Billing Errors, HIPAA, EMTALA and Stark proceedings can lead to severe civil fines and penalties for medical practices. And in today's digital world, cyber liabilities have never been more threatening. The harsh reality is that regulatory and cyber-related claims can stem from a multitude of unforeseen events and can be settled for hundreds of thousands - even millions - of dollars with significant legal expenses incurred.
That’s why LAMMICO includes MEDEFENSE® Plus/Cyber Liability insurance in most policies, and then offers the option to purchase higher limits of protection through our subsidiary agency, Elatas Risk Partners (formerly LAMMICO Insurance Agency).
Duration: 20 months
Nature of Risk: Orthopedic Hospitals, outpatient centers, etc.
The Insured was served with two subpoenas by the Department of Health and Human Services/Office of the Inspector General requesting extensive and unrestricted production of paper and electronic records related to an investigation of Anti-Kickback and Stark violations. More specifically, the OIG is alleging that the Insured improperly referred hospital patients to MRI or outpatient centers owned by the Insured or owners of the Insured. It is also alleged that the Insured entered into improper lease arrangements with the owners of such centers. The Insured retained counsel to assist with responding to the subpoenas.
The DHHS/OIG investigation is still pending, but underwriters have already paid more than $820,000 in legal expenses and vendor fees.
Duration: 13 months and still pending
Nature of Risk: Orthopedic Surgeons
The Insured received notice of the Department of Health and Human Services, Office for Civil Rights complaint alleging that the Insured was not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information. It appears that the OCR complaint originated from a privacy breach reported by the Insured to the OCR in compliance with HIPAA.
The underlying privacy breach involved the theft of medical records for 12,000 patients from a storage shed. While the records were recovered by the police within 48 hours, the Insured was required to notify the affected patients. Furthermore, given the number of affected patients, the Insured was required to issue a press release and to report the matter to the OCR within 60 days. The OCR investigation is pending.
To date, the Insured has incurred approximately $97,000 in legal expenses, PR expenses and notification costs as a result of the underlying privacy breach. We anticipate that the Insured will incur an additional $25,000 in legal fees as a result of the OCR investigation.
Qui Tam – Whistleblower
Duration: 20 months
Nature of Risk: Senior Psychological Care
The Insured received notice of a U.S. Non-Intervention Order that was filed as part of a sealed qui tam complaint filed in 2010 alleging multiple violations of the Federal False Claims Act relative to Medicare Claims. More specifically, the complaint alleged, among other things, that in addition for charging for the services rendered by clinical psychologists, the Insured also charged for services provided by nurses, technicians and other therapist even when such services were not “incident to” the clinical psychologist’s professional services. This upcoding resulted in the Insured being reimbursed at a higher rate. The complaint sought damages of no less than $5,500 and no more than $11,000 for each violation of the False Claims Act.
The matter is still pending. Projected legal/expert expenses: $320,000.
Coverage for defense costs and regulatory fines and penalties resulting from actual or alleged billing errors. Coverage extends to allegations made by governmental agencies, qui tam plaintiffs and contractors working on behalf of the government, such as Recovery Audit Contractors (RAC) and Zone Program Integrity Contractors (ZPIC) as well as Commercial Payors.
Coverage for defense costs and fines and penalties arising out of governmental agency actions/investigations of HIPAA (Patient Privacy), EMTALA (Emergency Medical Treatment and Active Labor Act) and STARK (Physician Self-Referral) violations
Coverage for third party claims resulting from a network security or privacy breach. Includes coverage for both online and offline information, virus attacks, denial of service attacks, and failure to prevent the transmission of malicious code
Coverage for defense costs and fines/penalties resulting from government investigations of privacy law violations, including, but not limited to, violations of HIPAA, Red Flag Rules, and the Hi-Tech Act
Coverage for third party claims resulting from the dissemination of online or offline media, including claims alleging copyright/trademark infringement, libel/slander, advertising, plagiarism, and personal injury
Coverage for all reasonable and necessary sums required to recover and/or replace data that is compromised, damaged, lost, erased or corrupted due to a covered cause of loss. Coverage for income loss and business interruption expenses directly resulting from a total or partial interruption, degradation in service or failure of the insured’s computer system due to a covered cause of loss. “Covered cause of loss” includes accidental damage or destruction, administrative or operational mistakes, and computer crime and attacks.
Coverage includes all reasonable legal, public relations, advertising, IT forensic, call center, credit monitoring and postage expenses incurred by the insured in response to a privacy breach. Also includes Proactive Privacy Breach Response Costs which covers the amounts incurred to retain a PR expert before the publication of an adverse media report of a security or privacy breach in order to avoid or mitigate the potential reputational harm resulting from the bad press, and Voluntary Notification Expenses which provides coverage for the costs to notify individuals of a privacy breach where there is no legal requirement to do so.
Covers extortion expenses incurred, and extortion monies paid, as a direct result of a credible cyber extortion threat
Coverage for income loss and business interruption expenses directly resulting from a total or partial interruption, degradation in service or failure of the insured’s computer system due to an act of terrorism
Provides coverage for the fines and penalties levied by the Payment Card Industry Data Security Standards council (VISA, Mastercard, AmEx, Discover, and JCB) against merchants who are not PCI DSS compliant
Coverage for lost revenue directly resulting from an adverse media report and/or notification to customers of a security or privacy breach
Rates are based on the number of full time equivalent physicians to be covered under a policy. The pricing chart below is an example of the cost for one physician to purchase higher limits for Medefense™ Plus/Cyber Liability.
|Option||Annual Total Premium|
|$1M Medefense™ Plus Limit||$1,263.84|
|$1M Medefense™ Plus with $100K Medical Board
|$1M Cyber Liability Limit||$1,148.50|
|$1M Medefense™ Plus / Cyber Liability Combined Limit||$2,134.09|
|$1M Medefense™ Plus / Cyber Liability Combined Limit with
$100K Medical Board Proceedings Coverage
To request an application for higher limits, please contact your Elatas Risk Partners representative.
Preexisting policyholders simply need to fill out a Warranty Statement to apply for higher limits. Elatas Risk Partners also offers insurance policies to protect against the threat of cyber liability to providers who are not insured by LAMMICO.
*Some exceptions apply.
This summary article is not intended as a substitute for the actual policy provisions and will not be part of your policy.