A physician in Texas billed Medicare for over 5,000 hours of home health services in a single year. That's roughly 14 hours a day, 365 days straight, with no weekends and no holidays. Nobody on the compliance team flagged it. The claims sailed through for three years before federal investigators showed up.
This is what fraud, waste, and abuse look like when compliance programs fail. And in my experience, most HIPAA teams aren't equipped to catch it, not because they don't care, but because nobody trained them to look.
If you work at a covered entity, a business associate, or any organization that touches PHI, fraud, waste, and abuse prevention isn't someone else's problem. It's yours. Here's what you need to know to protect your organization, your patients, and your career.
Fraud, Waste, and Abuse Are Not the Same Thing
I can't tell you how many compliance officers I've met who lump these three terms together like they're interchangeable. They aren't. The distinctions matter because each one requires a different response.
Fraud: Deliberate Deception for Gain
Fraud is intentional. It's a knowing act: submitting false claims, upcoding procedures, billing for services never rendered, or stealing patient identities to bill in their names. The Department of Justice prosecutes healthcare fraud aggressively. In fiscal year 2023 alone, the DOJ recovered over $1.8 billion in False Claims Act judgments and settlements involving the healthcare industry.
Fraud always involves intent, but "knowing" is defined broadly. Under the False Claims Act (31 U.S.C. § 3729(b)(1)), acting in deliberate ignorance or reckless disregard of the truth counts as knowing. If your billing department submits claims for phantom patients, that's fraud, and "nobody checked" is not a defense.
Waste: Overuse Without Intent
Waste is the overutilization or misuse of resources: ordering unnecessary tests, prescribing medications that aren't indicated, or running inefficient processes that drain the system. There's no criminal intent, but the financial damage is real. CMS's improper payment estimates for Medicare and Medicaid run to roughly $100 billion a year. Not every improper payment is waste (many are documentation failures), but waste is a significant share of that total.
Abuse: Bending Rules Without Breaking the Law
Abuse lives in the gray area. It's practices inconsistent with sound fiscal, business, or medical standards that result in unnecessary cost to the program, but without the provable, deliberate deception that defines fraud. Charging excessively for services, or billing for services that weren't medically necessary, qualifies as abuse. The dividing line is intent: the same pattern of miscoding becomes fraud once you can show the biller knew the codes were wrong.
Why Your HIPAA Program Can't Ignore FWA
Here's what I've seen happen at dozens of organizations: the HIPAA compliance officer handles privacy and security, while fraud, waste, and abuse falls to the billing department or a separate compliance function. The two teams rarely talk.
That's a dangerous gap. PHI is the raw material for most healthcare fraud schemes. Stolen patient records fuel identity theft and false billing. Improperly accessed ePHI enables insider fraud. Every major fraud case I've reviewed involved a breakdown in access controls, audit logging, or workforce training — all HIPAA fundamentals.
A fraud scheme that runs on PHI is also a HIPAA violation. Pulling records without a treatment, payment, or operations purpose is an impermissible use under the Privacy Rule, and the missing access controls and log review that let it happen are Security Rule failures. When patient data leaks because an employee was running a side billing scheme, your organization faces OCR penalties on top of the fraud prosecution.
The $3 Million Wake-Up Call at a University Health System
In 2019, the University of Rochester Medical Center agreed to a $3 million settlement with OCR after unencrypted mobile devices holding PHI were lost and stolen; OCR also faulted the enterprise-wide risk analysis that should have caught the gap. That case centered on security, not fraud, but the lesson is universal: when you don't control access to PHI, you can't control what people do with it.
Organizations that treat HIPAA compliance and fraud, waste, and abuse prevention as separate silos are building a house with no locks on half the doors.
What Does Fraud Waste and Abuse Look Like in Practice?
This is the question I get most from compliance teams. They understand the definitions. They want to know what to actually watch for. Here's my shortlist from two decades of consulting.
Red Flags Your Team Should Monitor
- Billing anomalies: Claims that consistently hit the maximum allowable amount, sudden spikes in a specific procedure code, or services billed under a provider who wasn't on-site.
- Access pattern irregularities: Staff accessing patient records they have no treatment, payment, or operations reason to see. That is a Privacy Rule violation on its own, and it is often the first step in a fraud scheme.
- Kickback arrangements: Referral patterns that always flow to one vendor or lab. The Anti-Kickback Statute, 42 U.S.C. § 1320a-7b(b), prohibits knowingly and willfully offering, paying, soliciting, or receiving anything of value to induce referrals for items or services paid by a federal healthcare program.
- Ghost employees or patients: Payroll entries or patient records that don't correspond to real people.
- Duplicate billing: Submitting the same claim multiple times, sometimes with slight modifications to avoid automated detection.
If your audit logs aren't set up to flag these patterns, you're flying blind.
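The red flags above, and the automated alerting that steps 2 and 6 below call for, can be expressed as plain rules over records you already keep. The following is an added example written for this article, not code from any organization or product it mentions. It screens a handful of constructed claims and ePHI access-log entries for three of the patterns: a provider-day whose billed hours exceed an assumed policy threshold (the opening anecdote, caught on day one instead of year three), resubmitted claims that collide once you ignore the claim ID and the amount, and chart access by a user who has no billed encounter with that patient. The record layout, the 16-hour threshold, and the use of billed encounters as a proxy for a treatment relationship are all assumptions.

```python
"""Rule-based screening of claims and ePHI access events for FWA red flags.

Added example with constructed data; record layouts and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample claims: (claim_id, provider, patient, date, procedure_code, hours, amount_usd)
CLAIMS = [
    ("C001", "DR_A", "P100", "2023-03-01", "G0156", 8.0, 640.00),
    ("C002", "DR_A", "P101", "2023-03-01", "G0156", 9.0, 720.00),
    ("C003", "DR_A", "P102", "2023-03-01", "G0156", 8.0, 640.00),   # DR_A: 25 h billed in one day
    ("C004", "DR_B", "P200", "2023-03-01", "99213", 0.5, 110.00),
    ("C005", "DR_B", "P200", "2023-03-01", "99213", 0.5, 110.00),   # exact resubmission
    ("C006", "DR_B", "P200", "2023-03-01", "99213", 0.5, 110.01),   # resubmitted with the amount tweaked
    ("C007", "DR_C", "P300", "2023-03-02", "99214", 0.75, 160.00),
]

# Constructed sample ePHI access events: (timestamp, user, patient, action)
ACCESS_LOG = [
    ("2023-03-01T09:02:11", "DR_A", "P100", "VIEW"),
    ("2023-03-01T22:47:03", "DR_C", "P101", "VIEW"),    # DR_C never billed for P101
    ("2023-03-02T10:15:40", "DR_C", "P300", "VIEW"),
    ("2023-03-02T10:16:02", "DR_C", "P102", "EXPORT"),  # DR_C never billed for P102
]

# Assumed policy threshold. 24 h is physically impossible; alert well below it.
MAX_BILLABLE_HOURS_PER_DAY = 16.0


def hours_over_threshold(claims, limit=MAX_BILLABLE_HOURS_PER_DAY):
    """Sum billed hours per (provider, date) and return the provider-days above limit."""
    totals = defaultdict(float)
    for _cid, provider, _patient, date, _code, hours, _amount in claims:
        totals[(provider, date)] += hours
    return {key: total for key, total in totals.items() if total > limit}


def duplicate_claims(claims):
    """Group claims on (provider, patient, date, code) only.

    Claim ID and amount are deliberately left out of the key so a resubmission
    with a tweaked amount still collides with the original. Returns groups of 2+.
    """
    groups = defaultdict(list)
    for cid, provider, patient, date, code, _hours, _amount in claims:
        groups[(provider, patient, date, code)].append(cid)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def treatment_relationships(claims):
    """(provider, patient) pairs with at least one billed encounter.

    Billing is only a proxy for a treatment relationship; a real deployment would
    use encounter or ADT data and care-team roles to avoid flagging legitimate access.
    """
    return {(provider, patient) for _cid, provider, patient, *_rest in claims}


def access_without_relationship(access_log, claims):
    """Access events by a user who has no billed encounter with that patient."""
    related = treatment_relationships(claims)
    return [event for event in access_log if (event[1], event[2]) not in related]


def screen(claims=CLAIMS, access_log=ACCESS_LOG):
    """Run every rule and return the findings keyed by rule name."""
    return {
        "hours_over_threshold": hours_over_threshold(claims),
        "duplicate_claims": duplicate_claims(claims),
        "access_without_relationship": access_without_relationship(access_log, claims),
    }


if __name__ == "__main__":
    for rule, findings in screen().items():
        print(f"{rule}: {findings}")
```

On the sample data this flags DR_A's 25-hour day, the three DR_B claims as one duplicate group, and both of DR_C's chart pulls. Treat the output as a work queue for a human reviewer, not a verdict: covering clinicians and care coordinators will trip the relationship check until you feed it real encounter data, and the hours threshold needs tuning per service line. The value of wiring rules like these into the audit pipeline is that the 14-hours-a-day provider surfaces in the first monthly run rather than in a federal subpoena.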
The Training Gap That Keeps Costing Organizations
I've reviewed compliance programs at organizations ranging from three-person dental offices to 10,000-employee hospital systems. The single most common deficiency? Workforce training that covers the HIPAA Privacy and Security Rules but never mentions fraud, waste, and abuse.
Your staff are your first line of defense. Front-desk workers see the billing patterns. Nurses notice when documentation doesn't match patient encounters. IT staff spot the unusual access logs. But if nobody has trained them on what to report — or how — those observations die on the vine.
CMS requires fraud, waste, and abuse training for Medicare Advantage and Part D plan sponsors. But even if your organization doesn't fall under that specific mandate, building FWA awareness into your HIPAA training program is a best practice that every covered entity should adopt.
Our HIPAA training catalog includes workforce education that connects the dots between PHI protection and fraud prevention — because your team needs both.
Seven Steps to Build FWA Prevention Into Your Compliance Program
1. Unify Your Compliance Functions
Stop treating HIPAA and FWA as separate tracks. Your privacy officer and compliance officer should sit in the same meetings, review the same audit data, and report to the same leadership.
2. Implement Robust Audit Controls
HIPAA's Security Rule already requires audit controls under 45 CFR § 164.312(b) and regular review of system activity (logs, access reports, incident tracking) under § 164.308(a)(1)(ii)(D). Use those same logs to flag billing anomalies and suspicious access patterns. One investment, two compliance objectives.
3. Train Everyone — Not Just Billing Staff
Every member of your workforce who handles PHI should understand the basics of fraud waste and abuse. Clinical staff, administrative teams, and IT personnel all play a role. Explore comprehensive workforce training options that cover both HIPAA and FWA fundamentals.
4. Establish a Confidential Reporting Channel
Staff won't report suspicious activity if they fear retaliation. Create anonymous hotlines, online portals, or ombudsman offices. Then publicize them relentlessly.
5. Conduct Regular Risk Assessments
Your HIPAA risk analysis, required under 45 CFR § 164.308(a)(1)(ii)(A), should include fraud risk as a category. Where is PHI most vulnerable to misuse? Which departments have the highest rates of manual claims entry? Those are your hotspots.
6. Monitor, Don't Just Audit
Annual audits aren't enough. Continuous monitoring — automated alerts on billing thresholds, real-time access logging, regular claims sampling — catches problems before they become federal cases.
7. Document Everything
If OCR or OIG comes knocking, your documentation is your defense. Maintain records of every training session, every investigation, every corrective action, and keep them for at least the six years the Security Rule requires (45 CFR § 164.316(b)(2)). If you didn't document it, it didn't happen.
What Happens When You Report Fraud, Waste, and Abuse?
This is a question that deserves a direct answer. If you suspect FWA at your organization, you have several reporting options:
- Internal compliance department: Always start here if you trust the process.
- HHS Office of Inspector General (OIG): File a complaint online or call the OIG hotline at 1-800-HHS-TIPS (1-800-447-8477).
- State Attorney General: Many state AG offices have healthcare fraud units.
- False Claims Act (qui tam): Whistleblowers can file suit on behalf of the government and, under 31 U.S.C. § 3730(d), receive 15 to 30 percent of what is recovered.
Federal law protects whistleblowers from retaliation. The False Claims Act's anti-retaliation provision (31 U.S.C. § 3730(h)) entitles a retaliated-against employee to reinstatement and double back pay. If your organization fires someone for reporting fraud, that's a separate legal liability you don't want.
The Cost of Looking the Other Way
Healthcare fraud, waste, and abuse cost the U.S. healthcare system tens of billions of dollars every year. But the cost to individual organizations goes beyond fines. It includes exclusion from federal healthcare programs, criminal prosecution of executives, loss of patient trust, and the slow erosion of organizational culture that happens when bad behavior goes unchecked.
I've watched organizations recover from data breaches. I've seen them bounce back from OCR settlements. But I've never seen one fully recover from a fraud prosecution that revealed a culture of indifference.
Your HIPAA compliance program is already built to protect PHI. Extend that same rigor to fraud, waste, and abuse prevention, and you protect something even bigger: the integrity of your organization.
The tools and training exist. The enforcement landscape is only getting more aggressive. The question isn't whether your organization will face scrutiny. It's whether you'll be ready when it arrives.