Practice evaluation: Are you compliant?

Areas where many fall short, part one.

In the past year, I have visited many practices where leadership was thinking of selling to private equity (PE). On those occasions, my role was to ensure the practice was compliant before entertaining prospective buyers. Conversely, I also have experience working for the buyer/PE firm, usually entering the proceedings after a Letter of Intent (to purchase) has been extended to a practice.

Regardless of whether I am representing the buyer or seller, my role has focused on the due diligence process — specifically, I evaluate practice operations, business opportunities and compliance. I often find several areas of compliance being neglected — sometimes by very well-respected practices.


While your practice may not currently be considering selling to PE, that could change. Allow your practice to take advantage of business opportunities when they arise by ensuring it is compliant in the following five essential areas, listed in no particular order.

1. OSHA training

The Occupational Safety and Health Administration (OSHA) program, which focuses on workplace safety, requires annual training for physicians and staff.

Each person attending a training session must sign a signature log, which is then entered into the OSHA manual.

  • Issue: While many facets of OSHA ensure a practice is committed to workplace safety, I often see a lack of knowledge from staff about what to do in case of an incident (eg, an encounter with a dirty needle).
  • Solution: To remain compliant, the practice must maintain the OSHA manual, properly manage sharps containers and biohazardous waste and effectively display safety posters and Material Safety Data Sheets (MSDS). Additionally, the practice should have an onboarding/staff training program in place to ensure new staff members are educated and veteran staff remain compliant.


2. HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) program, which focuses on the protection of private medical information, teaches data privacy and mandatory security provisions.

  • Issue: Recently, I have found practices are often missing the patient privacy manual — typically located in the lobby or at the front desk — that should be readily available to patients. I have also found that practices do not always complete their annual IT risk analysis and certification through their EHR/IT vendors.
  • Solution: To remain compliant, HIPAA training must be administered to physicians and staff upon hire, with annual retraining. Additionally, the privacy manual should be readily available to patients, and IT risk analyses must be conducted yearly.

3. Medicare Signature on File

Every Medicare patient must provide a Signature on File, which authorizes payment of medical benefits to the physician or supplier. The signature can be obtained on a paper form or electronically. Usually, the form is a lifetime occurrence, meaning once the practice has a signature on file, the form does not need to be updated.

  • Issue: When visiting practices, I often find the Signature on File paperwork incomplete or missing. If the practice uses a patient financial agreement it has created, the forms often do not include required language for the authorization for mandated Medicare Supplement Insurance (Medigap) payments.
  • Solution: Practices can create their own patient financial agreements, but the important item that must be included on the form is the authorization of payment for mandated Medigap benefits. The patient then signs the practice’s form or the Signature on File form, which can be downloaded from the Centers for Medicare and Medicaid Services (CMS) website.

4. OIG Exclusions Database

The OIG Exclusions Database (which is published by the Office of the Inspector General and available at ) was designed to inform the health-care industry, patients and the public of individuals and entities currently excluded from participation in Medicare, Medicaid and all other federally funded health-care programs. If a physician or staff member is on the exclusions list, he or she is not permitted to handle or receive reimbursements from any Medicare or state-funded medical entity or recipient.

  • Issue: Nearly all the practices I have worked with are not using the OIG Exclusions Database.
  • Solution: Practices should check all physicians and employees against the exclusions list before hiring. They should also check the existing employee roster against the OIG Exclusions Database periodically throughout the year. Generally, I recommend practices check the exclusions list once per quarter as required by some Medicare Part C payers.

5. Fraud, Waste and Abuse

Also known as FWA, this training is designed to help physicians and staff recognize possible abuses to the Medicare system and how to correct or report violations. The training program also seeks to educate medical professionals about federal laws that combat fraud and abuse and about how to comply with CMS regulations.

  • Issue: When visiting practices, I find administrators or staff are occasionally unaware of FWA training requirements.
  • Solution: To remain compliant, practices must facilitate FWA training within the first 90 days of hire and annually thereafter.

Part two of this column will explore five more essential areas.