Your Healthy Practice, July/August 2011


Uploaded by kushner-lagraize-llc; posted 18 Nov 2014.


Page 1

Data breaches are costly: Protect yourself and your practice

A flash drive goes missing. A laptop gets stolen. An employee tosses old patient files in the trash.

It can happen. Medical data breaches represented more than 24 percent of all data breaches reported nationwide in 2010, according to the Identity Theft Resource Center.

However, many breaches never become public because they involve fewer than 500 individuals. The Health Information Technology for Economic and Clinical Health (HITECH) Act still requires the provider or other covered entity to notify the affected individuals, but for breaches of that size it need only report to the Secretary of the Department of Health and Human Services (HHS) in an annual log, submitted within 60 days of the end of the calendar year in which the breach was discovered. Breaches affecting 500 or more individuals must be reported to HHS at the same time the individuals are notified, and HHS posts them publicly.

Providers should have security measures that comply with the strengthened enforcement and privacy protections provided under HITECH and the Health Insurance Portability and Accountability Act, better known as HIPAA. Protect your data with antivirus software, network firewalls and encryption, particularly full-disk encryption on laptops and portable drives, the devices most often lost or stolen.

Under HITECH, a provider need not send breach notifications if the lost or stolen data was encrypted in a manner consistent with HHS guidance (which references the NIST standards for data at rest and in transit) and the decryption key or passphrase was not compromised along with it. A laptop with its password taped to the lid, or a drive whose key is stored on the drive itself, does not qualify. Nevertheless, no security plan is 100 percent foolproof.
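The notification rules described above, worked through as an added example that is not part of the newsletter: a small triage routine for a lost or stolen device holding patient records. It encodes the HHS Breach Notification Rule (45 CFR 164.400-414): notice to each affected individual within 60 days of discovery; for breaches of fewer than 500 individuals, an annual log reported to HHS within 60 days after the end of the calendar year of discovery; for 500 or more, HHS notice at the same time as individual notice; media notice when more than 500 residents of one state or jurisdiction are affected; and the encryption safe harbor, which is lost if the key was exposed. The `Incident`, `Obligations` and `triage` names and the field layout are this example's own, not any regulator's or vendor's API.

```python
"""Breach-notification triage for a lost or stolen device holding patient data.

Added example, not from the newsletter. Rules encoded: 45 CFR 164.404 (individual
notice within 60 days of discovery), 164.406 (media notice, >500 residents of one
state or jurisdiction), 164.408 (HHS notice: immediate for >=500, annual log for
<500), and the safe harbor for PHI encrypted per HHS guidance with the key intact.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INDIVIDUAL_NOTICE_DAYS = 60   # 45 CFR 164.404(b)
ANNUAL_LOG_DAYS = 60          # 45 CFR 164.408(c): within 60 days after year end
LARGE_BREACH = 500            # 45 CFR 164.406, 164.408(b)


@dataclass
class Incident:                                   # hypothetical record layout
    discovered: date                              # when the practice knew, or should have known
    individuals: int                              # people whose records were on the device
    encrypted_per_hhs_guidance: bool = False      # e.g. full-disk encryption meeting NIST SP 800-111
    key_compromised: bool = False                 # passphrase with the laptop, key file on same drive
    residents_of_one_state: Optional[int] = None  # largest count in any single state, if known


@dataclass
class Obligations:
    notify: bool
    reason: str
    individual_deadline: Optional[date] = None
    hhs_deadline: Optional[date] = None
    media_notice: bool = False


def triage(inc: Incident) -> Obligations:
    """Return what the Breach Notification Rule requires for this incident."""
    if inc.individuals < 1:
        raise ValueError("an incident must involve at least one individual")

    # Safe harbor: PHI encrypted per HHS guidance is not "unsecured PHI", so its
    # loss is not a reportable breach. That holds only while the key stays secret.
    if inc.encrypted_per_hhs_guidance and not inc.key_compromised:
        return Obligations(
            notify=False,
            reason="encrypted per HHS guidance and key not exposed: "
                   "document the encryption and the incident; no notices required")

    individual_deadline = inc.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)

    if inc.individuals >= LARGE_BREACH:
        hhs_deadline = individual_deadline   # HHS notice is contemporaneous with individual notice
        # If the per-state breakdown is unknown, assume everyone is in one state (conservative).
        in_one_state = inc.residents_of_one_state or inc.individuals
        media = in_one_state > LARGE_BREACH
        reason = "500 or more individuals: notify individuals and HHS now"
        if media:
            reason += "; media notice required"
    else:
        year_end = date(inc.discovered.year, 12, 31)
        hhs_deadline = year_end + timedelta(days=ANNUAL_LOG_DAYS)
        media = False
        reason = "fewer than 500 individuals: notify individuals now; log for the HHS annual report"

    return Obligations(notify=True, reason=reason,
                       individual_deadline=individual_deadline,
                       hhs_deadline=hhs_deadline, media_notice=media)


def triage_iso(discovered: str, individuals: int, encrypted: bool = False,
               key_compromised: bool = False,
               residents_of_one_state: Optional[int] = None) -> dict:
    """Convenience wrapper taking an ISO date and returning plain strings/bools."""
    result = triage(Incident(date.fromisoformat(discovered), individuals,
                             encrypted, key_compromised, residents_of_one_state))
    iso = lambda d: d.isoformat() if d else None
    return {"notify": result.notify, "reason": result.reason,
            "individual_deadline": iso(result.individual_deadline),
            "hhs_deadline": iso(result.hhs_deadline),
            "media_notice": result.media_notice}


if __name__ == "__main__":
    # Constructed scenario: the article's 2,030-patient panel on an unencrypted laptop,
    # then the same laptop with full-disk encryption and the key kept separate.
    for case in (triage_iso("2011-03-15", 2030),
                 triage_iso("2011-03-15", 2030, encrypted=True),
                 triage_iso("2011-03-15", 120)):
        print(case)
```

The `residents_of_one_state` fallback is deliberately conservative: when nobody can say how the patients split across states, the routine assumes they are all in one and flags the media notice, which is cheaper to rule out later than to miss.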

In the event of a breach, a standard commercial general liability (CGL) policy generally does not cover the resulting losses. That gap has spurred the rise of cyber liability, or data breach, insurance.

Some medical malpractice insurers now include data breach insurance in their general malpractice policies. Some commercial liability insurers offer coverage as an enhancement to a CGL policy. But most insurers can provide stand-alone policies to help protect organizations from what can be a financial nightmare.

The cost of dealing with a healthcare breach averages $301 per compromised record, according to the 2010 U.S. Cost of a Data Breach study released by Ponemon Institute in March 2011. For the average physician’s panel of 2,030 patients, a breach can total more than $611,000.

Expenses include legal, investigative, audit and administrative services, as

See Data breaches on page 2

Inside, July/August 2011

➜ Your practice is a business: Is it managed that way?

➜ Cautious steps wise when merging medical practices

Page 4

Cautious steps wise when merging medical practices

Two medical practitioners might merge their practices for any number of reasons. Sharing office space, covering one another’s patients during vacations and other absences, and preparing for retirement are just a few.

Once a practice has identified a potential merger candidate, it is a good idea to enter into a nondisclosure agreement early in the process to protect both parties’ confidential information. As the deal progresses, they may consider moving to a letter of intent.

A letter of intent should not be a binding agreement. It should only confirm the basic deal terms and commit both parties to mutual cooperation and exclusivity while due diligence is taking place.

An open, orderly and professional due diligence benefits both parties. During this process, the parties should disclose and fully understand the economics of both practices, including the patient base, the qualifications of all employees, the assets and particularly the liabilities the parties are transferring into the combined practice.

They must also take income tax considerations into account. A merger of two professional corporations can generally be accomplished tax free. However, if one or both parties plan to take cash or other assets out of the corporation either before or after the merger, a tax liability may result.

A merger of unincorporated practices can usually be accomplished tax free. The combined practice can be operated as a partnership, a limited liability company (LLC) or a professional corporation.

If either party to the merger has to disassociate from a multi-owner practice or if co-owners of either of the merged practices have to be bought out, a variety of tax consequences can result from the disassociation or buyout.

The parties should plan to involve their accountants and attorneys early in the merger discussions. And they should expect that both proposed merger partners will want their own accountant and attorney involved.

See Cautious steps on page 3

A financial and management bulletin to physicians and medical practices from:

The technical information in this newsletter is necessarily brief. No final conclusion on these topics should be drawn without further review and consultation. Please be advised that, based on current IRS rules and standards, the information contained herein is not intended to be used, nor can it be used, for the avoidance of any tax penalty assessed by the IRS. © 2011 CPAmerica International

Your Healthy Practice

CERTIFIED PUBLIC ACCOUNTANTS

3330 W. Esplanade Avenue • Suite 100 • Metairie, Louisiana 70002

(504) 838-9991 • Fax: (504) 833-7971 • www.kl-cpa.com


Page 2

Data breaches continued from page 1

well as the loss of patients and reputation. Of the 15 industries covered in the Ponemon study, health care and pharmaceuticals shared the top spot for abnormal turnover of customers after an incident.

Then there are the federal and state regulators. They can impose hefty penalties for mishandled data.

In March, Massachusetts General Hospital agreed to pay $1 million to settle HHS charges over the loss of 192 patients’ files that an employee inadvertently left on a subway train. Unintentional employee action, lost or stolen computing devices, and third-party error were the major causes of healthcare data breaches, according to a Ponemon study.

When purchasing data breach insurance, be aware that policies vary considerably from carrier to carrier. For example, some insurers offer additional coverage for civil penalties or regulatory fines. Others do not.

Many states prohibit coverage for statutory or regulatory fines and penalties as against public policy. An insurer might include third-party exposure but not first-party coverage.

Read exclusions carefully. Although a policy might include first-party coverage, it could exclude the acts of a rogue employee. A knowledgeable broker or consultant can help you review policy terms to ensure that you get coverage to best fit your needs.

Generally, comprehensive stand-alone policies can cover costs, up to certain limits, for items such as:

▲ Legal defense

▲ Investigation and forensic services

▲ Notification requirements as stipulated under the HITECH Act

▲ Credit monitoring for affected individuals

▲ Data recovery

▲ Public relations management

▲ Network and/or business interruption

The cost of a $1 million policy can run from a minimum of $1,500 to $5,000 or more, depending on a practice’s size and number of data records, policy features and associated risks. Underwriters will want to know that a practice is financially stable, has not had any losses and has mitigated risk.

Mitigating risk includes written policies and procedures, employee training and monitoring, installation of appropriate computer security software, and contractual allocation of liability, among other things.

Purchasing insurance does not absolve an organization from complying with federal and state regulations, ensuring that security measures are in place, or having a plan of action should a data breach occur.

Experts believe the number of breaches is certain to rise as we move toward greater adoption of electronic health records. The Ponemon Institute has developed a data breach risk calculator that can estimate an organization’s risk profile, the average cost per compromised record and the average cost per breach.

You can also see how your risk profile compares with other healthcare organizations and industries. To check your risk, go to http://databreachcalculator.com.sapin.arvixe.com. – Irene E. Lombardo


The root causes of patient data loss or theft

Unintentional action: 52%
Lost or stolen computing device: 41%
Third-party snafu: 34%
Technical systems glitch: 31%
Criminal attack: 20%
Malicious insider: 15%
Intentional non-malicious action: 10%

Source: Benchmark Study on Patient Privacy and Data Security, Ponemon Institute LLC, Nov. 9, 2010

Page 3

Your practice is a business: Is it managed that way?

Medical practices succeed by design, not by accident.

Approximately 80 percent of all new businesses fail because their owners do not take the time to formulate a business plan and manage its execution. In this regard, health care is like any other business.

Here are four reasons why medical practices fail as a business:

1. Your medical skills do not guarantee success.

There are many talented people who are unable to run a successful business. Being an expert with a particular set of skills that are in high demand is a good start, but it is no guarantee of financial success.

History is littered with smart people who could not take a new product or idea and make it into a commercial success.

2. Your office manager should not run your medical practice.

There is a big difference between delegation of authority and abdication of responsibility. Office managers and other employees are essential to the success of your practice.

But there can be only one CEO. Unless you are willing to take responsibility for vision, strategy and leadership, you have not taken ownership of your practice.

Hiring an experienced office manager is no guarantee that you are hiring the right person for your practice. By establishing your vision for the practice and the goals you want to achieve, you increase the likelihood of hiring a

person who shares that vision and has experience managing toward those goals.

The only truly indispensable employee in your practice should be you.

3. Practice management does not equate to business management.

Practice management focuses on the delivery of care to patients. Business management focuses on allowing the practice to be successful.

Unless the business is well managed, the practice cannot succeed. Running your own medical practice is a for-profit operation. It should be run like the business it is.

4. Patient care is not the key to profitability.

It is fair to say that no one is born with basic business management skills. You should be willing to take a week out of your career for a course in business management.

You should also plan to spend 25 to 30 percent of your time focused on the business of the practice, not on seeing patients. If you are going to invest in a medical practice, you must be willing to monitor that investment. If you are unwilling to commit to that responsibility, you should find a practice where you can sign on as an employee.

Ask yourself two questions:

▲ Why did you go into medicine?

▲ Why do you want to own your practice?

If owning your practice fulfills your purpose, you need to invest just a fraction of the time you spent on your medical training to learn business management skills. – Michael Redemske, CPA


Cautious steps continued from page 4

It may also be necessary to obtain the services of an appraiser to value the respective practices and help determine the appropriate ownership percentages that will reflect each party’s relative contribution to the merged entity.

With proper planning, a merger of two medical practices should be accomplished in a reasonably painless fashion over a period of about three months.

They should figure one month to discuss the general terms of the deal and reach a letter of intent. Then they should plan on a second month for each party to conduct due diligence on the other’s practice. Finally, they should expect the drafting of the closing documents and the actual closing to take another month. – Michael Redemske, CPA

