Five Often-Overlooked Areas of Medical Practice Risk

By Karen Zupko

Source: Physicians Practice

Physicians are first concerned with treating patients. But they are also business owners. It is a

mistake not to review potential areas of risk.

The end of the year is a great time for physicians to review practice operations and policies and

assess what’s being done well, what can be improved, and where priorities for next year lie.

Reducing overhead and improving collections are no doubt high on that list. But don’t overlook the

importance of managing risks — here are five that we find, all too often, are unaddressed in

practices.

1. Not conducting background checks as part of the hiring process

Running a background check on your chosen candidate for any position is a critical aspect of

effective hiring. You’d be amazed at how many job candidates are up to their ears in debt, have been

convicted of a crime, or never attended the university listed on their resume (or perhaps any

university). For less than $100 per candidate, a background check provides valuable insight, and can

help you avoid adding unsavory characters to your team. Had one been conducted during a Chicago

practice’s recruitment process, for example, the physician wouldn’t have offered a position to a thief

who took off with $250,000 in practice receipts. The employee had previously been convicted of

embezzlement, and a background check would have exposed this. Reduce your risk by conducting background checks for all final candidates. Trusted Employees is one company that provides this service at reasonable rates.

2. Being too casual about electronic safety

Do front-desk staff members keep their computer and clearinghouse login credentials on a Post-It

Note stuck to their desk? Do some employees know each other’s passwords because they’ve been

set up using the names of children or pets? Do physicians and/or the outside billing service login to

the practice management system or EHR remotely, using an unencrypted Internet channel? Is your

practice still using email instead of secure messaging to communicate with patients? If you can

answer yes to any of these questions, you are not alone. A lackadaisical attitude about Internet

safety is a common risk in physician practices. But with the number of healthcare data breaches

increasing, it’s more important than ever to practice good cyber-hygiene.

Start with simple steps, such as insisting that staff use strong passwords and not share them. Hire an

IT consultant to conduct a data security assessment (an annual HIPAA requirement that many

practices skip). Establish encrypted connections between all electronic sites and devices. And cease

and desist with emailing patients; move to secure messaging instead.

3. Under-coding E&M services

This is a revenue risk that can double as an audit risk if you under-code consistently.

First, coding a level below the service you actually deliver and document is a financial faux pas. You

may think that under-coding five established visits each week is no big deal. But, for example, $25

less reimbursement each time you under-code, multiplied by 48 weeks per year, adds up to $6,000

annually. And assuming you under-code new patients at this same volume, you’re up to $12,000.

Second, consistent under-coding can also draw unwanted payer attention to the practice. For

example, CMS analyzes coding patterns of physicians in the same specialty and state, as well as

national averages. Falling outside the bell curve of your peers’ coding patterns can make you a

potential audit target.

If you haven’t reviewed E&M usage in recent memory, generate a report from the computer system

of all E&M codes used for each physician, for a one-year time frame. Create bar graphs that show

each physician’s usage pattern, and request your specialty and state data from CMS to compare it

against the coding patterns of your physician colleagues. Or, to significantly short cut this arduous

process, use a tool such as the E&M Profile Analyzer. Enter your CPT data for each physician and the

product does the rest, producing easy-to-read graphs for analysis.

4. Abdicating vital knowledge

Although physicians and administrators don’t need to know every last software feature or

operational protocol, the medical practice is at risk if physician leaders don’t understand essential

business functions and review vital reports. If you know how to read the clearinghouse report, for

example, you’ll notice when staff has stopped correcting and re-submitting daily front-end claim

edits. If you take the time to review the adjustments report at least quarterly, you’ll be more apt to

ask questions about why so much is being written off to categories you don’t recognize. And if you

ask the billing team to provide a status of the top 10 largest account balances each month, you’ll get

a sense of how well denials and revenue cycle are being managed.

5. Sloppy cash controls

Poor cash controls are still one of the most common risks we discover during our consultations. Make

sure the practice’s "daily close procedure" balances charges and collected amounts with the totals

shown on computer reports. Reconcile patient encounter forms and electronic numbers daily to be

sure each has been "closed out." Make sure the month-end bank balance matches the

practice-management system report of total collections. Don’t allow the person who opens the mail

to post payments or write refund checks. And no one but physician owners should sign checks.

Period.

Contact your accountant and arrange for a year-end assessment of cash handling procedures. Make

2017 the year you seal the holes and make cash controls airtight.

Karen Zupko is president of practice-management consulting and training firm KarenZupko &

Associates, Inc., which has been working for and with physicians for more than 30 years.

Leave Comment

Your email address will not be published. Required fields are marked *