Most industries approach acquisitions and due diligence with special considerations related to risk and mitigation. Acquisitions among healthcare facilities and practices are no exception.
An acquisition can significantly change your risk profile. Successful management of such risks addresses both insurance coverage and the controls and procedures that prevent or mitigate risks. The following is a sampling of issues to take into account.
New Lines of Business: What additional specialties are you acquiring? What additional ancillary services are you acquiring?
Insurance: The acquisition will come with a bundle of insurance policies with the potential for having both redundancies with your current insurance coverage and gaps in the coverage of the target. What insurance coverages will need to be modified, cancelled or acquired? For example, if you are combining fleets, then you will need to combine auto policies or, if the merger is creating an employee leasing arrangement, your Workers Compensation coverage will have to be significantly altered.
Of particular importance in your due diligence are “Claims-Made” policies, to prepare for claims that arise after the merger. It is a certainty that particular types of coverage for the new entity, such as Directors and Officers (D&O), healthcare Errors and Omissions (E&O), Crime and, most notably for healthcare, Malpractice, as well as other policies, will be on a claims-made basis. Special consideration needs to be given to securing “run-off” coverage for any incurred but not reported (IBNR) claims that may not be covered under the combined entity’s policies. Depending on the exposure and statute of limitations considerations, this “run-off” coverage may need to absorb any claims made for several years after the merger.
Prevention and Mitigation: Prevention and mitigation measures can lower your insurance premiums and they definitely reduce the risk you retain after acquiring the optimal insurance. What policies and procedures have to be merged, drafted or updated to fully integrate the acquisition? What new procedures have to be incorporated into the internal audit plan?
Billing: Billing gives rise to a variety of categories of questions.
- What additional third party payers are you acquiring?
- Does the target load all contract allowances and apply them automatically, or does the target look them up and apply them manually? If manually, does the target apply the allowances in time for the bill-drop? How does the target’s approach fit with your approach? Note that this can become a financial reporting problem; if allowances are not applied by the time the bill is dropped, Accounts Receivable may be overstated.
- Are you acquiring a backlog of resubmission work?
- How different is the target’s handling of downcoding, underpayment, adjustments, refunds and write-offs? How does the target’s list of pending items in each of these categories compare with yours?
Billing Performance Measurements: Two overall measures of the target’s billing performance can reveal if there is additional analysis to be performed. What is the target’s Days Sales Outstanding (DSO)? How different is it from yours? What is the target’s net collection rate? How different is it from yours? A difference in either measure may point to important operational differences that have to be addressed.
Data: As is the case with billing, data management also gives rise to a variety of categories of questions.
- How automated are the target’s transfers of data between the Electronic Health Records (EHR), Practice Management (PM) and Health Information Management (HIM) systems? Does the target’s level of automation match your own?
- What amounts and types of data have to migrate from the target’s systems to yours? Do the records that have to migrate conform to your system requirements? If not, can they be easily made to conform?
- Do the target’s EHRs conform to regulatory requirements? If you have to keep the target’s EHR system operational for a period of time, is it compliant with regulatory requirements?
Cyber Security: Ascertain that the target’s IT system has not been vulnerable to any type of breach. Be sure the target is up to date on such things as patch, access and authentication controls. Also, very importantly, be sure the target is compliant with the policy and procedure provisions it put in its insurance applications.
Costs and Financing: Has the retention of key personnel been secured? Will personal guarantees of loans or personal loans be continued, or have provisions for refinancing been made?
Operations: Is the target’s scheduling centralized or decentralized (maintained by the individual specialties)? How does that fit with your scheduling?
Contracts: Healthcare entities tend to have large numbers of complex third party agreements. Physician agreements are one example. These often involve deferred compensation arrangements. A comprehensive contract review, with a comparison to insurance policies for compliance, is a necessary part of the due diligence.
Comprehensive due diligence will incorporate an assessment of insurance coverages and retained risk for the resulting entity. Delivering the value of the deal may involve floating Requests for Proposals (RFPs) for additional or replacement coverage, selecting a broker or augmenting the efforts to prevent and mitigate the retained risk. Without these protections, the deal value may be at risk.
Risk management is an important aspect of delivering the value of any deal; however, healthcare mergers require special rigor in risk management. Enterprise Risk Management (ERM) is the answer. Several ERM principles are especially pertinent to healthcare mergers:
- Adequate, meaningful representation of all disciplines on the risk assessment team reflects the extreme amount of coordination and cooperation among the disciplines needed to realize efficiency and cope with the razor-thin margins of today’s healthcare industry.
- Performing risk identification in conjunction with opportunity identification is an efficient use of resources in assessing the total enterprise risk and reward opportunity.
- Using a quantitative approach, rather than a subjective one, to assess risks is especially appropriate for healthcare. Healthcare provides an abundance of data and metrics, so it makes sense to take advantage of its availability. A subjective approach is much too prone to error and unwelcome surprises.
- Producing a single Risk Register for the entire enterprise is indispensable for (1) allocating mitigation efforts, (2) monitoring risks continually and (3) providing assurance regarding risk to various stakeholders: regulators, investors, lenders, employees, etc.
- The Risk Register allows for the calculation of an enterprise level Risk Appetite and department or function level Risk Thresholds for the enterprise. These are the concrete guidelines that enable meaningful monitoring.
For healthcare mergers, a combination of a specially tailored due diligence and Enterprise Risk Management is the key to delivering deal value.