Chapter 7: Privacy and Fraud Laws in Healthcare

Introduction
- 7.1 List the U.S. Constitutional amendments and privacy laws that pertain to healthcare.
- 7.2 Briefly outline the responsibilities of healthcare practitioners concerning privacy, confidentiality, and privileged information.
- 7.3 Distinguish between HIPAA’s Privacy and Security Rules.
- 7.4 Describe the federal laws that cover fraud and abuse within the healthcare business environment.
This chapter explains the legal and ethical foundations of privacy in U.S. healthcare, clarifies the differences between HIPAA’s Privacy and Security Rules, summarizes related federal privacy statutes, and outlines major fraud and abuse laws. Practical guidance is included for protecting information in day-to-day practice and complying with breach notification requirements.
1. Constitutional & Legal Foundations of Privacy
The Right to Privacy and the U.S. Constitution in Healthcare
The right to privacy is fundamental in American law and highly relevant to healthcare, though it is not explicitly stated in the U.S. Constitution. Courts have interpreted several amendments to protect personal autonomy and informational privacy in clinical contexts.
Constitutional Foundations of Privacy
| Amendment | Relevance to Privacy |
|---|---|
| 1st Amendment | Protects freedoms of speech, religion, and association; supports personal autonomy in decisions, including medical. |
| 3rd Amendment | Prohibits forced quartering of soldiers; supports privacy in one’s home. |
| 4th Amendment | Guards against unreasonable searches and seizures; critical to protecting medical records and personal data. |
| 5th & 14th Amendments | Due process and equal protection; support individual decision-making about health, family, and bodily integrity. |
Key Court Cases on Privacy
| Case | Holding/Impact |
|---|---|
| Griswold v. Connecticut (1965) | Recognized a “zone of privacy” implied by the Bill of Rights; struck down a contraception ban for married couples. |
| Roe v. Wade (1973) (partially overturned in 2022) | Grounded reproductive decision-making in privacy doctrine. |
| Whalen v. Roe (1977) | Upheld state collection of prescription data but acknowledged a limited right to informational privacy. |
Healthcare Implications
- Supports patient decisions (e.g., reproductive care, end-of-life choices).
- Underpins laws safeguarding health information (e.g., HIPAA).
- Balances autonomy with public health and safety needs.
2. HIPAA Privacy Rule
Overview
Effective: April 14, 2003
Regulator: HHS Office for Civil Rights (OCR)
The HIPAA Privacy Rule protects individuals’ protected health information (PHI) while allowing information flow needed for high-quality care and public health. It applies to covered entities (providers, health plans, clearinghouses) and their business associates.
What the Privacy Rule Covers
- PHI in any form: oral, paper, electronic.
- Examples of PHI: identifiers (name, address, DOB, SSN), diagnoses, test results, billing details.
Patient Rights
- Access to inspect and obtain copies of records.
- Amend inaccurate information.
- Request restrictions on uses/disclosures.
- Confidential communications (alternate address/phone).
- Accounting of disclosures (disclosures made for purposes other than treatment, payment, or healthcare operations, i.e., non-TPO).
Permitted Uses & Disclosures Without Authorization (Minimum Necessary Applies)
- Treatment: Sharing PHI among providers to coordinate care. Example: PCP sends records to a cardiologist for continuity of care.
- Payment: Claims, benefits verification, coverage determinations.
- Healthcare Operations: Quality assessment, training, credentialing, audits, compliance.
- Required by Law: Court orders, mandated reporting (e.g., child abuse).
- Public Health Activities: Report communicable diseases, adverse events to FDA.
- Law Enforcement/Judicial Proceedings: Disclosures under specific conditions or valid orders.
Other uses (e.g., most marketing, research without waiver) require written authorization.
Notice of Privacy Practices (NPP)
| Requirement | Details |
|---|---|
| Who provides | Covered entities; ensure business associates follow privacy practices. |
| When provided | At first service; upon request; posted in facility and on website (if applicable). |
| Content | Patient rights; permitted uses/disclosures; provider duties; breach notification; complaint process; privacy contact. |
| Acknowledgment | Good-faith effort to obtain written acknowledgment of receipt. |
| Revisions | Update and redistribute when practices change materially. |
3. HIPAA Security Rule & Breach Notification
HIPAA Security Rule
Effective: April 20, 2005
Scope: Electronic PHI (ePHI) only
Sets standards to ensure the confidentiality, integrity, and availability of ePHI through administrative, physical, and technical safeguards.
| Safeguard | Examples |
|---|---|
| Administrative | Risk analysis; workforce training; sanction policies; contingency plans. |
| Physical | Facility access controls; secure workstations; device/media controls; disposal. |
| Technical | Unique user IDs; access controls; encryption; audit logs; secure transmission. |
What Happens If There Is a HIPAA Breach?
HHS OCR enforces HIPAA, with increased focus on entities non-compliant with risk analysis. The Breach Notification Rule (HITECH, 2009) requires notifications when unsecured PHI is compromised.
HIPAA Breach Notification Rule
| Topic | Key Points |
|---|---|
| Definition | Impermissible use/disclosure of unsecured PHI presumed to be a breach unless a risk assessment shows low probability of compromise. |
| Risk Assessment | Nature/extent of PHI; who used/received it; whether it was actually acquired/viewed; mitigation extent. |
| Unsecured PHI | Not encrypted or otherwise rendered unusable, unreadable, or indecipherable. |
Notification Requirements
- Individuals: Written notice without unreasonable delay, no later than 60 days; include what happened, data involved, steps to take, mitigation, and contact info.
- HHS/OCR: Fewer than 500 individuals—annual report; 500 or more—within 60 days.
- Media: Required if 500+ individuals in the same jurisdiction are affected; notify prominent media within 60 days.
- Business Associates: Must notify the covered entity without unreasonable delay and no later than 60 days.
- Penalties: Significant civil monetary penalties; criminal charges possible for willful misuse.
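The breach-notification decision above is easy to get wrong under time pressure, so the following added example (not part of the chapter) encodes it as a small decision aid. It takes the facts of an incident, including the outcome of the four-factor risk assessment, which the chapter lists but does not score, so the conclusion is recorded as a documented judgment rather than computed, and returns which notices the Rule requires and on what deadline. Jurisdiction names, counts, and the `BreachFacts`/`RiskAssessment` types are constructed for the example.

```python
"""Decision aid for the HIPAA Breach Notification Rule (added example, not chapter code)."""
from dataclasses import dataclass, field

MEDIA_THRESHOLD = 500          # 500+ affected in one jurisdiction triggers media notice
HHS_IMMEDIATE_THRESHOLD = 500  # 500+ total: HHS notified within 60 days, not annually
DEADLINE = "without unreasonable delay, no later than 60 days after discovery"


@dataclass
class RiskAssessment:
    """The four factors the chapter lists. The conclusion is a documented judgment,
    not a score computed from the factors (the Rule gives no formula)."""
    nature_and_extent_of_phi: str
    unauthorized_recipient: str
    actually_acquired_or_viewed: bool
    extent_mitigated: str
    low_probability_of_compromise: bool


@dataclass
class BreachFacts:
    phi_secured: bool                  # encrypted or otherwise rendered unusable/unreadable
    assessment: RiskAssessment
    affected_by_jurisdiction: dict = field(default_factory=dict)  # constructed: name -> count
    discovered_by_business_associate: bool = False


def total_affected(facts: BreachFacts) -> int:
    return sum(facts.affected_by_jurisdiction.values())


def required_notifications(facts: BreachFacts) -> dict:
    """Return the notices owed, keyed by recipient, each with its deadline text.
    An empty dict means the incident is not a reportable breach under the Rule."""
    notices = {}
    if facts.phi_secured:
        return notices  # secured PHI: notification duties do not attach
    if facts.assessment.low_probability_of_compromise:
        return notices  # risk assessment rebuts the presumption of breach

    if facts.discovered_by_business_associate:
        # The BA owes notice to the covered entity, which then notifies downstream.
        notices["covered_entity"] = DEADLINE

    notices["individuals"] = "written notice " + DEADLINE
    if total_affected(facts) >= HHS_IMMEDIATE_THRESHOLD:
        notices["hhs"] = DEADLINE
    else:
        notices["hhs"] = "annual report to HHS"

    media = [j for j, n in facts.affected_by_jurisdiction.items() if n >= MEDIA_THRESHOLD]
    if media:
        notices["media"] = {"jurisdictions": media, "deadline": DEADLINE}
    return notices


if __name__ == "__main__":
    # Constructed incident: a lost unencrypted laptop, records viewed, 1,200 people in two states.
    assessment = RiskAssessment("names, DOB, diagnoses", "unknown third party",
                                actually_acquired_or_viewed=True, extent_mitigated="none",
                                low_probability_of_compromise=False)
    incident = BreachFacts(phi_secured=False, assessment=assessment,
                           affected_by_jurisdiction={"State A": 900, "State B": 300})
    for recipient, deadline in required_notifications(incident).items():
        print(f"{recipient}: {deadline}")
```

The two early returns are the point of the example: encrypting PHI at rest (the "secured" path) takes an incident out of the notification regime entirely, which is why the Security Rule's encryption safeguard is also the cheapest breach-response control.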
4. Federal Privacy Laws: Landscape & Roles
HIPAA & HITECH
- HIPAA (1996): Privacy Rule, Security Rule, and (with HITECH) Breach Notification.
- HITECH (2009): Encouraged EHR adoption; strengthened enforcement; expanded breach reporting.
42 CFR Part 2 (Confidentiality of SUD Records)
Provides stricter protections for federally assisted substance use disorder programs than HIPAA.
| Situation | Allowed? | Conditions |
|---|---|---|
| Patient consent | Yes | Detailed, specific consent required. |
| Medical emergency | Yes | Only information necessary to address the emergency. |
| Court order | Yes | Must meet Part 2 criteria; ordinary subpoenas insufficient. |
| Research/audit | Yes | De-identified or approved with safeguards. |
FERPA (Family Educational Rights and Privacy Act) – 1974
Protects student education records, including school-based health records. Where FERPA applies, HIPAA usually does not for those records.
GINA (Genetic Information Nondiscrimination Act) – 2008
Prohibits use of genetic information in health insurance and employment decisions; insurers and employers generally cannot request or use genetic test results for coverage or employment decisions.
5. Privacy, Confidentiality, and Privileged Communication in Practice
Core Concepts
| Concept | Definition | Who It Protects | Who Has the Duty | Legal Basis |
|---|---|---|---|---|
| Privacy | The right to keep personal health information and bodily integrity free from intrusion. | Patients | Society & institutions | Constitution, HIPAA, other statutes |
| Confidentiality | The provider’s duty to safeguard information shared in the course of care. | Patients’ information | Healthcare professionals | HIPAA, professional ethics |
| Privileged Communication | Legal protection for certain confidential communications from disclosure in court without patient consent. | Patients (against compelled disclosure in legal proceedings) | Providers when subpoenaed/testifying | State & federal law (varies) |
Examples
- Privacy: A patient declines to disclose sensitive information during an exam.
- Confidentiality: A nurse discusses a patient’s condition only with the treating team.
- Privileged Communication: A physician cannot be compelled to reveal certain therapy notes unless privilege is waived or a valid exception applies.
Maintaining Confidentiality: Electronic Devices & Office Equipment
Computer & EHR Use
- Lock screens; enable automatic timeouts.
- Use strong, unique passwords; never share credentials.
- Access only the minimum necessary information.
Mobile Devices
- Encrypt devices; enable remote wipe.
- Use only HIPAA-compliant messaging for PHI.
- Do not leave devices unattended.
Printers, Copiers, Fax
- Retrieve printouts immediately; verify recipients.
- Place devices in restricted areas; use secure fax lines; confirm numbers.
- Shred misprints or unwanted PHI.
Scanners & Storage
- Use secure, encrypted drives; authorized software only.
- Avoid unapproved cloud services and removable media for PHI.
Avoid Common Pitfalls
- Do not discuss PHI near voice assistants or smart speakers.
- Never post screens showing PHI to social media.
- Do not use personal devices for work unless authorized and secured.
Best Practices
- Follow organizational policies; complete HIPAA/cybersecurity training.
- Report lost devices or suspected breaches immediately.
- Maintain constant awareness—confidentiality is everyone’s responsibility.
6. Fraud & Abuse: Laws, Controls, and Enforcement
Fraud vs. Abuse
| Term | Definition | Examples |
|---|---|---|
| Healthcare Fraud | Intentional deception or misrepresentation to obtain unauthorized benefits. | Phantom billing; upcoding; falsifying diagnoses; kickbacks. |
| Healthcare Abuse | Improper practices that result in unnecessary costs; not necessarily intentional deception. | Overutilization; billing non-covered services as covered; services that are not medically necessary. |
Controls & Strategies to Prevent Fraud and Abuse
- Compliance Programs: Written policies; training; compliance officer.
- Internal Audits: Review billing/coding; use analytics to detect outliers.
- Reporting Systems: Anonymous hotlines; whistleblower protections.
- Credentialing & Monitoring: Verify qualifications; monitor utilization patterns.
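The internal-audit control above ("use analytics to detect outliers") is concrete enough to show in code. The following is an added example, not the chapter's or any program's own tooling: it runs two simple audit checks over a constructed claim set, flagging exact duplicate claims (same patient, date of service, and code) and providers whose share of the highest-complexity visit code is a statistical outlier relative to their peers, which is the pattern an auditor would review for upcoding. Provider IDs, patient IDs, and the visit-level codes `VISIT_L3`/`VISIT_L5` are constructed placeholders, not real billing codes.

```python
"""Billing-audit analytics: duplicate claims and upcoding outliers (added example)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed placeholder for "the most complex visit level"; not a real billing code.
HIGH_LEVEL_CODES = {"VISIT_L5"}


def build_sample_claims():
    """Constructed sample: six providers, ten visits each. P1-P5 bill one high-level
    visit in ten; P6 bills every visit at the highest level. One claim is resubmitted.
    Each claim is (claim_id, provider, patient, service_date, code)."""
    claims, cid = [], 1
    for i, provider in enumerate(["P1", "P2", "P3", "P4", "P5", "P6"]):
        for k in range(10):
            high = True if provider == "P6" else (k == 0)
            code = "VISIT_L5" if high else "VISIT_L3"
            claims.append((f"C{cid}", provider, f"PT{i}{k}", "2024-03-01", code))
            cid += 1
    # Duplicate submission of C1 (same patient, date, and code) under a new claim id.
    claims.append((f"C{cid}", "P1", "PT00", "2024-03-01", "VISIT_L5"))
    return claims


def duplicate_claims(claims):
    """Group claim ids that bill the same patient, service date, and code more than once."""
    groups = defaultdict(list)
    for claim_id, _provider, patient, date, code in claims:
        groups[(patient, date, code)].append(claim_id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def high_level_rate(claims):
    """Share of each provider's claims billed at a high-complexity code."""
    per_provider = defaultdict(Counter)
    for _claim_id, provider, _patient, _date, code in claims:
        per_provider[provider]["total"] += 1
        if code in HIGH_LEVEL_CODES:
            per_provider[provider]["high"] += 1
    return {p: c["high"] / c["total"] for p, c in per_provider.items()}


def upcoding_outliers(claims, z_threshold=2.0):
    """Providers whose high-level rate exceeds the peer mean by more than z_threshold
    population standard deviations. Returns {provider: z_score}."""
    rates = high_level_rate(claims)
    values = list(rates.values())
    mu, sd = mean(values), pstdev(values)
    if sd == 0:
        return {}  # every provider codes alike; nothing stands out
    return {p: round((r - mu) / sd, 2) for p, r in rates.items() if (r - mu) / sd > z_threshold}


if __name__ == "__main__":
    sample = build_sample_claims()
    print("duplicates:", duplicate_claims(sample))
    print("upcoding outliers:", upcoding_outliers(sample))
```

These checks produce leads, not findings: a high rate can be legitimate for a specialist with a sicker panel, which is why the chapter pairs analytics with chart review rather than treating the statistic as proof of fraud.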
Key Federal Laws
False Claims Act (FCA)
Imposes liability for knowingly submitting false or fraudulent claims to the U.S. government (e.g., Medicare/Medicaid/TRICARE).
- Examples: Billing for services not provided; duplicate claims; upcoding; falsifying diagnoses; disguising kickbacks.
- Knowledge Standard: Actual knowledge, deliberate ignorance, or reckless disregard.
- Qui Tam: Whistleblowers (relators) may sue on the government’s behalf and receive 15–30% of recoveries; anti-retaliation protections apply.
- Penalties: Civil penalties per claim (adjusted annually) and treble damages.
Anti-Kickback Statute (AKS)
Criminal law prohibiting offering, paying, soliciting, or receiving anything of value to induce referrals for items/services reimbursable by federal healthcare programs.
- Examples: Paying for referrals; bonuses tied to Medicare admissions; free equipment in exchange for test orders.
- Safe Harbors: Personal services, space/equipment rentals, certain investments/discounts, managed-care arrangements (must meet strict criteria).
- Penalties: Criminal fines, imprisonment, exclusion from federal programs; civil monetary penalties.
Stark Law (Physician Self-Referral)
Prohibits physicians from referring Medicare/Medicaid patients for designated health services (DHS) to an entity with which the physician or an immediate family member has a financial relationship, unless an exception applies.
- DHS Examples: Clinical lab, imaging, PT/OT, home health, DME, hospital services.
- Exceptions: In-office ancillary services; publicly traded companies; fair-market-value compensation; written space/equipment rental.
- Penalties: Denial/repayment of claims, civil fines, possible FCA liability, exclusion.
Criminal Health Care Fraud Statute (18 U.S.C. § 1347)
Makes it a felony to knowingly and willfully defraud any healthcare benefit program or obtain money/property by false or fraudulent means.
- Examples: Billing for services not rendered; falsifying records; upcoding/unbundling; creating fake patients/claims; bribes for referrals.
- Penalties: Up to 10 years per violation; up to 20 years if serious bodily injury results; life if death results; fines and restitution.
Who It Applies To
- Anyone involved in healthcare: physicians, nurses, billing staff, executives, vendors, and others.
- Applies to both government and private healthcare benefit programs.
Key Differences from Civil Fraud Laws
| Criminal Statute | Civil Laws (e.g., False Claims Act) |
|---|---|
| Requires intentional and willful deception. | Can include reckless or negligent behavior. |
| Prosecuted criminally by DOJ; potential imprisonment. | Civil lawsuits or administrative penalties. |
| Prison time possible; criminal fines; restitution. | Fines, treble damages, exclusion from programs. |
Adapted from Oregon Health & Science University, funded by the U.S. Department of Health and Human Services