Internal Controls in a Medical Practice – Part I


Every medical practice must implement specific internal controls to protect it from revenue loss and potential employee embezzlement. Although there will never be a guarantee that employee embezzlement, fraud, or similar defalcations will be caught, a practice can still minimize these activities by implementing and monitoring sound internal controls. One of the your duties is to make sure  these controls are in place. This article discusses the basic internal controls that should be found in most physcian practices.

Controls detect and prevent embezzlements, such as an employee at the front desk who pockets the money from a patient’s office visit and then manipulates source documents so that the charge fails to get posted into the computer. Someone should review the computer-generated daily report to ensure that charges related to patients’ visits are actually recorded. Following are some controls that should be implemented to help detect and prevent embezzlements.

Divide job duties Any individual should not be allowed to both open the mail (i.e., initially handle the money) and post payments to the computer. Dividing the two duties prevents an employee from stealing money from the practice and then manipulating patients’ accounts in the computer, usually by writing off balances as contractual adjustments or bad debts. For example, an employee who is responsible for opening the mail and posting payments writes off an account as a bad debt after a patient’s account statement has been mailed. The employee knows this patient will pay within 30 days, so the employee waits for the check to come in the mail so she can intercept it and cash it.

In an ideal situation, one person opens the mail, another person prepares the deposit slips, and a third person posts the payments to the patients’ individual accounts in the computer. However, most small medical practices do not have adequate personnel to carry this out. What usually happens is that the person who opens the mail also posts payments into the computer or onto the ledger cards. Every medical practice should bond all personnel who will or may come into contact with money. Bonding is a type of insurance that will reimburse the practice for embezzlement by office personnel. It is typically referred to as fidelity bond insurance. This type of insurance can also reimburse the practice if money is ever stolen by someone other than a practice employee. For example, a receptionist takes the daily deposit to the bank. On her way to make the deposit, she stops to run an errand. While she is away from the car, her car is broken into and the deposit money is stolen.

Necessitate mandatory consent of the physician for write-offs A patient’s account balance should never be written off as a bad debt without the written consent of a physician. This avoids the situation in which monies can be diverted away from the practice without any kind of a trail. Write-offs are usually documented by printing out the patient’s detail account ledger and having the physician review and initial each ledger page as a way of approving the write-off. If this method is impractical, have the approval documented in the computer. The down side of this activity is that the physician has to become very active and hands-on in the receivable management process. Not all doctors have the inclination nor the time to become this involved.

Reconcile office visit payments, received during the day from patients, to source documents Both the sign-in sheet and the appointment schedule should be reconciled to the computer-generated report of daily charges. In turn, the money from patients who paid for their office visits should be reconciled to the computer-generated report of daily payments. This may be a cumbersome daily task. You should make sure it is done at least two to three times a month. Also, practices with multiple offices may not make deposits daily, resulting in the inability to reconcile the bank deposit slip to the daily computer reports. Branch banking by each office and corresponding cash transfers to a central operating account may solve this problem.

From an internal control standpoint, the practice needs to make daily deposits, if it can, so that the related reconciliation can be performed and situations, such as the following, can be avoided. An office manager reviews daily reports of charges and compares them to the appointment book. The manager finds a visit without a corresponding charge and subsequently locates the related office charge ticket. The ticket indicates that payment was made, so the manager assumes an employee embezzled money. As soon as the manager discovers this, internal controls are put in place. However, if the charge ticket did not indicate payment, the office manager could either post the charge and send the patient a bill or contact the patient directly. In either case, lost money is found.

Have questions? I’m here to help.