Skip to main content
MorningsideHealth & Risk

Healthcare Practice

NY Healthcare Practice Risk Checklist: 2026 Annual Review

A NY-specific healthcare practice risk checklist for annual use at renewal or before any material practice change. Seven coverage categories, specific NY statutes, and the exact questions every NY practice should answer before flipping the binder.

NY healthcare practice administrator reviewing annual risk checklist against 2026 renewal binder

Reviewed by Akili Hinson, Managing Principal

Every NY medical practice accumulates coverage drift across a renewal cycle. A provider joins or leaves, a new EHR vendor is added, a telehealth platform is rolled out, a new service line launches, a BAA is signed without updating the cyber policy. Year over year, small drifts compound into gaps that surface only at claim time or at regulatory review. A documented annual risk checklist is the operational counter to that drift. It is also, for HIPAA covered entities, a compliance obligation: the Security Rule's risk-assessment requirement at 45 CFR 164.308(a)(1)(ii)(A) has no explicit cadence but HHS OCR has historically treated annual cadence as the defensible standard for practices of meaningful size.

TL;DR. Seven coverage categories with NY-specific questions per category. Run annually at renewal or on material-change triggers. HIPAA risk assessment required under 45 CFR 164.308(a)(1)(ii)(A). SHIELD Act reasonable-safeguards duty compounds the HIPAA framework. Mark each item Covered / Gap / Not Applicable; every Gap triggers a broker conversation. See our NY medical malpractice guide, cyber liability for healthcare guide, and healthcare liability overview insight for the response-line walkthroughs.

How to use this checklist

The checklist is organized in seven categories that align to the standard NY healthcare practice coverage stack and regulatory compliance framework. For each item:

  • Mark Covered if the item is addressed in the current policy, current written procedure, or current documented control.
  • Mark Gap if the item is missing or if the current implementation is materially incomplete.
  • Mark Not Applicable if the item does not apply to the practice's current operations.

Any item marked Gap should trigger a broker conversation before the next renewal cycle completes. The aggregate of Gap items is the agenda for the annual coverage review.

1. Professional liability

NY physicians and most licensed clinicians carry medical malpractice as the primary response line for professional-negligence claims. The statutory framework under CPLR 214-a and Lavern's Law drives most of the retention and tail mechanics.

  • Are all licensed providers currently rendering services listed on the policy declarations?
  • Do the limits meet the credentialing minimums of every hospital, ACO, or health-plan network the practice participates in? (Typical NY minimums are $1.3M/$3.9M for Section 18 Excess Medical Malpractice Program eligibility.)
  • Is the policy claims-made or occurrence? If claims-made, when is the retroactive date?
  • Does the employment agreement for each provider specify who pays tail coverage at departure?
  • Are free-tail triggers (retirement after minimum tenure, disability, death) documented on the current policy?
  • Does the policy's territory language cover telehealth encounters in every state where the practice has patients at the time of the encounter?
  • Is each provider licensed in every state where telehealth patients are located at the time of the encounter?
  • Does the policy address AI-assisted clinical decision support tools used in the workflow?
  • Are locum tenens and independent-contractor providers covered under the practice policy, or do they carry their own?

For the claims-made-versus-occurrence decision, see our occurrence versus claims-made insight. For tail-coverage economics, see our tail coverage explainer.

2. General liability and commercial property

Premises-based and operations-based third-party claims are handled by general liability. Property coverage protects the practice's equipment, tenant improvements, and in most cases, business interruption from physical events.

  • Does general liability cover all locations where the practice sees patients or conducts operations?
  • Are the limits at or above lease-required minimums (typically $1M/$2M for NY commercial leases)?
  • Is the landlord named as an additional insured on each location?
  • Is there a waiver of subrogation per the lease?
  • Is the business personal property limit adequate for all equipment, including diagnostic machines and office buildout?
  • Does business interruption coverage reflect actual practice revenue and realistic recovery timelines?
  • Is equipment breakdown coverage in place for refrigeration, HVAC, and diagnostic equipment?
  • For leased equipment (imaging, lab, electronic health records hardware), is damage coverage confirmed under the policy or under the lessor's insurance?
  • Are tenant improvements and betterments insured at replacement cost rather than actual cash value?

For practices still building out the full coverage stack, see our first-time business insurance guide.

3. Cyber and data security

The HIPAA Security Rule and NY SHIELD Act (General Business Law §899-bb) each impose requirements on any practice touching electronic PHI of NY residents. Cyber insurance is the response line; compliance with the underlying statutes is a separate and prerequisite obligation.

  • Is there a standalone cyber liability policy (not just an endorsement on the malpractice or BOP)?
  • Does the cyber policy include regulatory-defense coverage for OCR and NY Attorney General investigations?
  • Does the policy include social-engineering and fund-transfer-fraud coverage?
  • Is the ransomware sublimit sized realistically given current patient-record volume and ransomware market conditions?
  • Is the business-interruption waiting period 8 to 12 hours or less?
  • Is multi-factor authentication deployed on email, remote access, and administrative accounts?
  • Are backups maintained offline or immutable, with documented restoration testing in the last 12 months?
  • Has the practice completed an annual HIPAA Security Rule risk assessment per 45 CFR 164.308(a)(1)(ii)(A)?
  • Are workforce HIPAA training records current for every employee (HIPAA training required at hire and periodically thereafter)?
  • Has the practice filed any required SHIELD Act notifications in response to past breaches?

For the full policy-form walkthrough, see our cyber liability for healthcare guide and our cyber insurance for NY medical practices insight.

4. Workers' compensation

NY Workers' Compensation Law §10 requires coverage from the first employee with no payroll threshold and no grace period. Misclassification is the most common and most costly error we see at audit.

  • Is every W-2 and 1099 worker classified under the correct NYCIRB class code? (Common codes: 8832 Physicians & Clerical, 8833 Hospital Professional, 9040 Hospital All Other, 8835 Home Health.)
  • Is the current experience modifier documented and understood? Above 1.0 means claims worse than industry average.
  • Does the policy reflect the 7.0% 2026 NY WCB assessment per NYCIRB Bulletin RC 2644?
  • Are corporate officers properly included or properly excluded (via formal WC-338-C exclusion filing)?
  • Are leased employees from a PEO covered under the PEO's policy or the practice's policy? (Confirm in the PEO master service agreement.)
  • Is there a documented return-to-work program for injured employees?
  • Are workplace violence prevention protocols documented, particularly for behavioral health and emergency-adjacent practices?
  • Are needlestick-prevention devices in use and their use documented?
  • Is the NY Paid Family Leave and Disability Benefits Law coverage in force (typically written as a rider to WC)?

For the full NY workers' comp cost math and compliance framework, see our NY workers comp small business cost guide insight and the Morningside workers' compensation service page.

5. Employee benefits

Benefits are an employment-recruitment and retention tool and a compliance-driven operational line. For NY practices, the baseline compliance requirements (DBL, PFL) apply to every employer with at least one NY employee.

  • Is the group health plan compliant with the ACA employer mandate if the practice has 50+ full-time-equivalent employees?
  • Is the Section 125 cafeteria plan document current and filed?
  • Is the Summary Plan Description up to date for every ERISA-governed plan?
  • Are Form 5500 filings current for applicable plans?
  • Have benefits communications been reviewed for ACA, ERISA, HIPAA-privacy, and NY-state accessibility compliance?
  • Has the practice reviewed voluntary benefits (dental, vision, life, disability) as recruitment and retention tools?
  • Are the NY Paid Family Leave and Disability Benefits Law contributions correctly deducted and remitted?
  • Is the 401(k) or Safe Harbor retirement plan competitive with peer NY practices in the relevant market?

For the benefits strategy framework, see our employee benefits 101 guide and our practice benefits for talent retention insight.

6. Compliance and regulatory

Overlapping federal, state, and licensing-body requirements drive an ongoing compliance load for every NY practice. The checklist items below track the most commonly out-of-alignment requirements.

  • Is the NPI current and accurately listed in the CMS NPPES registry?
  • Are all provider licenses current in every state where clinical services are rendered?
  • Is the HIPAA Security Rule risk assessment current (required annually under OCR practice)?
  • Are Business Associate Agreements on file with every vendor that touches PHI?
  • Is the informed-consent language reviewed by counsel and current?
  • Are the practice's insurance marketing and patient-communication materials compliant with NY DFS rules where applicable?
  • Are fraud-and-abuse training and anti-kickback compliance procedures documented under the OIG compliance guidelines?
  • Are medical-records retention policies compliant with NY Education Law §6530, typically 6 years for adults and 6 years post-age-18 for minors (and indefinite retention for certain records)?
  • Are CAQH ProView re-attestations current (typically every 120 days)?
  • Is the practice enrolled in PECOS for Medicare provider enrollment where applicable?

7. Business continuity and continuity-of-care

HIPAA Security Rule §164.308(a)(7) requires a written Contingency Plan with five specific safeguards. Operational continuity is a separate but related discipline.

  • Is there a written Contingency Plan meeting HIPAA §164.308(a)(7)'s five standards (data backup, disaster recovery, emergency mode operation, testing and revision, applications and data criticality analysis)?
  • Has the plan been tested in the last 12 months with documented findings?
  • Is patient record backup to an encrypted, off-site or cloud location confirmed and restoration-tested?
  • Could the practice operate in limited capacity if the primary location were inaccessible for 30 days?
  • Is key-person life insurance in force for providers whose absence would threaten practice operations?
  • Is succession planning documented for the lead clinician, practice manager, and lead coder roles?
  • Is there a documented patient-communication protocol for system outages?
  • Is the cyber business-interruption coverage sized to realistic multi-week outage scenarios?

For the full continuity framework, see our business continuity planning for NY healthcare guide and our healthcare liability overview insight.

What to do after running the checklist

Three post-checklist steps produce a defensible coverage posture at the next renewal.

  1. Tabulate the Gap items. An aggregate list of Gap items is the agenda for the annual coverage review with the broker. Prioritize by coverage-gap severity (lines with no coverage at all take precedence over undersized limits).
  2. Schedule the broker review before renewal. A 60-to-90-minute review with the broker against the Gap list, the current declarations pages, and the current BAAs produces the most complete coverage picture. For the broker-selection framework, see our first-time business insurance guide.
  3. Document remediation. Each Gap item closed should have documented evidence (an endorsement, a new policy, a written procedure, a completed training record, a signed BAA). The documentation is what satisfies regulatory examiners and what makes the next year's checklist more efficient.

For a walkthrough of the current practice coverage stack against this checklist, schedule a consultation with a NY broker who handles healthcare at the small and mid-size practice level.

Frequently asked questions

Ready to talk?

Our team can help you find the right coverage for your situation.