A Target on Telehealth: Government Action Against Telehealth Fraud in the Wake of COVID-19

The COVID-19 Public Health Emergency (PHE) is expected to prompt unprecedented levels of regulatory enforcement activity that is focused on the use of telemedicine. In fact, fraudulent and abusive telehealth practices was an area identified by the Department of Justice (DOJ) as an enforcement priority even prior to the COVID-19 PHE. Telehealth has been an important tool for ensuring access to necessary health care services during the PHE, and it has the potential to alleviate provider shortages, ensure access to care for vulnerable patients, including those living in rural areas, and ensure continuity of care. A study conducted by the Department of Health and Human Services (HHS), Office of the Assistant Secretary for Planning and Evaluation, found the percentage of Medicare primary care visits provided via telehealth increased from 0.1% to 43.5% between February and April 2020.¹ In addition, the HHS Office of Inspector General (OIG), Centers for Medicare and Medicaid Services (CMS), and Office for Civil Rights (OCR) issued rules and guidance allowing a number of regulatory flexibilities in the use of telehealth that encouraged the use of telehealth during the PHE.

Those who have watched telehealth’s rapid expansion in the wake of the PHE, and who have admired the ability of health care professionals to quickly adapt to provide necessary care to patients via this medium, have a strong belief that telehealth’s expanded presence is here to stay after the end of the PHE. It follows that, with telehealth becoming a permanent fixture in health care, it will be on the government’s enforcement radar for years to come.

Enforcement Discretion During the COVID-19 PHE

With the expansion of any health care sector comes the attention of regulators dedicated to protecting against health care fraud. For instance, the OIG’s Work Plan contains seven different types of planned telehealth audits, including an audit on home health services provided via telehealth during the PHE, and audits of Medicare Part B telehealth services provided during the PHE.² Nevertheless, HHS has, in limited circumstances during the PHE, relaxed enforcement. For example, on March 17, 2020, OIG announced it would not subject providers to administrative sanctions for waiving patient cost-sharing obligations for telehealth services subject to certain conditions (thereby reducing AKS enforcement risk for providers).³ Additionally, on January 20, 2021, the OCR announced it would “exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth” during the PHE.⁴

However, on September 30, 2020, DOJ announced the creation of the National Rapid Response Strike Force (the Strike Force), whose mission is to “investigate and prosecute fraud cases involving major health care providers that operate in multiple jurisdictions, including major regional health care providers . . . .”⁵ Telemedicine falls squarely into the Strike Force’s ambit: providers sometimes practice health care across state lines, especially during the PHE when provider licensure waivers have enabled more cross-state telehealth practice than is typical. The Strike Force is thus another enforcement tool for the government to use—in addition to audits, penalties, lawsuits, and charges—to target telehealth.

DOJ’s Telehealth “Takedowns”

DOJ’s focus on telehealth fraud pre-dates the PHE. Since early 2019, DOJ has undertaken several “takedowns” related to telehealth. However, these takedowns largely have focused on call centers and other schemes that do not represent the complex telehealth practices in place today.

For example, in April 2019, DOJ announced federal indictments of 24 defendants, including some associated with five telehealth companies, for alleged fraud schemes involving more than $1.2 billion in losses.⁶ The allegations stemming from this takedown, Operation Brace Yourself, involved payment of illegal kickbacks and bribes to telehealth companies, which then allegedly paid physicians to write medically unnecessary orders for durable medical equipment (DME).⁷

More recently, in September 2020, DOJ announced charges against 86 criminal defendants who purportedly submitted $4.5 billion in false and fraudulent claims connected to telehealth.⁸ Here, DOJ alleged “telemedicine executives paid doctors and nurse practitioners to order unnecessary [DME], genetic and other diagnostic testing, and pain medication, either without any patient interaction or with only a brief telephonic conversation with patients they had never met or seen.”⁹ In connection with this activity, CMS announced that it had revoked the billing privileges of 256 medical professionals due to their alleged involvement in the scheme.¹⁰

Predictions for Combatting Telehealth Fraud in the Post-PHE World

Based on DOJ’s historic enforcement against telehealth companies and the fervor with which providers have embraced telehealth technologies in the wake of the COVID-19 PHE, we predict the government’s enforcement resources will likely focus on the following areas related to the PHE.

1.  Improper coding of health care services provided via telehealth

During the PHE, CMS and private payers relaxed restrictions on the types of services clinicians may provide via telehealth and the types of providers that may furnish telehealth services. For instance, during the PHE, CMS allows providers to conduct evaluation and management services via telephone, but otherwise has maintained the audio-video requirement for office visit evaluation and management codes.¹¹ CMS also covers emergency department visits, home visits, and therapy services via telehealth during the PHE.¹² Moreover, Section 3704 of the Federal Coronavirus Aid, Relief, and Economic Security Act (the CARES Act) temporarily allows certain types of providers, including Federally Qualified Health Centers (FQHC) and Rural Health Clinics (RHC), to serve as distant telehealth sites during the PHE, meaning these providers may provide telehealth services to patients not in the same location as the FQHC or RHC.¹³

However, because many providers did not offer telehealth services prior to the PHE, they may not have prior experience in the nuances of CMS telehealth rules and requirements, including requirements related to proper coding and billing. The government may investigate providers’ provision of services via telehealth technology and whether providers selected the appropriate codes to reflect the service(s) actually provided (including based on visit length and level of medical decision making).

For instance, CMS’ waiver allowing provision of evaluation and management services via telehealth may have resulted in more providers utilizing these codes, and the government may focus on whether provision of these services was medically necessary or whether providers “up coded” when a different code was more appropriate for the services rendered. Simply put, more claims often means more scrutiny.

2. Inappropriate use of telehealth technology, including inappropriate use of technology to provide unnecessary medical services

As providers rushed to adapt to the changing landscape during the PHE, providers employed new technology or rapidly scaled existing telehealth technology. Administrative agencies and state licensing boards may investigate whether providers’ use of telehealth technology met the applicable standard of care or complied with the required telehealth practice standards to support billing for such telehealth services.

For instance, prior to the PHE, many states that allowed physician telehealth practice regulated the telehealth modality, often requiring real-time audio-visual communication. However, many of these states allow audio-only communication during the PHE to increase the ability for patients to access needed care via telehealth.¹⁴ Similarly, CMS allows some services, including behavioral health and patient education, to be provided via audio-only telehealth during the PHE.¹⁵ State licensing boards and federal and state administrative agencies may review providers’ compliance with these waivers and whether the providers otherwise met applicable requirements related to provision of these services via telehealth.

Moreover, DOJ’s enforcement activity previously has focused on the alleged provision of unnecessary services, including DME and genetic testing, via telehealth platforms. We anticipate that provision of potentially unnecessary services will continue to be a focus and will likely expand in scope because of the expansion in the types of services that were provided via telehealth during the PHE.

3. Increase in fraud theories involving HIPAA and data privacy laws and state fee-splitting and corporate practice of medicine laws

During the PHE, the OCR is exercising its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under HIPAA; however, this discretion will not likely remain in place after the PHE. Telehealth providers should be prepared for increased government scrutiny concerning HIPAA and ensure its HIPAA policies and practices are current with all applicable law.

In addition, we anticipate an uptick in enforcement of state corporate practice of medicine, fee-splitting, and patient referral laws to keep up with the telehealth industry. For instance, a bill recently introduced in California seeks, among other things, to amend the “patient bill of rights” by expressly including “internet-based” activities in its fee-splitting and referral prohibitions.¹⁶ If passed, this could have the effect of prohibiting certain telehealth activities if deemed to fall within California’s fee-splitting and/or patient referral prohibitions. Telehealth providers should stay abreast of movement in this area to ensure continued compliance with applicable law.

4. Provision of telehealth services without a sufficient doctor-patient relationship or without other elements required by CMS and private payers

Early in the PHE, HHS announced that it would not conduct audits to ensure the presence of a physician-patient relationship for the duration of the PHE.¹⁷ However, when investigating fraudulent billing schemes or other fraud, the government still may consider whether providers met the telehealth practice standards required to create the requisite provider-patient relationship to bill for services actually rendered. For instance, CMS allows providers to conduct brief, virtual check-ins with patients in their homes but limits these services to patients with an established, pre-existing relationship with the provider.¹⁸ While CMS announced it would not audit services to ensure the presence of a prior relationship for claims submitted during the PHE, that does not mean CMS—or DOJ—would not consider the presence or absence of a proper relationship when investigating other aspects of telehealth noncompliance.

5. Increased Government Data Analytics to Identify Improper Use of Relief Funds

DOJ and other enforcement agencies have, and likely will continue to, devote significant resources to the investigation and prosecution of fraudulent schemes arising from pandemic relief efforts. We anticipate one area the government is likely to focus on is the identification of “double-dippers.” A double dipper is a person or entity who received COVID-19 relief funds from multiple programs (i.e., telehealth provider receives payment from the Provider Relief Fund and a Paycheck Protection Program loan for the same expenses). Through the government’s increased use of data analytics, it will likely be able to more easily, and efficiently, identify potential double dipping of COVID-19 funding and prioritize its enforcement resources.¹⁹ Thus, we will likely continue to see a tidal wave of enforcement activity related to relief funds. Telehealth providers will not be spared.

6. Continuing to Operate Under COVID-19 Temporary Waivers

The COVID-19 PHE waivers put in place by HHS and other federal and state authorities are largely temporary and set to expire upon the end of the PHE. However, many provider and health systems have relied heavily on these temporary waivers and may have difficulty scaling back their reliance.

For instance, some states waived certain licensure requirements to improve the states’ ability to provide care to COVID-19 patients. A survey conducted by the Federation of State Medical Boards reports that as of June 23, 2021, 26 states have waivers in place modifying telehealth requirements including allowing telehealth practice by out-of-state physicians and audio-only communication, or waiving the requirement that there be a preexisting provider-patient relationship.²⁰ We predict some out-of-state providers may face sanctions from state licensing boards related to continued practice via telehealth after the temporary licensure waivers expire.

Providers may also have difficulty rolling back reliance on waivers issued by HHS that exempt certain types of remuneration and referral arrangements from sanctions under the physician self-referral (Stark) law. For instance, under the Blanket Waivers, HHS exempted the following arrangements (among others) from sanctions under Stark (provided the remuneration and referrals are solely related to a COVID-19 purpose), both of which without this temporary waiver would constitute a technical violation of the Stark:

• Remuneration from an entity to a physician that is above or below fair market value for services personally performed by the physician; and
• Referral by a physician of a Medicare patient to a home health agency in which the physician has an ownership interest.²¹

Providers may have difficulty quickly bringing their operations into compliance once the temporary waivers expire, which may expose providers to state and federal sanctions, including liability under the False Claims Act. Reliance on these temporary COVID-19 waivers past the termination of the PHE may present an easy opportunity for government enforcement.

In light of the foregoing, it is clear that telehealth will likely remain an enforcement priority after the PHE ends. As such, telehealth providers and companies should protect themselves by taking steps such as: (1) ensuring continued compliance with the applicable laws and regulations, including after the COVID-19 PHE waivers are terminated, especially with respect to telehealth practice standards and coding and billing compliance; (2) adopting, implementing, and maintaining a robust compliance program; and (3) staying up-to-date on enforcement actions.

¹ See U.S. Department of Health & Human Services, Assistant Secretary of Planning and Evaluation, Medicare Beneficiary Use of Telehealth Visits: Early Data From the State of the COVID-19 Pandemic (Jul. 28, 2020), https://aspe.hhs.gov/system/files/pdf/263866/hp-issue-brief-medicare-telehealth.pdf

² See U.S. Department of Health & Human Services, Audit of Home Health Services Provided as Telehealth During the COVID-19 Public Health Emergency, https://oig.hhs.gov/reports-and-publications/workplan/summary/wp-summary-0000553.asp (last visited Apr. 30, 2021); see also U.S. Department of Health & Human Services, Audits of Medicare Part B Telehealth Services During the COVID-19 Public Health Emergency, https://oig.hhs.gov/reports-and-publications/workplan/summary/wp-summary-0000556.asp (last visited Apr. 30, 2021).

³ See U.S. Department of Health & Human Services, Office of Inspector General, OIG Policy Statement Regarding Physicians and Other Practitioners That Reduce or Waive Amounts Owed by Federal Health Care Program Beneficiaries for Telehealth Services During the 2019 Novel Coronavirus (COVID-19) Outbreak (Mar. 17, 2020), https://oig.hhs.gov/fraud/docs/alertsandbulletins/2020/policy-telehealth-2020.pdf.

⁴ U.S. Department of Health & Human Services, Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (last reviewed Jan. 20, 2021), https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.

⁵ U.S. Department of Justice, National Health Care Fraud and Opioid Takedown Results in Charges Against 345 Defendants Responsible for More than $6 Billion in Alleged Fraud Losses (Sep. 30, 2020), https://www.justice.gov/criminal-fraud/hcf-2020-takedown/press-release.

⁶ See U.S. Department of Justice, Federal Indictments & Law Enforcement Actions in One of the Largest Health Care Fraud Schemes Involving Telemedicine and Durable Medical Equipment Marketing Executives Results in Charges Against 24 Individuals Responsible for Over $1.2 Billion in Losses (Apr. 9, 2019), https://www.justice.gov/opa/pr/federal-indictments-and-law-enforcement-actions-one-largest-health-care-fraud-schemes.

⁷ See id.

⁸ See U.S. Department of Justice, National Health Care Fraud and Opioid Takedown Results in Charges Against 345 Defendants Responsible for More than $6 Billion in Alleged Fraud Losses (Sep. 30, 2020),.

⁹ Id.

¹⁰ See id.

¹¹ See Centers for Medicare & Medicaid Services, Medicare Telemedicine Health Care Provider Fact Sheet (Mar. 17, 2020), https://www.cms.gov/newsroom/fact-sheets/medicare-telemedicine-health-care-provider-fact-sheet.

¹² U.S. Department of Health & Human Services, Telehealth: Delivering Care Safely During COVID-19 (Jul. 15, 2020), https://www.hhs.gov/coronavirus/telehealth/index.html.

¹³ See Coronavirus Aid, Relief, and Economic Security Act, H.R. 748, 116th Cong. §3704 (2020); see Medicare Learning Network, New & Expanded Flexibilities for RHCs & FQHCs during the COVID-19 PHE (revised Feb. 23 2021), https://www.cms.gov/files/document/se20016.pdf.

¹⁴ See e.g., Federation of State Medical Boards, U.S. States and Territories Modifying Requirements for Telehealth in Response to COVID-19 (last updated June 23, 2021), https://www.fsmb.org/siteassets/advocacy/pdf/states-waiving-licensure-requirements-for-telehealth-in-response-to-covid-19.pdf.

¹⁵ See Centers for Medicare & Medicaid Services, COVID-19 Frequently Asked Questions (FAQs on Medicare Fee-For-Service (FFS) Billing) (updated Jan. 7, 2021), https://edit.cms.gov/files/document/medicare-telehealth-frequently-asked-questions-faqs-31720.pdf.

¹⁶ See Assembly Bill No. 457, California Legislature 2021-22 Regular Session, at 4-5 (“Notwithstanding this section or any other law, the payment or receipt of consideration for internet-based advertising, appointment booking, or any service that provides information and resources to prospective patients of licensees shall not constitute a referral of a patient if the internet-based service provider does not recommend, endorse, arrange for, or otherwise select a licensee for the prospective patient.”).

¹⁷ See  id.

18 See Centers for Medicare & Medicaid Services, Medicare Telemedicine Health Care Provider Fact Sheet (Mar. 17, 2020), https://www.cms.gov/newsroom/fact-sheets/medicare-telemedicine-health-care-provider-fact-sheet.

¹⁹ Matthew D. Krueger, Pamela L. Johnston, Michelle A. Freeman, Bracing for the New Wave of Health Care Enforcement, Foley & Lardner Health Care Law Today, May 12, 2021, available at: https://www.foley.com/en/insights/publications/2021/05/bracing-next-wave-health-care-enforcement.

²⁰ See Federation of State Medical Boards, U.S. States and Territories Modifying Requirements for Telehealth in Response to COVID-19 (last updated June 23, 2021), https://www.fsmb.org/siteassets/advocacy/pdf/states-waiving-licensure-requirements-for-telehealth-in-response-to-covid-19.pdf.

²¹ See U.S. Department of Health & Human Services, Blanket Waivers of Section 1877(g) of the Social Security Act Due to Declaration of COVID-19 Outbreak in the United States as a National Emergency (Mar. 1, 2020), https://www.cms.gov/Medicare/Fraud-and-Abuse/PhysicianSelfReferral/Spotlight.

Copyright 2021, American Health Law Association, Washington, DC. Reprint Permission Granted.