Business Spotlight: Confidence in Compliance

SBJ photo by Wes Hamilton

UP TO CODE: Left to right, Stephen Sheppard, Bill Rabourn and Rob McCarville are working to help firms ensure they are HIPAA compliant.

Medical Consulting Group LLC

Owners: Bill Rabourn, Stephen Sheppard and Rob McCarville
Founded: 1989
Address: 2808 S. Ingram Mill Road, Bldg. B, Springfield, MO 65804
Phone: (417) 889-2040
Web: MedCGroup.com
Services: Ambulatory surgery center development and management, practice and ASC billing, compliance, creative branding and marketing
2017 Revenue: $6 million
Employees: 45   

Small dental practices, large ambulatory service centers, optometrists and basically any medical practice under the sun all have one thing in common: They have to be compliant to the Health Insurance Portability and Accountability Act.

Medical Consulting Group LLC is working to seize that opportunity.

The company operates several small businesses under the MCG name, offering development and management services to creative branding and marketing, for medical practices, ASCs and medical device manufacturers. In summer 2017, MCG launched a new division, MCG Compliancy.

Bill Rabourn started Medical Consulting Group 29 years ago, along with Wes Dunn. But in 1995, the two split the company in half, and Dunn went to work for the St. Louis company they sold a portion to, now known as TLC Vision.

Today, MCG is owned by Rabourn and the other managing principals, Stephen Sheppard and Rob McCarville.

Revenue in 2017 was about $6 million, with roughly half of sales from the management divisions, such as billing and ASC services. Sheppard says the remainder is from the creative team for marketing and branding work. With recent growth, the creative team is moving to another building across South Ingram Mill Road.

MCG Compliancy is the brainchild of Brock Fick, compliancy implementation specialist; Tripp Rabourn, a client development specialist; and Brenden Gallagher, director of information technology.

Sheppard says MCG started the compliancy division after years of helping manage medical practices and ASCs. MCG has developed 65 ASCs in 29 states and one in Canada.

“As we started to look into (compliancy), we realized just how complicated it really is,” he says. “Probably three or four years ago, the federal government kind of switched philosophically from educating health care organizations about how to comply with all these requirements to enforcement.”

MCG Compliancy partnered with Greenlawn, New York-based Compliancy Group, which educates and provides software to safely and securely store important medical information into one database. Called The Guard, the software not only provides security, but also trains employees of medical centers on how to be HIPAA compliant.

Tripp Rabourn says MCG Compliancy lifts clients’ burdens brought on by regulations.

“They don’t have to worry about accounting, business operations and stuff like that,” he says. “We found (compliancy) to be a good piece, because there’s a lot of complexity in understanding HIPAA and protecting yourself from fines that could really impact your business health.”

Citing stats from Compliancy Group, Fick says HIPAA fines in 2017 exceeded $19 million across the medical field in the United States, and there’s been almost a fourfold increase in fines over the past two years.

World of compliance
Marc Haskelson, president and CEO of Compliancy Group, says there are multiple layers to being HIPAA compliant and remaining so is a constant process.

“An office that is HIPAA compliant and is doing it correctly, what they’re doing is looking at their office and assessing all the risks they have,” Haskelson says. “Is information displayed on the screen when you walk in? Are there file cabinets in the hall where someone could steal something? Is the staff trained where they know not to discuss certain topics close enough to the exam room where people could be hearing it?”

He says those are the details to identify and fix.

Haskelson says patients often think it’s hackers and cybersecurity issues that pose the risks, and they do, but the biggest problem in health care security is actually lost information.

Not only can compliance failures get a practice fined by the federal government, Haskelson says it also can lose patients, as now more people are worried about protecting their information in a doctor’s office.

“Fifty-three percent of the people who had an identity theft believe it originated from health care and that the doctor’s office was the cause of it,” he says. “To put it in perspective, with the Anthem/Blue Cross breach a few years ago, it affected 79 million people. That’s a quarter of the U.S.”

Due diligence
Unfortunately, there is not a perfect formula to being HIPAA compliant 100 percent of the time. Whether by cyberattack or by an employee sending information through a nonencrypted email to another employee, mistakes are bound to happen.

“You can’t keep your information in the silo in health care,” Gallagher says. “If I get hit by a truck in Oklahoma, I have to be able to go to the hospital there and have to be able to get my records. You have to share in health care.”

However, due diligence makes a difference not only in preventative measures, but also in how hard the fines will hit a practice, Sheppard says.

“You’ve trained your people, you’ve updated your policies, you’re annually reviewing all this stuff,” he says. “You don’t just buy a binder and put it on the shelf. It actually becomes part of your culture to be HIPAA compliant. At that point, no one’s perfect, but you’ve made a good faith, sincere effort to comply with those regulations. That’s a presumption in your favor.”