Daniel: Welcome to, “The Future Adjustment – Chiropractic Economics Podcast Series,” on what’s new and notable in the world of chiropractic. I’m Daniel Sosnoski, the Editor-in-Chief of Chiropractic Economics. And our guest today is Stuart Oberman. He’s the principal of the Oberman Law Firm, a prominent practice in Georgia, and he’s a specialist in medical law. He has particular expertise in the chiropractic field and has contributed articles and blogs to Chiropractic Economics.
Stuart Oberman, thank you so much for joining us today. As everybody in our audience is aware, the medical field is tightly entwined with the legal arena. But not every legal firm works the medical space. So what led you to focus on this area, specifically chiropractic and dentistry?
Stuart: Well, when I first started out, I was actually in-house counsel for a Fortune 500 company. And I’m also a claims adjuster. And so I naturally just sort of gravitated to the medical field. And to me, it’s just a fascinating field. The doctors are so individual-based more so than the physician side. They are more entrepreneurial in spirit and they are just great to work with. They’re very easygoing, is client-based, and the medical side is fantastic on the chiro. So just sort of naturally somewhere we just gravitated to. And we’ve been doing it for, you know, 20-25 years and I love it. I love our doctors. I love being involved in the industry. It’s a pleasure to serve these guys.
Daniel: Yeah. And the articles that you’ve written for Chiro Eco have been very authoritative. They really show that you are very familiar with this particular subset of the medical field and their needs. And I tend to agree with you. I find that doctors of chiropractic are quite a bit more easygoing than some of the type A surgeons and whatnot that you need.
Stuart: That is true. That is true.
Daniel: One of the things that you have some particular expertise in is in the area of medical practices’ need for cybersecurity. And we know that’s an especially difficult problem because cyber thieves, cyber criminals, they find that medical records are some of the most valuable bits of information that you can hack. Those medical records allow for identity theft because they tend to contain things like, well, you know, protected health information, social security numbers and that sort of thing. What are some of the threats out there and how can doctors of chiropractic defend themselves against it?
Stuart: The biggest threat are employees. A substantial part of the breaches are employee-based. It’s that they got to know how to handle the emails before you get into the encryption and we have like a cybersecurity checklist that we would be glad to provide your listeners. But majority of the problems are with staff, not knowing how to handle incoming emails, not knowing what is a threat, what is not a threat, how to handle certain protocols as far as where they should be surfing on the internet, where their inner cookies are being, you know, found on the internet, their footprints, and then honestly, their IT guys. We find a substantial part of the, “IT guys,” that these offices have, have no idea how to protect against ransomware.
Stuart: Yeah. It’s amazing. We’ll send these and we have like a certain checklist, that we have maybe 8 or 10, 12 topics. And only that would probably have like maybe five to seven areas that there should be a checklist on, “Do I have this? Do I have this?” And we get calls all the time and my IT guy doesn’t know what to do or is not sure of this, “What do I need to do?” I figure you need to get another IT guy or hire a specialist.
Ransomware is probably the biggest hit right now, where it has become so pervasive that they now have customer service departments for ransomware. So not only do they hijack your information, they now have customer service representatives to help you get your information supposedly back without being breached. But we all know that it is an absolute HIPAA Breach that the cybersecurity occurs. But it’s ransomware that’s the biggest threat right now, phishing and what to do.
Daniel: Well, hey, Stuart. If I can just get you to pause on there for our listeners who aren’t familiar with what ransomware is. Could you just give us a really quick overview of what that is?
Stuart: Yeah. Yeah. That’s like I’d say a four-hour topic but it’s really amazing. So what happens is, is that once you’ve been breached and you may not know you’ve been breached for four, five, six months, eventually some point comes up on your screen that basically, “Your computer has been hijacked.” And they’ll give you instructions on how to get your software and data back, to get control of your computer. So they literally have a virus that controls your computer, you know, from Lord knows what country or where.
And then, you don’t get that back or control of it until you send Bitcoin currency through international wires. And then once it hits you get your information back or access to it. You never really know where it goes once that information is hijacked. But it’s basically this is it’s a lockdown system, where somebody else has the key to your computer and you got to pay to get it back.
Daniel: Yeah. You mentioned phishing and then I know another area that’s difficult, it’s what they call a human engineering attack. Are you familiar with that?
Stuart: Vaguely, vaguely as far as that goes. And it has, like, a lot of different names. But depends on the topic of, “Oh, we’re right on that,” but…
Daniel: Well, generally speaking, it’s not that a hacker is using a, you know, sophisticated software to get past your defenses, they just call your secretary up on the phone and say, “Hey,” you know, “I’m with your IT department and I got locked out. What’s your password?” And, you know, there you go.
Stuart: Interesting. For a couple of hundred bucks, you can buy software to hack a computer on the Black Net. It’s actually pretty easy. Then one of the things is that there’s a lot of disguised emails where you are from a billing department or from a bank it made you just easily give away information from the office. That’s where the staff has got to be trained like some most of the breaches come from the staff.
Daniel: Yeah. Well, you know earlier this year in January, a chiropractor was in the news because he had to shutter his practice. His business partner was embezzling funds out of the practice, you know, doing the keeping two sets of books. And by the time that this was discovered, it was way too late. There was no way to recover the funds. And this is certainly not unheard of. What kind of steps could a practice take to mitigate that particular risk?
Stuart: You know, it’s a maze in the industry probably 40% to 60% of all practices are probably embezzled. And then the IRAs embezzlement is in excess of $100,000. It doesn’t take one shot, it takes years to do. And I always say this, is that at some point, a doctor realizes something is not right, something is just not right. Maybe collections have slowed. Maybe they’re not getting financial information in a timely manner. Maybe they can’t explain adjustments for certain patient charts.
My recommendation is an internal review probably 15 to 20 charts every month. Track your EOBs, track your credit card authorizations, track your cash payments, track your incoming, your invoices, and map along what your day sheets to show what you did that day, determine what you did. It won’t take you that long to do an audit. But at some point, we’ve got, you know, or an employee refuses to take vacation, not that they really love you, it’s because when they’re gone, that’s when things blow up, and they find out what’s going on. So it’s just internal controls.
Well, some of our manuals now we’re running where employees have to take vacations mandatory. There’s no question about it. And then it’s amazing what you find out when they’re when you’re gone. But again, there are certain signs and doctors get so busy, you know, day-to-day and adjustments in running, you’re running this department, you’re running that department, they lose track of what they’re doing practice-wise.
Daniel: For sure.
Stuart: It’s not easy. It’s not hard to do for our doctors.
Daniel: Well, I really like your suggestion of making that a monthly activity because if you’re doing that on an annual basis, it could be way too late by the time you find out that something.
Stuart: Yeah. I mean there’s always something to look at. And again, you sort of connect the dots what happened before. It’s hard to connect to going forward obviously. But you’ll see the signs and our doctors will ignore them, they’re like, “Oh, you know I knew that…I knew something right or something wasn’t right.” But, I mean, now you got staff members opening up fake bank accounts, diverting your insurance checks, taking cash. I mean honestly, I would be glad to provide the readers with an embezzlement checklist. And I think it’s almost like two or three pages. One thing is just to take a look at it and what to look for and how to, you know, what the signs are.
Stuart: There are signs. It’s just that doctors ignore them.
Daniel: Let’s talk a little bit later about it. Maybe we can talk later about possibly putting together an article on that subject because that could be a lifesaver.
Stuart: Oh, yeah, absolutely. Yeah. Oh, yeah. I mean it’s a lot, you know, we’ve got to practice that, they got hit pretty hard. And they tend to either decide whether or not they’re going to keep you on or shut it down.
Stuart: Yeah. When you get partners in embezzling, you get employees that embezzle, you know, thousands of thousands of thousands. It hurts and it hurts. I’d be glad to do that for you for sure.
Daniel: I’ve heard that one way that like one first line of defense is to avoid a situation, where a single employee is handling the money, either collecting the mail alone or going to the bank with deposits alone and that you should try to make [inaudible 00:11:33] their activities. Is that on your radar as a possible solution or one of the steps to take?
Stuart: That’s a great suggestion. And yeah, cross-training across disciplines of the office and switching things around every couple of years or you know, monitoring cross-referencing, cross-reviews. Yeah, that not giving the one employee, too much control is key and honestly, I do a lot of talking on embezzlement and I will not give an embezzlement speech to an office manager association.
Stuart: I mean we get those offers all the time. And I just will not do it because that’s leading the fox to the. And it’s just a recipe for disaster. But then that’s a great suggestion is have two controls when it’s tough to verify.
Daniel: Well, you know, what we’ve been talking about for the last few minutes here really has just been a conversation about risk management and risk mitigation, in general. And I know that you have actually said that risk management is a process. Could you explain what you mean by that in a little more detail?
Stuart: Yeah. I have my top 10 list of mistakes that chiropractors make. But it is a process, “Do you have your employee manuals in place? Are you doing the background checks on your employees? Are you doing the things necessary, new hires? Are you giving the reviews? Are you recognizing problem patients? Are you sending patients to collections?” which is a recipe for disaster.
Daniel: Oh, yeah.
Stuart: “Are you checking your notes? Who’s writing your notes? Who’s doing your charts? What’s your HR policy? Do you have OSHA in place? Do you have HIPAA in place?” you know, or, “Do you have a social media policy? What are you going to do when all of a sudden you got negative comments in the chart because one of your employees put something in there and appears on the Facebook page?”
Daniel: Wow, yeah.
Stuart: You’re dead in the water. You stay out of water, “Do you have an internet policy where your employees are restricted in certain areas? Do you have a software policy? We got to take a people who would or staff members recording conversations now? Staff meetings?” You know, there’s a lot of stuff that are privacy breaches. You know, “Are you getting rid of the problem patients that you just can’t help?” There are just some patients you’re just not going to help. And if you don’t learn how to get rid of those, they’re a recipe for disaster.
So, all those things make up the process, from the beginning to the end. And I know a lot of our doctors do not understand how to fire an employee. I mean they could say that but they don’t understand that at a certain stage, you got to file separation notices, you got to file stuff for the State, “And what are you going to do if you got a Federal audit for U.S. Department of Labor matter because one employee complained to U.S. Department of Labor you weren’t paying overtime?” [crosstalk 00:14:54] text messages, emails. So it’s all apposite[SP]. It’s having that control over what you’re doing day-to-day. And to stop me control, where somebody doesn’t have control over it, it is a recipe for disaster.
Daniel: Got you.
Stuart: That’s a lot of information.
Daniel: Yeah, I know and insanely good…
Stuart: That’s a lot of information.
Daniel: …at your fingertips. Hey, are there any other areas that you see DCs having trouble within the legal area?
Stuart: Compliance is the biggest part. I think well, in Medco, I’d say compliance, and employment law, and doctors don’t understand it. They don’t understand what’s required if you have an employee who is expecting a child four or five months from now. They don’t understand the hiring process. They don’t understand the firing process. They don’t understand what compliance is or how they should be in compliance, what their cybersecurity is.
But I think by and large, the biggest problem is employment law that they don’t understand it. And things change so much. It’s so hard to keep track of. It goes down to the basics to me, you know, “Are you doing things you need to hire the employees correctly? Monitoring the employees? Are your internal controls? Are you good with OSHA? Are you good with HIPAA? How’s your HR? Are you doing things right for the employees? Do you have your employee manual?” without an employee manual, you will never win a labor dispute. It’s just not the way this…that’s not going to happen.
Stuart: Then, “Are you going onto the internet and getting a six-page manual? Content access to your information the technology side? Do they have disassociate agreements? Are those secured?” And, you know, and then honestly, one of the areas is, “How do you respond to a board complaint?” Our guys don’t know how…they don’t know how to respond to a board complaint. They let it go. They blow it off. They don’t properly respond. And next, you know they’re getting on probation or getting suspended for a while.
Daniel: Oh, yeah.
Stuart: And then Medicaid is a huge issue right now.
Daniel: It is, yeah.
Stuart: That’s coding. That’s a huge issue and how to deal with the Medicaid audit. That’s just an area they just don’t understand and they’re afraid to ask for help.
Daniel: Well, you know if I can just teach you to pause right there. I just wanted, well, I just would like to say that if there was a subtitle for our talk today, I would have to say it’s, “Things change so much,” which is what you just said. That all of the things we are talking about today would be what I would call moving targets. They aren’t a, “Set it and forget it,” with arrangement. The compliance law threats to a practice, these things are constantly evolving. And that’s why we run articles often on the same topic throughout the year because we want to stay abreast of the changes and we know that the regulatory and legal picture facing practices is constantly in motion.
Stuart: Well, you guys do a great job on a publication basis on covering things. If you look at like a 12-month subscription to your magazine all the areas you cover. You cover the clinical side, the practice side, the billing side, the accounting side, the audit side, client side.
Stuart: And my God, there’s not much more you guys can cover on a monthly basis, as much you guys cover. So I mean you guys do a fantastic job getting the word out to the industry. And there’s not many publications frankly that do that. And most are just they’re not very informative, they’re just sort of filling space but honestly, I think you guys do a fantastic job doing that. And that’s why I’m so proud to be on this podcast and can contribute to what you guys are doing because you guys do a fantastic job doing that.
Daniel: Well, hey, thank you so much. And I really appreciate that. Hey, I just wanted just to thank you again for spending this time with us. Today, Stuart, the legal challenges facing the modern medical practice are varied and complex. Thanks for making them easier to understand. You’ve given us a judicious look at, “The Future Adjustment.” I’m Daniel Sosnoski. See you next time.