A front-desk employee at a Florida clinic bills Medicare for physical therapy sessions that never happened. A physician upcodes patient visits — documenting complex evaluations when the actual appointment lasted seven minutes. A billing manager pulls up patient records to check whether a neighbor was treated for a substance use disorder, then mentions it at a block party. Each of these scenarios answers a question I get asked constantly: what is fraud and abuse in healthcare, and how does HIPAA fit into the picture?

If you work at a covered entity — a hospital, health plan, clearinghouse, or their business associates — this isn't academic. It's the kind of thing that triggers federal investigations, seven-figure penalties, and criminal charges. Let me walk you through exactly what fraud and abuse look like in practice, where HIPAA intersects, and what your organization needs to do about it right now.

What Is Fraud and Abuse in Healthcare? The Straight Answer

Healthcare fraud is the knowing submission of false or misleading information to a health plan or government payer for financial gain. Healthcare abuse covers practices that are inconsistent with sound business, fiscal, or medical norms and result in unnecessary cost or improper payment, without the intent to deceive that fraud requires: billing errors produced by sloppy processes rather than a deliberate scheme.

The distinction matters legally, but in practice the line blurs fast. The False Claims Act's "knowing" standard (31 U.S.C. § 3729(b)(1)) reaches reckless disregard and deliberate ignorance, not just actual knowledge, so an "innocent" billing mistake that recurs hundreds of times starts to look a lot like fraud to an auditor from the HHS Office of Inspector General (OIG).

Here's what I've seen trip up organizations most often:

  • Upcoding: Billing for a higher-level service than what was provided.
  • Unbundling: Separating services that should be billed as one to inflate reimbursement.
  • Phantom billing: Charging for services or supplies never delivered.
  • Kickbacks: Accepting or offering payment in exchange for patient referrals.
  • Identity theft and PHI misuse: Using stolen protected health information to submit fraudulent claims.

That last one is where HIPAA enters the conversation with full force.

The HIPAA Connection Most People Miss

Most compliance officers think of HIPAA as a privacy and security framework. It is. But look at the full name of Title II: "Preventing Health Care Fraud and Abuse; Administrative Simplification." The fraud and abuse provisions created the Health Care Fraud and Abuse Control Program and the federal healthcare fraud statute, while the Administrative Simplification provisions produced the standardized electronic transactions and the Privacy and Security Rules. The law didn't protect PHI only for the sake of patient dignity. Standardized transactions and safeguards were meant, in part, to make fraudulent billing harder to pull off and easier to detect.

When someone exploits ePHI to submit false claims, the exposure lands in two places at once. The individual faces the False Claims Act and the criminal statutes, including HIPAA's own wrongful-disclosure provision (42 U.S.C. § 1320d-6). The covered entity answers to OCR for the Privacy and Security Rule safeguards that should have prevented or detected the access, and to OIG and the Department of Justice for the claims that went out the door. Your organization gets hit from multiple directions.

I've watched this play out in real enforcement actions, and it's never pretty.

The $5.5 Million Wake-Up Call from Memorial Healthcare System

In 2017, Memorial Healthcare System in Florida agreed to a $5.5 million settlement with OCR after the ePHI of 115,143 individuals was accessed or disclosed without authorization. The access wasn't just curiosity. The investigation found that the login credentials of a former employee of an affiliated physician's office were used to access MHS records on a daily basis for about a year without detection, and some of the information was used for identity theft, including fraudulent tax filings. OCR faulted MHS for failing to review, modify, and terminate user access rights and for failing to regularly review information system activity, even though its own policies called for both.

This case is a textbook example of how abuse of system access creates a direct pipeline to healthcare fraud. When your workforce can browse patient records without oversight, you've built the infrastructure for someone to misuse that data — whether for identity theft, fraudulent billing, or selling information on the black market.

You can review OCR's enforcement actions and resolution agreements on the HHS Enforcement Highlights page.

Five Types of Healthcare Fraud That Trigger HIPAA Violations

In my experience consulting with covered entities, these are the fraud schemes most likely to create simultaneous HIPAA exposure:

1. Insider PHI Theft for False Claims

An employee copies patient identifiers (names, dates of birth, insurance IDs) and uses them to bill for services those patients never received. The copying is an impermissible use of PHI under the Privacy Rule, and the fact that the employee could reach far more records than the job required points to failures under the minimum necessary standard and the Security Rule's access control and audit control requirements.

2. Medical Identity Theft

Stolen PHI gets used to obtain prescriptions, medical devices, or treatments under someone else's insurance. The patient often discovers it when they receive an explanation of benefits for a procedure they never had — or worse, when incorrect information in their medical record leads to a dangerous clinical decision.

3. EHR Manipulation

Providers alter electronic health records to justify higher reimbursement. This corrupts the integrity of ePHI, which the HIPAA Security Rule specifically requires organizations to protect under 45 CFR § 164.312(c)(1).

4. Business Associate Data Exploitation

A business associate with access to claims data uses it for unauthorized purposes — selling patient lists, running side billing operations, or mining data for commercial gain. Your Business Associate Agreement should prevent this, but I've seen plenty of BAAs that are signed and filed without anyone actually monitoring compliance.

5. Prescription Fraud Using Patient Records

Staff access patient records to forge or alter prescriptions. This intersects with both HIPAA and the Controlled Substances Act, and it's more common than most practice managers want to believe.

How OCR and OIG Work Together on Fraud Cases

Here's something that surprises a lot of compliance officers: OCR and OIG don't operate in silos. When OCR investigates a breach and discovers evidence of fraud, they refer the case to OIG and the Department of Justice. The reverse happens too — a fraud investigation by OIG can uncover HIPAA violations that get referred to OCR.

The federal government has built an enforcement ecosystem specifically designed to catch organizations from multiple angles. The OIG Work Plan, which OIG now updates throughout the year rather than in a single annual release, lists its audit and evaluation priorities, and healthcare fraud sits near the top of it every year.

This means a single incident, one employee accessing records they shouldn't, can cascade into a Privacy Rule violation, a Security Rule violation, a False Claims Act case, and criminal prosecution under the HIPAA wrongful-disclosure statute (42 U.S.C. § 1320d-6), the Anti-Kickback Statute, or the federal healthcare fraud statute (18 U.S.C. § 1347).

What Your Organization Must Do Right Now

If you're reading this and thinking, "We have a compliance program," I'd push back and ask: does your compliance program specifically address the intersection of fraud, abuse, and HIPAA?

Here's the checklist I use when advising covered entities:

  • Audit access logs monthly. Not quarterly. Not annually. Monthly. Look for patterns — employees accessing records outside their department, after-hours logins, bulk record views.
  • Train every member of your workforce on fraud indicators. Your staff should know what upcoding looks like. They should know how to report suspicious activity. Workforce training isn't optional under HIPAA: 45 CFR § 164.530(b) requires Privacy Rule training, and 45 CFR § 164.308(a)(5) requires a security awareness and training program. Our HIPAA training catalog covers both privacy fundamentals and fraud awareness in modules designed for clinical and administrative staff.
  • Implement role-based access controls. The minimum necessary standard isn't a suggestion. Every user should only see the PHI they need for their specific job function.
  • Establish an anonymous reporting mechanism. Whistleblower protections under the False Claims Act have generated billions in fraud recoveries. Your employees need a safe way to report concerns without retaliation.
  • Review your Business Associate Agreements. Make sure they include specific language about prohibited uses of PHI and audit rights. Then actually exercise those audit rights.
  • Conduct a risk analysis at least annually and after any major system change. The Security Rule requires an accurate and thorough risk analysis (45 CFR § 164.308(a)(1)(ii)(A)) but does not fix a frequency; annual is the common baseline, and it's your best tool for identifying vulnerabilities that could enable both breaches and fraud.
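The monthly log review above is the one item on that checklist that is really a detection problem, so here is what the three patterns it names look like as code. This is an added example, not code from the original article or from any EHR vendor. The access-audit records, the user-to-department table, the business-hours window, and the bulk-view threshold are all constructed for illustration; a real review would pull the same fields from the EHR's audit export and the role table from the HR or identity system. Note the fourth case it also catches: a login from an account that is not in the role table at all, which is the stale-credential scenario from the Memorial Healthcare case.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inputs (assumed, not from any real system): which
# departments' records each user may touch, and a small audit export.
PERMITTED_DEPARTMENTS = {
    "jlee": {"cardiology", "orthopedics"},   # coder assigned to two service lines
    "mross": {"cardiology"},                 # cardiology nurse
    "front01": {"outpatient"},               # front-desk registration
}

# Fields: timestamp, user, patient id, department owning the record, action.
SAMPLE_LOG = """\
2024-03-04T09:12:00,jlee,P1001,cardiology,view
2024-03-04T09:15:00,jlee,P1002,orthopedics,view
2024-03-04T22:41:00,mross,P2001,cardiology,view
2024-03-05T10:02:00,mross,P3001,behavioral_health,view
2024-03-05T11:00:00,front01,P4001,outpatient,view
2024-03-05T11:00:30,front01,P4002,outpatient,view
2024-03-05T11:01:00,front01,P4003,outpatient,view
2024-03-05T11:01:30,front01,P4004,outpatient,view
2024-03-05T11:02:00,front01,P4005,outpatient,view
2024-03-05T11:02:30,front01,P4006,outpatient,view
2024-03-06T08:30:00,tempx,P2002,cardiology,view
2024-03-09T14:10:00,jlee,P1003,cardiology,view
"""

BUSINESS_HOURS = (7, 19)           # 07:00 <= t < 19:00, Monday to Friday (assumed)
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5                 # flag more than this many distinct patients per window


def parse_log(text):
    """Turn the comma-separated audit export into dicts sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, patient, department, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "department": department,
                        "action": action})
    return sorted(records, key=lambda r: r["ts"])


def find_out_of_department(records, permitted=PERMITTED_DEPARTMENTS):
    """Access to a record owned by a department the user is not assigned to.
    A user missing from the role table is flagged too: that is a stale or
    shared credential, not a legitimate unknown role."""
    findings = []
    for r in records:
        allowed = permitted.get(r["user"])
        if allowed is None:
            findings.append({**r, "reason": "user not in role table"})
        elif r["department"] not in allowed:
            findings.append({**r, "reason": "department not permitted for user"})
    return findings


def find_after_hours(records, hours=BUSINESS_HOURS):
    """Access on a weekend or outside the weekday business-hours window."""
    start, end = hours
    return [{**r, "reason": "outside business hours"} for r in records
            if r["ts"].weekday() >= 5 or not (start <= r["ts"].hour < end)]


def find_bulk_views(records, window=BULK_WINDOW, threshold=BULK_THRESHOLD):
    """More than `threshold` distinct patients viewed by one user within
    `window`. Slides a window over each user's time-sorted records and
    reports the busiest window, so one burst yields one finding."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    findings = []
    for user, recs in by_user.items():
        best, best_start = 0, None
        for i, first in enumerate(recs):
            patients = set()
            for r in recs[i:]:
                if r["ts"] - first["ts"] > window:
                    break
                patients.add(r["patient"])
            if len(patients) > best:
                best, best_start = len(patients), first["ts"]
        if best > threshold:
            findings.append({"user": user, "window_start": best_start,
                             "distinct_patients": best, "reason": "bulk record views"})
    return findings


def run_review(log_text):
    """Run all three checks over one audit export and return the findings."""
    records = parse_log(log_text)
    return {"out_of_department": find_out_of_department(records),
            "after_hours": find_after_hours(records),
            "bulk_views": find_bulk_views(records)}


if __name__ == "__main__":
    for check, findings in run_review(SAMPLE_LOG).items():
        print(f"{check}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", f.get("ts", f.get("window_start")), f["user"], f["reason"])
```

On the sample data this flags two out-of-department events (a nurse opening a behavioral health record, and the unknown "tempx" account), two after-hours events (a late-night weekday view and a Saturday view), and one bulk burst by the front desk. Every finding is a lead for a human to run down against the schedule and the care relationship, not a verdict; the value of doing it monthly is that the window between misuse and detection stops being measured in years.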

The Cost of Getting This Wrong

The numbers are staggering. The National Health Care Anti-Fraud Association estimates that healthcare fraud costs the United States tens of billions of dollars every year. HHS and DOJ's annual Health Care Fraud and Abuse Control Program Report consistently shows billions in recoveries, but that's just what gets caught.

For individual organizations, the penalties are severe. HIPAA civil monetary penalties are capped at just over $2 million per identical-provision category per calendar year, a cap that HHS adjusts for inflation each year (the 2023 figure was $2,067,813). Criminal penalties for healthcare fraud under 18 U.S.C. § 1347 carry up to 10 years in prison, 20 years if the fraud results in serious bodily injury, and up to life if it results in death. HIPAA's own criminal provision adds up to 10 years where PHI is obtained or disclosed with intent to sell it or use it for commercial advantage, personal gain, or malicious harm.

And that's before you factor in reputational damage, loss of patient trust, and exclusion from federal healthcare programs.

Fraud Prevention Is HIPAA Compliance

Here's the point I drive home with every client: you cannot separate fraud prevention from HIPAA compliance. They share the same infrastructure — access controls, audit trails, workforce training, risk analysis, incident reporting. When you build a strong HIPAA program, you're simultaneously building your best defense against fraud and abuse.

If your compliance training treats HIPAA as a privacy checkbox and fraud as someone else's problem, you've got a gap that federal investigators will find. Consider enrolling your team in role-specific HIPAA compliance training that connects these dots for clinical, administrative, and leadership staff.

Understanding what fraud and abuse in healthcare really means — and how deeply it's woven into your HIPAA obligations — is the first step toward building a compliance program that actually works. The second step is acting on it before OCR or OIG comes knocking.