In fiscal year 2023, the Department of Justice recovered more than $2.68 billion in False Claims Act settlements and judgments, over $1.8 billion of it from matters involving the healthcare industry. Behind those numbers is a long list of fraud, waste and abuse schemes, many of which directly intersect with HIPAA obligations around the protection and proper use of protected health information (PHI). If your organization doesn't know what these schemes look like, you're exposed on multiple fronts: federal enforcement, civil monetary penalties, and exclusion from federal healthcare programs.
The Complete List of Fraud Waste and Abuse Every Covered Entity Must Know
Healthcare fraud, waste, and abuse (FWA) aren't interchangeable terms. Each carries distinct legal meaning, and understanding the differences shapes how your compliance program responds.
Fraud involves intentional deception or misrepresentation that results in unauthorized benefit. Waste refers to the overuse of services or practices that result in unnecessary costs without intent to deceive. Abuse involves practices inconsistent with accepted standards that result in unnecessary costs, improper payment, or reimbursement for services not medically necessary — even without proven fraudulent intent.
Here is a detailed list of fraud waste and abuse examples your workforce should be trained to recognize:
Common Healthcare Fraud Schemes
- Upcoding: Billing for a more expensive service or procedure than the one actually performed, for example a higher-level evaluation and management code than the visit documentation supports. It is one of the most frequently pursued schemes in OIG and DOJ False Claims Act enforcement.
- Unbundling: Submitting separate bills for services that should be billed as a single bundled code, inflating reimbursement amounts.
- Phantom billing: Billing for services, procedures, or supplies that were never provided to the patient.
- Kickbacks and self-referrals: Offering, paying, soliciting, or receiving remuneration to induce referrals for services covered by federal healthcare programs is a direct violation of the Anti-Kickback Statute (42 U.S.C. § 1320a-7b(b)). Physician self-referrals to entities in which the physician has a financial interest are separately prohibited by the Stark Law (42 U.S.C. § 1395nn), which does not require proof of intent.
- Identity theft and PHI misuse: Using stolen PHI (names, dates of birth, insurance identifiers) to submit fraudulent claims. Because this is an impermissible use or disclosure of PHI, it is presumed to be a breach under the Breach Notification Rule (45 CFR §§ 164.400-414) unless a documented risk assessment shows a low probability that the PHI has been compromised.
- False certifications: Falsely certifying that a patient meets eligibility criteria for services such as home health care or durable medical equipment.
- Double billing: Submitting duplicate claims for the same service rendered to the same patient on the same date.
Examples of Waste in Healthcare Operations
- Ordering unnecessary diagnostic tests: Performing tests without clinical justification, driven by defensive medicine or habit rather than patient need.
- Overprescribing medications: Prescribing brand-name drugs when generics are equally effective, or prescribing beyond clinical necessity.
- Inefficient administrative processes: Failing to implement electronic claims processing, resulting in excessive manual errors and resubmissions.
- Excessive lengths of stay: Keeping patients in inpatient settings beyond what is medically necessary without proper utilization review.
Examples of Abuse in Healthcare
- Billing for services not medically necessary: Providing and billing for treatments that don't align with accepted clinical standards for the patient's condition.
- Misusing billing codes: Consistently using incorrect codes — not through intentional fraud, but through negligent disregard for proper coding standards.
- Charging excessively for services: Setting fees substantially above the prevailing rate for comparable services without justification.
- Violating the minimum necessary standard: Disclosing more PHI than necessary for billing or claims purposes, which constitutes both a HIPAA violation and a potential abuse indicator under 45 CFR § 164.502(b).
Where HIPAA Intersects with Fraud Waste and Abuse Prevention
Healthcare organizations consistently underestimate how deeply HIPAA compliance connects to FWA prevention. The Privacy Rule's minimum necessary standard exists precisely to limit PHI access, and when that standard breaks down, fraud becomes easier to commit and harder to detect.
Consider a workforce member with unrestricted access to patient records. That access creates the opportunity for phantom billing, identity theft, and improper claims submission. Your Security Rule risk analysis under 45 CFR § 164.308(a)(1)(ii)(A) should identify these access vulnerabilities, and the information system activity review required by § 164.308(a)(1)(ii)(D), backed by the audit controls of § 164.312(b), is what lets you see the misuse when it happens.
OCR resolution agreements repeatedly cite missing risk analyses, unrestricted record access, and absent or unreviewed audit logs. Organizations with those gaps are more vulnerable to both HIPAA violations and fraud schemes; the two risks compound each other.
Building a Compliance Program That Addresses the Full List of Fraud Waste and Abuse
The OIG's Seven Elements of an Effective Compliance Program aren't optional suggestions — they're the framework that federal regulators use to evaluate whether your organization took reasonable steps to prevent FWA. Here's how to operationalize them:
Written policies and procedures: Your compliance manual must include a comprehensive list of fraud waste and abuse scenarios specific to your organization's services. Generic policies won't satisfy regulators.
Designated compliance officer: This individual must have direct reporting authority and independence from operational leadership. Burying compliance under revenue cycle management creates conflicts of interest.
Workforce training: Every member of your workforce — not just billing staff — needs training on recognizing and reporting FWA. HIPAA requires training under 45 CFR § 164.530(b), and effective HIPAA training and certification programs integrate FWA awareness into their curriculum because the two areas are inseparable.
Internal monitoring and auditing: Conduct regular claims audits, access log reviews, and coding accuracy assessments. Waiting for an external audit or OIG investigation is not a compliance strategy.
Reporting mechanisms: Establish anonymous reporting channels. Workforce members who witness potential fraud or abuse of PHI need a clear, protected path to report it without fear of retaliation.
Enforced disciplinary standards: Publish the consequences for violations and apply them consistently, up to and including termination and referral to authorities. A policy that is never enforced is evidence against you, not for you.
Prompt response and corrective action: When monitoring or a report surfaces a problem, investigate, stop the conduct, return any overpayment, and fix the control that allowed it. Together with the five elements above, these make up OIG's seven.
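The access-log review and claims audits described above (in the section on where HIPAA intersects with FWA prevention and under internal monitoring and auditing) look like the following in practice. This is an added example, not code from the original article or from any vendor's audit product. It runs over constructed claim records and EHR audit-log lines; the identifiers, the pipe-delimited log layout, the seven-day claim window and the bulk-access threshold are all assumptions, and claims are used as a stand-in for a treatment relationship where a real review would use encounter or scheduling data.

```python
"""Claims and EHR access-log review (added example; all data constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed claim records: (claim_id, provider, patient, procedure_code, service_date)
CLAIMS = [
    ("C1001", "DR-A", "P-100", "99213", "2024-03-01"),
    ("C1002", "DR-A", "P-100", "99213", "2024-03-01"),  # duplicate of C1001 (double billing)
    ("C1003", "DR-A", "P-101", "99214", "2024-03-01"),
    ("C1004", "DR-B", "P-102", "99213", "2024-03-02"),
    ("C1005", "DR-B", "P-103", "80053", "2024-03-02"),
]

# Constructed EHR audit-log lines (timestamp|user|patient|action); not in time order,
# and one malformed line, as real exports tend to be.
ACCESS_LOG = """\
2024-03-01T09:12:03|nurse.j|P-100|VIEW
2024-03-01T09:40:55|coder.k|P-100|VIEW
2024-03-01T10:02:11|coder.k|P-101|VIEW
2024-03-02T22:15:40|coder.k|P-250|VIEW
2024-03-02T22:16:09|coder.k|P-251|VIEW
2024-03-02T22:16:31|coder.k|P-252|VIEW
2024-03-02T08:30:00|nurse.j|P-102|VIEW
2024-03-02T08:31:00|nurse.j|P-102
"""


def find_duplicate_claims(claims):
    """Double-billing signal: more than one claim for the same patient, procedure
    code and date of service. Returns sorted (patient, code, date, [claim ids])."""
    groups = defaultdict(list)
    for claim_id, _provider, patient, code, date in claims:
        groups[(patient, code, date)].append(claim_id)
    return sorted(
        (patient, code, date, sorted(ids))
        for (patient, code, date), ids in groups.items()
        if len(ids) > 1
    )


def parse_access_log(text):
    """Parse the constructed pipe-delimited lines into dicts with a datetime.
    Malformed lines are skipped so one bad export row does not abort the review."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, user, patient, action = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        entries.append({"when": when, "user": user, "patient": patient, "action": action})
    return entries


def find_access_without_claim(entries, claims, window_days=7):
    """Minimum-necessary signal: record views for patients with no claim within
    +/- window_days of the access. Claims approximate a treatment relationship."""
    dates_by_patient = defaultdict(list)
    for _cid, _prov, patient, _code, date in claims:
        dates_by_patient[patient].append(datetime.fromisoformat(date))
    window = timedelta(days=window_days)
    flagged = []
    for e in entries:
        if e["action"] != "VIEW":
            continue
        nearby = dates_by_patient.get(e["patient"], [])
        if not any(abs(e["when"] - d) <= window for d in nearby):
            flagged.append((e["user"], e["patient"], e["when"].isoformat()))
    return flagged


def find_bulk_access(entries, threshold=3, window_minutes=5):
    """Record-harvesting signal: a user viewing at least `threshold` distinct
    patients within a sliding window. One hit per user, at the first window that trips."""
    by_user = defaultdict(list)
    for e in entries:
        if e["action"] == "VIEW":
            by_user[e["user"]].append(e)
    window = timedelta(minutes=window_minutes)
    flagged = []
    for user, views in by_user.items():
        views.sort(key=lambda v: v["when"])  # log order is not guaranteed
        for i, start in enumerate(views):
            patients = {v["patient"] for v in views[i:] if v["when"] - start["when"] <= window}
            if len(patients) >= threshold:
                flagged.append((user, start["when"].isoformat(), len(patients)))
                break
    return flagged


def run_review(claims=CLAIMS, log_text=ACCESS_LOG):
    """Run all three checks and return the findings for the audit file."""
    entries = parse_access_log(log_text)
    return {
        "duplicate_claims": find_duplicate_claims(claims),
        "access_without_claim": find_access_without_claim(entries, claims),
        "bulk_access": find_bulk_access(entries),
    }


if __name__ == "__main__":
    for check, findings in run_review().items():
        print(f"{check}: {findings}")
```

On the constructed data the review flags the duplicate claim pair for P-100, three after-hours views by coder.k of patients who have no claim on file, and the same user's three-patient burst inside one minute. Each finding is a lead for the compliance officer to investigate, not a conclusion; tune the window and threshold to your own volumes and keep the review output as part of the documented information system activity review.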
Reporting Suspected Fraud Waste and Abuse
Suspected fraud should be reported to the HHS OIG hotline, CMS, or your state's Medicaid Fraud Control Unit, depending on the payer involved. Keeping the money is where the liability bites: identified Medicare and Medicaid overpayments must be reported and returned within 60 days of identifying them (42 U.S.C. § 1320a-7k(d)), and knowingly retaining them is a "reverse false claim" under the False Claims Act, exposing the organization to treble damages plus per-claim penalties that were set at $13,508 to $27,018 under the 2023 inflation adjustment (the amounts are adjusted annually).
For HIPAA-specific violations, such as PHI being used in fraudulent billing, the covered entity must also evaluate whether a breach has occurred under the Breach Notification Rule. An impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised (45 CFR § 164.402). If it is a breach, affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery; HHS must be notified within the same 60 days when 500 or more individuals are affected (smaller breaches are logged and reported annually); and prominent media outlets must be notified when more than 500 residents of a state or jurisdiction are affected.
Workforce Training Is Your First Line of Defense
In my work with covered entities and business associates, the organizations that catch FWA early are invariably the ones that invest in continuous workforce education. Annual checkbox training doesn't cut it. Your team needs scenario-based training that walks through the specific list of fraud, waste and abuse schemes relevant to their roles, from front desk staff handling patient registration to coders submitting claims.
A robust workforce HIPAA compliance program ensures that every team member understands not only how to protect PHI, but how improper PHI handling enables the fraud and abuse schemes that put your entire organization at risk.
Regulators aren't slowing down. Neither should your compliance efforts.