COI Requirements for Healthcare Vendors

Inori Team, COI Compliance Experts

March 24, 2026 · 10 min read

Healthcare vendors operate in one of the most heavily regulated and highest-liability industries in the United States. A single medical malpractice claim can produce a seven-figure settlement. A data breach exposing protected health information (PHI) triggers mandatory notification requirements, regulatory investigations, and class-action lawsuits. A vendor who fails to comply with HIPAA can expose both themselves and the healthcare organization they serve to civil and criminal penalties.

The insurance requirements for healthcare vendors reflect this elevated risk environment. Standard commercial GL and WC coverage is not sufficient. Healthcare vendors need specialized coverages — professional liability, cyber liability, and sometimes pollution liability — at limits that account for the severity of potential claims. This guide covers the specific COI requirements that healthcare organizations should enforce for their vendors.


The Healthcare Vendor Landscape

Healthcare organizations engage a wide range of vendors, each with distinct risk profiles:

Clinical service providers — staffing agencies providing nurses, therapists, and technicians; traveling clinician agencies; locum tenens providers; telemedicine platforms. These vendors provide clinical care and face direct medical malpractice exposure.

Health IT vendors — electronic health record (EHR) systems, practice management software, telehealth platforms, medical device connectivity, health information exchanges. These vendors process, store, and transmit PHI and face cyber liability and E&O exposure.

Facility service vendors — medical waste disposal, biohazard cleaning, medical equipment maintenance, sterilization services, HVAC for cleanrooms and operating suites. These vendors face both standard premises liability and healthcare-specific environmental and regulatory exposure.

Business service vendors — medical billing and coding, revenue cycle management, transcription services, credentialing verification, utilization review. These vendors handle sensitive patient and financial data and face E&O and cyber exposure.


Professional Liability / Medical Malpractice

Professional liability is the cornerstone coverage for any vendor providing clinical services or clinical decision support in a healthcare setting.

Standard Limits

Vendor Type                          | Per Claim  | Aggregate
Staffing agencies (clinical)         | $1,000,000 | $3,000,000
Individual clinicians (locum tenens) | $1,000,000 | $3,000,000
Telemedicine platforms               | $2,000,000 | $4,000,000
Medical device manufacturers         | $2,000,000 | $5,000,000
Clinical laboratories                | $1,000,000 | $3,000,000
Pharmacy services                    | $1,000,000 | $3,000,000

The $1,000,000/$3,000,000 standard for clinical providers matches the most common requirement across hospital systems and health networks. Some states have medical malpractice damage caps that effectively reduce the needed limits, but best practice is to require the $1M/$3M standard regardless of state caps because caps can be challenged, modified, or found inapplicable in specific circumstances.

Claims-Made vs. Occurrence

Medical professional liability is almost universally written on a claims-made basis, not occurrence. This distinction is critical for COI compliance.

Occurrence policies cover claims arising from incidents that occurred during the policy period, regardless of when the claim is filed. If the policy was in effect when the incident happened, coverage exists.

Claims-made policies cover claims first made against the insured (and, on claims-made-and-reported forms, reported to the carrier) during the policy period, for incidents that occurred on or after the policy's retroactive date. If the policy lapses and a claim is filed after the lapse, even for an incident that occurred during the policy period, there is no coverage unless the insured purchases an Extended Reporting Period (ERP), commonly called "tail" coverage.

What This Means for COI Verification

When verifying a claims-made professional liability certificate:

  1. Check the retroactive date. The retroactive date on the certificate defines the earliest incident date for which claims are covered, so it must be on or before the first day the vendor performed work for you. If the vendor has been working for you since 2020 but the retroactive date on the current policy is 2024, claims arising from work performed in 2020-2023 are not covered by the current policy.

  2. Confirm the retroactive date has not moved forward. When a vendor switches carriers, the new carrier may set the retroactive date at the new policy's inception date. Unless the new carrier also provides prior acts ("nose") coverage, work performed before that date is uncovered. Require that the retroactive date remain the same or earlier whenever carriers change, and that the new policy's effective date is no later than the old policy's expiration date.

  3. Plan for tail coverage. When a vendor relationship ends, their claims-made policy only covers claims reported while the policy is in force. If the vendor cancels their policy after the contract ends, claims filed later (which is common in medical malpractice) will be uncovered. Require the vendor either to keep the claims-made policy in force, with the same retroactive date, for a minimum of three to five years after the contract ends, or to purchase an ERP covering that period.
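The three checks above, written out as a small verification routine. This is an added example and not Inori's code; the policy and contract dates are constructed for illustration, the three-year tail requirement is an assumed default (the text allows three to five years), and a Feb 29 date shifted by whole years is assumed to fall back to Feb 28.

```python
"""Verification checks for a claims-made professional liability certificate.

Added example, not Inori's code. All dates below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class ClaimsMadePolicy:
    carrier: str
    retroactive_date: date   # earliest incident date the policy will respond to
    effective_date: date     # policy period start
    expiration_date: date    # policy period end
    erp_years: int = 0       # Extended Reporting Period ("tail") purchased, in whole years


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; Feb 29 falls back to Feb 28 (assumption)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def verify_claims_made(
    current: ClaimsMadePolicy,
    contract_start: date,
    contract_end: Optional[date] = None,
    prior: Optional[ClaimsMadePolicy] = None,
    tail_years_required: int = 3,   # assumed default; the page allows 3 to 5 years
) -> List[str]:
    """Return a list of findings; an empty list means the certificate passes."""
    findings: List[str] = []

    # 1. The retroactive date must be on or before the first day of work for you.
    if current.retroactive_date > contract_start:
        gap_end = current.retroactive_date - timedelta(days=1)
        findings.append(
            f"Prior acts gap: work from {contract_start} through {gap_end} "
            f"predates the retroactive date {current.retroactive_date}"
        )

    # 2. On a carrier change the retroactive date may not move forward, and the
    #    new policy must begin no later than the day the old one expired.
    if prior is not None:
        if current.retroactive_date > prior.retroactive_date:
            findings.append(
                f"Retroactive date moved forward on carrier change: "
                f"{prior.retroactive_date} ({prior.carrier}) -> "
                f"{current.retroactive_date} ({current.carrier})"
            )
        if current.effective_date > prior.expiration_date:
            findings.append(
                f"Coverage lapse between {prior.expiration_date} and "
                f"{current.effective_date}"
            )

    # 3. After the contract ends, the reporting window (policy period plus any
    #    purchased ERP) must stay open for the required tail period.
    if contract_end is not None:
        required_until = add_years(contract_end, tail_years_required)
        reporting_open_until = add_years(current.expiration_date, current.erp_years)
        if reporting_open_until < required_until:
            findings.append(
                f"Tail shortfall: reporting closes {reporting_open_until}, "
                f"required through {required_until}"
            )

    return findings


# Constructed scenario matching the text: vendor on site since 2020, carrier
# switched at the start of 2024, contract ended mid-2024.
CONTRACT_START = date(2020, 1, 15)
CONTRACT_END = date(2024, 6, 30)
PRIOR_POLICY = ClaimsMadePolicy("Carrier A", date(2019, 6, 1), date(2023, 1, 1), date(2024, 1, 1))
# New carrier reset the retroactive date to inception and no tail was bought.
NEW_POLICY = ClaimsMadePolicy("Carrier B", date(2024, 1, 1), date(2024, 1, 1), date(2025, 1, 1))
# Same carrier change done correctly: prior acts carried over, 3-year ERP purchased.
GOOD_POLICY = ClaimsMadePolicy("Carrier B", date(2019, 6, 1), date(2024, 1, 1), date(2025, 1, 1), erp_years=3)

if __name__ == "__main__":
    for label, policy in (("bad", NEW_POLICY), ("good", GOOD_POLICY)):
        print(label, verify_claims_made(policy, CONTRACT_START, CONTRACT_END, PRIOR_POLICY) or "OK")
```

Run as a script it reports three findings for the first certificate (prior acts gap, retroactive date moved forward, tail shortfall) and OK for the second. The routine only reasons about dates; limits, additional insured status and exclusions are separate checks.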


Cyber Liability for PHI

Any healthcare vendor that accesses, processes, stores, or transmits PHI must carry cyber liability insurance. This is not optional in the healthcare context — it is a practical necessity driven by HIPAA breach notification requirements, the high cost of healthcare data breaches, and the frequency of attacks targeting healthcare data.

Standard Limits

Vendor Type                       | Cyber Liability Minimum
EHR / Health IT vendors           | $2,000,000 – $5,000,000
Medical billing / coding          | $1,000,000 – $2,000,000
Transcription services            | $1,000,000
Cloud hosting for healthcare data | $2,000,000 – $5,000,000
Telemedicine platforms            | $2,000,000 – $5,000,000
Medical device connectivity       | $2,000,000

Coverage Components

The cyber liability policy for healthcare vendors should include:

  • Privacy liability — covers claims from individuals whose PHI was exposed, including regulatory defense costs and HIPAA fines
  • Network security liability — covers claims from third parties arising from the vendor's failure to prevent a security breach
  • Breach notification costs — covers the mandatory notification process (individual notice, credit monitoring, call center) required by HIPAA and state breach notification laws
  • Regulatory proceedings — covers defense costs from HHS Office for Civil Rights (OCR) investigations and the resulting fines and penalties to the extent they are insurable in the relevant jurisdiction
  • Business interruption — covers the vendor's lost income and extra expenses resulting from a cyber event (important because a vendor outage can disrupt healthcare operations)
  • Cyber extortion / ransomware — covers ransom payments and response costs from ransomware attacks, which disproportionately target healthcare organizations and their vendors

Healthcare-Specific Cyber Considerations

Standard commercial cyber policies may contain exclusions that create gaps in healthcare coverage:

  • Bodily injury exclusion. Some cyber policies exclude claims involving bodily injury. In healthcare, a cyber event can cause bodily injury — a ransomware attack that disables a medical device, an EHR outage that prevents access to critical patient information, a medication error caused by corrupted data. Ensure the cyber policy either does not exclude BI or has a carve-back for technology-related BI.

  • Regulatory sublimits. Some cyber policies cover regulatory fines and penalties but with sublimits far below the policy limit. A $2,000,000 cyber policy with a $100,000 regulatory sublimit provides inadequate HIPAA protection. Require that regulatory coverage be at or near the full policy limit.


General Liability

Healthcare vendors need standard CGL coverage in addition to their specialized coverages. A medical equipment technician working in a hospital can cause a slip-and-fall, a property damage incident, or a personal injury claim that falls outside the professional liability policy.

Standard GL requirements apply: $1,000,000 per occurrence / $2,000,000 general aggregate, with additional insured status for the healthcare organization, waiver of subrogation, and primary and non-contributory language.

For vendors working in hospital or clinical environments, confirm that the GL policy does not contain a healthcare or medical services exclusion. Some CGL policies exclude liability arising from the rendering of professional medical services — this exclusion should be addressed by the vendor's professional liability policy, but a gap can exist if the GL excludes it and the professional liability policy is narrower than expected.


Workers' Compensation

Standard WC requirements apply: Statutory limits, Employers' Liability at $500,000/$500,000/$500,000 minimum (some healthcare systems require $1,000,000), waiver of subrogation.

Healthcare-specific WC considerations include:

  • Needlestick and bloodborne pathogen exposure. WC covers these occupational injuries, but the ongoing medical monitoring and treatment costs can be significant.
  • Violence in healthcare settings. Assault by patients is a recognized occupational hazard in healthcare. WC covers these injuries, but employers' liability claims may also arise if the healthcare organization failed to provide adequate security.

HIPAA Compliance Intersection

HIPAA compliance and insurance requirements are distinct but interconnected. HIPAA requires Business Associate Agreements (BAAs) with vendors who handle PHI. The BAA imposes data security obligations and breach notification responsibilities on the vendor. Insurance — particularly cyber liability — provides the financial backstop when those obligations are breached.

What Insurance Cannot Replace

Insurance does not substitute for HIPAA compliance. A vendor with $5,000,000 in cyber liability coverage but no encryption, no access controls, and no employee training is a compliance disaster waiting to happen. The insurance will pay claims after a breach, but it does not prevent the breach, the regulatory investigation, or the reputational damage.

What HIPAA Compliance Cannot Replace

Conversely, a vendor with perfect HIPAA compliance but no cyber insurance is exposed to the financial consequences of a breach. Even the best security program cannot eliminate breach risk entirely. Insurance provides the financial capacity to respond to a breach — notification costs, forensic investigation, legal defense, regulatory penalties — that even a well-funded vendor may not be able to absorb from operating cash flow.

Best practice: Require both. The BAA ensures the vendor is contractually obligated to protect PHI. The cyber liability insurance ensures the vendor can financially survive a breach and pay for the response.


Putting It All Together: Healthcare Vendor COI Checklist

For a clinical service vendor providing staffing to a hospital:

Coverage               | Minimum                   | Key Verification Points
Professional Liability | $1,000,000 / $3,000,000   | Claims-made: check retroactive date, tail requirements
Cyber Liability        | $1,000,000 – $2,000,000   | PHI coverage, regulatory defense, no BI exclusion
Commercial GL          | $1,000,000 / $2,000,000   | AI status, WOS, primary/non-contributory
Workers' Comp          | Statutory                 | WOS, verify state-specific compliance
Employers' Liability   | $500,000 – $1,000,000     | Per healthcare system requirements
Commercial Auto        | $1,000,000 CSL            | If vendor operates vehicles
Umbrella               | $2,000,000 – $5,000,000   | Follow-form over GL, auto, EL

For a health IT vendor providing EHR services:

Coverage        | Minimum                   | Key Verification Points
Technology E&O  | $2,000,000                | Covers software failures, data loss, service disruption
Cyber Liability | $2,000,000 – $5,000,000   | Full HIPAA coverage, ransomware, BI
Commercial GL   | $1,000,000 / $2,000,000   | Standard AI, WOS, P&NC
Workers' Comp   | Statutory                 | Standard
Umbrella        | $2,000,000 – $5,000,000   | Follow-form

Healthcare COI compliance requires more specialized knowledge than general commercial compliance. The intersection of clinical risk, data privacy regulation, and complex corporate structures makes healthcare one of the most demanding environments for insurance verification. The cost of getting it wrong — an uncovered malpractice claim, an uninsured data breach, a regulatory penalty without defense coverage — is among the highest in any industry.

Tags: healthcare, requirements, professional-liability
