By Mark A. Master, CPA
Although fraud can occur in numerous ways in a medical practice, the good news is there are many excellent ways to protect yourself. A good system of internal controls goes a long way toward deterring fraud and detecting it if it occurs.
Here are some suggestions to safeguard your practice against fraud:
Pre-number and reconcile all encounter forms. Embezzlement of patient co-payments is common. To ensure that all payments and charges are accounted for, reconcile encounter forms against the patient sign-in sheet or daily appointment record.
A gap in the numbering sequence could indicate that an employee is trying to cover up theft, or there may simply be a misplaced document. Either way, the form should be located and the patient’s account examined to ensure it reflects the appropriate payment or charge.
An additional check to ensure all patient visits and payments are accounted for is to reconcile payments received against the sign-in sheet and appointment schedule and against the record of daily receipts. All patients should receive a receipt for their co-pay from a cash receipt book that creates a copy of the original receipt. The cash receipt book can be reconciled with the daily deposit ticket to ensure all co-pays were deposited.
Screen prospective employees. Many problems can be averted by adequately screening prospective employees. Verify previous employment and check references from at least two or three prior jobs. If a previous employer hesitates to recommend a prospective employee or, certainly, if you receive negative information, it’s better to pass on the candidate.
You may also want to run a criminal and credit check. A person with a lot of debt could present a risk. In addition, you may want to screen for violations of federal programs by going to the Department of Health and Human Services exclusions database at oig.hhs.gov.
Segregate cash-related functions as much as possible. Dividing responsibility for duties such as opening and posting payments and making out deposit slips helps minimize opportunities for fraud.
Not only does this prevent a single person from diverting payments and manipulating patient accounts, it also helps reduce innocent bookkeeping errors. Any action you can take to add another layer of checks and balances to cash functions is worthwhile. It is also a good practice to have bookkeeping and cash functions cross-trained among employees. Mandatory vacations are necessary so an employee does not have control of certain functions year round.
Implement controls over checks. Medical practices can take several steps to safeguard both their own checks and the checks they receive from others. They should limit check-signing authority to a very small number of people, maybe even to one physician owner. They should also ensure that access to blank checks is restricted. Checks that are received should be stamped “for deposit only” immediately upon receipt and promptly deposited.
Use computer passwords to restrict access to sensitive functions. Very few people should have the ability to manipulate patient accounts by entering adjustments, write-offs, or refunds. Use a password to control these functions, and restrict password knowledge to authorized personnel. Passwords should be changed periodically since personnel frequently turnover in a physician’s practice. We recommend changing password at least once a year.
Review and approve all adjustments, write-offs and refunds. A physician owner should review and approve all such transactions. Significant revenue can be lost if an employee wants to embezzle in this way and has the opportunity.
All adjustments, write-offs or refunds should have supporting documentation, such as an explanation of benefits, explaining why the insurer paid what it did. It is also a good idea to categorize adjustments by major payors, such as Medicare and Medicaid, so that adjustment percentages can be tracked and analyzed for inconsistencies. The practice should have a written policy for these procedures so the employees have guidelines to follow.
Another control is to periodically review selected patient accounts. You may want to have your computer system identify accounts with certain characteristics for review, such as any account that has been written off entirely in the last year.
Match invoices with checks. If a physician is the person with check-writing authority, he or she should see the invoices that go with the checks. If this is too burdensome, the physician can randomly sample invoices by occasionally asking to see the supporting invoice. All invoices must be approved before checks are being processed. A paid stamp with the person’s initials should be on all invoices. All invoices should be filed by vendor name and retained for three years
Receive unopened bank and credit card statements for review. A physician owner should always receive these statements first. Even though it is unlikely that the physician will be involved in reconciling the statements, it is an excellent fraud deterrent to simply receive the unopened statement, scan it for unusual transactions and review canceled checks, paying special attention to the endorsing party. There is no excuse for the physician not to perform this procedure. It is one of the best deterrents against fraud.
The active involvement of a physician owner is ultimately the most effective control a medical practice can have. There is no substitute for a concerned owner looking over the staff’s shoulder and asking questions.
Ideally, at least one physician is designated to oversee business functions. Although this personal should be as involved as possible in activities such as check signing, review and approval of adjustments, and statement review, just the perception that someone is doing this goes a long way to deter fraud.
One physician keeps his staff guessing by periodically calling for a particular patient’s account ledger or asking for a certain invoice. Usually the request to inspect a certain document is completely random and done entirely for effect, but the unpredictable nature of the requests gives the staff the impression that the physician is actively monitoring the business side of the practice.
Even with a strong system of internal controls, medical practices may still want the benefits of an external review of controls or an operational audit to ensure the practice is operating efficiently and effectively and with few risks. After all, internal controls, combined with scrutiny, offer your best protection against fraud.
Reviewing the general measures most helpful in preventing fraud are as follows: strong internal controls, background checks for new employees, ethics training for employees, willingness for practices to prosecute fraud, workplace surveillance, strong office policies and procedures and physician evolvement.
In conclusion, it is up to the physician to institute and maintain the internal control procedures in his or her practice. An active role by the physician is the best deterrent against fraud and abuse by the staff.
Mark A. Master, CPA, is Partner-in-Charge of Business Advisors to Physician Practices, Goldenberg Rosenthal, LLP in Jenkintown, Pa.