Cyber, Regulatory and Licensing Action Insurance

If it wasn’t complicated enough to practice medicine and field a large back office to handle getting paid, physicians, midwives, Physicians Assistants, Nurse Practitioners, other healthcare providers and facilities have entered a whole new world of exposure due to Electronic Medical Records, other internet based activities and heavy intervention by local licensing boards.

To meet these concerns, many insurance companies have added, usually at no charge, a basket of cyber and regulatory action coverages. Unfortunately, in virtually all cases, these coverages are inadequate should a real concern arise. More is left bare than covered. Having said that, it has highlighted a need and companies have moved in to provide coverage for these exposures. That leaves one last concern. You need to be a lawyer to understand what you are buying.

In this posting I’m going to provide as much explanation of what these policies cover as I believe is needed to get the gist of it without making you an expert. For more than that, you should consult your insurance broker or attorney. There are a number of policies available and the discussion below is not intended to cover them all. It is very general.

The exposures tend to fall into three categories:

  • Cyber
  • Regulatory
  • Licensing

As with all things, there is some overlap between them and the best approach is to purchase a policy that includes at least the Cyber and Regulatory pieces to make it less likely that you will have gaps in coverage. For this reason, I’m not going to break my discussion into three categories but will move through all the exposures that should be covered by these policies.

One last matter before moving on to the subject itself and that is the issue of coverage limits and cost. Most of these policies have some deductible/copay. These are the costs that you will bear before the policy kicks in and they tend to be reasonable. After the deductible, the limits that will be available will generally be $500,000, $1,000,000 or more (can be $10,000,000 or more). For most individual and small group practices, $1,000,000 should be adequate for all coverages except the cost of defending your license. For licensing actions $50,000 to $250,000 should be adequate and it will largely be a matter of what is available and the cost. For ballpark purposes, a policy that provides a $1,000,000 limit for Cyber and Regulatory coverages and $100,000 of license protection limits should have an annual premium of approximately $1,700 to $3,000 per provider, with the per provider cost dropping considerably for groups. The actual cost will depend on a number of factors including which company provides your Malpractice insurance. Reasonably priced licensing action coverage will not always be available as will be discussed below.

Let’s move on to the particular coverages found in many of these policies:

MEDICARE AND MEDICAID FRAUD AND ABUSE: The Federal government has moved aggressively to identify billing that it deems excessive and a whole industry has been created to mine data and find billing practices that are out of the norm. Private plaintiffs can initiate “Qui Tam” proceedings themselves. Health insurance companies have also gotten into the act, clawing back reimbursements deemed excessive. Some policies cover both of these exposures. If the government undertakes an investigation of a practice and charges it with improper billing, the cost of defense can be exorbitant. These policies can cover the cost of defense and penalties (if permitted by law) but generally do not cover the cost of “disgorgement,” paying the government or insurance company back for the receipt of excessive payments. Many policies also cover the cost of a “shadow audit,” a very important piece of coverage. It is an audit performed by your professionals on the same documents the government is reviewing, to give you an expert opinion on what the government is likely to find and to assist in your defense.

REGULATORY PROCEEDINGS: This includes the proceedings mentioned above, and for: violation of the Emergency Medical Treatment and Labor Act (EMTALA); Stark violations alleging transgression of any federal, state or local anti-kickback or self-referral laws; and, HIPAA violations. The federal government has collected billions of dollars from practices, large and small, that have had private patient information released, a HIPAA breach.

PRIVACY ACTIONS: It is astounding how many different ways a practice can be attacked by regulators. These coverages are for actions based on: release of private patient information under HIPAA; the Gram-Leach-Bliley Act; state and federal statutes; consumer protection laws such as the Federal Fair Credit Reporting Act; Children’s Online Privacy Protection Act or similar laws; and, the EU Data Protections Act or other similar privacy laws worldwide.

CUSTOMER NOTIFICATION EXPENSES: An intrusion into a practice’s patient records can trigger a requirement that all affected patients be notified and be given support such as credit monitoring. That can lead to significant expenses particularly if a large number of files have been released. In addition, some policies will provide coverage for public relations expenses to help protect the practice’s reputation.

SECURITY BREACH: An unauthorized intrusion into a practice’s computer system can cause damage to a practice’s system by infecting it with malicious code and transmitting that code to other computer systems. This coverage provides compensation for covered losses of digital assets and for lost income sustained by a practice while it is affected by a security breach. Some unauthorized intrusions into a computer system can lead to “cyber extortion” in which control of a computer system is lost unless compensation is made to the intruder. These events are covered by some of these policies.

MULTIMEDIA LIABILITY: This coverage protects against electronic media release of information that defames, libels or slanders; infringes on another’s right of privacy, misappropriation of name or likeness or disclosure of private facts; plagiarism; copyright or trade name infringement; and, similar conduct.

LICENSING ACTIONS: Many healthcare practitioners have experienced one or more complaints from disgruntled patients to the local board of licensing. More often than not, these are benign, answered easily and dismissed by the board. Some are not benign and require assistance from an attorney. This coverage provides funds to pay for these legal services. Some policies extend this coverage to hospital and insurance company credentialing issues. Many Malpractice insurance policies provide $25,000-$50,000 in coverage as part of that policy. But for serious Board actions that may not be enough. The cost per dollar of coverage should be discussed with you insurance professional before opting for this coverage. At about $300 per $100,000 of coverage, it is a reasonable purchase. At $750, it may be better to self-insure.

Please let us know if you have any questions or comments about this subject or would like to see posts on other subjects.