Digital Health Insurance for a Series A Raise

The four coverage lines investors examine for digital health Series A, typical limit ranges, common founder mistakes, and how to time placement with the close.

10 min read · Digital Health · May 12, 2026

Insurance becomes a real diligence line at Series A. Lead investor counsel will ask for in-force coverage summaries, sample certificates of insurance, and policy declarations pages as part of the diligence package. Gaps surface late, usually after the term sheet is signed, when binding new coverage under deadline pressure narrows the options available.

Digital health startups face a more demanding version of this process than generic software companies. PHI exposure, FDA-regulated software components, telehealth services, and Business Associate Agreements introduce coverage requirements that bundled startup packages do not address. The decisions a founder makes about insurance pre-Series A will affect program structure, cost, and gap exposure through Series B and beyond. For the full arc across rounds rather than Series A alone, see how insurance changes at each funding stage. For the cross-segment view of Series A insurance requirements, see what investors require at Series A for a life sciences company.

This walks through the four coverage lines investors typically examine, the limit ranges that come up in negotiation, the structural mistakes that show up repeatedly in pre-Series A reviews, and how to time the placement so the program lands cleanly with the close.

Why Series A Investors Care About Insurance

Three reasons.

Board protection. The institutional director placed by the lead investor will require Side A D&O coverage before accepting a board seat. Side A is the structural mechanism that indemnifies directors and officers personally when the company cannot or will not, which is the protection institutional directors need to serve.

Investment protection. D&O Side B reimburses the company for indemnification provided to directors and officers. Side C covers the company directly for securities claims. Cyber, technology errors and omissions, and employment practices coverage protect operating P&L from losses that would otherwise erode the runway purchased with the round.

Operational signal. A coherent insurance program reads as further along in operational maturity than a generic bundled package or an absent one. Diligence reviewers form impressions about how the company will handle other operating decisions based on what they see in the program structure.

Investor counsel typically reviews three documents: the in-force coverage summary, sample certificates, and policy declarations. The checks are mechanical. Is coverage in place and current? Are limits commensurate with round size? Does the named insured properly cover the operating entity? Does D&O include Side A? Does cyber include regulatory defense and breach response?

The Four Coverage Lines

Directors and Officers (D&O)

D&O is structured in three sides. Side A indemnifies directors and officers personally. Side B reimburses the company for indemnification it provides. Side C covers the company directly for securities claims.

The decision at Series A is not whether to buy D&O. It is whether the policy is structured to satisfy investor counsel and to underwrite the actual risk profile of the company.

Underwriting questions focus on pivot history, founder backgrounds, regulatory posture, PHI volume, and FDA-regulated product status. Some specialty markets restrict appetite based on therapeutic area. Mental health and substance use platforms have seen claim severity run higher in recent years, which has tightened appetite in those segments.

A weak D&O placement at Series A propagates to Series B, where the company will face questions about why limits were not increased, why exclusions exist, and what the claim history is. Getting the structure right early reduces friction later.

Cyber and HIPAA

Cyber covers first-party costs from a security incident: forensic investigation, breach notification, credit monitoring, business interruption from a covered event, and cyber extortion. It also covers third-party claims for breach of PHI, breach of contract under Business Associate Agreements, and network security and privacy actions. Regulatory defense and penalty coverage funds OCR investigations, state attorney general inquiries, and FTC actions.

For digital health, the structural question is whether the cyber policy explicitly contemplates PHI and Business Associate Agreements. A policy that covers generic data breach is not the same as a policy that addresses BAA-flowed contractual liability and HIPAA-specific regulatory exposure. Standard tech-startup cyber forms often cap regulatory coverage at limits that do not reflect actual OCR enforcement activity.

The regulatory floor has moved. The 2026 HIPAA Security Rule updates introduced mandatory multi-factor authentication, network segmentation, encryption of ePHI at rest and in transit, and 72-hour breach notification to OCR. Risk analysis is now the central enforcement focus. OCR scrutinizes whether covered entities and business associates maintain current BAAs and demonstrate ongoing risk management, not whether they produced a one-time analysis document.

HIPAA penalty tiers, as adjusted by HHS effective January 28, 2026, run from $145 per violation at the lowest tier (no knowledge) up to a $2,190,294 annual cap at the willful-neglect tier. OCR’s 2019 Notice of Enforcement Discretion still functions to reduce annual caps for the lower tiers in practice, but the upper-tier maximums are what regulatory defense coverage is built to address.

The decision at Series A is calibrating limits and sub-limits to actual PHI volume and contractual BAA obligations. A cyber policy sized for a generic B2B SaaS company leaves structural gaps if the company processes PHI for one or more covered entities or operates under signed BAAs.

Technology Errors and Omissions (Tech E&O)

Tech E&O addresses claims arising from software failures, service downtime, technical errors, and professional service delivery that cause financial loss to clients or end users. The complication for digital health is that pure-SaaS Tech E&O does not anticipate the clinical decision-impact dimension.

A pure software company faces Tech E&O exposure when its product fails to perform. A digital health platform making clinical recommendations, delivering telehealth, or operating as Software as a Medical Device faces hybrid exposure: software failure that creates a clinical decision impact. FDA-regulated SaMD with 510(k) clearance carries products-liability-style exposure that traditional Tech E&O policies can explicitly exclude.

In 2024, all 168 AI/ML-enabled medical devices the FDA cleared came through at Class II. The PCCP framework finalized in August 2025 allows pre-authorized modifications for AI-enabled SaMD, which changes how product-iteration risk is underwritten. The Quality Management System Regulation compliance date of February 2, 2026 aligned U.S. QMS requirements with ISO 13485:2016, raising the documentation bar for any 510(k) submission supporting a SaMD product.

The decision at Series A is whether the Tech E&O policy contains language contemplating clinical decision support, telehealth professional liability, and SaMD where applicable. Generalist tech E&O forms will not. The placement needs to come from a market that writes life sciences product liability, not from a generic technology MGA.

Employment Practices Liability (EPLI)

EPLI covers wrongful termination, discrimination, harassment, retaliation, and wage-and-hour claims. The reason this matters at Series A is that the round typically coincides with team scaling past 15 to 20 employees. Most EPLI claims emerge during growth-stage scaling: terminations after rapid hiring, culture conflicts as teams cross integration thresholds, and policy gaps that did not matter at five employees but start to matter at twenty-five.

EPLI is often packaged with D&O under a single management liability program. The decision is sub-limit adequacy and whether the policy covers third-party claims, meaning claims by non-employees (contractors, clinical site staff) against the company for harassment or discrimination.

How Coverage Scales at Series A

Coverage levels in Series A diligence negotiations depend on round size, headcount, PHI volume, FDA-regulated product status, lead investor preference, and the company’s specific exposure profile. The framing below describes the factors that drive each placement.

D&O scales with investor diligence expectations, board composition, and securities risk profile. Companies with institutional capital and independent directors typically carry larger primary and excess programs than founder-led companies with smaller rounds.

Cyber and HIPAA limits are calibrated to PHI volume under management, BAA contractual obligations, and the regulatory defense exposure inherent in the company’s data handling profile. Companies operating as a Business Associate for multiple covered entities or processing large PHI volumes secure larger primary limits and higher regulatory defense sub-limits than companies with lighter PHI exposure.

Tech E&O scales with the company’s service delivery footprint and the severity exposure of clinical decision support, telehealth, or SaMD functions. Companies with FDA-regulated software components or clinical decision support carry higher primary limits than pure-SaaS B2B operations.

EPLI scales with headcount, geographic footprint, and historical employment claim frequency. The coverage typically enters meaningfully at Series A as the team scales past early-stage hiring patterns.

The digital health specialty market is concentrated. Most Series A programs land with a recognizable subset of carriers regardless of which broker writes the placement. The question is structure and wording, not which logo appears at the top of the declarations page.

Common Founder Mistakes

Several patterns appear repeatedly in pre-Series A program reviews.

Buying bundled startup packages that exclude PHI or SaMD. Programs sold to general technology startups often have HIPAA exclusions or cap cyber coverage to non-PHI data exposure. The exclusions section of any quote is where the structural gaps live. Reading it before binding is the cheapest diligence in the program.

Waiting until investor counsel asks. By the time the diligence list arrives, the company is under deadline pressure with narrowed market options. Specialty underwriters prefer to write business when the placement is not a transaction emergency, and they price accordingly.

Under-buying cyber relative to actual PHI exposure. A cyber policy sized for a generic B2B SaaS company leaves structural gaps for a company that processes PHI for one or more covered entities or operates under signed BAAs. The 2026 Security Rule update raised the floor on what carriers expect to see in security controls before they write meaningful regulatory limits.

Missing the Business Associate exposure in policy wording. Standard cyber forms address generic data breach. They do not always explicitly cover BAA contractual liability, indemnification owed to covered entities, or contractual breach notification obligations. With OCR shifting enforcement focus toward business associates in 2025-2026, the wording is the placement.

Mistiming the program with the close. Effective dates need to align with the close milestone, not legacy pre-formation entity dates. Investor counsel checks this. A policy effective the day after close looks worse on the diligence call than a policy effective the day of close.

Not coordinating Tech E&O with medical professional liability. Clinical decision support, telehealth platforms, and SaMD operate in a coverage gray zone where software failure and clinical decision exposure can be triggered by the same event. A program that addresses one and not the other leaves a structural gap that surfaces under claim.

How to Time the Placement

The cleanest sequence starts the placement 30 to 60 days before the expected close.

Each line gets underwritten on its merits rather than under deadline. Certificate of insurance, declarations pages, and broker presentation are ready when investor counsel asks. Effective dates can be matched to the close milestone. Sub-limits and endorsement language can be negotiated without sacrificing terms for speed. If a market comes back with conditional terms, there is time to address the conditions or pivot to a different placement.

Founders who get the program in place before diligence opens reach close with one fewer thing to negotiate. Founders who wait until the term sheet face options narrowed by appetite restrictions or by rushed underwriting that leaves coverage gaps the next round will inherit.

A Note on Placement

MedTech Coverage works with digital health and SaMD founders on programs structured around FDA-regulated software, clinical decision support, and Business Associate exposure. Coverage is placed through Tower Street Insurance’s appointments with the specialty markets writing this segment.

If a Series A is approaching and the current program needs to be reviewed before diligence opens, a structured coverage review produces a working document calibrated to segment, stage, FDA-regulated product status, and PHI exposure.
