chevron-down Created with Sketch Beta.
October 31, 2022

The Hunt Is On

OIG Targets Telehealth Fraud During the COVID-19 Pandemic

By Stephen Bittinger, Michael Phillips and Jessica Franzese


On September 2, 2022, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued a data brief (OIG Data Brief) that summarized findings of OIG’s review of Medicare program integrity risks related to telehealth services rendered in the first year of the COVID-19 Public Health Emergency (PHE). This auditing by OIG and any subsequent auditing by the Centers for Medicare and Medicaid Services (CMS) marks the first significant COVID-19 PHE-related telehealth government auditing. This wave of audits was predicted and even expected given the heightened risk of fraud presented by PHE-related telehealth expansion and the concomitant increase in government scrutiny in this arena.

This article will provide an overview of the OIG Data Brief and OIG’s recommendations to CMS, examine the role of coding and data analytics with telehealth fraud investigations, and set forth some best practices and recommendations for providers and suppliers, including recommendations for conducting telehealth self-auditing. 

OIG’s September 2022 Data Brief

To conduct its review of Medicare program integrity risks in relation to telehealth services provided during the PHE, OIG analyzed Medicare fee-for-service (FFS) claims data and Medicare Advantage (MA) encounter data from March 1, 2020, to February 28, 2021.

The OIG established the following seven criteria to identify high risks to Medicare and to determine if fraud, waste, or abuse exists:

  1. "[B]illing both a telehealth service and a facility fee for most visits;
  2. [B]illing telehealth services at the highest, most expensive level every time;
  3. [B]illing telehealth services for a high number of days in a year;
  4. [B]illing both Medicare FFS and a[n] [MA] plan for the same service for a significant proportion of services;
  5. [B]illing a high average number of hours of telehealth services per visit;
  6. [B]illing telehealth services for a high number of beneficiaries; and
  7. [B]illing for a telehealth service and ordering medical equipment for a significant proportion of beneficiaries.”

Of the approximately 742,000 providers in the review period, OIG found billing concerns for 1,714 providers on at least one of those seven criteria, which may indicate fraud, waste, or abuse of telehealth services. Notably, 991 of these 1,714 providers “are a part of the same medical practice as at least one other provider whose telehealth service billing poses a high risk.” Additionally, 41 of the 1,714 providers who had concerning billing practices are associated with telehealth companies, and the OIG expressly noted the high risk to program integrity that billing by telehealth companies can pose.

Based on its review and findings, OIG recommended that CMS take the following actions:

  1. “Strengthen monitoring and targeted oversight of telehealth services,” including a targeted review of providers identified through the seven OIG criteria that would consist of monitoring billing patterns and reviewing medical records;
  2. “Provide additional education to providers on appropriate billing for telehealth services”;
  3. “Improve the transparency of ‘incident to’ services [where] clinical staff primarily rendered the telehealth service”;
  4. “Identify telehealth companies that bill Medicare” by updating the Medicare provider enrollment application; and
  5. “Follow up on the [1,714] providers identified” in the OIG Data Brief.

While CMS has already agreed to follow up with the providers OIG identified, CMS has not otherwise indicated it will accept OIG’s recommendations. Those 1,714 providers identified in the OIG Data Brief can expect that CMS will engage with Unified Program Integrity Coordinators (UPICs) to investigate any potential fraud, waste, and abuse. CMS contracts with UPICs to fulfill program integrity functions of the Medicare Program, and these UPICs are assigned to one of five geographic jurisdictions.

Understanding the Coding and Data Analytics Behind Telehealth Fraud Investigations

An understanding of how the government identifies suspect telehealth services can better position providers and suppliers to identify and address improper telehealth arrangements before the government does. While there are significant technical differences in the telehealth coding and compliance issues across provider and supplier types, a common, central issue is ensuring that documentation and claims data reflect an actual patient-physician relationship and the related course of treatment. In the durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) space, pre-PHE, the government focused on whether an evaluation and management (E/M) code was billed prior to prescribing. Given the regulatory flexibility allowed for DMEPOS suppliers during the PHE, the government will now focus its analysis on whether claims data can establish a patient-physician relationship via telehealth.

For medical reference laboratories, the pre-PHE enforcement action Operation Double Helix can provide some insight into where the government’s focus could lie in identifying suspect telehealth services in the wake of the PHE. There, the government focused on: (i) genetic testing that was prescribed either without any patient interaction or with only a brief telephonic conversation with patients the provider had never met or seen and (ii) the absence of certain clinically-related information in patients’ histories that would necessitate a cancer-screening genetic test. Post-PHE, the government will still focus on patients’ individual treatment histories, but will also closely analyze the propriety of a patient-physician relationship via telehealth. Laboratories will need to address how to identify and manage the ever-growing list of telehealth concerns (e.g., specimen collection and travel allowances based on a telehealth visit) to avoid enforcement actions. These laboratories should proactively develop a strong understanding of compliant documentation of appropriate telehealth services to support test orders to mitigate future risk of False Claims Act liability for submitting claims for tests where a legitimate patient-physician relationship does not exist.

More generally, the OIG’s Data Brief and pre-PHE government investigations highlight several best practices for telehealth providers and those who rely on the validity of a telehealth visit to bill for a service. Such entities should put compliance plans into place to mitigate liability. Providers rendering telehealth services across state lines should also carefully consult state laws (e.g., licensure requirements, corporate practice of medicine, fee splitting, requirements for prescribing drugs and ordering DMEPOS, and supervision requirements) to ensure compliance. To aid providers and suppliers, government agencies have made available a number of resources, including: (1) HHS resources for delivering telehealth safely during the PHE and billing appropriately, (2) CMS’ Medicaid & CHIP (Children’s Health Insurance Program) Telehealth Toolkit, and, (3) the Health Resources and Services Administration’s (HRSA) Medicare Telehealth Payment Eligibility Analyzer.

Telehealth Self-Auditing Recommendations

Medical practices or organizations providing telehealth services should perform self-audits, or internal audits, to ensure compliance with Medicare telehealth guidance. When performing a self-audit, there are a number of steps to bear in mind.

The first step for a medical practice or organization is to select the timeframe that will be reviewed during the audit. The timeframe should be large enough to produce meaningful results. For example, in its OIG Data Brief, the OIG looked at a year’s worth of data, from March 1, 2020, through February 28, 2021. There are some key dates and regulations that practices or organizations need to consider when selecting the timeframe. These include:

  • January 31, 2020: HHS announced the COVID-19 PHE, which was determined to have existed since January 27, 2020.
  • March 27, 2020: The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law.
  • March 31, 2020: CMS’ “Policy and Regulatory Revisions in Response to the COVID-19 Public Health Emergency” became effective.

The next step in performing a self-audit is for the practice or organization to select a category of service to review. If the practice or organization provides multiple types of services, the focus should be on one category, such as office visits, for review. When reviewing office visit services, the Current Procedural Terminology (CPT®) codes applicable to telehealth visits include, but are not limited to, Office or Other Outpatient Services (99201-99205 [new patient] and 99211-99215 [established patient]) and Non-Face-to-Face Telephone Services (99441-99443 [practitioners who may report E/M services] and 98966-98968 [practitioners who cannot bill independently]). Practitioners who cannot bill independently are qualified non-physician health care professionals, such as social workers, clinical psychologists, and certain therapists. Please note, CPT® code 99201 was deleted effective January 1, 2021.

Place-of-service (POS) codes and modifiers can be useful in identifying telehealth services for review. When selecting claims to review, telehealth services may be easily identified by looking for the telehealth-related POS code 02 (telehealth provided other than in patient’s home) or the telehealth-related modifiers: 95 (synchronous telemedicine service rendered via a real-time interactive audio and video telecommunications system), GT (via interactive audio and video telecommunication systems), GQ (via asynchronous telecommunications system), G0 (telehealth services for diagnosis, evaluation, or treatment, of symptoms of an acute stroke), and FQ (the service was furnished using audio-only communication technology).

Prior to beginning the review, be sure you know the billing requirements and coverage criteria, such as CPT®/HCPCS code descriptors and related guidelines, the CMS List of Telehealth Services, COVID-19 Frequently Asked Questions (FAQs) on Medicare FFS Billing, the CARES Act and associated information, and the Policy and Regulatory Revisions related to the PHE. Of note, CPT® E/M guidelines underwent significant changes that took effect on January 1, 2021.

When performing the documentation review itself, be cognizant that guidelines and regulations changed rapidly during the first year of the PHE. Be sure to apply guidelines applicable to the date of service being reviewed rather than applying a blanket guideline across the entire universe of claims. Key items and issues to be looking for include: documentation that supports the level of service reported, patient consent for telehealth services, the modality used to perform the service (e.g., audio-only, real-time [synchronous] and store-and-forward [asynchronous]), and, the location of the patient and the provider at the time of service.


The government will likely continue to audit PHE-related telehealth for years to come. From the OIG Data Brief and prior telehealth-related investigations and enforcement actions, providers can see where government focus has been and can anticipate the focus of future audits. Providers should work proactively to put in place compliance programs and conduct self-auditing to ensure compliance with applicable Medicare telehealth guidance.

    Stephen Bittinger

    K&L Gates LLP, Washington, District of Columbia and Charleston, South Carolina

    Stephen Bittinger is a partner in the Health Care & FDA Practice Group at K&L Gates. He focuses his practice on health care reimbursement compliance, defense, and litigation, with an emphasis on government and private payer disputes on behalf of providers, suppliers, and manufacturers involved in the healthcare system within the United States and abroad. He frequently represents healthcare clients in Medicare and Medicaid audits, private payer audits, federal regulatory termination and exclusion proceedings, False Claims Act defense, and healthcare revenue disputes. His practice also includes disputes regarding the use of statistical sampling and extrapolation in the review and analysis of healthcare claims, and Stephen has served as an expert witness in this arena. He can be reached at [email protected].

    Michael Phillips

    K&L Gates LLP, Charleston, South Carolina

    Michael Phillips is an associate in the Health Care & FDA Practice Group at K&L Gates. His practice includes reimbursement compliance, defense, and litigation with a focus on Medicare and Medicaid audits and private payer audits. Mike also provides practical advice on compliance with the Anti-Kickback Statute, Civil Monetary Penalties Law, and other health regulatory issues. He can be reached at [email protected].

    Jessica Franzese

    K&L Gates LLP, Charleston, South Carolina

    Jessica Franzese is a healthcare coding and compliance consultant at K&L Gates. She has over 25 years of experience in the healthcare industry, including over 15 years of experience in the medical coding and audit arena. Jess has been a Certified Professional Coder (CPC) since 2005 and a Certified Professional Medical Auditor (CPMA) since 2015. She can be reached at [email protected].

    The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.