A conversation with our insureds often begins with them asking, “Am I covered if…?” As an insurance carrier Risk Manager, I’m happy that they’re asking (and I’m really happy if it turns out they are asking before starting the business, practice, procedure or service that prompts the question). The question gives us all an opportunity to refocus on applying the risk management process to identify, analyze, treat and then re-evaluate the risk.
Increasingly, these types of questions among healthcare providers are related to some kind of telemedicine service or activity, and they are interesting questions.
The applications for telemedicine are growing exponentially (as is the variety of providers), much as TV and microwaves caught fire decades ago (figuratively, not literally, although hazards are also a domain of risk management). Why the surge in interest?
For starters: healthcare cost containment; an increasing financial incentive; increasing market share; access to specialists and other care providers in rural or other underserved areas; access to healthcare for those who are unable to travel; convenience and time management (both for patients and providers) and continuity of care.
Although “risk avoidance” is a legitimate risk technique, it can be an easy out, and it may be a natural reaction to an emerging risk area such as telemedicine. Even so, it is critically important that today’s healthcare risk managers not be known as “the just say no people.” As a former clinician, I have seen how cutting-edge approaches to medicine have advanced the state of healthcare. And telehealth is here to stay!
Let’s get back to the “Am I covered?” question. The short answer would hopefully be: “Of course you’re covered. Telemedicine is a good thing for patients.” Right?
But, (yes, risk managers like to say “but,” usually after saying, “I don’t want to be negative about this idea, service, procedure, etc.”) a certain road is paved with good intentions, and there are some significant possible risk exposures and obstacles to implementing a safe, compliant and effective telemedicine program. Although risk managers are generally fun people – honest – we can be perceived as wet blankets at times, because we always look at the world through the “risk vs. benefit” lens. So, in reality, insurance carrier risk managers may need to say, “It depends. . . .” and then, “I have some questions”. This is where you can help by confidently putting your best foot forward and saying, “Ask away, I have the answers you need.”
A risk manager’s job (yours and mine), first and foremost, is to protect the assets of the organization. And that protection certainly includes helping to appropriately support and defend good clinical care and those who provide it, especially when someone registers a complaint or pursues a professional liability claim. To do that, we need to not only look at specific professional liability insurance policy language, but we must also consider all of the risks and exposures associated with telemedicine and determine whether you are adequately treating those risks. Insurance coverage is just one of the risk treatment techniques (risk transfer) used to address risk exposures – even though it can feel like the most important one to those who are kept awake at night worrying about an organization’s risk exposures, liability and finances.
In today’s complex healthcare environment, there is a need for an operational (enterprise) risk management approach to decision making to help manage liability exposure across all of the domains of risk. Along with that, the role of the healthcare risk manager is evolving toward taking a leadership role in this approach. But developing a culture and discipline of identifying, analyzing and treating risks is more of a journey than a sprint, so try not to be daunted by the process right away. Once you establish a process, you can be more “tactical” (a rapid response) as the circumstances may require.
Let’s take an example of one risk exposure for a telemedicine program, credentialing and privileging, and illustrate how we can help answer the “Am I covered…” question by using the risk management process (the first 3 steps anyway; I’ll leave the “monitor/re-evaluate” steps to you).
What do we already know about some of the key risk exposures related to telemedicine? We recognize that they generally may include the following, but you’ll need to also identify any other risks unique to your program:
- Information privacy/data security
- Potential technology-related issues (e.g. failure, resolution, accuracy, etc.)
- Data ownership/retention/destruction/e-discovery
- Credentialing/privileging of providers
- Patient selection, communication, education
- Documentation of communication and encounters
- Consent for use of technology/treatment
- Health insurance payer coverage/reimbursement
- Liability insurance coverage
Analyzing the Risk
Here’s a series of questions that I’d like to know the answers to as your carrier in evaluating you as a “risk”. You should have done your due diligence already. The sample list is not meant to be exhaustive, but illustrates developing a discipline around a comprehensive analysis:
- Does your governing body understand its role and responsibilities regarding credentialing and privileging? (Standards of care, scope of practice, negligent credentialing, non-delegable duty, D&O, E&O, etc.) Even when a third-party credentialing verifications organization is used, privileging decisions are still the responsibility of the hospital’s governing body.
- Are you a hospital telemedicine site? A free-standing telemedicine site? An originating site or distant site? Is there a solid understanding about how telemedicine credentialing and privileging should be done depending on your role?
- Have you met all applicable state statutory requirements for a telemedicine license? How about applicable state medical/licensure board requirements for all licensed practitioners? Non-licensed? What are the exceptions to requirements?
- Have you met all accreditation standards and requirements (if applicable)?
- Are there written policies and procedures in place that outline the credentialing and privileging appointment and reappointment processes, criteria for telemedicine activities, scope of practice protocols, OPPE and FPPE, and the data from the originating and distant sites that must be collected and analyzed (and acted on)? How will the originating site be notified of privilege or license revocations or suspensions?
- Do your hospital and/or medical staff bylaws and rules and regulations accurately reflect these issues for telemedicine: federal regulatory and state specific licensure requirements (for all providers); current CMS CoPs; health insurer panel requirements for credentialing; the privileged provider’s medical staff category?
- Does the current structure of your quality-improvement and peer review programs adequately protect shared data between originating and distant sites?
- Is there a compliance plan that addresses billing practices and regulatory noncompliance?
- Are there written agreements in place between the distant site hospital or entity and the hospital seeking services?
- Do you have the appropriate medical staff leadership and medical staff services resources to manage your credentialing and privileging activities?
- Are there appropriate, required governing body, medical staff leadership and medical staff services training and education on credentialing and privileging for telemedicine?
Analyzing Insurance Coverage
By way of this next series of questions, you can begin to bring into focus some possible strategies for treating telemedicine risk exposures by using the risk transfer technique to ensure you have the right coverage for those risks:
- Will existing health professional liability (HPL) coverage address errors and omissions on the part of distant-site physicians and practitioners?
- Do you have adequate coverage limits for the telemedicine activities and providers?
- Are there subcontractors allowed? If so, confirm the subcontractor’s insurance coverage and limits.
- Are there shared or individual coverage limits? Which should be required to meet your risk financing needs?
- Are there any jurisdictional limits for coverage under the policy? State-to-state provider licensure?
- Are there practitioners practicing outside of the U.S.? Do you have any exposure in countries outside of the U.S.? Will HPL coverage extend to such services?
- Is your insurance carrier licensed to write coverage in multiple states? Foreign countries?
- What types of insurance coverage are in place for negligent credentialing, where claims are based on reliance on credentialing and privileging information submitted by a distant-site hospital or distant-site telemedicine entity?
- Does the hospital have appropriate coverage for business disruption (the third-party vendor stops offering the service)?
- Insurance coverages (at limits set in medical staff bylaws approved by the governing body) are in place for credentialing and privileging legal exposures:
- Does the telemedicine provider have professional liability coverage for this service?
- Does the telemedicine provider have cyber risk coverage?
- Does your cyber risk / technology E&O coverage extend to the telemedicine activities?
- What types of insurance coverages and limits will be required by contract of the distant-site hospital and distant-site telemedicine entities?
- Will the contract preclude shared coverage among the (ever-changing) list of care providers and the distant-site hospital or distant-site telemedicine entity?
- Will the insurance coverage include indemnification coverage for cost of defense up to the point of disposition of a regulatory investigation based on the telemedicine services furnished by the distant-site hospital or distant-site telemedicine entity?
- Review of your insurance coverages should extend to the various layers of an insurance program – excess carriers – and also to specialty programs such as RRGs, insurance trusts and captive insurance plans.
How can you develop a discipline of comprehensive risk identification, analysis, treatment and evaluation to address risks such as telemedicine credentialing? Here are some key steps in the process to consider:
- First, create or gather your “Operational/ERM Committee” (or whatever you wish to call it). There should be a core group for this, and then perhaps create ad hoc “tactical taskforces” for each specific issue as necessary. In this case, this may mean consulting with internal and external resources such as legal, insurance carrier, risk managers, medical staff, medical staff services, marketing, finance, regulatory, accreditation, quality, compliance and IT professionals.
- Gather data and input. As a side note, this is an area where some insurance carriers provide valuable tools and resources for their clients to use. For example, OneBeacon Healthcare has a web-based Telemedicine Risk Assessment Tool that will efficiently perform a “risk inventory” to help in your data gathering and risk identification. So be sure to tap into that expertise.
- Create/document your “Risk Inventory” (include all of the domains of risk).
- Perform your risk “gap analysis”. Where are your weaknesses or gaps?
- Determine your risk evaluation (for each weakness/gap determine the domains impacted and the degree of impact to the organization).
- Make a decision on how you wish to treat each risk exposure (the proposed risk treatment technique and proposed action plan). Develop or revise your written operational plans, policies and procedures and credentialing & privileging services agreements as necessary.
- Talk to your producer/agent to determine what type of coverage, at what limits of liability, is best for your organization.
- Put your requirements for coverage in your organization bylaws or medical staff bylaws.
- Monitor, measure (develop dashboards/scorecards), re-evaluate and re-design as necessary.
In the End
To circle back to the initial question, “Am I covered?”, as you can see, the answer may not be a simple, immediate “yes”. “It depends” is what you may be more likely to hear. But despair not. Remember, we’re all Risk Managers, in this together, trying to protect the assets of the organization by treating risk exposures adequately and effectively. Be prepared to present your ERM analysis and treatment results in response to questions (or even better, preemptively present them when you ask the question about insurance coverage) and you’ll be on your way to an answer which is hopefully more like “Of course you’re covered. Your telemedicine program is a good thing.” than, “Houston, we have a problem.” And, you, your carrier and your broker can all breathe a sigh of relief and get a good night’s sleep.
About the Author: Patty Hughes, SVP Healthcare Risk Management, is responsible for OneBeacon Healthcare’s risk management resources and services for healthcare policyholders. Recognizing that the role of the healthcare risk manager is changing, Hughes continuously strives to develop and position offerings in a unique way that support the evolution of this role across all healthcare settings and that help to demonstrate the value of an effective risk program in an organization.
The materials referenced herein are prepared by the author and as such do not necessarily represent the views or opinions of OneBeacon Healthcare Group. OneBeacon Healthcare Group makes no claims concerning the completeness or accuracy of these materials and takes no responsibility for supplementing, updating or correcting such materials.
This document is for general informational purposes only and does not constitute and is not intended to take the place of legal or risk management advice. Parties should contact their own personal counsel for any such advice.