How to protect your practice against financial impropriety

Todd Petersen, CEO of VitalSkin Dermatology

Todd is the Chief Executive Officer of VitalSkin Dermatology, a world-class dermatology and aesthetics practice management firm., Mr. Petersen has over two decades of C-suite experience, including CEO, COO, CFO, and CHRO roles. He is a growth expert with a passion for new entrepreneurial challenges, revenue growth, improving operations, and building teams and partnerships.

Nobody likes to lose money, but according to the American Academy of Family Physicians, 40% of health clinics surveyed have experienced some form of financial crime in the past five years. Additionally, KPMG estimates that the majority of financial crimes are not caught or go unreported, meaning that the reported 40% is likely much higher.

MORE: How to maintain a good dermatology practice income

Financial impropriety is defined as any dishonest, illegal or unethical activity that can result in the loss of capital. Unfortunately, financial impropriety can come from many sources: employees, vendors, patients, and even the owners of the practice. Financial impropriety comes in many forms, but the forms most relevant to medical practices are cash embezzlement, inventory theft, and timecard theft.  Fortunately, there are many simple ways to protect against it.

Protecting your practice from cash embezzlement
Cash embezzlement is the crime that typically makes the most headlines because if it is undiscovered over a long period of time, the sums embezzled can get quite large. In a study performed by the Medical Group Management Association, thefts over $100,000 accounted for the majority of embezzlement losses reported. The accounting firm Wipfli, estimates the typical medical organization will lose about 5% of annual revenue to fraud.  Furthermore, they report that dermatology practices are among the most vulnerable in the medical industry because they often have extensive retail product lines and by extension, do a significant amount of cash transactions.

Protecting your practice from embezzlement is possible, but requires continuous diligence, sound hiring processes, solid internal controls, the use of simple internal audit procedures, and the purchase of an insurance policy to protect your practice from employee fraud. For smaller practices, these procedures can sound daunting and expensive. However, there are several ways to mitigate risk through efficient use of time and with minimal investment for the practice.

First, make sure your team knows you’re actively engaged in the business side of the practice and you are continually monitoring the practice’s checking account and petty cash drawer, reviewing all cash receipts and disbursements, and reviewing system edit reports every day. Active oversight and continual diligence may be the most important step in preventing embezzlement.

Second, complete a comprehensive background and credit check before hiring new employees.  Most embezzlement schemes are perpetrated by insiders. Background and credit checks will help you determine if the applicant was truthful and forthright during the interview process, and it will help to identify individuals who have a history of poor financial management.  After the hire, pay attention to what is happening in your staff’s personal lives.  Individuals who fall on hard times can be tempted to do something they would not normally contemplate, and individuals who are living beyond their means could be a warning sign of potential impropriety.

RELATED: Safeguard your practice from a data breach

Third, develop a solid internal control structure. In a smaller practice, developing a robust control structure like those found at larger companies can be implemented on a down-sized scale. A sound internal control structure should include the following steps:

• Keep the petty cash drawer under lock and key. Do not comingle it with the practice’s change drawer used to make change for patients. Only the practice owner, not the business or office manager, should have access to the petty cash drawer and all petty cash disbursements should be logged. Reconcile and record the petty cash drawer activity regularly.

• Embezzlement at the front desk is perhaps one of the most common areas for impropriety.  Closing out all patient encounter tickets is an essential element to a solid internal control design for front desk activities. All encounter tickets should have billed charges and/or collected payments tied to it. In the event an encounter ticket had a cancelation or no-show tied to it, it should be closed out with a reason code of “cancelled” or “no-show.” 

• At the end of each day, the encounter tickets, posted payments and collected cash should be balanced. All three should agree with each other. After the daily reconciliation has been completed, the practice manager or business owner who did not complete the reconciliation should review and sign off on the reconciliation. Following completion of the reconciliation, the daily bank deposit should be made and a bank receipt that ties to the collected cash balance should be attached.

• Any patient account that is adjusted or written off should be done by someone other than the person responsible for handling and posting customer payments. One of the most common forms of front desk fraud occurs when check payments are intercepted at the front desk and the corresponding patient balances are written off by the same person. 

• We suggest you not give up check writing responsibilities to your practice. In the event you have delegated check writing to your practice manager, do so only if your practice manager is not responsible for bookkeeping too. Segregation of duties is a hallmark to any good internal control structure. A practice should never place all of its bookkeeping, check writing and reconciliation responsibilities with one person. Ideally, this should be distributed to two or three individuals. Segregating check writing responsibilities from bookkeeping responsibilities will allow the check writer to review all vendor checks. Vendors that are not recognizable should be reviewed more carefully and the actual vendor invoice, not vendor statements, should be attached to the check.

• Finally, perform monthly bank reconciliations. Download your monthly bank statement from your bank account and review the checks written and the daily deposits. As noted earlier, have someone other than the bookkeeper and check writer reconcile the bank account. For smaller practices, we recommend you hire your outside accountant to perform the reconciliation if you do not want to complete the reconciliation yourself.

Fourth, the following simple “internal audit” procedures should be implemented at the practice to help prevent any financial impropriety.

• Run an encounter report at the end of the day. Your practice management software will assign a sequentially generated encounter number. All encounters should be accounted for without a gap or missing encounter. Gaps or missing encounters could be an indication the cash encounter was deleted. 

• At the end of each day, generate a system edit report to identify and review all deleted transactions.

• Periodically select a random sample of cancelled or no-show appointments and review the appropriate electronic medical record to ensure no medical note exists.

• Weekly, review all account receivable adjustments and write-offs to ensure these balances were appropriate and approved.

Fifth, insurance policies, called employee bonds, can be purchased to reimburse a practice in the event of a loss from employee fraud. These policies are inexpensive, and they will provide the practice owner with some peace of mind.

RELATED: Why are so many physicians selling their practices?

Protecting your practice from inventory theft
For many dermatology practices, medical supply and small equipment expenses are their second largest expense category behind personnel expenses.  It can make up anywhere between 5 to 10% of a practice’s expenses.  With the increased prevalence of neurotoxins, fillers, and aesthetic products in today’s dermatology practices, they are more prone to inventory and equipment theft than ever before.

Today’s dermatology practices should consider implementing an inventory management system, which is often an integrated module in its practice management software, if it has not already done so. This system will help create an inventory control environment that will help prevent theft, and it will have the added benefit of improving cash flow.  An inventory control system will allow the practice to see what inventory it has in stock, where it’s located, and it will allow the practice to set predetermined inventory reorder levels, automating much of the reorder process.  

We suggest high-dollar inventory, like Botox, should be kept under lock and key in the supply room.  Only the practice manager and physician have access to the high-value supplies.  These supplies are pulled from inventory and scanned out as needed.  Additionally, to avoid theft from shoplifting, products available for resale should be behind the counter and not easily accessible to patients.  Furthermore, as part of your security system, we suggest placing a security camera in the supply closet, by retail showcases, and in hallways and waiting areas, to monitor for potential theft. 

When orders are made, use a prenumbered purchase order to place the inventory order.  When the order is received, the order should be received against the purchase order and the order should be counted and verified. Segregation of duties is a key attribute to any good internal control design. For example, the person placing the order shouldn’t also be the person receiving the order. 

Month-end inventory counts should be conducted and the results should be reconciled to the inventory control system.  Significant areas of shrinkage should be more carefully examined and investigated.

Protect your practice from timecard theft
Employers have the responsibility under the Fair Labor and Standards Act to collect and pay their employees for the time worked. Unfortunately, simple solutions are easily manipulated.  For example, timecard manipulation is one of the most common forms of impropriety in a medical practice. 

RELATED: Selling your practice: Understand the financial, legal implications

Paper-based systems are easily manipulated, allowing employees to easily round up or down.  Imagine an employee arriving to work at 8:10 and leaving at 4:15 pm with a half hour break on site.  If the employee reports an 8:00 am arrival and a 4:30 pm departure, you will pay for 25 minutes of time not worked.  Done five days a week, this amounts to 120 minutes of overpayment. 

Timecard manipulation can come in many forms: buddy punching, when an employee has a coworker clock them in/out when they are running late or leaving early; “forgetting”  to clock in/out when they are late or leave early, and then reporting a different time to their supervisor at the end of the week when time is being reported.  It can also take the form of an employee who leaves the office to run a quick 30-minute errand and does not clock out or back in. 

Today’s time and attendance solutions help employers stay compliant, ensuring they are properly paying employees for time at work, but it also serves to protect the employer from time theft.  Many new time and attendance solutions use something called “geo-fencing.”  This allows employees to punch in on their smartphones only when they are within a certain radius of their worksite.  Additionally, some time and attendance solutions take it a step further and require some form of biometric identification (index finger or eye scans) to punch in. Most employers find that investing in high-tech solutions are worthwhile and will more than pay for themselves over time.