Implement these 6 safeguards against fraud accusations in telehealth
During times of social distancing, telehealth has been essential for continuity of care. However, in the rush to implement the technology, providers may have overlooked one important detail: If they don’t follow coding, documentation and other requirements, they could be at risk for a post-payment recoupment or even payer accusations of fraud in the months ahead.
“When it comes to fraud, ignorance is not a defense,” said Jenna K. Godlewski, healthcare reimbursement and compliance attorney at Nexsen Pruet, LLC. “You need to know your payer policies.”
During the first month or so of COVID-19, payer telehealth policies changed frequently. If providers didn’t pay attention to these changes — or they don’t update their processes if/when policies change again — they could put themselves at risk for costly recoupments. In cases of fraud, they could face financial penalties, criminal punishment or even revocation or suspension of their medical licenses or Medicare privileges, Godlewski said.
Proactive telehealth compliance
The good news is there’s still time to correct errors and ensure compliance going forward. Consider these six telehealth vulnerabilities and how to avoid them:
1. Billing for telehealth visits that require audio and visual when a provider uses only audio
Although some payers, including certain Medicare Advantage plans, permit providers to render audio-only telehealth during the current public health emergency (PHE), many do not,
Godlewski said. Medicare, for example, requires the use of audio-visual technology for certain telehealth services and permits audio-only for others. Physicians can render a telehealth visit for advanced care planning using audio only, but they must use audio-visual technology for a new or established patient telehealth office visit.
“I think this will be a huge area of investigation,” Godlewski said.
Medicare will most likely investigate telehealth claims by sending questionnaires to beneficiaries asking them for feedback about their recent visit and whether they have a smartphone with audio-video capability, Godlewski said. The information the agency collects helps it deduce whether providers had a legitimate reason to bill telehealth that requires audio-visual communication, she adds.
In addition, Medicare and other payers send an explanation of benefits (EOB) for each service rendered. Beneficiaries may question why their provider billed an office visit when it was only a phone call and then reach out to their payer for clarification, said Toni Elhoms, CEO of Alpha Coding Experts, LLC. “It only takes one patient to question this, and Medicare may take a closer look at the provider’s billing,” she said.
How to be compliant: Document the specific technology platform used for the telehealth, Elhoms said. If a provider uses audio-only technology for a patient with Medicare (or any other payer that hasn’t relaxed its audio-visual requirements during the current PHE), providers should bill a CPT code from the 99441-99443 range for telephone services.
If audio-visual technology fails during the telehealth visit and the payer doesn’t permit audio-only services, it’s best to err on the side of caution and bill a code from the 99441-9443 range, Elhoms said.
If necessary, submit corrected claims within the payer-specific timelines, said Godlewski. For Medicare, that timeline is 12 months from the date of service.
2. Upcoding
During the current PHE, Medicare and some commercial payers permit providers to assign codes for telehealth office visits based on time or medical decision-making. However, if documentation supporting the coding isn’t specific, payers may suspect upcoding, a practice in which a provider attempts to increase payment by assigning the wrong code. Payers also may downcode services and recoup payments, Godlewski said.
How to be compliant: Ensure detailed documentation, especially in the absence of a physical exam. How did the provider spend their time with the patient? What did they discuss and why? What is the patient’s level of risk? What data did the provider consider? What tests, if any, did they order?
Also be sure to include these additional details:
- Patient’s location
- Provider’s location
- Method of communication
- Names and roles of anyone participating in the encounter
3. Using a non-HIPAA compliant telehealth platform if or when waivers are no longer in effect
During the current PHE, Medicare and some commercial payers permit providers to use non-public facing audio or video communication products. However, experts agree that those waivers are likely temporary and that continued use of these platforms after waivers are lifted could subject providers to HIPAA penalties.
How to be compliant: Start looking for a HIPAA-compliant telehealth solution now, Elhoms said. It could take time — several weeks or more — to vet options, secure an agreement, adjust workflows and educate patients, she adds. In the meantime, make a good faith effort to protect patient privacy by enabling all available encryption and privacy settings, and notify patients of the increased risk of using non-HIPAA compliant technologies.
4. Ignoring state licensure requirements for telehealth
During the current PHE, some — but not all — states relaxed their licensure and scope of practice rules, Godlewski said. However, even well-intentioned providers could face violations if they or their patient are in a state that didn’t, she adds.
How to be compliant: Know the rules, and the effective dates of any waivers, Godlewski said. Then, look at each claim to determine whether the provider followed the appropriate rule for each date of service. If the provider violated the rules, they should submit a corrected claim within the payor’s time frame for filing.
Another option is to join the Interstate Medical Licensure Compact, Elhoms said. The Compact, which includes 29 states, the District of Columbia and the territory of Guam, streamlines the licensing process for physicians who want to practice in multiple states.
5. Billing telehealth when no services are rendered
Although nefarious providers may intentionally do this, it’s actually more common for it to occur unintentionally, Elhoms said. She provides this scenario: A telehealth appointment is scheduled, and on the day of the appointment, a medical assistant opens the record and pre-populates it with information from a previous visit. Then the patient forgets to attend the appointment, and a claim is generated even though no encounter occurred.
How to be compliant: Perform end-of-day charge reconciliation for telehealth visits, Elhoms said. Ensure that all charges include a supporting physician note and signature.
6. Failing to authenticate patient identity
Providers could unknowingly contribute to identity theft if they don’t authenticate patient identity before telehealth services are rendered. Although established patients may have a copy of their license or other ID on file, new patients don’t, making it easy for individuals to pose as someone else, Elhoms said. “It’s not hard for fraudsters to come up with name, date of birth and address for another patient,” she said.
How to be compliant: Require patients to provide a picture of their ID when scheduling the telehealth visit online or ask patients to show their ID during the visit and document this in the note, Elhoms said.