OIG Intensifies Scrutiny of Telehealth Fraud and Abuse in Medicare and Medicaid Work Plan

Introduction

The Office of Inspector General (OIG) for the U.S. Department of Health and Human Services (HHS) plays a critical role in protecting the integrity of federal healthcare programs, including Medicare and Medicaid. With the rapid expansion of telehealth services, particularly accelerated by the COVID-19 public health emergency (PHE), the OIG has significantly ramped up its oversight activities. Its annual Work Plan consistently highlights ongoing and new audits, evaluations, and investigations aimed at identifying and preventing fraud, waste, and abuse in telehealth. This sustained focus underscores the OIG's commitment to ensuring that telehealth services are medically necessary, appropriately delivered, and correctly billed.

Understanding the OIG Work Plan

The OIG Work Plan is a publicly available document that outlines the OIG's planned audits, evaluations, and investigations for the upcoming fiscal year, as well as ongoing projects. It serves as a roadmap for the agency's oversight activities, signaling areas of heightened scrutiny to healthcare providers and stakeholders. For telehealth, the Work Plan has consistently featured projects related to:

• Appropriateness of Telehealth Services: Evaluating whether telehealth services were medically necessary and whether the modality used was appropriate for the patient's condition and the service rendered.
• Billing and Coding Compliance: Assessing whether providers are correctly billing for telehealth services, adhering to specific CPT codes, modifiers, and place of service requirements.
• Program Integrity Risks: Identifying vulnerabilities in telehealth programs that could lead to fraud, such as billing for services not rendered, upcoding, or providing medically unnecessary services.
• Provider Licensure and Location: Ensuring providers are appropriately licensed in the state where the patient is located at the time of the telehealth service.
• Telehealth During and Post-PHE: Analyzing the impact of temporary flexibilities granted during the PHE and evaluating the risks associated with their potential permanence or expiration.

For instance, the OIG's Work Plan for Fiscal Year (FY) 2024, building on previous years, includes projects specifically targeting telehealth. These may involve reviews of specific provider types, types of services, or geographic areas. The OIG's approach is often data-driven, using claims data to identify outliers or unusual billing patterns that warrant further investigation.

Key Areas of OIG Telehealth Scrutiny

Several recurring themes emerge from the OIG's telehealth oversight activities:

1. Medical Necessity and Documentation

The cornerstone of compliant healthcare billing is medical necessity. For telehealth, this means demonstrating that the virtual service was clinically appropriate for the patient's condition and that an in-person visit was not required or feasible. OIG audits frequently examine patient medical records to verify that documentation supports the billed services. Insufficient or generic documentation is a common reason for recoupments and penalties.

2. Billing and Coding Accuracy

Telehealth billing has specific nuances, including the use of appropriate CPT codes, modifiers (e.g., 95 for synchronous telehealth), and place of service (POS) codes (e.g., POS 02 for telehealth provided other than in a patient's home, or POS 10 for telehealth provided in a patient's home). Errors in these areas, whether intentional or unintentional, can lead to incorrect payments and trigger OIG scrutiny. The OIG also looks for instances of upcoding, where a more complex or expensive service is billed than was actually provided.

3. Fraud Schemes and Vulnerabilities

The OIG has identified several common fraud schemes involving telehealth, including:

• Billing for services not rendered: Providers billing for telehealth visits that never occurred.
• Unnecessary services: Ordering or providing medically unnecessary tests, equipment, or services via telehealth, often in conjunction with marketing schemes.
• Identity theft: Using stolen beneficiary information to bill for fraudulent telehealth services.
• Kickbacks: Offering or receiving remuneration for patient referrals or ordering services, often disguised as marketing or administrative fees.

4. Prescribing Practices via Telehealth

Another significant area of concern for the OIG, often in conjunction with the DEA, is the prescribing of controlled substances via telehealth. While temporary flexibilities were granted during the PHE, the OIG continues to monitor for inappropriate prescribing practices, particularly for opioids and other high-risk medications. This includes ensuring proper patient evaluation, monitoring, and adherence to state and federal prescribing guidelines.

5. Telehealth Equipment and Devices

Beyond professional services, the OIG also scrutinizes the provision of durable medical equipment (DME) and other medical devices ordered via telehealth. This often involves examining whether the equipment was medically necessary, properly prescribed, and whether there were any improper financial relationships between providers and DME suppliers.

Enforcement Actions and Trends

The OIG's work plan projects often culminate in reports detailing findings and recommendations, and in more severe cases, lead to enforcement actions in collaboration with the Department of Justice (DOJ). Recent years have seen numerous enforcement actions related to telehealth fraud, resulting in significant monetary penalties, corporate integrity agreements (CIAs), and even criminal charges. These cases often highlight schemes involving large-scale billing for medically unnecessary services, often facilitated by aggressive marketing tactics and improper kickbacks.

For example, the OIG has participated in national health care fraud enforcement actions that have included significant components related to telehealth fraud, targeting schemes that exploited the expansion of telehealth during the PHE. These actions serve as a stark reminder of the OIG's proactive stance.

Implications for Healthcare Businesses

Healthcare businesses, including telehealth platforms, medspas, dental practices, and chiropractic offices, must recognize that the OIG's focus on Medicare and Medicaid telehealth fraud creates a significant compliance benchmark. Even if a practice primarily serves private pay or commercial insurance patients, the principles of medical necessity, accurate documentation, and anti-fraud measures are universally applicable and often adopted by other payers and state regulatory bodies.

Key Compliance Considerations:

1. Robust Compliance Program: Implement and maintain an effective compliance program that includes policies and procedures specific to telehealth services, regular risk assessments, and ongoing staff training.
2. Documentation Excellence: Ensure all telehealth encounters are meticulously documented, clearly demonstrating medical necessity, patient consent, and the appropriateness of the virtual modality. This includes documenting the patient's location, the provider's location, and the technology used.
3. Accurate Billing and Coding: Stay updated on the latest billing and coding guidelines for telehealth, including specific CPT codes, modifiers, and place of service codes. Conduct regular internal audits of billing practices.
4. Licensure and Scope of Practice: Verify that all providers are appropriately licensed in the state where the patient is located at the time of service and that services are within their professional scope of practice.
5. Anti-Kickback Statute and Stark Law Compliance: Scrutinize all financial arrangements, particularly with marketing companies, lead generators, and third-party vendors, to ensure compliance with federal anti-kickback statutes and Stark Law (if applicable).
6. Prescribing Protocols: If prescribing controlled substances via telehealth, adhere strictly to federal and state regulations, including the Ryan Haight Act and any state-specific requirements for initial in-person exams or subsequent monitoring.
7. Data Security and Privacy: Ensure robust safeguards are in place to protect patient health information (PHI) during telehealth encounters, complying with HIPAA and other relevant privacy regulations.

Conclusion

The OIG's consistent inclusion of telehealth fraud and abuse in its Work Plan signals an enduring commitment to program integrity in the virtual care space. Healthcare providers and businesses leveraging telehealth must view this as a clear directive to prioritize compliance. Proactive measures, including comprehensive compliance programs, meticulous documentation, and adherence to billing and ethical standards, are essential to navigate this heightened regulatory environment successfully and mitigate the significant risks associated with OIG scrutiny.

Sources

• Office of Inspector General (OIG) Work Plan: https://oig.hhs.gov/reports-and-publications/workplan/
• OIG Telehealth Reports and Resources: https://oig.hhs.gov/reports-and-publications/telehealth/
• OIG Enforcement Actions (Search for Telehealth): https://oig.hhs.gov/newsroom/news-releases/