Insuring virtual care risks: Captives as a safety net for telehealth expansion

As telehealth grows at an unprecedented rate, it brings with it not only opportunities but significant risks that medical practices need to address proactively. While the promise of telehealth is clear—more convenient, accessible, and cost-effective health care—its rapid expansion introduces unique challenges in cybersecurity, malpractice, and regulatory compliance that traditional insurance may not fully cover.

Telehealth’s projected growth into a $175.5 billion industry by 2026 highlights just how quickly this sector is evolving, according to research by Global Market Insights. But this growth also means increased exposure to risks that medical practices must manage. A tailored approach to risk management, such as captive insurance, is now more critical than ever to safeguard your practice as you embrace this new frontier of healthcare delivery.

The current state of telehealth and its accelerating growth

The telehealth market, which was already experiencing growth before the COVID-19 pandemic, has exploded in the years since. A recent poll citedthat by 2025, more than 43% of Americans will use telehealth services regularly, driven in part by a massive uptick in online consultations, which are expected to rise by 13.7 million between 2024 and 2028. Telehealth has proven to be more than a temporary solution; it has become a long-term component of health care delivery.

Yet, this growth is not without risks. Telehealth is inherently different from traditional face-to-face visits and brings a new set of liabilities, including data privacy concerns, potential misdiagnosis, technical failures, and the complexity of obtaining proper patient consent. These challenges are compounded by the rise in cyberattacks targeting telehealth platforms. Practices that embrace telehealth need to ensure their risk management strategies are as forward-thinking as their service offerings.

The regulatory minefield: Cross-state licensing and compliance risks

Navigating the regulatory environment for telehealth is a daunting task, as each state has its own licensing, prescribing, and reimbursement requirements. With telehealth services offered across state lines, medical practices must comply with a complex web of state-specific rules that vary widely. For instance, an article in the National Library of Medicine explains that while the easing of some regulatory barriers during the pandemic allowed health care providers to practice across state lines, not all states have adopted permanent solutions, leaving telehealth providers in a state of flux.

Telehealth providers must address not only these compliance issues but also the legal risks that come with them. Cases such as those involving telehealth company Cerebral, which faced legal action from the Department of Justice over improper prescription practices, illustrate the severe consequences of non-compliance.

Reimbursement issues also present challenges. Many of the temporary measures put in place during the pandemic, including expanded insurance coverage for telehealth services, are set to expire. For example, as noted by Infectious Disease Advisor, Medicare coverage for telehealth during the pandemic was extended but is set to end March 31, 2025. This could leave practices at the mercy of insurers, who may choose to limit or discontinue coverage for virtual care. This regulatory uncertainty can have significant financial implications for your practice, especially if insurers don’t maintain telehealth coverage parity with in-person visits.

Cybersecurity threats in virtual care

As telehealth expands, so too does its vulnerability to cyberattacks. In fact, health care organizations, including telehealth providers, have become prime targets for cybercriminals. A recent report on cyber intel from the American Hospital Association noted a dramatic rise in cyberattacks on health care organizations, with ransomware and data breaches becoming more frequent and sophisticated.

The interconnected nature of telehealth platforms means that once a hacker gains access to one part of a system, they can infiltrate the entire network. This makes telehealth platforms especially susceptible to breaches. Moreover, sensitive patient data is stored, transferred, and sometimes processed by third-party platforms, creating multiple potential points of vulnerability.

The financial and reputational costs of a data breach can be astronomical for a practice. The average cost of a healthcare data breach exceeds $10 million, a significant amount compared to other industries, according to an IBM Security Report. These costs arise not only from fines and penalties but also from the loss of patient trust, which is often harder to recover than finances. A breach in data security could lead to a long-term negative impact on your practice’s reputation, possibly causing patients to seek care elsewhere.

Malpractice liability in telehealth: A growing concern

Malpractice liability is another growing concern as telehealth continues to expand. Providing care remotely presents limitations, such as the inability to conduct a full physical exam, which can lead to missed diagnoses or errors in judgment. In some cases, virtual visits can result in miscommunication between patients and providers, making it difficult to establish an accurate diagnosis.

Take, for instance, a case where a telehealth provider fails to diagnose deep vein thrombosis after a virtual consultation. The patient’s condition worsens due to the lack of a physical exam, resulting in serious complications that could have been avoided with in-person care. This hypothetical case exemplifies the risks of telehealth and the potential legal ramifications when care does not meet the standard of in-person visit.

The insurance conundrum with telehealth

While traditional malpractice insurance does cover some risks associated with telehealth, other prevalent risks associated with telehealth expansion aren’t as straightforward to insure against. For example, technical failures, regulatory violations, and data breaches are often not fully covered under conventional policies. This is where captive insurance can complement traditional policies to fill the gaps and exclusions for more comprehensive coverage.

How captive insurance can mitigate telehealth risks

Captive insurance allows medical practices to create their own insurance company to cover specific risks that traditional insurers may not adequately address. This tailored approach ensures that practices can manage telehealth-related risks—such as cybersecurity, malpractice, and regulatory compliance—more effectively.

By using a captive insurance program, practices can benefit from:

Tailored Coverage: Captive insurance allows medical practices to design policies that directly address the unique risks of telehealth, including cybersecurity breaches, malpractice claims, and regulatory violations. This customization can ensure that all areas of risk are covered.

Cost Control: Establishing a captive insurance company can also help control costs. Traditional insurance premiums can be expensive, but captives typically offer lower administrative costs and favorable underwriting terms, allowing practices to save money while managing risk effectively.

Risk Retention: Captives also enable practices to retain more of their own risk, which can be a benefit if the practice has a strong internal risk management program in place. This can reduce dependency on external insurance providers and give practices more control over their risk exposure.

Conclusion

The rapid growth of telehealth presents exciting opportunities for medical practices, but it also introduces significant risks. From regulatory hurdles and cybersecurity threats to malpractice liability, the risks faced by telehealth providers are evolving and require innovative risk management solutions. It’s important for practices to understand their unique risk profile while regularly assessing their insurance policies to uncover any gaps or exclusions, especially considering the ever-evolving regulatory, compliance, and cyber risk environments.

Randy Sadler started his career in risk management as an officer in the U.S. Army, where he was responsible for the training and safety of hundreds of soldiers and over 150 wheeled and tracked vehicles. He graduated from the U.S. Military Academy at West Point with a Bachelor of Science degree in International and Strategic History with a focus on U.S. – Chinese Relations in the 20th century. He has been a Principal with CIC Services, LLC for 8 years and consults directly with business owners, CEOs, and CFOs in the formation of captive insurance programs for their respective businesses. CIC Services, LLC manages over 100 captives.