Question
What cyber and technology E&O insurance does a telehealth platform need?
Short answer
A telehealth platform needs cyber liability for the patient data it holds - protected health information under HIPAA, plus payment and account data - covering breach response, notification, regulatory exposure, and ransomware, and it needs technology errors and omissions for claims that the platform software or connectivity failed to perform. For a company whose product is the platform, both are core lines. The detail that goes wrong is the boundary between these policies and the clinical malpractice policy: a software failure that leads to patient harm can fall between cyber, tech E&O, and professional liability unless the program is built so it does not.
The short answer
A telehealth platform holds sensitive data and delivers care through software, so it faces two technology exposures. Cyber liability responds when that data is breached; technology E&O responds when the software or connectivity itself fails. A platform company needs both, and because it holds protected health information, the breach-response side is driven by HIPAA and state privacy law.
Cyber liability - the data exposure
Cyber covers the first-party costs of an incident (forensics, breach notification to patients and regulators, credit monitoring, legal counsel, ransomware response, and business interruption if the platform goes down) and the third-party liability to patients whose data was exposed. For a telehealth platform holding electronic health records, the volume and sensitivity of that data make cyber a core line, and HIPAA breach-notification obligations make the regulatory exposure concrete.
Technology E&O - the software exposure
Technology errors and omissions responds to claims that the platform failed to perform - a scheduling or records error, an outage that disrupted care, an integration failure with a pharmacy or payor. For a software-driven care company this is a distinct exposure from a data breach, and the two are often written together in a combined technology E&O and cyber form.
The boundary with clinical malpractice
The gap to watch is where technology failure and patient harm meet. If a platform defect contributes to a clinical injury, the claim can implicate cyber, technology E&O, and the clinical professional liability policy at once - and each policy may point at the others. Because the platform (MSO) and the clinical entity (PC) are usually separate, the policies are separately placed, which makes the seam more likely. Reviewing the exclusions across all three together, and using additional-insured status between the entities, is what closes it.
Limits and what drives them
Cyber limits for a telehealth platform commonly run $1M to $5M, scaling with the volume of patient records held, revenue, and any payor, partner, or pharmacy contract that specifies a required cyber limit. Premium is driven more by security controls - multifactor authentication, encryption, tested backups, access controls, and HIPAA risk assessments - than by size, so a platform that can evidence strong controls at underwriting prices better.
Primary sources
Sources and references
This answer draws on the following regulatory, statutory, and standards-body sources. Coverage availability and program structure also depend on carrier appetite and underwriter discretion not captured by these sources.
- HHS - HIPAA Breach Notification Rulehttps://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
- CISA - Cyber Essentials (security controls)https://www.cisa.gov/resources-tools/resources/cyber-essentials
Related practice areas
Insurance clauses in this area
Related questions
Have a more specific question?
A specialist will reach out by the end of the day.
Request a free coverage review