Telehealth is here to stay: Steps companies can take to maintain compliance

With the complexities and lockdowns of the COVID-19 pandemic, telehealth became essential in providing health care to millions of Americans. What was once a tool to connect rural patients to urban doctors, telehealth became a staple to help provide care for all patients. During COVID, to facilitate telehealth for more patients, federal and state regulators relaxed laws to allow more people easier access to this technology. For instance, Congress enacted telehealth waiver rules, which loosened Medicare coverage requirements by increasing the population eligible to receive telehealth treatments. The U.S. Centers for Medicare & Medicaid Services and many states also relaxed licensure requirements to allow doctors to provide telehealth services across state lines more easily.

Unfortunately, along with these more permissive regulations came the misuse of telehealth to facilitate fraud by certain bad actors. In July 2022, the Department of Health and Human Services (HHS) Office of the Inspector General issued a special fraud alert warning practitioners about fraud schemes relating to telehealth and the potential for these schemes to implicate the Federal Anti-Kickback Statute, False Claims Act and other federal laws. The alert highlighted a list of suspect characteristics to look out for when working with telehealth companies, including recruiting patients for free or low-cost items or services, compensating practitioners based on the number of prescriptions written, and offering only one type of product, among others.

On the same day that HHS issued its alert, the Department of Justice (DOJ) announced criminal actions against 36 defendants accused of $1.2 billion in fraudulent schemes involving telemedicine, cardiovascular and cancer genetic testing, and durable medical equipment. These schemes allegedly involved illegal kickbacks in exchange for referrals for unnecessary tests and medical equipment, which were made after a short virtual interaction with the patient or no patient contact at all.

These investigations came on the heels of a series of DOJ enforcement actions from 2019 to 2021 related to telehealth, which involved more than $8 billion in fraud. They also followed the launch of the DOJ’s investigation into Cerebral, a provider of virtual mental health services. The Cerebral investigation focuses on telehealth prescribing practices of certain controlled substances. Through these and other investigations, the DOJ has signaled its heightened scrutiny into telehealth and its commitment to investigate any potential fraud linked to telehealth.

Related: Mental health startup Cerebral admits sharing health data with Facebook, Google, TikTok

With the worst of the pandemic (hopefully) behind us, federal regulators are considering methods to tighten regulations in the telehealth sphere to address the widespread fraud and also to keep the tool accessible for those who need it. This article explores those federal regulations and proactive steps that telehealth companies may consider to mitigate risk in this evolving space.

The DEA’s and HHS’ proposed telehealth rules and potential side effects

The virtual prescriptions underlying the Cerebral investigations became possible during the pandemic when the Drug Enforcement Administration (DEA) and HHS made exceptions to the Ryan Haight Online Pharmacy Consumer Protection Act of 2008, which required that a provider meet with a patient in-person before prescribing certain medication. This change allowed providers to prescribe certain controlled substances and other medications without an in-person appointment.

These exceptions have been extended through the end of 2024, and in the meantime, the DEA has proposed new rules that would establish parameters for prescriptions of controlled substances where the provider has not met the patient in person. The rules would, among other things, limit telehealth providers to writing a 30-day prescription for certain non-narcotic medications before requiring patients to be examined in person unless an in-person relationship has already been established.

Some industry participants are concerned that the DEA’s proposed rules may negatively affect legitimate patients and interrupt the flow of medically necessary treatments. The DEA has received tens of thousands of comments on the proposed rules, and a bipartisan group of six senators wrote to the DEA administrator expressing concerns that allowing only a 30-day prescription before patients must have an in-person meeting with a doctor risked the patients abruptly losing access to medication.

Advocates for telemedicine claim that relaxing the regulations helped patients start and maintain necessary care for many medical conditions, including opioid-use disorder. For instance, according to a 2023 study in JAMA Psychiatry, between September 2019 and February 2021, patients who were treated through telehealth for opioid-use disorder had 33% lower adjusted odds of a fatal overdose than those who did not receive medication treatment. Additionally, a 2021 study in the Journal of Substance Use and Addiction Treatment found that telemedicine has allowed patients to start certain opioid-use disorder treatment without the delay of an in-person evaluation, whereas, the pre-pandemic average wait for an in-person visit was up to 12 weeks in upstate New York.

In sum, throughout COVID, regulations to expand telehealth helped ensure that patients could receive uninterrupted care, and it might be difficult for regulators to reverse those expansions and reinstate hard limits on telehealth.

Considerations for mitigating risk—getting ahead of an investigation

With increased government scrutiny on telehealth and potential changes to COVID-era telehealth flexibilities on the horizon, it is critical that companies utilizing telehealth strategies consider compliance measures to mitigate potential regulatory risk. Below are some steps companies may take.

• Survey current policies and modify accordingly. As the legal landscape on telehealth evolves, companies can protect themselves by staying abreast of new developments and adjusting their own policies to comply. For example, companies may create a taskforce to evaluate current policies and work with legal counsel to determine potential gaps that make the company susceptible to risk. Companies can develop tailored telehealth policies that establish guardrails relating to the physician-patient relationship, electronic prescribing and in-person follow-up.

• Proactively plan for new rulemaking regarding virtual prescriptions. With COVID-era flexibilities on virtual prescriptions set to expire at the end of 2024, companies may consider creating a plan for how to handle their prescription policies so they adhere to any and all updated regulatory requirements, at both the federal and state levels. Companies can proactively establish policies that mandate in-person appointments under certain circumstances, in compliance with the new rules. It is also crucial that companies plan in advance for any situations that will require in-person appointments so patient care is not interrupted.

• Encourage employees to report legal concerns. It is important that telehealth companies encourage employees to report potential legal violations because many federal and state investigations are the result of whistleblowers who felt unheard within the company and feel the need to voice their concerns about their company’s practices. In addition to creating anonymous reporting methods, telehealth companies can create a non-retaliation policy to ensure that employees feel comfortable reporting any suspicious conduct. The company can take internal complaints seriously by following up on them in a substantive manner.

• Be cognizant of the Anti-Kickback Statute and Safe Harbor Regulations. In developing policies to mitigate risk, it is useful for companies to be aware of the Anti-Kickback Statute and how it may affect telehealth arrangements. The Anti-Kickback Statute prohibits offering or receiving payment to induce referrals of federal health care program business. For example, one area for telehealth companies to avoid is compensating a practitioner “based on the volume of items or services ordered or prescribed;” instead, they may consider arranging compensation through one-year consulting agreements. Similarly, companies should be aware that providing real estate or office space to providers at less than the market rate can increase kickback risk. Notably, there are various Safe Harbor Regulations, which describe arrangements that would be shielded from prosecution under the Anti-Kickback Statute; understanding these exceptions can help companies in assessing risk.

Telehealth is an exciting industry that has made health care more accessible to many patients, but certain bad actors have raised alarm bells, subjecting the practice to increased government scrutiny and regulation. The future of telehealth as we’ve known it may be uncertain, but it is important for legitimate telehealth companies to understand the current environment and where others went wrong, and prepare to adapt to new rulemaking to help mitigate the risk of potential litigation or investigation.

Randy Luskey is a partner with extensive experience representing leading health care and pharmaceutical companies and organizations in False Claims Act and Anti-Kickback Statute investigations and Marc Price Wolf is counsel at Paul, Weiss, Rifkind, Wharton & Garrison.