Your Existing Policy Probably Covers Telehealth. Probably.
Most small practice owners we talk to assume their existing malpractice policy automatically extends to telehealth visits. About 80 percent of the time, they're right. The other 20 percent is where the trouble starts.
Carriers split into three rough buckets. Some treat telehealth as a routine extension of in-person care with no policy change required. Some require a written endorsement or rider before they'll cover a virtual visit. A handful exclude telehealth entirely unless you buy a separate product. You don't know which bucket you're in until you ask, and "I assumed I was covered" is not a defense if a claim hits.
Stop reading this and email your carrier. Ask one question: "Does my current policy cover patient encounters conducted by video, phone, and secure messaging, including across state lines where I hold an active license?" Get the answer in writing. Save the email. That single email is the cheapest risk reduction you'll do this year.
The Coverage Questions That Actually Matter
"Are we covered" is too blunt a question to be useful. When you sit down with your carrier or broker, work through this list one at a time and write the answers down.
- Visit modalities. Does the policy cover video, audio-only (phone), and asynchronous SMS or store-and-forward visits? Some policies cover video but exclude phone-only, which is a problem if half your Medicare patients prefer the phone.
- Patient location. Are you covered when the patient is in a state where you hold an active license but you are physically in your home state? This is the common cross-state visit, and most carriers cover it. But "most" is not "all."
- Provider location. Are you covered when you are traveling and conduct a visit from a different state? This one trips people up. Snowbird providers, conference attendees, and anyone working remotely from a vacation rental.
- International patients. Covered, excluded, or available with a separate rider? Almost always excluded by default. Don't assume.
- Technology failures. If a video connection drops mid-visit and you miss a symptom that would have been visible on camera, does the carrier cover the resulting claim? Some policies treat technology failures as an excluded "non-medical" cause.
- Asynchronous decisions. You review a symptom photo a patient sent and respond by text. If that's the basis of a claim, is it a covered visit or an uncovered consultation?
- Independent contractors and locums. If you bring in coverage for vacation, does your policy extend, or does the locum need their own?
- Defense costs inside or outside the limit. Defense outside limits is meaningfully better, especially in states with high settlement values. Cheaper policies usually have defense inside the limit.
Get answers in writing for all of these. A confirmation email from your underwriter is worth more than a glossy brochure.
Claims-Made vs. Occurrence: The One Distinction That Costs You Money
Two policy structures dominate the medical malpractice market, and the difference matters more when you add telehealth.
An occurrence policy covers any incident that happened during the policy period, no matter when the claim is filed. If you saw a patient in 2026 and they sue you in 2031, your 2026 occurrence policy responds. Premium is higher, but you can walk away from the policy any time without worrying about old claims.
A claims-made policy only covers claims that are both filed and reported while the policy is active. If you let it lapse without buying tail coverage, every patient you saw under that policy is exposed. Premium is lower in early years, then ramps up, and tail coverage at the end can cost 150 to 300 percent of your last annual premium.
Telehealth makes the claims-made structure messier. Claims can be filed years later, sometimes from a state different from where the patient now lives, and statutes of limitations vary by state. If you're seeing patients in five states and you let a claims-made policy lapse without tail, you've accepted years of unfunded liability across multiple jurisdictions.
Practical rule. If you can afford it, choose occurrence. If you're on claims-made, budget for tail coverage from day one. Treat the tail as a debt you've already incurred, not as a future decision.
Multi-State Coverage Without the Surprise Bill
Crossing state lines is where telehealth malpractice gets expensive and where small practices most often get blindsided. A licensed provider seeing a patient in another state is practicing medicine in that other state, and the rules and rates of that state apply. Your carrier prices and underwrites accordingly.
Three things to confirm before you take a single visit in a new state.
First, the carrier has to be admitted in the patient's state, or the policy needs to extend coverage to non-admitted states. Some regional carriers only operate in a handful of states, and a patient visit in a state outside their footprint isn't covered at any price.
Second, premium often varies by the patient's state, not just yours. A solo internal medicine provider in Indiana pays a very different rate than the same provider treating patients in Florida or New York. Carriers know the per-state claim severity and they price the rider to match. Don't be surprised when adding three states raises your premium 20 to 40 percent.
Third, ask whether the policy follows you or follows the patient. "Follows you" means coverage extends wherever you hold a license. "Follows the patient" means each patient location has to be specifically listed. For a practice using state-aware booking that filters providers by patient location, follows-the-patient is fine. For a practice that improvises, follows-you is safer.
If you're licensed in five or more states through the Interstate Medical Licensure Compact, ask specifically about Compact coverage. Some carriers have streamlined endorsements for Compact-licensed providers that come in cheaper than per-state riders.
Cyber Liability Is Not Optional Anymore
Traditional medical malpractice covers clinical errors. It does not cover what happens when patient data leaks, your practice gets ransomed, or a video session is recorded and posted somewhere it shouldn't be. For those, you need a separate cyber liability policy.
This is the coverage small practices most often skip and most often regret. The average ransomware demand against a healthcare provider in 2025 ran into the six figures, and the operational cost of a week without scheduling or EHR access is far worse than the ransom. A cyber policy that costs $1,500 to $3,500 a year for a small practice will cover ransomware response, breach notification, regulatory fines, credit monitoring for affected patients, and PR costs.
What to look for in a cyber policy for a telehealth practice:
- HIPAA and HITECH coverage for fines and breach notification, including the per-patient mailing requirement.
- Ransomware coverage with negotiation and payment if needed, plus business interruption while you're locked out.
- Social engineering and wire fraud coverage. Small practices get spear-phished into wiring "payroll" to an attacker more often than you'd think.
- Vendor breach coverage. If your telehealth platform, EHR, or billing vendor has the breach, you still face notification costs and reputational damage.
- Defense for state attorney general actions. HIPAA fines come from HHS, but state AGs can sue too, especially after high-profile breaches.
You can sometimes get cyber liability bundled with malpractice through the same carrier at a discount. Worth asking. Don't accept a sub-limit so small it's meaningless. If a carrier offers $25,000 in cyber sublimits inside a malpractice policy, treat it as marketing, not coverage.
Documentation: The Single Biggest Lever on Your Premium and Your Risk
Carriers price risk on two things they can measure: your specialty and your claims history. They price the third thing, your habits, with discounts and surcharges that often surprise providers. Documentation is the single biggest habit they care about for telehealth.
What a defensible telehealth note looks like, every time:
- Patient identity verified. Two identifiers, usually full name plus date of birth, confirmed verbally at the start of the visit and noted.
- Patient location confirmed. The patient's physical location at the time of the visit, in their own words, written in the note. This protects against cross-state licensure questions.
- Modality documented. Video, phone, or asynchronous. If video, note whether it was full audio plus video for the entire visit. If something dropped, note that too.
- Informed consent for telehealth on file. Referenced in the note, with the date the consent was signed.
- Clinical limitations acknowledged. A short note when the modality limited what you could assess, and why you still felt the visit was appropriate (or referred to in-person).
- Plan, follow-up, and red-flag instructions. When to call back, when to seek emergency care, when to schedule in-person.
This isn't busywork. In a claim, the difference between defensible care and indefensible care is often a single sentence about why telehealth was clinically appropriate for the visit. More on this in our guide to telehealth consent forms.
What Carriers Actually Discount
Premiums for solo and small-group practices have crept up since 2022, and telehealth-heavy practices have seen the steepest jumps in a few states. The good news is most carriers will discount specific things you can document. Ask for each one.
- Risk management course completion. Usually 5 to 10 percent off, sometimes more. Many carriers run free online CME-eligible courses that double as discount triggers.
- Use of a HIPAA-compliant telehealth platform with a signed BAA. Some carriers explicitly reward platforms that meet healthcare-grade standards over consumer video tools.
- Documented informed consent process. A written telehealth consent on file before the first visit.
- Documented patient identity and location verification. Often built into the platform's intake flow.
- Tail coverage for prior carriers. Continuous coverage history reduces your premium because it removes the gap question.
- Specialty-specific protocols. Especially in psychiatry and behavioral health, having written protocols for suicidality assessment over telehealth is sometimes a discount and almost always a defense.
- Multi-year prepay. Two- and three-year prepaid policies often save 3 to 7 percent.
Don't be shy. Brokers earn commission on the premium they sell you, so they don't always lead with discounts. Bring a checklist to renewal and walk through it.
Limits and Aggregates: How Much Coverage Is Enough
The reflexive answer for primary care, internal medicine, and family practice is $1 million per claim and $3 million aggregate. That's the floor most hospital privileging committees and many state requirements use. For a small private practice running outpatient telehealth, it's usually adequate.
Where you raise limits:
- High-risk specialties. OB/GYN, surgery, emergency medicine, and interventional specialties live with higher claim severities. $2 million per claim is the more common floor.
- States with high settlement values. New York, Illinois, Florida, and a handful of others see settlements that can exceed standard limits. If you treat patients in those states, run the math on $2 million or $3 million per claim.
- Group practice with multiple providers. Each provider's claims chip at the same aggregate unless the policy is structured per-provider. A four-provider practice on shared $3 million aggregate can exhaust limits faster than partners realize.
- Significant personal assets. An umbrella personal liability policy doesn't substitute for higher professional limits, but high-net-worth providers often raise limits as basic asset protection.
Going below $1 million almost never makes financial sense for a practicing physician. The premium savings are small and the exposure is enormous. For nurse practitioners and PAs running independent telehealth panels in states that allow it, the same logic applies, just at slightly different base rates.
The Takeaway
Telehealth malpractice insurance is not a separate product for most small practices. It's a set of questions to ask your existing carrier, a few endorsements you may or may not need, and a cyber liability policy that sits next to your malpractice policy. The work is in the asking and the documenting, not in buying expensive new coverage.
The short version of what every small practice should do this month:
- Email your carrier and confirm telehealth coverage across all your licensed states, in writing.
- Decide whether you're on a claims-made or occurrence policy and budget the tail if applicable.
- Buy a real cyber liability policy with sub-limits that aren't a joke.
- Standardize your telehealth documentation so every note has identity, location, modality, consent reference, limitations, and follow-up plan.
- Walk through the discount checklist at your next renewal.
None of this is glamorous. None of it is expensive relative to the protection it buys. A small practice doing modern telehealth without going through these five items is taking a risk it doesn't need to take. Spend the hour, send the emails, and get back to seeing patients.