Risky Business

ACR is taking steps to manage risk and protect itself. But how do you protect your own practice?


April 2015

Under the leadership of Lawrence A.Liebscher, MD, FACR, the ACR Audit Committee has focused its most recent efforts on a risk assessment of the College.

The committee examined potential vulnerabilities, past issues, system safeguards, and employee and member training. Although this work is a key ongoing function, the committee also responds to increased scrutiny of non-profit organizations by the IRS. The risk of internal threats such as theft,embezzlement, and employee or vendor lawsuits always exists and could result in monetary loss. However, government action by entities like the IRS could cause much greater harm to the College. For example, if the IRS were to revoke its 501(c)(3) tax exempt status, the results would be disastrous for nearly every aspect of the College and its members. The College would lose the public appeal of serving the community as a (c)(3) organization. Additionally, members would not be able to contribute to the ACR and obtain a charitable deduction. This type of risk underscores why we spend so much effort to ensure that the ACR complies with federal and state laws and regulations.

Your radiology or radiation oncology practice is no different in having to anticipate and manage risk. A malpractice lawsuit, employee misconduct, fire, or cyber-attack on IT systems might be the most obvious threats to a practice. Yet even greater risk could lay in routine daily activities that federal and state governments — and payers — closely regulate by imposing strict referral, coding, claims reimbursement, and reporting requirements.

Law enforcement focuses intensely on health care, particularly since the Affordable Care Act became law in 2010. Each year, the U.S. Department of Health and Human Services' Office of Inspector General (OIG) issues its work plan of current and new activities. Why does this matter to radiologists? Because the work plan details arrangements OIG believes cost too much or could violate federal fraud and abuse laws. Therefore, you and your staff should understand what's on OIG's radar and prepare for more oversight of your practice. You can access the OIG's 2015 Work Plan at http://bit.ly/OIGWorkPlan15.

In FY2015, OIG listed three ongoing imaging-related projects. The regulator will continue to audit payments for Medicare Part B imaging services. It will examine "selected imaging services" practice expense components, including the controversial equipment utilization rate. A report should emerge by September 2015. Additionally, OIG will continue to audit Medicare payments for high-cost imaging studies, such as MRIs. Auditors will determine whether those studies were medically necessary and the degree to which "use has increased for these tests." The ACR will continue to monitor this project closely.

Finally, OIG will carry over a third imaging project from prior years: auditing hospitals' security controls over networked medical devices. OIG indicated that it will decide whether such controls "effectively protect associated electronically protected health information (ePHI) and ensure beneficiary safety." Significantly, OIG identified radiology systems as one venue in which computerized medical devices may jeopardize the privacy and security of patient data. The ACR also will closely track this audit's progress. If OIG issues an audit, its findings might influence hospitals to impose additional IT requirements on radiologists and their electronic records systems.

As physicians, you've dedicated yourselves to care for others. As members of a practice — whether a partnership, corporation, or limited liability company — you also need to protect your business vigorously. We have written in prior columns that ACR members must develop and use compliance programs.1 Why? The government rewards physician practices that commit to these programs and often penalizes those that lack effective programs. Follow these important compliance steps to help minimize business risk:
• Hire a compliance officer or appoint someone from within the group. This individual should have worked in at least one health care organization and be able to teach essential health care laws and rules. She or he also must lead a culture of compliance throughout your practice.

• Educate your team and yourself about new developments. You can take advantage of a substantial library of resources that OIG has established for physicians at http://bit.ly/OIGLibrary.

• Promptly act on allegations that your practice may have violated federal or state law. Work with your compliance officer and qualified outside counsel to decide whether and how to report incidents to government agencies. We urge all ACR members not to "self-disclose" potential violations without first knowing the impact. It is the legal equivalent of getting informed consent from patients.

• Reinforce among your team how to stay compliant. You already communicate with referring colleagues and patients. Here, you have to lead decisively on compliance matters.

• Enforce disciplinary standards through clear, practical guidelines. Post these on your practice website and refresh everyone through training.

• Apply disciplinary measures consistently but flexibly. For instance, an employee who accidentally transposed one or two CPT® codes when preparing a long claim form should receive less correction than someone who intentionally offers and gives kickbacks to referring physicians.

Your practice has to reinforce that acting in a non-compliant way has consequences. Will disciplining colleagues cause hard feelings? Yes. But would you rather risk dealing with a whistleblower lawsuit because your practice failed to address problems?

By Bill Shields, JD, LLM, CAE, and Tom Hoffman, JD, CAE

1. "More Enforcement: Would Your Practice's Compliance Program Pass the Test?" ACR Bulletin; November 2013.
©Davey Heuser

Share this content

Submit to FacebookSubmit to Google PlusSubmit to TwitterSubmit to LinkedIn