Your healthy practice July/August 2011


Published in: Business, Economy & Finance

  1. Data breaches are costly: Protect yourself and your practice

     July/August 2011

     A flash drive goes missing. A laptop gets stolen. An employee tosses old patient files in the trash. It can happen. Medical data breaches represented more than 24 percent of all data breaches reported nationwide in 2010, according to the Identity Theft Resource Center.

     However, many breaches go unreported publicly because they involve fewer than 500 records. In those cases, the Health Information Technology for Economic and Clinical Health (HITECH) Act requires only that a provider or other covered entity notify the secretary of the Department of Health and Human Services of a breach within 60 days of the end of the calendar year in which the breach occurred.

     Providers should have security measures that comply with the strengthened enforcement and privacy protections provided under HITECH and the Health Insurance Portability and Accountability Act – better known as HIPAA. Protect your data with antivirus software, network firewalls and encryption.

     Under HITECH, providers do not need to take any action if lost or stolen data is encrypted. Nevertheless, no security plan is 100 percent foolproof.

     In the event of a breach, comprehensive general liability (CGL) policies do not cover any losses. This lack has spurred the rise of cyber liability or data breach insurance.

     Some medical malpractice insurers now include data breach insurance in their general malpractice policies. Some commercial liability insurers offer coverage as an enhancement to a CGL policy. But most insurers can provide stand-alone policies to help protect organizations from what can be a financial nightmare.

     The cost of dealing with a healthcare breach averages $301 per compromised record, according to the 2010 U.S. Cost of a Data Breach study released by Ponemon Institute in March 2011. For the average physician’s panel of 2,030 patients, a breach can total more than $611,000. Expenses include legal, investigative, audit and administrative services, as

     See Data breaches on page 2

     Inside:
     ➜ Your practice is a business: Is it managed that way?
     ➜ Cautious steps wise when merging medical practices

     A financial and management bulletin to physicians and medical practices from: CERTIFIED PUBLIC ACCOUNTANTS, 3330 W. Esplanade Avenue • Suite 100 • Metairie, Louisiana 70002 • (504) 838-9991 • Fax: (504) 833-7971
  2. Data breaches (continued from page 1)

     well as the loss of patients and reputation. Of the 15 industries covered in the Ponemon study, health care and pharmaceuticals shared the top spot for abnormal turnover of customers after an incident.

     Then there are the federal and state regulators. They can impose hefty penalties for mishandled data.

     In March, Massachusetts General Hospital was fined $1 million for the loss of 192 patients’ files inadvertently left on a subway train by an employee. Unintentional employee action, lost or stolen computing devices, and third-party error were the major causes of healthcare data breaches, according to a Ponemon study.

     When purchasing data breach insurance, be aware that policies vary considerably from carrier to carrier. For example, some insurers offer additional coverage for civil penalties or regulatory fines. Others do not.

     Many states prohibit coverage for statutory or regulatory fines and penalties as against public policy. An insurer might include third-party exposure but not first-party coverage.

     Read exclusions carefully. Although a policy might include first-party coverage, it could exclude the acts of a rogue employee. A knowledgeable broker or consultant can help you review policy terms to ensure that you get coverage to best fit your needs.

     Generally, comprehensive stand-alone policies can cover costs, up to certain limits, for items such as:

     ▲ Legal defense
     ▲ Investigation and forensic services
     ▲ Notification requirements as stipulated under the HITECH Act
     ▲ Credit monitoring for affected individuals
     ▲ Data recovery
     ▲ Public relations management
     ▲ Network and/or business interruption

     The cost of a $1 million policy can run from a minimum of $1,500 to $5,000 or more, depending on a practice’s size and number of data records, policy features and associated risks. Underwriters will want to know that a practice is financially stable, has not had any losses and has mitigated risk.

     Mitigating risk includes written policies and procedures, employee training and monitoring, installation of appropriate computer security software, and contractual allocation of liability, among other things.

     Purchasing insurance does not absolve an organization from complying with federal and state regulations, ensuring that security measures are in place, or having a plan of action should a data breach occur.

     Experts believe the number of breaches is certain to rise as we move toward greater adoption of electronic health records.

     The Ponemon Institute has developed a data breach risk calculator that can estimate an organization’s risk profile, the average cost per compromised record and the average cost per breach.

     You can also see how your risk profile compares with other healthcare organizations and industries. To check your risk, go to

     – Irene E. Lombardo

     The root causes of patient data loss or theft

     Unintentional action: 52%
     Lost or stolen computing device: 41%
     Third-party snafu: 34%
     Technical systems glitch: 31%
     Criminal attack: 20%
     Malicious insider: 15%
     Intentional non-malicious action: 10%

     Source: Benchmark Study on Patient Privacy and Data Security, Ponemon Institute LLC, Nov. 9, 2010
  3. Your practice is a business: Is it managed that way?

     Medical practices succeed by design, not by accident. Approximately 80 percent of all new businesses fail because their owners do not take the time to formulate a business plan and manage its execution. In this regard, health care is like any other business.

     Here are four reasons why medical practices fail as a business:

     1. Your medical skills do not guarantee success.

        There are many talented people who are unable to run a successful business. Being an expert with a particular set of skills that are in high demand is a good start, but it is no guarantee of financial success.

        History is littered with smart people who could not take a new product or idea and make it into a commercial success.

     2. Your office manager should not run your medical practice.

        There is a big difference between delegation of authority and abdication of responsibility. Office managers and other employees are essential to the success of your practice.

        But there can be only one CEO. Unless you are willing to take responsibility for vision, strategy and leadership, you have not taken ownership of your practice.

        Hiring an experienced office manager is no guarantee that you are hiring the right person for your practice. By establishing your vision for the practice and the goals you want to achieve, you increase the likelihood of hiring a person who shares that vision and has experience managing toward those goals.

        The only truly indispensable employee in your practice should be you.

     3. Practice management does not equate to business management.

        Practice management focuses on the delivery of care to patients. Business management focuses on allowing the practice to be successful.

        Unless the business is well managed, the practice cannot succeed. Running your own medical practice is a for-profit operation. It should be run like the business it is.

     4. Patient care is not the key to profitability.

        It is fair to say that no one is born with basic business management skills. You should be willing to take a week out of your career for a course in business management.

        You should also plan to spend 25 to 30 percent of your time focused on the business of the practice, not on seeing patients. If you are going to invest in a medical practice, you must be willing to monitor that investment. If you are unwilling to commit to that responsibility, you should find a practice where you can sign on as an employee.

     Ask yourself two questions:

     ▲ Why did you go into medicine?
     ▲ Why do you want to own your practice?

     If owning your practice fulfills your purpose, you need to invest just a fraction of the time you spent on your medical training to learn business management skills.

     – Michael Redemske, CPA

     Cautious steps (continued from page 4)

     It may also be necessary to obtain the services of an appraiser to value the respective practices and help determine the appropriate ownership percentages that will reflect each party’s relative contribution to the merged entity.

     With proper planning, a merger of two medical practices should be accomplished in a reasonably painless fashion over a period of about three months.

     They should figure one month to discuss the general terms of the deal and reach a letter of intent. Then they should plan on a second month for each party to conduct due diligence on the other’s practice. Finally, they should expect the drafting of the closing documents and the actual closing to take another month.

     – Michael Redemske, CPA
  4. Cautious steps wise when merging medical practices

     Two medical practitioners might merge their practices for any number of reasons. Sharing office space, covering one another’s patients during vacations and other absences, and preparing for retirement are just a few.

     Once a practice has identified a potential merger candidate, it is a good idea to enter into a nondisclosure agreement early in the process to protect both parties’ confidential information. As the deal progresses, they may consider moving to a letter of intent.

     A letter of intent should not be a binding agreement. It should only confirm the basic deal terms and commit both parties to mutual cooperation and exclusivity while due diligence is taking place.

     An open, orderly and professional due diligence benefits both parties. During this process, the parties should disclose and fully understand the economics of both practices, including the patient base, the qualifications of all employees, the assets and particularly the liabilities the parties are transferring into the combined practice.

     They must also take income tax considerations into account. A merger of two professional corporations can generally be accomplished tax free. However, if one or both parties plan to take cash or other assets out of the corporation either before or after the merger, a tax liability may result.

     A merger of unincorporated practices can usually be accomplished tax free. The combined practice can be operated as a partnership, a limited liability company (LLC) or a professional corporation.

     If either party to the merger has to disassociate from a multi-owner practice or if co-owners of either of the merged practices have to be bought out, a variety of tax consequences can result from the disassociation or buyout.

     The parties should plan to involve their accountants and attorneys early in the merger discussions. And they should expect that both proposed merger partners will want their own accountant and attorney involved.

     See Cautious steps on page 3

     Your Healthy Practice: The technical information in this newsletter is necessarily brief. No final conclusion on these topics should be drawn without further review and consultation. Please be advised that, based on current IRS rules and standards, the information contained herein is not intended to be used, nor can it be used, for the avoidance of any tax penalty assessed by the IRS.

     © 2011 CPAmerica International