
Cautious steps wise when merging medical practices

Two medical practitioners might merge their practices for any number of reasons. Sharing office space, covering one another’s patients during vacations and other absences, and preparing for retirement are just a few.

Once a practice has identified a potential merger candidate, it is a good idea to enter into a nondisclosure agreement early in the process to protect both parties’ confidential information. As the deal progresses, they may consider moving to a letter of intent.

A letter of intent should not be a binding agreement. It should only confirm the basic deal terms and commit both parties to mutual cooperation and exclusivity while due diligence is taking place.

An open, orderly and professional due diligence benefits both parties. During this process, the parties should disclose and fully understand the economics of both practices, including the patient base, the qualifications of all employees, the assets and particularly the liabilities the parties are transferring into the combined practice.

They must also take income tax considerations into account. A merger of two professional corporations can generally be accomplished tax free. However, if one or both parties plan to take cash or other assets out of the corporation either before or after the merger, a tax liability may result.

A merger of unincorporated practices can usually be accomplished tax free. The combined practice can be operated as a partnership, a limited liability company (LLC) or a professional corporation.

If either party to the merger has to disassociate from a multi-owner practice or if co-owners of either of the merged practices have to be bought out, a variety of tax consequences can result from the disassociation or buyout.

The parties should plan to involve their accountants and attorneys early in the merger discussions. And they should expect that both proposed merger partners will want their own accountant and attorney involved.

Your Healthy Practice The technical information in this newsletter is necessarily brief. No final conclusion on these topics should be drawn without further review and consultation. Please be advised that, based on current IRS rules and standards, the information contained herein is not intended to be used, nor can it be used, for the avoidance of any tax penalty assessed by the IRS. © 2011 CPAmerica International

A financial and management bulletin to physicians and medical practices from:

100 Second Avenue South, Suite 600, St. Petersburg, Florida 33701 | (727) 821-6161 | www.gsscpa.com

July/August 2011

Inside
➜ Your practice is a business: Is it managed that way?
➜ Cautious steps wise when merging medical practices

Data breaches are costly
Protect yourself and your practice

A flash drive goes missing. A laptop gets stolen. An employee tosses old patient files in the trash. It can happen.

Medical data breaches represented more than 24 percent of all data breaches reported nationwide in 2010, according to the Identity Theft Resource Center. However, many breaches go unreported publicly because they involve fewer than 500 records. In those cases, the Health Information Technology for Economic and Clinical Health (HITECH) Act requires only that a provider or other covered entity notify the secretary of the Department of Health and Human Services of a breach within 60 days of the end of the calendar year in which the breach occurred.

Providers should have security measures that comply with the strengthened enforcement and privacy protections provided under HITECH and the Health Insurance Portability and Accountability Act – better known as HIPAA. Protect your data with antivirus software, network firewalls and encryption.

Under HITECH, providers do not need to take any action if lost or stolen data is encrypted. Nevertheless, no security plan is 100 percent foolproof. In the event of a breach, comprehensive general liability (CGL) policies do not cover any losses. This lack has spurred the rise of cyber liability or data breach insurance.

Some medical malpractice insurers now include data breach insurance in their general malpractice policies. Some commercial liability insurers offer coverage as an enhancement to a CGL policy. But most insurers can provide stand-alone policies to help protect organizations from what can be a financial nightmare.

The cost of dealing with a healthcare breach averages $301 per compromised record, according to the 2010 U.S. Cost of a Data Breach study released by Ponemon Institute in March 2011. For the average physician’s panel of 2,030 patients, a breach can total more than $611,000. Expenses include legal, investigative, audit and administrative services, as well as the loss of patients and reputation. Of the 15 industries covered in the Ponemon study, health care and pharmaceuticals shared the top spot for abnormal turnover of customers after an incident.

Then there are the federal and state regulators. They can impose hefty penalties for mishandled data. In March, Massachusetts General Hospital was fined $1 million for the loss of 192 patients’ files inadvertently left on a subway train by an employee.

Unintentional employee action, lost or stolen computing devices, and third-party error were the major causes of healthcare data breaches, according to a Ponemon study.

When purchasing data breach insurance, be aware that policies vary considerably from carrier to carrier. For example, some insurers offer additional coverage for civil penalties or regulatory fines. Others do not. Many states prohibit coverage for statutory or regulatory fines and penalties as against public policy. An insurer might include third-party exposure but not first-party coverage.

Read exclusions carefully. Although a policy might include first-party coverage, it could exclude the acts of a rogue employee. A knowledgeable broker or consultant can help you review policy terms to ensure that you get coverage to best fit your needs.

Generally, comprehensive stand-alone policies can cover costs, up to certain limits, for items such as:
▲ Legal defense
▲ Investigation and forensic services
▲ Notification requirements as stipulated under the HITECH Act
▲ Credit monitoring for affected individuals
▲ Data recovery
▲ Public relations management
▲ Network and/or business interruption

The cost of a $1 million policy can run from a minimum of $1,500 to $5,000 or more, depending on a practice’s size and number of data records, policy features and associated risks. Underwriters will want to know that a practice is financially stable, has not had any losses and has mitigated risk.


Mitigating risk includes written policies and procedures, employee training and monitoring, installation of appropriate computer security software, and contractual allocation of liability, among other things.

Purchasing insurance does not absolve an organization from complying with federal and state regulations, ensuring that security measures are in place, or having a plan of action should a data breach occur.

Experts believe the number of breaches is certain to rise as we move toward greater adoption of electronic health records. The Ponemon Institute has developed a data breach risk calculator that can estimate an organization’s risk profile, the average cost per compromised record and the average cost per breach. You can also see how your risk profile compares with other healthcare organizations and industries. To check your risk, go to http://databreachcalculator.com.sapin.arvixe.com.

– Irene E. Lombardo

The root causes of patient data loss or theft

Unintentional action: 52%
Lost or stolen computing device: 41%
Third-party snafu: 34%
Technical systems glitch: 31%
Criminal attack: 20%
Malicious insider: 15%
Intentional non-malicious action: 10%

Source: Benchmark Study on Patient Privacy and Data Security, Ponemon Institute LLC, Nov. 9, 2010

Your practice is a business: Is it managed that way?

Medical practices succeed by design, not by accident. Approximately 80 percent of all new businesses fail because their owners do not take the time to formulate a business plan and manage its execution. In this regard, health care is like any other business. Here are four reasons why medical practices fail as a business:

1. Your medical skills do not guarantee success.

There are many talented people who are unable to run a successful business. Being an expert with a particular set of skills that are in high demand is a good start, but it is no guarantee of financial success. History is littered with smart people who could not take a new product or idea and make it into a commercial success.

2. Your office manager should not run your medical practice.

There is a big difference between delegation of authority and abdication of responsibility. Office managers and other employees are essential to the success of your practice. But there can be only one CEO. Unless you are willing to take responsibility for vision, strategy and leadership, you have not taken ownership of your practice. Hiring an experienced office manager is no guarantee that you are hiring the right person for your practice. By establishing your vision for the practice and the goals you want to achieve, you increase the likelihood of hiring a person who shares that vision and has experience managing toward those goals. The only truly indispensable employee in your practice should be you.

3. Practice management does not equate to business management.

Practice management focuses on the delivery of care to patients. Business management focuses on allowing the practice to be successful. Unless the business is well managed, the practice cannot succeed. Running your own medical practice is a for-profit operation. It should be run like the business it is.

4. Patient care is not the key to profitability.

It is fair to say that no one is born with basic business management skills. You should be willing to take a week out of your career for a course in business management. You should also plan to spend 25 to 30 percent of your time focused on the business of the practice, not on seeing patients. If you are going to invest in a medical practice, you must be willing to monitor that investment. If you are unwilling to commit to that responsibility, you should find a practice where you can sign on as an employee.

Ask yourself two questions:
▲ Why did you go into medicine?
▲ Why do you want to own your practice?

If owning your practice fulfills your purpose, you need to invest just a fraction of the time you spent on your medical training to learn business management skills.

– Michael Redemske, CPA

Cautious steps (continued)

It may also be necessary to obtain the services of an appraiser to value the respective practices and help determine the appropriate ownership percentages that will reflect each party’s relative contribution to the merged entity. With proper planning, a merger of two medical practices should be accomplished in a reasonably painless fashion over a period of about three months.

They should figure one month to discuss the general terms of the deal and reach a letter of intent. Then they should plan on a second month for each party to conduct due diligence on the other’s practice. Finally, they should expect the drafting of the closing documents and the actual closing to take another month.

– Michael Redemske, CPA





If we may answer any of your questions on the information contained in this publication, please contact us.

100 Second Avenue South, Suite 600, St. Petersburg, Florida 33701 | (727) 821-6161 | www.gsscpa.com | gss@gsscpa.com


Your Healthy Practice Newsletter July-Aug Edition  

In this newsletter: • Data Breaches are costly • Your practice is a business: Is it managed that way? • Cautious steps wise when merging med...