Telehealth has forever changed the way healthcare is delivered. It’s also changed the way fraudsters operate.
From “maybe one day” to “here to stay”
COVID-19 obliged providers everywhere to offer telehealth services, and patients are pleased. At this point, the telehealth bell can’t be unrung.
To quickly ramp up access, CMS introduced several policy waivers and expansions, such as permitting services to be delivered to patients’ homes, rather than a designated facility, and allowing the use of consumer-grade software such as Zoom, Skype and FaceTime.
Providers are seeing 50-175 times the number of patients via telehealth than they did before.
Unfortunately, as many feared, the explosion in adoption and the use of consumer-grade software have proved fertile ground for criminal enterprises.
Patients love telehealth. So do the bad guys.
Last October, the Department of Justice (DOJ) descended on 345 people—including many medical professionals—and charged them with committing 6 billion (yes, with a “B”) dollars’ worth of fraud. Of that, $4.5 billion was connected to telehealth. It was the largest healthcare fraud bust in history.
And in May of this year, the DOJ charged 14 people, including telehealth executives and physicians, with creating fraudulent schemes that victimized patients and stole over $143 million from federal programs. These are just a couple of examples plucked from hundreds of cases.
Generally, three types of fraud are being committed:
1—True telehealth fraud
Upcoding phone calls, virtual check-ins and e-visits to more expensive full telehealth sessions; billing for services not rendered, etc. The kind of fraud we’ve tackled for years, just in a new environment. This type of fraud can be defeated the same way it was before telehealth blew up—program integrity services and fraud detection using advanced analytics and special investigation units (SIUs).
2—Indirect telehealth fraud
Criminals use telehealth as a low-effort way to cast a wide net. They will often collude with telemarketers to contact huge numbers of people, entice them to participate in a telehealth session, and harvest their personal information. Patients’ personal data is then used to fraudulently bill government programs using all the usual ploys: crooked billing of durable medical equipment (DME), cancer genomic (CGx), pharmacogenetic (PGx) and allergy testing, and so on. This type of fraud can result in patients delaying treatment from their primary doctors, often with dire results. The solution is similar to true telehealth fraud, but requires tailored analytics and a deep understanding of the mechanics of these schemes.
The consumer-grade software many providers are using can have exploitable security holes. Hackers are taking advantage of the lack of standardized, battle-tested, purpose-built telehealth platforms to capture email addresses for phishing attacks or to mount ransomware assaults. Combatting these attacks requires patient outreach and education on safe computer practices.
Last year, Zoom saw a tenfold increase in usage in a few months and was found to be easily exploitable. People had strangers popping into their video chats. Now imagine they were speaking to their doctor.
The difference is important
Telehealth advocacy groups such as the American Telemedicine Association (ATA) and the Center for Connected Health Policy (CCHP) are eager to make the distinction between the three types of fraud. It’s important to them that indirect fraud and cyber-attacks not be counted as true telehealth fraud in studies that will determine the future of the industry.
Now that consumers have experienced the convenience of visiting a doctor virtually, there will be a lot of pressure on CMS to retain at least some of the relaxed regulations. If they do, it will incumbent on them, along with industry advocates, payers and providers, to ensure that new guardrails are put in place to protect patients and their privacy, and to defend payers against those who would take their money.
The cat, as they say, is out of the bag, but it’s important that we watch out for its claws.