HIPAA, PHI and Fraud

Health Insurance Portability and Accountability Act (HIPAA) and Privacy Laws

HIPAA Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. 

The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.  Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). 

Steps to avoid HIPAA Violations:

  • Know and follow company HIPAA and Privacy policies and procedures.
  • Do not discuss anyone’s protected health information (PHI) with fellow employees unless it is for the purposes of treatment, payment or healthcare operations.
  • Do not share anyone’s PHI with family or friends.
  • Do not leave PHI unattended or allow it to be visible to visitors.
  • Confirm you are following company policy before sending PHI in an email or by fax to anyone inside or outside the agency.

 Fraudulent conduct in regards to billing includes:

  • Billing for items or services not rendered or medically unnecessary
  • Billing for services at a higher level then what was provided
  • Billing for more time than is actually spent on the service
  • Billing for services that were performed by an improperly supervised, unqualified, or unlicensed employee
  • Billing for services that were performed by an employee who has been excluded from participation in federal healthcare programs
  • Billing separately for services already included in a global fee
  • Billing for services covered by a third party payer
  • Charging excessively for services or supplies
  • Failing to identify and refund credit balances
  • Filing false cost reports

Even if you are not directly involved in billing, you must keep in mind that your actions may support your organization’s ability to submit claims for payment. If you document something that you did not do, then the claim that your organization submits for care that was not rendered is fraudulent. Documentation must support the claims submitted for payment.