HIPAA & Fraud, Waste, & Abuse Training
Required annually for all employees, contractors, transportation providers, and drivers of Medi Trans.
Go through each section, then continue to the quiz.
What is HIPAA?
Understanding the Health Insurance Portability and Accountability Act and why it matters to Medi Trans.
HIPAA Overview
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed in 1996. HIPAA created national standards for protecting the privacy and security of health information.
The HIPAA Privacy Rule
The Privacy Rule establishes standards for how Protected Health Information (PHI) may be used and disclosed. It applies to all "covered entities" and their "business associates."
What is Protected Health Information (PHI)?
PHI is the combination of two types of information:
Medical Information
- Medical records & billing info
- Health plan enrollment data
- Any health info that can identify a person
Personally Identifiable Information (PII)
- Names, addresses, birth dates
- Social Security & phone numbers
- Email addresses, medical record numbers
- Vehicle identifiers, photos, biometrics
Key Formula
Medical Info + PII = PHI (Protected Health Information)
Covered Entities & Business Associates
Covered Entities include health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically.
Medi Trans as a Business Associate
A Business Associate is any person or company that works with or for a Covered Entity and handles PHI. Medi Trans is a Business Associate and is legally required to protect PHI under a Business Associate Agreement (BAA).
HITECH Act & HIPAA Omnibus Rule: The HITECH Act strengthened HIPAA enforcement and increased penalties. The Omnibus Rule expanded requirements to Business Associates and their subcontractors.
What is a HIPAA Breach?
HIPAA Breach Definition
A HIPAA Breach is the access, use, or release of PHI that is not allowed by HIPAA.
Breach Notification Rule: When a breach occurs, affected individuals and HHS must be notified. If 500+ individuals are affected, the media must also be notified.
Important
Even accidental or unintentional access to PHI you were not authorized to see can constitute a breach. Always report suspected breaches immediately.
Uses & Disclosures of PHI
Learn how Protected Health Information may and may not be shared.
Use of PHI
When PHI is accessed or reviewed within the organization. Example: A Medi Trans associate looks at a member's PHI to determine eligibility for transportation services.
Disclosure of PHI
When PHI is shared outside the organization. Example: A Medi Trans associate shares information with a transportation provider so they may safely transport a member.
Examples of PHI Violations
- Discussing a member's PHI with others who have no need to know (in person, on social media, by email, etc.)
- Leaving a member's information where others can access it (on desks, seats, etc.)
- Selling or releasing medical information
- Throwing away printed materials containing personal information (these must be shredded)
- Providing information to others without the member's permission
Remember
It is NOT acceptable to simply throw away a member's PHI. All printed materials containing PHI must be properly shredded.
Disciplinary Actions
For transportation providers and other subcontractors, corrective actions that Medi Trans may take when HIPAA rules are broken are defined in your contract, the Business Associate Agreement, and any other agreements between the organizations.
Your Responsibility
What you must do to protect member information every day.
All associates, subcontractors, and vendors of Medi Trans are responsible for:
- Preventing access to or use of PHI that is not allowed by HIPAA
- Watching out for illegal use or release of PHI
- Reporting illegal use or release of PHI to your supervisor or Medi Trans' Privacy Office
Golden Rule
Protect a member's PHI as if it were yours!
Safeguarding PHI
💻 Computer Security
Secure your primary work device.
- Never let anyone use your device
- Never share your username or password
- Always lock your device when stepping away
- Use a strong password
Be aware of email security risks.
- Don't email PHI unless needed for a specific task
- Don't email PHI outside Medi Trans without permission
- Never send PHI to personal email accounts
- Use IT encryption for external PHI
💬 Instant Messaging
IM is not secure for PHI.
- Do not chat about PHI through IM
- Do not send PHI documents through IM
🖨 Faxes
Fax PHI only when absolutely necessary.
- Use the Confidentiality Statement cover sheet
- Double-check the fax number
- Report misdirected faxes to the Privacy Office immediately
💼 Workspace
Store PHI in locked containers.
- Never leave PHI documents out
- Shred paper PHI when no longer needed
- Home offices must comply with all PHI policies
🏢 Public Areas
Be aware of your surroundings.
- Avoid discussing PHI in public
- If a discussion is unavoidable, don't use identifying information
- Secure all PHI documents before leaving an area
Common Privacy Mistakes
- Leaving your ID badge visibly unattended
- Leaving PHI out at your workspace or public areas (copier/fax machines)
- Leaving keys to lockable cabinets in the lock
- Leaving your computer unlocked and unattended
- Leaving portable devices out in the open and unattended
HIPAA Compliance
Medi Trans' Privacy Office and how compliance is maintained.
Human Resource / Privacy Office
HIPAA regulations require Medi Trans to designate a Privacy Office / Officer to perform specific privacy tasks. The Privacy Office is operated by the Director of Human Resources, in conjunction with the COO.
When to Contact the Privacy Office
Report any suspected HIPAA violation, accidental PHI disclosure, or any questions about how to properly handle member information.
Members' Rights
What rights members have regarding their Protected Health Information.
Member Rights Under HIPAA
📄 Limit Use of PHI
Members can request to limit the use or release of their PHI.
🔎 View & Correct PHI
Members can see the PHI used to make decisions and request corrections.
💬 Communication Preferences
Members can request how we communicate their PHI.
👁 See Released PHI
Members have the right to see all PHI that we may have released.
Member Complaints
If a member thinks their privacy has been violated, they have the right to file a complaint through Member Services or directly with the U.S. Department of Health and Human Services.
Important Protections
- We cannot interfere with members' rights to complain
- We cannot require members to give up their rights in order to receive service
- We may not intimidate, threaten, or retaliate against members who file a complaint
Fraud, Waste, & Abuse
Reducing inappropriate and wasteful use of federal funds. This covers the key laws that protect federal healthcare programs.
The False Claims Act (FCA) & Deficit Reduction Act (DRA)
The Federal False Claims Act (FCA) protects the government from being overcharged or sold low-quality goods or services. It holds responsible any person who knows or has reason to think a claim is false but submits it for payment anyway.
Example: A transportation provider intentionally submits a claim for transportation they know they did not provide. This is fraud.
Deficit Reduction Act (DRA)
The DRA of 2005 reduces Medicaid fraud and abuse. It applies to all healthcare providers receiving at least $5 million in Medicaid payments annually.
⚠ Violation Penalties
- Pay the federal government three times the damages
- Civil penalties of $10,781 to $21,562 per violation
- Banned from federal and state government contracts
Qui Tam (Whistleblower Provision)
The "qui tam" provision allows any person with evidence of fraud against federal programs to file a lawsuit on behalf of the U.S. Government.
Incentive
Whistleblowers may be awarded a part of any money collected from a qui tam lawsuit.
Protection
Medi Trans has a zero-tolerance policy for retaliation against anyone who reports suspected FWA in good faith. Whistleblowers who face retaliation can seek double the lost pay.
The Fraud Enforcement & Recovery Act (FERA)
The FERA was signed into law in 2009. It makes it easier for the government to investigate and punish those who violate the False Claims Act.
The Anti-Kickback Statutes (AKS)
Congress passed the first Anti-Kickback rules in 1972 to prevent fraud and outlaw dishonest behavior. It is a crime for individuals or companies to offer, pay for, ask for, or receive something of value in exchange for referrals under federal healthcare programs.
Example: A transportation provider offers to pay customer service representatives to assign them more expensive trips.
⚠ AKS Penalties
- Fines up to $25,000 per violation
- Felony conviction with jail time
- Banned from federal healthcare programs
The Physician Self-Referral Law (Stark Law)
The Stark Law prohibits a doctor from sending a patient to a medical facility owned by the doctor or their family member. It ensures financial interests don't influence medical decisions.
⚠ Stark Law Penalties
- Denial of payment from Medicare or Medicaid
- Illegal referral payments must be returned
- Up to $15,000 fine per service
- Up to $100,000 fine per scheme
- Banned from Medicare and Medicaid programs
FWA Compliance Office
Your Responsibility
Report suspected Fraud, Waste, or Abuse to the Medi Trans FWA Compliance Office. Your report is strictly confidential and cannot be used against you.