Risk Management

Who is a Disqualified Person in a Nonprofit Organization?

It is vitally important for leaders managing nonprofit organizations to understand who may be a “disqualified person” within the nonprofit organization to avoid engaging in transactions that may jeopardize the organization’s tax-exempt status. A disqualified person generally is a person who has a close relationship to the nonprofit organization such that they perceivably can exert substantial influence over the affairs of the organization. When identifying persons who may substantially influence the operations of the nonprofit, titles are not as important as actual responsibility. For instance, if an influential volunteer is given wide discretion, control and responsibility over a defined segment of the organization, he or she may be deemed to be a “disqualified person” despite the fact that he or she is a volunteer with segmental responsibility. Substantial contributors may also be classified as “disqualified persons” depending on the amount of influence the contributor holds over the organization. Determining who is a “disqualified person” is vital if the organization engages in any transaction involving persons involved with the organization. This is because there are certain IRS rules that penalize transactions with disqualified persons, especially if such transaction confers an excess benefit on the disqualified person. If the organization anticipates entering into a major financial transaction such as a loan with a potential disqualified person, the organization should seek the guidance of a lawyer or nonprofit tax advisor.

Medical Malpractice Risk Management




A study conducted by Stephen W. Heath, MD, MPH found that there is a correlation between our increasingly litigious society and the reason litigants file malpractice claims. Continuous consumer advertisements targeting medical providers have become commonplace. As such, a 2010 report by the American Medical Association found that 60 percent of doctors over the age of 55 have been sued at least once. Moreover, medical malpractice jury awards are 17 times higher than general tort awards according to the U.S. Department of Justice Bureau of Justice Statistics. With the high probability of experiencing a medical malpractice claim, medical providers should address the risk of financial loss systematically. By focusing on high-risk areas such as informed consent, informed refusal and patient documentation, a provider can reduce the risk of claims filed against his or her medical practice. It is equally important to implement new policies, procedures and forms that address high-risk areas. Finally, research studies show that patients rarely bring tort actions against providers they like. For this reason, conducting patient satisfaction surveys should play a role in a provider’s risk management strategy.

HIPAA Compliance Audits – Make Sure You Are Ready



Pre-Audit Surveys

On February 24, 2014, the Department of Health and Human Services announced its plans to conduct a pre-audit survey of up to 1,200 HIPAA “covered entities” and “business associates” to determine whether such entities are suitable for the HIPAA Audit Program conducted by the Office of Civil Rights (OCR). The pre-audit will potentially collect recent data about the number of patient visits, use of electronic information, revenue and business locations. The pre-audit information will be shared with the OCR, which is mandated to conduct audits of covered entities and business associates to assess compliance with the Privacy, Security and Breach Notification Rules under HIPAA.

Expansion of HIPAA Requirements under Final Rule

The Omnibus Final Rule, which became effective March 26, 2013, increased penalties for violations of HIPAA, signaling to affected parties heightened regulatory scrutiny. The Final Rule expanded the regulatory requirements of HIPAA in several ways. For instance, the Final Rule made business associates of covered entities directly liable for compliance with certain requirements under privacy and security rules. The Final Rule also expanded certain patient rights and adopted the HITECH breach notification requirements pertaining to unsecured protected health information. We have seen the Department of Health & Human Services enforce these provisions in a recent settlement with Concentra Health Services, a subsidiary of Humana. Concentra agreed to pay more than $1.7 million to HHS due to a breach in security from unencrypted stolen laptops.

Being Prepared and in Compliance 

What all this means is that health providers and their business associates should be prepared by engaging in proper risk assessments to identify, evaluate and correct vulnerabilities in the protection of patient health information. In previous posts, we made the comment that it is no longer sufficient to have a compliance program in name only. We add to this by stating that regulations require covered entities to review their policies and procedures so that vulnerabilities are corrected. Boilerplate policies not reflective of the security risks present at the provider’s practice are wholly insufficient. Policies and procedures should be implemented in response to identified vulnerabilities. The public comment period regarding the HIPAA pre-audit survey closed on April 25, 2014. We will attempt to make updates on pre-audit surveys as information is made available.

The False Claims Act after ACA


Healthcare providers are confronted with a heightened regulatory landscape since the enactment of the Affordable Care Act. Congress has been patently devoted to prosecuting provider practices that conspicuously overbill Medicare or Medicaid. The ability to prosecute providers under the False Claims Act has significantly changed in recent years, including recent legislation under the Fraud Enforcement and Recovery Act of 2009 and the formation by the Department of Justice and Health and Human Services of the Health Care Fraud Prevention and Enforcement Action Team (“HEAT”). On the State level, Section 6031 of the Deficit Reduction Act of 2005 created a financial incentive for States to establish legislation to prosecute individuals or entities who submit false or fraudulent claims to the Medicaid program.

In addition to these dramatic changes in the law, language in the Affordable Care Act ushered in a new era of enforcement against fraud, waste and abuse. This new era includes enhanced use of technology such as sophisticated data mining and other fraud detection methods, which have resulted in the Federal government becoming more efficient in identifying false claims. Nevertheless, the government still greatly depends on qui tam relators (private citizens who initiate false claim actions and report such claims to the government for investigation and possible prosecution). Provider liability under the Act can be massive, with penalties of between $5,500 and $11,000 per false claim, plus three times the total loss to the government. Qui tam relators can receive fifteen to thirty percent of the total recovery. Moreover, recent amendments to the False Claims Act enacted under the Affordable Care Act have widened the scope of potential claims that can be successfully initiated and sustained by qui tam relators, especially given the whistleblower protections afforded to these potential claimants. This means, in essence, that there is a more definite probability of claims being initiated by past and present employees of health practices under the False Claims Act.

In the last couple of years, Congress has increased funding as part of its committed effort to fight fraud, waste and abuse in the Federal healthcare programs. Approximately $350 million through 2020 has been allocated under the Affordable Care Act toward investigation and prosecution of fraud, waste and abuse. To be found liable under the act, no proof of specific intent is required. Providers can be found liable under the act for knowingly making a false statement to have a Medicare or Medicaid claim paid or approved. The term “knowingly” can mean that the provider or entity acted in deliberate ignorance or reckless disregard of the truth of information submitted to receive payment. If a provider is accused of knowingly submitting a false claim, the provider could see all of  their Medicare and Medicaid payments for care suspended by CMS if there is deemed to be a “credible allegation of fraud” as defined by the Department of Health and Human Services.

What this means is that provider practices should be diligent in their billing practices and institute and evaluate periodically proper controls regarding their revenue cycle. The penalties are too severe not to have proper policies and procedures in place.  In addition, provider practices regardless of size should implement a compliance program in response to these changes in the law and heightened government enforcement actions.  For more information, please contact our firm at info@scottpractice.com.

Operational Risk – Risk of Nonpayment

One way to think about contract risk is that there are two veins: the likelihood of a breach and the impact of a breach. When a breach of contract occurs, it often requires significant time, information-gathering, and negotiations in order to prosecute or defend the action. The lost opportunity cost associated with a breach of contract dispute is in addition to actual costs due to lawyer fees, court costs and other litigation-related expenses. Therefore, it is to an entity’s advantage to minimize the risk and costs associated with breach of contract.

There are risks involved in every agreement for performance of services.  On the buyer’s side there is the risk of nonperformance – meaning the buyer does not receive the services bargained for under the contract.  On the seller’s side there is a risk of nonpayment – meaning the seller does not receive payment for services rendered.  This article focuses on the risk of nonpayment and how to most effectively minimize such risks.

Unless the agreement you have with the other party requires all payment upfront – the contractor accepts some form of credit risk when he or she agrees to provide services to the buyer. Credit risk is defined as the probability that a party will fail to meet his or her obligations in accordance with the agreed upon terms. The level of inherent risk (level of risk before considering controls) that a service provider faces with respect to nonpayment for services may depend on a number of factors – but the largest factor will be the parties involved.

Inherent Risks – The first step is to identify the inherent risk involved when you are contemplating entering into a relationship with the other party. What can go wrong with this relationship? What could impede your business objectives if you engage with this entity or organization? You need to go through this exercise to better appreciate the risk involved. Without acknowledging the inherent risk, it is difficult to create effective controls to mitigate risks. Again, inherent risk is the level of risk prior to assessing the effectiveness of controls. It shows the level of risk that exists if no controls are present.

It is impossible to control for every risk, especially since certain risks remain unknown. Therefore, after we assess the risk – we may skew our controls toward those risks that are most probable and with the potential for the greatest loss. The greater the risk, the more controls that may need to be implemented.