Security: Embezzlement Busters

It started with a few missing checks, a shrinking profit margin, and a sneaking suspicion that something was wrong. The husband-and-wife physician team in Orlando, Fla., who maintained separate offices across the hall from one another, had shared a practice manager for years, granting her exclusive bookkeeping authority and, eventually, power of attorney over the practice. Busy with patients, the physicians rarely took time to review their own accounts, certain that their financial affairs were safely in the hands of a professional they could trust.

They were wrong.

By the time consultant Jennifer Wilkes arrived to sift through the rubble, the office-manager-turned-white-collar-criminal had fled the state. But not before relieving the physicians of tens of thousands of dollars that would never be recovered. “This case was one of the more blatant I’ve seen,” says Wilkes, of Ocoee, Fla. “The office manager had bought airline tickets in her own name, she took out a credit card and bought an in-ground swimming pool for $30,000 for her home, and she opened a bank account for the practice, which allowed her to take the checks coming in as payment to the provider and cash them for herself.”

Employee embezzlement has reached epic proportions, costing U.S. businesses some $652 billion annually, according to the Association of Certified Fraud Examiners. Medical groups are particularly vulnerable.

There are ways to spot crooks before they get their hands in your cookie jar, and there are safeguards you can enlist to trip up even the cleverest thief. But to stay a step ahead, you need to know your enemies - and your friends.

According to Wilkes, her clients (for whom she requested anonymity) made all the classic mistakes. They rarely looked at their credit card statements, which would have alerted them that something was wrong, and they committed the cardinal sin of giving their office manager full signing privileges, which allowed her to sign and cash checks. “These are the kinds of things doctors don’t want to line themselves up for,” says Wilkes. “You need a certain amount of trust in your employees, but you don’t want to give them enough ammunition to ruin you.”

Stephen Pedneault, owner of ForensicAccountingServices.com, based in Glastonbury, Conn., has worked with dozens of practices on embezzlement cases and says they’re at greater risk for being cheated than most other businesses. That’s largely because physicians rely on office managers and other employees to run their clerical business for them, which includes collecting and depositing payments. Many fail to take the necessary precautions to keep their practices safe. “Physician practices are the No. 1 choice victim [for embezzlers],” says Pedneault. “There are just too many areas of opportunity.”

Know thy enemy

Becoming familiar with some of the most prevalent employee theft and embezzlement schemes can help you formulate some safeguard strategies. Not surprisingly, the bulk of thefts occur at the front desk, where employees simply pocket the cash paid for copays and other fees. “With larger copays these days and [cash-only] practices popping up across the country … there’s a lot more money in doctors’ offices than you think,” says Deborah Mathis, a certified public accountant and director of the healthcare services group for Cowan, Gunteski & Co. in Toms River, N.J.

Here are some other common schemes:

Bad checks: The office checkbook is a popular, if unsophisticated, tool for misappropriating funds. The person committing fraud simply writes company checks for personal use and then records them in the check register as legitimate practice expenses, notes the American Academy of Family Practitioners (AAFP). In one scenario, the employee writes out an office check to pay his credit card bill but records the money as paying the office electric bill.

Secret accounts: Dishonest employees in smaller practices (who handle most if not all of the accounting responsibilities) have been known to open a second account in the practice’s name, deposit money into it using a signature stamp, and treat it as their own. The physician never knows the account exists.

The ATM scheme: Patient refunds are another favorite among petty thieves. “Larger practices process hundreds of refunds a month, so it’s easy to process five or six fictitious ones using a patient’s name (or an invented one),” says Pedneault. The employees then take the falsified refund checks and deposit them into their own account using an automated teller machine (ATM). They almost always get away with it. Embezzlers use the same technique to deposit insurance receipts into their own accounts, which can amount to a far greater loss to the practice. “I see a lot of theft surrounding insurance checks,” says Pedneault. “The checks come in, payable to the practice, but the employee can simply put them in with their personal ATM deposits where a teller isn’t there to check it. It works, and embezzlers have figured that out.”

The invisible write-off: Noncash adjustments, used to write off charges that insurance companies deny and cannot be submitted to patients, are another target for abuse. By cashing insurance checks for themselves, employees can make those payments virtually disappear by moving them off the “balance due” record and marking them instead as noncash adjustments under the patient’s account. Doing so removes that sum from the accounts-receivable record, which prevents coworkers from asking questions. “It’s easy to conceal theft through noncash adjustments, and many practices get in trouble that way,” says Pedneault, noting that one medical group he worked with lost $250,000 over 18 months through such a scheme.

High-tech crime: Complex EMRs can also aid criminals. In an unusual case he handled, Pedneault says a provider robbed her practice blind for three years with help from its billing system. The three other providers in her practice, who were paid based on productivity, would key in charges each day for their patients. After hours, she shifted her colleagues’ work to her own code, which gave her a grossly inflated productivity number. She went back into the system after she got paid and undid her work. It took three years to catch her.

Screen your employees

To protect their practice and their money, Mathis says all medical groups should perform basic background checks of any potential new hire. Such screenings identify those with a criminal history, verify that the applicant possesses a valid Social Security number, and uncover any motor vehicle reports containing drug- or alcohol-related driving offenses or information about arrest warrants or suspended licenses. “We recommend background checks for all employees, especially those handling money,” says Mathis. Practices should also cross-check the name of any potential applicant against the Medicare and Medicaid exclusions list, maintained by the Health and Human Services Office of Inspector General. The list identifies any healthcare professional who has been found guilty of Medicare or Medicaid fraud.

Gregory Piche, an attorney and head of the healthcare practice group for the Denver-based Holland & Hart law firm, adds it’s often worthwhile to also secure a credit check for job candidates as well - with their consent. “Credit checks allow you to see how responsible this person has been at handling money and whether they’ve been accruing large amounts of debt,” he explains. A significant debt burden, of course, is not itself a reason to toss their résumé in the trash, notes Piche, but it’s an important piece of their personal profile - especially considering the temptation to dip their hands into the company coffers to pay their own bills.

Other reasons most often cited for employee theft at medical groups? “Sometimes it’s jealousy over the physician’s earning capacity,” says Mathis. Others use stolen funds (or prescription samples) to support a drug or alcohol problem. And sometimes, she says, “they just want to see if they can get away with it.” One thing is clear, however: Employee theft is more common among practices that underpay them. “When employees don’t feel appreciated, that turns to a feeling of entitlement,” says Mathis.

A good offense

Background checks, of course, aren’t the only effective weapon in the war against embezzlement. One of the best ways to protect your practice is to separate financial responsibilities. In short: Be sure the person who handles accounts receivable is not the same person handling accounts payable.

Teri Arseneau, practice manager of UP Rehab Medicine Associates, a four-physician practice in Marquette, Mich., implemented a similar policy at her own office after hearing countless stories of theft at practices in her community. “My front-office personnel receive cash copays and account payments, and they are responsible for writing receipts for every payment they take in, but they’re not the ones who actually post those payments to an account,” she says. Arseneau, who processes all refund checks herself, even took steps to keep her own work responsibilities separate. “My physicians wanted to give me signature authority on our office checks, and I refused it,” she says. “They have to be the ones to sign all checks. You never want to create even the appearance of impropriety.”

Check your receipts: Receipts can also help thwart would-be thieves. “The staff should write a receipt for every payment, whether cash or check, and keep the other copy in the office book,” says Pedneault. “That way, the physicians can quickly look at the deposits at the end of the day and say, ‘OK, does that match what the receipts say?’” Practices should compare the receipts with what was posted for payment and what made it to the bank. “It’s a triangle of what comes in, gets posted, and gets deposited,” Pedneault says. “Practices that don’t do that get caught.” Medical groups can help ensure their office staff issues receipts by posting a sign alerting patients that they should expect a receipt for any payment made. “That keeps the staff honest and puts the other side on notice that they should get a receipt too,” Pedneault says.

Cross-train staff: Piche notes it’s equally important to cross-train the clerical staff (where possible) so multiple employees know how to balance the books. “There has to be more than one person who knows how to update accounts and make deposits,” he says. The same goes for the physicians. The AAFP recommends physicians train themselves to use their accounting system and practice management software, making sure they’re aware of how cash is collected in their practices.

Enforce vacation policies: It’s also wise to require that employees take at least five consecutive days of vacation annually, AAFP suggests, which not only improves staff morale, but also gives coworkers a chance to look over accounting records for a full week. Arseneau agrees. Physicians, she says, should remain watchful of office managers or other employees responsible for financial transactions who resist taking time off. “If an employee never allows anyone else to be involved in financial transactions or anyone else to help monitor their work, there’s no way to discover there’s a problem,” she says.

Guard your statements: Physicians can stay abreast of their group’s financial affairs and send a message to their staff by requiring that all bank statements be delivered to them unopened, writes the Texas Medical Association (TMA) in a tip sheet designed to help practices prevent embezzlement. Pedneault takes the idea a step further: “Monthly bank statements should be mailed right to the owners’ homes, not to the practice.”

Sign your own checks: Virtually all experts recommend physicians sign each check their practice issues. For those in larger medical groups, the TMA suggests two signatures be required - one being that of a physician. When possible, avoid using signature stamps, and never presign checks.

Follow the numbers: A simple line graph in Excel or another software program that tracks monthly charge trends, collections, and adjustments can reveal financial misconduct early on. In cases in which employees are abusing noncash adjustments, for example, the line chart would show the adjustments climbing higher each month. Similarly, practices should track their “aging” report, which identifies past-due accounts. “Most people who steal receipts aren’t smart enough to take it off the aging report or accounts-receivable record,” says Pedneault. “That report is going to get bigger and bigger and older and older, which you would easily see by trending it against the last 12 months.”

Write a policy on theft: Too few practices distribute a clear and concise policy statement outlining the expectations of the practice and specifically addressing how they will deal with employee theft. “Most practices don’t pay enough attention to this,” says Piche, adding some practices set up a hotline that staff can call to anonymously report suspicious activity. “You need to have an open-door policy at the very least, so employees feel comfortable coming in and discussing these issues with management,” he says.

Test your controls: You should also regularly test the checks and balances you have in place. This ensures that your safeguards are working and alerts staff that you are watching. “One of the best deterrents to potential embezzlers is the knowledge that someone will be reviewing their work,” says Mathis.

Check your statements: Practices that accept credit cards for copay balances and other fees receive a monthly merchant statement or an activity report of all charges. If an employee processes a fictitious refund charge through her own credit card, it’ll show up on the merchant statement. Yet few physicians bother to read it.

Offer to help: In cases in which employees are struggling with personal debt, practices might consider directing them to a debt-counseling service or implementing advance salary payments or short-term loans to help them over the hump. “A lot of it has to do with morale in the office,” says Piche. “If there’s a lot of tension in the office and the staff is not getting along, that breeds a willingness to take advantage of the situation.”

Protect your patients, too: Of course, fraud and embezzlement don’t just affect businesses. You should take the same precautions to protect your patients’ financial records as well. “Identity theft is an increasingly common problem in the healthcare setting,” says Piche. “In many practices, employees can easily access patients’ financial records, so there needs to be levels of access granted to computerized patient information, or, if it’s still in a paper file, that information needs to be kept under lock and key with limited access to who gets to look at it.”

Most fraud perpetrated at medical groups involves unsophisticated schemes, easily uncovered through basic monitoring and internal controls. The best defense, of course, is a good offense - taking the time to separate financial responsibilities, spending a little extra to screen job candidates, testing your safeguards, and cross-training staff can prevent such crimes from happening to begin with.

Shelly K. Schwartz is a freelance writer in Maplewood, N.J., who has covered personal finance, technology, and healthcare for 12 years. Her work has appeared on CNNMoney.com, Bankrate.com, and Healthy Family magazine. She can be reached via editor@physicianspractice.com.

This article originally appeared in the April 2007 issue of Physicians Practice.