Stopping Waste, Fraud, and Abuse by Eliminating Information Silos: A HIPAA Guide
Executive Order 14243 Overview
Executive Order 14243, Stopping Waste, Fraud, and Abuse by Eliminating Information Silos, directs federal agencies to break down barriers to unclassified data access and interagency data sharing so officials can detect overpayments, waste, fraud, and abuse faster. It instructs agency heads to provide designated officials with full and prompt access to unclassified records, systems, and datasets, and to remove internal guidance that unnecessarily restricts such access.
The order also calls for interagency data consolidation and, where lawful, access to data from state programs that receive federal funding. Crucially, every directive is “to the maximum extent consistent with law,” which means HIPAA data privacy, the Privacy Act, and other statutes continue to govern protected health information (PHI). In practice, the EO sets a government-wide framework for interagency collaboration while preserving HIPAA safeguards.
Enhancing Data Access and Sharing
To eliminate information silos without compromising HIPAA data privacy, agencies and covered entities should standardize how they inventory, classify, and share data. Begin with a system-of-record inventory, tag data elements that may include PHI, and map lawful purposes for access (treatment, payment, healthcare operations, program integrity, or other permitted uses).
Adopt interoperable formats and APIs—such as FHIR—for consistent exchange and implement role-based access control with “minimum necessary” filtering at query time, so each purpose receives only the fields it is entitled to. Use data-sharing agreements that specify purpose, lawful basis, retention, and security controls. For analytics, route PHI into secure enclaves, apply de-identification or limited data sets with data use agreements, and maintain append-only, tamper-evident audit logs for every access and disclosure.
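The query-time pattern described above, as an added example that is not part of the original page or Accountable's own tooling: a purpose-to-field map enforces minimum necessary, analytics requests get a safe-harbor de-identified copy (names, MRNs and record IDs dropped, ZIP truncated to three digits with the small-population prefixes zeroed, dates reduced to year, ages over 89 banded to 90+), and every disclosure is written to a hash-chained audit log whose `verify()` fails if any entry is altered. The claim records, field names, purpose-to-field sets and the fixed `as_of` date are constructed assumptions for illustration; the restricted ZIP3 list is the 2000-census list from HHS's safe-harbor guidance and should be checked against current guidance before use.

```python
"""Query-time minimum-necessary filtering, safe-harbor de-identification and a
hash-chained audit log over constructed claim records (not real PHI)."""
import hashlib
import json
from datetime import date

# Constructed sample records; field names are assumptions for this example.
CLAIMS = [
    {"claim_id": "C-1001", "patient_name": "Jane Doe", "dob": "1931-04-12",
     "zip": "02134", "mrn": "MRN-77812", "npi": "1234567893", "cpt": "99214",
     "billed": 185.00, "service_date": "2024-03-05"},
    {"claim_id": "C-1002", "patient_name": "John Roe", "dob": "1978-11-02",
     "zip": "03601", "mrn": "MRN-10442", "npi": "1234567893", "cpt": "99215",
     "billed": 240.00, "service_date": "2024-03-05"},
]

# Minimum necessary: each lawful purpose maps to the fields it needs. None means
# the full record (treatment is exempt from minimum necessary). These field
# sets are illustrative assumptions, not a regulatory list.
PURPOSE_FIELDS = {
    "treatment": None,
    "payment": {"claim_id", "mrn", "npi", "cpt", "billed", "service_date"},
    "program_integrity": {"claim_id", "npi", "cpt", "billed", "service_date", "zip", "dob"},
    "analytics": "deidentified",  # secondary use gets a safe-harbor data set only
}

# Direct identifiers removed outright; claim_id is a unique record number, so it goes too.
DIRECT_IDENTIFIERS = {"patient_name", "mrn", "claim_id"}
# Three-digit ZIP prefixes with population of 20,000 or fewer (2000-census list in
# HHS's safe-harbor guidance); safe harbor requires these be replaced with 000.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}


def safe_harbor(rec, as_of):
    """Return a safe-harbor de-identified copy of one record."""
    out = {k: v for k, v in rec.items()
           if k not in DIRECT_IDENTIFIERS | {"zip", "dob", "service_date"}}
    zip3 = rec["zip"][:3]
    out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
    dob = date.fromisoformat(rec["dob"])
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    if age > 89:
        out["age_band"] = "90+"           # birth year would reveal the age, so drop it
    else:
        out["birth_year"] = str(dob.year)  # year alone is permitted
    out["service_year"] = rec["service_date"][:4]
    return out


def has_lawful_basis(purpose):
    """True only for purposes that governance has mapped to a field set."""
    return purpose in PURPOSE_FIELDS


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash, so
    editing or removing any entry makes verify() return False."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._last = self.GENESIS

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, purpose, claim_ids, fields):
        body = {"actor": actor, "purpose": purpose, "claims": sorted(claim_ids),
                "fields": sorted(fields), "prev": self._last}
        self._last = self._digest(body)
        self.entries.append({**body, "hash": self._last})

    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def query(actor, purpose, log, as_of=date(2024, 6, 1)):
    """Apply the purpose's projection at query time and log the disclosure.
    as_of is fixed (an assumption) so age banding is reproducible."""
    if not has_lawful_basis(purpose):
        raise PermissionError(f"no lawful purpose mapped for {purpose!r}")
    keep = PURPOSE_FIELDS[purpose]
    if keep == "deidentified":
        rows = [safe_harbor(c, as_of) for c in CLAIMS]
    elif keep is None:
        rows = [dict(c) for c in CLAIMS]
    else:
        rows = [{k: v for k, v in c.items() if k in keep} for c in CLAIMS]
    disclosed = set().union(*(r.keys() for r in rows))
    log.record(actor, purpose, [c["claim_id"] for c in CLAIMS], disclosed)
    return rows


if __name__ == "__main__":
    log = AuditLog()
    for purpose in ("payment", "program_integrity", "analytics"):
        print(purpose, query("analyst-1", purpose, log))
    print("audit chain intact:", log.verify())
```

The log records which source records and which field names were disclosed, not the field values, so the audit trail itself does not become a second copy of PHI; the first entry chains to a fixed genesis value so a deleted head entry is detected as well.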
When interagency data sharing is needed, establish a governance board that approves use cases, validates legal authorities, and monitors outcomes. Align workflows with the 21st Century Cures Act’s push for interoperability while documenting HIPAA-compliant rationale for each exchange to avoid inadvertent information blocking.
Healthcare Fraud Prevention Strategies
Reducing waste, fraud, and abuse requires tightening controls across the claim lifecycle and using data to spot risk early. Start with rigorous provider enrollment screening, identity proofing, and continuous monitoring against exclusion lists. Implement prepayment edits and predictive scoring to flag outlier billing behaviors before dollars leave the door.
Leverage cross-program matching to confirm eligibility, detect phantom providers or beneficiaries, and spot impossible service patterns, such as a single provider billing more service time than a day contains. Use targeted post-payment review to recover overpayments, escalate schemes to investigators, and provide corrective education to providers. When risks escalate, CMS payment suspensions—authorized under 42 CFR 405.371—temporarily withhold Medicare payments when there is a credible allegation of fraud, while protecting beneficiaries and program funds.
- Strengthen front-end edits and prior authorization for high-risk services.
- Correlate claims with pharmacy, laboratory, and device data to expose upcoding and unbundling.
- Monitor referral patterns to detect collusion and kickbacks.
- Feed confirmed fraud typologies back into prepay models for continuous improvement.
Addressing Information Blocking
The 21st Century Cures Act defines information blocking as practices likely to interfere with access, exchange, or use of electronic health information, unless an exception applies. ONC regulations outline privacy and security exceptions that permit withholding information when required by law or necessary to reduce risk, provided strict conditions are met.
Enforcement spans multiple levers: OIG may impose civil monetary penalties of up to $1 million per violation on health IT developers, HIEs, and HINs; healthcare providers face CMS-administered disincentives tied to Medicare programs, such as Promoting Interoperability, MIPS, and the Medicare Shared Savings Program. Operationally, document your legal basis for any denials, design patient- and provider-facing APIs for timely data access, and never cite HIPAA as a blanket reason to withhold EHI when an information blocking exception does not apply.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Leveraging AI for Fraud Detection
Artificial intelligence fraud detection amplifies program integrity by finding subtle, cross-entity patterns that rules miss. Use supervised learning to catch known schemes (e.g., upcoding, duplicate billing) and unsupervised anomaly detection to surface new behaviors. Graph analytics reveals collusive networks by linking providers, beneficiaries, addresses, devices, and payment flows.
NLP can parse claim notes and prior authorization narratives to spot inconsistencies, while streaming models flag suspicious activity in near real time. Build model governance around fairness, explainability, version control, and concept-drift monitoring. Keep PHI secure via zero-trust architecture, encryption in transit and at rest, fine-grained access tokens, and auditable human-in-the-loop reviews that convert high-risk alerts into actionable investigations.
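The graph step above, together with the duplicate-billing and impossible-service-pattern checks from the Healthcare Fraud Prevention Strategies section, as one added example that is not code from the original page or from Accountable: it runs three checks over a constructed claim set, a duplicate-billing key match, a per-provider-day service-time total against the hours in a day, and a union-find graph that links providers sharing a payment account or practice address and reports clusters of three or more. The claim records, the per-code service minutes and the three-provider threshold are constructed assumptions for illustration; real work takes minutes from the fee schedule and tunes the threshold against known cases.

```python
"""Rule and graph checks over constructed claim records: duplicate billing,
impossible daily service volume, and provider clusters linked by shared
payment accounts or addresses. All sample data here is constructed."""
from collections import defaultdict


def _claim(cid, npi, bene, cpt, minutes, day, pay_to, addr):
    # 'minutes' is the typical service time assumed for the code in this
    # example; a real implementation takes it from the fee schedule.
    return {"id": cid, "npi": npi, "bene": bene, "cpt": cpt, "minutes": minutes,
            "date": day, "pay_to": pay_to, "addr": addr}


CLAIMS = (
    # Provider A bills 40 distinct beneficiaries for a 40-minute visit on one day...
    [_claim(100 + i, "A", f"B{i}", "99215", 40, "2024-03-05", "ACCT-1", "1 Main St")
     for i in range(40)]
    # ...and submits a second identical claim for B0.
    + [_claim(200, "A", "B0", "99215", 40, "2024-03-05", "ACCT-1", "1 Main St")]
    # X, Y and Z are separately enrolled but paid into the same account.
    + [_claim(301, "X", "B50", "99213", 15, "2024-03-06", "ACCT-7", "5 Oak Ave"),
       _claim(302, "Y", "B51", "99213", 15, "2024-03-06", "ACCT-7", "9 Elm Rd"),
       _claim(303, "Z", "B52", "99213", 15, "2024-03-06", "ACCT-7", "2 Pine Ln")]
    # W is an ordinary provider with nothing shared.
    + [_claim(401, "W", "B60", "99213", 15, "2024-03-06", "ACCT-2", "7 Cedar Ct")]
)


def duplicate_billing(claims):
    """Same provider, beneficiary, code and date billed more than once."""
    seen = defaultdict(list)
    for c in claims:
        seen[(c["npi"], c["bene"], c["cpt"], c["date"])].append(c["id"])
    return {k: ids for k, ids in seen.items() if len(ids) > 1}


def impossible_days(claims, max_minutes=24 * 60):
    """Provider-days where billed service time exceeds the minutes in a day."""
    minutes = defaultdict(int)
    for c in claims:
        minutes[(c["npi"], c["date"])] += c["minutes"]
    return {k: m for k, m in minutes.items() if m > max_minutes}


class DisjointSet:
    """Union-find over provider NPIs, used to merge linked providers."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def provider_clusters(claims, min_size=3, link_on=("pay_to", "addr")):
    """Connect providers that share a payment account or address and return
    the connected components with at least min_size providers."""
    ds = DisjointSet()
    by_attr = defaultdict(set)
    for c in claims:
        ds.find(c["npi"])  # register every provider, linked or not
        for key in link_on:
            by_attr[(key, c[key])].add(c["npi"])
    for providers in by_attr.values():
        first, *rest = sorted(providers)
        for p in rest:
            ds.union(first, p)
    components = defaultdict(set)
    for npi in list(ds.parent):
        components[ds.find(npi)].add(npi)
    return sorted(sorted(c) for c in components.values() if len(c) >= min_size)


def run_checks(claims):
    """Run all three checks and return their hits keyed by check name."""
    return {"duplicates": duplicate_billing(claims),
            "impossible_days": impossible_days(claims),
            "clusters": provider_clusters(claims)}


if __name__ == "__main__":
    for name, hits in run_checks(CLAIMS).items():
        print(name, hits)
```

On the constructed data the duplicate check flags provider A's second claim for B0, the day check flags A at 1,640 billed minutes on 2024-03-05, and the graph check returns the X/Y/Z cluster joined by ACCT-7 while leaving A and W alone; in practice the same union-find is extended with further link attributes (beneficiary, device, phone) and the resulting clusters are scored rather than flagged outright.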
HIPAA Compliance Requirements
EO 14243 does not override HIPAA. The HIPAA Privacy Rule permits uses and disclosures for treatment, payment, and healthcare operations, as well as public health and certain oversight activities, subject to the minimum necessary standard. The Security Rule requires a documented risk analysis, administrative, physical, and technical safeguards, access controls, integrity protections, and audit capabilities.
Execute business associate agreements where vendors touch PHI, apply de-identification (expert determination or safe harbor) for secondary analytics, and use limited data sets with data use agreements when appropriate. Maintain breach response plans and workforce training, and calibrate sharing so it supports interagency data sharing goals without exceeding lawful scope. Clear policies and logs help demonstrate that expanded access under the EO remains fully compliant with HIPAA data privacy.
Federal Agency Collaboration
Effective interagency collaboration aligns mission objectives, legal authorities, and technical standards. Establish a joint data governance council across HHS, CMS, OIG, DOJ, and other partners to approve use cases, harmonize data dictionaries, and standardize APIs for secure exchange. Use reciprocal agreements that define purpose, stewardship roles, retention, and redress for errors.
Operational playbooks should cover identity resolution, consent and authorization logic, and shared risk indicators for investigations. Define performance metrics—dollars prevented or recovered, time-to-detection, false-positive rates, and complaint resolution time—and share feedback loops so analytics models improve across agencies while remaining “consistent with law.”
Conclusion
By pairing Executive Order 14243’s mandate to eliminate information silos with the 21st Century Cures Act’s interoperability rules—and grounding every exchange in HIPAA—agencies and healthcare organizations can accelerate fraud detection, protect beneficiaries, and safeguard taxpayers. The balance is practical: expand lawful access, prove necessity, and secure PHI at every step.
FAQs
How does Executive Order 14243 impact healthcare data sharing?
It compels agencies to remove unnecessary barriers to unclassified data access and enable interagency data sharing for program integrity, including, where lawful, access to data from state programs funded by the federal government. For healthcare, that means faster, lawful sharing to detect waste, fraud, and abuse—always subject to HIPAA and other privacy laws.
What measures does CMS use to prevent fraud and abuse?
CMS uses prepayment edits and predictive analytics, targeted post-payment reviews, provider enrollment screening, overpayment recoupment, law enforcement referrals, and CMS payment suspensions during credible-fraud investigations. These tools work together to stop improper payments early and recover funds when issues are found.
What are the penalties for information blocking under HIPAA?
There are no information blocking penalties “under HIPAA.” Penalties stem from the 21st Century Cures Act: OIG can fine health IT developers, HIEs, and HINs up to $1 million per violation, and CMS can impose disincentives on providers via Medicare programs. Separately, misusing HIPAA to deny lawful access may trigger HIPAA Right of Access enforcement by OCR.
How is AI used to detect healthcare fraud?
AI scores claims and entities for risk, detects anomalies, and maps relationships to uncover collusion. NLP reviews notes and prior authorization text for inconsistencies, and streaming models flag suspicious activity in near real time. Strong governance, explainability, and HIPAA-aligned security ensure reliable, privacy-preserving results.