Whether you’re considering selling your practice, growing your practice, or maintaining the status quo, it’s important to periodically do a checkup on your internal operations and compliance with the law. It’s always preferable to discover problems within your practice and correct them (if possible) before those issues are discovered by third parties, such as the government or a potential buyer.
July 2015

A failure to review your internal operations prior to selling your practice could limit the interest of potential buyers, delay the closing of a sale, and reduce the economic benefit to you. Increased attention from recovery audit contractors (RACs) and other government agencies that are tasked with finding instances of Medicare and other government expenditure overpayments may also ensue.
This article describes some key areas to address when conducting a checkup of your practice.
Relationships with Referral Sources
Your relationships with referral sources can be a source of potential risk and should be high on your list in an internal review. This may include meeting and interviewing employees in various roles within your organization to best capture an understanding of these relationships.
Consider using the following questions in your review checklist:
- Do you have any business relationships with referral sources or recipients of your referrals?
- Do you have any “discount” or other benefits that are provided to referral sources? If yes, these should be vetted by legal counsel to ensure that such arrangements are permissible under fraud and abuse laws.
- Do you have written internal policies and procedures that ensure compliance with all regulatory requirements associated with your referral relationships?
Marketing and Sales Activities
Review all of your marketing and sales materials to determine if there are any circumstances in which your marketing activities may involve potential fraud and abuse law violations (e.g., referrals from physicians with a financial interest in the practice). Do you have written policies and procedures that address appropriate and inappropriate marketing and sales activities? If not, implementing written policies and procedures and conducting training for all personnel who may be involved in such activities should be a priority.
Financial Documentation Review
Do you regularly review the coding and charge information for your office visits and procedures? This information can change often, and there should be mechanisms in place to capture those changes. Also, do your medical records document the medical necessity of the procedures performed? This could prove important in government audits and post-payment reviews. Accurate financial reporting is important, and your accounting practice should be consistent. Accounting reports must be prepared in accordance with recognized accounting standards.
Licensure and Human Resources
Ensure that both the practice and each professional (e.g., physician, nurse, nurse practitioner) have maintained all required licenses, accreditations, certifications, and other requirements. Review your employee handbook and current employment and independent contractor agreements to ensure they are up to date and that there have not been any changes in law that would affect the validity of any contract provision. For example, if your employment agreement includes a restrictive covenant, such as a noncompetition clause, it’s possible that state law may have changed regarding the enforceability of such a provision since the contract was signed.
Data Privacy and Security
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations are intended to protect the privacy and security of patients’ protected health information. Ensure your practice has implemented (and enforces) internal policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules. The HIPAA Privacy Rule provides limitations and conditions on the use and disclosure of patients’ protected health information. The HIPAA Security Rule requires implementation of administrative, physical, and technical safeguards and certain other organizational requirements to protect the confidentiality and security of electronic protected health information. The HIPAA Breach Notification Rule outlines the requirements pertaining to responding to breaches of patient protected health information.