A version of this article was published in the June 2024 edition of
Healthcare News.
After telehealth programs surged into common use during the COVID-19 pandemic, virtual visits continue to thrive to access health care—and so have associated compliance risks along with increasingly stringent regulations.
A string of developments from the Office of Inspector General (OIG)—such as a 2022 telehealth fraud alert and a 2023 tool kit for telehealth integrity—signal intentions of increased audits and focus. Is your program resilient enough to withstand the expected scrutiny ahead?
Brian Conner, a partner at Moss Adams, sat down with telehealth compliance professional Kim Hodson, a senior manager, to discuss how compliance officers should be evaluating and mitigating their risks.
Background on Telehealth
By the second quarter of 2020, 47% of Medicare beneficiaries used telehealth—a large jump from the 7% just months prior. IT and billing leaders had to pivot quickly to expand telehealth programs in response. Many took advantage of Centers for Medicare & Medicaid Services waivers that enabled visits over various virtual mediums. The Office for Civil Rights (OCR) also noted that they wouldn’t enforce applicable regulations during the public health emergency (PHE).
Beyond the PHE, a newer challenge has emerged with regulators cracking down on telehealth billing compliance.
Telehealth programs have matured to support a stable utilization rate of between 13% and 20%, depending on the specialty, leaders have established a rhythm for how those interactions are documented and coded to meet regulations.
Why Should Health Care Organizations Worry About Telehealth Billing Compliance? And Why Now?
The OIG has been concerned about telehealth billing since before the pandemic, but it’s become more important since 2020 as the number of telehealth services have increased in amount and complexity, highlighting areas of risk for fraud and abuse.
These risks have become more of a day-to-day concern, though the PHE has been removed. Compliance leaders should be thinking about how to oversee and monitor their telehealth program now that the pandemic crisis and things have stabilized. It’s an opportunity to evaluate your risk profile, especially given expected scrutiny in the years ahead.
What Should Provider Organizations Do to Identify and Mitigate Telehealth Compliance Risks?
Organizations have developed an organization-wide compliance program built on the seven elements of an effective compliance program to reduce fraud, waste, and abuse. One of many resources is the OIG General Compliance Program Guidance released in November 2023.
That framework covers oversight, policies and procedures, education and training, lines of communication, internal audits and monitoring, standards, and issue reporting. Review your compliance work plan to include telehealth in some way.
Consider the telehealth compliance implications and assess your organization’s unique risks and vulnerabilities—at least annually. If you’re not meeting one of these risk areas, you’ll need to plan to address it. The higher the risk, the more quickly it should be addressed.
What Are Top Areas to Focus on for Telehealth Billing Compliance?
The risk varies with the health care entity, and with level of internal auditing and monitoring.
Internal Auditing and Monitoring
One of the most deficient areas is internal auditing and monitoring. During COVID-19, providers were quick to set up telemedicine documentation, but reviewing that documentation fell to the bottom of the priority list as telehealth care delivery itself evolved so rapidly.
Now’s a good time to give it another look—to make sure documentation is complete and that it supports the services that you’re currently billing for, particularly around documentation of time for services. This is important because telehealth compliance may require monitoring of details that traditional visits don’t, such as provider location, patient location, communication channel, and start and stop times.
Perform retrospective audits of telehealth services provided during the PHE. It would be better to identify if there were noncompliant issues before a regulator may come calling to audit.
Policies and Procedures
Policies and procedures comprise another high-risk area. Before the PHE, policies and procedures may not have reflected guidance pertinent to telehealth. For example, current compliance plans may not be accounting for digital literacy or accessibility—something that could be essential for telehealth access.
Your organization’s policies and procedures need to reduce your risk. You validate that with a risk assessment. Understand what the risk to the organization is from the context of telehealth medicine and update policies and procedures accordingly. Additionally, have a mechanism to update policies and procedures based on the outcomes of audits or investigations coming in through the fraud, waste, and abuse (FWA) hotline.
What Are the Stakes? What Happens to Unmitigated Telehealth Billing Risks?
Risks of noncompliance includes OIG fines, Department of Justice settlements, corporate integrity agreements, patient safety risks, patient privacy violations and associated fines.
Have You Worked on Projects Where Someone Was Put Under a Corporate Integrity Agreement for Telehealth Noncompliance?
Not yet, but it’s coming.
Again, the biggest risk area we see tends to be documentation. OIG has been more lenient with the PHE, but with the end of flexibilities, they’re going to start enforcing compliance. Showing that you’re putting strategies in place to correct issues can help. It’s always better to be proactive.
Does This Only Apply to Medicare and Medicaid?
Yes and no.
The guidance and associated enforcement affect providers who serve Medicare and Medicaid populations. But the guidance established by the OIG is still a good framework, regardless of payer source. And most commercial health plans have a government arm anyway like Medicare Advantage, which means everyone should be paying attention to these practices.
What Else Is Important to Know?
Telehealth isn’t going away. Utilization rates have ebbed and flowed over the past four years, but virtual care is here to stay. Providers need to be thinking about telehealth compliance, and now’s the time to do it as the pandemic dust settles and enforcement actions pick up.
Compliance that Evolves
Compliance needs to evolve to account for the increasing prevalence and complexity of virtual encounters.
We’re Here to Help
If you have questions about telehealth compliance, please reach out to us at Moss Adams for support.