Going Boutique? How Concierge Services Can Work
As the U.S. continues to move toward a three-tiered health care system, much attention has been directed at the top tier of “concierge medicine” — a generally more personalized and convenient form of care provided in exchange for an annual fee.
Many physicians, increasingly disenchanted with filing claims and wresting reimbursements from public and private payers, are now considering whether to “go boutique.”
How It Works
In a concierge practice, patients pay an annual retainer or subscription fee of $1,500 to $5,000 (for an individual) or $2,500 to $6,000 (for a couple), depending on the services received. Those services might include:
- Immediate and 24/7 access to physicians via phone, e-mail or personal visits;
- Same- or next-day appointments; and,
- An emphasis on wellness, prevention and health counseling.
Beyond that, the practice can offer whatever premium services its patients desire and are willing to pay for: spa-like amenities and décor, house calls and out-of-office care, and telephone or e-mail consultations, for example.
A caveat: The concierge fee doesn’t and can’t apply to clinical services for which third-party reimbursement may be sought from Medicare or private payers. The practice can either: 1) continue to perform the third-party billing function for its patients, or 2) forgo that responsibility entirely, leaving it up to patients to deal with their insurers.
A substantial investment may be necessary to get started. You’ll likely want a redesigned office space, for instance, along with staff retraining for greater customer sensitivity and new EMR capabilities for enhanced follow-up.
Because your practice will want to get the word out about its concierge services, you’ll also incur some marketing expenses. It can take one or two years to build up the patient volume to turn a significant profit.
Say Goodbye to Stress
Once a concierge practice becomes fully operational with satisfactory patient flow, several benefits could begin to emerge. First, if you choose to eliminate third-party coding and billing from your practice entirely, you’ll remove the stress and distraction of this difficult function. You also may be able to downsize your existing coding and billing staff, potentially cutting payroll expenses. And, with a smaller daily patient volume, you may need fewer front desk staff. Plus, moving to the concierge model often lets physicians focus on areas of medicine about which they are truly passionate.
Of course, there are risks to the concierge model. Once patients remit their annual fees, you’ll be the only manager of how they use your services. Be aware that patients will have virtually unlimited access to you and your physicians at any time. Above all, you’ll be solely accountable for the fiscal welfare of the practice.
10 Steps to a Safe Transition
If the notion of a concierge practice interests you, do your homework before you make the switch. Here are 10 steps that can help you transition to this new practice model:
- Ask your physicians whether they are willing to adapt to a more interactive relationship with patients.
- Decide whether the new practice format will continue to bill third-party payers or operate as a totally direct-pay operation.
- Research patient demographics and the local market to see if there is sufficient demand with the necessary financial resources to participate.
- Determine which noninsured services and amenities you’ll offer.
- Decide whether you’ll need additional training for staff and physicians.
- Calculate the monthly or annual fee/retainer that you’ll charge patients to cover costs for the new services.
- Set a timetable for initiation and phase-in of the new format.
- Communicate with patients about the transition via letters, e-mails, or phone calls, or during office visits or in focus groups.
- Ascertain how to handle existing patients who won’t convert to the new practice model.
- Create marketing materials and launch a campaign.
If the transition process seems overwhelming, ask your health care advisor for help or look into franchise opportunities.
Know What You’re Getting Into
Under the right circumstances, morphing into a concierge practice could be a good decision — perhaps even the best you’ve ever made. Just be sure to know what you are getting into.
For help with understanding if a concierge practice makes sense for you or with questions, contact us at 312.670.7444. Visit orba.com to learn more about our Health Care Group.
How to Avoid Data Breaches in Your Practice
GREG KOELLING, CPA
Did you know that the three most common ways that a data breach occurs are theft (29% of all breaches), hacking (23%), and accidental public access or distribution (20%)? Over half of all data breaches occur to health care entities, as health data is more valuable to thieves than credit card information because it can be used to access bank accounts and obtain prescriptions for controlled substances.
Minimizing the Threat
The steps for minimizing or preventing breaches of patient data are well established. The first step is to identify all areas of potential vulnerability. This includes overall security for the practice’s premises, records and computer equipment. Facilities should be equipped with security systems, including video monitoring in common areas. Computers must be protected by adequate electronic security for protected health information (PHI). That is, devices, such as desktops, laptops, tablets, smartphones, memory sticks and servers that may carry PHI, must be encrypted. Loss or theft of such devices is one of the most common breach risks and encryption is the best defense.
So, how can you ensure that your practice is safe? First, the practice needs to train all staff on how to protect PHI, using HIPAA-compliant policies, including restricting open discussion of patient PHI among staff members. Your practice should also audit or test physical, electronic and procedural security policies regularly, including the steps that will be taken if a breach occurs. Last, insure your practice against the high costs that can result from a security breach.
Many practices already have these defensive measures in place. However, even the most sophisticated agencies incur data breaches. And often, they occur because of human error. In any case, breaches can happen and it is prudent to plan in advance how the practice will respond.
Act Quickly if a Breach Occurs
Taking action in the first 24 hours after a breach is recognized will influence how the government and your patients view your practice. It’s critical to minimize the damage for both monetary and reputation reasons.
The first step is to prevent the situation from getting worse. If the practice is found guilty of willful neglect, it could face higher civil monetary penalties. If an employee appears to have mishandled patient data or inappropriately distributed it, that person may have to be suspended and denied continued access to the data. If the breach involves criminal activity, the police must be notified. If the protected information has been placed on the Internet, it must be removed. In addition, failing to respond promptly to a breach by one of your business associates may be attributed to the practice.
After the initial damage has been contained, the practice must assess the gravity of the breach. One of the first steps is to contact an attorney experienced in advising health entities on their HIPAA obligations. Together, you will carry out the four-part risk assessment described in the HIPAA Breach Notification Rule to determine whether PHI was truly compromised. The four elements of that assessment are:
- The nature and extent of the PHI involved;
- The person or party to whom the PHI was exposed;
- Whether the PHI was actually acquired or viewed; and,
- The extent to which the risk has been mitigated.
If you conclude that PHI was compromised, numerous other agencies must be notified. Federal law requires specific notifications. Many states have data breach laws that impose additional requirements. If more than 500 patient records have been breached, you must inform the HHS and be prepared to notify local media, as required by the HIPAA Security Rule.
The greatest challenge is likely to be breaking the news to patients. The basic message should be candid. State what happened, what steps already have been taken and what steps will be taken in the future.
Quickly notify all staff and business associates of the breach and prepare them for the questions they will receive from patients in the coming weeks. A notification letter must be sent, within 60 days of the breach, to all patients whose PHI was compromised.
Train Staff on How to Address Patient Questions
A good first step is to identify specific staff members who will be responsible for answering patient questions. They should be trained on how to handle calls and given a list of answers to frequently asked questions. Next, new security measures should be implemented to address the reason(s) the breach occurred. The HHS will want a report stating what is being done to prevent another breach from happening. This report will involve creating new policies, physical and electronic controls, as well as privacy and security training for employees.
Document All Actions
Next, an investigation by the Office for Civil Rights is likely to occur. This process can take as long as a year. The practice must document all actions taken and new preventive changes introduced, and include a copy of its risk assessment.
Once the practice has tested the entire process, document a plan for future incidents. Based on lessons learned from the current breach, designate the person who will be responsible for monitoring any future breaches. Finally, contact your health care advisor. He or she can help you work through the red tape.
For questions about avoiding or addressing data breaches or to discuss defensive measures to put in place to avoid breaches, contact Greg Koelling at [email protected] or call him at 312.670.7444 or your CPA at ORBA. Visit orba.com to learn more about our Health Care Group.