Red Flag Rules for dentists: An update

May 24, 2010

By Allen M. Schiff, CPA, CFE

What a difference a week makes. The lobbying paid off! The dental industry is now exempt from the Red Flag Rules, which all of us would have been required to implement and maintain by June 1.

The sole purpose of the Red Flag Rules is to safeguard our patients against identity theft. But should we rest easy? Teresa Duncan, MS, of Odyssey Management, offers this advice: “Please consider the consequences if you do not place reasonable safeguards within your dental office. Civil suits against your office could emerge if an employee absconds with patient data, or negative press is created from a patient whose identity was compromised by your computer technician (a business associate). Anytime we are entrusted with our patients’ information — whether medical or financial — we should safeguard it with due care.”

Even though the lobbying paid off, in my opinion we should still take steps necessary to keep our patients’ medical and financial information private and secure. Ms. Duncan continued, “Good business practice prescribes that we become protector not only of our patients’ oral health care, but their personal information as well. By instituting protective measures within your workplace, you are providing a silent and professionally responsible service to your patients.”

As mentioned in last week's e-newsletter, and it is worth repeating here, the Red Flag Rules were designed to prevent patient identity theft. In other words, anytime you are processing a patient’s payment or submitting the patient’s dental insurance claim, the Red Flag Rules will apply. Some examples of identity theft red flags are:

• Altered patient dental insurance cards
• Dental insurance card info that does not match the patient record
• Patient address that does not agree with the dental insurance company info
• Undelivered patient mail or patient returned checks
• A patient using someone else’s credit card
• A patient unwilling to share personal information

Verifying dental benefits is part of most offices’ daily routine. But do we ever stop to think about verifying the identification of the person standing before us?

Also, employee training in this area is a must. Although the following are normal business practices, employee training is key to ensuring the procedures are implemented within your dental practice. The employee training should cover:
• Any violation of the patient’s identity could result in possible monetary fines imposed by the FTC against your dental practice
• Negative public relations/press coverage
• Protection of patients’ identity through the protection of their information contained within their patient chart
• Verify, verify, verify a patient’s identity (request a copy of his or her driver’s license)
• Refuse to treat the patient if the patient is using someone else’s identity
• Employees should sign an acknowledgment of the training your office provides for protecting patients’ identity
• Turn the matter over to authorities if the situation warrants

Some final steps to consider:
• Don’t wait for future “Red Flag Rules” to come down the pike. Consider implementation now, and stay ahead of the curve.
• Train your employees so you are compliant with all rules surrounding the protection of your patients’ information.
• Do not let patients bully you, and please take charge of your practice.
• Consider publicizing to your patients through your dental newsletter and/or Web site that your practice has procedures in place to protect their identity.
• For more information on putting together a program for your office, please visit

Allen M. Schiff, CPA, CFE, is a founding member of the Academy of Dental CPAs (ADCPA), established in 2001. The ADCPA is the original, national organization of dental CPAs, consisting of 25 firms that represent more than 7,000 dentists nationwide. To learn more about the ADCPA, visit the organization's Web site at, e-mail Schiff at [email protected], or visit his Web site at