Next-Generation IT

Government enforcement agencies increasing focus on telehealth fraud

Gabriel Perna | January 5, 2021

Thanks to the COVID-19 pandemic, telehealth usage significantly increased across the country in 2020. More doctors found it to be an acceptable way to connect with their patients and incentives finally lined up with the technology’s capabilities, as CMS and private payers temporarily offered flexible reimbursement and cross-state licensure.

For those reasons, the October announcement by the Department of Justice that it was charging 86 defendants with telehealth fraud should not have surprised anyone in the industry. Erin Hoyle, a lawyer with Carlton Fields, focuses her practice on False Claims Act (qui tam/whistleblower) defense, corporate internal investigations, white collar criminal defense, cybersecurity and privacy. She says when the money flows in health care, especially during a national emergency, enforcement of fraud will soon follow.

“With the COVID-19 pandemic, [the health care industry] received significant monetary distribution in federal money to ramp up these telehealth services. What you typically see is once enforcement agencies get their feet under them, they will begin looking for bad actors because they recognize it’s very important to ensure program integrity when there are large sums of money at play and patient safety is an issue,” says Hoyle.

The DOJ, along with Health and Human Services’ Office of the Inspector General (OIG) and other agencies, charged 86 defendants with $4.5 billion in telehealth fraud. The charges allege telemedicine executives paid doctors and nurse practitioners to order unnecessary durable medical equipment, genetic and other diagnostic testing, and pain medications, either without any patient interaction or with only a brief telephonic conversation with patients they had never met or seen.

This is only the beginning of the enforcement, says Amy Lerman, who is with the Health Care and Life Sciences practice at Epstein Becker Green. “The OIGs, the DOJs of the world, they’re looking now. They know a lot better than they did 2-3 years ago what to look for, the schemes that are being run,” says Lerman, who predicts regulators will focus on the type of kickback ploys that came up in the October bust. She also wouldn’t be surprised if they examine other potential areas of vulnerability to fraud.

“Payers and government entities are really looking very closely because there’s such an uptick in telemedicine services. They’re looking for the ways that people may not be doing the billing and collection aspect of their business correctly,” she says.

No mistake goes unnoticed

Kyle Zebley, ATA director of public policy, says that the advocacy group expects increased oversight from the government and other payers as usage of the technology increases. However, he says there is a clear difference between organizations acting with intent and those who are trying to keep up with the changing rules and that needs to be a consideration by fraud watchdogs.

“There are people who are new in this space, expanding their presence and trying to keep up with the evolving laws and regulations. We think government should understand this factor when trying to bring oversight and attention to telehealth fraud. That needs to be considered,” says Zebley.

Government regulators may not be that forgiving though, even as providers are trying to keep up with the changing rules. Hoyle says that “failure to comply with billing and documentation requirement will be huge.” She points to an example from last year, in the height of the pandemic, that shows how serious CMS and others are taking telehealth fraud.

“In late spring to early summer, my colleagues and I witnessed a flurry of audit requests coming out from CMS contractors to providers who had been involved with telehealth durable medical equipment [DME] companies over the past few years. They had been working with DME companies that had been taken out in an April 2019 [Justice Department indictment]. The providers were no longer providing services in the DME space, but a year later they received an audit request for a very small patient population, about 20 patients. For a variety of reasons, some of these providers may have not been able to provide those records,” says Hoyle. “In one case, this failure to provide documentation resulted in a revocation of Medicare billing privileges and a ten-year re-enrollment bar.”

The moral of the story, she says, is that the smallest telehealth compliance details cannot be ignored. The fact that a provider lost CMS billing privileges in the middle of a pandemic shows Hoyle that the government is serious about telehealth fraud.

COVID has prompted some of the bigger changes we’ve seen to well-established law. Thinking ahead if I had a crystal ball, we’re going to see states say, ‘Wow this worked well during COVID. Let’s make it more permanent.’

Amy Lerman, Epstein Becker Green

Lerman, who counsels health care organizations on regulatory matters related to telehealth, agrees with the notion that federal watchdogs are closely investigating billing and documentation in virtual health. They’re also looking at consent as it relates to telehealth, she says.

“There are rules and laws in every state around patients consenting to receiving health care services. How is consent being handled in a virtual environment? Are telemedicine providers making it clear patients have to give their consent first? Are they following laws in different states around how that consent must be?” Lerman says.

Finding fraud in a complex environment

The challenge for telehealth providers, especially those working in different regions, is that while there are federal privacy and security laws, most compliance is regulated at the state level. And then depending on the type of telehealth care a provider is offering, different areas of medicine have different rules and regulations both within and across state lines. Of course, this was all true before COVID-19, but the pandemic has made this regulatory landscape even more complex.

“COVID has prompted some of the bigger changes we’ve seen to well-established law. Thinking ahead if I had a crystal ball, we’re going to see states say, ‘Wow this worked well during COVID. Let’s make it more permanent.’ It’s a potential catalyst to what we’re going to see in the years to come,” says Lerman.

In October, Lerman’s firm released its annual “Telemental Health Laws survey,” which looks at state telehealth laws, regulations, and policies. The survey found that half of the states have data privacy/confidentiality laws, regulations, or guidance specific to the provision of telehealth services that generally go above and beyond requiring health care providers merely to follow federal and state privacy/confidentiality requirements pertaining to medicine.

Zebley recommends that providers allocate necessary resources to ensure compliance across the organization. “It’s incumbent on good faith actors to do all they can to follow the law, hire the right lawyers, and rectify mistakes, even if they’re not called out by the proper authorities,” he says.

Hoyle recommends three steps for health care CEOs to consider when ensuring telehealth fraud doesn’t become a rampant problem within their organizations.

  1.  Have a strong compliance program. Most organizations likely have one, but it’s important to ensure it’s up to date with the various changes that have happened around telehealth regulation and compliance. The program should provide mechanisms for internal reporting of any suspected misconduct and set clear expectations, says Hoyle. These programs should also include regular training for providers and use of analytics and digital tools to identify outliers in billing and coding for telehealth services.  
  1.  Document everything. “When it comes to telehealth, did folks document how they started implementing telehealth technology at their sites? What platform is being used? Is it HIPAA compliant? What evaluation went into selecting a platform if it wasn’t HIPAA compliant?” Hoyle says a waiver allowing use of non-HIPAA compliant platforms won’t last long. The documentation should also include details on how long they spend time with patients virtually, where the patient and provider are located and if they could authenticate the patient’s identity. “The more materials you can have to refute allegations of fraud, the better,” she says.  
  1.  Don’t retaliate against whistleblowers. Lastly, Hoyle says telehealth providers need to remember that the technology doesn’t make them immune from Stark Law or laws that protect whistleblowers. Moreover, she says, it’s important for health care organizations to avoid taking any steps that would retaliate against a whistleblower or the individual that’s raising a report on potential telehealth fraud.

Going forward, she predicts that fraud won’t dictate how CMS and other payers shape regulations around telehealth, but what’s happened during the pandemic will shape the compliance landscape for years to come.

“You’re going to have industry officials come in and provide recommendations for what they saw worked, what they saw didn’t work and that is going to be what guides the long-term goals and regulations,” Hoyle says.

About the Author

Gabriel Perna, Senior Manager, Digital Content

Gabriel Perna is the Senior Manager of Digital Content at Health Evolution. He brings 10+ years of experience in covering the intersection of health care and business. Previously, he was at Chief Executive, Physicians Practice and Healthcare Informatics. You can reach him via email at or on Twitter at @GabrielSPerna