Every DSO billing director I've worked with has the same quiet worry. It isn't about the obvious fraud cases: the practice billing for extractions on edentulous patients, the dentist submitting claims under a retired partner's NPI. Those get caught and they make headlines. The worry is about the ordinary Tuesday morning. It's about a biller on her fourth denial of the day who clicks a code she shouldn't, because the patient is already in the chair and the treatment was already done and the denial said "not a covered benefit" and she's seen this work before.
That's how most compliance problems start. Not with fraud. With pressure.
This guide is written for DSO billing directors, practice managers, and compliance officers who want to understand the actual enforcement landscape in dental billing, what's illegal, how it tends to happen, and how to catch patterns before a carrier or the OIG does. I've spent six and a half years building software for dental practices at CareStack. I've seen the audit logs.
I've watched billers handle denial queues at 4:30 on a Friday. What follows is the operational picture, not the legal textbook.
What Counts as Illegal Dental Billing
Let's start with the frame, because the line between "mistake" and "illegal" is less obvious than most people assume.
Dental billing becomes illegal when a claim is submitted that is materially false, meaning the information on the claim does not match what was actually done, to whom, by whom, or for what diagnostic reason, and the practice (or the individual who submitted it) either knew it was false or acted in reckless disregard of whether it was false.
That "reckless disregard" standard is the one most DSOs underestimate. You do not need to have intended fraud. You need to have ignored warning signs that a reasonable billing professional would have acted on.
A biller who repeatedly codes D2740 (porcelain crown) when D2750 (porcelain fused to metal) was placed, because the reimbursement is higher and "the insurance never checks," is operating in reckless disregard. That is illegal, even if nobody sat down and drew up a plan to defraud Aetna.
The three legal frameworks that govern this:
| Framework | What it covers | Who enforces |
|---|---|---|
| Federal False Claims Act | Claims submitted to Medicare, Medicaid, CHIP, TRICARE, VA | DOJ, OIG, whistleblowers (qui tam) |
| State False Claims Acts | State-run Medicaid dental programs, state employee plans | State AGs, state Medicaid Fraud Control Units |
| Commercial payer contracts + state insurance fraud statutes | Private carrier claims: Delta, Cigna, MetLife, etc. | Carrier SIUs (Special Investigation Units), state insurance departments |
Most DSOs assume that because they take very little government dental, they're primarily exposed to commercial audits. That's half-right. Commercial SIUs are where most enforcement action happens in dental.
But if any part of your patient mix includes Medicaid, CHIP, or a TRICARE-eligible family, the federal exposure is disproportionate to the revenue percentage. A single qui tam filing on a Medicaid pattern has sunk practices whose Medicaid revenue was under 5%.
The OIG Work Plan, updated annually, identifies dental billing as a recurring enforcement focus area, including reviews of dental services billed to Medicare Advantage (which now covers a meaningful share of dental procedures under the enhanced benefits some plans offer) and state Medicaid dental programs. Compliance officers should review the current fiscal year's work plan as part of annual risk assessment.
The 7 Most Common Illegal Billing Practices
Here's the operational picture of the seven patterns that show up in almost every enforcement case I've read. I'll describe what each one looks like in the PMS, how it happens at scale, and why it's dangerous for a DSO specifically.
1. Upcoding
What it is: Billing a CDT code that reflects a higher-reimbursing procedure than the one actually performed.
What it looks like in the PMS: The clinical note says "amalgam restoration, 2 surfaces, tooth #14." The ledger and claim show D2392 (composite, 2 surfaces, posterior), which pays $40–80 more in most fee schedules than the amalgam code D2150.
In a typical practice, upcoding doesn't start as fraud. It starts when a biller looks at a denied claim (D2150 billed, insurance paid at a lower alternate-benefit rate than expected) and asks the clinical team, "Did you do a composite or an amalgam?"
The dentist shrugs and says "it's basically the same thing." The biller changes the code. The claim pays.
Next week, a pattern begins.
DSO-scale implication: Upcoding leaves the cleanest audit trail of any violation because CDT codes are standardized and fee schedules are public. A 20-location DSO that upcodes 2% of restorations creates a statistical signal that carrier SIUs detect via outlier analysis. Your D2391/D2150 ratio will not match your peer-group median, and once flagged, the look-back will cover every location.
2. Unbundling
What it is: Splitting a procedure that should be billed under a single comprehensive CDT code into multiple component codes to increase total reimbursement.
Classic example: Billing D2950 (core buildup) alongside D2740 (crown) when the buildup was part of the crown prep, not a separate indicated procedure. Or billing D9110 (palliative treatment) alongside an extraction performed in the same visit when the palliative component was incidental to the extraction itself.
What I see in the audit logs: Unbundling almost always emerges from a single biller or a single site experimenting with what pays. They'll try adding D9230 (nitrous) to a recall visit and watch it pay. They'll add D0180 (comprehensive periodontal eval) to every new patient regardless of periodontal status and watch it pay. Once something pays twice, it becomes the default.
DSO-scale implication: Unbundling is especially dangerous in DSO environments because the learned pattern spreads. A biller who gets transferred to another site brings the habit. Within six months, a pattern that was one person at one location is now fifteen people at eight locations, and the carrier's retrospective review window is typically 24 months.
3. Phantom Billing
What it is: Billing for a service that was never performed.
This is the category most people picture when they hear "dental billing fraud." And yes, it happens, but in DSO environments it almost never happens the way you'd expect. Nobody sits down and invents procedures. What actually happens is more mundane:
- A treatment plan gets converted to completed claims in the PMS before the patient comes in, and then the patient no-shows but the claims don't get voided.
- A hygiene appointment is rescheduled but the prophy (D1110) already hit the claim queue.
- A perio maintenance (D4910) is billed when only a prophy was done, because the patient was on a "perio recall" schedule set up years ago.
DSO-scale implication: Phantom billing is the easiest category for whistleblowers to document, because a disgruntled hygienist or biller only needs to point to one specific patient on one specific date. That one data point is enough for a qui tam filing, which triggers a full-practice audit.
4. Routine Waiver of Patient Copays and Deductibles
What it is: Systematically not collecting the patient's portion (copay, coinsurance, or deductible) while still billing the insurance as if you intend to collect.
Why this is illegal: The patient's financial responsibility is baked into the insurance contract. Your PPO agreement says the fee for D1110 is $85, the insurance pays $68 (80%), and the patient owes $17 (20%). If you routinely waive the $17, you have effectively reduced your fee to $68, which means you should have billed $85 as the fee but told the carrier your effective fee was lower. Not doing so misrepresents the charge structure and, in some states, constitutes insurance fraud on its own.
What actually happens: A front desk calls the patient for balance collection. The patient says "I thought insurance covered this." The staff member, trying to avoid a confrontation, writes off the $17 as "courtesy." Do that for every patient, and you've built a systematic waiver program that your compliance officer didn't authorize.
Important caveats: Hardship waivers are legal when they're case-by-case, documented, and based on financial-need criteria you apply consistently. In-network promotional discounts (new-patient specials, senior discounts) are legal when disclosed to the carrier. The problem is routine, undocumented, universal waiver.
5. Billing as a Non-Participating Provider When Contracted
What it is: Billing the patient the full UCR fee and collecting out-of-network style, when your practice actually has a contract with that carrier.
How it happens at scale: Credentialing at multi-location DSOs is genuinely complex. Dr. Patel is credentialed with Delta at Location A, where he works Monday-Wednesday. On Thursday, he covers at Location B, but the DSO hasn't added him to Delta at Location B yet. Location B's billing system flags him as "out-of-network" for that site, and the front desk collects $850 from the patient for a crown instead of the contracted $620.
This is illegal under the Delta participating agreement. It also creates a patient-facing legal exposure that's independent of the carrier relationship: most state insurance departments treat this as consumer fraud.
DSO-scale implication: This is the #1 credentialing-related compliance risk I see in multi-location groups. The fix is a provider-location-payer matrix that's maintained as a first-class data object, not an afterthought, and verification workflows that check effective dates per location, not just per provider.
6. Credentialing Fraud
What it is: Billing under a provider's NPI for services that provider did not personally perform, render, or directly supervise (where direct supervision is required).
The common dental version: A new associate starts on Monday. Credentialing with the carriers takes 90 days. The practice needs to bill his production, so for 90 days his claims go out under the owner's NPI. Every one of those claims is fraudulent.
A subtler version: an expanded-function dental assistant performs a procedure that requires the dentist's direct supervision under state law. The dentist was at lunch. The claim is submitted under the dentist's NPI. Also fraudulent.
DSO-scale implication: Credentialing fraud is where the personal liability conversation gets sharpest. The individual biller who knowingly submits the claim can be named in a False Claims Act action. So can the office manager who authorized the workflow. So can the billing director who set the policy. The entity pays the settlement, but the individuals go on the OIG exclusion list, which ends a dental career.
7. Duplicate Billing
What it is: Submitting the same claim twice, either to the same carrier, to a primary and secondary carrier inappropriately, or splitting it across two payers in violation of COB rules.
Duplicate billing is the most common "accidental" category. In the PMS audit logs I reviewed at CareStack, duplicates usually came from one of three workflows:
- A claim rejected at clearinghouse level (not a denial, a rejection) gets resubmitted, but the original also went through.
- A front desk staff member, not seeing the claim in the "submitted" tab, submits it again manually.
- A secondary claim gets submitted as if it were primary, and then the secondary is billed again after COB reconciliation.
Accidental duplicates are not fraud when caught and refunded promptly. They become fraud when they're detected, the overpayment sits on the books, and nobody corrects it. The federal 60-day rule is explicit: once you know about an overpayment, you have 60 days to return it. After 60 days, every day it sits there is a potential False Claims Act violation.
Why DSO Scale Increases Compliance Risk
Single-location practices have one biller, one provider roster, one payer mix, and a small transaction volume. Compliance risk is concentrated but also visible: the owner-dentist can literally watch the billing happen.
At DSO scale, the risk surface changes shape entirely:
| Risk vector | Single practice | 20-location DSO |
|---|---|---|
| Billing staff | 1-3 | 20-60 |
| Payer contracts | 5-15 | 15-40 per state × states |
| Provider-location permutations | ~10 | 200-2,000+ |
| Denial queue volume | 20-80/week | 1,000-4,000/week |
| PMS write access (users who can change codes) | 3-5 | 40-150 |
| Statistical visibility to payer SIUs | Low signal | High signal |
The last row is the one most DSO executives miss. Commercial SIUs don't read every claim; they run outlier detection across their book of business. A 20-location DSO is a big enough entity to show up as its own line in that analysis.
If your upcoding rate is 1.5% and the peer median is 0.6%, you are a candidate for review. Your individual billers don't see themselves as outliers. In aggregate, you are.
And the denial pressure scales too, which is where the next section picks up.
How Billers Slide Into Violations Without Realizing It
I want to be clear: most billers are trying to do a good job. The ones who slide into violations are usually the ones who are most invested in getting claims paid. That's the uncomfortable truth.
The financial pressure that precedes that slide is real. A pediatric practice in Texas, running CareStack, 60 to 125 patients per day, roughly $375,000 in monthly production, came to us after losing $200,000 over four months directly tied to inaccurate insurance verification. They had cycled through three different "automated" tools before that.
The owner's summary after all three: "If we're going to double-check it, we might as well do it ourselves." That level of pressure, $50,000 a month in verification-driven denials, is exactly the environment where the shortcuts in the pathway below start to look like problem-solving.
Here's the pathway I've watched dozens of times in the PMS audit trails:
Month 1: A biller gets a denial on D2740 because the patient has a missing tooth clause she didn't catch during verification. She tries appealing. The appeal is denied. She gets frustrated and, on the next similar case, she verifies more carefully upfront. Good.
Month 3: A different denial hits: D4341 (periodontal scaling, 4+ teeth per quadrant) denied because the carrier says the pocket depths on the perio chart don't support the code. The biller asks the hygienist, who says "yeah I probably undercharted." On the next appeal, the biller adjusts the pocket depths in the note before resubmitting. The claim pays.
Month 6: That small adjustment has become a pattern. When a D4341 denies for "insufficient documentation," the workflow is now "fix the note, resubmit." Nobody calls this fraud. The biller isn't inventing procedures; she's "correcting documentation errors."
Month 12: A new biller is onboarded. The trainer teaches her the workflow, including the "fix the note" step, because that's how this team handles these denials. The pattern is now institutional.
Month 24: The carrier's SIU flags the practice's D4341 ratio. The audit pulls 18 months of perio charts. Eighty percent of them have timestamp anomalies in the documentation fields. The case becomes an investigation.
Nobody in this story woke up one morning and decided to commit fraud. Every individual decision looked like "doing my job better." That's the pathway, and it is entirely preventable, but only if you design the workflow to remove the pressure in the first place.
5 Audit Patterns That Catch Billing Irregularities Early
Internal audits aren't about catching bad people. They're about catching patterns before a carrier does. Here are the five that I've seen DSO compliance teams use effectively.
Pattern 1: CDT Code Distribution Outliers
Pull your CDT code frequency by location and by provider for the trailing 12 months. Compare to ADA peer-group medians (available through the ADA Health Policy Institute). Any CDT code where a provider is 1.5×+ above the peer-group median is a flag for chart review. This catches upcoding and unbundling both.
Pattern 2: Post-Service Code Change Frequency
Every modern PMS logs code changes after claim submission. Run a report: how many claims per biller per month have had codes changed after the clinical note was finalized? A biller with 30+ post-note code changes per month is either doing heroic denial recovery or systematically adjusting codes. Pull 20 of those charts and look.
Pattern 3: Documentation Timestamp Anomalies
For procedure codes that require specific documentation (D4341, D4342, D0180, D2950), compare the documentation timestamp to the claim submission timestamp. If perio charts are consistently being edited the day before a claim appeal, that's the pattern that ends careers.
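One way to run the Pattern 3 comparison over a PMS audit-log export, as an added example that is not code from the original article or from any PMS vendor. The record layout, field names, user names and the two-day window are assumptions, and all sample rows are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Documentation-dependent codes named in Pattern 3.
DOC_CODES = {"D4341", "D4342", "D0180", "D2950"}
T = datetime.fromisoformat

# Constructed claim records; ids, users and timestamps are invented.
CLAIMS = {
    "CL-1": {"code": "D4341", "note_finalized": T("2024-03-04T15:10"),
             "denied": T("2024-03-20T09:00"), "resubmitted": T("2024-03-22T10:30")},
    "CL-2": {"code": "D4341", "note_finalized": T("2024-03-05T11:00"),
             "denied": T("2024-03-21T09:00"), "resubmitted": T("2024-03-25T14:00")},
    "CL-3": {"code": "D1110", "note_finalized": T("2024-03-06T10:00"),
             "denied": T("2024-03-19T09:00"), "resubmitted": T("2024-03-20T09:30")},
    "CL-4": {"code": "D2950", "note_finalized": T("2024-03-07T16:00"),
             "denied": None, "resubmitted": None},
}

# Constructed audit-log rows for edits to documentation fields.
AUDIT_LOG = [
    # Normal charting, before the note was finalized.
    {"claim": "CL-1", "user": "biller_a", "field": "perio.pocket_depth", "ts": T("2024-03-04T14:55")},
    # Edits after a denial, within a day of the resubmission.
    {"claim": "CL-1", "user": "biller_a", "field": "perio.pocket_depth", "ts": T("2024-03-21T16:40")},
    {"claim": "CL-2", "user": "biller_a", "field": "perio.pocket_depth", "ts": T("2024-03-24T17:05")},
    # Code outside the documentation-dependent set.
    {"claim": "CL-3", "user": "biller_b", "field": "clinical_note", "ts": T("2024-03-19T15:00")},
    # Late addendum on a claim that was never denied.
    {"claim": "CL-4", "user": "hygienist_c", "field": "clinical_note", "ts": T("2024-03-08T08:15")},
]


def pre_appeal_edits(claims, log, window=timedelta(days=2)):
    """Edits made after note finalization, after a denial, and within
    `window` before the resubmission of a documentation-dependent claim."""
    flagged = []
    for entry in log:
        claim = claims[entry["claim"]]
        if claim["code"] not in DOC_CODES:
            continue
        if claim["denied"] is None or claim["resubmitted"] is None:
            continue
        ts = entry["ts"]
        lead = claim["resubmitted"] - ts
        if (ts > claim["note_finalized"]
                and claim["denied"] <= ts <= claim["resubmitted"]
                and lead <= window):
            flagged.append({"claim": entry["claim"], "user": entry["user"],
                            "field": entry["field"],
                            "hours_before_resubmit": round(lead.total_seconds() / 3600, 1)})
    return flagged


def edits_per_user(flagged):
    """Count flagged edits per user to decide whose charts to pull first."""
    return Counter(f["user"] for f in flagged)


if __name__ == "__main__":
    hits = pre_appeal_edits(CLAIMS, AUDIT_LOG)
    for h in hits:
        print(h)
    print(edits_per_user(hits))
```

A flagged row is a prompt for chart review, not a finding: a legitimate, dated addendum will also appear here and should be distinguishable in the chart itself.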
Pattern 4: Copay Write-Off Rate by Staff Member
Every PMS has a write-off adjustment code. Pull the report: which staff members are applying "courtesy" write-offs, and at what rate? If one front desk member writes off copays on 40% of visits while the team average is 6%, that is a systematic waiver happening regardless of what the compliance policy says.
Pattern 5: Provider-Location-Payer Credentialing Matches
This is the one most DSOs don't run but should. Build a nightly report that compares every submitted claim against a credentialing table: was this provider credentialed with this payer at this location on this service date? Every mismatch is a potential credentialing fraud event. Most of them will be clerical (effective dates off by a week), but you cannot assume that without checking.
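A sketch of that nightly comparison, added here as an illustration and not taken from the original article or any vendor's product. The tuple layouts, reason labels, NPIs, locations and dates are assumptions, and the sample data is constructed. It reports every mismatch together with how far the service date falls outside the nearest window, so near-misses can be triaged without being silently dismissed.

```python
from datetime import date

# Constructed sample data; NPIs, sites, payers and dates are invented.
MATRIX = [
    # (npi, location, payer, effective, terminated or None)
    ("1000000001", "LOC-A", "DELTA", date(2024, 1, 1), None),
    ("1000000001", "LOC-B", "DELTA", date(2024, 6, 10), None),
    ("1000000002", "LOC-A", "DELTA", date(2023, 3, 1), date(2024, 3, 31)),
]
CLAIMS = [
    # (claim_id, npi, location, payer, service_date)
    ("C1", "1000000001", "LOC-A", "DELTA", date(2024, 6, 3)),  # covered
    ("C2", "1000000001", "LOC-B", "DELTA", date(2024, 6, 6)),  # 4 days early
    ("C3", "1000000002", "LOC-A", "DELTA", date(2024, 5, 2)),  # after termination
    ("C4", "1000000002", "LOC-B", "DELTA", date(2024, 2, 1)),  # other site only
    ("C5", "1000000003", "LOC-A", "DELTA", date(2024, 2, 1)),  # never credentialed
]


def classify(claim, matrix):
    """Return None if the claim is covered, else (reason, days_off)."""
    _, npi, loc, payer, svc = claim
    rows = [r for r in matrix if r[0] == npi and r[2] == payer]
    if not rows:
        return ("provider_not_credentialed_with_payer", None)
    site_rows = [r for r in rows if r[1] == loc]
    if not site_rows:
        # Credentialed per provider, but not at the billing location.
        return ("credentialed_at_other_location_only", None)
    gaps = []
    for _, _, _, eff, term in site_rows:
        if svc < eff:
            gaps.append(("before_effective_date", (eff - svc).days))
        elif term is not None and svc > term:
            gaps.append(("after_termination", (svc - term).days))
        else:
            return None  # service date falls inside a valid window
    # Report the nearest window so reviewers can see how far off it is.
    return min(gaps, key=lambda g: g[1])


def nightly_mismatches(claims, matrix):
    """Every claim with no credentialing window covering its service date."""
    findings = []
    for claim in claims:
        result = classify(claim, matrix)
        if result is not None:
            findings.append({"claim_id": claim[0], "reason": result[0],
                             "days_off": result[1]})
    return findings


if __name__ == "__main__":
    for finding in nightly_mismatches(CLAIMS, MATRIX):
        print(finding)
```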
OIG Enforcement Trends in Dental
The OIG and DOJ have been measurably more active in dental enforcement since 2022. A handful of cases shape how I think about risk:
- Benevis / Kool Smiles (2022): $23.9 million settlement over allegations of medically unnecessary pediatric procedures submitted to Medicaid. The case centered on documentation patterns and productivity pressure applied to staff dentists.
- Western Dental (multiple states, 2023–2024): state-level Medicaid settlements for patterns including claims for services not rendered and inadequate documentation.
- Multiple qui tam filings against mid-size DSOs (2023–2025): publicly reported settlements in the $2–15M range, most initiated by former billers or hygienists as relators.
Two things are consistent across these cases: the triggering data was PMS documentation patterns that a properly designed internal audit would have caught, and the settlement amounts were materially larger than what an internal remediation program would have cost.
Building a Compliance Program at DSO Scale
A defensible dental billing compliance program has seven components. This is the practical checklist, in the order most DSOs should build them.
- Written compliance policy. A document that names specific CDT coding expectations, copay collection policy, credentialing verification workflow, and overpayment refund policy. Reviewed annually.
- Compliance officer or committee. A named person, not the billing director, because that's a conflict of interest. At DSO scale, typically a VP of RCM or a dedicated compliance role.
- Provider-location-payer matrix, maintained as current-state truth. This is the single highest-leverage artifact. If you know with certainty which providers are credentialed with which payers at which locations effective which dates, you have eliminated 80% of credentialing fraud risk.
- Internal audit calendar. The five patterns above, run monthly, reviewed quarterly.
- Biller training program. Not a one-time onboarding but an ongoing program that includes CDT code updates, payer policy changes, and denial-handling protocols that do not require code or documentation changes.
- Anonymous reporting mechanism. Required for defensibility under the Federal Sentencing Guidelines. A hotline or web form where any employee can report concerns without retaliation.
- Overpayment refund workflow. A defined 60-day process: when an overpayment is identified, who investigates, who issues the refund, and how the disposition is documented.
How Accurate Eligibility Verification Reduces Compliance Risk
Here's the thread that ties this whole guide together. Every pattern in the "how billers slide into violations" section starts the same way: a denial that the biller feels pressure to overturn.
Why do most of those denials happen? Because the eligibility verification at the front of the cycle was incomplete, wrong, or missing entirely.
A biller who knows the patient's missing tooth clause before treatment is planned doesn't have to handle a $2,100 post-treatment denial under pressure. A practice that verifies frequency limitations on periodontal maintenance in advance doesn't have a biller re-reading perio notes looking for a way to make D4910 "stick." A DSO that confirms provider-location-payer credentialing as part of every appointment verification doesn't bill out-of-network when it's contracted.
The compliance conversation almost always focuses on the back end: audits, documentation, remediation. The most effective compliance lever is actually on the front end. If your verification upstream is accurate, the downstream pressure that produces violations never forms in the first place.