Archive for Management

Social Media & Electronic Communication: Asset or Liability

Editor’s Note: This article was originally published in the 2015 Winter issue of Alabama Medicine magazine.

You may have heard the adage, “Don’t put anything on the Internet that you wouldn’t want tacked to a bulletin board in the Town Square.” Thanks to smartphones and their applications, that adage is easier than ever to ignore – and isn’t always followed. During the past few years, there have been numerous news stories of physicians being reprimanded after inadvertently identifying patients on social media, nurses being fired for posting photos taken during surgeries, etc. So what may a physician do to minimize liability risk when using smartphones?

There are many areas of concern – social media, email/text, and smartphone applications. While these may be viable tools for communicating with patients, there are inherent risks – confidentiality, data security, and the potential for email and text to replace open communication. The following tips may help minimize your risk.

Social Media

Social media has exploded from Facebook and its ancestor MySpace to Twitter, LinkedIn, Pinterest – the list goes on – and according to Facebook’s third quarter 2014 earnings, more than 1.3 billion people use Facebook monthly.

You’ve heard ad nauseam that patients who perceive they have a good relationship with their physicians are less likely to sue, even in the event of an adverse outcome, and heard more times than you can count that communication is the cornerstone of your relationships with your patients. But, that advice is proffered for the therapeutic, professional setting.

So how do you navigate the boundary between therapeutic and personal – or social?

“As a physician, I understand the perceived value of the ways in which patients tend to rely on Facebook to communicate with family and friends. However, we physicians need to be sure of a couple of things: One, communication about a patient’s therapeutic course happens face-to-face and, at times, is supplemented with phone conversations, with the common thread of give-and-take interaction. And two, ethically, that we don’t blur the line between therapeutic care and the social relationship,” Hayes V. Whiteside, M.D., Chief Medical Officer and Senior Vice President of Risk Resource at ProAssurance, said.

Generally, the best advice is to keep your professional and personal lives separate when using Facebook and not accept friend requests from patients. Facebook friends typically have access to all other friends, to photos posted, and also to notes and messages posted on your wall. No matter how tightly you lock down your privacy settings, there’s no guarantee of privacy.

If you decide to use Facebook or other social media professionally, it’s a good idea to set up an account for your practice only and consider these suggestions:

  • Add a disclaimer statement along the lines of, “Our clinic cannot give medical advice to any individual over Facebook. This Facebook page is for general informational purposes only and should not be used in place of a consult with your regular medical provider. The information presented here is not intended to be used as a diagnosis or treatment. If you need emergency medical attention, please call 911 or go to the nearest emergency room. If you need to be seen in our office by a physician, please call [telephone number] for an appointment.”
  • Frequently monitor privacy settings and the page itself.
  • Create guidelines or policy for staff regarding who may post updates to the page and under what circumstances, including who will redirect questions on the page to appropriate physicians for follow-up when a question is not general enough to be answered on the practice’s page, or when doing so would compromise patient privacy.
  • Ensure patient confidentiality. Refrain from publicly posting any protected health information, whether in discussion with a patient or other physician on the practice’s Facebook page. Doing so could result in a HIPAA violation.

The American Medical Association has issued “Opinion 9.124 – Professionalism in the Use of Social Media,” and it may be found here.

Communicating via Email and Text

While email and, to a certain extent, texts may be viable tools for communicating with patients, there are some inherent liability risks. Issues such as confidentiality, data security, and the potential for email to replace open communication are examples of those risks. If email or text is used, risk management experts recommend physicians refrain from sending time-sensitive, highly confidential, or emergency information. Information concerning prescriptions, normal lab results regarding non-sensitive medical issues, appointment reminders, and routine follow-ups may be appropriate to transmit via email.

Confidentiality and security become issues of primary concern. Who will be processing the messages? Will physicians obtain informed consent from patients regarding transmission of information via email? Who has access to the email account? To the computer where emails are stored? If email is used, risk management experts recommend physicians refrain from sending time-sensitive, highly confidential, or emergency information. Information concerning prescriptions, lab results, appointment reminders, and routine follow-up inquiries are generally appropriate to transmit via email. Physicians should also print emails to and from patients and place them in the patient’s medical record.

The AMA, in its “Opinion 5.026 – The Use of Electronic Mail,” recommends that physicians not establish a relationship via email and notes that the same ethical obligations that apply to any other encounter apply to communication via email. Regarding texts, medical/legal experts note they are subject to the same considerations and parameters as emails when it comes to privacy and protected health information, such as incorporation into the medical record. Risk management experts recommend avoiding using text to communicate patient information, treatment advice, etc. The AMA’s opinion may be found here.

Smartphone Apps

With 8-out-of-10 physicians using smartphones for professional purposes, according to mhealthwatch.com, it’s wise to be concerned about potential risk management implications. While such medical apps are great tools, there are innate risks – the unsecured smartphone, for example. Risk management experts recommend evaluating the types of information stored on a personal device. Research apps, such as Epocrates, should not be subject to HIPAA risks if used for research purposes only. However, apps allowing mobile dictation of information that can be transferred to an electronic medical record may be, as they may contain confidential patient health information. Another consideration is security – apps that transmit information may be vulnerable to hacking. Some medical apps bill themselves as HIPAA compliant; it’s wise to examine an app’s privacy policy and take reasonable steps to verify security. It’s also wise to keep in mind no app – especially free ones – is 100 percent secure.

Regardless of whether a smartphone app transmits, stores, or simply accesses patient health information, physicians should ensure the apps are HIPAA and HITECH compliant.

Tips to keep in mind:

  • HIPAA requires data security and proper destruction and/or file retention of patient health information when appropriate.
  • Physicians should remove patient health information from devices with apps before discarding/replacing the device.
  • Wireless apps should be reviewed to ensure security at all levels.
  • A security policy addressing mobile devices and apps that can be used, along with the appropriate use and destruction of patient health information, should be in place.
  • Work closely with information technology personnel to address security issues.

ProAssurance-insured physicians and their practice managers may contact Risk Resource for prompt answers to liability questions by calling (205) 877-5015 or email at riskadvisor@proassurance.com. ProAssurance is an official Platinum Partner with the Medical Association.

Posted in: Management

Warning! Do You Have Employees Age 65 or Older?

Editor’s Note: This article is a special edition to the Medical Association — May 27, 2016

In partnership with the Internal Revenue Service (IRS) and Social Security Administration (SSA), the Centers for Medicare and Medicaid Services (CMS) is using their data matching project more aggressively, to compare their records with other federal programs. CMS is looking for Medicare enrollees who are still working and have access to employer-provided coverage. Medicare Secondary Payer rules prohibit an employer from offering an incentive of any kind to an individual who is Medicare-eligible to enroll in Medicare in lieu of the employer’s group health plan. Employers are subject to severe penalties if they are determined to have encouraged those who are 65 or older to switch from employer-provided coverage to Medicare coverage.

Employers with 20 or more employees are the target of the prohibition. The 20 or more employee threshold is determined by head count and not by full-time status. For example, an employer with five part-time employees and 16 full-time employees would be considered as having 21 employees under this rule.

The penalty is $5,000 per instance, which is severe. However, the greater risk and potential penalty for employers found in violation is repaying CMS for payments on claims that Medicare paid as primary that should have been paid as secondary. For Medicare-eligible employees who have chronic illnesses that require ongoing treatment, the repayment could be significant.

While some employers received these letters in prior years, CMS is stepping up their goal of successful recoveries from below 5 percent to close to 100 percent. That is why they have partnered with the IRS and SSA in the joint data match project. If a Medicare-eligible employee shows up on both the income tax withholding list of an employer and on the Medicare list, a data match generates the letter.

Some employers who get the letter may not realize how seriously they should take the request. There is a 30-day deadline, which puts more pressure on busy owners and managers to be alert and respond correctly and in a timely manner.

Responding to the questionnaire can be complicated. If the process is not followed precisely, the employer could face fines and penalties for the wrong employee. There are three steps of which to be aware:

Step 1 Employer sets up account in the data match program.

Step 2 Complete the information about the health plan and the specific questions on the employees identified by the data match program.

Step 3 After certifying the information is correct, wait for the next request for information.

Protect your business by responding timely and accurately to the CMS letter. Evaluate whether you have risks with any employee aged 65 or older. If you have Medicare-eligible employees who voluntarily declined coverage under your business health plan to take Medicare, you need proof on file. Ask your insurance carrier to provide a form for employees to decline coverage.

Be careful advising your employees with comparisons of coverage and premiums. Remember, an employer encouraging an employee to take Medicare and to decline the group health plan is where this problem begins.

The information in this article is not intended as tax or legal advice. Please consult your tax advisor for specific information regarding your individual situation.

Contributed by Mark Baker, CPA and Patti Perdue, CPA.CITP, Jackson Thornton. Jackson Thornton is a Certified Public Accounting and Consulting Firm and an official partner with the Medical Association.

Five Secrets to Preventing Provider Cardiac Arrest Secondary to Meaningful Use 2 — There’s a Diagnosis Code for This!

Editor’s Note: This article was originally published in the 2015 Inaugural Issue of Alabama Medicine magazine

Kill two or three measures with one click. Clinical Decision Support Rules, PQRS and Clinical Quality Measures can be managed simultaneously.

Here’s an example of what I mean: Meaningful Use 2 requires the smoking status of all patients 13 years and older to be documented. The Physician Quality Reporting System also requires Providers who select this measure for reporting to screen patients for tobacco use who are 18 years or older and to provide them with cessation counseling if they are tobacco users.

Build a clinical decision support rule to remind you to record the tobacco status of patients 13 years of age (automatic pop-up). You’ve knocked out recording the smoking status of the patient and core measure number 5. The patient then tells you that he or she smokes two packs a day and loves it. At that point, you revel in the opportunity to save a life and conquer measure number 13. Suddenly, you realize that you have just performed PQRS measure number 226, and you do your proverbial happy dance.

If you get that queasy feeling of being “unsure” when you attest to performing a Security Risk Analysis, ask a professional for advice. You can be audited for up to six years – you may be all for doing it yourself to save money, but unless you are a physician as well as a Certified Information Systems Security Professional (CISSP), you could miss something critical. Additionally, the cost for inadvertently allowing a hacker to successfully hack into your EHR, violate patient privacy, sell your patients’ information to the highest bidder, and give you five minutes of fame in the local news is much higher than the fee for allowing a truly certified professional to prevent this from happening.

Encourage secure messaging with patients by incorporating it into your workflow. The Provider is not the sole individual allowed to manage these messages. Imagine the angry patient who has been sitting in your exam room for 45 minutes, waiting to see you. Unfortunately, you did not anticipate six walk-ins that day and are running a little behind schedule. Fortunately for you, your clinical staff is utilizing the patient engagement template created specifically for this all too common occasion. Medical Assistant Molly walks into the exam room and pulls up the patient’s record. She explains kindly that Mr. Doe can now send the physician a secure message through the patient portal. Mr. Doe does not have an email or know how to set up his portal. No problem! She can assist with that as well. The MA then helps the patient send a secure message stating “Dear Dr. Awesome, thanks for showing me how to contact you via secure message.”

Sending information to a public health registry requires teamwork between both parties involved. Unlike Meaningful Use 1, failed testing does not meet the measure in Meaningful Use 2. Ongoing submission to a registry is the rule. Take heart. Most health departments have a special section set up on their websites for meaningful users. They have the ability to accept submission of things like diabetes diagnoses, cancer cases and immunizations, and if they don’t, you are probably excluded from the measure. Contact the local health department and find out who is managing Meaningful Use on their end. There are forms to be filled out, calls to vendors and registries to be made, but in the end, Providers will be able to submit vital information to health departments electronically. Some EHRs have a one-directional interface. In this case, make sure the Practice Administrator submits the information at least weekly, and follows up to ensure effective transmission. A bi-directional interface allows for automated transmissions with limited time devoted to monitoring processes.

Qualified professionals can assist the Provider with CPOE. Some EHRs do not recognize orders placed by another “qualified professional” if they are not linked with the Provider. If the number of patients being prescribed medications or for whom labs/radiology are ordered is increasing daily — but the meaningful use stats are not adding up — the problem might be as simple as selecting the supervising provider.

In order to keep your clicking fingers from getting worn out, I suggest creating a “favorites” page of labs, medications and imaging most commonly ordered. This will cut down on the time it takes to rummage through the endless options available in EHRs.

The information in this article is not intended as tax or legal advice. Please consult your tax advisor for specific information regarding your individual situation.

Contributed by Patti G. Perdue, CPA.CITP, Jackson Thornton. Rebecca Hanif, CCS, CPCO, CPC, also contributed to this article. Jackson Thornton is a Certified Public Accounting and Consulting Firm and an official partner with the Medical Association.

Don’t Fall Victim to Cyber-Security Disasters

Editor’s Note: This article was originally published in the 2015 Fall Issue of Alabama Medicine magazine

Every day, it seems the news is filled with more and more reports of cyber-security attacks. Unfortunately, the health care community is considered a prime target for those individuals who would seek to gain access to confidential information.

Did you know that stolen medical records can be valued at up to 10 or 20 times that of a credit card number? [1] Compounding this is the ever-growing reliance within the medical community upon electronic and digital systems to capture patient data and deliver medical care. So how can health care providers protect themselves from being the victim of a cyber-security incident?

Assess and Manage Your Risk

Medical providers should have a comprehensive knowledge of where their critical information resides, and of any and all vulnerabilities related to the storage and transmission of the data. To ensure that those in the medical community recognize the threat(s) to confidential information, the United States Department of Health and Human Services mandated within the HIPAA Security Rule that all covered entities conduct a thorough risk analysis to identify all potential vulnerabilities as well as determine the probability and magnitude of a possible security event. [2]

While a risk assessment should be a formal exercise in which all facets of information security are reviewed and vetted for adequacy, the provider should also establish and maintain a strategy for risk management. This involves implementing proper safeguards to secure information as well as communicating and educating personnel throughout the organization on the policies and procedures which continually mitigate risk. By creating and cultivating a culture of compliance, one can significantly reduce the chance of exposing a vulnerability that could lead to unauthorized access.

Increase Detection Capabilities

Recent cyberattacks in the health care community have exposed a very dangerous trend: Many times, hackers have accessed and begun harvesting data several weeks or even months prior to being detected. [3] It is no longer sufficient for medical providers to consider security safeguards, such as firewalls and anti-virus software applications, as “set-it-and-forget-it” mechanisms. Solutions should be implemented to enable the monitoring and detection of breaches that could trigger proper incident response processes quickly and efficiently.

Health care organizations should consider investing in Next-Generation Firewalls. These security devices provide more than just network filtering – they typically offer advanced security features, such as deep packet inspection (where each specific data part that passes through is examined for viruses or other types of malicious software) as well as intrusion prevention systems that monitor network traffic for malicious activity and are configured to actively prevent or block such attempts once detected.

In addition to these technologies, other applications, such as Security Information and Event Management Systems, allow for real-time analysis and monitoring of systems. These solutions can be configured to alert the proper personnel in the event of a suspicious activity (e.g., multiple failed system logins) and allow the organization to establish a proactive stance against unauthorized access to critical systems.

Protect and Secure Mobile Devices

According to the 2014 SANS Health Care Cyber-Security Survey, 52 percent of respondents allow access to health record information via mobile devices. Another 30 percent indicated that sensitive data was being included in instant messaging applications. [4] As mobile device usage continues to grow, it becomes more and more important for healthcare providers to implement a mobile device management policy to address and minimize the threat of these devices causing a security incident.

Specific to the mobile device itself, all providers should ensure that both authentication (via password or PIN code) and encryption are enabled on all devices. Furthermore, public Wi-Fi networks should not be used in situations where health information will be transmitted. Secure, encrypted connections, such as SSL VPN, should be established when accessing corporate resources remotely. Providers should also implement technologies that can remotely wipe or disable mobile devices that are lost or stolen.

As much as one can try to protect and mitigate risk related to the mobile device itself, the user of the device can still pose a significant liability. In addition to addressing the physical device, organizations should also invest in continuing education and training for users, as well as maintain strict policy and procedures related to the use of the device in providing medical care.

Looking Ahead

The SANS report data shows that the health care industry is slowly starting to make strides and improve when it comes to protecting critical data from attack. However, it has become clear that not only are the hackers getting smarter, but their overall activity and attempts to infiltrate and mine confidential information continue to increase significantly. [5] A 2014 report in United States Cyber Security Magazine indicated that the health care industry was the target of more cybercrime incidents than any other market, and this trend is likely to continue as hackers start to realize the value of medical information. [6]

Health care organizations will need to continue to thoroughly examine and assess the ways in which they are protecting themselves from attack. Analysis will need to be conducted internally and externally, as associated organizations such as payers, insurers, and other entities within community health care networks will be responsible to each other for protection of medical information. By effectively assessing and managing risk and building a risk framework that addresses all areas of critical data, medical providers can take significant steps towards minimizing the likelihood of a cybersecurity attack.

Sources

  1. http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924
  2. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf
  3. http://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/
  4. https://www.sans.org/reading-room/whitepapers/analyst/threats-drive-improved-practices-state-cybersecurity-health-care-organizations-35652
  5. http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
  6. http://www.uscybersecurity.net/Pages/online_magazine.html

The information in this article is not intended as tax or legal advice. Please consult your tax advisor for specific information regarding your individual situation.

Contributed by Nic Cofield, Jackson Thornton Technologies Consultant. Jackson Thornton is a Certified Public Accounting and Consulting Firm and an official partner with the Medical Association.

Don’t Overlook Your Deductions this Tax Season

Editor’s Note: This article was originally published in the 2016 Winter Issue of Alabama Medicine magazine.

Holidays are over. The tree has been undressed and put away until next year. Your New Year’s Resolutions are drafted, and you’re waiting for the last piece of Christmas cake to be eaten before starting them. It’s also the time of year when you start looking on the calendar to count the days until the next holiday. First is Valentine’s Day, then Easter, and then National Tax Filing Day. (I’m sure that last one is included on most calendars, right?)To help you get ready for National Tax Filing Day, here are some reminders of often overlooked tax deductions which could help reduce your taxes in 2016.

To help you get ready for National Tax Filing Day, here are some reminders of often overlooked tax deductions which could help reduce your taxes in 2016.Job hunting expenses For many Americans, the cost of finding a job could be considerable if they have been actively looking from city-to-city or state-to-state. The Department of Labor has reported employers adding jobs with net job gains in the number of jobs created. Job hunting expenses includes transportation, food and lodging for overnight stays. It might include secretarial expenses if you paid someone to type or print your résumé.

Job hunting expenses For many Americans, the cost of finding a job could be considerable if they have been actively looking from city-to-city or state-to-state. The Department of Labor has reported employers adding jobs with net job gains in the number of jobs created. Job hunting expenses includes transportation, food and lodging for overnight stays. It might include secretarial expenses if you paid someone to type or print your résumé.Charitable contributions Checks, cash or charge. If you donate cash over $250, be sure to get a receipt. If you donate goods such as good used clothing, those unused golf clubs sitting in the corner of your garage, furniture or computers (wipe all data off first), or appreciated property like stock, these are potential tax deductions.

Charitable contributions Checks, cash or charge. If you donate cash over $250, be sure to get a receipt. If you donate goods such as good used clothing, those unused golf clubs sitting in the corner of your garage, furniture or computers (wipe all data off first), or appreciated property like stock, these are potential tax deductions.Reinvested dividends If you sold stocks or mutual funds during 2015, did you participate in a dividend reinvestment program where your dividends were used to buy more shares? If so, these reinvested amounts add to your cost basis for computing the taxable gain on the sale. Your financial advisor can provide this information.

Reinvested dividends If you sold stocks or mutual funds during 2015, did you participate in a dividend reinvestment program where your dividends were used to buy more shares? If so, these reinvested amounts add to your cost basis for computing the taxable gain on the sale. Your financial advisor can provide this information.Health insurance premiums If you are self-employed (and not covered by an employer plan or your spouse’s plan), you may be eligible to deduct premiums paid for health insurance, premiums for Medicare Parts B and D, Medigap insurance and Medicare Advantage Plan. This deduction is available whether you itemize or not.

Health insurance premiums If you are self-employed (and not covered by an employer plan or your spouse’s plan), you may be eligible to deduct premiums paid for health insurance, premiums for Medicare Parts B and D, Medigap insurance and Medicare Advantage Plan. This deduction is available whether you itemize or not.Retirement plan contributions There are too many options to include the details here. Many entrepreneurs and small business owners who are employed by others but also work in their own business might qualify for an additional retirement plan contribution. You need to talk with your financial advisor and tax preparer. Some of the options include SEP, SIMPLE IRA and 401(k)s.

Retirement plan contributions There are too many options to include the details here. Many entrepreneurs and small business owners who are employed by others but also work in their own business might qualify for an additional retirement plan contribution. You need to talk with your financial advisor and tax preparer. Some of the options include SEP, SIMPLE IRA and 401(k)s.

Inherited IRA or pension If you inherited an IRA or 401(k) or another retirement plan from your spouse or a parent, you may be able to deduct the estate tax paid by the IRA owner. Also remember that withdrawals you take are taxable and could be subject to penalty if you took money out before you were 59 ½.

Expensing vs. capitalizing assets In 2014, the rules changed regarding what was required to be capitalized and depreciated. In 2015, the IRS gave us some additional relief by increasing the amount that could be expensed from $500 to $2,500. This safe harbor exception was good news for business owners to expense eligible purchases costing under $2,500 or less per item or per invoice.

Immediate write-off As 2015 was coming to a close, Congress voted to extend several expired tax provisions that will save businesses and individual taxes. Legislation known as PATH Act extended or made permanent a number of tax provisions including immediate expensing of eligible purchases of up to $500,000. To qualify for these deductions, assets must have been placed in service by no later than the end of your business’s tax year. The legislation also extends the 50 percent bonus depreciation for qualifying property acquired and placed in service during 2015 through 2017.

Credit card purchases This one could easily slip by a business owner or individual. A payment on your credit card is not deductible; neither is the interest paid on the card. However, if you have purchased business items or made tax deductible purchases charged to a credit card in December, you count the expense as having occurred in December and claim your deduction on that year’s tax return. You need to keep the vendor or store receipt. Submitting the credit card statement is not enough. If you haven’t already, consider using a separate credit card strictly for business purposes.

Roth IRAs for your kids If you have teenaged children who work, some of their earned income could be used to make a Roth IRA contribution. For 2015, this could be as much as $5,500 depending on the amount of their earned income. There is no tax deduction for this contribution, but the savings come later – when they withdraw the money for college or moving out of your house or for their first car.

Now that you have thoroughly planned for National Tax Filing Day, you can start packing for Spring Break!

The information in this article is not intended as tax or legal advice. Please consult your tax advisor for specific information regarding your individual situation.

Contributed by Patti G. Perdue, CPA.CITP, Jackson Thornton CPAs and Consultants. Jackson Thornton is a Certified Public Accounting and consulting firm. Our Healthcare group specializes in accounting, practice management, strategic planning, technology and wealth management for physician practices.


Managing Your Practice New Overtime Law Could Be a Land Mine


Editor’s note: This article was originally published in the 2016 Summer Issue of Alabama Medicine magazine.

This is the time of year when many physician groups are evaluating their employees’ performances for the purpose of giving raises or bonuses. For most groups, the majority of their employees are not exempt from the overtime law. The Department of Labor’s (DOL) Fair Labor Standards Act (FLSA or Overtime Law) requires a business to pay its employees at an hourly rate of time-and-a-half if that employee worked more than 40 hours per week. The new law does not affect this group of employees. It’s those employees who are “exempt” from the overtime requirement that could trip a practice up and subject the owners to penalties by DOL and the IRS.

On May 18, 2016, the DOL released new regulations related to employees who are “exempt” from the Overtime Law. The new law is effective Dec. 1, 2016. A practice still has time to determine if the new law applies to any of its employees and what changes should be made to avoid penalties.

The new law changed the wage threshold amount from $23,660 ($455 per week) to $47,476 ($913 per week). This threshold has been frozen since 1975 but will now be adjusted every three years beginning Jan. 1, 2020. Any employee earning less than the threshold is considered non-exempt and is thus entitled to overtime pay.

Generally, an employee is exempt from the “time-and-a-half” pay if both of these tests are met:

First: Their pay exceeds the new wage threshold amount of $47,476 ($913 per week).

Second: Their duties are primarily executive, administrative, or professional. The regulations have specific criteria that should be reviewed with your CPA or tax advisor to be sure this test is met. The duties test did not change with the new regulations.

Many office managers and nurses are paid by salary rather than an hourly rate. Oftentimes, these individuals work more than 40 hours per week. Until now, it was not important to track their time to know when their hours exceeded 40 in a workweek. Beginning Dec. 1, 2016, if any salaried employee is paid less than $47,476 per year, including the office manager and nurse, their time must be tracked and they must receive overtime pay. Their overtime pay must be calculated based on their salary converted to an hourly basis for a 40-hour workweek. You can still pay them on a salary basis, but you will need to be sure their hours do not exceed 40 hours in a workweek.

For example, suppose your practice manager is expected to be paid $50,000 this year, which includes a base salary of $46,000 plus a Christmas bonus of $500 and an expected year-end performance bonus of $3,500 (if the practice has a good collection year; this was the bonus last year). Because the total salary of $50,000 exceeds $47,476, no overtime is required to be paid if the manager worked more than 40 hours per workweek.

However, suppose the practice’s collections are not so good and the performance bonus is not paid. This practice manager’s total salary of $46,500 is less than the threshold of $47,476. If this manager routinely worked more than 40 hours, he/she would be entitled to overtime pay. The problem is that the physician owner would not know until year-end how much the performance bonus will be. It is likely that the practice manager has already worked 250 hours over the 40-hour workweek. Just one extra hour per day for 50 weeks would result in 250 overtime hours. A salary of $46,500 translates to $894 per week, which, divided by a 40-hour workweek, results in an hourly rate of $22.35. The practice manager would be entitled to overtime pay of $5,587. Because of the changes in the law, this manager would be paid more in a bad year than in a good year simply by working an extra hour per day. (The law requires nondiscretionary bonuses to be included in the calculation of the rate per hour. Consult your tax advisor to determine if this provision affects your situation.)

There are some immediate actions needed by all practices to be sure there are no landmines after Dec. 1. Remember, the new regulation only impacts the exempt employees in your practice.

  • Using last year’s W-2 wages, assess whether any of your exempt employees were paid less than the threshold of $47,476; be sure to evaluate the employee classification as exempt or non-exempt.
  • Do your exempt employees generally work more than 40 hours per week? If you are not sure, this is a conversation you should have right away with your exempt employees: they should begin tracking their time, and all overtime must be pre-approved by you.
  • Compute the amount of overtime pay to which they could be entitled if they continue to work more than 40 hours per week.
  • Determine if the exempt employees earning less than the threshold should be given a raise to avoid having to track their hours and avoid potential penalties.
  • Another consideration is the exempt employee whose overtime hours cannot be avoided. A potential solution might include reducing their salary for the amount expected to be paid by the overtime hours. This is a more difficult conversation to have with your employee and would require careful calculations by your tax advisor.
  • How will hours be tracked for your salaried employees? Discuss with your tax advisor the best method for accurate and complete tracking that will meet the DOL regulation.
  • Determine if you need to meet with your exempt employees to discuss any potential changes. Exempt employees who work from home will have to assist in tracking their own hours. Flexible work schedules must be reviewed as well.
  • It’s important to communicate the reason for this salary change if you do not typically adjust it every year. By doing so, you will avoid employees’ expectations for a raise next year and their disappointment at not getting it.

The new law also included an adjustment to the class of highly compensated employees. The threshold for this group also increased from $100,000 to $134,004. Employees whose salary or pay is above those amounts will be deemed as exempt and not entitled to overtime pay. The duties test does not apply to the highly compensated class of employees.

Avoid any landmines for your practice. Start looking at these law changes before Dec. 1.

The information in this article is not intended as tax or legal advice. Please consult your tax advisor for specific information regarding your individual situation.

Contributed by Patti G. Perdue, CPA.CITP, Jackson Thornton. Jackson Thornton is a Certified Public Accounting and Consulting Firm and an official partner with the Medical Association.
