Common Questions – and their Answers.

There is no right or wrong answer to this question, and the answer to this question may change over time and evolve as your practice evolves and as new and different practitioners enter and exit. There is no “best practice” standard, though we generally see two approaches: (1) a nominal buy-in and buy-out, or (2) a buy-in and buy-out based on the fair market value of the practice. Even within these general approaches, there are significant variations.

Generally, a threshold question to answer is when do you want to make your money? Do you want to make money as you’re practicing or do you want to defer compensation and receive a big pay-out when you retire? Perhaps it is a combination of both. Will you be an employee of your practice receiving a salary and bonuses, in addition to an owner who receives dividends or distributions? The personal tax implications of these arrangements should not be overlooked, particularly because of the self-employment tax exposure, and you should consult with your financial advisors as you evaluate the compensation structure of your practice.

There are many factors you should consider as you and your partners negotiate buy-in and buy-out requirements.

• If you expect to receive compensation in real-time, as the practice generates profits, then a nominal buy-in and buy-out amount might work for you. Instead of receiving a significant lump-sum at your retirement or withdrawal, you will make money through distributions or dividends and/or employment compensation. We have seen buy-in and buy-out amounts as little as $10.00, even in practices with significant operating revenue and profits. Usually the practice, not the other partners, pay the withdrawing or retiring partner the buy-out amount.

2. Is my practice required by law to hold regular shareholder, partner, or board meetings?

Generally, regular meetings are not expressly required by law. Annual meetings may be required by law, depending on whether your practice is a PC, LLC, or LLP.

For PCs, a meeting of the shareholders is required annually for the purpose of electing directors. Otherwise, the certificate of incorporation and by-laws may set forth the rules regarding calling of other meetings. A PC also has a Board of Directors. The law does not require that the board meet regularly. Rather, the by-laws will specify if and when regular and special board meetings shall or may occur. If the by-laws are silent, then the board determines when it will meet. A regular meeting of the Board may be held without notice if the time and place of such meetings are fixed by the by-laws or the board. Special meetings for the board require advance notice to the directors. Usually the by-laws specify the rules for providing any required advance notice. If they do not, then the PC should look to state law to determine the notice requirements.

A PLLC must hold an annual meeting of its owners (called members) annually, unless the operating agreement specifies otherwise. Written notice of such meeting must be provided to the owners in accordance with the operating agreement. If the operating agreement does not specify the notice requirements, then the PLLC should look to state law to determine what must be done. Depending on its structure, a PLLC may also have one or more managers responsible for the management and operations of the practice (similar to the Board of Directors of a PC). The law does not require regular meetings of the managers, and the PLLC’s operating agreement may specify any applicable meeting requirements.

For LLPs, the law does not require regular meetings of the partners. Rather, the partnership agreement may specify any applicable meeting requirements.

If the by-laws, operating agreement, or partnership agreement require meetings and set forth specific notice requirements for such meetings, the practice should comply with these self-imposed requirements or change the requirements to mirror its actual practices. Failure to have meetings when required or to provide the requisite notice for meetings could undermine the action taken by the practice. If a person (including another owner or employee of the practice) wanted to challenge the action taken by the practice, they could cite these procedural failures as grounds to overturn and undermine the decision reached.

Regular meetings of the practice owners and board or managers is a best practice. Additionally, if a practice fails to conduct regular meetings of its shareholders and board of directors (in the case of PCs), members or managers (in the case of PLLCs), or partners (in the case of LLPs), it may be evidence that the owners failed to observe corporate formalities. Generally, owners of PCs, PLLCs, and LLPs enjoy limited liability for non-medical malpractice related liabilities of the practice. However, if a court deems that the owners abused this privilege and failed to observe corporate formalities (like meetings), it could “pierce the corporate veil” and hold the owners responsible for all liabilities of the practice.

Yes, a practice can reference a specialty in its legal name or assumed name as long as all of the owners have board certification in that specialty.

The New York State Education Department (DOE) exercises supervision and jurisdiction over the formation of and organizational changes related to professional corporations, limited liability companies and partnerships. In this role, the DOE must approve the formation of all professional entities and any changes to such entities’ name, purposes, and ownership. The DOE will not approve the formation of a practice where the proposed name does not comply with legal requirements.

Specifically, New York law requires that the name of a practice appropriately describe the profession practiced and the services to be provided. The law also requires that, if the name includes a reference to a specialized area of professional practice, satisfactory evidence is submitted to the DOE demonstrating compliance with the rules of professional conduct regarding the use of specialty titles.

The rules of professional conduct applicable to dentists specifically require that a dentist may not advertise or indicate a specialty area of practice unless the dentist has completed a program of specialty training approved by the Board of Regents in a specialty recognized by the Board of Regents.

The rules of professional conduct applicable to physicians do not have the same express regulatory requirement. However, the DOE has interpreted the advertising rules applicable to physicians as requiring board certification in order for any specialty designation to be permitted. Specifically, the DOE takes the position that it is misleading for a physician or practice to hold itself out to the public as practicing a particular specialty without the proper qualifications. Additionally, the DOE will only recognize and approve those specialties for which board certification currently exists. The DOE only accepts board certification from the American Board of Medical Specialties, American Osteopathic Association, and the Rural College of Physicians of Canada. It does not accept certification from the National Board of Physicians and Surgeons or evidence of years of experience, residency programs, or CME credits in a particular specialty. Historically, the DOE has indicated that it could temporarily accept proof that a person is board eligible, pending formal board certification. But the physician at issue would still need to pass the boards and present a copy of the board certification or passing exam scores from the specialty board recognized by the DOE.

A physician or practice which advertises a specialty without the requisite board certification could face professional discipline. Therefore, it is important that a specialty practice ensures all owners obtain and maintain board certification in the applicable specialty.

4. I would like to retire in the next year or so. What should I do with my practice and patients?

The decision to retire is significant. Not only does it affect your daily life and finances, but it affects the lives of your employees and patients. Undoubtedly, you have concerns about sustaining your life style in the next phase of your life, but you also have obligations to your patients to ensure that they receive the care they need. There are a number of approaches to consider. They can be implemented independently of one another or combined into a broader approach. The ultimate course of action also depends on whether you are a solo practitioner or part of a group practice.

5. Is my covenant not to compete enforceable?

If you are a practitioner subject to a non-compete or a practice looking to enforce a non-compete against a former employee or owner, the question of enforceability is important. Generally, whether or not you can enforce or be held to the restrictions stated in the non-compete depends on the scope of the provision. Scope is evaluated based on both the stated duration and geographic limits of the non-compete clause.

Most courts in New York will enforce a non-compete against a physician or dentist that prohibits competitive practice for one year following termination at any location within five (5) miles of any office where the former employee or owner practiced. Parties to a contract can include a longer duration and larger geographic scope than this, however, if a practitioner violates the non-compete a court will only enforce what is reasonable. If a practice has multiple locations, a court is also not likely to enforce a non-compete in relation to an office where the former employee or owner did not practice or ever see patients.

While the purpose of your practice’s non-compete is ultimately to protect its business interests, it is important to remember that your business interests cannot override patient choice. While practices should take any potential violations of a former employee or owner’s non-compete seriously, a practice should never hinder a patient’s ability to receive services from the practitioner of their choice. This means that your practice should always answer patients’ questions about former employees and owners honestly and accurately and should never refuse to send medical records to another practice.

First, you should consult any employment agreement, shareholder agreement, partnership agreement, or operating agreement for applicable rules and requirements. If the departing practitioner is an owner of the practice, the shareholder agreement, partnership agreement, or operating agreement will specify the rules for his or her buy-out. You may need to consult with legal counsel to appropriately document the buy-out.
The departing practitioner does not own the records of patients he or she provided services to during his or her time at your practice. The practitioner cannot take copies of medical records, unless a patient signs a HIPAA authorization. The departing practitioner also should not be permitted access to patient information for purposes of contacting them unilaterally, as the possession of this information post-employment would be a HIPAA violation.
Your practice should also consult and comply with applicable patient notification rules. Often the letter sent to patients notifying them of the practitioner’s departure is a source of contention. However, the practice should control the messaging and limit the content to the minimum required by law.
You should consider whether the medical malpractice insurance for such provider was claims-made or occurrence-based.
Lastly, any applicable non-compete restrictions should be reviewed and you should remind the departing practitioner of these obligations.

7. We want to partner with other practices to reduce costs and improve reimbursement rates. What are our options?

This question is increasingly common as practices face increasing costs and stagnant reimbursement rates. However, partnering with other practitioners requires careful navigation of significant federal and state law issues, including the Stark Law, the Anti-Kickback Statute, fee-splitting, antitrust issues, and corporate practice restrictions. The options below vary in the mechanics and regulatory hurdles that must be overcome to successfully implement each of them. Moreover, each model has greater cost savings and reimbursement potential as more practitioners join the model.

Yes, as long as the relationship complies with applicable laws like the federal Stark Law and the Anti-Kickback Statute and state fee-splitting restrictions. These legal requirements and restrictions generally require, among other things, that:

Additionally, when leasing space, you should be careful of any restrictions on subleasing that might be contained in your lease (if you rent your office) or any mortgage or other financing (if you own your office). Often these documents require that you obtain the landlord or bank’s consent to any subleasing arrangement.

Sharing employees also carry co-employment risks. This means that you could be held responsible for the incidents of and issues related to a shared employee, even if the conduct at issue occurred while the employee was providing services to the other practice.

Medical Records

9. Who owns a patient’s medical records?

For practitioners in group practices or practicing through a professional entity (such as a PC, PLLC or LLP), patient records belong to the practice and not the individual treating physician or dentist. For solo practitioners, patient records belong to the practitioner.

Under HIPAA, patients have an undeniable right to inspect, review and receive a copy of his or her own medical records and billing records. Providers can charge a fee for copying and mailing records, but cannot deny access to a patient who has not yet paid for medical or dental services rendered by the practice.

When a practitioner leaves a practice, the practitioner may not take patient medical records with him or her unless the practice is directed by a patient to send a copy of his or her medical records to the practitioner at his or her new office. It is a HIPAA violation if a practitioner makes copies or takes patient information with him or her when he or she leaves a practice.

When a practice is sold to another physician or a hospital, patient records are also usually transferred. However, the selling practice and the buyer must enter into a medical records custody agreement in order to comply with applicable regulations.

10. How much can I charge lawyers who request copies of patient medical records?

The privacy rule only sets a price for patients requesting their own records. Attorneys and other third parties can be charged any reasonable rate that the practice determines is adequate for their time, effort and supplies.

11. How long am I required to maintain patient records?

Professional Conduct

12. When do I have an obligation to report another provider’s conduct to the state licensing board? Is there any other organization I have to report to?

As a provider you have the professional obligation to report the misconduct of other providers to the Office of Professional Misconduct (OPMC) unless that misconduct was discovered within the confines of a peer review or morbidity and mortality meeting pursuant to the bylaws of a hospital or other applicable healthcare organization. A Hospital Medical Staff or the hospital itself has a reporting requirement to the National Practitioner Databank when an instance of misconduct or practice issue results in an impact of a providers license that lasts longer than 30 days.

HIPAA

13. Can a patient sue me if we disclose their information in violation of HIPAA?

Yes, patients can sue a physician, dentist, or practice for a HIPAA violation. However, a patient’s right to sue does not arise under HIPAA. HIPAA does not provide individual patients with any private right of recovery for breaches and HIPAA violations. This is usually a surprise to many patients.

Patients whose information has been disclosed in violation of HIPAA are increasingly using state laws as the basis for lawsuits against the physician, dentist, or practice. Patients seek damages on grounds of negligence or breach of implied contract. This requires the patient to prove that they suffered damage as a result of the practice’s negligence or the theft of unsecured health information. Often, damage is difficult to prove, unless the patient can substantiate additional costs incurred as a result of the breach (for example, credit protection insurance, identification theft insurance, expenses incurred because the patient’s identity was stolen). State laws also protect the confidentiality of personal and health information and, depending on the circumstances, a patient may use these state laws as the basis for a lawsuit. A practice is particularly vulnerable to these types of claims if it fails to establish appropriate and adequate policies and procedures to protect patient information or train their workforce to effectively and appropriately implement these policies and procedures.

14. If I have a business associate agreement with a third party, it’s okay to share patient information with that person, right?

No. Patient information may only be shared in compliance with certain specified permitted and required uses and disclosures under HIPAA. In some instances, a business associate agreement is also required when a permitted use or disclosure is made. However, it is never the only requirement. Even if you have a business associate agreement in place, the disclosure still must be permitted or required under HIPAA.

HIPAA permits you to disclose (without patient consent) patient information with a third party for “treatment,” “payment” or “health care operations.” Each of these terms is specifically defined under HIPAA and should be consulted and reviewed before sharing patient information. This is particularly important when you are considering sharing information with other health care providers for purposes of establishing new practice arrangements, joint ventures, or other business arrangements.

In turn, a business associate can only use and disclose patient information to the same extent that the covered entity would be permitted or required to use and disclose patient information. Moreover, a business associate agreement is not appropriate or required in every circumstance and should only be put in place if the recipient of the information actually is a “business associate” as defined under HIPAA. Many practitioners exchange business associate agreements with other practitioners or third parties (like landlords and vendors) when no business associate agreement is actually required. However, a business associate agreement only needs to be in place with third party service providers who actually receives or has access to patient information in the course of providing administrative or management services like claims processing, data analysis, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, legal, actuarial, accounting, consulting, management, or financial services. A health care provider who receives patient information in connection with treatment of an individual is not a business associate.

A practice should have physical and technical safeguards in place to protect its PHI (ie. Unique passwords for computer access, automatic logoff for devices containing PHI, locks on doors, sign in sheets etc). A practice should have an individual to whom HIPAA security is assigned to that will manage all aspects of security and the risk assessment and be responsible for updating anything that isn’t working and investigating any breaches or suspected breaches. A practice should perform a yearly risk assessment to assess the confidentiality of it’s PHI and the adequacy of it’s physical and technical safeguards in place to protect that PHI. There should be measures in place to assess breaches and potential breaches of PHI. There should be a facility security plan in place to protect equipment that stores PHI form unauthorized access and theft. This should include an inventory of all of these devices and who has them to make sure that all devices are maintained and returned if an employee’s role changes or if they separate from the organization. There should be policies and procedures in place to sanction and retrain employees who are involved in breaches or fail to comply with policies and procedures. There should be procedures in place to determine who should access what PHI and to take any unneeded access away. There should be policy in place to control what PHI and data can be removed from the system and if PHI is being transmitted via phone or personal devices those devices should be fitted with HIPAA compliant software and monitored. There should be procedures to monitor outside access and business associate access and terminate or modify the access of any individual that does not comply with the policies and procedures. Protection from hackers and malicious software should be priority. Computer log-ins should be auditable and regularly monitored to avoid unauthorized access of PHI. Password management should be in place to further secure logins and make sure passwords are adequate and being changed regularly. Practice should have a data backup plan to be sure they are able to retrieve PHI lost to malfunction or breach. There should be a disaster plan in place to determine what to do in the event that PHI is compromised or if there is a massive breach. The practice should have a BAA and should be sure to have them in place with all applicable vendors.

16. What types of coding, billing and documentation practices put our practice at risk of an audit?

Any coding practices that involve upcoding or purposely having patient interactions coded to qualify for a higher reimbursement than they should will place a practice at a higher risk of audit. The regulatory and law enforcement agencies regularly mine data and they have benchmarks of how much a particular code or level should be used so if a particular practice is seen as an outlier for a certain code that will generally trigger an audit. Incorrect use of modifiers or not understanding the modifiers for and area and using the wrong one over and over. Any billing procedures where a practice is billing Medicaid as primary when there is a secondary payor or any billing practices that result in billing payors in the wrong order are problematic. Billing separately for services that should be bundled. Duplicate billing where 2 providers provide and bill for the same service without communicating. Billing for services provided by staff that doesn’t meet the requirements or have the certifications (RN as opposed to LPN/Medical assistant as opposed to LPN nurse/uncertified techs/non-board-certified physicians). Documentation practices is overuse of copy forward, not justifying the code in the documentation, changing of the documentation to meet a higher code, not including necessary hard copy notices and documents in the chart, not having the right professional doing certain documentation, having individuals document thing that are outside of their scope of practice.

Compensating a billing company based on percentage of collections is considering fee-splitting and not permitted. For government payors this also creates an opportunity for abuse if the billing company is also doing coding as it incentivizes non-compliant coding practices. You must set compensation in advance for these services and the agreement should be multi-year as not to appear as if the compensation is changing yearly based on amount collected as that creates the same issue.

18. How often should we update our employee handbook?

The employee handbook should be updated whenever there is a major change in law or practice that requires something in the handbook to change but no less often than annually. Additionally, whenever there is a change to the handbook all employees should receive a summary and training (if necessary) of the changes so that they may ask questions and adjust their practice accordingly.

19. I collect and maintain certain health information about my employees. Do I have to comply with HIPAA when sharing and securing this information?

No. Even though you may possess health-related information about your employees in the context of drug testing, workers compensation claims, and employee benefits (like medical leave), HIPAA does not require you to protect the privacy and security of this information the same way that you must protect your patient’s health information. Moreover, this information is not considered protected health information under HIPAA. The regulations expressly state that PHI excludes individually identifiable health information in employment records held by a covered entity in its role as an employer.

The caveat to this rule is that an employer who maintains a self-insured group health plan. The plan is considered a “covered entity” subject to HIPAA and, as such, these employers are responsible for the plan’s compliance with HIPAA.