When starting a new private practice, all allied healthcare providers, like speech therapists, occupational therapists and physical therapists, share the goal of supporting patients with excellent care. Providing that care requires staying current on operational best practices that constantly change.
Compliance expert and experienced physical therapist Daniel Hirsh, PT, DPT, CHA, OHCC, COCAS focuses on what allied health professionals need to know about outpatient practice compliance. It’s the support he wishes he had while running his outpatient private practice. “We provide everything I wish I had in my clinic. I was recreating the wheel, which felt like a waste of time since nothing out there was specific to what I needed,” says Hirsch.
As CEO of Risk and Compliance Analytics, he and his team support outpatient practice owners with due diligence, internal audit services, documentation training, enterprise-wide risk management, weekly compliance guidance, monthly webinar training, liability insurance reviews and unique resources and content for all their compliance needs. Additional resources include some of the following:
- Medical records policy specific to all 50 states
- CEU harassment training requirements for all 50 states
- Outpatient HIPAA manual
- Outpatient OSHA manual
- Outpatient Documentation Manual
- Waivers and Release of Liability for Alternative Services
- Outpatient Information Technology Manual
Staying compliant is necessary for doing business as a private practice owner. Billing, coding, and documentation reviews are widely implemented in most practices, but compliance is a constantly moving target that’s always being updated. Based on current enforcement trends in healthcare compliance, Hirsh recommends focusing on five areas of compliance for 2023.
Proactively prepare for an audit
The pandemic meant that private practice owners got a reprieve from enforcement of certain compliance categories, but auditing is back in full force for 2023. Those private practice owners who proactively prepare for audits save significant amounts of resources, money, and time compared to those who are forced to address errors retroactively.
“People are getting a little bit shell shocked when all of a sudden they receive an audit and are now having a hard time understanding whether it was worthwhile to ignore the routine auditing and monitoring or work on the front end to prevent any errors and deficiencies,” says Hirsh.
Instead of spending tremendous time and resources on appealing a denial, Hirsh recommends simply implementing a routine auditing and monitoring program. This can be completed by an internal compliance department with trained auditors and a compliance officer or by using a specialized external compliance resource like Risk and Compliance Analytics.
An auditing program doesn’t just look at documentation but also should include reviewing and assessing all areas of your practice, such as billing and coding, front desk HIPAA requirements for protected health information, ADA and OSHA safety requirements for your facility space and even department-specific audits. “The important concept to start with is implementing a narrow focus area to review rather than a large, overwhelming initial audit. Determine what needs you will be measuring, identify an objective tool for scoring and benchmark your findings with references and industry standards,” says Hirsh.
Choose a continuing education system that’s right for your practice
Not knowing the requirements is not an acceptable defense for professional competency issues. Many resources are on the market for online CEU and compliance training, but they must be role-specific to be effective. Ask if this will benefit your patients before signing up for a CEU course. For example, the front desk team will have different compliance requirements at the facility level than a licensed therapist. “Having an LMS (learning management system) that includes role-based training is incredibly lacking,” says Hirsh.
Anti-harassment training also varies by state, so staying current on state requirements is important.
Hirsh recommends finding a staff onboarding and annual training platform that’s updated every year so that the content doesn’t get boring and meets any new compliance requirements.
Perform a risk assessment
An annual risk assessment helps therapy practices identify any exposures and vulnerabilities. Exposures might include how you’re coding treatments or even a website vendor that’s not HIPAA compliant. “It doesn’t matter how big or small your company is. All practices can have exposures and strategies to mitigate those risks must be easy to perform,” says Hirsh.
Hirsh also recommends performing an annual IT risk assessment, a free Department of Health and Human Services tool. That first time you answer the question is likely to be overwhelming, says Hirsh. But in the following year, after addressing some of the issues, you’ll likely be surprised by the improvement. “It’s about not having all the answers. It’s about identifying your exposure and addressing them in a systematic process,” says Hirsh.
Having a dedicated compliance officer to support your practice
Whether you outsource compliance or have a compliance officer on staff, someone must manage practice compliance. This often falls on the owner or an administrative team member in small practices. That works, says Hirsh, as long as the individual receives the necessary training to manage compliance successfully.
Tasks like managing an incident report or a HIPAA breach from an accidental email recipient are procedural and require specific steps to address. “You have a certain amount of time to report this, perform an investigation and summarize the findings. Having a trusted compliance resource to call when things go wrong is worth every penny. You can’t wait three days for someone to reply to your request since you need an immediate and meaningful response,” says Hirsh.
Look closer at vendor oversight, privacy and security
Finally, Hirsh recommends performing an annual business associate agreements (BAA) audit. The nature of running a busy practice might create vulnerabilities you haven’t considered. For example, says Hirsh, a cleaning crew with physical access to the office at night shouldn’t have a key to the storage area where the IT hardware is located. A digital marketing company or app managing your online reviews should not respond to a positive or negative post with protected health information.
“Know who’s accessing your information and who’s partnering with you to ensure that there aren’t any unintended exposures. Don’t assume everyone out there offering services knows the rules for maintaining healthcare compliance,” says Hirsh.
Compliance is a necessary part of doing business as an allied health professional. Having the right support to meet compliance standards proactively protects you from risks, vulnerabilities and headaches later.
As Hirsh says, “Almost every week there’s another therapy company making headlines in the news because they’re getting caught for inappropriate business practices that could have easily been prevented if they had a thoughtful, specific and meaningful compliance program.”
CM&F Group provides professional liability insurance for allied health providers, like speech therapists, physical therapists and occupational therapists. Click here to learn more.