At a time when reimbursement rates are being squeezed, what you don’t need is someone surreptitiously removing money from your practice. Yet, that’s exactly what some staff members are doing to the practices that employ them.
Because medical practices are often an easy target, the amount of money that employees steal can quickly impact the operation. For all industries worldwide, that amount runs into the billions of dollars, according to the Association of Certified Fraud Examiners’ 2018 Report to the Nations on Occupational Fraud and Abuse. Fortunately, there are ways to protect your practice.
The best way to deal with employee theft is to prevent it from happening in the first place, but this requires implementing sound internal controls, including:
Risk assessment. Examine your practice’s policies, procedures, and processes for any faults in the system for protecting integrity and ethics. Conduct a risk assessment every two years or whenever there’s a major system change (such as a new Electronic Health Records (“EHR”) system) or personnel change (such as a new billing clerk). Establishing a system of strong financial controls that deliver accountability is critical in reducing the likelihood of fraud and theft.
Separation of staff duties. Avoid having a single employee in charge of purchasing and of approving and adding vendors. Although it may be difficult to spread duties among several employees in smaller practices, it is critical to implement internal controls that let employees know they’ll likely be caught if they steal.
Also, never let a non-physician employee sign checks — which is perhaps the easiest avenue for fraud. Instead, checks with invoices should be given to the appropriate physician for him or her to approve and sign, or require a dual signature with a physician over a set threshold amount for your practice.
Monitoring employee behavior. Look for behavioral indicators that an employee is involved with or considering fraud. For example, an employee who never goes on vacation or takes a day off and is unwilling to share job duties is showing a common warning sign associated with illicit activity. To combat this behavior, require all employees to take scheduled vacations and regularly rotate duties among staff.
Other behavioral indicators of which to be aware include when an employee has an unusually close association with a vendor or customer, is experiencing financial problems, is living beyond their means, or exhibits a significant change in lifestyle or behavior.
Conducting surprise audits
Practice leaders should conduct periodic spot checks and be willing to bring in an independent accountant to review the practice’s financial records. Employees should know that unannounced audits are possible, but they shouldn’t know what data they’ll cover. Such audits need not be top-to-bottom reviews of the practice’s finances. They can focus on specific areas.
Also, periodically reconcile overlapping financial records. For example, compare receipts that are recorded in the billing system to revenues recorded in the accounting system, and then cross-check those numbers with your bank deposits. Ensure someone other than the person who prepares the records conducts the reconciliation.
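The three-way comparison described above can be run as a routine check over daily totals. The following is an added example, not part of the original article: the dates, amounts, staff names, and the `reconcile` function are constructed for illustration, and it assumes deposits are banked on the day they are received.

```python
from decimal import Decimal

# Constructed daily totals exported from three independent systems.
BILLING = {"2024-05-01": "1840.00", "2024-05-02": "2210.50", "2024-05-03": "1975.25"}
LEDGER = {"2024-05-01": "1840.00", "2024-05-02": "2210.50", "2024-05-03": "1775.25"}
BANK = {"2024-05-01": "1840.00", "2024-05-02": "2010.50", "2024-05-03": "1775.25"}


def reconcile(billing, ledger, bank, prepared_by, reconciled_by):
    """Return the days on which the three sources disagree."""
    # Separation of duties: the preparer must not reconcile their own records.
    if prepared_by == reconciled_by:
        raise ValueError("reconciler must not be the person who prepared the records")
    exceptions = []
    # Use the union of days so a day missing from one source is also flagged.
    for day in sorted(set(billing) | set(ledger) | set(bank)):
        b, l, k = (Decimal(src.get(day, "0")) for src in (billing, ledger, bank))
        if not (b == l == k):
            exceptions.append({
                "day": day,
                "billing": b,
                "ledger": l,
                "bank": k,
                "billing_minus_bank": b - k,  # receipts that never reached the bank
            })
    return exceptions


if __name__ == "__main__":
    for row in reconcile(BILLING, LEDGER, BANK, "billing_clerk", "office_manager"):
        print(row)
```

A day on which billing exceeds both the ledger and the bank deposit deserves a closer look than one where only the bank figure differs, since the latter can be a deposit timing difference.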
Training staff
Educate your staff about what constitutes fraudulent, illegal, and unethical actions; their role in preventing and deterring fraud; and how to recognize the signs of prohibited behavior. Doing so will not only make them more likely to notice suspicious behavior but also diminish their ability to defend themselves if they’re caught in the act of defrauding the practice.
Ultimately, the practice’s culture must embody high ethics and integrity from the top down. Fostering a culture where employees know what is expected of them will, in turn, encourage them to care about their work environment. When that culture is ingrained in your employees, they’ll be much less likely to even think about theft.
Electronic restrictions
Finally, because computers are often instrumental in committing fraud, restrict employee access to only those computers, programs, and electronic data that they need to perform their jobs. Only the office manager, system administrator, and the managing physician should have access to modify user permissions, and no employee should be given rights beyond what is warranted by the job duties of their position. For example, a front office employee who collects payments and has rights to edit and delete charges in the billing software should not be granted rights to edit notes and delete charges in the EHR system.
Over time, employee rights tend to accumulate out of necessity as access is granted for a special project, cross training, or filling in for an employee on leave. Removing these temporary permissions is often overlooked, leaving systems vulnerable to fraud and data breaches. Having a system administrator run IT audits of rights and permissions on a regular basis keeps your practice protected and employees in compliance with practice policies. If you haven’t done so already, consider purchasing an employee bond or employee dishonesty insurance. If theft does occur in your practice, you’ll be happy to have this coverage.
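The regular audit of rights and permissions described above can be reduced to a comparison of each account's grants against what its role needs. The following is an added example, not part of the original article: the role names, permission strings, user names, and the export format are all constructed, and a real billing or EHR system will have its own way of listing grants.

```python
from datetime import date

# Constructed role baselines: the rights each job needs day to day.
ROLE_BASELINE = {
    "front_office": {"billing:collect_payment", "billing:edit_charge", "billing:delete_charge"},
    "billing_clerk": {"billing:post_charge", "billing:edit_charge"},
    "office_manager": {"admin:modify_permissions", "billing:view_reports"},
    "system_administrator": {"admin:modify_permissions"},
    "managing_physician": {"admin:modify_permissions", "ehr:edit_note", "ehr:delete_charge"},
}
ADMIN_RIGHT = "admin:modify_permissions"
ADMIN_ROLES = {"office_manager", "system_administrator", "managing_physician"}
# Pairs of rights no single account should hold at the same time.
CONFLICTS = [
    ("billing:collect_payment", "ehr:delete_charge"),
    ("billing:collect_payment", "ehr:edit_note"),
]

# Constructed export of grants: (user, role, permission, expiry date or None).
GRANTS = [
    ("avery", "front_office", "billing:collect_payment", None),
    ("avery", "front_office", "billing:delete_charge", None),
    ("avery", "front_office", "ehr:delete_charge", date(2024, 3, 31)),  # leave cover
    ("blake", "billing_clerk", "billing:post_charge", None),
    ("blake", "billing_clerk", "admin:modify_permissions", None),
    ("blake", "billing_clerk", "ehr:edit_note", date(2024, 12, 31)),  # cross training
    ("casey", "office_manager", "admin:modify_permissions", None),
]

def audit(grants, today):
    """Return sorted (user, permission, finding) tuples for review."""
    findings, held = [], {}
    for user, role, perm, expires in grants:
        held.setdefault(user, set()).add(perm)
        if perm == ADMIN_RIGHT and role not in ADMIN_ROLES:
            findings.append((user, perm, "admin_right_outside_allowed_roles"))
        elif perm not in ROLE_BASELINE.get(role, set()):
            if expires is None:
                findings.append((user, perm, "exceeds_role_no_expiry"))
            elif expires < today:
                findings.append((user, perm, "temporary_grant_expired"))
    for user, perms in held.items():
        for a, b in CONFLICTS:
            if a in perms and b in perms:
                findings.append((user, f"{a}+{b}", "conflicting_duties"))
    return sorted(findings)
```

A temporary grant that has not yet expired is left alone, so the audit only surfaces access that has outlived its reason, was never time-limited, or combines duties that should be separated.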
Remember, your CPA or financial advisor can be instrumental in helping you deter fraud and in investigating the crime once it comes to light.
Don’t hesitate to bring in the cavalry if you suspect fraud is going on in your practice, and contact us today.