Chapter 7: Privacy and Fraud Laws in Healthcare
🛡️ The Right to Privacy and the U.S. Constitution in Healthcare
The right to privacy is a fundamental concept in American law, especially in healthcare, though it is not explicitly stated in the U.S. Constitution. Instead, it has been interpreted and upheld through several constitutional amendments and key Supreme Court rulings.
📜 Constitutional Foundations of Privacy:
While not directly written, the right to privacy has been derived from the following amendments:
🔹 1st Amendment
Protects freedoms of speech, religion, and association.
Implies personal autonomy in making decisions (e.g., medical, spiritual).
🔹 3rd Amendment
Prohibits forced quartering of soldiers.
Supports the idea of privacy in one’s home.
🔹 4th Amendment
Guards against unreasonable searches and seizures.
Crucial for protecting medical records and personal data from unwarranted intrusion.
🔹 5th & 14th Amendments
Ensure due process and equal protection under the law.
Support the individual’s right to make personal decisions about health, family, and body.
⚖️ Key Court Cases on Privacy:
🏛️ Griswold v. Connecticut (1965)
Struck down a law banning contraception for married couples.
Recognized a “zone of privacy” implied by the Bill of Rights.
🏛️ Roe v. Wade (1973) (partially overturned in 2022)
Based decision on the right to privacy regarding reproductive choices.
🏛️ Whalen v. Roe (1977)
Upheld state collection of prescription data but acknowledged a limited right to informational privacy.
🏥 Implications in Healthcare:
Protects patient decisions (e.g., reproductive care, end-of-life choices).
Underpins laws like HIPAA to secure health information.
Balances patient autonomy with public health and safety needs.
Introduction to Privacy, Security and Fraud Laws
🛡️ 1. Privacy Laws in Healthcare
Privacy laws protect patients’ personal health information (PHI) and ensure confidentiality.
🔐 HIPAA (Health Insurance Portability and Accountability Act of 1996)
Sets national standards for protecting PHI.
Applies to healthcare providers, insurers, and clearinghouses.
Patients have rights to access, amend, and request restrictions on their medical records.
🔍 Key HIPAA Privacy Rules
Only the minimum necessary information should be disclosed.
PHI can only be shared with patient consent or for treatment, payment, or healthcare operations.
🔒 2. Security Laws in Healthcare
Security laws focus on protecting electronic PHI (ePHI) from breaches or unauthorized access.
🧩 HIPAA Security Rule
Covers how ePHI is stored, accessed, and transmitted.
Requires administrative, physical, and technical safeguards:
Administrative: Policies, training, risk analysis.
Physical: Facility access controls, workstation security.
Technical: Passwords, encryption, audit controls.
💥 HITECH Act (2009)
Promotes the use of electronic health records (EHRs).
Strengthens HIPAA by increasing penalties and breach reporting requirements.
🚨 3. Healthcare Fraud and Abuse Laws
These laws target intentional deception or misuse of healthcare programs for profit.
💸 False Claims Act (FCA)
Prohibits submitting false or fraudulent claims to government health programs.
Includes whistleblower (qui tam) provisions.
🔁 Anti-Kickback Statute
Prohibits offering or receiving anything of value for referrals of services covered by federal healthcare programs.
⚖️ Stark Law
Bans physician self-referrals for Medicare/Medicaid patients if the physician has a financial interest in the referred entity.
❗ Examples of Fraud:
Billing for services not provided.
Upcoding or unbundling.
Accepting bribes or kickbacks.
🛡️ Federal Privacy Laws in Healthcare
These laws protect patients’ medical information and regulate how it can be used and disclosed.
🔐 1. HIPAA (Health Insurance Portability and Accountability Act) – 1996
Purpose: Protects protected health information (PHI) and gives patients rights over their data.
Key Provisions:
Privacy Rule: Limits who can access and share PHI.
Security Rule: Sets standards for securing electronic PHI (ePHI).
Breach Notification Rule: Requires notification if PHI is compromised.
Covered Entities:
Health providers
Health plans
Healthcare clearinghouses
Business associates
💻 2. HITECH Act (Health Information Technology for Economic and Clinical Health) – 2009
Purpose: Encourages the use of electronic health records (EHRs) and strengthens HIPAA.
Key Provisions:
Increases penalties for privacy violations.
Expands breach notification requirements.
Requires encryption and secure sharing of EHRs.
⚖️ 3. 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records)
Purpose: Provides stricter privacy protections for patients receiving substance use disorder (SUD) treatment.
Key Provisions:
Requires patient consent to release SUD treatment information.
Protects records from being used in criminal proceedings.
🧒 4. FERPA (Family Educational Rights and Privacy Act) – 1974
Purpose: Applies to student education records, including school-based health services.
Key Point:
Sometimes overlaps with HIPAA, but HIPAA does not apply to schools that receive federal funding.
📲 5. Genetic Information Nondiscrimination Act (GINA) – 2008
Purpose: Prohibits the use of genetic information in health insurance and employment decisions.
Key Point:
Health insurers and employers can’t request or use genetic test results to make coverage or job decisions.
Privacy, Communication and Privileged Communication in Healthcare
🛡️ 1. Privacy
Definition:
The right of individuals to keep their personal health information (PHI) and bodily integrity protected from intrusion.
Key Points:
Rooted in constitutional and common law.
Patients have the right to make decisions about their care and who accesses their information.
Protected by laws like HIPAA, GINA, and the Privacy Act.
Example: A patient refuses to disclose certain information during a physical exam—this is exercising their right to privacy.
🔒 2. Confidentiality
Definition:
The duty of healthcare professionals to protect patient information that has been shared with them in the course of care.
Key Points:
Applies to all forms of health information (spoken, written, electronic).
Violations can lead to legal action or professional discipline.
Covered under HIPAA and professional codes of ethics.
Example: A nurse discussing a patient’s condition only with the treating team and not with others in the hallway.
⚖️ 3. Privileged Communication
Definition:
A legal concept that protects certain confidential communications from being disclosed in court without the patient’s consent.
Key Points:
Applies to physician-patient, therapist-client, and similar relationships.
Can be waived by the patient or overridden by court order in certain cases (e.g., abuse, public safety threats).
Varies by state law.
Example: A doctor cannot be forced to testify about a patient’s mental health in court unless privilege is waived.
✅ Summary Table
Concept | Who It Protects | Who Has the Duty | Legal Basis
Privacy | Patient’s rights | Society & institutions | Constitution, HIPAA
Confidentiality | Patient’s information | Healthcare providers | HIPAA, ethics codes
Privileged Communication | Legal testimony rights | Healthcare providers in court | State & federal law
🔐 Maintaining Confidentiality: Electronic Devices & Office Equipment
Confidentiality breaches can easily happen if healthcare staff are careless with technology. Below are key strategies to protect patient information:
💻 1. Computer & EHR Use
Log off or lock screens when leaving a workstation.
Use unique, strong passwords and change them regularly.
Enable automatic screen locks and session timeouts.
Access only the minimum necessary information for your task.
Never share login credentials.
📱 2. Mobile Devices (Phones, Tablets, Laptops)
Encrypt all devices that access PHI.
Use remote wipe capabilities in case of loss or theft.
Avoid texting PHI unless using a HIPAA-compliant messaging app.
Never leave devices unattended in public areas.
🖨️ 3. Printers, Copiers, and Fax Machines
Retrieve printouts immediately and verify recipients.
Place devices in restricted-access areas.
Use secure fax lines and confirm numbers before sending.
Shred misprints or unwanted documents containing PHI.
📂 4. Scanners and External Storage
Save documents only on secure, encrypted drives.
Avoid storing PHI on USBs or unapproved cloud services.
Use only authorized scanning software that complies with HIPAA.
🛑 5. Avoid Common Pitfalls
Don’t discuss patient info near voice assistants or smart speakers.
Don’t post or share screens or devices showing PHI on social media.
Don’t use personal devices for work unless authorized and secured.
✅ Best Practices
Follow your organization’s privacy and security policies.
Report lost devices or potential breaches immediately.
Complete regular HIPAA and cybersecurity training.
Maintain awareness—confidentiality is everyone’s responsibility.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
🔐 HIPAA Privacy Rule
Effective Date: April 14, 2003
Regulated by: U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR)
🎯 Purpose:
To protect individuals’ medical records and other protected health information (PHI) while ensuring the flow of health data necessary for high-quality healthcare and public health operations.
📦 What It Covers:
PHI in any form: oral, paper, or electronic
Applies to:
Covered entities (healthcare providers, health plans, healthcare clearinghouses)
Business associates (vendors who handle PHI on behalf of covered entities)
🗂️ Examples of PHI Protected:
Patient name, address, birthdate, SSN
Medical diagnoses, treatment, test results
Health insurance details, billing records
⚖️ Key Patient Rights Under the Privacy Rule:
Access: Right to access and obtain a copy of their health records
Amendment: Right to request corrections to inaccurate information
Restrictions: Right to request limits on how PHI is used or shared
Confidential Communication: Right to request that PHI be sent to specific locations
Accounting of Disclosures: Right to see who has accessed their PHI
🚫 When Can PHI Be Used or Disclosed Without Consent?
Treatment, payment, and healthcare operations (TPO)
Public health reporting (e.g., disease outbreaks)
Legal requirements (e.g., court orders, law enforcement)
Abuse or neglect reporting
Organ donation or workers’ compensation
✅ Core Principles:
Minimum Necessary Standard: Only the least amount of PHI needed should be shared
Notice of Privacy Practices (NPP): Patients must be informed about their privacy rights and how their data is used
📌 Violations & Penalties:
Fines can range from $100 to $50,000 per violation, up to $1.5 million per year
Criminal charges possible in cases of willful misuse
In some circumstances, called permitted uses and disclosures, protected health information (PHI) can be used or disclosed without patient authorization:
✅ 6 Permitted Uses and Disclosures of PHI Under HIPAA
1. 🏥 Treatment
PHI can be shared among healthcare providers to coordinate and manage a patient’s care.
Example: A patient presents to their primary care doctor’s office with chest pain. The PCP refers the patient to a cardiologist for further assessment. The PCP’s office will send the patient’s medical records to the cardiologist’s office for continuity of care.
2. 💰 Payment
PHI can be disclosed to obtain reimbursement for services or to verify coverage.
Example: Submitting claims to insurance companies or confirming benefits with a health plan.
3. 🏢 Healthcare Operations
PHI can be used for internal business tasks that support healthcare delivery.
Example: Quality assessment, training, credentialing, audits, and compliance reviews.
4. ⚖️ When Required by Law
PHI may be disclosed if a law mandates it (state, federal, or court order).
Example: Reporting child abuse or complying with a subpoena.
5. 🧪 Public Health Activities
PHI can be shared to protect the public’s health and safety.
Example: Reporting communicable diseases to public health authorities or notifying the FDA of adverse drug reactions.
6. 🕵️♂️ Law Enforcement and Legal Proceedings
PHI can be disclosed to law enforcement under specific conditions, or during judicial proceedings.
Example: Providing information about a victim of a crime or complying with a court order.
🔒 Important Notes:
These uses do not require prior patient authorization, but disclosures must follow the “minimum necessary” standard.
Any other use—such as for marketing or research—does require written patient authorization.
Notice of Privacy Practices
HIPAA Privacy Rules mandate that all Covered Entities (CEs) must post and distribute a Notice of Privacy Practices (NPP):
📜 Notice of Privacy Practices (NPP)
Required By: HIPAA Privacy Rule
Purpose: To inform patients of their rights and how their protected health information (PHI) may be used or disclosed by a healthcare provider or plan.
🏥 Who Must Provide It?
Covered entities: Healthcare providers, health plans, and healthcare clearinghouses
Must also ensure business associates uphold privacy practices
📅 When Must It Be Provided?
At first service delivery (in person or electronically)
Upon request by the patient
Posted visibly in the facility and on the provider’s website (if applicable)
📋 What Must Be Included?
1. Patient Rights
Right to access, inspect, and copy PHI
Right to request amendments
Right to request restrictions on disclosures
Right to confidential communications
Right to an accounting of disclosures
Right to file a complaint
2. Provider’s Duties
Statement that the provider must:
Maintain the privacy of PHI
Follow the terms of the notice
Notify patients of any breach of unsecured PHI
3. Permitted Uses and Disclosures
Without authorization: treatment, payment, healthcare operations, public health, law enforcement, etc.
With authorization: marketing, psychotherapy notes, most sharing with third parties
4. Contact Information
How to file a complaint (internally or to the U.S. Dept. of Health & Human Services)
Contact info for the privacy officer or representative
🖊️ Acknowledgment of Receipt
Covered entities must make a good-faith effort to get written acknowledgment from the patient that they received the NPP
🔄 Revisions
The notice must be updated and redistributed whenever privacy practices change in a significant way.
🔒 HIPAA Security Rule
📅 Effective: April 20, 2005
🔎 Purpose:
Sets standards for protecting electronic protected health information (ePHI) from unauthorized access, alteration, deletion, or transmission.
🧾 What It Covers:
ePHI only (not verbal or paper).
Applies to the same covered entities and business associates.
✅ Key Safeguards:
1. Administrative Safeguards
Security management processes
Workforce training and access control
Contingency plans and risk analysis
2. Physical Safeguards
Facility access controls
Secure workstation and device use
Disposal and reuse policies for hardware
3. Technical Safeguards
Access controls (e.g., login credentials)
Encryption and secure transmission
Audit trails and activity logs
📌 Together, the Privacy and Security Rules:
Ensure confidentiality, integrity, and availability of health information.
Support patient trust and legal compliance.
Are enforced by the Office for Civil Rights (OCR) with fines for noncompliance.
What Happens if there is a HIPAA Breach?
Since 2016, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has increased its enforcement of HIPAA violations. According to The HIPAA Journal, in 2024 the OCR has been focusing its increased enforcement efforts on entities that are non-compliant with the risk analysis portion of the HIPAA Security Rule.
🚨 HIPAA Breach Notification Rule
Established by: The HITECH Act (2009)
Enforced by: U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR)
Applies to: Covered Entities (CEs) and Business Associates (BAs)
🎯 Purpose:
To ensure that patients and regulatory authorities are notified when unsecured protected health information (PHI) is accessed, used, or disclosed in a way that compromises privacy or security.
📦 What Qualifies as a Breach?
A breach is an impermissible use or disclosure of unsecured PHI that compromises its privacy or security.
A breach must be presumed unless the CE/BA can show there is a low probability of compromise, based on a risk assessment.
🔎 Risk Assessment Factors:
Nature and extent of PHI involved
Who accessed or used the PHI
Whether the PHI was actually acquired or viewed
Extent to which the risk was mitigated
🛡️ Unsecured PHI:
PHI that is not encrypted or otherwise rendered unreadable or indecipherable.
📢 Notification Requirements:
🧍♂️ 1. To Affected Individuals
Written notice within 60 calendar days of discovering the breach
Delivered by first-class mail or email (if agreed)
Must include:
What happened
What information was involved
Steps individuals should take
What the organization is doing to mitigate harm
Contact info for further questions
📋 2. To HHS
Breaches involving:
Fewer than 500 individuals: report annually
500 or more individuals: report to HHS within 60 days
📰 3. To the Media
Required if 500+ individuals in the same jurisdiction are affected
Must notify prominent media outlets within 60 days
❗ Business Associates’ Role
Must notify the covered entity of the breach without unreasonable delay and no later than 60 days
⚠️ Penalties for Noncompliance:
Up to $1.5 million per year, depending on the nature and extent of the violation
A covered entity must report a HIPAA breach to the media when the breach involves the unsecured protected health information (PHI) of 500 or more individuals in a single state or jurisdiction.
📢 Media Notification Requirements Under HIPAA:
Trigger: Breach affects ≥500 individuals in the same geographic area
Deadline: Must notify prominent media outlets serving that area within 60 calendar days of discovering the breach
Method: Via press release or public statement to the media
Purpose: To ensure affected individuals who may not be directly reachable are informed
📌 Also Required:
Notify affected individuals directly (e.g., by mail or email)
Notify the U.S. Department of Health and Human Services (HHS) via the OCR breach portal
Maintain documentation of the breach and the notifications
Healthcare Abuse and Fraud
Controlling healthcare fraud and abuse is essential to maintaining trust, reducing costs, and ensuring that healthcare programs (especially Medicare and Medicaid) are used properly. Here’s a clear breakdown:
🚨 Controlling Healthcare Fraud and Abuse
🧾 What is Healthcare Fraud?
Fraud is the intentional deception or misrepresentation that a person makes to receive unauthorized healthcare benefits.
Examples:
Billing for services not provided (“phantom billing”)
Upcoding (billing for a more expensive service than provided)
Falsifying patient diagnoses to justify procedures
Kickbacks for patient referrals
⚠️ What is Healthcare Abuse?
Abuse refers to improper behavior or practices that result in unnecessary costs to healthcare programs, but not necessarily intentional deception.
Examples:
Overusing medical services
Billing for non-covered services as covered
Providing services not medically necessary
🛡️ Key Laws to Prevent Fraud and Abuse
Law | Purpose | What It Prohibits
False Claims Act (FCA) | Holds individuals liable for knowingly submitting false claims | Fraudulent billing to Medicare/Medicaid
Anti-Kickback Statute (AKS) | Prevents financial incentives for referrals | Giving/receiving anything of value for referrals
Stark Law | Limits self-referrals | Physicians referring to entities they have a financial interest in
HIPAA | Also includes provisions for fraud enforcement | Criminal penalties for healthcare fraud
Controls and Strategies to Prevent Fraud and Abuse
✅ 1. Compliance Programs
Written policies and procedures
Training for staff
Appointing a compliance officer
✅ 2. Internal Audits
Regularly review billing, coding, and documentation
Use software to detect billing outliers or anomalies
✅ 3. Reporting Systems
Anonymous reporting hotlines
Whistleblower protections
✅ 4. Credentialing and Monitoring
Verify provider qualifications
Monitor provider behavior and service patterns
🏛️ Government Oversight Agencies
Office of Inspector General (OIG)
Centers for Medicare & Medicaid Services (CMS)
FBI and Department of Justice (DOJ) for criminal cases
💬 Why It Matters
Fraud and abuse cost billions annually
Undermines patient trust
Drains resources from those in genuine need
⚖️ Federal False Claims Act (FCA)
📜 What It Is:
The False Claims Act is a federal law that imposes liability on individuals or entities that knowingly submit false or fraudulent claims for payment to the U.S. government.
Originally enacted during the Civil War (1863) and significantly amended in 1986 to strengthen enforcement.
🏥 Why It Matters in Healthcare:
The FCA is one of the most powerful tools the government uses to combat healthcare fraud, especially involving Medicare, Medicaid, and TRICARE.
🚫 Examples of FCA Violations in Healthcare:
Billing for services not provided
Submitting duplicate claims
Upcoding (charging for more expensive services than performed)
Falsifying diagnoses to justify unnecessary tests
Kickbacks disguised as legitimate fees
🔎 Key Elements of an FCA Violation:
To violate the FCA, a person must:
Submit a claim to the government
Know that it is false or fraudulent
Act with knowledge, deliberate ignorance, or reckless disregard
👩⚖️ Whistleblower (Qui Tam) Provisions:
Private individuals (“relators”) can file lawsuits on behalf of the government.
Whistleblowers may receive 15%–30% of the recovered funds.
Protects whistleblowers from retaliation.
💸 Penalties:
Civil penalties: $13,508 to $27,018 per false claim (adjusted annually)
Treble damages: Up to 3 times the amount of the false claim
✅ Summary Table
Feature | Description
Who It Targets | Providers, vendors, billing companies, etc.
What It Prohibits | Knowingly submitting false claims to federal programs
Enforcement | Department of Justice (DOJ), often with HHS OIG
Rewards Whistleblowers | Yes (15–30% of recovered funds)
Applies to | Medicare, Medicaid, TRICARE, and other federal programs
💰 Federal Anti-Kickback Statute (AKS)
📜 What It Is:
The Anti-Kickback Statute is a criminal law that prohibits offering, soliciting, giving, or receiving anything of value to influence referrals or generate business for services reimbursed by federal healthcare programs (e.g., Medicare, Medicaid).
Enacted as part of the Social Security Amendments of 1972, strengthened by the Medicare and Medicaid Patient Protection Act of 1987.
⚠️ Why It Matters in Healthcare:
The AKS protects patients from biased medical decisions based on financial incentives rather than clinical need.
🚫 Prohibited Actions:
It is illegal to knowingly and willfully:
Offer or pay kickbacks, bribes, or rebates for referrals of patients
Solicit or receive rewards in exchange for using certain drugs, devices, or services covered by a federal program
💡 Examples of Violations:
Paying doctors for patient referrals
Hospitals rewarding staff with bonuses based on Medicare admissions
Labs giving providers free equipment in exchange for referrals
🔓 Safe Harbors (Exceptions):
Certain arrangements are allowed if they meet strict regulatory criteria, including:
Personal services agreements
Space and equipment rentals
Investment interests
Certain discounts or managed care arrangements
Providers must structure financial relationships to fit into a safe harbor to avoid penalties.
👩⚖️ Penalties for Violations:
Criminal fines up to $100,000 per violation
Up to 10 years in prison
Exclusion from federal healthcare programs
Civil penalties under the Civil Monetary Penalties Law
✅ Summary Table
Feature | Details
What It Bans | Exchange of anything of value for referrals
Applies To | Anyone (not just physicians)
Programs Covered | Medicare, Medicaid, TRICARE, etc.
Enforced By | Office of Inspector General (OIG), DOJ
Exceptions | Safe harbors under federal regulations
🏛️ Stark Law (Physician Self-Referral Law)
📜 What It Is:
The Stark Law prohibits physicians from referring Medicare or Medicaid patients to an entity for “designated health services” (DHS) if the physician or their immediate family has a financial relationship with that entity—unless an exception applies.
Named after Congressman Pete Stark, it was enacted in 1989 and expanded in later amendments.
⚠️ Purpose:
To prevent conflicts of interest and overutilization of services due to financial incentives rather than patient need.
🧾 Examples of Designated Health Services (DHS):
Clinical lab services
Imaging (e.g., MRI, CT scans)
Physical and occupational therapy
Home health services
Durable medical equipment (DME)
Inpatient and outpatient hospital services
🔒 What’s Prohibited:
A physician may not:
Refer a Medicare/Medicaid patient to a DHS provider if the physician (or family) has a financial interest in that provider
The DHS provider may not bill for services resulting from such a referral
✅ Exceptions (Safe Harbors):
Stark Law is strict but not absolute—there are numerous detailed exceptions, including:
In-office ancillary services
Ownership in publicly traded companies
Fair market value compensation arrangements
Rental of office space or equipment (with terms in writing)
💸 Penalties for Violations:
Denial of payment or required repayment of reimbursement
Civil fines up to $15,000 per prohibited service
Exclusion from Medicare and Medicaid
Potential liability under the False Claims Act
✅ Quick Reference Table
Feature | Details
Applies To | Physicians, immediate family, and DHS entities
Covers | Medicare and Medicaid referrals
Prohibits | Financially motivated self-referrals
Enforced By | Centers for Medicare & Medicaid Services (CMS)
Has Exceptions | Yes — numerous technical safe harbors
🚨 Criminal Health Care Fraud Statute
Citation: 18 U.S. Code § 1347
Enacted: As part of the Health Insurance Portability and Accountability Act (HIPAA) of 1996
📜 What It Is:
A federal criminal law that makes it a felony to knowingly and willfully:
Defraud any healthcare benefit program or obtain money/property owned by a healthcare program through false or fraudulent means.
🎯 Purpose:
To criminally prosecute individuals or organizations that intentionally cheat or deceive healthcare programs, both public (e.g., Medicare/Medicaid) and private.
🚫 Examples of Violations:
Billing for services not rendered
Falsifying medical records or diagnoses
Upcoding or unbundling procedures
Creating fake patients or claims
Accepting or offering bribes in exchange for referrals
👩⚖️ Penalties:
Up to 10 years in prison per violation
Up to 20 years if the fraud results in serious bodily injury
Life in prison if the fraud results in death
Substantial fines and restitution may also apply
✅ Who It Applies To:
Anyone: physicians, nurses, billing staff, executives, vendors, and others
Applies to both government and private healthcare benefit programs
⚠️ Key Differences from Civil Fraud Laws:
Criminal Statute | Civil Laws (e.g., False Claims Act)
Intentional and willful deception | Can include reckless or negligent behavior
Criminal prosecution (DOJ) | Civil lawsuit or administrative penalties
Prison time possible | Fines, exclusion from programs