What 2018 Has Taught About Managing Risk
Risk management lessons to take into 2019
by Bill Wilson

As one year draws to a close and another begins, most business owners and providers reflect on what they’ve learned. What went right, what went wrong and what issues need to be addressed in 2019. Every year we learn new lessons to continue to improve. Here’s what 2018 has taught us about managing business risks in 2019.

#MeToo and What It Means for Your Business

According to the U.S. Equal Employment Opportunity Commission (EEOC), the number of workplace sexual harassment claims filed in the wake of the #MeToo movement has risen dramatically. The EEOC, which is responsible for enforcing civil rights laws in U.S. workplaces, reported receiving an increase in sexual harassment complaints of more than 12 percent in the 12 months ending Sept. 30, 2018.

So, what does all this mean to a business owner, especially the owner of a small business?

Harassment of any kind in the workplace should not be tolerated, and receiving a complaint from an employee is both a serious yet, delicate matter. Employers must determine how to respond to a harassment charge, how to investigate the allegation, and what guidelines will be used to assess the validity of the claim. The employer’s response can have a dramatic effect on whether or not they’re found liable for the alleged behavior if the complaint reaches litigation.

Sexual Harassment: What You Can Do

It’s in the best interest of all businesses to implement a formal sexual harassment policy. To help protect your business and your employees in the event of a sexual harassment claim, you should develop and implement a company-wide program that addresses workplace harassment. The program should include policies that outline workplace conduct, as well as reporting procedures that include at least two channels through which employees can report harassment. It is your company’s legal duty to communicate those policies, and ensure all employees understand and adhere to them.

Consider an annual workplace harassment education program, as well. All employees should be required to attend and sign proof of participation and an agreement of understanding and willingness to comply with company standards. Such a program can demonstrate to a court that your company makes a concerted effort to prevent harassment in the workplace. The education program should include training of specified employees who will receive sexual harassment claims and who will conduct investigations to determine whether or not the allegations are valid.

Should a sexual harassment claim occur, those trained employees should:

  • Protect private information
     
  • Consider any conflicts of interest
     
  • Seek legal guidance
     
  • Maintain confidentiality throughout the investigation
     
  • Keep written records
     

Detailed records are critical as you will need to provide proof in the form of documentation. Your company will need to prove that proper steps were taken to avoid problems, to educate employees about their rights, and that when the issue took place, the company responded quickly and appropriately.

Finally, defending a sexual harassment lawsuit can be very costly to an organization, so health care providers should consider purchasing an Employment Practice Liability Insurance (EPLI) policy. A properly structured EPLI policy will assist in associated expenses from defending the suit, court costs and judgments brought against an organization. 

Cybersecurity, Ransomware and Securing Your Data

The health care industry has become one of the top targets for hackers. Health care data is rich with very sensitive and very valuable information that hackers can exploit.

Small businesses are particularly vulnerable to one of the latest forms of cyberattacks: ransomware. This attack involves hackers encrypting data, meaning it is locked, and then requesting a ransom payment to unlock the files/data. According to the FBI, ransomware payments alone exceeded $1 billion in 2016. Along with the costs of recovery, breach-related fines from the government, added expenses and damage to brand reputation can severely harm a business.

Alarming statistics confirm why hackers target small businesses. According to the Small- to Medium-Size Business Threat Awareness Poll, a majority of small- to medium-size businesses don’t use web-based security or antivirus on all computers. Phones, tablets, computers and laptops typically access the infrastructure and can contain patient data or access to patient data.

In today’s environment of data-driven business solutions, it has never been more important for small-business owners to be proactive in understanding threats to their business and invest in data breach protection.

Cybersecurity: What You Can Do

Cybersecurity threats are an ever-evolving problem. Health care providers should create and update IT policies to address newer technologies and cybersecurity threats. Review policies at least annually, and communicate any revisions to staff members.

Other proactive steps include hiring third-party security experts to expose known threats, utilizing software that allows for IP lockdown and two-factor authentication. These measures can stop a hacker in their tracks.

But, one of the most important things you can do is train your staff. According to McAfee, 43 percent of all company data loss or breaches are caused by employees. Regular training helps build an additional line of defense, ensuring your company and customer data remain secure and protected from hackers and other online threats.

Finally, health care providers should consider purchasing a Cyber Liability insurance policy. Cyber policies can cover a business’s financial liability for a data breach. In addition to providing coverage, the insurance company may go through a list of best practices with you and even offer additional training resources.

Reducing Your Risk of RAC/UPIC/TPE Audits

Being audited by a RAC (recovery audit contractor) or UPIC (unified program integrity contractor) can be incredibly stressful for any health care provider. Getting fined for billing errors that result in overpayment from an insurance carrier can be downright frightful. There are stories galore about health care providers shutting their doors because they were found guilty and fined for receiving overpayments.

Mistakes may be minor, but they can make the provider susceptible to fines and penalties. According to The van Halem Group, the average cost of a regulatory proceeding defense is $80,000, and fines and penalties can approach hundreds of thousands of dollars.

Audit Protection: What You Can Do

It's more important than ever to be proactive and protect your business from audits. Ensure you’re operating in compliance by investing in proactive assistance and having the correct insurance coverage. These are essential to managing your risk.

Medical Billing Errors and Omissions (E&O) and Regulatory Defense Insurance coverage helps protect your business against alleged billing errors. It provides first-party coverage for claims brought by:

  • Government agencies (e.g., CMS)
     
  • Contractors working on behalf of the government (e.g., RACs and UPICs)
     
  • Qui tam plaintiffs
     
  • Commercial health insurance payers
     
  • Similar entities
     

Coverage also insures for regulatory actions, such as:

  • Billing error proceeding
     
  • HIPAA violations
     
  • Physician self-referral (STARK)
     
  • Emergency Medical Treatment and Active Labor Act (EMTALA)
     

You can also choose proactive services that will help you avoid the audit in the first place. Look into your reimbursement compliance program, and pick a company with experts who will work with your compliance officer and your specific needs to develop your proactive compliance program.

A good compliance program will mitigate the cost of itself, and you’ll see a return on your investment through better processes, efficiencies, and quality of care. And, a Medical Billing E&O and Regulatory Defense policy will mitigate the cost of alleged billing errors and the fines and penalties assessed because of them.

The beginning of a new year is the perfect time to start implementing risk-mitigating changes. From sexual harassment to cybersecurity to audits, there are plenty of areas for businesses to grow and improve. Use the lessons we learned in 2018 to better manage your business risk—for 2019 and beyond.