“There are a lot of guns pointed at our heads these days,” an administrator friend of mine often says. Why? Providing health care today is an increasingly risky endeavor – especially for small or solo practices. They simply do not have the dedicated risk-management staff that larger practices do. And, between medical malpractice, human resources, and HIPAA data breaches, there is a lot to manage.
Managing risk falls into two categories: internal controls (policies, procedures, trainings) and external risk sharing products (insurance).
Medical malpractice
Internal Controls: In Malcolm Gladwell’s book, “Blink,” he states, “…the risk of being sued for malpractice has very little to do with how many mistakes a doctor makes…It’s how they (patients) were treated, on a personal level, by their doctor.” Physicians and staff alike must respect and listen to their patients.
External Risk Sharing: Maintain a malpractice liability policy; consider pricing higher limits.
Human resources/Labor law
Internal Controls: Policies and procedures are crucial.
- Have an employee handbook.
- Have all employees acknowledge, in writing, that they have read and understand the policies.
- Implement those policies consistently and without discrimination.
- Develop job descriptions for all staffing positions.
External Risk Sharing: Consider Employer Protective Liability Insurance (EPLI). These policies offer a level of protection (risk share) in the event of an employee lawsuit for issues such as sexual harassment, discrimination, wrongful termination, etc.
HIPAA data breaches
Internal Controls:
- Develop and maintain a HIPAA Manual.
- Train new employees when hired and all staff members annually. Have employees acknowledge, in writing, that they understand the policies.
- Educate business associates on HIPAA requirements and require signed business associate agreements that comply with the HIPAA Omnibus Rule of 3/26/13.
- Perform an annual Risk Analysis as per the Security Rule of the HIPAA/HITECH Act.
External Risk Sharing
- “Cyber Policies” are available from many carriers. These policies offer some level of protection for fines or penalties associated with HIPAA violations or data breaches. Some of these policies also offer some level of risk sharing for fines associated with Medicare audits or OSHA violations.
- Outside HIPAA compliance contractors are available for hire.
Three good first steps to mitigate risk are:
- Identify the areas of risk in your office.
- Develop policies and procedures to address those risks.
- Train all employees on these policies and hold them accountable.
And remember, it’s cheaper and easier to stay out of trouble than it is to get out of trouble.
J. Kelly Davis, BS, CMPE, practice manager, Covenant Allergy & Asthma Care, PLLC