Five Often-Overlooked Areas of Medical Practice Risk

November 9, 2016

Physicians are first concerned with treating patients. But they are also business owners. It is a mistake not to review potential areas of risk.

The end of the year is a great time for physicians to review practice operations and policies and assess what's being done well, what can be improved, and where priorities for next year lie. Reducing overhead and improving collections are no doubt high on that list. But don't overlook the importance of managing risks - here are five that we find, all too often, are unaddressed in practices.

1. Not conducting background checks as part of the hiring process

Running a background check on your chosen candidate for any position is a critical aspect of effective hiring. You'd be amazed at how many job candidates are up to their ears in debt, have been convicted of a crime, or never attended the university listed on their resume (or perhaps any university). For less than $100 per candidate, a background check provides valuable insight, and can help you avoid adding unsavory characters to your team. Had one been conducted during a Chicago practice's recruitment process, for example, the physician wouldn't have offered a position to a thief who took off with $250,000 in practice receipts. The employee had previously been convicted of embezzlement, and a background check would have exposed this.

Reduce your risk by conducting background checks for all final candidates. Trusted Employees is one company that provides this service at reasonable rates.

2. Being too casual about electronic safety

Do front-desk staff members keep their computer and clearinghouse login credentials on a Post-It Note stuck to their desk? Do some employees know each other's passwords because they've been set up using the names of children or pets? Do physicians and/or the outside billing service login to the practice management system or EHR remotely, using an unencrypted Internet channel? Is your practice still using email instead of secure messaging to communicate with patients? If you can answer yes to any of these questions, you are not alone. A lackadaisical attitude about Internet safety is a common risk in physician practices. But with the number of healthcare data breaches increasing, it's more important than ever to practice good cyber-hygiene.

Start with simple steps, such as insisting that staff use strong passwords and not share them. Hire an IT consultant to conduct a data security assessment (an annual HIPAA requirement that many practices skip). Establish encrypted connections between all electronic sites and devices. And cease and desist with emailing patients; move to secure messaging instead.

3. Under-coding E&M services

This is a revenue risk that can double as an audit risk if you under-code consistently.

First, coding a level below the service you actually deliver and document is a financial faux pas. You may think that under-coding five established visits each week is no big deal. But, for example, $25 less reimbursement each time you under-code, multiplied by 48 weeks per year, adds up to $6,000 annually. And assuming you under-code new patients at this same volume, you're up to $12,000.

Second, consistent under-coding can also draw unwanted payer attention to the practice. For example, CMS analyzes coding patterns of physicians in the same specialty and state, as well as national averages. Falling outside the bell curve of your peers' coding patterns can make you a potential audit target.

If you haven't reviewed E&M usage in recent memory, generate a report from the computer system of all E&M codes used for each physician, for a one-year time frame. Create bar graphs that show each physician's usage pattern, and request your specialty and state data from CMS to compare it against the coding patterns of your physician colleagues. Or, to significantly short cut this arduous process, use a tool such as the E&M Profile Analyzer. Enter your CPT data for each physician and the product does the rest, producing easy-to-read graphs for analysis.

4. Abdicating vital knowledge

Although physicians and administrators don't need to know every last software feature or operational protocol, the medical practice is at risk if physician leaders don't understand essential business functions and review vital reports. If you know how to read the clearinghouse report, for example, you'll notice when staff has stopped correcting and re-submitting daily front-end claim edits. If you take the time to review the adjustments report at least quarterly, you'll be more apt to ask questions about why so much is being written off to categories you don't recognize. And if you ask the billing team to provide a status of the top 10 largest account balances each month, you'll get a sense of how well denials and revenue cycle are being managed.

5. Sloppy cash controls

Poor cash controls are still one of the most common risks we discover during our consultations. Make sure the practice's "daily close procedure" balances charges and collected amounts with the totals shown on computer reports. Reconcile patient encounter forms and electronic numbers daily to be sure each has been "closed out." Make sure the month-end bank balance matches the practice-management system report of total collections. Don't allow the person who opens the mail to post payments or write refund checks. And no one but physician owners should sign checks. Period.

Contact your accountant and arrange for a year-end assessment of cash handling procedures. Make 2017 the year you seal the holes and make cash controls airtight.

Karen Zupkois president of practice-management consulting and training firm KarenZupko & Associates, Inc., which has been working for and with physicians for more than 30 years.