We rely on our members to assist us in reporting questionable practices for investigation. Please call (303) 488-9700, ext. 3270 or email MDDS WatchDog to inform us of your concerns.

Check in with the MDDS Watch Dog on a regular basis - it is a service that will enhance your operational success.

Updated (10/23/08)

Red Flag Rule

The Federal Trade Commission (FTC) announced yesterday that they are suspending the enforcement of the Red Flag Rule until May 1, 2009. Please go to http://ftc.gov/opa/2008/10/redflags.shtm to see the official announcement.

How many patient records do you have? Think about every storage box, every file cabinet, and every laptop or hard drive in your office. If you lost even a fraction of those records, would you have $1,000 per record on hand to pay in fines? The numbers are terrifying, and the fines are real, starting May 1, 2009. This is the compliance deadline for the Red Flag Rule. The Red Flag Rule targets all businesses with a credit-based customer relationship. If this is the first time, you have heard of the Red Flag Rule, time is short to become compliant.

Bryan Thornton, the director of Information Security Planning for idBUSINESS.com, a web site that offers a Red Flag Compliance Module, says, “The Red Flag Rule is an indicator of a larger trend that we’ve seen in both legislation and in court decisions. Businesses, and business owners, are being held to a higher standard. They are entrusted with safeguarding customer data, and if they are negligent in that regard, they will face some pretty serious consequences.”

Does the Red Flag Rule apply to a dental practice? The answer, in short, is yes. A dental practice extends credit, creating a covered account as defined by the law, for any number of reasons: while waiting for payment from an insurer; as a payment plan for elective and cosmetic procedures not covered by insurance; or for procedures that exceed a patient’s annual insurance. In a conversation that Terri Gilpin, MDDS Executive Director had with the FTC, any deferred payment by a patient is considered a covered account under the Red Flag Rule.

Other circumstances also apply to the rule such as when a dental practice utilizes patient financing plans through companies such as CareCredit. If the patient completes the financing application in the dental office and the office submits the application to the financing company on behalf of the patient, then this situation applies to the rule, according to the FTC.

In addition, the nonprofit World Privacy Forum has called upon the Federal Trade Commission to strengthen the medical language in the Red Flag Rule, stating, “Medical identity theft is not adequately recognized in the proposed rule…This lack of attention, if continued, could serve to allow [identity theft] to increase and cause public health, safety, and financial issues.”

There are seven main stipulations of the Red Flag Rule that a plan must meet to be considered compliant:

A business must have a formal, written Identity Theft Prevention program.
Controls must mitigate and prevent the risks associated with identity theft.
The plan must be administered by a Board of Directors or by Senior Management.
A compliance report must be generated on at least an annual basis.
The plan must be updated periodically.
The plan must include an incident response capability.
The plan must account for the risks associated with vendors, suppliers and third parties.

Many dentists have pointed to inconsistent enforcement of HIPAA compliance as an indicator that the Red Flag Rule will be “just more paperwork.” According to Thornton, “Compliance for compliance’s sake should never be the issue. As more data breaches affect more consumers, smart businesses will use their Red Flag compliance as a selling point to build trust with patients, and longer, more profitable relationships.”

Updated (10/21/08)

The Colorado Dental Association reports that many members are receiving misleading information regarding the following matters that we wanted to bring to your attention:

1. You may have received an official looking document from Colorado Corporate Compliance, Administrative Clerk Division, 303 S. Broadway, Ste. 200, PMB 376, Denver, CO 80209 that has a header “Annual Minutes Disclosure Statement.” The solicitation leads you to believe that you need to pay a $150 disclosure and processing fee ($175 if after the remit date) to have them record your Annual Minutes for Shareholders and Directors (there is no phone number for contacting them). While state law does require that corporations maintain records of having an annual meeting, please know that there is no such requirement that you should pay this company to maintain copies of your Board Minutes. Please see the Colorado Secretary of State’s Alerts Regarding Potentially Deceptive Solicitations at http://www.sos.state.co.us/pubs/business/alert_notices.htm

2. You may have received a fax from First National Merchant Services telling you that your credit card processing terminal is no longer “compliant.” They then offer to sell you new equipment for $379 (there is no phone number for contacting them). This is a marketing ploy to try to get you to purchase a new terminal that has an internal pin pad. Since nearly 800 dental offices use our endorsed company, Best Card, for their credit card processing, please know that all downloads from Best Card are “compliant.” Best Card’s back-end processor is First Data, the largest merchant processor in the world. They have also verified that any terminal serviced by First Data meets compliance needs. Very few dental offices even use a pin pad because patients tend to not want to enter their PIN number, however, if your office does have a pin pad, call your merchant to verify that it is compliant with current standards.

3. You may have received a notice from your current credit card processor indicating that you need to document that you are compliant with Payment Card Industry (PCI) Data Security Standards for your credit card processing merchant account. Cardservice has started charging a $19.95 monthly fee if you have not faxed them verification of a written document relating to your compliance. Many other processors also have a PCI monthly fee (Best Card has no such fee). PCI compliance is complex, but for the most part, it focuses on protecting your patients’ credit card numbers (the lowest level of compliance is required for merchants that process less than $1M in credit cards annually and use a terminal (not an online system) – nearly all dental offices process less than this amount). Security documentation is especially necessary for those offices who use an online processing system for their credit cards and not a terminal. If your online system stores the credit card number (whether you host the number or a third party hosts the number), security measures need to be taken to ensure that those credit card numbers are protected from a security breach where an outsider can “obtain your patients’ credit card numbers and use them for identity theft purposes.” Please go to https://www.pcisecuritystandards.org for more information about PCI compliance requirements. For the average office that uses a credit card terminal and closes their batch daily, you can meet these requirements by completing the self-assessment questionnaire on the above mentioned Website and preparing a simple written document that states that (a) all patient records that show the patients credit card number are properly secured and not available to others such as patients in the office, cleaning services, etc.; (b) credit card receipts and related records are properly shredded after the three-year bookkeeping retention time (or whatever your policy is); and (c) credit card processing batches are closed daily (this process deletes any merchant numbers stored in the terminal).

4. Please also be aware of the following:

Two states now require that both the merchant and customer copy of printed credit card receipts are truncated (the process where all but the last four digits of the credit card number are removed from the receipt). Colorado law only requires that the customer copy not show the entire card number. If, for security purposes, you would like to truncate both receipts now, please call your merchant processor with this request and your processor will have you do a partial download. If you accept American Express, there have been some programming changes in the past two months that necessitate that you re-download your terminal to become compliant. Should you have additional credit card processing questions, please feel free to call Rose McKee, Jennifer Nieto or any of the Best Card team at 303.482.2773 / 877.739.3952.

Updated July 2008

Colorado State Board of Pharmacy’s Electronic Prescription Drug Monitoring Program (PDMP) program is now live and available for queries from prescribers of controlled substances. This program provides a database of controlled substance prescriptions that have been dispensed by Colorado pharmacies and from non-resident pharmacies that ship prescriptions into Colorado. The purpose of the database is to provide objective information to assist practitioners and pharmacists in providing appropriate treatment for their patients. For instance, if a patient is taking OxyContin, the prescriber would be able to review when the patient was first prescribed the drug, how many providers prescribe for the patient, how often and from what pharmacies the patient is receiving controlled drugs. The prescriber would determine whether the patient is taking the medication appropriately or making other uses of it. For more information, please visit www.coloradopdmp.org or call (303) 894-5957.
Advertising Rules - As a result of a rulemaking hearing in October 2006, the Colorado State Board of Dental Examiners has adopted new regulations to govern all types of advertising by dentists and dental hygienists in Colorado, effective January 1, 2007. Visit www.mddsdentist.com/AdRules.asp for completer rule.
Dental Amalgam Reclassification - Recent news focus on the U.S. Food and Drug Administration’s dental amalgam lawsuit settlement may mean your patients will be asking you about the safety of amalgam fillings. The recent settlement between the FDA and the consumer group Moms Against Mercury has resulted in the deadline of July 2009 for final regulation on how to classify encapsulated amalgam and its components. So far, the FDA has not changed its stance on amalgam and its uses. The ADA intends to file comments with the FDA regarding the reclassification in July. Based on extensive studies and scientific reviews of dental amalgam by government and independent organizations worldwide, the ADA believes that dental amalgam remains a safe, affordable and durable cavity filling choice for dental patients. Stay current on the progress of the FDA classification so you can advise your patients with the most up-to-date information on this topic.
Medicaid Provider Rate Increase - The Department of Health Care Policy and Financing announces payment rate increases for provider services that take place effective July 1, 2008. This year is the third year of substantial rate increases for providers serving Medicaid clients. The maximum allowable reimbursement for dental codes has been raised to 52% of commercial rates (American Dental Association median). Providers should continue to refer to the December 2006 Bulletin for determining appropriate coding and procedures that require prior authorization.The Colorado Medicaid fee schedule is now available free of charge on the Department’s website at http://www.chcpf.state.co.us/HCPF/refmat/Reference_Include.asp. If you would like to enroll as a Medicaid provider you may access the provider application through the provider services link at http://www.chcpf.state.co.us/ACS/Provider_Services/provider_services.asp