Insuring Home Health Care and Hospice Firms for Cyber, HIPAA and Regulatory Audit (RAC) Exposures

July 12, 2016

When securing a home health care or hospice firm’s insurance program for your clients, a critical part of judging how responsive the organization’s coverage is lies in examining the protection it offers against cyber liability, Health Insurance Portability and Accountability Act (HIPAA) claims and Regulatory Audit Contractor (RAC) exposures. Let’s review each of these risks and the proper insurance protection available for home health care agencies and hospice firms.


Healthcare organizations of all types, including home health care agencies and hospice firms, are increasingly vulnerable to data breaches due to the market value of the confidential protected health information (PHI) they possess on their patients. This confidential information may include patient names; all dates directly linked to an individual, including date of birth, death, discharge, and administration; telephone and fax numbers, email addresses and geographic subdivisions such as street addresses, zip codes and county; medical record numbers and health plan beneficiary numbers; certificate numbers or account numbers; Social Security numbers, driver’s license or state identification card numbers; vehicle identifiers; biometric identifiers, including voice or fingerprints; and photographic images of the full face or other recognizable features.

Home healthcare agencies are responsible for protecting this information but unfortunately the data can end up in the wrong hands, even among firms with best practices firmly in place. For example, home health care workers are busy going from one location to the next, often with a patient’s confidential health information in hand – on a tablet, laptop or even in paper files – and at risk. A device can be stolen out of a caregiver’s vehicle or even hacked. Or, a home health care or hospice business’ computer security can be breached or a programming error can inadvertently result in the disclosure of patient data. Should a breach occur, home health care and hospice providers will face the challenges of notifying patients, potential liability damages, regulatory investigations, and possible fines and penalties.

A Cyber Liability insurance program can be designed to address these exposures, including first- and third-party losses. It can cover the costs of patient notification and a call center to respond to inquiries, forensics to determine the cause and extent of the breach, credit monitoring, crisis management, regulatory investigations, E&O liability due to programming errors, and business interruption as a result of the breach, among other major costs. Should a computer system be infected with malware, a Cyber policy can be designed to cover the cost to replace or restore damaged electronic data or programs. In addition, a comprehensive policy can be secured to cover the cost of ransomware, an increasingly popular cyber crime impacting more and more organizations throughout the United States.


Under HIPAA, home health care agencies and hospice organizations are required to strictly protect patients’ health information – not only within their own records but in the sharing of information with business associates such as independent contractors and subcontractors/caregivers. If contracts are terminated, protected health information needs to be destroyed. In addition, the Health Information Technology for Economic and Clinical Health Act (HITECH) covers the use of electronic equipment for the recording and storing of PHI. These electronic medical records are subject to various rules and regulations, ensuring their security.

Home health care and hospice firms must ensure they are in compliance with all HIPAA and HITECH regulations. Should a breach occur that compromises PHI, an organization will be subject to an investigation by the Office of Civil Rights (OCR) as well as regulatory proceedings. Defending the organization can itself be costly. Add to this the potential for a significant civil penalty for violating regulations, and a home health care organization’s exposure can be devastating. Depending on the situation, HIPAA civil penalties can range from $50,000 per violation, up to $1.5 million annually, according to the American Medical Association (AMA).

Securing HIPAA coverage as part of a Professional Liability policy is vital for home health care and hospice organizations. Coverage for HIPAA, including proceedings, fines, and penalties, should be an integral component of the policy.

Regulatory Audit (RAC) Coverage

The Centers for Medicare and Medicaid Services (CMS) began conducting regulatory audits in 2006 via Regulatory Audit Contractors (RACs) to detect improper payments and irregularities in the Medicare Fee-for-Service program. In 2010, Congress made RAC permanent for all healthcare providers – including home health care agencies and hospice organizations that bill Medicare for patient care under its Fee-for-Service program. The audits have the potential to open up the home health care industry to exposures involving many types of alleged and unintentional violations. In fact, RACs are highly motivated to identify improper payments, as they are compensated on a contingency-fee basis.

To address this risk, RAC insurance is available as part of a D&O/EPLI policy to provide home health care organizations with coverage for defense, audit fines and penalties, subject to insurability under the law. Administrative defense coverage can also be put in place to respond to these audits, including crisis management/communication expenses, as well as reimbursement for reasonable legal fees and defense costs.

Manchester Specialty provides an end-to-end insurance solution that addresses each of the risks discussed here for the growing home health care industry. We make it easy for agents and brokers to provide this growing health care sector with “all lines” business insurance coverage – from Cyber Liability to Professional Liability, Directors & Officers Liability, and RAC insurance – that responds to the sector’s specific risks. For more information about our products and services, please contact us at 855.972.9399.