By now, you’ve likely read hundreds, if not thousands, of stories about telehealth and its precipitous rise sparked by the pandemic. While telehealth usage has dipped from its peak in April 2020, overall utilization is still 38 times higher than before the pandemic. The numbers lend credence to the numerous benefits touted throughout the public health emergency, most notably serving as a vital lifeline for high-risk patients, reducing the risk of exposure for staff, alleviating patient demand on facilities, and more. The reality is that telehealth has solidified itself as a permanent fixture within our healthcare system.
However, the explosion in adoption has drawn bad actors who are taking advantage of the relaxed regulatory environment and technological vulnerabilities. Capturing and combatting fraud in today’s healthcare landscape requires the convergence of innovation and experience to drive value beyond the margins. Organizations must take a multi-layered approach to identify, address, and prevent fraud.
Identification to Inform Action
As a precursor to taking effective action, stakeholders must first be attuned to the various types of telehealth-related fraud. In general, there are three types of fraud being committed – true telehealth fraud, indirect fraud, and cyberattacks.
The first type of fraud is one that we’ve seen prior to the pandemic, albeit outside the context of telehealth. True telehealth fraud typically takes the form of upcoding to more expensive full telehealth sessions, billing for services not rendered, and other familiar tactics. When the Centers for Medicare & Medicaid Services (CMS) granted payment flexibilities to facilitate access to telehealth amid the public health emergency, they also unwittingly created vulnerabilities. For example, Medicare now reimburses telehealth visits at the same rate as services rendered in person. Providers may therefore be incentivized to bill for a full telehealth visit when, in fact, only a brief virtual check-in or e-visit, conducted without video, took place.
The second type, indirect fraud, involves several bad actors that coordinate their efforts. Typically, in this type of scheme, executives at telehealth companies collude with telemarketers to contact mass amounts of people, entice them to participate in a telehealth session, and harvest their personal information. Patients’ personal data is then used to fraudulently bill government programs and insurers for products and services such as durable medical equipment and cancer genomic, pharmacogenetic and allergy testing. In August 2020, for example, Humana sued QuivvyTech, a Florida-based telehealth company, for allegedly cold calling patients and conspiring with providers to issue fraudulent prescriptions for medications.
When the Department of Health and Human Services (HHS) lifted restrictions pertaining to HIPAA and consumer-grade telecommunications software such as Zoom, this inadvertently created an opportune environment for cybercriminals. Last year, overall usage of Zoom – including for telehealth – increased ten-fold. The uptick in volume caught the attention of cybercriminals, and soon the phenomenon of “Zoom bombing” came into play, highlighting the exploitable security vulnerabilities associated with consumer-grade software many providers have used. Zoom’s recent agreement to settle an $85 million privacy-related lawsuit illustrates how the lack of standardized, battle-tested, purpose-built telehealth technology poses significant risks for patients, providers, and the overall integrity of our healthcare system.
The importance of recognizing the differences in fraud extends beyond payers and providers. Telehealth advocacy groups such as the American Telemedicine Association and the Center for Connected Health Policy are eager to make the distinction between the three types of fraud. It’s important to them that indirect fraud and cyberattacks not be counted as true telehealth fraud in studies that will determine the future of the industry.
Turning Insight into Action
Preparing for and protecting against telehealth’s inherent fraud-related risks requires a multi-layered approach combining strategic direction and technological innovation. Awareness is a crucial first step. Stakeholders can provide education, employee training, and simulated cyberattacks to foster a culture of enhanced security.
For most telehealth fraud, deploying program integrity services and fraud detection through advanced analytics and special investigation units (SIUs) is a sufficient line of defense. If an interaction is billed as telehealth, for example, it is important for SIUs to validate that all minimum requirements for a telehealth visit were met, including whether audio and video were both required for the service billed. Spike reporting and outlier detection can be a useful tools in detecting ordering and referral schemes, particularly involving durable medical equipment (DME). For example, a high ratio of orders between a particular healthcare provider and DME supplier may signify potential collusion.
Ultimately, demonstrative evidence, such as charts and graphs, combined with strong benchmarking data, is key to identifying suspicious connections and unusual trends. Individuals involved in a fraud scheme sometimes have a history of criminal behavior, such as accepting bribes. For this reason, conducting thorough background research encompassing criminal and civil litigation records is critical to identifying ownership connections that could indicate a kickback or collusion scheme. Additionally, speaking with clinical experts can help to determine whether an event makes sense in a clinical context.
Beyond these foundational tactics, stakeholders may also want to consider emerging technologies such as machine learning and natural language processing (NLP). Applying machine learning to program integrity processes enables systems to automatically learn and improve from experience. This sharpens the focus on the attributes and triggers that not only merit an enforcement event, but also lead to an effective resolution. When reviewing medical records for potential fraud, NLP-enabled tools like smart text detection, predictive text and optical character recognition can help streamline workflows and minimize human error. NLP when integrated with machine learning algorithms, can drive continuous improvement in fraud detection for more accurate decision-making.
Charting a Safe Path Forward
In the context of COVID-19, telehealth delivered on its promise to maintain continuity of care while mitigating exposure risk for patients and providers. Beyond the pandemic, telehealth has the potential to create a more efficient, equitable and consumer-centric healthcare system. To fully realize this potential, stakeholders must commit to investing in the proper educational, administrative, cybersecurity and technological tools.
About Julia Twaddle Julia Twaddle, CFE, is a Senior Director at Gainwell Technologies, where she leads the company’s FraudCapture solution. Julia is an accomplished healthcare fraud services product owner and leader, with extensive experience in building and branding full-spectrum anti-fraud services.