The Risk of Doing Business

kayak navigating icy water

Help for owners navigating the unique risks of private practice PT.

By Sarah Black, MS

The biggest question business owners ask when starting out is often, “What if it fails?”

The consequences of failure seem significant and dire, so owners work diligently for just the opposite: success. However, there is a series of questions that come with doing business that are far-reaching and all-encompassing, and that can equally define success or failure for a business: those that come with risk management.


Risk management is the process of finding, assessing, and controlling threats to your company’s financial security.1 What constitutes a threat varies wildly by company and industry; a bank may have a very different set of threats to the business than a physical therapy practice, for example.

In risk management, business leaders define and analyze the risk to the business, and take dedicated actions to create solutions and be prepared for those potential risks. For a physical therapy practice, risks can range from social risks—say, the probability of a pandemic affecting patients’ ability or willingness to seek in-person care—to technology risks—such as the potential for a data breach to compromise the safety of patient data—to environmental risks affecting the safety of the space in which care is provided.

The depth of risk to a business can be overwhelming, which is why owners must evaluate and determine their level of tolerance for risk. An owner who is particularly averse to risk might choose to invest more significant resources in risk management, perhaps in the form of a full-time staff member dedicated specifically to the topic, while an owner with a higher risk tolerance level might consider risk management a part of normal business activity and include preventative discussions in quarterly review meetings.


Mark Reitz, PT, owner of Penn Therapy Associates, the sole owner of his two practices, relies on asking himself “What could go wrong?” when running his practice.

The answer always lies in patient safety.

“Where could I be putting myself at risk?” said Reitz. “The biggest risk is patient safety, assessing your patient risk, and trying to nullify your risk of liability cases is huge.”

Reitz advises that owners’ central concern must be that the whole practice is safe. From the time a patient opens the door to a practice until they exit, are they in a safe environment? Components of the environment could pose risks to patient safety, such as tape on the floor that could cause patients to trip, thresholds in and out of exam rooms that may be fall hazards, or gym equipment that patients must maneuver around. Even if an owner has considered every step, threshold, and surface, accidents are bound to happen. Like when a patient tripped on an exam table and injured herself at one of Reitz’s practices. “Despite all the precautions I took, the patient tripped on the exam table,” said Reitz. “My insurance covered it, but even if you’re as careful as you can be, things still happen.” In this situation, having a solid reporting structure is critical to manage the fallout of such an accident.


While the rare patient injury might be legitimate, there are instances where practices must be prepared to protect themselves against fraud. Reitz experienced this when a former patient fraudulently sued Reitz, the therapist, and Penn Therapy Associates for malpractice.

Reitz had been instructed by his attorney and his accountant to invest in malpractice and liability insurance, which covered Reitz and the therapist, but not Penn Therapy Associates. Without medical malpractice insurance to cover the corporation, Reitz ultimately paid nearly $25,000 in lawyers’ fees before the former patient dropped the lawsuit.

“That was a very expensive lesson learned that there’s a risk that I did not account for,” said Reitz. “I never knew that the corporation could be sued.”


While the physical safety of patients is important, so is their personal information. A practice’s front office is the first line of defense for patient information. They are the ones that collect patients’ information and set up appointments, making sure that patient information is safely documented and stored. “Safety and information security, that’s the biggest thing my employees are involved with on a day-to-day basis,” said Reitz.

Reitz’s practices use a mix of paper and digital forms, but in the next three years the practices will be fully digital. The physical paperwork is locked in a safe area that only employees have access to. After the paperwork is digitized, it is safely shredded by an outside company. The digital information is saved on a secured server that can only be accessed by employees.

For Health Insurance Portability and Accountability Act (HIPAA) compliance,2 evaluations should be done in a private exam room, but Reitz says that he’s seen too many practices, especially bigger practices, taking patient information out in the open area gym.

“I find it unconscionable that people are providing their own personal medical information in the area where multiple people can hear it,” said Reitz. “That’s a huge risk people are taking, and I have always set up my practice to have all that information dispensed in a very private setting.”

Reitz’s patients appreciate his therapists using the exam room as the only place to discuss their personal and private information.

“Patients have told me that was a huge difference in what they’ve experienced elsewhere,” said Reitz. “The therapists don’t spend their whole time typing and not paying attention to what the patient is doing, that’s all done in the therapists’ office.”


While patients and their information are paramount, another question private practice owners need to ask themselves is, “How am I getting paid?” This might sound like an odd question for some, but this is a real risk for practice owners who are just starting their practice.

According to Reitz, any new practice owner needs to decide what insurance companies they want to align with. Most of the big insurance companies like Blue Cross Blue Shield and Aetna will only accept a certain number of therapists in a geographical area.

“That’s a huge risk that you’re taking if you can’t get into some of those networks. If they’re a large percentage of your payment community, you could be in trouble,” said Reitz.

Another option is running a cash-only business, but that, too, comes with risk. By not taking the guaranteed payment from insurance and only taking cash you run into the potential of not getting paid or having too small of a client-base willing to pay. Location plays a significant role in the success of a cash-only business. For example, a cash-only practice in a city center, with a larger pool of potential patients, might have better outcomes than one in a suburban community with a smaller population.


Risk management is a diverse and extensive effort for business owners but is necessary to ensure the financial safety of the company. Whether you devote time yourself to evaluating and mitigating your potential risks or delegate risk management to staff members, risk management is critical to ensuring the long-term viability of your business. 

action item

1Western Governors University. What is Risk Management in Business? WGU Blog. Published March 20, 2020.

2PPS Impact. “The Importance of a Security Risk Assessment in HIPPA Compliance.” Paul J. Welk, PT, JD

Sarah Black

Sarah Black, MS, is director of content and creative at Association Headquarters in Mount Laurel, New Jersey, and publication manager for Impact. She may be reached at

Copyright © 2018, Private Practice Section of the American Physical Therapy Association. All Rights Reserved.

Are you a PPS Member?
Please sign in to access site.
Enter Site!