In this episode, we welcome back Brenna Jenny, Partner at Sidley Austin LLP, to discuss the recent HHS-OIG Special Fraud Alert, plus DOJ enforcement developments related to telehealth.
Highlights of this episode include:
- How government enforcement authorities been responding to the new billing patterns
- What characteristics the HHS-OIG call out in the Special Fraud Alert
- Enforcement actions that have been taken so far
- Civil enforcement and criminal charges
- What providers should be doing to mitigate compliance risk
Kelly Wisness: Hi, this is Kelly Wisness. Welcome back to the award-winning Hospital Finance Podcast. . Today, we have Brenna Jenny, a partner in the healthcare group at the law firm of Sidley Austin and is based in the firm’s Washington, DC office. Her practice focuses on defending providers and healthcare companies in government investigations and advising healthcare clients on enforcement risk. For the first year of the pandemic, Brenna served as the chief legal officer for the Centers for Medicare & Medicaid Services. In that role, Brenna supervised an unprecedented wave of regulatory flexibilities during the COVID-19 pandemic, including waivers related to telehealth services. She’s here today to discuss the recent HHS-OIG Special Fraud Alert, plus DOJ enforcement developments related to telehealth. Thank you for joining us today, Brenna.
Brenna Jenny: Thanks for having me back, Kelly.
Kelly: And we’re going to go right into it today. The COVID-19 pandemic served as a spark to ignite a significant increase in patient demand for telehealth services. At the same time, healthcare providers were finally able to expand the telehealth services they could furnish as a result of new billing flexibilities offered by CMS and the federal healthcare programs, as well as broader coverage from many commercial insurance companies. We are now well over two years into this heightened wave of telehealth services. How have government enforcement authorities been responding to these new billing patterns?
Brenna: They have increasingly made clear that they are focused on providers and telehealth companies who are perceived as taking advantage of the pandemic and the heightened demand for telehealth services. This is a real priority for both the Department of Health and Human Services Office of Inspector General, which I’ll refer to as HHS-OIG, and the Department of Justice or DOJ. As I’m sure many listeners know, both of these entities enforce various federal fraud and abuse laws that prohibit billing for medically unnecessary items or services. In addition, HHS-OIG devotes significant resources to enforcing the Anti-Kickback Statute, and DOJ also specializes in enforcing the Federal False Claims Act. At a very high level, the Anti-Kickback Statute is an incredibly broad law that has been interpreted to prohibit various types of payments intended to induce federally reimbursable referrals, and even prohibits arrangements that would be perfectly lawful in almost any other industry. The Federal False Claims Act prohibits providers from submitting false claims, and the concept of falsity here has been interpreted very broadly by some courts to include not just claims that are facially false, but also claims for services furnished while the provider was not fully in compliance with material laws and regulations. Over the past year, HHS-OIG and DOJ have each taken actions demonstrating that telehealth fraud is a priority for them. I’ll address HHS-OIG first.
A great way to readily identify HHS-OIG’s current priorities is to look at the latest HHS-OIG work plan. HHS-OIG comes up with audits and evaluations it wants to conduct in order to target its areas of concern, and it then sets out these projects in a work plan. OIG updates the work plan on a monthly basis. By way of context, HHS’s Office of Inspector General is fairly unique among agency inspectors general. Most inspectors general spend the majority of their time looking internally at their own agency and investigating potential waste or abuse committed by that agency. But HHS’s OIG spends a significant amount of time looking outward at the potential fraud, waste, and abuse committed by third parties against federal healthcare programs. Over the past 12 to 18 months, HHS-OIG has been steadily adding projects to its work plan that relate to telehealth, and there are currently nine open projects touching on telehealth. For example, one project is designed to identify program integrity risks associated with Medicare telehealth services furnished during the pandemic. HHS-OIG can access Medicare claims data and mine that data. And so what it says it plans to do as part of this project is to analyze provider billing patterns for telehealth services and, quote, “describe key characteristics of providers that may pose a program integrity risk to the Medicare program.”
HHS-OIG often takes what it learns in these audits and uses those findings to educate other watchdogs, such as the CMS Unified Program Integrity Contractors, or UPICs, which are administrative contractors that provide fraud and abuse audits for CMS. These findings also serve to educate the Department of Justice and private whistleblowers who file suit under the qui tam provision of the Federal False Claims Act. Against this backdrop of HHS-OIG having a clear interest in learning how telehealth has been used and, in some cases, possibly abused during the pandemic, on July 20, HHS-OIG issued a Special Fraud Alert specifically advising healthcare providers to exercise caution when entering into certain types of arrangements with telehealth companies. Before we get into the substance of that alert, it’s important to understand that Special Fraud Alerts are pretty rare. On average, HHS-OIG issues one every three to five years. So when HHS-OIG issues a Special Fraud Alert, everyone’s ear should perk up, because HHS OIG only does this when it really has concerns about something and wants to provide clear guidance and warning to the healthcare industry about those concerns.
In this Special Fraud Alert, HHS-OIG noted that it has conducted dozens of investigations into telehealth arrangements that allegedly have exploited the growing acceptance and use of telehealth services. Leveraging this experience, HHS-OIG sets forth aspects of telehealth arrangements, what it calls suspect characteristics, that they believe should raise red flags for providers. It’s important for providers to understand this guidance because HHS-OIG and DOJ have historically taken the position that high profile industry guidance such as Special Fraud Alerts create knowledge that the practices specified therein may be unlawful. In other words, the guidance can be used against providers to show a bad intent. I don’t think that’s the right answer legally, but it is a position the government has taken.
Kelly: Well, that’s a lot of great information. Thank you for that. And what characteristics did HHS-OIG specifically call out in the Special Fraud Alert as presenting a heightened risk of fraud and abuse?
Brenna: HHS-OIG prefaced that this is a non-exhaustive list, but they flagged the following as risk factors: one, the patients being seen through telehealth were identified or recruited by the telehealth company or a contracted recruiter who were advertising the availability of free or low out-of-pocket cost items or services. Two, the telehealth company does not give the healthcare provider sufficient contact with or information from the patient to permit the provider to meaningfully assess the medical necessity of the items or services ordered. For example, HHS-OIG specifically criticized telemedicine companies that require providers to use audio only technology with patients, regardless of the provider’s preference. Three, the telehealth company pays the provider based on the volume of items or services ordered or prescribed, which the telehealth company may describe as payment based on the number of medical records the provider reviews. Four, the telehealth company furnishes items and services only to federal healthcare program beneficiaries and does not accept insurance from any other payer. Five, the telehealth company claims to furnish items and services only to individuals who are not federal healthcare program beneficiaries, but may in fact bill federal healthcare programs. HHS-OIG further warns that attempts to carve out federal healthcare program beneficiaries from those types of arrangements do not necessarily eliminate fraud and abuse risk.
Six, the telehealth company limits the healthcare provider’s options to a predetermined course of treatment or furnishes only one product, such as a particular genetic test, DME, diabetic supplies, or prescription creams. And finally, the telehealth company does not expect the healthcare provider to follow up with patients and does not even give the provider enough information to follow up with the patient. It is important to note that HHS-OIG acknowledged that no single characteristic is per se unlawful, but rather the presence of any of these factors I just described suggest, according to OIG, that the arrangement poses a heightened risk of fraud and abuse and providers should exercise care.
Kelly: Thanks, Brenna. You mentioned that the Department of Justice has also made clear that fraud and abuse involving telehealth is an enforcement priority. What enforcement actions have we seen to date from the DOJ in this space?
Brenna: On the same day that HHS-OIG issued its Special Fraud Alert, DOJ announced criminal charges against dozens of defendants involving more than $1.2 billion in alleged fraud relating to telehealth companies and arrangements with genetic testing labs and DME suppliers. DOJ calls this type of coordinated announcement of charges a nationwide coordinated law enforcement action. They’re also commonly referred to as takedowns, and they usually have a theme. DOJ explained in its press release that the charges announced on July 20th primarily targeted alleged schemes involving the payment of illegal kickbacks and bribes by laboratory owners and operators in exchange for the referral of patients by medical professionals working with fraudulent telemedicine and digital medical technology companies. And note the reference here to kickbacks. Proving that lab tests or any healthcare service is not medically necessary can actually be pretty challenging for the government. What is often easier for the government to prove is that an arrangement violates the Anti-Kickback Statute. This is because the Anti-Kickback Statute is a very broad law that can reach a lot of payments intended to induce referrals. That’s likely why many of these cases were brought as kickback cases, even though the government’s ultimate concern is really billing the government for things that aren’t medically necessary.
Last month’s coordinated takedown follows other major takedowns in April of this year and September and May of last year, all of which included multiple charges against defendants for participating in allegedly fraudulent telehealth arrangements. It’s notable that these criminal enforcement actions, as well as the types of arrangements discussed in the HHS-OIG Special Fraud Alert, primarily relate to telehealth arrangements where a focus of the arrangement is prescribing items such as genetic tests during the encounter. In other words, the alleged fraud is really the prescription coming out of the visit and not necessarily a fraudulent bill for a telehealth E&M visit. In fact, in some of these arrangements, providers may not even be billing for a telehealth service. Instead, providers prescribe, say, a genetic test over a phone call, and that phone call is loosely referred to as telehealth, even though the call isn’t being billed as a service furnished through telehealth. It’s just the prescription for the lab test that was billed. But in press releases announcing these telehealth-related takedowns, DOJ has specifically noted at least a couple instances of defendants who were indicted because they were abusing the regulatory flexibilities CMS offered during the COVID-19 public health emergency, and they were billing for telehealth services that were not medically necessary or otherwise did not satisfy applicable billing requirements. So, this is to say that the enforcement interest here extends both to arrangements that focus on prescribing items through a phone call encounter as well as billing Medicare for telehealth services that don’t satisfy even the more flexible pandemic billing rules.
One final note on DOJ enforcement trends involving telehealth, all of the enforcement actions I have discussed so far from DOJ in this space have been criminal, even those involving abuse of the CMS telehealth billing flexibilities. But a few months ago in April, DOJ did announce what I believe to be the first civil settlement under the False Claims Act for abuse of the special telehealth billing rules during the pandemic. In that case, a physician group paid almost $25 million to resolve allegations that it violated the False Claims Act by billing for medically unnecessary telehealth visits. There were also some Stark Law issues at play. According to DOJ, after nonemergency medical procedures were suspended in early 2020 due to the pandemic, the defendant was faced with plummeting revenue, and so it directed its physicians to see patients via telemedicine twice monthly regardless of medical need and to upcode those visits. So, the abuse of the pandemic billing rules for telehealth were really at the heart of this civil settlement.
Kelly: And Brenna, do you expect to see more civil enforcement actions involving telehealth, or will enforcement primarily take the form of criminal charges?
Brenna: We will see more of both. In practice, a Special Fraud Alert is a signal of increased enforcement activity to come not just by HHS-OIG, but also DOJ and whistleblowers. I think that so far telehealth enforcement has been dominated by the announcement of criminal cases because criminal cases are often the low hanging fruit that enforcement agencies target first, and the government can publicly announce criminal cases fairly early in the life of the case when charges are filed. In contrast, civil cases often have a much longer pipeline from the point of initiation to when the case is made public. This is because civil healthcare fraud cases are commonly brought as False Claims Act cases, and those are usually initiated under the False Claims Act’s qui tam provision, which allows private whistleblowers to file a complaint under seal and ultimately receive 15 to 30 percent of the government’s recovery. But those cases on average take two to three years to resolve once filed. There’s really no upper limit. The complaint is maintained by the court under seal, and the government is allowed to ask for extensions until it has time to adequately investigate the allegations. Some courts impose caps on the number of extensions the government can receive, but most don’t. All of the back and forth between the government and the company as part of an investigation is generally not public, except to the extent that the company under investigation discloses the matter, such as through a public SEC filing. I suspect there are other qui tam complaints alleging healthcare fraud that have been filed, some of which the government has begun to investigate, and that we will see more settlements as those cases work through the process.
Kelly: Very interesting. And what should providers be doing to mitigate compliance risk around telehealth services?
Brenna: The flurry of enforcement activity around telehealth right now underscores the importance of providers having vigorous compliance controls. One increasingly important step providers can take is to know and understand their data. The Department of Justice and HHS-OIG have increasingly turned to data mining to combat fraud and abuse in federal healthcare programs. I’m aware of this through my own experience working at both the Department of Justice and at CMS, and DOJ and HHS-OIG have also been very open in their public speeches about describing their data mining work. Both entities have access to an incredible amount of billing data, particularly involving the Medicare program, and they have begun to affirmatively analyze these data for signals of potential fraud and abuse. For example, to identify providers like the one in the Civil False Claims Act settlement I mentioned, who may be over billing for telehealth visits that are not medically necessary, the government can look for outliers in the billing data. Now, we can expect that a lot of providers experienced massive spikes in their telehealth billing from 2019 to the present, but the government can assess which providers are outliers as compared to all other similarly situated providers in the extent to which their telehealth billing has increased and stayed at a heightened level.
I expect that once HHS-OIG releases reports on telehealth usage and identifies those characteristics that may pose a program integrity risks to the Medicare program, that the government will use those characteristics to guide their selection of targets and look for those signals in the billing data. So that’s why it’s important for providers to understand what their data would disclose to the government if analyzed. It is, of course, more difficult for providers to assess the extent to which they are outliers as compared to other providers, but such an assessment is possible, particularly by partnering with third party data experts, and providers can identify outlier physicians or facilities within their own organization. It’s also important to understand that carving out federal healthcare program beneficiaries does not fully cauterize risk, as HHS OIG mentioned at a high level in the Special Fraud Alert. And there are variety of reasons for why this is the case. One reason is that the government is sometimes concerned with so-called swapping arrangements in which something of value involving non-federal healthcare program business is given to a provider to allegedly induce separate referrals of federal healthcare program business. Another reason is that we are increasingly seeing enforcement actions target alleged kickbacks involving commercially insured patients. While it’s true that the Anti-Kickback Statute does not directly reach billing for commercial patients, prosecutors have been discovering other tools that allow them to target the same types of conduct that would give rise to kickback concerns in the federal healthcare programs. For example, there is a law called the Travel Act that makes it a federal crime to use interstate commerce with the intent to promote or facilitate any unlawful activity, which includes bribery that’s defined by state law, and those state bribery laws can cover arrangements alleged to involve kickbacks. The Travel Act has no nexus to federal or state government dollars.
Another law we are increasingly seeing used not only by DOJ but also by whistleblowers is the California Insurance Frauds Prevention Act. This law has been interpreted to reach arrangements similar to those prohibited by the Anti-Kickback Statute, except that the relevant payers are not Medicare or Medicaid, but rather commercial insurance plans in California. Of course, none of this should be taken as an effort to discourage telehealth. Telehealth has become an important option for patients, including federal healthcare program beneficiaries. When I was the chief legal officer for CMS during the first year of the pandemic, I oversaw the rollout of the regulatory waivers that authorized broader use of telehealth services. And I can tell you that CMS affirmatively wanted providers to expand telehealth services to meet evolving patient needs during the pandemic. While many of these flexibilities are tied to the duration of the public health emergency, Congress is actively considering a legislative extension. And whatever happens in the legal and regulatory front, I think we almost certainly are never going back to the pre-pandemic status quo, and the government recognizes this. For example, HHS-OIG specifically stated in the Special Fraud Alert that this guidance is not intended to discourage legitimate telehealth arrangements. So, providers should absolutely continue to embrace telehealth while understanding and reacting to the evolving enforcement landscape.
Kelly: Such great insights, Brenna. If someone wants to get in touch with you, how can they do that?
Brenna: My email address is email@example.com.
Kelly: Thank you so much for joining us today, Brenna Jenny. We really appreciate it.
Brenna: Thanks, Kelly.
Kelly: We appreciate you all joining us for this episode of the Hospital Finance Podcast.
[music] This concludes today’s episode of the Hospital Finance Podcast. For show notes and additional resources to help you protect and enhance revenue at your hospital, visit besler.com/podcasts. The Hospital Finance Podcast is a production of BESLER, SMART ABOUT REVENUE, TENACIOUS ABOUT RESULTS.
If you have a topic that you’d like us to discuss on the Hospital Finance podcast or if you’d like to be a guest, drop us a line at firstname.lastname@example.org.