Listen to this post

This is the second in a series of articles addressing critical issues in risk management and insurance for skilled nursing facilities.

How much insurance does my organization need? This conundrum impacts policyholders from small businesses needing single policies to Fortune 500 companies placing complex, multimillion-dollar insurance towers. For owners and operators of skilled nursing facilities, deciding on the right limits of liability insurance is not just a question of evaluating and balancing the risk of third-party claims to your organization – it can be a question of statutory compliance as well.

While many states do not require nursing facilities to maintain minimum levels of liability insurance, those states that do can pose serious regulatory risks to unwary policyholders. For example, in Virginia, certified nursing facilities must maintain minimum general liability insurance limits of $1 million and minimum professional liability limits of $2.65 million (VA ST § 32.1-127). The required professional liability limits increase every year, and by 2030 certified nursing facilities must maintain $2.95 million in limits (VA ST § 8.01-581.15). Failure to maintain these limits can lead to revocation of the facility’s license (VA ST § 32.1-127). Pennsylvania’s complicated statutory scheme of minimum professional liability insurance for non-hospital healthcare providers ranges up to $1 million in minimum per-occurrence limits and $3 million in aggregate limits (40 P.S. § 1303.711). Failure to submit proof of proper insurance can lead to license suspension or revocation. In Colorado, a condition of active licensure for healthcare institutions is maintenance of $500,000 per occurrence and $3 million in aggregate limits (C.R.S.A. § 13-64-301). 

Because minimum liability limits in the healthcare industry are not standardized, identifying the applicable statute may not be simple. For example, the Virginia law is found in the Virginia health code, the Pennsylvania law is found in the Pennsylvania insurance code, and the Colorado law is part of the “Health Care Availability Act” – which is itself part of Colorado’s “Court and Court Procedure” statutory scheme. 

A facility may only discover a failure to comply with regulatory limits when facing a serious liability claim. In that case, the insured may find itself fighting on two or even three fronts – with the underlying claimant to resolve the case, with its insurance company to fight for additional coverage, and potentially with the state to prevent or minimize regulatory consequences.

Because of the potential complexity of compliance and the consequences for noncompliance, insureds should ensure they are complying with minimum liability limits. This includes confirming with their brokers that current policies comply with applicable minimum limits in the states where they operate facilities. If the answer is no, the insured should seek an immediate and retroactive endorsement that complies with state requirements. At renewal, insureds should work with their broker and legal counsel to ensure continuing compliance. The correct solution will depend on the risk management strategy and goals of the policyholder, as well as the organizational structure. For example, policyholders operating numerous facilities may form LLCs for each facility and purchase insurance for each LLC. Others may insure numerous facilities under a master policy.

Insureds operating facilities across numerous states could choose among the following potential options when procuring liability coverage to ensure compliance with minimum limit requirements:

  • A separate policy for each facility providing the minimum limits required for the state where that facility is located;
  • A separate policy for each state where the policyholder operates that provides the requisite minimum limits for each facility in that state;
  • A master policy with separate endorsements amending the policy limits by location; or
  • A master policy providing the highest minimum limits of all states where the policyholder operates.

Operating a skilled nursing facility requires complying with a dizzying array of statutes and regulations. Ensuring that your facilities procure the required insurance limits may be simple by comparison, but it is a crucial step in ensuring protection from both third-party claims and regulatory compliance risk.

Listen to this post

This is the first in a series of articles addressing critical issues in risk management and insurance for skilled nursing facilities.

Owners and operators of skilled nursing facilities know that a claim or lawsuit against their facility is not a matter of if, but when. Procuring the proper insurance is critical to effectively managing and mitigating these risks. A professional liability insurance policy should provide coverage for the facility and its directors, administrators, and employees from claims of negligent care. 

Unfortunately, merely purchasing a professional liability policy without further scrutiny can leave a facility uninsured for certain claims. These policies incorporate exclusions and conditions that insurers could cite to attempt to limit coverage, particularly for claims that allege intentional injury to a patient resident. For example, an injured patient could allege that her injury was not the result of mere negligence, but instead resulted from retaliation by the facility or the facility’s employee in response to a prior complaint. These retaliation claims pose an increased risk to a facility and its insurance coverage, regardless of whether they are alleged as an intentional tort under a state’s common law or as a violation of a state’s anti-retaliation statute.

In states where retaliation is specifically barred by statute, state laws can create additional liability and damages exposure for claims brought by residents who file formal complaints or bring regulatory actions against nursing facilities alleging retaliation. Earlier this year, for example, the Illinois Legislature passed a new anti-retaliation statute for nursing facilities, House Bill 2474, that broadens the scope of anti-retaliation protections. The Illinois bill, which has passed both houses and been sent to the governor’s office for signature, does not require a formal complaint, but can be triggered by a resident taking more informal action, such as making a request to the facility related to the resident’s care. In addition to potential liability for consequential damages, Illinois HB 2474 also makes nursing facilities liable to the plaintiff for attorneys’ fees and additional damages “in an amount equal to the average monthly billing rate for Medicaid recipients in the facility.” The damage provisions of Illinois HB 2474 differentiate it from other broad anti-retaliation statutes. For example, Minnesota expanded its Patients’ Bill of Rights in 2020 to protect nursing facility residents from retaliation for a host of actions, including advocating “for necessary or improved care or services” (M.S.A. § 144.6512). However, Minnesota’s statute does not provide for a private cause of action for residents to sue the facility.  

Even if a state’s anti-retaliation statute does not specify additional damages or provide a private cause of action, retaliation claims brought as common law torts can nevertheless pose the risk of enhanced damages based on the facility’s perceived culpability – a risk not found in ordinary negligence actions.

Retaliation claims are a significant and thorny example of circumstances where allegations of negligent and intentional conduct can intertwine. Unless a statute identifies certain acts that constitute retaliation per se, the patient must necessarily prove an intent to retaliate – retaliation cannot be the result of mere negligence. But ordinary negligence and intentional retaliation could manifest in factually identical ways – with intent being the only distinguishing factor. For example, a resident allegedly injured in a fall while being helped out of bed by a facility employee could assert negligence. But if that same resident had complained to management about the quality of their care prior to the fall, the resident could also allege retaliation, asserting that they were allowed to fall in retaliation for the complaint. 

Insurers could seize on retaliation allegations to deny coverage under several exclusions, including exclusions for expected and intended conduct and for willful violations of laws or regulations.  Depending on the scope of the policy exclusions, insurers could assert that otherwise insured negligence claims are excluded retaliation claims.    

To maximize the potential coverage for claims of retaliation or other intentional conduct bolted on to ordinary negligence claims, insureds should understand that the expected and intended exclusion does not exclude claims that an insured acted intentionally; the insurer must also prove that the insured intended to cause the alleged harm. Unfortunately, a retaliation claim arguably alleges that intent to cause harm if the actions can be attributed to the insured entity or individual.

Insureds can take four steps to mitigate anticipated insurer defenses to coverage for retaliation claims: 

  1. First, insureds should seek language limiting the intentional conduct exclusion. The best limiting language would require a final adjudication of intentional conduct at trial (and after exhaustion of all appeals). Insurers could not invoke this exclusion in cases settled before trial.
  2. Second, insureds should confirm that any exclusions based on alleged willful statutory violations do not inadvertently encompass statutory retaliation claims.
  3. Third, because insurers may attempt to allocate liability among the negligence and retaliation claims to reduce their obligations for a settlement prior to trial, insureds should insist on favorable allocation provisions that do not leave the allocation to insurers’ discretion but instead require reasonable allocation based on an objective assessment of the claim.
  4. Finally, insureds should insist on policy provisions requiring the insurer to defend (or preferably pay the defense of) all asserted claims – including arguably excluded claims – as long as at least one claim potentially falls within coverage. 

These four steps will provide insureds with additional insurance protection against statutory retaliation claims by limiting the defenses that insurers could otherwise assert in response to these claims. And as always, policyholders should scrutinize their professional liability insurance policies during renewal to maximize the coverage available to them. Many coverage enhancements do not impact premium – but they do require insureds’ diligence and awareness of coverage quagmires before binding insurance, as this discussion of retaliation claims shows. 

Listen to this post

Introduction

Cryptocurrency isn’t just for tech startups and X (formerly Twitter) enthusiasts anymore. Mainstream corporations are increasingly forced to consider Bitcoin—the undisputed “king” of crypto—and other investments into digital assets whether they are on board or not. Some, like Tesla and MicroStrategy (now rebranded as “Strategy”), have already poured billions into Bitcoin. Others, like Microsoft and Amazon, have fielded recent shareholder pushes to invest, while companies like GameStop are proactively positioning themselves to invest in Bitcoin and other crypto-related assets through updated, crypto-friendly investment policies. And with regulators starting to soften—think legal shifts and the White House’s recent announcement of a U.S. strategic crypto reserve—justifying a “no” might get tougher.

But whether a company “hodls” (crypto slang for holding an asset long-term) or “folds,” there are insurance and liability risks either way.

  • Reject Bitcoin? Shareholders could claim you failed to act in their best interest, and your directors and officers (D&O) insurers might leave you hanging.
  • Invest in Bitcoin? A cyberattack could wipe out your digital assets, and your crime or cyber insurer may deny coverage.

As recent legal and corporate developments show, companies need to think beyond the investment decision itself and assess the insurance-related implications of their decision to invest (or not invest) in Bitcoin, as well.

The Risk of Saying No: Could Shareholders Sue for Missing Bitcoin Gains?

Most boardrooms don’t associate Bitcoin with D&O insurance, but recent events suggest they should. For example, in December 2023, gaming retailer GameStop approved a policy authorizing CEO Ryan Cohen and a small committee of other executives handle the company’s securities investments—including in digital assets like Bitcoin. In November 2024, the National Center for Public Policy Research (NCPPR) pressed Microsoft to assess if Bitcoin could benefit its $484 billion in assets, mostly tied up in bonds and securities that the NCPPR said “barely outpace inflation.” The proposal urged a study on whether diversifying with Bitcoin would best serve shareholders’ long-term interests, arguing boards might have a fiduciary duty to consider a Bitcoin investment despite its short-term volatility. While Microsoft ultimately rejected the proposal, the retail giant Amazon is now facing a similar push. In December 2024, Amazon shareholders proposed allocating 5% of the company’s assets to Bitcoin.  The proposal is awaiting a vote in April.

Historically, companies like Microsoft and Amazon could cite regulatory uncertainty as a reason to avoid Bitcoin. But with a friendlier U.S. regulatory stance taking shape—including the DOJ’s recent dismissals of their legal cases against crypto exchanges Coinbase and Gemini, increased political support for the industry, and the White House preparing to host its first-ever “Crypto Summit” later this month where it will announce the creation of a national strategic crypto reserve that will house billions of dollars worth of Bitcoin and other large-cap cryptocurrencies—Bitcoin’s legitimacy as a corporate asset could become an issue. As crypto regulation stabilizes, corporate boards may begin to encounter scrutiny over whether they are responsibly considering Bitcoin as an investment option.

This recent shift in corporate and regulatory sentiment towardsBitcoin raises an important question: If Bitcoin’s value rises and a company chooses to stay out, could shareholders claim the board failed in its fiduciary obligations, and, if so, would the company’s insurance program provide protection?

This risk isn’t hypothetical. Bitcoin has surged over 50% just in the past year.  And its decade-long haul has been nothing short of staggering, rising from around $200-$300 in 2015 to peaks over $100,000 earlier this year—a gain of as much as 30,000%-40,000%. Even NVIDIA, one of the best-performing stocks of the era, has returned an estimated 25,000%-30,000%, making it one of the only public assets to come close—yet Bitcoin still edges it out.

While there has not (yet) been any reported litigation challenging a company’s decision not to invest in Bitcoin or other crypto-related assets, shareholders may begin to argue that a company’s refusal to consider a Bitcoin investment improperly disregarded significant potential benefits and undermined shareholders’ best interests. And while the strengths or weaknesses of their case could be debated, these recent instances of shareholder activism over investments in Bitcoin indicate that a lawsuit could be brought. If it is, the company will almost certainly want insurance coverage to defend against such allegations.

So, could a D&O policy cover a shareholder lawsuit alleging the board mismanaged corporate assets by rejecting Bitcoin? Notably, there is no standard form from the Insurance Services Office (ISO) for D&O insurance policies, and many such policies are manuscript—meaning they’re specifically drafted or tailored for an individual insured. Thus, while most D&O policies follow a general structure, and typically provide coverage for shareholder lawsuits alleging breach of fiduciary duty, the policy language can vary significantly between insurers and even between individual policies. Some policies may exclude claims involving speculative investments or financial decisions, which could be relevant in a Bitcoin-related lawsuit. Others may expressly exclude cryptocurrency-related claims altogether. If your company is fielding Bitcoin-related shareholder proposals or considering investment policy shifts to more freely allow investments in digital assets, it may be time to closely review your D&O policy language to ensure proper coverage for digital-asset-related investment decisions.

The Risk of Saying Yes: If You Buy Bitcoin, Can You Insure It?

For companies that do invest, the next challenge is securing those assets—and that’s where things get tricky. Saying “yes” to Bitcoin might juice your balance sheet, but it’s a magnet for thieves and scammers—and your crime or cyber insurers might not have your back. Just last month, crypto exchange ByBit lost $1.5 billion worth of the cryptocurrency Ethereum to an alleged North Korean hack, proving that even “secure” cold wallets (offline storage mechanisms) aren’t immune.

Crypto exchanges aren’t the only targets—corporate treasuries holding crypto are in the crosshairs too, and the losses sting just as bad. In December 2024, Web3 firm Hooked Protocol lost $9 million when hackers exploited a smart contract vulnerability. And in 2021, meatpacking giant JBS paid an $11 million Bitcoin ransom to regain access to its systems after a cyberattack—not a theft of corporate-owned crypto, but a forced payout from company funds. As more non-crypto-native companies move Bitcoin onto their balance sheets—just recently, three U.S.-based biotech firms each publicly pledged to buy $1 million worth—bad actors will be taking note.

So, can your cyber or crime policy cover Bitcoin theft? Cyber insurance might handle hacks or ransomware, but crypto? Policies built for data breaches may exclude “digital assets” or “speculative investments,” potentially leaving stolen Bitcoin uncovered. Crime insurance is better suited—think employee theft or third-party fraud—but many still define “money” as cash or traditional securities, not digital assets like Bitcoin. Social engineering scams (e.g., a CFO tricked into sending Bitcoin to a scammer) might slip through, too, unless you’ve got an endorsement for that.

Custody is another critical factor. If you hold Bitcoin in-house (whether in “hot” or “cold” storage), coverage might apply if “cryptocurrency” is explicitly listed as covered property. Store it with a third party, like Coinbase? Look for coverage for custodial losses. Additionally, insurers often impose exclusions and limitations that could restrict coverage. For example, “voluntary parting” (e.g., sending crypto to a scammer, even if duped) or “unsecured systems” (e.g., failing to implement multi-factor authentication) can endanger coverage. Insurers also hate crypto’s volatility—some cap payouts at the theft-day value, not a later cycle high.

As more companies explore Bitcoin investments, it’s critical to review existing cyber and crime policies to determine whether digital assets are adequately covered. Specialty crypto insurance products are emerging—offered by providers like Evertasand Coincover—but they’re far from standard. For now, companies holding Bitcoin should assume there are gaps in coverage unless their policy explicitly says otherwise and should take action to protect their risks accordingly.

So, What’s the Play? Insurance Takeaways for Corporate Policyholders.

Bitcoin presents a double-edged risk—whether a company invests or not, there’s exposure on both the D&O and cyber/crime insurance fronts.

Here’s what policyholders should do:

  • If you’re rejecting Bitcoin: Review your D&O coverage to ensure it would respond to shareholder suits alleging mismanagement of investment strategy over digital assets, like Bitcoin.
  • If you’re investing in Bitcoin: Review your cyber and crime policies for coverage gaps—especially regarding digital asset theft, exchange insolvency, and fraud.

Bitcoin isn’t just an investment decision—it’s a liability and insurance minefield. Whether your company hodls or folds, the right coverage makes all the difference.