7 million for fiscal 2024 and fiscal 2023, respectively.
Payment processing expense
Fiscal years ended January 31,
(in thousands)
20242023$ Change% Change
Payment processing expense$62,986 $50,323 $12,663 25 %
Payment processing expense increased $12.7 million to $63.0 million for fiscal 2024, as compared to $50.3 million for fiscal 2023. The increase resulted primarily from the increase in payment processing fees revenue and patient payments processed through our solutions, each driven by an increase in patient visits over the prior year.
Sales and marketing
Fiscal years ended January 31,
(in thousands)
20242023$ Change% Change
Sales and marketing
$147,008 $151,263 $(4,255)(3 %)
Sales and marketing expense decreased $4.3 million to $147.0 million for fiscal 2024, as compared to $151.3 million for fiscal 2023. The decrease was primarily attributable to a $13.6 million decrease in employee salary and benefits costs driven by lower average headcount, partially offset by a $3.8 million increase in employee stock compensation, a $3.0 million increase in travel and other internal sales and marketing costs as well as a $2.6 million increase in outside services and other third-party sales and marketing costs.
Stock compensation incurred related to sales and marketing expense was $26.0 million and $22.2 million for fiscal 2024 and fiscal 2023, respectively.
Research and development
Fiscal years ended January 31,
(in thousands)
20242023$ Change% Change
Research and development
$112,346 $91,244 $21,102 23 %
Research and development expense increased $21.1 million to $112.3 million for fiscal 2024, as compared to $91.2 million for fiscal 2023. The increase resulted primarily from a $9.2 million increase in employee salary and benefit costs and a $5.7 million increase in employee stock compensation costs, each driven by increased research and development headcount, a $2.1 million increase in software costs, a $1.1 million increase in outside services costs, as well as a $0.8 million increase in hardware and hosting costs.
Stock compensation incurred related to research and development expense was $17.4 million and $11.8 million in fiscal 2024 and fiscal 2023, respectively.
General and administrative
Fiscal years ended January 31,
(in thousands)
20242023$ Change% Change
General and administrative
$79,926 $80,384 $(458)(1 %)
General and administrative expense decreased $0.5 million to $79.9 million for fiscal 2024, as compared to $80.4 million for fiscal 2023. The $0.5 million decrease resulted primarily from a $1.7 million decrease in employee salary and benefit costs as well as lower rent, travel and insurance costs, partially offset by a $2.5 million increase in employee stock compensation costs as well as higher outside services costs associated with fiscal year 2024 acquisitions.
Stock compensation incurred related to general and administrative expense was $23.7 million and $21.2 million in fiscal 2024 and fiscal 2023, respectively.
62


Depreciation
Fiscal years ended January 31,
(in thousands)
20242023$ Change% Change
Depreciation
$17,584 $17,988 $(404)(2 %)
Depreciation expense decreased $0.4 million to $17.6 million for fiscal 2024, as compared to $18.0 million for fiscal 2023. The decrease was primarily attributable to lower computer equipment depreciation.
Amortization
Fiscal years ended January 31,
(in thousands)
20242023$ Change% Change
Amortization
$11,903 $7,316 $4,587 63 %
Amortization expense increased $4.6 million to $11.9 million for fiscal 2024, as compared to $7.3 million for fiscal 2023. The increase was primarily driven by higher amortization of capitalized internal-use software development costs as well as amortization of intangible assets acquired during the current year.
Other income (expense), net
Fiscal years ended January 31,
(in thousands)
20242023$ Change% Change
Other income (expense), net$44 $(175)$219 (125 %)
Other income (expense), net was income of less than $0.1 million for fiscal 2024 as compared to expense of $0.2 million for fiscal 2023. Other income (expense) is comprised primarily of foreign exchange gains and losses.
Loss on extinguishment of debt
Fiscal years ended January 31,
(in thousands)
20242023$ Change% Change
Loss on extinguishment of debt$(1,118)$— $(1,118)(100 %)
During fiscal 2024, we recorded a $1.1 million loss on extinguishment of debt in connection with the termination of the Third SVB Facility.
Interest income, net
Fiscal years ended January 31,
(in thousands)
20242023$ Change% Change
Interest income, net$2,211 $1,064 $1,147 108 %
Interest income, net increased by $1.1 million to $2.2 million for fiscal 2024, as compared to $1.1 million for fiscal 2023. The increase is primarily attributable to higher interest income earned from our cash and cash equivalent balances.
63


Provision for income taxes
Fiscal years ended January 31,
(in thousands)20242023$ Change% Change
Provision for income taxes$(1,543)$(483)$(1,060)219 %
Provision for income taxes increased by $1.1 million to $1.5 million for fiscal 2024, as compared to $0.5 million for fiscal 2023. The increase in provision for income taxes relates primarily to an increase in Canadian income tax expense.
Non-GAAP financial measures
Adjusted EBITDA is a supplemental measure of our performance that is not required by, or presented in accordance with, GAAP. Adjusted EBITDA is not a measurement of our financial performance under GAAP and should not be considered as an alternative to net income or loss or any other performance measure derived in accordance with GAAP, or as an alternative to cash flows from operating activities as a measure of our liquidity. We define Adjusted EBITDA as net income or loss before interest income (expense), net, provision for income taxes, depreciation and amortization, and before stock-based compensation expense, loss on extinguishment of debt and other income (expense) net.
We have provided below a reconciliation of Adjusted EBITDA to net loss, the most directly comparable GAAP financial measure. We have presented Adjusted EBITDA in this Annual Report on Form 10-K because it is a key measure used by our management and board of directors to understand and evaluate our core operating performance and trends, to prepare and approve our annual budget, and to develop short and long-term operational plans. In particular, we believe that the exclusion of the amounts eliminated in calculating Adjusted EBITDA can provide a useful measure for period-to-period comparisons of our core business. Accordingly, we believe that Adjusted EBITDA provides useful information to investors and others in understanding and evaluating our operating results in the same manner as our management and board of directors.
Our use of Adjusted EBITDA has limitations as an analytical tool, and you should not consider it in isolation or as a substitute for analysis of our financial results as reported under GAAP. Some of these limitations are as follows:
Although depreciation and amortization expense are non-cash charges, the assets being depreciated and amortized may have to be replaced in the future, and Adjusted EBITDA does not reflect cash capital expenditure requirements for such replacements or for new capital expenditure requirements;
Adjusted EBITDA does not reflect: (1) changes in, or cash requirements for, our working capital needs; (2) the potentially dilutive impact of non-cash stock-based compensation; (3) tax payments that may represent a reduction in cash available to us; or (4) interest (income) expense, net; and
Other companies, including companies in our industry, may calculate Adjusted EBITDA or similarly titled measures differently, which reduces its usefulness as a comparative measure.
64


Because of these and other limitations, you should consider Adjusted EBITDA along with other GAAP-based financial performance measures, including various cash flow metrics, net loss, and our GAAP financial results. The following table presents a reconciliation of Adjusted EBITDA to net loss for each of the periods indicated:

For the fiscal years ended January 31,
(in thousands)20242023
Net loss$(136,885)$(176,146)
Interest income, net(2,211)(1,064)
Provision for income taxes1,543 483 
Depreciation and amortization29,487 25,304 
Stock-based compensation expense71,613 58,775 
Loss on extinguishment of debt1,118 — 
Other (income) expense, net(44)175 
Adjusted EBITDA$(35,379)$(92,473)

We calculate free cash flow as net cash used in operating activities less capitalized internal-use software development costs and purchases of property and equipment.
Additionally, free cash flow is a supplemental measure of our performance that is not required by, or presented in accordance with, GAAP. We consider free cash flow to be a liquidity measure that provides useful information to management and investors about the amount of cash generated by our business that can be used for strategic opportunities, including investing in our business, making strategic investments, partnerships and acquisitions and strengthening our financial position.
The following table presents a reconciliation of free cash flow from net cash used in operating activities, the most directly comparable GAAP financial measure, for each of the periods indicated:

For the fiscal years ended January 31,
(in thousands)20242023
Net cash used in operating activities$(32,378)$(90,123)
Less:
Capitalized internal-use software(19,291)(21,471)
Purchases of property and equipment(5,806)(4,732)
Free cash flow$(57,475)$(116,326)

Liquidity and capital resources
As of January 31, 2024 and 2023, we had cash and cash equivalents of $87.5 million and $176.7 million, respectively. Cash and cash equivalents consist of money market funds and cash on deposit.
We believe that our existing cash and cash equivalents, along with cash generated in the normal course of business, will be sufficient to meet our needs for at least the next 12 months.
In addition, we also have potential borrowing capacity under our credit agreement subject to certain restrictive covenants.
Our future capital requirements and the adequacy of available funds will depend on many factors, including those set forth under “Risk Factors.”
In the event that additional financing is required from outside sources, we may be unable to raise the funds on acceptable terms, if at all. If we are unable to raise additional capital when desired, our business, operating results and financial condition could be adversely affected.
65


Silicon Valley Bank facility
Termination of the Third SVB Facility
On December 4, 2023, we terminated the Third SVB Facility and we recorded a $1.1 million loss on extinguishment of debt, including $0.6 million of lender and third-party fees and $0.5 million to write-off unamortized deferred financing costs. Lender fees included a termination fee of 1.0% of borrowing capacity.
Capital One facility
On December 4, 2023, we entered into a new 5-year $50 million senior secured asset-based revolving credit facility ("Capital One Credit Facility") maturing in December 2028, which includes a swingline sub-limit of at least $5.0 million and a letter of credit sub-limit of at least $5.0 million. The new Capital One Credit Facility was entered into with Capital One, N.A., acting as administrative agent and replaces our previous senior secured revolving credit facility with Silicon Valley Bank, which we terminated the same date. We believe the new Capital One Credit Facility will give us additional financial flexibility through fiscal 2028. The facility is available to us for working capital and general corporate purposes.
The obligations under the Capital One Credit Facility are secured by a first priority security interest in substantially all of our tangible and intangible assets, and by pledges of the equity of certain of our U.S. subsidiaries, in each case subject to customary exclusions.
The Capital One Credit Facility includes financial covenants including, but not limited to requiring us to maintain minimum Consolidated EBITDA, minimum Liquidity, a minimum Consolidated Fixed Charge Coverage Ratio and limiting the amount of cash and cash equivalents we hold outside Capital One, each as defined in the Credit Agreement. We were in compliance with all covenants related to the Capital One Credit Facility as of January 31, 2024.
We believe that our cash and cash equivalents along with cash generated in the normal course of business, are sufficient to fund our operations for at least the next 12 months.
Financing agreements
On June 8, 2023, we entered into a financing agreement to obtain financing for internal-use software and related software support. As of January 31, 2024, there was $3.1 million in outstanding principal and interest due under the agreement. The financing agreement requires us to pay $0.1 million per month for 36 months beginning August 2023. The effective interest rate on the agreement is 10.5% per annum.
Shares issued as consideration for acquisition
On June 30, 2023, we entered into an agreement to acquire 100% of the outstanding equity of MediFind for total consideration of $8.9 million, which included the issuance of 150,786 shares of our common stock to certain MediFind stockholders.
On August 11, 2023, we entered into an agreement to acquire 100% of the outstanding equity of Access for total consideration of $37.4 million, which included the issuance of 1,096,436 shares of our common stock to certain members of Access.
Liabilities issued as consideration for acquisition
On October 3, 2023, we entered into an agreement to acquire 100% of the outstanding equity of ConnectOnCall for total consideration of $13.9 million, including liabilities with an acquisition-date fair value of $10.0 million. The liabilities include undiscounted payments of $10.9 million payable in seven quarterly installments through June 2025. See Note 16 - Acquisitions of this Annual Report on Form 10-K for additional information regarding the acquisition of ConnectOnCall.
66


The following table summarizes our sources and uses of cash for each of the periods presented:
Fiscal years ended
January 31,
(in thousands)
20242023
Net cash used in operating activities$(32,378)$(90,123)
Net cash used in investing activities(39,670)(26,203)
Net cash used in financing activities(17,115)(20,803)
Net decrease in cash and cash equivalents$(89,163)$(137,129)
Operating activities
The primary sources of cash from operating activities are cash received from our customers and interest earned on our money market mutual funds. The primary uses of cash for operating activities are for payroll, payments to suppliers, payments for operating leases, as well as cash paid for interest on our finance leases and other financings and cash paid for various taxes.
During the fiscal year ended January 31, 2024, net cash used in operating activities was $32.4 million, as our cash paid to employees and suppliers exceeded our cash received from customers in connection with our normal operations. During the fiscal year ended January 31, 2023, net cash used in operating activities was $90.1 million, as our cash paid to employees and suppliers exceeded our cash received from customers in connection with our normal operations.
The change in net cash used in operating activities was driven primarily by an increase in cash received from customers driven by higher revenues, higher interest income on money market mutual funds we held during the year ended January 31, 2024 and lower employee compensation costs, primarily due to lower average employee headcount, partially offset by higher outside services costs and acquisition-related costs.
Investing activities
During the fiscal year ended January 31, 2024, net cash used in investing activities was $39.7 million, including $19.3 million of cash paid for capitalized internal-use software, $14.6 million of cash paid for acquisitions, net of cash acquired, as well as well as $5.8 million of purchases of property and equipment.
During the fiscal year ended January 31, 2023, net cash used in investing activities was $26.2 million, principally resulting from capital expenditures, the majority of which consisted of $21.5 million of cash paid for capitalized internal-use software, as well as $4.7 million of purchases of property and equipment, including hardware used by clients and data center equipment.
Financing activities
During the fiscal year ended January 31, 2024, net cash used in financing activities was $17.1 million, primarily consisting of $12.2 million used for treasury stock to satisfy tax withholdings on stock compensation awards, $7.4 million used for principal payments on finance leases and financing arrangements, $2.1 million used for debt issuance costs, facility fees and debt extinguishment costs, and $1.3 million used for principal payments of acquisition-related liabilities, partially offset by $4.2 million in proceeds from our equity compensation plans and $1.7 million constructive financing related to our software financing arrangement.
During the fiscal year ended January 31, 2023, cash provided by financing activities was $20.8 million, primarily consisting of $19.4 million used for treasury stock to satisfy tax withholdings on stock compensation awards and $5.9 million used for principal payments on finance leases and financing arrangements, partially offset by $4.9 million in proceeds from our equity compensation plans.
Material Cash Requirements
Our material cash requirements relate to human capital, contractual purchase commitments, payments on deferred consideration liabilities, leases and financing arrangements. Refer to Note 4 - Composition of certain financial statement accounts in Part II - Item 8 of this Annual Report on Form 10-K for additional information on accrued payroll related liabilities and deferred consideration liabilities. Refer to Note 6 - Finance leases and other debt, Note 10 - Leases and Note 11 - Commitments and contingencies in Part II - Item 8 of this Annual Report on Form 10-K for additional information on cash requirements for leases, financing arrangements and contractual purchase commitments.
67


Critical accounting policies and estimates
The preparation of the consolidated financial statements in conformity with GAAP requires us to make certain estimates and assumptions. These estimates and assumptions affect the reported amounts of assets and liabilities and disclosure of contingent assets and liabilities as of the balance sheet date, as well as reported amounts of revenue and expenses during the reporting period. Our most significant estimates and judgments involve revenue recognition, the fair value of assets acquired in business combinations, capitalized internal-use software, income taxes, and valuation of our stock-based compensation. Actual results may differ from these estimates. To the extent that there are differences between our estimates and actual results, our future financial statement presentation, financial condition, results of operations, and cash flows will be affected.
We believe that the accounting policies described below involve a greater degree of judgment and complexity. Accordingly, these are the policies we believe are the most critical to aid in fully understanding and evaluating our financial condition and results of operations.
Revenue recognition
We account for revenue from contracts with clients by applying the requirements of Topic 606, which includes the following steps:
Identification of the contract, or contracts, with a client
Identification of the performance obligations in a contract
Determination of the transaction price
Allocation of the transaction price to the performance obligations in the contract
Recognition of revenue when, or as, performance obligations are satisfied
Revenues are recognized when control of these services is transferred to our clients, in an amount that reflects the consideration we expect to be entitled to in exchange for those services.
We believe the areas in which we apply significant judgements when determining revenue recognition relate to the identification of distinct performance obligations, the assessment of the standalone selling price (“SSP”) for each performance obligation identified, the determination of the amount of variable consideration to include in the transaction price of our contracts with customers and the determination of whether we are the principal or the agent for certain performance obligations.
Determination of Performance Obligations
A performance obligation is a promise in a contract with a customer to transfer products or services that are distinct. Our contracts with customers may include multiple promises to transfer services to a customer. Determining whether products and services are distinct performance obligations that should be accounted for separately or combined as a single performance obligation may require significant judgment that requires us to assess the nature of the promise and the value delivered to the customer.
Our subscription and related services revenue includes certain fees from clients for professional services associated with implementation services.
In determining whether professional services for implementation are distinct, we consider the following factors for each professional services agreement: availability of the services from other vendors, the nature of the professional services and the complexity of interfaces created between systems.
We determined that the majority of implementation services were not distinct from the related subscription service because they are proprietary such that they cannot be performed by another entity, because we generally do not sell professional services on a stand-alone basis, and because they are integral to the customer’s ability to derive the intended benefit of the subscription service, indicating that the implementation services and related subscription are inputs to a combined output.
Determination of Standalone Selling Prices
We allocate the transaction price of our customer contracts to the performance obligations within those contracts based on the relative SSP of the performance obligations.
The SSP is the price that we would sell a product separately to a customer. The best evidence of this is an observable price from stand-alone sales of that product to similarly situated customers. However, as we do not typically transfer our performance obligations on a standalone basis, but rather we transfer bundles of performance
68


obligations, we use an adjusted market assessment approach to estimate the price a customer would be willing to pay for our performance obligations using historical price information as priced in previous bundled contracts.
In determining SSPs, we stratify the population of customer transactions by product, type, size of customer and geographic area. We typically establish a range of SSPs for each of our performance obligations.
The prices we charge for digital messaging solutions provided to life sciences companies have historically been highly variable. We consider pricing to be highly variable if we have a history of selling the services at a wide range of prices to similar customers in similar geographic areas within the same time periods. As the pricing of our digital messaging solutions has historically been highly variable, we use the residual method to estimate the SSP of performance obligations for digital messaging solutions. We estimate the residual SSP of our digital messaging solutions as the total transaction price of the customer contract less the SSPs of the remaining performance obligations pursuant to the contract.
Variable Consideration
We estimate the transaction price at contract inception, including any variable consideration, and we update the estimate each reporting period for any changes in circumstances. When determining the transaction price, we assume the products will be transferred to the customer based on the terms of the existing contract and our assumption does not take into consideration the possibility of a contract being canceled, renewed, or modified.
We occasionally provide credits to customers representing adjustments to the transaction price. Known and estimable credits and adjustments represent a form of variable consideration, which are estimated at contract inception and generally result in reductions to revenues recognized for a particular contract. These estimates are updated at the end of each reporting period as additional information becomes available. We estimate the amount of variable consideration based on its expected probability-weighted value or its most likely amount. We include variable consideration in the transaction price to the extent it is probable there will not be a significant reversal of revenue when the uncertainty with respect to the variable consideration is resolved. We believe that there will not be significant changes to our estimates of variable consideration as of January 31, 2024.
Principal vs Agent Considerations
As part of our revenue recognition process, we evaluate whether we are the principal or agent for the performance obligations in our contracts with customers. When we determine that we are the principal for a performance obligation, we recognize revenue for that performance obligation on a gross basis. When we determine that we are an agent for a performance obligation, we recognize revenue for that performance obligation net of the related costs. In determining whether we are the principal or the agent, we evaluate whether we have control of the services before we transfer the services to the customer by considering whether we are primarily obligated for transferring the services to the customer, whether we have inventory risk for the services before the services are transferred to the customer, and whether we have latitude in establishing prices. We recognize payment processing fees collected from customers as revenue on a gross basis because, as the merchant of record, we control the services before delivery to the customer, we are primarily responsible for the delivery of the services to our customers, we have latitude in establishing pricing with respect to the customer and other terms of service, we have sole discretion in selecting the third-party to perform the settlement, and we assume the credit risk for the transaction processed. We also have the unilateral ability to accept or reject a transaction based on our established criteria.
Business combinations
We use our best estimates and assumptions to accurately assign fair value to the tangible and intangible assets acquired and liabilities assumed at the acquisition date. With the assistance of third-party appraisers, we assess the fair value of the assets acquired in business combinations. The fair value of the acquired licenses and technology was estimated using the relief from royalty method. The fair value of customer relationships was estimated using a multi period excess earnings method. To calculate fair value, we used cash flows discounted at a rate considered appropriate given the inherent risks associated with each client grouping. Our estimates are inherently uncertain and subject to refinement. During the measurement period, which may be up to one year from the acquisition date, we may record adjustments to the fair value of these tangible and intangible assets acquired and liabilities assumed, with the corresponding offset to goodwill. We continue to collect information and reevaluate these estimates and assumptions quarterly and record any adjustments to our estimates to goodwill provided that we are within the measurement period. Upon the conclusion of the measurement period or final determination of the fair value of assets acquired or liabilities assumed, whichever comes first, any subsequent adjustments are recorded to our consolidated statements of operations.

69


In connection with the ConnectOnCall acquisition, we recorded deferred consideration liabilities within other current liabilities and other long-term liabilities for amounts payable to the selling shareholders in seven quarterly installments from December 2023 through June 2025. The fair value of our deferred consideration liabilities was determined based on a discount cash flow approach, using the pre-tax cost of debt of 9.3%. In connection with the acquisition of ConnectOnCall, we recorded deferred consideration liabilities with an acquisition-date fair value of $10.0 million. During the fiscal year ended January 31, 2024, we paid $1.6 million against the deferred consideration liabilities. Payments of the deferred consideration liabilities are included in general and administrative expense in our accompanying consolidated statements of operations.
Capitalized internal-use software
We capitalize certain costs incurred for the development of computer software for internal use pursuant to ASC Topic 350-40, Intangibles—Goodwill and Other—Internal use software. These costs relate to the development of our solutions. We capitalize the costs during the development of the project, when it is determined that it is probable that the project will be completed, and the software will be used as intended. Costs related to preliminary project activities, post-implementation activities, training and maintenance are expensed as incurred. Internal-use software is amortized on a straight-line basis over its estimated useful life, which is generally three to five years. We evaluate the useful lives of these assets on an annual basis and tests for impairment whenever events or changes in circumstances occur that could impact the recoverability of these assets. We exercise judgment in determining the point at which various projects may be capitalized, in assessing the ongoing value of the capitalized costs and in determining the estimated useful lives over which the costs are amortized. To the extent that we change the manner in which we develop and test new features and functionalities related to our solutions, assess the ongoing value of capitalized assets or determine the estimated useful lives over which the costs are amortized, the amount of internal-use software development costs we capitalize and amortize could change in future periods.
Stock-based compensation for market-based performance stock units ("PSUs")
We granted market-based PSUs during fiscal 2022, 2023 and 2024.
PSUs vest in between 0% and 220% of the number of PSUs originally granted based on our total stockholder return ("TSR"), relative to a peer group of companies on the Russell 3000 stock index. PSUs granted during fiscal 2024, 2023 and 2022 vest in a maximum of 220%, 200% and 200% of the number of PSUs originally granted, respectively. We estimate the fair value of the PSUs using a Monte Carlo Simulation model which projects TSR for Phreesia and each member of the peer group over a performance period of approximately three years. The most critical and judgmental assumptions used in the Monte Carlo Simulation to estimate the fair value of the PSUs are set forth below:
Correlation coefficient: The correlation coefficient measures the correlation of our stock to the stock of the companies in the peer group. This coefficient is used to project the performance of our stock against our peers to estimate projected performance under the plan.
Expected volatility: For PSUs granted during the year ended January 31, 2024 and January 31, 2023, the expected volatility is based on the historical volatility of our stock price over a term commensurate with the simulation term assumption. For PSUs granted during the fiscal year ended January 31, 2022, the expected volatility was based on historical volatilities of peer companies within our industry which were commensurate with the simulation term assumption.
We recognize the grant-date fair value of stock-based awards issued as compensation expense on a straight-line basis over the requisite service period, which is generally the vesting period of the award.
Recent accounting pronouncements
In November 2023, the Financial Accounting Standards Board (“FASB”) issued Accounting Standard Update (“ASU”) 2023-07, Segment Reporting. The new standard will require us to provide all disclosures required by ASC 280 - Segment Reporting all segment reporting, including a measure of segment profit or loss. The new standard will also require us to disclose the title and position of our Chief Operating Decision Maker. ASU 2023-07 will be effective for our fiscal year ended January 31, 2025 and interim periods within our fiscal year ended January 31, 2026. Early adoption is permitted. We will be required to apply ASU 2023-07 retrospectively to all periods presented.
In December 2023, the FASB issued ASU 2023-09, Income Taxes (Topic 740): Improvements to Income Tax Disclosures. ASU 2023-09 will require us to add additional disclosures to our income tax footnote. The new
70


standard will require us to provide an income tax rate reconciliation in dollars and percent. Additionally, the new standard will require us to disclose any significant impacts of individual jurisdictions on our income tax rate reconciliation and our disclosure of and income taxes paid. The provisions of ASU 2023-09 are effective for annual periods beginning after December 15, 2024; early adoption is permitted.
See Note 3 - Summary of significant accounting policies in Part II - Item 8 of this Annual Report on Form 10-K for a discussion of recent accounting pronouncements.

Item 7A. Quantitative and Qualitative Disclosures about Market Risk
We have operations both within the United States and in Canada, and we are exposed to market risks in the ordinary course of our business. These risks primarily include interest rate and foreign exchange risks.
Interest rate risk
As of January 31, 2024, our cash and cash equivalents consisted primarily of money market funds and cash on deposit. The primary objective of our investment activities is to preserve principal while maximizing income without significantly increasing risk. Because our cash equivalents have a short maturity, our portfolio’s fair value is relatively insensitive to interest rate changes. We do not believe that an increase or decrease in interest rates of 100 basis points would have a material effect on our financial condition. Changes in interest rates impact the amount of interest income we record on our cash equivalents. In future periods, we will continue to evaluate our investment policy in order to ensure that we continue to meet our overall objectives.
Although we had no debt outstanding under the Capital One Credit Facility as of January 31, 2024, changes in interest rates would affect interest expense if we borrow against the Capital One Credit Facility in the future. Additionally, changes in interest rates will impact the discount rate and resulting interest expense for any new finance leases or financing arrangements.
Foreign currency exchange risk
We have foreign currency risks related to our expenses denominated in Canadian dollars, which are subject to fluctuations due to changes in foreign currency exchange rates. Fluctuations in foreign currency exchange rates may cause us to recognize transaction gains and losses in our statements of operations. To date, foreign currency transaction gains and losses have not been material to our consolidated financial statements.

71


Item 8. Consolidated Financial Statements and Supplementary Data

PHREESIA, INC.
INDEX TO CONSOLIDATED FINANCIAL STATEMENTS
Reports of Independent Registered Public Accounting Firm (KPMG LLP, Pittsburgh, PA, Auditor Firm ID: 185)
Consolidated Balance Sheets as of January 31, 2024 and 2023
Consolidated Statements of Operations for the years ended January 31, 2024, 2023 and 2022
Consolidated Statements of Stockholders’ Equity for the years ended January 31, 2024, 2023 and 2022
Consolidated Statements of Cash Flows for the years ended January 31, 2024, 2023 and 2022
Notes to Consolidated Financial Statements


72





Report of Independent Registered Public Accounting Firm
To the Stockholders and Board of Directors
Phreesia, Inc.:
Opinion on the Consolidated Financial Statements
We have audited the accompanying consolidated balance sheets of Phreesia, Inc. and subsidiaries (the Company) as of January 31, 2024 and 2023, the related consolidated statements of operations, stockholders’ equity, and cash flows for each of the years in the three-year period ended January 31, 2024, and the related notes (collectively, the consolidated financial statements). In our opinion, the consolidated financial statements present fairly, in all material respects, the financial position of the Company as of January 31, 2024 and 2023, and the results of its operations and its cash flows for each of the years in the three-year period ended January 31, 2024, in conformity with U.S. generally accepted accounting principles.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the Company’s internal control over financial reporting as of January 31, 2024, based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission, and our report dated March 15, 2024 expressed an unqualified opinion on the effectiveness of the Company’s internal control over financial reporting.
Basis for Opinion
These consolidated financial statements are the responsibility of the Company’s management. Our responsibility is to express an opinion on these consolidated financial statements based on our audits. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement, whether due to error or fraud. Our audits included performing procedures to assess the risks of material misstatement of the consolidated financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the consolidated financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the consolidated financial statements. We believe that our audits provide a reasonable basis for our opinion.
Critical Audit Matter
The critical audit matter communicated below is a matter arising from the current period audit of the consolidated financial statements that was communicated or required to be communicated to the audit committee and that: (1) relates to accounts or disclosures that are material to the consolidated financial statements and (2) involved our especially challenging, subjective, or complex judgments. The communication of a critical audit matter does not alter in any way our opinion on the consolidated financial statements, taken as a whole, and we are not, by communicating the critical audit matter below, providing a separate opinion on the critical audit matter or on the accounts or disclosures to which it relates.
Fair value of acquired customer relationships intangible asset
As discussed in Note 16 to the consolidated financial statements, the Company consummated the acquisition of Access eForms, LLC (Access eForms) for $37,411 thousand during the year ended January 31, 2024. The acquisition-date fair value of Access eForms’ customer relationships intangible asset was $10,700 thousand. The fair value of these intangibles was estimated using a multi-period excess earnings method.
We identified the evaluation of the fair value of customer relationships intangible asset acquired through the Access eForms business combination as a critical audit matter. A high degree of subjective auditor judgment was required
73


to evaluate the attrition rate assumption used to value the customer relationships intangible asset. Specifically, the fair value of the acquired intangible asset was sensitive to possible changes in the attrition rate assumption, requiring the assistance of valuation professionals with specialized skills and knowledge.
The following are the primary procedures we performed to address this critical audit matter. We evaluated the design and tested the operating effectiveness of certain internal controls related to the attrition rate assumption used in the Company’s valuation. We involved valuation professionals with specialized skills and knowledge, who assisted in (1) evaluating the attrition rate by comparing it against historical attrition rates using historical customer sales data that we assessed for completeness and accuracy, and (2) independently developing a range of attrition rates using the historical customer sales data and comparing it to the Company’s estimate.
/s/ KPMG LLP
We have served as the Company’s auditor since 2019.
Pittsburgh, Pennsylvania
March 15, 2024
74



Report of Independent Registered Public Accounting Firm

To the Stockholders and the Board of Directors
Phreesia, Inc.:
Opinion on Internal Control Over Financial Reporting
We have audited Phreesia, Inc. and subsidiaries' (the Company) internal control over financial reporting as of January 31, 2024, based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission. In our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of January 31, 2024, based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the consolidated balance sheets of the Company as of January 31, 2024 and 2023, the related consolidated statements of operations, stockholders’ equity, and cash flows for each of the years in the three-year period ended January 31, 2024, and the related notes (collectively, the consolidated financial statements), and our report dated March 15, 2024 expressed an unqualified opinion on those consolidated financial statements.
Basis for Opinion
The Company’s management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting, included in the accompanying Management’s Annual Report on Internal Control Over Financial Reporting. Our responsibility is to express an opinion on the Company’s internal control over financial reporting based on our audit. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audit in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit of internal control over financial reporting included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our audit also included performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.
Definition and Limitations of Internal Control Over Financial Reporting
A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may
75


become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
/s/ KPMG LLP
Pittsburgh, Pennsylvania
March 15, 2024

76



Phreesia, Inc.
Consolidated Balance Sheets
(in thousands, except share and per share data)
January 31,
20242023
Assets
Current:
Cash and cash equivalents$87,520 $176,683 
Settlement assets28,072 22,599 
Accounts receivable, net of allowance for doubtful accounts of $1,392 and $1,053 as of January 31, 2024 and 2023, respectively
64,863 51,394 
Deferred contract acquisition costs768 1,056 
Prepaid expenses and other current assets14,461 10,709 
Total current assets195,684 262,441 
Property and equipment, net of accumulated depreciation and amortization of $76,859 and $59,847 as of January 31, 2024 and 2023, respectively
16,902 21,670 
Capitalized internal-use software, net of accumulated amortization of $45,769 and $37,236 as of January 31, 2024 and 2023, respectively
46,139 35,150 
Operating lease right-of-use assets266 569 
Deferred contract acquisition costs986 1,754 
Intangible assets, net of accumulated amortization of $4,925 and $2,549 as of January 31, 2024 and 2023, respectively
31,625 11,401 
Deferred tax asset 81 
Goodwill75,845 33,736 
Other assets2,879 3,255 
Total Assets$370,326 $370,057 
Liabilities and Stockholders’ Equity
Current:
Settlement obligations$28,072 $22,599 
Current portion of finance lease liabilities and other debt6,056 5,172 
Current portion of operating lease liabilities393 934 
Accounts payable8,480 10,836 
Accrued expenses37,130 21,810 
Deferred revenue24,113 17,688 
Other current liabilities5,875  
Total current liabilities110,119 79,039 
Long-term finance lease liabilities and other debt5,400 2,725 
Operating lease liabilities, non-current134 349 
Long-term deferred revenue97 125 
Long-term deferred tax liabilities270  
Other long-term liabilities2,857  
Total Liabilities118,877 82,238 
Commitments and contingencies (Note 11)


Stockholders’ Equity:
Preferred stock, undesignated, $0.01 par value—20,000,000 shares authorized as of both January 31, 2024 and 2023; no shares issued or outstanding as of January 31, 2024 and 2023, respectively
  
Common stock, $0.01 par value—500,000,000 shares authorized as of both January 31, 2024 and 2023; 57,709,762 and 54,187,172 shares issued as of January 31, 2024 and 2023, respectively
577 542 
Additional paid-in capital1,039,361 926,957 
Accumulated deficit(742,969)(606,084)
Treasury stock, at cost, 1,355,169 and 971,236 shares as of January 31, 2024 and 2023, respectively
(45,520)(33,596)
Total Stockholders’ Equity251,449 287,819 
Total Liabilities and Stockholders’ Equity$370,326 $370,057 
See notes to consolidated financial statements.
77


Phreesia, Inc.
Consolidated Statements of Operations
(in thousands, except share and per share data)
For the fiscal years ended January 31,
202420232022
Revenue:
Subscription and related services$165,436 $128,975 $95,514 
Payment processing fees94,610 78,368 65,201 
Network solutions96,253 73,567 52,518 
Total revenues356,299 280,910 213,233 
Expenses:
Cost of revenue (excluding depreciation and amortization)61,025 58,944 42,669 
Payment processing expense62,986 50,323 38,719 
Sales and marketing147,008 151,263 106,421 
Research and development112,346 91,244 52,265 
General and administrative79,926 80,384 68,674 
Depreciation17,584 17,988 14,985 
Amortization11,903 7,316 6,317 
Total expenses492,778 457,462 330,050 
Operating loss(136,479)(176,552)(116,817)
Other income (expense), net44 (175)(78)
Loss on extinguishment of debt(1,118)  
Interest income (expense), net2,211 1,064 (1,084)
Total other income (expense), net1,137 889 (1,162)
Loss before provision for income taxes(135,342)(175,663)(117,979)
Provision for income taxes(1,543)(483)(182)
Net loss$(136,885)$(176,146)$(118,161)
Net loss per share attributable to common stockholders, basic and diluted$(2.51)$(3.36)$(2.37)
Weighted-average common shares outstanding, basic and diluted54,561,449 52,440,067 49,888,436 
See notes to consolidated financial statements.
78


Phreesia, Inc.
Consolidated Statements of Stockholders’ Equity
(in thousands, except share data)
Stockholders’ Equity
Common stock
SharesAmountAdditional
paid-in
capital
Accumulated
deficit
Treasury stockTotal
Balance, January 31, 202144,880,883 $449 $579,599 $(311,777)$(4,965)$263,306 
Net loss— — — (118,161) — (118,161)
Stock-based compensation expense— — 29,668 —  — 29,668 
Exercise of stock options and vesting of restricted stock units1,997,551 20 4,123 —  — 4,143 
Issuance of common stock for employee stock purchase plan42,530 — 1,506 — — 1,506 
Treasury stock from vesting of restricted stock units - satisfaction of tax withholdings— — — —  (8,995)(8,995)
Issuance of common stock in follow-on public offering, net5,175,000 52 245,761 —  — 245,813 
Balance, January 31, 202252,095,964 $521 $860,657 $(429,938) $(13,960)$417,280 
Net loss— — — (176,146)— (176,146)
Stock-based compensation expense— — 52,506 — — 52,506 
Exercise of stock options and vesting of restricted stock units1,626,123 161,515 — — 1,531 
Issuance of common stock for employee stock purchase plan162,154 2 3,470 — — 3,472 
Issuance of stock for share-settled bonus awards302,931 3 8,809 — — 8,812 
Treasury stock from vesting of restricted stock units - satisfaction of tax withholdings— — — — (19,636)(19,636)
Balance, January 31, 202354,187,172 $542 $926,957 $(606,084)$(33,596)