I spent my youth working in retail and at restaurants—two industries rife with high turnover rates and employee theft. Still, I was always shocked when I heard that an employee had been fired for pocketing cash from the registers or stealing merchandise from the shelves. Believe it or not, theft isn’t relegated to these two industries. Private medical practices also must combat theft—and it occurs way more often than you think. According to this Physicians Practice article, “A 2009 study by the Medical Group Management Association (MGMA) found that 83 percent of the 945 practices that responded had at some point been the victim of embezzlement.” Furthermore, according to Medical Economics, “The U.S. Chamber of Commerce reports that one out of every three business failures are the direct result of employee theft.”

It seems nearly inevitable that your private practice will be the victim of employee theft, so what to do? In this article, I’ll first outline the areas with the highest risk for theft; then, I’ll detail some loss prevention tactics.

Where are the risks?

According to this Advance article, accounting and billing are the two areas of a PT practice where embezzlement occurs most often, and the greatest risk of theft “lies in a patient’s cash co-payments received over the counter at the time of service…An embezzling employee can cover their tracks by using the billing system to perform unauthorized write-offs, to ‘zero out’ charges, or to delete charges.”

Another practice that intensifies risk: dumping all cashflow responsibilities on one person. Practitioners “assign bookkeeping responsibilities to their staff while they remain focused on patient care,” Shelly K. Schwartz explains in this Physicians Practice piece. “At smaller groups, the person who collects copays and deductibles is often the same person who posts charges and makes bank deposits.”

There are myriad other avenues to theft in a clinical setting. Check out this list I paraphrased from Medical Economics:

  • Swiping petty cash
  • Altering deposit statements
  • Using company checks and/or credit cards for personal expenses or purchases, or applying for company credit cards for personal use
  • Inaccurately recording transactions and payments—and pocketing the difference
  • Creating false invoices, patients, accounts, and/or transactions
  • Issuing fake refunds
  • Billing for personal medical expenses under clinic patients
  • Diverting clinic payments to private accounts

Oh, the many ways you can rip someone off. This list makes steam shoot from my ears—as I’m sure it does to you, too. You can triumph over the liars and the cheats, though. Here’s how.

How do I prevent theft?

Keep the Duties Separated

“The person who opens the mail and receives the checks is not the same person who enters payments into the bookkeeping system, and is not the same person who prepares the deposit,” explains Peter Lucash in AllBusiness. The American Academy of Orthopedic Surgeons (AAOS) offers a similar take: “the person who submits a check request should not be the person who approves it or signs the check…Charges should be posted by one person and receipts posted by someone else. Write-offs should be approved by a third person.” Here are a few other duty separation tips:

  • Use automated online bill-pay or check-writing systems.
  • Have all bank and credit card statements mailed directly to you at an address other than the office, and review them monthly.
  • Issue receipts for all on-site patient copays.

Implement Internal Controls

“Internal controls have several purposes, the most important of which is to insure that all revenue and expenses are recorded, and assets are recorded and placed where they belong,” says Lucash in AllBusiness. Essentially, internal controls are checks and balances; they require time and effort, but they also protect your business. Here are some examples, thanks in part to Medical Economics:

  • Rotate roles among employees. It’ll help you “detect discrepancies more quickly and help prevent employees from stealing from you in the first place, because they will be aware that someone else will be reviewing their work soon.” Plus, training employees in all positions and having them switch up roles eliminates monotony and single points of failure; anyone can cover for anyone else, if needed.
  • “Enforce regular work hours.” Plain and simple, those handling money shouldn’t take their work home with them.
  • Ensure your liability insurance “includes coverage for employee theft or embezzlement.”

Lastly, make sure your patient intake forms are numbered or systematized, and retain all of your forms—even when patients cancel. That way, you can compare the number of patient visits with the number of patients who generated charges. This will ensure you account for all charges and that there isn’t anything missing, added, or falsified.  

Lock Up the Kitty

It’s hard to eliminate petty cash, especially when you have to collect patient copays. Thus, you must watch your cash drawer like a hawk. Count the cash daily—in the morning, at the end of the day, and anytime people switch shifts. Make sure you’re tying that count to cash receipts. Here’s the formula for reconciling your cash drawer, as explained by AllBusiness: “starting cash balance, plus cash paid in, less any cash out, equals the ending cash balance.” Compare that “against the receipt books that record cash payments and any cash paid out.” (This is a lot easier when your practice’s software has payment collection and tracking, like WebPT’s Patient Payment System.)

A few more pointers:

  • Make it a rule: No one is allowed to “borrow” from petty cash.
  • Deposit checks received into a lock-box. Even better: Set up online bill-pay for patients, and switch all payers to electronic remittance.

Clean Up Your Billing

Just like you should reconcile your cash drawers, your billing department should reconcile everything. As Franklin J. Rooks Jr., PT, MBA, Esq. explains in Advance, “reconciliation should tie in the amount of daily payments received with the bank deposit for that date. The payments report should distinguish insurance payments from patient payments.” Ensure this process classifies payment mode (debit, credit, check, or cash) and includes a close out—that is, a summary of “the amount of charges entered for the day, the number of visits performed for that day, and the number of units billed that day.” Furthermore, make sure your team generates write-off reports and that you have security protocols in place. Lastly, make sure your billing software is up to snuff. It should:

  • be integrated with your EMR to link charges billed with monies received;
  • generate a wealth of specific reports;
  • have its own checks and balances in place as well as an alert system to notify you when things are off; and
  • be web-based, so it’s always up-to-date and includes bank-level security encryption.
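
The checks described above (numbered intake forms compared against charges, daily payments tied to the bank deposit, and write-offs approved by someone other than the person who posted them) lend themselves to an automated daily close-out. The Python below is an added example, not code from any billing product or from the sources quoted in this post; the record layouts, names, and amounts are all constructed for illustration.

```python
# Daily close-out checks. All records below are constructed sample data.
# Amounts are integer cents to avoid floating-point rounding.
FORMS_ON_FILE = [1001, 1002, 1003, 1005]            # numbered intake forms retained
VISITS = {1001: "seen", 1002: "seen", 1003: "cancelled", 1005: "seen"}
CHARGES = [(1001, 12000, "alice"), (1005, 9500, "alice")]   # (form, cents, posted_by)
WRITE_OFFS = [(1001, 12000, "alice", "alice")]      # (form, cents, posted_by, approved_by)
PAYMENTS = [("patient", "cash", 3000),              # (source, mode, cents)
            ("patient", "check", 2500),
            ("insurance", "check", 40000)]
BANK_DEPOSIT = 42500                                # cents deposited for the same date


def missing_forms(forms):
    """Form numbers that should exist in the sequence but were not retained."""
    return sorted(set(range(min(forms), max(forms) + 1)) - set(forms))


def visits_without_charges(visits, charges):
    """Completed visits that never generated a charge."""
    charged = {form for form, _, _ in charges}
    return sorted(f for f, status in visits.items()
                  if status == "seen" and f not in charged)


def self_approved_write_offs(write_offs):
    """Write-offs where the poster also approved (no third-person approval)."""
    return [w for w in write_offs if w[2] == w[3]]


def deposit_variance(payments, deposit):
    """Totals by (source, mode) and payments received minus amount deposited."""
    totals = {}
    for source, mode, cents in payments:
        totals[(source, mode)] = totals.get((source, mode), 0) + cents
    return totals, sum(totals.values()) - deposit


def close_out():
    totals, variance = deposit_variance(PAYMENTS, BANK_DEPOSIT)
    return {
        "missing_forms": missing_forms(FORMS_ON_FILE),
        "uncharged_visits": visits_without_charges(VISITS, CHARGES),
        "self_approved_write_offs": self_approved_write_offs(WRITE_OFFS),
        "payment_totals": totals,
        "deposit_variance_cents": variance,
    }


if __name__ == "__main__":
    for check, result in close_out().items():
        print(f"{check}: {result}")
```

In the sample data the deposit falls short by exactly the day's cash copays, and the one write-off was approved by the same person who posted the charge; either finding should go to the owner rather than to the employee who keeps the books.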

Hire Slow

It’s a WebPT rule, and it should be a rule for your practice as well: Take your time with the hiring process, and be thorough. You may have HR or an office manager help out, but don’t skimp on hiring due diligence, which includes:

  • Screening all potential employees. “As a general rule, avoid all nepotism,” states Modern Medicine.
  • Conducting background checks. (Make sure you get a signed authorization and release form from all prospective hires; it’s illegal to run background checks without their consent.)
  • Vetting personal references, and verifying employment history, licenses/certifications, and education. (Check the Office of Inspector General’s List of Excluded Individuals and Entities “to ensure the applicant has not been excluded from Medicare, Medicaid, or any other federal healthcare program,” recommends Modern Medicine.)
  • Investigating criminal history, or at least performing “the minimum checks that you possibly can” by conducting “an online search using one of the major search engines (such as Google or Bing) to find any negative information, arrests, etc.,” advises Modern Medicine.

Train Smart

First, establish a zero-tolerance policy, and run it by an attorney (that way you know what legal steps to take should you suspect theft). Then, make sure it’s clearly outlined in your employee handbook. Finally, train every employee—from front and back office staff to managers and therapists—annually or bi-annually on the policy, the associated internal controls, and how to identify red flags.

Audit Regularly

Bring in an outside accountant to conduct financial reviews on occasion. The AAOS also recommends letting your staff know that these outside audits will occur at random and without notice. Make sure your accountant provides advice and pointers based on the audit.


Hopefully, you already have many of these loss prevention initiatives in place. If not, then let this blog post serve as a guide. Remember to review your efforts and policies with an accountant, attorney, and liability insurance provider. Theft is a very real—and very common—threat to your business, and you want to make sure that not only are your loss prevention efforts airtight, but your procedures for identifying and prosecuting theft are as well.