June 5, 2019
Conferring with your attorney before terminating an employee and making sure the malpractice premium is paid on time are obvious risk management activities. Others are less obvious and require a bit more sleuthing to assess the level of risk and create a plan of action.
Here are six we find many practices overlook, along with how to address them.
1. Non-encrypted storage of patient credit card numbers.
It’s worrisome when we find an Excel spreadsheet of patient names and credit card numbers floating around the billing office. It happens a lot more often than you’d think.
Do we recommend that practices collect credit card numbers so they can offer automated, monthly payments by credit card? Absolutely. But managing this data by spreadsheet is very risky. If you are doing this, or using Post-It Notes instead, stop immediately. If there are charges on the card, the practice is on the hook for the theft because the number was stored carelessly.
There are multiple cases involving employees stealing patient data such as this. Here’s an example of one that made headlines: two office assistants in Florida medical offices stole patient information and sold it to co-conspirators. They were charged with fraud and HIPAA violations. To reduce the risk of this happening to your practice, use a secure payment processing system that is PCI-compliant. In such a system, credit card numbers are stored in an encrypted database and none of the staff have access to the full number.
2. E/M coding patterns.
It’s no secret that CMS has stepped up its audits of level 4 and 5 office visit codes. That means if your physicians submit more level 4 and 5 codes than their peers, they may be targeted for a Medicare audit or take back.
The risk mitigation strategy is to pull a year’s worth of E/M coding pattern data for each physician or NPP, and the entire practice, and compare it to the Medicare data for your specialty and state, as well as nationally. Ideally, do this analysis twice a year.
Generate a CPT frequency report from the practice management system and compare it with Medicare data in your specialty and state. Save loads of time by purchasing our E/M Profile Analyzer, which does all this for you after you enter your E/M frequency data. The comparative graphs make it easy to spot physician outliers. Or, purchase the data directly from CMS, sort out and parse the data for your specialty and state, and create comparative graphs using a spreadsheet program. Remember: outliers don’t necessarily indicate incorrect coding. They simply indicate that you must take a deeper look by pulling some records and reviewing the documentation to be sure it supports the code. If not, education is in order.
3. Cash handling and accounts payable protocols.
The front desk is a common place we uncover employee embezzlement. We’ve also caught schemes where staff create and pay invoices to fake vendors for products you never ordered or received.
Certain standard accounting procedures guard against theft at the front desk, and modern practices know how to set them up. For instance, the daily close process must include specific steps to ensure the amounts posted to the computer system match money collected and deposited daily at the bank, and that all charge tickets, paper or electronic, are accounted for. And, good cash controls dictate that certain tasks – such as collecting money and preparing/making the deposit – must be separated. Review your cash handling systems and check signing protocols to make sure they are tight, and ask the accountant to perform a checks and balances review annually.
4. Online reputation management.
If someone on your team isn’t reviewing patient ratings on a weekly or monthly basis, you need to add that to your to-do list.
Patients who rate physicians or the practice poorly on rating sites, or post negative experiences in social media, are a practice risk. Proactively monitor what’s being said about your practice and its physicians, and work with an attorney to develop a protocol for addressing negative reviews.
5. Credit balances.
A group of six surgeons we worked with thought they only needed to make refunds when a patient or payor requested them. They hadn’t run a credit balance report for quite a while. When we asked them to, the report was 65 pages long and totaled $74,000. Big problem.
Credit balances are monies you owe to patients or payors. You can’t wait until they are asked for – you must refund the money or risk non-compliance. For more detail, read this recent KZA Blog by attorney Daniel Shay – Key Questions and Answers for Medicare Voluntary Repayments. It’s good advice even if Medicare isn’t in the picture.
Review the credit balance report monthly and create a refund policy and protocol that expedites repayments so you aren’t carrying credit balances. Your practice should be cutting refund checks on at least a monthly basis.