Telehealth Compliance Programs Avoid and Mitigate Risk

Physicians Practice

The dramatic expansion of telehealth across the United States in response to the COVID-19 pandemic has allowed providers to continue servicing their patients during this stay-at-home era while minimizing disruption to their business. Telehealth expansion also has spurred innovation by enabling companies to harness technology, identify new ways of delivering patient treatment, collect and aggregate patient data, and lower costs associated with brick and mortar provider facilities.

While telehealth represents tremendous opportunity for providers, it also poses substantial risk. The current proliferation of telehealth services has been prompted in large part by changes to federal and state regulations and requirements in response to the COVID 19 pandemic. The shifting landscape and complex web of federal and state regulations makes legal compliance for telehealth providers extraordinarily difficult. Moreover, even prior to the COVID 19 pandemic, federal enforcement authorities prioritized rooting out fraud in the telehealth industry, as evidenced by the prosecution in the past year of several telemedicine providers accused of improper billing, kickbacks, bribes, and prescribing medically unnecessary drugs or devices. The federal government is now providing hundreds of millions of dollars in stimulus funds to support the delivery of telemedicine services. The flow of federal dollars to telehealth providers and the overall visibility of this industry means that law enforcement actively will pursue bad actors in this space, particularly those who seek to profit unlawfully from the circumstances created by the pandemic.

Telehealth Providers Should Implement Strong Compliance Programs

Compliance programs are designed to prevent misconduct from occurring. They ensure that applicable laws and regulations are followed, provide mechanisms for reporting suspected misconduct, and set clear expectations and obligations for employees of an organization. Law enforcement authorities look to the adequacy of companies’ compliance programs in assessing culpability and criminal and civil penalties.

Given the current environment and the importance of compliance programs, telehealth providers should take immediate steps, with input from legal counsel, to implement effective and comprehensive compliance programs. Among other measures, providers should consider the following:

  • Implement/review written policies – Ensure that written policies are in place that expressly require compliance with applicable federal and state laws, regulations, and requirements. Considering recent changes, policies that were put into place prior to the COVID-19 outbreak should be reviewed and revised as necessary.
  • Designate a compliance officer – Identify an individual to serve as a compliance officer to oversee the implementation of the organization’s compliance program. Designating a compliance officer is an important step in ensuring the allocation of adequate resources to the implementation of a compliance program.
  • Trainings and education – Conduct regular trainings of business management, administrative staff, physicians, and other affected employees regarding existing compliance policies. Provide refreshers and updates to employees through newsletters, memoranda, and the like.
  • Reporting mechanisms for suspected misconduct – Implement reporting mechanisms, such as an anonymous tip line, so that instances of suspected wrongdoing can be reported by employees at all levels of the organization. Put in place processes to act upon reports and to assess and investigate allegations.
  • Regular auditing/monitoring of compliance program – Conduct annual audits of the compliance program to assess compliance activity and effectiveness. In addition, stay apprised of changing laws and requirements to ensure that existing compliance policies are effective and up to date.

Considerations When Facing a Possible Enforcement Action

Companies that are prepared properly to deal with law enforcement put themselves in a favorable position to minimize or avoid corporate liability, prevent missteps which can lead to additional criminal or civil exposure, and move on quickly from any misconduct that has occurred. The high visibility of the telehealth industry underscores the need for healthcare providers to be equipped to interface with law enforcement authorities in the event of allegations of misconduct. In this regard, companies should keep in mind the following:

  • Outside counsel may be helpful – Outside counsel can assist in conducting internal investigations and can draw on their experience to advise companies with respect to the potential risks and exposure they face, including, for example, consideration of whether to refer a matter to prosecutors or make a voluntary disclosure.
  • Preserving documentation is critical – Immediately upon being made aware of allegations of misconduct, organizations should take steps to preserve any materials and records related to the allegations. Document preservation is critical to enabling the company to assess the merits of the allegation and to respond to requests for information or subpoenas from law enforcement.
  • The need for an internal investigation – Among other things, internal investigations enable companies to assess the merits and scope of credible reports of misconduct and determine how to proceed. They typically are led by a compliance officer and/or outside counsel and may involve the assistance of an outside forensic examiner. Investigation findings are often based upon a review of applicable policies and relevant electronic communications and records, and interviews of affected employees.


Providers hoping to succeed in expanding or integrating telehealth capabilities should act promptly in dealing with the risks associated with this industry. Comprehensive and effective compliance programs will help prevent misconduct from occurring in the first instance and will enable companies to stay compliant with an evolving legal landscape. Moreover, organizations that are prepared to address allegations of misconduct when they arise will be in a favorable position to assess the allegations, respond appropriately, interface with law enforcement if necessary, and move on quickly to focus on their business.

“Telehealth Compliance Programs Avoid and Mitigate Risk,” by Ariel S. Glasner and Jane Thomas was published in Physicians Practice on May 29, 2020. Reprinted with permission.