Building a Compliant and Protected Telehealth Program

Learn how to achieve effective telehealth delivery that meets regulatory requirements while avoiding the pitfalls of fraud.

By Sandra Desautels, Alex Shea

During the COVID-19 Public Health Emergency (PHE), the Centers for Medicare & Medicaid Services (CMS) increased the allowable types of telehealth services from 118 to 264, and private health plans experienced substantial growth in telehealth—now considered a convenient, cost-efficient means to provide needed services that patients and providers alike generally support (with some caveats). While research [1] is still evolving on telehealth’s impact, there’s evidence that its use can lead to fewer ER visits, lower healthcare costs for vulnerable populations, better access to behavioral healthcare, and increased health equity in long-term care. [2]

Now that many CMS-issued temporary waivers expanding access to medical care through telehealth have been made permanent, or left in place until at least December 2024, treatment through telehealth is expected to not only persist in a post-pandemic world but to increase.


A Double-Edged Sword

Without necessary safeguards in place, though, the promise of telehealth can turn into a liability. The flexibilities afforded by pandemic-era accommodations—including waivers for selected Health Insurance Portability and Accountability Act guidelines and out-of-state provider limitations—have helped increase care access and public safety.

They’ve also left the door open for bad actors to exploit existing or new weaknesses in healthcare delivery generally and telehealth specifically. Criminals continue to take advantage of the growing acceptance of telehealth to expand the scope and reach of historic fraud, waste, and abuse (FWA) schemes and to create new ones.


The Regulatory Response

CMS has prioritized investigating telehealth fraud and is monitoring claims data to detect and respond to potential emerging FWA schemes. Similarly, the U.S. Department of Health and Human Services’ Office of Inspector General (OIG) and the U.S. Department of Justice (DOJ) have been increasing scrutiny of telehealth providers and pursuing nationwide enforcement actions.

If you’re a hospital general counsel, health system compliance officer, or legal counsel to provider enterprises, you know that regulatory agencies have already discovered billions of dollars in questionable or fraudulent billings for telehealth services paid for by Medicare and private insurers. For example, the DOJ brought criminal charges [3] in June 2023 against defendants alleged to have participated in one of the nation’s largest telehealth fraud schemes, involving more than $2 billion in phony claims.

Indeed, the DOJ has concentrated its efforts on investigating situations in which defendants appear to place profits above patient care. Some recent telehealth enforcement operations focused on defendants charged with billing unnecessary and fraudulent services involving genetic testing, durable medical equipment, and overutilization. Penalties for telehealth fraud have included multimillion-dollar fines, incarceration, and/or exclusion from Medicare and Medicaid programs.


How to Build a Fraud-Resistant Telehealth Program

What if you’re responsible for building or transforming a health system or provider telehealth delivery offering? What should you be doing to mitigate telehealth fraud risks?

To help facilitate telehealth’s potential for driving down costs and improving equity and access, you’ll need to develop or adapt your telehealth approaches with fraud tools and regulatory compliance as top priorities. The following information may help you understand and identify relevant risks.


1. Know your ever-changing and evolving telehealth risks

Understanding the most prevalent schemes in telehealth fraud is essential to its analysis, detection, and prevention. In many cases, bad actors have been repurposing common fraud schemes in traditional healthcare delivery and applying them to telehealth services. Here are some examples of common schemes and their accompanying red flags, which are helpful to consider when configuring systems to trigger internal investigations when they arise.


Telemarketing companies using deceptive practices to overbill
While there’s nothing inherently suspect about providers hiring telemarketers to expand their patient populations, regulators have focused their enforcement efforts on telemarketing companies that use deceptive marketing practices to obtain new patients for the purpose of overbilling healthcare programs.

Some marketing companies offer free services to patients in exchange for personal information, which is then used to submit excessive, unnecessary claims on those patients’ behalf. Some genetic testing labs and durable medical equipment companies have commonly been associated with this scheme as well, offering kickbacks for the referral of services.

Red flags include:

  • Billing for a telehealth service and ordering medical equipment for a high proportion of patients.
  • Not spending sufficient time with the patient to adequately assess the medical necessity of services or items being billed.


Billing for telemedicine services that should be in-office
Physicians must use caution when billing for services that are not typically provided through telehealth. Certain codes should not be billed through telehealth because a doctor would not be able to properly assess a patient’s condition remotely or because it’s not approved as a telehealth service by CMS.

Red flags include:

  • Claims involving certain types of providers or services (such as orthopedic specialists or anesthesia services) that are not typically feasible for telehealth delivery.
  • Billing for a telehealth visit when an in-person visit is needed for proper care and evaluation.


Billing telehealth for a high number of beneficiaries, services, and days
Healthcare providers who bill for significantly high volumes of telehealth services are likely to draw CMS’s attention. The same applies to patients who receive an unusually large volume of telehealth services. In both scenarios, the identified outliers could be an indicator of fraud that would require further investigation.

Red flags include:

  • “Impossible or improbable day” scenarios where a telehealth provider bills for more than 24 hours in a day or for a high number of days a year (recognizing that this situation could occur without actual fraud in cases where a healthcare professional is allowed to bill for certain services using someone else’s provider number).
  • A provider bills for multiple telehealth and telemedicine services for the same patient during a short period.
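The "impossible day" red flag above and the earlier telehealth-plus-equipment red flag can both be expressed as checks over claims data. The following is an added example, not code from this article or from the OIG toolkit; the claim fields, provider IDs, and the 0.5 review threshold are assumptions, and the sample claims are constructed.

```python
from collections import defaultdict

DAY_MINUTES = 24 * 60      # the article's "more than 24 hours in a day"
DME_RATIO_LIMIT = 0.5      # assumed review threshold, tune per organization

# Constructed claims: (billing_id, rendering_id, patient, date, kind, minutes)
CLAIMS = [
    ("P1", "P1", "A", "2023-03-01", "telehealth", 600),
    ("P1", "P1", "B", "2023-03-01", "telehealth", 500),
    ("P1", "P1", "C", "2023-03-01", "telehealth", 400),
    ("P1", "P1", "A", "2023-03-02", "dme_order", 0),
    ("P1", "P1", "B", "2023-03-02", "dme_order", 0),
    ("P1", "P1", "C", "2023-03-03", "dme_order", 0),
    ("P2", "P2", "H", "2023-03-01", "telehealth", 800),
    ("P2", "N7", "I", "2023-03-01", "telehealth", 800),
    ("P3", "P3", "D", "2023-03-01", "telehealth", 30),
    ("P3", "P3", "E", "2023-03-01", "telehealth", 30),
    ("P3", "P3", "F", "2023-03-02", "telehealth", 30),
    ("P3", "P3", "G", "2023-03-02", "telehealth", 30),
    ("P3", "P3", "D", "2023-03-04", "dme_order", 0),
]

def impossible_days(claims, limit=DAY_MINUTES):
    """Billing provider/day pairs whose telehealth minutes exceed `limit`."""
    minutes, renderers = defaultdict(int), defaultdict(set)
    for billing, rendering, _patient, date, kind, mins in claims:
        if kind == "telehealth":
            minutes[(billing, date)] += mins
            renderers[(billing, date)].add(rendering)
    # The renderer count lets a reviewer separate a shared provider number
    # from one clinician billing more hours than a day contains.
    return sorted((b, d, m, len(renderers[(b, d)]))
                  for (b, d), m in minutes.items() if m > limit)

def dme_order_ratio(claims):
    """Per billing provider: share of telehealth patients with a DME order."""
    seen, ordered = defaultdict(set), defaultdict(set)
    for billing, _rendering, patient, _date, kind, _mins in claims:
        if kind == "telehealth":
            seen[billing].add(patient)
        elif kind == "dme_order":
            ordered[billing].add(patient)
    return {b: len(seen[b] & ordered[b]) / len(seen[b]) for b in seen}

def review_queue(claims):
    """Leads for internal review, not findings of fraud."""
    leads = [("impossible_day",) + hit for hit in impossible_days(claims)]
    ratios = sorted(dme_order_ratio(claims).items())
    return leads + [("dme_ratio", b, r) for b, r in ratios if r > DME_RATIO_LIMIT]
```

In the sample, P2 exceeds 24 hours only because two clinicians billed under one number, which is the non-fraud case the bullet above notes; the renderer count in each lead surfaces that for the reviewer.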

As part of your Governance & Integrity program strategy, conduct regular fraud risk and program assessments that allow you to identify and prioritize relevant risks. Ongoing risk identification activities also help create a culture of compliance in which internal controls are monitored to prevent improper claims submissions.


2. Be proactive in mitigating your telehealth fraud risks

The best practice in mitigating your known telehealth risks, including the schemes previously mentioned, is implementing controls that can analyze large amounts of claims data and proactively detect potential anomalies before claims are approved or money goes out the door. By establishing an effective system with controls that are regularly reviewed and tested, you lower the risk of potential fraud, ensure the integrity of healthcare systems, and provide a defensible argument if faced with government scrutiny.

Conducting a fraud technology controls review will help determine if your current claims analytics tools need tuning or if new tools are needed. We have found that organizations often have the right tools but are not optimizing them. These tools often include:

  • Intelligent Classification and Clustering
  • Peer Grouping and Network Generation
  • Lookback and Damages Analyses
  • Referral Pattern Analysis (e.g., Identification of Stark Law Issues)
  • Statistical Sampling and Extrapolation
  • Machine Learning models that identify fraud characteristics


3. Comply with U.S. regulatory guidance

CMS, DOJ, and OIG acknowledge emerging fraud trends in telehealth services and the need to provide guidance to combat them. Together, they emphasize the importance of creating and implementing systems and proactive data analytics to detect telehealth FWA schemes. OIG has reinforced the need to strengthen monitoring and oversight of telehealth services by developing the “Analyzing Telehealth Claims to Assess Program Integrity Risks” toolkit. [4]

This toolkit provides a uniform approach to analyzing telehealth claims data and identifying areas where additional safeguards may be necessary. The analyses can also help spotlight billings that might pose a FWA risk and warrant further scrutiny. The toolkit includes detailed descriptions of seven data analysis measures that can be applied to your own data. You can also modify the measures to meet your organization’s individual needs, such as identifying providers at varying levels of FWA risk.


4. Make sure you are providing regular, frequent patient and provider education

CMS stresses the importance of creating robust awareness programs for patients and healthcare providers alike about potential telehealth FWA schemes. It is important to provide an effective communication system and workflow that encourages, investigates, and responds to patient and provider questions, feedback, and tips about possible schemes. To be effective, such communication programs should be implemented through multiple channels and could include an acknowledgment component on certain electronic forms, or prominent whistleblower hotline details.

It is equally important to align such communications with your compliance program to ensure there is swift action to minimize the impact. For instance, ensure that whistleblower allegations of FWA are directed to a responsible person for action and review.


5. A necessary transition to reducing risks

While the PHE accelerated the use and acceptance of telehealth, it also contributed to its use by bad actors to commit fraud. As we transition to a post-pandemic era, it’s now more important than ever for health systems and providers to adapt their risk profiles and implement appropriate controls to mitigate the evolving and growing fraud risks related to telehealth services. Guidehouse will help you develop a framework that combines governance, assessment, fraud prevention and detection, as well as monitoring and reporting.

Guidehouse’s Financial Crime, Fraud, & Investigative Services (FFI) practice is composed of experienced professionals including former regulators, federal prosecutors, attorneys, compliance professionals, and law enforcement officers responsible for preventing, detecting, and remediating fraud risks, enhancing controls, assessing compliance programs, and helping address anti-bribery and anti-corruption matters. Our team members have substantive data analytics experience and IT skills to assist clients in responding to regulatory enforcement actions, audits, inquiries, and investigations.

Susan Frisco, Associate Director

1. “Research Articles and Papers |” n.d.
2. “Telehealth Is Key to Achieving Health Equity in Long-Term Care.” n.d.
3. “Office of Public Affairs | National Enforcement Action Results in 78 Individuals Charged for $2.5B in Health Care Fraud | United States Department of Justice.” 2023. June 28, 2023.
4. “Toolkit: Analyzing Telehealth Claims to Assess Program Integrity Risks.” n.d.
