1. A flash drive goes
missing. A laptop
gets stolen. An Data breaches
are costly
employee tosses old patient
files in the trash.
It can happen. Medical
data breaches represented
more than 24 percent of all
data breaches reported
nationwide in 2010, accord-
ing to the Identity Theft
Protect yourself and your practice
Resource Center.
Under HITECH, providers do not need to take any action if lost
However, many breaches go unreported publicly because they
or stolen data is encrypted. Nevertheless, no security plan is 100
involve fewer than 500 records. In those cases, the Health
percent foolproof.
Information Technology for Economic and Clinical Health
In the event of a breach, comprehensive general liability (CGL)
(HITECH) Act requires only that a provider or other covered
policies do not cover any losses. This lack has spurred the rise of
entity notify the secretary of the Department of Health and
cyber liability or data breach insurance.
Human Services of a breach within 60 days of the end of the calendar
Some medical malpractice insurers now include data breach
year in which the breach occurred.
insurance in their general malpractice policies. Some commercial
Providers should have security measures that comply with the
liability insurers offer coverage as an enhancement to a CGL policy.
strengthened enforcement and privacy protections provided under
But most insurers can provide
HITECH and the Health Insurance Portability and Accountability
Act – better known as HIPAA. Protect your data with antivirus
stand-alone policies to help protect
organizations from what can be a
Inside
software, network firewalls and encryption.
financial nightmare.
The cost of dealing with a healthcare
breach averages $301 per compromised
July/August 2011
T he cost of dealing with
a healthcare breach
averages $301 per
record, according to the 2010 U.S. ➜ our practice is a business:
Cost of a Data Breach study released
by Ponemon Institute in March 2011.
Y
Is it managed that way?
For the average physician’s panel of ➜ autious steps wise when
C
compromised record. 2,030 patients, a breach can total more merging medical practices
than $611,000.
Expenses include legal, investigative,
audit and administrative services, as
See Data breaches on page 2
Inside
A financial and management bulletin to physicians and medical practices from:
CERTIFIED PUBLIC ACCOUNTANTS
3330 W. Esplanade Avenue • Suite 100 • Metairie, Louisiana 70002
(504) 838-9991 • Fax: (504) 833-7971 • www.kl-cpa.com

2. Data breaches continued from page 1 The cost of a $1 million policy can run from a minimum of
$1,500 to $5,000 or more, depending on a practice’s size and
well as the loss of patients and reputation. Of the 15 industries number of data records, policy features and associated risks.
covered in the Ponemon study, health care and pharmaceuticals Underwriters will want to know that a practice is financially
shared the top spot for abnormal turnover of customers after an stable, has not had any losses and has mitigated risk.
incident.
Then there are the federal and state regulators. They can
impose hefty penalties for mishandled data.
In March, Massachusetts General Hospital was fined
$1 million for the loss of 192 patients’ files inadvertently left
on a subway train by an employee. Unintentional employee
action, lost or stolen computing devices, and third-party error
were the major causes of healthcare data breaches, according
E xperts believe the
number of breaches
is certain to rise as we
to a Ponemon study. move toward greater
When purchasing data breach insurance, be aware that
policies vary considerably from carrier to carrier. For example, adoption of electronic
some insurers offer additional coverage for civil penalties or health records.
regulatory fines. Others do not.
Many states prohibit coverage for statutory or regulatory
fines and penalties as against public policy. An insurer might
include third-party exposure but not first-party coverage.
Read exclusions carefully. Although a policy might include Mitigating risk includes written policies and procedures,
first-party coverage, it could exclude the acts of a rogue employee training and monitoring, installation of appropriate
employee. A knowledgeable broker or consultant can help you computer security software, and contractual allocation of
review policy terms to ensure that you get coverage to best fit liability, among other things.
your needs. Purchasing insurance does not absolve an organization
Generally, comprehensive stand-alone policies can cover from complying with federal and state regulations, ensuring
costs, up to certain limits, for items such as: that security measures are in place, or having a plan of action
should a data breach occur.
▲ Legal defense
Experts believe the number of breaches is certain to rise as
▲ Investigation and forensic services we move toward greater adoption of electronic health records.
▲ Notification requirements as stipulated under the The Ponemon Institute has developed a data breach risk
HITECH Act calculator that can estimate an organization’s risk profile, the
average cost per compromised record and the average cost per
▲ Credit monitoring for affected individuals breach.
▲ Data recovery You can also see how your risk profile compares with other
healthcare organizations and industries. To check your risk,
▲ Public relations management
go to http://databreachcalculator.com.sapin.arvixe.com. –
▲ Network and/or business interruption Irene E. Lombardo
The root causes of patient data loss or theft
Unintentional action 52%
Lost or stolen computing device 41%
Third-party snafu 34%
Technical systems glitch 31%
Criminal attack 20%
Malicious insider 15%
Intentional non-malicious action 10%
0% 10% 20% 30% 40% 50% 60%
Source: Benchmark Study on Patient Privacy and Data Security, Ponemon Institute LLC, Nov. 9, 2010
2 July/August 2011 Your Healthy Practice

3. Your practice is a business:
Is it managed
that way?
M
edical prac tices
succeed by design,
not by accident.
Approximately 80 percent person who shares that vision and has experience managing
of all new businesses fail toward those goals.
because their owners do not The only truly indispensable employee in your practice
take the time to formulate a should be you.
business plan and manage its
execution. In this regard,
3. ractice management does not
P
health care is like any other equate to business management.
business. Practice management focuses on the delivery of care to
Here are four reasons patients. Business management focuses on allowing the
why medical practices fail as practice to be successful.
a business: Unless the business is well managed, the practice cannot
succeed. Running your own medical practice is a for-profit
1. our medical skills do not guarantee operation. It should be run like the business it is.
Y
success.
There are many talented people who are unable to run a 4. atient care is not the key to
P
successful business. Being an expert with a particular set of profitability.
skills that are in high demand is a good start, but it is no It is fair to say that no one is born with basic business
guarantee of financial success. management skills. You should be willing to take a week
History is littered with smart people who could not take a out of your career for a course in business management.
new product or idea and make it into a commercial success. You should also plan to spend 25 to 30 percent of your
time focused on the business of the practice, not on seeing
2. our office manager should not run
Y patients. If you are going to invest in a medical practice,
your medical practice. you must be willing to monitor that investment. If you are
There is a big difference between delegation of authority unwilling to commit to that responsibility, you should find
and abdication of responsibility. Office managers and other a practice where you can sign on as an employee.
employees are essential to the success of your practice. Ask yourself two questions:
But there can be only one CEO. Unless you are willing ▲ Why did you go into medicine?
to take responsibility for vision, strategy and leadership,
you have not taken ownership of your practice. ▲ Why do you want to own your practice?
Hiring an experienced office manager is no guarantee If owning your practice fulfills your purpose, you
that you are hiring the right person for your practice. By need to invest just a fraction of the time you spent on
establishing your vision for the practice and the goals you your medical training to learn business management
want to achieve, you increase the likelihood of hiring a skills. – Michael Redemske, CPA
Cautious steps continued from page 4 They should figure one month to discuss the general terms
of the deal and reach a letter of intent.
It may also be necessary to obtain the services of an Then they should plan on a second
appraiser to value the respective practices and help determine month for each party to conduct due
the appropriate ownership percentages that will reflect each diligence on the other’s practice. Caution
party’s relative contribution to the merged entity. Finally, they should expect the drafting
With proper planning, a merger of two medical practices of the closing documents and the actual
should be accomplished in a reasonably painless fashion over a closing to take another month. –
period of about three months. Michael Redemske, CPA
July/August 2011 Your Healthy Practice 3

4. Cautious steps wise when merging medical practices
Two medical practitioners might merge their practices and particularly the liabilities the parties are transferring into
for any number of reasons. Sharing office space, covering the combined practice.
one another’s patients during vacations and other absences, They must also take income tax considerations into
and preparing for retirement are just a few. account. A merger of two professional corporations can
Once a practice has identified generally be accomplished tax free. However, if one or both
a potential merger candidate, it parties plan to take cash or other assets out of the corpora-
is a good idea to enter into a tion either before or after the merger, a tax liability may
Merger nondisclosure agreement early result.
in the process to protect both A merger of unincorporated practices can usually be
parties’ confidential informa- accomplished tax free. The combined practice can be operated
tion. As the deal progresses, as a partnership, a limited liability company (LLC) or a
they may consider moving to a professional corporation.
letter of intent. If either party to the merger has to disassociate from a
A letter of intent should not be a binding agreement. It multi-owner practice or if co-owners of either of the merged
should only confirm the basic deal terms and commit both practices have to be bought out, a variety of tax consequences
parties to mutual cooperation and exclusivity while due can result from the disassociation or buyout.
diligence is taking place. The parties should plan to involve their accountants and
An open, orderly and professional due diligence benefits attorneys early in the merger discussions. And they should
both parties. During this process, the parties should disclose expect that both proposed merger partners will want their
and fully understand the economics of both practices, including own accountant and attorney involved.
the patient base, the qualifications of all employees, the assets See Cautious steps on page 3
Your Healthy Practice
The technical information in this newsletter is necessarily brief. No final conclusion on these topics should be drawn without
further review and consultation. Please be advised that, based on current IRS rules and standards, the information contained herein is
not intended to be used, nor can it be used, for the avoidance of any tax penalty assessed by the IRS. © 2011 CPAmerica International
CERTIFIED PUBLIC ACCOUNTANTS
3330 W. Esplanade Avenue
Suite 100
Metairie, Louisiana 70002