Medical Fraud and Embezzlement

Strategies to prevent it happening to you

Prepared for the
American Association of Orthopaedic Surgeons®
September 2007
Michael J. McCaslin, CPA

Somerset, CPAs, P.C.

While medical practices have made significant strides toward automation, specifically in the area of electronic filing of claims, they are still cash intensive. This makes them highly susceptible to fraud, which is defined in its broadest sense as "a deception made for personal gain," and to embezzlement, defined here as "the act of an employee stealing money or assets of the company." The average size of most orthopaedic practices, based upon a full-time equivalency of physicians, does not allow for the development of an infrastructure that enables a proper segregation of duties. Accounting principles encourage segregation of duties as one of the key elements in safeguarding a medical practice's assets. This article will address organizational and hiring issues, in addition to strategies to prevent and detect fraud and embezzlement activities.

Organizational Issues

In the prevention and detection of fraud, the starting point for any medical practice is its commitment to a culture of honesty, integrity, and ethical behavior. These characteristics become part of the core value system for the practice. The core value system provides guidance to all employees (physicians, management, and staff) on how individuals in the group will conduct themselves. By example, physicians and management demonstrate to the staff the values and ethical behaviors all members of the group are expected to embrace. Consistent and frequent reinforcement is important. This can be done formally, via in-service training, and also informally, when situations arise and discussion can ensue. Incorporate the core values into a Code of Conduct Policy, which will serve as a guide to all practice personnel in making appropriate decisions during the course of the day. Developing a core value system will also assist in establishing the tone for the practice's Medicare Compliance Plan. A Medicare Compliance Plan is necessary so that the practice can avoid violations that are subject to civil fines and criminal penalties and can result in exclusion from the Medicare and Medicaid programs.

The next step is to develop a positive work environment. Research indicates that wrongdoing occurs less frequently when employees have positive feelings about the company versus when they feel abused, threatened, or ignored. A negative work environment potentially increases the risk of fraud. Some factors that contribute to a negative work environment include lack of positive feedback and/or recognition, perceived inequities (or showing favoritism), autocratic management versus participatory management, unreasonable financial expectations placed on employees, less than competitive compensation and benefits, inadequate training, lack of advancement opportunities, and overall poor communication.

Conversely, attributes that create a positive work environment include an appropriate recognition and reward system, team-oriented goals versus individual goals, collaborative/participatory decision making, competitive compensation and benefit programs, and appropriate training and career development programs.

Hiring Process

An important key in the prevention of fraud and embezzlement lies within the hiring process. A well-developed hiring process should include reference checks, background investigations that include follow-up with the most recent employer, criminal background checks, confirmation of a candidate's education, and semi-annual and annual performance evaluations.

Once the employee has joined the staff, in addition to providing training on the specifics of the job, the practice should hold regular, formal training sessions on the practice's Medicare Compliance Program and Code of Conduct Policy. All training related to these practice policies should involve a physician so the employees understand how important they are to the practice.

The practice should have a written policy stating that it does not tolerate unethical behaviors, dishonest actions, and fraud or embezzlement by any member of the practice. The policy should also state that in addition to termination and referral to the appropriate authorities, the offender may be subject to further civil or criminal action.

Dishonest actions or acts of fraud can only occur when employees feel that management is not paying attention to these issues. It is management's responsibility to communicate to employees that measures are in place to manage this risk. Physicians must recognize that fraud can occur in organizations of any size and that any employee is capable of committing fraud given the right set of circumstances. Often in a small medical practice setting, the most trusted employee may be carrying out the fraudulent activities.

Safeguarding Practice Assets

The accounting profession refers to "internal controls" when helping physicians evaluate how well assets of the practice are safeguarded. A well-established set of internal controls in the medical practice will serve as deterrents to prevent employees from considering embezzlement or fraudulent activities. While there are a number of resources a practice can utilize to review and/or establish internal controls, typically the first resource should be the independent certified public accountant who services the practice. The general objective of the internal control review performed by your independent certified public accountant should be to:

  1. Ensure proper controls exist to safeguard the assets of the practice.
  2. Document the transaction cycles. Review with the physician(s) the systems, as they currently exist. Discuss and ensure an understanding of the systems that should be in place to protect practice assets.
  3. Review the billing process. Determine if controls exist to ensure that all services provided by the practice are billed, billed correctly and patients are not "lost" in the system.
  4. Review the procedures in place for monitoring contractual adjustments.
  5. Review the procedures in place for writing off patient account balances.
  6. Review the procedures for cash receipts. Ensure proper segregation of duties, as well as proper accounting of cash receipts between cash posted to the billing system, cash posted to the accounting system, and cash posted to the bank accounts. This review should also include the timeliness and accuracy of recording the transactions.
  7. Review the purchase order system. Determine if appropriate procedures exist for authorizing purchases and that paid invoices reflect items received. Review the purchase order, packing slip, and invoice trails.
  8. Review check-signing procedures. Determine proper documentation and authorization procedures prior to signing and mailing of checks.
  9. Review payroll and transactions procedures. Ensure every employee listed in the payroll report is a true and actual employee.

The ideal environment for a medical practice is to have enough employees to enable a segregation of duties between those who collect the cash and those who post the cash receipts to the billing system. For example, the person who receives the cash should not be the same person who posts the cash to the general ledger. The individual who reconciles the bank statements should not be the same person who handles cash or checks at the front counter during patient visits, or opens the mail. Unfortunately, it is impractical for many practices to have all the employees necessary to have a true segregation of duties as noted. Therefore, a medical practice must evaluate what measures can be adopted to mitigate, or reduce, the opportunities for employee fraud and embezzlement. It is important to note that mitigating embezzlement is the best that a medical practice can do. Even in a practice environment where there is proper segregation of duties, any collusion between employees can supersede the internal controls.

General Control Measures:

Some general key measures the practice can put into place include the following:

  1. An annual independent internal control review by the practice's independent certified public accounting firm is crucial. In addition to an annual review, surprise inspections by your independent accountant are an excellent tool for managing employee fraud and embezzlement; employees will always wonder when the next surprise inspection will occur.
  2. Periodically, have the bank statement and canceled checks mailed to one of the physicians' homes. The physician, or the physician and an independent accountant, should review all the canceled checks to ensure that the payees are approved vendors and that signatures are authentic.
  3. The physician should also look for changes in staff lifestyles that may point to extravagant vacations, new automobiles, new homes, etc. Do not begin making accusations upon becoming aware of these. You might, however, consider whether the individual might be in a position where cash or other practice assets could be compromised to support the lifestyle; remember that many employees have spouses who make a living that will enable them to have many of these nice things too.
  4. Mandatory vacations are an appropriate control measure. They take personnel out of their job function, and by rotating others into the position, any embezzlement activity will become noticeable within a short period. Employees who refuse to take vacations may require scrutiny of the job and duties they perform.
  5. There is another key signal that warrants your attention. When an employee is involved in an accounting function, e.g., check handling function, payment posting function, or other similar functions, and he/she makes a significant amount of "noise" about having an outsider either assist them or review their work, pay attention. This employee may say, "The practice doesn't need to pay for this outside help, as I know what I'm doing better than they will." Although this statement may appear to imply the employee has the "best interest of the practice" at heart, it also often means the employee wants to avoid scrutiny.

Specific Control Measures:

While it is not possible to list all of the control features that a practice can implement, here are some listed by category.

Cash Receipts:

  • A bank lock box can ensure that the majority of the cash received by a practice goes straight to the bank. A cost-benefit analysis is required prior to making this type of decision.
  • Reconcile the cash drawer daily.
  • Reconcile the bank accounts monthly and have your independent accountant review the bank account reconciliations frequently and on an unscheduled basis.
  • Implement controls on the volume and dollar amount of cash wire transfers.
  • Maintain fidelity bond insurance.
  • Individuals posting payments to patient accounts should have no role in posting payments to the general ledger, making deposits or reconciling the bank statements.

Billing and Receivables Management:

  • Pre-number encounter forms/fee tickets/super bills for all office visits; account for all forms daily.
  • Pre-number surgical slips and match the surgical slips with the surgery schedule books; account for all pre-numbered forms daily.
  • Require that adjustments made to patient accounts are reviewed by a physician.
  • A physician should authorize (based upon a dollar amount established by the practice) accounts sent to collections.
  • Track denied claims by payer and by reason; establish benchmarks to track unusual volume, and to establish performance criteria.

Accounts Payable:

  • Utilize pre-numbered purchase orders to ensure accountability.
  • Establish annual capital equipment and furnishings budgets.
  • Attach receiving slips to the purchase orders.
  • Attach invoices to the purchase orders and receiving slip.
  • Establish cash disbursements/purchase levels that require Executive Committee level approval.

Cash Disbursements:

  • Do not allow the use of a physician's signature stamp for signing checks.
  • Require two signatures on all checks, e.g., the administrator/CEO, CFO or controller and a physician; insist that all documentation be attached to each check (purchase order, packing slip, and invoice). In the event it would be too difficult to obtain two signatures on a regular basis, establish a dollar threshold of expenditure (e.g., $5,000) above which two signatures are required on the check.
  • Deface invoices with a block stamp once they are paid.
  • Lock blank checks in a secure location.

Other Control Measures:

  • All personnel files should be in a centralized location and locked.
  • The person with access to the personnel files should not be involved in the payroll record keeping, time keeping, or disbursement process.
  • Perform network and information system backups nightly; store the backup off site.
  • Develop an information technology contingency plan in the event your practice management system and network are disabled.
  • General ledger review and reconciliation by an independent accountant should occur on a regular basis.
  • The practice should have a written Policies and Procedures Manual covering all operating aspects of the practice including billing, collections, accounts payable, payroll processing, general ledger processing, etc.

These internal control measures are preventative steps. Practices that seriously consider the risk of fraud and embezzlement, and proactively take steps to create the right kind of climate to reduce the possibility, are going to have the greatest amount of success in preventing these activities. Orthopaedic practices must confront whether to spend money on prevention, or to take the chance that no fraud or embezzlement activity will occur, thereby choosing to save money in the short term. The true cost of an event of fraud or embezzlement includes the amount of dollars or assets lost, the costs associated with determining the magnitude of the embezzlement, and any costs related to subsequent legal actions. There are also other costs, including the physician's time and the emotional toll taken to see such an event through to its conclusion. Combined, these costs certainly dwarf the cost of prevention. While there is no perfect system and collusion among personnel (including management) can offset preventative measures, the "pay me now or pay me later" commercial tag line is most applicable when considering fraud and embezzlement prevention.

Michael J. McCaslin, CPA, is a principal in Somerset CPAs, P.C., a full-service certified public accounting and professional services firm in Indianapolis, Indiana. He is a member of the Somerset CPAs Health Care Team, providing services for health care clients across the country. Mr. McCaslin can be reached at (317) 472-2200 and via email,