George Breen, a Member of the Firm in the Health Care and Life Sciences practice in the Washington, DC, office, was quoted in an article titled “Regulatory Insurance: Worth the Money, or Not What It Seems?”
According to the article, regulatory insurance also raises a public policy question that has yet to be resolved in states such as California, which only recognizes insurance coverage for certain things. California does not recognize insurance coverage for crimes or wrong dealings, so fraud and abuse coverage would be unenforceable since it would be against California law to insure against that kind of loss.
“The carriers like to focus on the penalties, but the penalties often are not the cost driver, as it is the associated costs in dealing with the breach,” Breen said. “You may pay a $250,000 fine but have $7 million in business costs resulting from the HIPAA violation or other breach.”
With a RAC audit, for example, Breen notes that challenging the audit results can be a long and expensive process involving several steps in the appellate courts before the district court.
If the policy provides for a defense, Breen also advises checking the details to determine who has the authority to choose the attorney and whether the carrier can settle the case without your approval.
There is no one answer to whether regulatory insurance is worthwhile, Breen said. The coverage tends to be a better fit for smaller health care providers, such as physician groups, than for large hospitals or health systems, he said.
“If you find the right policy at the right price, you might decide that it gives you enough peace of mind that you’re willing to pay the premium,” he said. “But I worry that a lot of health care providers are going to pay for coverage like this and then find out it is of limited utility, when you look at all the costs involved with an incident.”