It’s well known among health IT stakeholders that increased use of technology increases the risk of healthcare fraud and, in turn, government scrutiny. Telehealth providers learned this lesson firsthand as usage surged to unprecedented levels during the COVID-19 pandemic and the Department of Justice began scrutinizing the telehealth sector more closely.
The Justice Department has been cracking down on telehealth-related health care fraud in recent years, with enforcement actions from 2020 to 2023 resulting in criminal charges against more than 175 people and more than $8 billion in alleged telehealth fraud, according to one estimate.
Health care law experts said the unique features of telehealth that benefit patients also increase the potential for fraud.
“For the last five, maybe six years, telehealth has been one of the Department of Justice’s most significant enforcement focuses,” said Jay Dewald, director of U.S. health care investigations at law firm Norton Rose Fulbright and a former federal prosecutor. “Telehealth can be deployed very effectively to provide patient care where none exists or to provide care in the homes of people who shouldn’t be out. That said, distance and the deployment of the technology pose problems. [and] Possible fraud.”
Telehealth providers are ultimately responsible for complying with regulations and avoiding fraud. In addition to staying current on regulatory changes, providers should understand how the DOJ is working to crack down on fraud in the telehealth space and establish protocols to mitigate the risk of fraud.
What Telehealth Providers Can Learn from Recent Department of Justice Enforcement Actions
Telehealth was under the Department of Justice scrutiny even before the pandemic, but enforcement actions have increased in recent years, with one case in particular offering a cautionary tale for telehealth providers: the prosecution of Done Health.
In June, the Department of Justice arrested and indicted executives of telemental health company Done Health on charges of distributing Adderall and committing health care fraud. Done Health founder and CEO Lucia Ho and clinical director David Brody, M.D., are accused of directing Done prescribers to prescribe Adderall and other stimulants to medical consumers even when they did not qualify, and of limiting initial consultations with patients to 30 minutes or less.
Dewald said Dorn’s indictment contains some of the hallmarks of telehealth fraud, including the payment of kickbacks.
“The fundamental element of this is the payment of bribes,” he says. “In almost every one of these announcements, you’ll see bribes to doctors, to marketers, and even to the companies themselves. And without those bribes — without the multi-level marketing kind of money flowing to the people who are actually making it happen — these schemes often couldn’t even exist.”
In the Done case, He allegedly created a compensation structure that paid Done prescribers only for the number of patients who filled prescriptions, rather than the time spent in office visits, telemedicine consultations, or caring for patients beyond the initial consultation.
And when you combine that with drug distribution, especially controlled drug distribution, the Department of Justice is going to take that very seriously, because they’re going to be looking at the use of telehealth. [be linked to] Electronic Prescribing of Unnecessary Medications and Controlled Substances. Jolie Apicella, Partner, Wiggin and Dana LLP
This indictment is particularly pertinent because mental health care is one of the most common use cases for telehealth: While the number of telehealth visits fell 45.8% from Q2 2020 to Q4 2022, the share of telehealth visits for behavioral health conditions jumped from 41.8% in Q1 2020 to 62.8% in Q4 2022.
“And when you combine that with drug distribution, especially controlled drug distribution, the Department of Justice is going to take that very seriously, because they’re going to be looking at whether the use of telehealth is [be linked to] “They’re e-prescribing medicines and controlled substances that they don’t need,” said Jolie Apicella, a partner at the law firm Wiggin & Dana LLP, “and that’s exactly what we saw in the Dawn case.”
Done’s case illustrates one of the worst-case scenarios in which virtual prescribing capabilities are not limited, and could impact the Drug Enforcement Administration’s (DEA) decision-making regarding telehealth prescribing.
In 2023, the DEA announced that it would end regulatory flexibilities that allowed health care providers to remotely prescribe Schedule II controlled substances, such as Adderall, Oxycodone, Vicodin, and Ritalin, without a prior in-person consultation. After significant backlash from the industry, the DEA backed down and agreed to extend the flexibilities through the end of 2024.
“It’s definitely a difficult balance,” Apicella said. “I think the same thing happened in the opioid space, because obviously people need painkillers, but opioids are highly addictive. So it’s a difficult problem for the DEA, and I think it’s the same thing here.”
Outside of virtual prescriptions, telehealth-related healthcare fraud schemes typically lack a true doctor-patient relationship and involve aggressive marketing and upselling. Dewald noted that seniors and people with disabilities are particularly vulnerable to schemes in which doctors spend little to no time with patients to authorize treatments, such as ordering medications, tests or durable medical equipment.
In fact, one of the Justice Department’s largest crackdowns of 2024 saw 36 people indicted in connection with a $1.1 billion telemedicine and testing fraud scheme. Laboratory owners allegedly paid illegal kickbacks and bribes to various entities, including telemedicine companies, in exchange for referring orders for unnecessary genetic tests.
Similarly, in 2023, the Department of Justice indicted 11 people in connection with a telemedicine fraud scheme in which the leader of a software and services company created and sold templates of clinician orders for medically unnecessary orthotics and pain-relieving creams in exchange for kickbacks and bribes.
The rules are becoming more complex, sophisticated and changing. Douglas Grimm, head of Arent Fox Schiff’s Healthcare Practice and Telehealth Group
“When you have remote employees and they don’t have the opportunity to come into the office every day and get to know each other, sometimes you end up in a situation where employees are isolated and doing their own part of the promotion or the process, and they’re only looking at their own trees and not the whole forest,” Dewald says. “And so the scammers trim the forest, and then their little trees do their thing and facilitate the bigger scheme.”
But not all fraud is perpetrated by bad actors looking to game the system. Telehealth fraud can occur due to complex legal environments, said Douglas Grimm, head of the health care practice and telehealth group at law firm Arent Fox Schiff.
“The rules are becoming more complex and more sophisticated and changing,” he said. “Initially there was one rule, then there was a big movement to expand and reduce the level of stringency of the rules. Then COVID-19 hit, some of the rules were repealed, and now COVID-19 is receding, some of the rules are coming back, but not all of them.”
What telehealth providers can do to avoid potential fraud
The regulatory environment is constantly changing and even well-intentioned telehealth providers may be at risk of unknowingly committing fraud, which is why fraud protection is so important for all providers in the virtual health space.
One important action telehealth providers can take is to continually monitor their care delivery protocols to ensure they are in compliance with potentially conflicting federal and state laws. Grimm noted that when working with virtual care technology vendors, there are specific rules around data privacy and security. Typically, individual technology companies develop HIPAA-compliant telehealth platforms, but providers must follow state-specific laws as well as federal HIPAA regulations.
For example, HIPPA requires that healthcare providers notify the federal government of a data breach within 60 days. However, if the state in which the healthcare provider is located has a law that requires notification of a data breach within 30 days, the healthcare provider is bound by the 30-day deadline. Conversely, if state law requires that healthcare providers notify the government within 80 days, HIPAA supersedes this and requires the healthcare provider to notify the government within 60 days.
Grimm suggests involving a healthcare lawyer early on in building a telehealth program to ensure federal and state laws are followed. Additionally, he encourages healthcare providers to work with health technology vendors that have comprehensive compliance programs.
“There may be adequate policies and procedures in place, [it needs to be] “We’re integrating it into a compliance program where we have compliance officers, data privacy officers, data security officers, all of which are required by law,” Grimm said.
Another important measure to mitigate the risk of fraud is to keep careful records of telehealth visits. Apicella says that in telepsychiatry, for example, reimbursement is typically based on the length of time spent in the clinic, so documentation is essential.
“If your billing requirements state that behavioral health consultations must be a minimum of 16 minutes, make sure you document that and reflect it in your billing,” she said. “Perform any necessary audits and make sure your notes reflect what the metadata is.”
Apicella suggests conducting regular audits using six months to a year’s worth of data to identify missing documentation or billing errors.
Additionally, when it comes to telemedicine-based prescriptions, Apicella said providers shouldn’t have an auto-refill policy without a proper patient meeting. Prescribers should conduct a virtual meeting with the patient and document that meeting to detail why the prescription is needed.
The platform a telehealth provider chooses to use can also help mitigate the risk of inadvertent fraud. Apicella suggested that providers who selected a virtual care platform before 2020 compare its features with newer platforms that have launched during the pandemic, as the latter may have more robust features that can better support broader telehealth use.
Not only do telehealth providers need to have compliant platforms and protocols in place, but they also need to be wary of questionable payment structures when working with third parties.
A special 2022 fraud alert released by the HHS Office of Inspector General (OIG) highlighted potential indicators of fraud, such as limited provider-patient contact and reimbursement being tied to the number of services provided.
Dewald said one strategy telehealth providers have to avoid falling victim to illegal virtual care contracts is to follow the money.
“How are they being paid? What are they being paid for? How much? Are they being paid for things that don’t require a lot of effort? Are they approving big refunds?” he said.
Using good judgment and asking the right questions can help doctors avoid getting caught up in fraud schemes, Dewald said, adding that doctors shouldn’t be afraid to sound alarm bells when working with virtual care companies with questionable compliance protocols.
“If a doctor files a complaint and the complaint appears to be valid, a compliant company will shut it down regardless of profitability,” he said.
Ensuring compliance with evolving regulations will remain important for telehealth providers, as the Department of Justice shows no signs of slowing down its enforcement efforts. As telehealth and other digital health tools become further integrated into health care delivery, the potential for fraud and associated government crackdowns will continue to grow, Dewald, Grimm and Apicella agree.
The ongoing scrutiny of telehealth means that healthcare providers need to be rigorous in their compliance efforts and remain vigilant in defending against fraudulent activity.
Anuja Vaidya has been in the healthcare industry since 2012. He currently focuses on the virtual healthcare space including telehealth, remote patient monitoring and digital therapeutics.
