As someone who holds honesty and trust as important personal values, it is easy to be a bit naïve and bury your head in the sand to the fact that there can be  people in any position within a practice who are not completely honest or trustworthy. Fortunately it is not a frequent problem in most practices, but it can happen. Some months ago, we were all horrified to hear in the media about the fake doctor who practiced in Australia for over 10 years, without any real medical qualifications at all. Even those working with him, who thought he was lacking in skills trusted that he must have the proper qualifications and did not see a need to report any concerns.

Recently I attended an excellent AAPM - AVANT webinar regarding practice fraud, and was quite shocked to learn the ways that practices have suffered at the hands of dishonest staff and doctors. As practice managers, it is one of our core work areas to manage risk in our practices. From my learnings, I have considered the risk controls and auditing processes that I use as a practice manager.

Credentialing Processes

Prior to employment and annually:

Registration of Doctors, Nurses and Aphra Registered Allied Health. Sight the registration. Look for any conditions which apply and if there are any conditions how will they be met. Put a clause in the employment contract or service agreement, that any investigations or conditions must be reported immediately to the practice owners. Check that the role for which they have registered is the same as the position you are filling. E.g. RN actually has RN registration and is not an EN.

Proof of Indemnity

Prior to employment and annually when indemnity is renewed: Sight the indemnity and that it covers the scope of practice. For example, if the doctor is involved in cosmetic procedures, ensure the indemnity covers this.

Review CPD statements, both prior to employment and annually (not just at completion of the triennium for doctors). Request for copies of certificates for activities undertaken each year

Written Testimonials

When looking to offer a position, check verbally with the person who has written the testimonial, as they can be forged. Look for over embellished testimonials on websites and try to verify these with organisations

Reference Checks

When looking to offer a position, always phone the referees. At least 2 where possible.

Google the person’s name and look for a public social media profile. Check that there is not any concerning information that comes up in a google search, including criminal activities

Training

When a doctor starts at the practice, part of their induction process should require them to complete the Medicare MBS compliance online training. The practice manager should also complete this as part of their training.

There should be active training on your expectations around billings including that billing is their responsibility and the receptionist is not to be given discretion of choosing item numbers based on the time taken.

The doctor is asked to check item numbers billed versus the items they expected at the end of each day. It may be best to only submit online claims once the doctor confirms that the billing is correct.

A doctor’s contract should stipulate that they are responsible for any repayments to Medicare that are required, due to incorrect billing practices, even if they have paid a service fee to the practice.

All doctors are to be made aware of the 80/20 rule (investigation will occur if they have invoiced >80 items in one day for 20 or more days in the year)

Insurance

The practice should have a practice indemnity policy to cover incidents such as an unqualified person acting in a role where they should not be. Doctors professional indemnity will not cover this.

Medical Records

Limit access to medical records to only those who need to perform a clinical role.

Ensure that only doctors have access to prescribing and test referral.

Administrative staff should have access to only the things they need to use. Different staff may have different levels of access. Typically, as practice manager, you have administrator access, with full access to everything.

All staff should have their own unique password and they are responsible for what occurs on their own login. Staff should be trained to log off if another staff member is taking over the desk, and not share their login with others.

When a practitioner leaves, ask that the provider number is cancelled and all passwords are changed and the practitioner is made inactive. Remember to remove their provider from your system for PIP and e-health too.

Random audits of records should be made by the management team to review that appropriate supporting documentation is present for items that have been billed and that appropriate billing is used when there is not a Medicare rebate available (e.g. cosmetic procedures). Care plans are reviewed for content that is personalised to the patient for their condition and that “copy and pasted” plans are not used. Check that referrals and services are clinically indicated.

Practice Billing Processes

More than one person should perform online claiming processing. Do not have a sole operator and be aware of red flags of someone not being willing to let anyone else do it or they don’t take holiday leave so no one can take over.

Put controls in place over invoice reversals. They should be double signed, not all staff should be able to do and audit reports on reversals should be checked.

Passwords on EFTPOS machines should be changed regularly and only known by people who need to operate the machine.

Random audits should be performed:

•    Drs to compare items they advised reception to bill vs items actually billed

•    Compare cash flow with the previous month and previous year to pick up any major changes.

•    Banking should be reconciled at the end of each day and reported if not able to be. In a bigger, private billing practice, I would get staff to do this twice a day, once at the end of a morning session and then again at the end of the day, as it helps pick up mistakes and makes staff on each shift take responsibility for reconciling the money they have taken.

•    Banking to be carried out by different staff and counted/checked by a 2nd staff member.

•    Banked amounts should be checked against weekly banking reports

•    EFT Merchant statements to be checked against EFT takings in practice management software.

Don’t make it a secret that you perform audits either.

Payroll and bookkeeping

The payroll officer job should be rotated if you have the capacity to do this.

Consider using technology where staff electronically sign in or out to create a time sheet. You need a little flexibility when using these systems, as staff can forget to sign in, but it limits false time claims.

Review at each payroll that only known staff are on the payroll run.

Review at each payroll that amounts are what you expect them to be and seek the explanation of any anomalies, such as excess overtime, or a higher rate of pay than a person normally gets in a given pay cycle.

Use Bank feeds in your bookkeeping software to match payments and outgoings.

Reconcile bank accounts in your software regularly to keep an eye on activity. It is much harder to track something if you only look once every quarter when doing the BAS.

A second person to approve online banking payments. When adding pay anyone bank details in online banking, a second person should need to approve the addition.

Errors to be entered in contra account rather than deleted so that eventual correction can be traced.

Do not give open access to the petty cash box and regularly reconcile petty cash. I recommend weekly or fortnightly as if it is left longer it is hard to track down missing receipts and people do not remember that they took money for milk three weeks ago.

Medications

Ensure all medications including samples are in a locked cabinet. This is also a duty of care to employees who could be tempted to take medications that are easily accessed.

Ensure that drug logbooks tally and where whole vials are not used, those amounts are documented and double signed.

Ensure doctors know the documented procedures for reporting when treating patients for an extended period with S8 medications.

Keep prescription pads locked away from the public and general staff access, even if they are part of your emergency or power failure kit. Keep computerised script paper securely also- excess locked away with restricted access.

Maintenance of Practice & Equipment

All larger maintenance to be approved by the management team, not by an individual. You may set a cost limit on what a staff member is authorised to go ahead and arrange.

----------------------------------------

Using risk management strategies to prevent theft and fraud and setting clear expectations around these areas does not mean that you don’t trust the people you work with. It is important to me, that I can trust people who I work with and I think most of us feel that way. It is part of working together as a team.  But as practice manager, it is our responsibility to ensure we manage the risks of the business and to use strategies which give us the opportunity to become aware of any problems before they turn into something big and unpleasant. I am sure you may already be using some of these strategies, but I hope this may give you additional tips on tightening things up and minimising the risk in your practice.