A $4.7 Billion Problem Hiding in Your Organization's Blind Spots
In 2023, the Department of Justice recovered over $2.68 billion in settlements and judgments from cases involving fraud and false claims against federal health care programs. That number only captures what gets caught. The actual cost of fraud, waste, and abuse in healthcare runs far higher — the National Health Care Anti-Fraud Association has estimated it at tens of billions annually.
I've seen small clinics assume this is a "big hospital problem." It's not. A single billing clerk submitting upcoded claims. A nurse sharing login credentials. A front-desk employee selling patient lists. These are the scenarios I encounter regularly during compliance audits, and they sit squarely at the intersection of fraud, waste, abuse — and HIPAA.
If you're a covered entity or business associate, fraud, waste, and abuse in healthcare isn't just a billing issue. It's a PHI issue. And ignoring it can cost you everything.
What Fraud, Waste, and Abuse Actually Look Like on the Ground
Let's strip away the textbook definitions and talk about what I actually see in the field.
Fraud: Intentional Deception for Gain
Fraud is the deliberate act. It's the physician who bills for services never rendered. It's the DME supplier who ships cheap equipment and invoices for premium models. It's the employee who steals a patient database and sells it on the dark web.
Every one of these scenarios involves protected health information. You can't bill for phantom services without manipulating PHI. You can't steal a patient list without accessing ePHI. Fraud and HIPAA violations are conjoined twins.
Waste: Careless Spending That Nobody Questions
Waste isn't malicious — it's negligent. Ordering duplicate lab tests because nobody checked the chart. Running reports nobody reads. Maintaining access permissions for employees who left two years ago.
That last one is a HIPAA time bomb. I audited a mid-size orthopedic practice last year that still had active EHR accounts for 14 former employees. No fraud intended. Pure waste. But any one of those orphaned accounts could have been exploited to access PHI — turning waste into a reportable breach.
Abuse: Bending Rules Until They Break
Abuse lives in the gray zone. It's billing for a higher complexity visit than what was performed — not because you're trying to steal, but because "that's just how we code around here." It's a provider who self-refers patients to a lab they own without disclosing the financial relationship.
Abuse erodes compliance culture. When your workforce sees leaders cutting corners, they stop taking HIPAA seriously too. I've watched it happen at organization after organization.
The $5.1 Million Fine That Started With a Billing Scheme
In 2017, Memorial Healthcare System paid $5.5 million to the Office for Civil Rights (OCR) to settle potential HIPAA violations. The root cause? Employees at an affiliated physician practice had been using login credentials to access patient data in the hospital's information systems — data that was then used in a fraud scheme. You can review the HHS enforcement page for Memorial Healthcare System for details.
The organization failed to review records of information system activity, failed to limit access to ePHI, and didn't have adequate audit controls. Fraud was the spark. HIPAA was the fuel.
This is the pattern I warn clients about constantly. Fraud, waste, and abuse in healthcare doesn't just trigger Department of Justice scrutiny. It triggers OCR investigations. And OCR doesn't care whether the fraud was someone else's idea — if your HIPAA safeguards didn't prevent or detect it, you're on the hook.
Why Your Compliance Program Must Address Both FWA and HIPAA Together
Most organizations treat anti-fraud programs and HIPAA compliance as separate workstreams. Different committees, different training modules, different reporting channels. That's a structural mistake.
Here's what a unified approach looks like:
- Access controls that prevent fraud and protect PHI simultaneously. Role-based access means employees only see the data they need — reducing both the opportunity for fraudulent billing and the risk of unauthorized PHI disclosure.
- Audit trails that serve double duty. HIPAA requires you to track access to ePHI. Those same logs are your first line of defense for detecting suspicious billing patterns or unauthorized data exports.
- A single reporting hotline. When your workforce can report both billing irregularities and potential PHI breaches through one channel, they actually use it. Two systems means confusion and underreporting.
- Integrated workforce training. Your staff needs to understand that accessing a patient record without a legitimate treatment, payment, or operations purpose isn't just a HIPAA violation — it can also be evidence of fraud or abuse.
Building this kind of integrated program starts with training that connects the dots. The HIPAA training catalog at HIPAACertify covers both compliance fundamentals and the workforce behaviors that prevent fraud, waste, and abuse from taking root.
What Is the Difference Between Fraud, Waste, and Abuse in Healthcare?
Fraud is an intentional act of deception for unauthorized benefit — like billing for services not provided. Waste is the overuse or misuse of resources without intent to defraud — like ordering unnecessary tests. Abuse is practices inconsistent with accepted standards that result in unnecessary costs — like upcoding visits. All three can involve PHI and trigger HIPAA violations when patient data is accessed, used, or disclosed improperly.
The 7 Red Flags I Tell Every Compliance Officer to Watch
After years of consulting, I've distilled the warning signs into a practical checklist. If you spot any of these, investigate immediately:
- Employees accessing records of patients they don't treat. This is the classic "curious coworker" scenario — but it can also indicate identity theft or data harvesting for fraudulent billing.
- Unusual after-hours EHR activity. Legitimate clinical work happens at odd hours. But consistent late-night access by non-clinical staff deserves scrutiny.
- Billing codes that don't match clinical documentation. A disconnect between what the chart says and what the claim says is abuse at minimum, fraud at worst.
- Resistance to audit processes. When a department pushes back hard against access reviews or documentation audits, something is usually hiding underneath.
- High volumes of amended or voided claims. This can indicate a pattern of submitting inflated claims and then correcting them when questioned — a common abuse tactic.
- Terminated employees with active system access. Every day an orphaned account exists is a day your ePHI is at risk.
- No documented sanctions for policy violations. If people violate your policies and nothing happens, you don't have a compliance program. You have a suggestion box.
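The access-control and audit-trail points in the unified-approach list above, and the first three red flags in this checklist (non-treatment access, after-hours activity by non-clinical staff, billing codes that don't match documentation) plus the orphaned-account flag, can all be checked from data a HIPAA audit program already holds: the EHR access log, the HR roster, and claim records. The script below is an added example written for this article, not code from HIPAACertify or any EHR vendor. Every user, patient, claim and log line in it is constructed for illustration, and the "timestamp|user|patient|action" log format, the role names and the 22:00–06:00 after-hours window are assumptions; a real program would map these to its own system's export.

```python
"""Screen a constructed EHR access log and claim list for the red flags
discussed in the article. All data below is made up for illustration."""
from datetime import datetime, time

# Constructed HR roster (assumed fields: role, status, termination date).
ROSTER = {
    "jdoe":   {"role": "clinical",   "status": "active",     "term_date": None},
    "mlee":   {"role": "billing",    "status": "active",     "term_date": None},
    "rsmith": {"role": "clinical",   "status": "terminated", "term_date": "2024-01-15"},
    "kpatel": {"role": "front_desk", "status": "active",     "term_date": None},
}
UNKNOWN = {"role": "unknown", "status": "unknown", "term_date": None}

# Constructed treatment relationships: which workforce members treat which patient.
CARE_TEAM = {"P001": {"jdoe"}, "P002": {"jdoe"}, "P003": set()}

# Constructed audit log in an assumed "timestamp|user|patient|action" format.
AUDIT_LOG = """\
2024-02-01T09:15:00|jdoe|P001|view_chart
2024-02-01T09:20:00|mlee|P001|view_claim
2024-02-01T23:45:00|kpatel|P002|view_chart
2024-02-02T01:10:00|kpatel|P003|export_record
2024-02-02T10:00:00|rsmith|P002|view_chart
2024-02-02T02:30:00|jdoe|P001|view_chart
"""

# Constructed claims: (claim_id, patient, billed E/M level, documented E/M level).
CLAIMS = [("C100", "P001", 3, 3), ("C101", "P002", 5, 3), ("C102", "P003", 2, 2)]


def parse_log(text):
    """Turn the pipe-delimited log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def flag_non_treatment_access(events, care_team, roster):
    """Red flag: chart access by someone with no treatment relationship.
    Billing staff viewing a claim is a payment purpose and is not flagged."""
    hits = []
    for e in events:
        role = roster.get(e["user"], UNKNOWN)["role"]
        if role == "billing" and e["action"] == "view_claim":
            continue
        if e["user"] not in care_team.get(e["patient"], set()):
            hits.append((e["user"], e["patient"], e["action"]))
    return hits


def is_after_hours(ts, start=time(22, 0), end=time(6, 0)):
    """True when the timestamp falls in the assumed 22:00-06:00 window."""
    t = ts.time()
    return t >= start or t < end


def flag_after_hours_nonclinical(events, roster):
    """Red flag: consistent late-night access by non-clinical staff.
    Clinical users are exempt because legitimate care happens at odd hours."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if roster.get(e["user"], UNKNOWN)["role"] != "clinical"
            and is_after_hours(e["ts"])]


def flag_terminated_access(events, roster):
    """Red flag: activity on an account after the user's termination date."""
    hits = []
    for e in events:
        rec = roster.get(e["user"], UNKNOWN)
        if rec["status"] == "terminated" and rec["term_date"]:
            if e["ts"] >= datetime.fromisoformat(rec["term_date"]):
                hits.append((e["user"], e["patient"], e["ts"].isoformat()))
    return hits


def flag_code_documentation_mismatch(claims):
    """Red flag: billed complexity exceeds what the chart documents."""
    return [(cid, billed, documented) for cid, _, billed, documented in claims
            if billed > documented]


def run_screen(log_text=AUDIT_LOG, roster=ROSTER, care_team=CARE_TEAM, claims=CLAIMS):
    """Run every rule and return the findings keyed by red flag."""
    events = parse_log(log_text)
    return {
        "non_treatment_access": flag_non_treatment_access(events, care_team, roster),
        "after_hours_nonclinical": flag_after_hours_nonclinical(events, roster),
        "terminated_account_access": flag_terminated_access(events, roster),
        "code_documentation_mismatch": flag_code_documentation_mismatch(claims),
    }


if __name__ == "__main__":
    for flag, findings in run_screen().items():
        print(f"{flag}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

Two design points matter here. First, the rules share one event list, which is the "audit trails that serve double duty" idea from the list above: the same ePHI access log answers both the HIPAA question (who touched this record and why) and the fraud question (is this access feeding claims the chart doesn't support). Second, the exemptions are explicit and narrow (billing staff on claims, clinical staff after hours), so a reviewer can see exactly which treatment, payment or operations purpose excuses a hit; in this constructed data, the former employee rsmith trips two rules at once, which is what you would expect from an orphaned account.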
The Federal Framework You're Already Required to Follow
If your organization participates in Medicare or Medicaid, you're already subject to anti-fraud requirements under the False Claims Act, the Anti-Kickback Statute, and the Physician Self-Referral Law (Stark Law). The HHS Office of Inspector General publishes detailed compliance program guidance that every covered entity should have on file. You can access the OIG Compliance Program Guidance directly.
Here's what most people miss: the OIG guidance explicitly recommends training, auditing, and reporting mechanisms that overlap almost entirely with HIPAA's administrative safeguards. If you're already building a HIPAA compliance program, you're halfway to a solid anti-fraud program — and vice versa.
The HIPAA compliance training courses at HIPAACertify are designed with this overlap in mind, helping your workforce understand their obligations under both frameworks.
Breach Notification: When Fraud Becomes a Reportable Event
Here's a scenario I've walked clients through more than once. An employee accesses ePHI to create fraudulent insurance claims. The fraud gets discovered. Now you have two problems.
First, the fraud itself — a DOJ and OIG issue. Second, an impermissible use of PHI under 45 CFR § 164.502. That triggers your breach notification obligations under the HIPAA Breach Notification Rule. You must notify affected individuals, HHS, and potentially the media if 500 or more individuals are impacted.
I've seen organizations so focused on the fraud investigation that they miss the 60-day breach notification window. That's a separate HIPAA violation with its own penalty structure. OCR has imposed civil monetary penalties ranging from $100 to $50,000 per violation, with annual maximums reaching $1.5 million per violation category.
Build the Culture Before the Crisis Hits
Fraud, waste, and abuse in healthcare doesn't start with a criminal mastermind. It starts with a culture that tolerates shortcuts. A supervisor who looks the other way. A training program that checks boxes but changes no behavior.
Your compliance program needs teeth. Real sanctions for real violations. Regular audits that people know are coming. Anonymous reporting channels that leadership actually monitors. Training that connects everyday actions — like who you let see a patient chart — to the larger consequences of fraud, waste, and abuse.
I've spent years watching organizations pay millions in settlements because they treated compliance as paperwork. Don't be one of them. Start with workforce training that actually sticks, build audit processes that catch problems early, and treat your HIPAA program and your anti-fraud program as one unified defense system.
Your patients trust you with their most sensitive information. Your payers trust you to bill honestly. Those two obligations aren't separate. They never were.