Telemedicine has long promised to expand access to health care. While telemedicine has historically been focused on rural and remote areas, the COVID-19 pandemic has redefined the reach of remote health care, and regulators and enforcement authorities have followed suit.
For example, in March 2020, the Centers for Medicare & Medicaid Services (CMS) announced that it would temporarily allow all Medicare beneficiaries to receive telehealth services from any location, including their homes.1 CMS also temporarily expanded the types of health care providers that can offer telemedicine services, and allowed providers to bill for telemedicine services at the same rate as in-person services. The HHS Office for Civil Rights announced that it would exercise enforcement discretion and waive potential penalties for HIPAA violations against providers who use widely available communications technologies (e.g., Skype) in good faith for telehealth treatment or diagnostic purposes.2
These regulatory flexibilities were followed by a rise in telemedicine use. According to a HHS report published on July 28, 2020,3 in February 2020—the month before President Trump declared the pandemic a national emergency—less than one percent (0.1%) of Medicare primary care visits were provided through telehealth. In April 2020, nearly half (43.5%) of these visits were provided through telehealth. Further, only 14,000 CMS beneficiaries received a telehealth service each week in the pre-pandemic world. A combined 10.1 million beneficiaries received a telehealth service in the period from mid-March through early-July.
These regulatory flexibilities, however, have created opportunities for fraud and abuse, and thus prompted a new priority area for enforcement and compliance. Recent enforcement efforts led by the U.S. Department of Justice (DOJ) allege that telemedicine has facilitated billions in false and fraudulent claims to health care programs. As remote health care continues to scale, this increased scrutiny is poised to grow.
The focus on telemedicine enforcement: Examining recent enforcement actions
The DOJ signaled its growing interest in fraud and abuse facilitated by telemedicine in 2019, prior to CMS temporarily expanding the scope of reimbursable telemedicine services. In April 2019, the DOJ charged 24 individuals, who were associated with five telemedicine companies and 130 medical equipment companies, for their alleged participation in health care fraud schemes that billed Medicare for over $1.2 billion in unnecessary durable medical equipment (DME).4 In general, the alleged schemes began with call centers, including off-shore call centers, contacting Medicare patients to solicit their personal information. The unsuspecting Medicare patients would then have a remote "consultation" with a medical provider, who then ordered prescriptions for the unnecessary medical equipment. Finally, the medical equipment companies fulfilled the orders, billed Medicare, and sent kickbacks to the original conspirators. In September 2019, the DOJ charged 35 individuals for their alleged participation in a similar telemedicine scheme (this time involving cancer genetic testing laboratories and medically unnecessary cancer genetic tests) that was responsible for over $2.1 billion in losses.5
Enforcement scrutiny has expanded during the pandemic. In April 2020, for example, the DOJ charged an owner of two Georgia-based telemedicine companies and others for participating in a scheme that allegedly involved over $60 million in fraudulent claims.6 The prosecution is part of a series of cases that implicate a range of service providers in the telemedicine ecosystem—physicians, telemedicine companies, patient data brokers, and DME companies—totaling a combined $480 million in fraud. Pleadings in the case highlight how the individuals behind the schemes would identify providers who would write orders for the DME billed to federal health programs, and then pay these providers a fee for each diagnostic consultation.
Most recently, in September 2020, as part of a nationwide operation, the DOJ charged hundreds of defendants for their alleged role in submitting $4.5 billion in false and fraudulent claims to federal health care programs and private insurers related to telemedicine, following a similar pattern.7 The breadth of these cases covered not only DME orders, but the use of telemedicine to cause the submission of medically unnecessary pharmaceutical, laboratory, and other claims to federal payors.
Returning to the status quo is unlikely: What to expect for future telemedicine enforcement actions
As the expansion of telemedicine enables providers to broaden the scope of patient care, these investigations show that the opportunities for fraud and abuse will follow suit and investigations and enforcement actions will increase. The DOJ and HHS-OIG will continue to increase their scrutiny of the manner in which care is being provided through the expanded telehealth platforms to ensure that the lack of direct patient care does not cultivate an environment in which fraud can occur. The prior investigations, for example, demonstrate that there can be a real risk of payments in violation of the federal Anti-Kickback statute, warranting increased compliance review of new telemedicine offerings.
From a risk/compliance perspective, providers should be cautious of the convenience that telemedicine offers. Enforcement actions will likely target arrangements where providers appear to be offering shorter telemedicine visits with patients in order to maximize billing. Investigators may be similarly drawn to providers with an increased number of new engagements that appear to lack a genuine patient relationship. Regulators are likely analyzing how historical data from in-person patient visits compares to that of remote visits, in order to identify outlier providers. Patient confirmations regarding their visits and resulting treatment may later serve to guard against claims of so-called "phantom visits" and unnecessary services.
Though the virus is far from defeated, providers should begin considering their telemedicine systems and practices in a post-pandemic world. A full return to the status quo is unlikely. Indeed, CMS has already proposed a rule that, if finalized, would permanently add several services to the Medicare telehealth services list.8 At the same time, many of the temporary regulatory flexibilities were issued, in part, pursuant to the President's March 13, 2020, order designating the coronavirus outbreak a national emergency, and may therefore expire when the designation is lifted. Careful attention to both enforcement actions and regulatory developments will be essential.
2 See https://www.hhs.gov/about/news/2020/03/17/ocr-announces-notification-of-enforcement-discretion-for-telehealth-remote-communications-during-the-covid-19.html#:~:text=Today%2C%20the%20Office%20for%20Civil,serve%20patients%20through%20everyday%20communications.
Great (Data) Expectations
The world’s most sophisticated ‘big data’ and technology companies are advised by law firms. This will continue as organizations operate in increasingly complex regulatory regimes.