The trusted source for
healthcare information and
Regulatory insurance: Worth the money, or not what it seems?
Cover regulatory liability, but is it too good to be true?
With providers facing potentially costly RAC audits and crackdowns on violations of everything from HIPAA and Stark to EMTALA, the idea of an insurance policy that will cover your fines and other costs can be quite appealing. But experts tell Healthcare Risk Management that you must be skeptical and consider all the fine print before paying that premium.
If the coverage sounds too good to be true, it probably is, they say.
The basic idea behind regulatory insurance is that the carrier will pay some or all of the expenses associated with audits and violations of government regulations: fines, penalties, legal fees, and other costs. Regulatory insurance coverage has been around for years, but it is getting more attention now because healthcare providers are feeling besieged by the federal government's efforts to root out fraud and abuse, says R. Stephen Trosty, JD, MHA, CPHRM, president of Risk Management Consulting in Haslett, MI. Trosty previously worked for an insurance company.
Insurance of this type can be a good investment, Trosty says. With the right type of policy, at the right price, regulatory insurance can take the sting out of a government investigation that finds wrongdoing, he says. If the policy covers legal expenses, that coverage alone can be worth the cost of the insurance, he says.
"When you have a government audit or investigation, even if you haven't done anything wrong, the legal costs can break you," Trosty says. "One of the things you have to look at is whether the policy includes or excludes legal fees, because they vary. If you get one that excludes legal fees, it may not have the same value to you."
Many insurance companies offer regulatory insurance. The best place to start is with the company that already provides your other liability coverage for your health system, Trosty says.
Deciding whether regulatory insurance makes sense for your organization can require a careful study of the policy and your risks. If your organization is involved with the purchase of hospitals, clinics, and physician groups, for example, the risk of a Stark violation increases. That's an argument in favor of regulatory insurance. "There are an increasing number of products offered, so there is more price competition now and the ability to negotiate is better," Trosty says. "I absolutely suggest that risk managers take a look at this type of coverage, especially as we see the number of audits increasing. As with any other financial risk, it is the responsibility of the risk manager to assess the risk, the likelihood of that risk actually happening, and do a cost benefit analysis."
That analysis might show that the coverage is worthwhile, though Trosty notes that some healthcare providers will find the cost can't be justified by the potential savings.
Read policy carefully
Watch out for the fine print that can dramatically affect the value of the policy. For example, some policies will have a maximum payout for a violation, whereas others might promise coverage for all expenses, Trosty says. Some policies might limit coverage to a certain number of violations or audits per year, he says.
Policies also might limit coverage for intentional violations, such as an employee stealing patient information.
"We're seeing more limitations in these policies now, with certain things being excluded and a cap of some sort on the amount to be paid or how many violations will be covered," Trosty says. "A lot of them will require a compliance program be in effect, and some will do an audit themselves to make sure there is some minimum protection, like the correct policies and procedures. Otherwise, most will deny you coverage, and the others will hit you with higher premiums and more exclusions."
Attorneys not sure of value
Health care attorneys tend to be skeptical about the value of regulatory insurance. Jonathon E. Cohn, JD, a partner in the health care practice of law firm Arent Fox in Los Angeles, says clients have been asking him about these products, but that he cautions them to be careful.
The products he has seen concern him because they offer limited coverage with lots of exclusions, he says. Considering the cost of premiums, Cohn often advises health care providers that they would be better off to self-insure.
"I'm not particularly impressed by the products I've seen," Cohn says. "What you need in a policy like this is the obligation to defend and the obligation to indemnify. I've seen products where the carrier does not indemnify and will reimburse attorney fees, which isn't the same as providing a defense, with the attorney fees capped at about $25,000. You're not getting much."
Last year Cohn worked with a chain of nursing facilities that was considering regulatory insurance, and he told them not to buy it. Once he sorted through the limitations, the policy wasn't worth the premium, he told the client. "This one offered indemnification along with the defense, so it looked promising," he says. "But there were so many carveouts and exemptions for the indemnification that I thought the policy was very, very limited."
Coverage not valid in some areas
Regulatory insurance also raises a public policy question that has yet to be resolved in states such as California, which only recognizes insurance coverage for certain things. California does not recognize insurance coverage for crimes or wrong dealings, so fraud and abuse coverage would be unenforceable since it would be against California law to insure against that kind of loss.
"Even if your state allows this coverage, the insurer is not going to pay for intentional misdeeds, and they'll be looking for a way to call it intentional. So if you have a violation, you're going to get a reservation of rights letter that says maybe they'll pay if it was negligence, but if it wasn't you're on your own," Cohn says. "When you're expecting a check, you might get a runaround instead."
Similar concerns come from George B. Breen, JD, an attorney with the law firm of Epstein Becker Green in Washington, DC. Breen is co-chair of the Health Care and Life Sciences Litigation and Government Investigations Practice Group. "The carriers like to focus on the penalties, but the penalties often are not the cost driver, as it is the associated costs in dealing with the breach," Breen says. "You may pay a $250,000 fine but have $7 million in business costs resulting from the HIPAA violation or other breach."
With a RAC audit, for example, Breen notes that challenging the audit results can be a long and expensive process involving several steps in the appellate courts before the district court. The costs associated with the appeal might not be covered, or they might consume the total value of the policy.
If the policy provides for a defense, Breen also advises checking the details to determine who has the authority to choose the attorney and whether the carrier can settle the case without your approval.
There is no one answer to whether regulatory insurance is worthwhile, Breen says. The coverage tends to be a better fit for smaller health care providers, such as physician groups, than for large hospitals or health systems, he says. Government penalties can be more damaging to a smaller provider, which can argue in support of the premium.
"If you find the right policy at the right price, you might decide that it gives you enough peace of mind that you're willing to pay the premium," he says. "But I worry that a lot of health care providers are going to pay for coverage like this and then find out it is of limited utility, when you look at all the costs involved with an incident."
George B. Breen, JD, Attorney, Epstein Becker Green, Washington, DC. Telephone: (202) 861-1823. E-mail: email@example.com.
Jonathon E. Cohn, JD, Partner, Arent Fox, Los Angeles. Telephone: (213) 443-7515. E-mail: firstname.lastname@example.org.
R. Stephen Trosty, JD, MHA, CPHRM, President, Risk Management Consulting, Haslett, MI. Telephone: (517) 339-4972. E-mail: email@example.com.