By Alex R. Thiersch, JD, CEO of the American Med Spa Association (AmSpa)
For a medical aesthetics practice to best serve its patients and maintain a viable business, it needs to understand the ways in which it may be compromising patient safety or otherwise violating the law. Therefore, if your practice has not undergone a thorough risk assessment recently, it should do so as soon as possible.
“A risk assessment establishes the baseline of where a practice is from a compliance perspective and helps identify risk areas that need to be fixed,” said Michael Byrd, partner at ByrdAdatto, a Dallas-based law firm that specializes in business and health care law. “Let’s get a baseline of where you are so we can figure out what needs to happen.”
A properly conducted risk assessment will cover both business and medical concerns, and it will identify areas where the practice is compliant, areas where the practice needs to be mindful to remain in compliance, and areas where the practice is not compliant that need to be corrected.
“A risk assessment is essentially a blend of legal and clinical evaluation of compliance,” Byrd said. “From a legal perspective, we’re making sure that the ownership is set up in a compliant way, and then that the policies and procedures are set up in a compliant manner. Clinically, do they have appropriate policies and procedures as it relates to treatment, delegation and supervision, OSHA, telemedicine, HIPAA, etc.? A lot of times when we’re doing a risk assessment, we have a lawyer look at it, plus a clinical person, and sometimes even an IT person helping to evaluate if there’s a cyber-security risk from a HIPAA perspective.”
To begin the process of conducting a risk assessment, a practice should engage with a health care law firm that has a great deal of experience conducting such investigations. Additionally, stakeholders need to be prepared to be as open as possible so evaluators can get a clear idea of what is going on at the practice.
“We’ll identify the ownership documents to send us, and then if it’s a full risk assessment, we’ll involve a clinical consultant who’ll look at it from a clinical perspective, and then we’ll work together to make sure that the policies and procedures navigate that particular state’s laws,” Byrd said. “There’s a big element of knowing who’s doing the initial exams and who can be delegated to provide the treatment, and even by procedure, there are certain procedures that are only appropriate for certain providers. That’s a lot of the back and forth we’ll have with the consultant.”
If this sounds like a major undertaking, well… it is. However, it is assuredly better to know the areas in which your practice falls short of compliance and what can be done to correct that rather than remain ignorant and be surprised when an investigation uncovers violations.
“It can be overwhelming, but if it can be integrated as part of the culture of the business, our clients are very successful,” Byrd said. “A risk assessment is really just a starting point, but then you have a culture of following these procedures and evaluating as laws change, technology and procedures change, and your personnel changes, evolving your compliance plan with that. The clients that adopt that as part of the culture of their business have been really successful in minimizing that risk.”
Byrd says that after his firm conducts a risk assessment, it typically will check in with clients every three months to make sure that everything is on track. If a firm does not offer periodic check-ins, he recommends repeating the risk assessment process annually.