The COVID-19 pandemic rapidly expanded telemedicine use. Telehealth currently addresses everything from routine to pandemic-related care.
To facilitate this expansion, federal healthcare programs have loosened, at least temporarily, telehealth restrictions.
These eased restrictions, however, create increased opportunities for healthcare fraud and abuse, including Anti-Kickback Statute (AKS) and False Claims Act (FCA) violations.
Recent telehealth regulation changes and telehealth scrutiny
The Department of Health and Human Services (HHS) and the Centers for Medicare & Medicaid Services adjusted their telehealth requirements to expand telehealth’s ability to serve patients during the pandemic:
- Patients no longer need to reside in designated rural areas or have preexisting relationships with their providers.
- Patients can have their telehealth appointments from the convenience and safety of their homes without traveling to medical facilities.
- More services can now be offered via telehealth, including evaluations to determine continued eligibility for hospice care.
- Telehealth providers can waive patient deductibles and copayments without penalties for offering impermissible kickbacks.
- In some circumstances, Medicare and Medicaid no longer require physicians to be licensed in the state in which their patients are located.
- Providers can use a number of everyday communication technologies to provide telehealth services without being fined by HHS’ Office for Civil Rights. Providers are, however, required to make good faith efforts to protect patients’ privacy, including, among other things, enabling all available encryption and privacy settings and notifying patients of the increased risk of using such technologies.
Despite these changes, some constants remain, such as the scrutiny telehealth providers face from regulators, particularly for AKS and FCA violations.
In the past year, well before the rise of COVID-19, telehealth providers saw two of the biggest Department of Justice (DOJ) takedowns in history for rampant kickback and fraudulent billing schemes. First, in April 2019, the DOJ charged 24 telemedicine and durable medical equipment company executives and physicians for allegedly paying $1.2 billion in illegal kickbacks and bribes related to prescribing unnecessary back, wrist, shoulder and knee braces.
Second, in September 2019, the DOJ charged 35 individuals in a $2.1 billion fraudulent Medicare billing scheme involving alleged kickbacks to telehealth providers ordering genetic tests. Regulators made clear that COVID-19 will not reduce their focus on prosecuting wrongdoing.
For example, the DOJ recently arrested a Georgia man for his alleged role in a conspiracy involving unnecessary COVID-19 tests. Pandemic or not, the telehealth industry is firmly in the crosshairs of heightened government scrutiny and oversight.
Changed regulations may increase, rather than decrease, enforcement actions
While easing regulations leads many to assume a decrease in enforcement actions, enforcement actions may increase as regulators respond to new opportunities for fraud. Specifically, telehealth services make it easier for fraudsters to pose as physicians and lure patients into sharing their protected health information or installing malware on their devices.
The relaxed telehealth regulations greatly expand the number of patients for whom fraudulent claims can be submitted. Reduced cybersecurity requirements for telehealth communications increase the risk of hackers intercepting or stealing the protected health information necessary to submit fraudulent claims or commit healthcare identity theft.
Such practices will not go unchecked, and telehealth providers should establish protocols to keep from being unwittingly pulled into the crosshairs. Here are 10 considerations to reduce the risk of enforcement action:
- Establish mechanisms to verify patient identity.
- Establish or maintain protocols for informed consent and beneficiary initiation.
- Identify states that have waived in-state licensure requirements for telehealth, and establish protocols for disengaging telehealth with patients where the provider is not licensed in the patient's state after the pandemic emergency is lifted.
- Establish practice standards for patient examinations and remote prescribing.
- Document and maintain patient encounter records, including all regularly mandated documentation (such as patient eligibility for hospice care).
- Properly code telehealth services to ensure coverage.
- Review vendor agreements and patient incentives to ensure compliance with the AKS, FCA and Civil Monetary Penalties Law.
- Ensure compliance with state credentialing and scope of practice requirements.
- Establish privacy and security protocols for telehealth offerings and related systems.
- Notify patients of the increased risk of privacy issues when using telehealth services and strongly consider using telehealth vendors willing to execute a HIPAA-compliant business associate agreement.
Patricia Carreiro and Erin Hoyle are attorneys at Carlton Fields. Ms. Carreiro is a data privacy and cybersecurity litigation attorney. Ms. Hoyle is a white-collar crime defense attorney.