
Insurance for Medical Practices: The Complete Coverage Guide for Healthcare Providers

You spent a decade in medical school and residency. You didn't spend a single hour learning about insurance. But one uninsured malpractice claim or HIPAA breach can undo everything you've built — and the coverage gap is wider than most physicians realize.


Why Medical Practices Are High-Value Targets

Healthcare providers operate in one of the most heavily regulated, frequently litigated industries in the country. The average medical malpractice claim costs $309,000 to resolve. The average HIPAA breach costs $10.93 million. Employment lawsuits against medical practices have increased 42% over the past five years. And unlike a tech company that can pivot or a restaurant that can rebrand, a medical practice's reputation is its entire business — one public claim can permanently damage patient trust and referral networks.

The challenge is that medical practice insurance isn't a single policy. It's a program — a layered set of coverages that protect against clinical liability, business operations risk, employment exposure, cyber threats, and property loss. Most physicians buy malpractice insurance and assume they're covered. They're not. Here's what a complete medical practice insurance program actually looks like.

Medical Malpractice Insurance: The Foundation

Medical malpractice (professional liability) insurance is the non-negotiable starting point. It covers claims alleging that a healthcare provider's treatment caused injury or harm to a patient. This includes misdiagnosis, surgical errors, medication mistakes, failure to treat, birth injuries, and informed consent failures. Every state requires some form of malpractice coverage for licensed physicians, and hospitals and health systems require it for credentialing and privileges.

There are two types of malpractice policies, and the difference matters enormously. Occurrence-based policies cover any incident that occurs during the policy period, regardless of when the claim is filed. If you had an occurrence policy in 2026 and a patient files a claim in 2029 for treatment you provided in 2026, you're covered — even if you've since switched carriers. Claims-made policies only cover claims that are both made and reported during the active policy period. If you cancel or switch a claims-made policy, you need to purchase 'tail coverage' (an extended reporting period) to cover claims filed after the policy ends for incidents that occurred during the policy period. Tail coverage typically costs 150–200% of the annual premium. This is a critical consideration when changing carriers, retiring, or selling a practice.

Malpractice premiums vary dramatically by specialty, state, and claims history. A family medicine physician in Minnesota might pay $8,000–$12,000/year. An OB/GYN in Florida or New York could pay $80,000–$200,000+/year. Surgical specialties, obstetrics, and emergency medicine carry the highest premiums because they generate the most frequent and expensive claims.

Cyber Liability: The HIPAA Imperative

Healthcare is the most targeted industry for cyberattacks, and it's not close. Medical records sell for $250–$1,000 each on the dark web — 10 to 40 times the value of a stolen credit card number. In 2025, healthcare organizations experienced an average of 1,463 cyberattacks per week. The average cost of a healthcare data breach reached $10.93 million, the highest of any industry for the 13th consecutive year.

HIPAA adds a regulatory layer that makes cyber insurance essential rather than optional. A breach of protected health information (PHI) triggers mandatory notification to every affected individual, the Department of Health and Human Services (HHS), and in many cases the media. HIPAA penalties range from $100 to $50,000 per violation (per record), with annual maximums of $1.5 million per violation category. The HHS Office for Civil Rights has imposed penalties exceeding $130 million since HIPAA enforcement began.

A cyber liability policy for a medical practice covers breach response costs (forensic investigation, patient notification, credit monitoring), regulatory defense and penalties (HIPAA fines, state attorney general investigations), business interruption (revenue lost while systems are down), ransomware payments and recovery, and third-party lawsuits from affected patients. For a small to mid-size practice, cyber liability costs $1,500–$5,000/year — a fraction of what a single breach would cost out of pocket. Given that 89% of healthcare organizations experienced a data breach in the past two years, this isn't a question of if, but when.

Business Owner's Policy: Protecting the Practice Itself

Malpractice insurance protects against clinical liability. But your medical practice is also a business with physical assets, lease obligations, and operational risks. A Business Owner's Policy (BOP) bundles general liability and commercial property insurance into a single policy at a lower cost than buying them separately.

General liability covers non-clinical claims: a patient slips in your waiting room, your office manager accidentally damages a landlord's property, or someone alleges your advertising is misleading. Commercial property covers your office space, furniture, medical equipment, computers, and records against fire, theft, vandalism, and certain natural disasters. For a medical practice, this includes expensive diagnostic equipment (MRI machines, X-ray units, ultrasound equipment) that can cost $50,000–$3,000,000 to replace.

A BOP for a medical practice typically costs $1,200–$3,500/year depending on location, square footage, and equipment value. It should also include business interruption coverage, which replaces lost income if your practice is forced to close temporarily due to a covered event. If a fire damages your office and you can't see patients for three months, business interruption covers your ongoing expenses (rent, payroll, loan payments) and lost revenue.

Workers' Compensation: Mandatory for Every Practice

If you have employees — nurses, medical assistants, front desk staff, billing specialists, or anyone on your W-2 payroll — workers' compensation is required in virtually every state. It covers medical expenses and lost wages for employees injured on the job, and it protects you from employee lawsuits related to workplace injuries.

Medical practices have unique workers' comp exposures that go beyond the typical office environment. Needlestick injuries and bloodborne pathogen exposure are covered events. Lifting injuries from moving patients or heavy equipment are common claims. Repetitive stress injuries from data entry (medical coding and billing staff) are increasingly frequent. And workplace violence — which healthcare workers experience at four times the rate of other industries — is a covered event under workers' comp.

Workers' comp premiums are based on payroll and job classification codes. Office and clerical staff (class code 8810) cost roughly $0.15–$0.30 per $100 of payroll. Nurses and medical assistants (class code 8832) cost $0.50–$1.50 per $100 of payroll. For a practice with $500,000 in total payroll, expect to pay $2,000–$5,000/year for workers' comp. Your experience modification rate (EMR) — based on your claims history — can increase or decrease this cost by up to 50%.

Employment Practices Liability: The Growing Threat

Employment Practices Liability Insurance (EPLI) covers claims from employees alleging wrongful termination, discrimination, sexual harassment, retaliation, wage and hour violations, and failure to promote. Medical practices are particularly vulnerable because they tend to have hierarchical structures, high-stress environments, and power dynamics between physicians and support staff that create fertile ground for employment disputes.

The numbers are stark: the average EPLI claim costs $125,000 to defend and settle. Wrongful termination claims average $200,000. Discrimination claims average $175,000. And these are averages — jury verdicts regularly exceed $500,000. EPLI is especially critical for practices going through transitions: adding or removing partners, restructuring staff, implementing new policies, or responding to performance issues. These are the moments when employment claims are most likely to arise.

EPLI for a medical practice with 10–25 employees typically costs $2,000–$5,000/year. Many policies also include access to an employment law hotline and HR resources that can help you avoid claims in the first place — proper documentation, compliant handbooks, and defensible termination procedures.

The Complete Medical Practice Insurance Stack

Here's the recommended coverage program for a medical practice, in priority order. Medical Malpractice is the foundation — required by law and by credentialing bodies, covering clinical liability. Cost varies dramatically by specialty and state: $8,000–$200,000+/year. Cyber Liability protects against HIPAA breaches, ransomware, and data theft at $1,500–$5,000/year. Business Owner's Policy (BOP) bundles general liability and property coverage for $1,200–$3,500/year. Workers' Compensation is mandatory for all employees at $2,000–$5,000/year for a typical practice. EPLI covers employment claims at $2,000–$5,000/year.

Beyond the baseline, growing practices should also consider: an Umbrella Policy ($1M–$5M additional limits for $1,000–$3,000/year), Commercial Auto (if the practice owns vehicles for home health visits or mobile services), and Directors & Officers insurance (if the practice is structured as a corporation with a board). For a 5-physician family medicine practice with 20 staff members, the total insurance program (excluding malpractice, which varies too widely by specialty) costs approximately $8,700–$21,500/year. Including malpractice for family medicine, the total is roughly $48,700–$81,500/year.

Claims-Made vs. Occurrence: The Decision That Follows You

This deserves its own section because it's the most consequential and least understood decision in medical practice insurance. Most malpractice policies sold today are claims-made. They're cheaper in the early years because the premium starts low and increases annually as the 'mature' rate is reached (usually in year 5–7). But the total cost of ownership can be higher than occurrence policies once you factor in tail coverage.

Here's a real-world example. A claims-made policy might start at $5,000/year and mature to $15,000/year by year 5. If you switch carriers or retire after 10 years, tail coverage costs $22,500–$30,000 (150–200% of the mature annual premium). An occurrence policy might cost $18,000/year from day one, but you never need tail coverage. Over 10 years: claims-made total (including tail) = approximately $127,500–$135,000. Occurrence total = $180,000. The occurrence policy costs more in total, but it provides certainty and eliminates the tail coverage risk.

The right choice depends on your situation. If you're early in your career and plan to stay with one carrier long-term, claims-made can save money. If you anticipate changing carriers, joining a group practice, moving states, or retiring within 5–10 years, occurrence provides cleaner transitions. Some carriers offer 'nose coverage' (prior acts coverage) that can replace tail coverage when switching between claims-made carriers, but the terms vary and gaps are possible. An independent agent can model both scenarios with actual quotes and help you make the right call.

Mistakes Medical Practices Make with Insurance

Mistake #1: Assuming the hospital's insurance covers your private practice. If you have privileges at a hospital, their malpractice policy covers you while working at their facility. It does not cover your private practice, outpatient procedures, or telehealth consultations. You need your own policy.

Mistake #2: Ignoring cyber insurance because you use a cloud-based EHR. Your EHR vendor's insurance protects them, not you. Under HIPAA, the covered entity (your practice) is responsible for breaches — even if the breach originated at a business associate. You need your own cyber policy.

Mistake #3: Skipping EPLI because you have a small, close-knit team. The majority of EPLI claims come from practices with fewer than 50 employees. Small teams mean fewer witnesses, less formal documentation, and more personal relationships that complicate terminations.

Mistake #4: Not reviewing your malpractice policy's consent-to-settle clause. Some policies allow the insurer to settle claims without your approval. Others give you 'hammer clause' protection — the right to refuse settlement, but with financial consequences if the case goes to trial and the verdict exceeds the settlement offer. Understand your policy's terms before you need to use them.

Mistake #5: Failing to update coverage when adding services. If your practice adds telehealth, aesthetic procedures, in-office surgery, or new specialties, your existing malpractice policy may not cover these activities. Policy endorsements or new coverage may be required. Review your policy annually with your agent — especially after any change in services, locations, or providers.

Running a medical practice and not sure if your coverage is complete? Text risk | x — we'll audit your current program and identify gaps in minutes.
