How telehealth providers can mitigate healthcare fraud risk
Healthcare law experts discuss how telehealth providers can stay compliant and vigilant as the Department of Justice accelerates fraud enforcement actions.
Among health IT stakeholders, it is well-known that with greater technology utilization comes a greater risk of healthcare fraud and, by extension, government scrutiny. Telehealth providers have learned this lesson firsthand after utilization soared to new heights during the COVID-19 pandemic, and the Department of Justice started to examine the telehealth arena more closely.
The DOJ has cracked down heavily on telehealth-related healthcare fraud in the last few years. One estimate shows that enforcement actions from 2020 through 2023 led to criminal charges against more than 175 individuals and allegations of over $8 billion in telehealth fraud.
Healthcare law experts noted that the unique characteristics of telehealth that benefit patients also increase the potential for fraud.
"For the last five years, maybe six years, telehealth has been one of the preeminent enforcement focuses for the DOJ," said Jay Dewald, head of healthcare investigations for the United States at law firm Norton Rose Fulbright and a former federal prosecutor. "Telehealth can be deployed very effectively to bring patient care where it doesn't otherwise exist or to bring it to folks in their homes when they really shouldn't be out and about. That said, the distance and the deploying of technology creates issues [and] the potential for fraud."
Telehealth providers are ultimately responsible for remaining in regulatory compliance and avoiding fraudulent activity. In addition to staying up-to-date on regulatory changes, providers need to understand how the DOJ approaches fraud enforcement in the telehealth arena and establish protocols to reduce fraud risk.
What telehealth providers can learn from recent DOJ enforcement actions
Though telehealth faced DOJ scrutiny before the pandemic, there has been an uptick in enforcement in the last few years. Among these, one case stands out as an especially vital lesson for telehealth providers: the Done Health indictments.
In June, the DOJ arrested and charged the leaders of telemental health company Done Health for an alleged Adderall distribution and healthcare fraud scheme. Done Health founder and CEO Ruthia He and clinical president David Brody, MD, allegedly instructed Done prescribers to prescribe Adderall and other stimulants even if the healthcare consumer did not qualify, as well as ordered that initial patient encounters be under 30 minutes, among other allegations.
According to Dewald, the Done indictments include several hallmarks of telehealth-enabled fraud, including kickback payments.
"A fundamental element of these things is paying kickbacks," he said. "In almost every one of these announcements, you'll see kickbacks to the physicians, to the marketers, even to the companies themselves. And these are often schemes that just couldn't even exist without those kickbacks, without that multilevel marketing kind of flow of funds down to the people who really make it happen."
In the Done case, He allegedly created a compensation structure that paid Done prescribers only for the number of patients who received prescriptions rather than medical visits, telehealth consultations, or time spent caring for patients after an initial consultation.
Then when you combine that with drug distribution, and especially with controlled drug distribution, the DOJ will take that very seriously because they don't want the use of telemedicine to [be linked to] e-prescribing drugs and controlled substances that are not necessary.
Jolie ApicellaPartner, Wiggin and Dana LLP
The indictments are especially pertinent as mental healthcare is one of the most popular use cases for telehealth. Even as telehealth visit volume dropped by 45.8% from the second quarter of 2020 to the fourth quarter of 2022, the share of telehealth visits for behavioral health conditions jumped from 41.8% in the first quarter of 2020 to 62.8% in the fourth quarter of 2022.
"Then when you combine that with drug distribution, and especially with controlled drug distribution, the DOJ will take that very seriously because they don't want the use of telemedicine to [be linked to] e-prescribing drugs and controlled substances that are not necessary," said Jolie Apicella, partner at law firm Wiggin and Dana LLP. " And that's exactly what we saw in the Done case."
The Done case presents one of the worst-case scenarios of unfettered virtual prescribing capabilities, which might influence the Drug Enforcement Administration's (DEA) decision-making around telehealth prescriptions.
"It's definitely a difficult balance," Apicella said. "I think we saw the same thing in the opioid space because people obviously do need painkillers, but it's highly, highly addictive. So, it's difficult for the DEA, and I think it's the same thing here."
Outside of virtual prescribing, telehealth-related healthcare fraud schemes typically lack a genuine physician-patient relationship and involve aggressive marketing and upselling. Dewald noted that the elderly and disabled are especially susceptible to schemes in which the physician spends very limited or no time with the patient but signs off on treatments, including drugs, testing, and durable medical equipment orders.
In fact, in one of the largest DOJ crackdowns of 2024, 36 people were charged in connection with a $1.1 billion telemedicine and laboratory fraud scheme. Laboratory owners allegedly paid illegal kickbacks and bribes to various entities, including telehealth companies, in exchange for referring orders for unnecessary genetic testing.
Similarly, in 2023, the DOJ charged 11 people in connection with telehealth fraud schemes that involved software and service company leaders generating and selling templates of clinicians' orders for medically unnecessary orthotic braces and pain creams in exchange for kickbacks and bribes.
The rules are becoming more complex and sophisticated, and they change.
Douglas GrimmHead of the healthcare practice and telehealth groups, ArentFox Schiff
"When you have a remote workforce and that lack of day-to-day coming into the office and knowing each other, sometimes you just have people operating out on their islands and working to promote and just doing their little part of the process, and they're their own tree, and they can't see the full forest," Dewald said. "And the fraudsters are the ones who put the forest in place, and then they have all their little individual trees doing their part to facilitate the grander scheme."
However, not all fraud is carried out by bad actors intent on exploiting the system. Douglas Grimm, head of the healthcare practice and telehealth groups at law firm ArentFox Schiff, noted that sometimes telehealth fraud occurs due to the complexity of the legal landscape.
"The rules are becoming more complex and sophisticated, and they change," he said. "We had one set of rules, and then there was a big push to expand or lower the level of intensity of the rules. Then COVID came along, and some of the rules went away, and now COVID is going away, and some, but not all, of the rules are coming back."
What telehealth providers can do to avoid potential fraud
The ever-evolving regulatory landscape can leave even well-intentioned telehealth providers at risk of unknowingly committing fraud. As a result, protecting against fraud is critical for any provider in the virtual healthcare arena.
One significant action telehealth providers can take is to continuously monitor their care delivery protocols to ensure they comply with federal and state laws, which can sometimes conflict. Grimm noted that there are specific rules regarding data privacy and security when working with virtual care technology vendors. Typically, individual technology companies will develop HIPAA-compliant telehealth platforms, but healthcare providers are bound not only by federal HIPAA regulations but also by state-specific laws.
For example, under HIPPA, healthcare providers have 60 days to notify the federal government of a data breach. However, if the state in which the provider is located has a law stating that data breach notifications must occur within 30 days, they are then bound to the 30-day timeline. On the flip side, if the state law says the provider has 80 days to provide data breach notifications, HIPAA supersedes this, mandating that providers notify the government within 60 days.
Grimm suggests getting a healthcare attorney involved early in building a telehealth program to ensure federal and state laws are accounted for. Additionally, he recommends providers work with a health technology vendor that has a comprehensive compliance program.
"They may have sufficient policies and procedures in place, but [it needs to be] consolidated into a compliance program where you have a compliance officer, where you have a data privacy officer, where you have a data security officer, all of which you're required by law," Grimm said.
Another critical action to mitigate fraud risk is to document telehealth visits meticulously. Apicella stated that in telemental healthcare, for example, documentation is essential as reimbursement is usually doled out according to the length of a visit.
"If you have a billing requirement that you need behavioral health visits to be 16 minutes at minimum to be billable, make sure that you have that documented and make sure your bills reflect that," she said. "Make sure that you're doing the requisite audits and that the notes reflect what's in that metadata."
Apicella suggests conducting regular audits using six months to one year of data to determine documentation gaps or billing errors.
Further, regarding telehealth-based prescriptions, healthcare providers should not have auto-refill policies without the appropriate patient encounters, Apicella said. Prescribers must conduct virtual visits with patients and document those visits to detail why the prescriptions are necessary.
The platform a telehealth provider chooses to use can also help mitigate inadvertent fraud risk. Apicella suggested that providers who selected virtual care platforms pre-2020 compare their capabilities to newer platforms launched during the pandemic. The latter may have more robust capabilities that can better support broader telehealth utilization.
Not only must telehealth providers have compliant platforms and protocols in place, but they should also be wary of suspicious payment structures when they work with third parties.
A 2022 special fraud alert released by the HHS Office of Inspector General (OIG) highlighted potential indicators of fraud, such as limited contact between a provider and a patient and reimbursement being tied to the number of services provided.
According to Dewald, one strategy for telehealth providers to avoid falling into an illicit virtual care arrangement is to follow the money.
"How are you being paid? What are you being paid for? How much is it? Am I being compensated for doing something that really doesn't require a lot of effort? Am I authorizing large reimbursements?" he said.
Leading with good judgment and asking the right questions can help physicians avoid being part of a fraud scheme. Dewald added that physicians should not be afraid to raise alarm bells when working with virtual care companies with questionable compliance protocols.
"A compliant company will, regardless of what profitability looks like, shut it down if a physician complains and the complaint appears legitimate," he said.
Ensuring compliance with evolving regulations will continue to be critical for telehealth providers as the DOJ does not appear to be slowing down its enforcement efforts. Dewald, Grimm and Apicella agree that the potential for fraud and consequent government crackdowns will continue to grow as telehealth and other digital health tools become further integrated into healthcare delivery.
The ongoing scrutiny of telehealth means providers must be iron-clad in their compliance efforts and remain vigilant in protecting against fraud.
Anuja Vaidya has covered the healthcare industry since 2012. She currently covers the virtual healthcare landscape, including telehealth, remote patient monitoring and digital therapeutics.
