The Department of Justice's (DOJ) focus on telehealth as
an enforcement priority is attempting to keep pace with the
expansion of telehealth platforms and services during the COVID-19
pandemic, and telehealth enforcement has featured heavily in all of
DOJ's nationwide healthcare enforcement actions since the
pandemic's onset. Telehealth arrangements also were the
subject of a 2022 Special Fraud Alert issued by the
Department of Health and Human Services' Office of Inspector
General (HHS-OIG), one of DOJ's principal enforcement
partners. While the pandemic has eased, it's clear that both
telehealth — and DOJ's focus on it — are here to
stay.
June 2024 saw a blitz of activity as DOJ and other federal
enforcement authorities announced a series of telehealth-related
criminal and civil enforcement actions. Most notably, DOJ indicted two executives of online digital
health platform Done Global, Inc. and its affiliated company Done
Health, P.C. for an alleged US$100 million scheme to unlawfully
distribute Adderall and other controlled substances, commit
healthcare fraud, and obstruct justice. This indictment was
something new: DOJ's first-ever drug distribution charges
related to telehealth prescribing via a digital health company. In
addition, DOJ and the Federal Trade Commission announced civil claims against telehealth
companies Cerebral, Inc., Zealthy Inc., Gronk Inc., and Bruno
Health P.A., and certain of their executives, for allegedly unfair
and deceptive privacy, data security, marketing, and billing
practices.
Government enforcement authorities aren't the only ones
interested in pursuing lawsuits against telehealth platforms. In
a qui tam lawsuit unsealed last fall, a relator
is pursuing a False Claims Act (FCA) case against Zocdoc, Inc., a
company that allows users to search for and schedule appointments
with physicians, for allegedly obtaining payments in violation of
the federal Anti-Kickback Statute (AKS).
In this Advisory, we take stock of the government's
telehealth enforcement efforts to date, examine the allegations
from these recent cases, and provide some key takeaways about the
expanded risks facing companies that operate in the telehealth
space.
DOJ's Previous Telehealth Enforcement Actions
DOJ has made telehealth the centerpiece of major enforcement
actions for several years, including before the pandemic. 2019 saw
both Operation Brace Yourself and Operation Double Helix, in which DOJ charged
more than 50 individuals with telehealth schemes involving
unnecessary durable medical equipment (DME) and genetic testing,
respectively. These alleged schemes targeted elderly and disabled
individuals to entice them into agreeing to unnecessary DME or
genetic tests. Among those charged were individuals associated with
telemedicine companies, DME companies, genetic testing
laboratories, and medical professionals. The charges featured
DOJ's two primary criminal healthcare-related enforcement
tools: the healthcare fraud statute, 18 U.S.C. § 1347, and the
AKS, 42 U.S.C. § 1320a-7b(b).
As we explained at the start of the pandemic,
COVID-19 brought with it a rapid expansion and increased use of
telehealth services with reduced regulatory requirements. Medicare
expanded telehealth coverage to include a wider range of locations,
care settings, and services and paused audits of compliance with
prior patient-provider relationship requirements. The Drug
Enforcement Administration (DEA) also permitted telehealth
flexibilities for controlled substance prescriptions. While
telehealth use is lower than it was in the early days of the
pandemic, telehealth remains a popular option for receiving care.
These loosened restrictions coincided with significant telehealth
sweeps by DOJ, as we detailed in our July 2022 Advisory. National enforcement
actions in 2020, 2021, 2022, and 2023 led to criminal charges against more
than 175 individuals, alleging over US$8 billion in fraud. The
charges included allegations regarding:
- Telemedicine executives paying medical professionals to order unnecessary DME, genetic and other diagnostic testing, and pain medications, either without any patient interaction or with only a brief telephonic conversation with patients they had never met or seen
- Laboratories, pharmacies, and DME companies paying kickbacks and bribes to telemedicine companies to induce orders for unnecessary testing, medications, and DME, and then submitting fraudulent claims to federal payors
- Laboratory owners and operators paying kickbacks and bribes to medical professionals working with fraudulent telemedicine and digital medical technology companies in exchange for patient referrals for expensive and medically unnecessary cardiovascular and cancer genetic tests
- Software company executives allegedly using their internet-based platform to facilitate the payment of kickbacks and bribes by pharmacies, DME suppliers, and marketers to telemedicine companies in exchange for fraudulent orders for DME, skin creams, and other medically unnecessary items, with the software company allegedly receiving kickbacks in exchange for the orders from the pharmacies, DME suppliers, and marketers
The charged schemes shared certain features: accusations that telehealth platforms or other facilitators entered kickback arrangements with DME providers, testing labs, or pharmacies; unsolicited outreach to prospective patients and efforts to persuade them to accept services and disclose their insurance information; and payments to physicians to write unnecessary prescriptions related to sham telehealth encounters. These criminal allegations fit neatly within HHS-OIG's Special Fraud Alert on telehealth arrangements between telemedicine companies and healthcare professionals, which highlighted certain characteristics that present (in its view) a heightened risk of fraud and abuse, including:
- Medical practitioners prescribing items or services for patients who were identified or recruited by telemedicine companies
- Medical practitioners compensated based on the number of prescriptions written, or in some other manner that might create incentives to order unnecessary items or services
- Limited patient relationships, such as insufficient contact with the patient or failure to meaningfully examine them, as well as no expectations on following up with patients
- Irregular medical practices, such as limited offerings of products or restrictions on treatment options
DOJ's 2024 Telehealth Enforcement Actions
The Done Global Criminal Charges
On June 13, 2024, DOJ unveiled a seven-count indictment charging Ruthia He, Done
Global's founder and CEO, and David Brody, Done
Health's clinical president and a psychiatrist, for violating
the Controlled Substances Act (CSA) by improperly distributing
Adderall and other stimulants; for conspiring to violate the CSA
and commit healthcare fraud; and for obstruction of justice. The
charges were brought by the Health Care Fraud Unit of the DOJ
Criminal Division's Fraud Section and the U.S.
Attorney's Office for the Northern District of California,
and the matter is pending in that district. Multiple agencies were
credited with conducting the investigation, including DEA, HHS-OIG,
the Internal Revenue Service, and Homeland Security Investigations.
In announcing the charges, DEA Administrator
Anne Milgram asserted that the defendants allegedly facilitated
easy access to “highly addictive” medications that also
“exacerbate[d]” a nationwide shortage of prescription
stimulants.
The indictment alleges that He, Brody, and others conspired to use
Done Global's telehealth platform to distribute Adderall and
other stimulants that were not for a legitimate medical purpose. In
exchange, patients allegedly paid a monthly subscription fee to
Done Global. These operations were massive, allegedly causing the
dispensing of over 40 million pills of Adderall and other
stimulants and earning over US$100 million in revenue.
To effect the conspiracy, through Done Global, He and Brody are
accused to have done the following things, among others:
- Allegedly spent “tens of millions” on “deceptive social media advertisements” that intentionally “target[ed] drug-seeking patients” and broadcast easy access to Adderall prescriptions in exchange for Done Global's monthly fee
- Allegedly made false statements and material omissions about Done Global's ability to accurately diagnose ADHD in shorter appointment times than other clinics, when Done Global had no mechanism to screen out those unlikely to have ADHD
- Allegedly falsely represented that Done Global had a range of medical treatment options besides prescriptions for Adderall and other stimulants
- Allegedly hired prescribers whom they “believed were not overly concerned about drug-seeking patients” and whom they did not expect to resist prescribing Adderall to patients during a first-time telehealth meeting
- Allegedly “pressured” and made “lucrative payments” to Done Global prescribers to cause them to write unnecessary prescriptions
- Allegedly established initial telehealth encounter policies that limited information available to Done Global prescribers; instructed them to write prescriptions even if the Done Global member did not qualify; and ordered that initial patient encounters could last no longer than 30 minutes
- Allegedly paid prescribers based on the number of patients seen per month, while refusing to pay for and discouraging follow-up patient consultations, including issuing policies that did not require follow-up consultations and providing for “auto refills” of ADHD medications at the member's request
- Allegedly enacted a policy that “transferred” members to prescribers who would issue a “bridge prescription” without an in-person examination or tele-consultation at all
- Allegedly caused Done Global prescribers to write prescriptions for members who were in states where the prescribers were not authorized to write controlled substance prescriptions
These practices allegedly resulted in Done Global-affiliated
medical professionals prescribing stimulants for “members
with whom they lacked a pre-existing practitioner-patient
relationship, without an examination, sometimes based solely on a
short video or audio communication and limited patient intake
documents, or without video or audio communications at all.”
According to the indictment, the effect was that Brody and other
Done Global prescribers allegedly wrote Adderall prescriptions
regardless of whether the member met the criteria for an ADHD
diagnosis or posed a risk of diversion. And because of Done
Global's alleged compensation system, DOJ asserted that Done
Global's prescribers obtained “lucrative pay for
minimal work,” sometimes supposedly worth hundreds of
thousands of dollars annually.
In addition to the CSA charges, the allegations above form the
basis of charges that He and Brody conspired to commit healthcare
fraud by causing the pharmacies to dispense — and Medicare,
Medicaid, and commercial insurers to pay for — the supposedly
unnecessary Adderall prescriptions. DOJ asserts that these were
fraudulent claims that led insurers to pay out over US$14 million.
Notably, notwithstanding the indictment's allegations about
how Done Global paid its prescribers, DOJ did not charge violations
of the AKS. Additionally, DOJ charged He and Brody with conspiring
to obstruct justice by allegedly altering, destroying, and
concealing records both before Done Global received a subpoena and
afterward.
The June 27, 2024 National Health Care Enforcement Action
On June 27, 2024, DOJ announced its most recent National Health Care Enforcement Action.
Telehealth again was a cornerstone of the government's
announcement, including charges against 36 defendants who allegedly
submitted over US$1.1 billion in fraudulent claims to Medicare,
including from genetic testing schemes similar to those alleged in
DOJ's earlier enforcement actions.
As part of this national takedown, DOJ announced additional CSA charges against
other Done Global personnel, including Done Global's
executive leader for operations and strategy, as well as four
healthcare providers. Among those charged was a nurse practitioner
who allegedly prescribed over 1.5 million pills of Adderall and
other stimulants and earned over $800,000. According to the
indictment, this practitioner allegedly approved prescriptions for
some patients without any medical review and then continued to
write prescriptions based on auto-generated renewal requests.
Notably, in his press conference remarks announcing these charges as part
of the national takedown, Attorney General Garland made the rare
acknowledgement of how DOJ began its
investigation. According to the Attorney General,
“[u]tilizing proactive data analytics, [DOJ] identified
misuse of telemedicine as a possible source of an increase in
prescriptions for stimulants” which led them to work
“with law enforcement officers to identify potential
schemes,” ultimately leading to Done Global. Although DOJ
infrequently describes its investigative methods, the Attorney
General's crediting data analytics fits with DOJ's
years-long emphasis on its use of data to support its
investigations, particularly in the healthcare space. Indeed, the
Attorney General included the use of data analytics as one of four
fundamental principles of DOJ's healthcare enforcement
efforts, along with protecting patients, defending taxpayer-funded
programs, and ensuring accountability for alleged offenders by
prosecuting them and seizing assets.
The DOJ and FTC Civil Complaints Against Telehealth Companies
On June 10, 2024, DOJ also flexed its civil enforcement
authority by teaming up with the Federal Trade Commission (FTC) to
bring claims against four telehealth companies and some of their
executives for allegedly unfair and deceptive conduct. Using their
authority under the Federal Trade Commission Act, the Opioid
Addiction Recovery Fraud Prevention Act of 2018, and the Restore
Online Shoppers' Confidence Act (ROSCA), DOJ and FTC filed an
amended complaint seeking injunctive relief, damages, and penalties
against Cerebral and two of its executives, as well as Zealthy,
Gronk, Bruno Health, and various executives of those companies.
Along with the filing of the amended complaint, the government
announced that it had settled its claims against Cerebral. The
settlement does not require Cerebral to admit or deny any
allegations, but does require Cerebral to cease its alleged misuse
and improper disclosure of patients' information; cease its
alleged misrepresentation of its data privacy, data security, and
cancellation practices; and pay US$5 million in customer redress
and a US$10 million civil penalty (reduced to US$2 million based on
Cerebral's limited ability to pay).
The civil violations alleged against the above telehealth companies
generally fall into the following categories:
- Concealed tracking of customers: According to the amended complaint, Cerebral and its founder and former CEO allegedly told customers that Cerebral's services were confidential, while secretly tracking them and providing their information to third parties for targeted advertisements and other commercial purposes. Zealthy, which Cerebral's founder created after leaving Cerebral, is alleged to have similarly tracked, collected, and disclosed customer data without the fully-informed consent of its users.
- Failing to protect customers' personal health information (PHI): Cerebral allegedly failed to safeguard customers' PHI from unauthorized disclosure from chronic data breaches, despite claiming that Cerebral's platform was “secure.”
- Posting false online reviews: Cerebral allegedly caused its employees to falsely impersonate patients by posting fake positive reviews online and suppressing negative reviews.
- Failing to disclose material terms to customers: Cerebral, Zealthy, and Bruno Health each allegedly failed to clearly disclose material terms to customers before obtaining their billing information. Cerebral allegedly failed to disclose important terms related to data privacy, data security, and cancellation before charging customers. It also allegedly failed to provide a simple mechanism to prevent recurring charges and collected millions from recurring charges even after the customer asked to cancel. Zealthy and Bruno Health allegedly failed to disclose to their users what they would be charged, how they could cancel and obtain refunds, or how their data would be used.
The Zocdoc FCA Qui Tam Litigation
Telehealth companies may also face civil investigations and
lawsuits under the False Claims Act. In February 2022, a relator
filed a then-sealed qui tam complaint against
Zocdoc, Inc., an online digital health platform that uses a
proprietary algorithm to help patients search for and schedule
appointments with medical providers. The relator is a primary care
physician who allegedly enrolled with Zocdoc in 2014 so he could be
listed on the platform and accept patient appointments through it.
DOJ declined to intervene, the case was unsealed, and the relator
filed a second amended complaint in November 2023.
The amended complaint alleges that Zocdoc charges at least two fees
to providers: a general subscription fee and a discrete
“booking fee” for each new patient who makes an
appointment. The relator characterizes Zocdoc's alleged
solicitation and receipt of a booking fee for each new patient as a
referral fee and kickback that violates the AKS. He also alleges
that the booking fee is actually a “success fee” meant
to illegally reward Zocdoc for:
- Allegedly referring beneficiaries of federal healthcare programs to medical providers who pay booking fees
- Allegedly steering new patients to providers who pay booking fees by misleading new patients about non-paying providers' appointment availability
- Allegedly manipulating search results to prioritize and recommend providers who pay booking fees, while filtering out providers who are unwilling (or unable) to pay such fees and/or who have reached their monthly allocated budget for such fees
Zocdoc allegedly advised the relator that its original flat-fee
model was designed to avoid AKS issues, but it later moved him and
other physicians to a booking-fee model. The relator also alleges
that the booking fee was not calculated based on fair market value,
but rather was a floating rate based on the estimated annual
reimbursement value of the referral for that provider's
medical specialty. Zocdoc also allegedly concealed the truth about
its business model from the public, supposedly misrepresenting its
algorithm and search engine model. Notably, in July 2023, just
before the relator filed his amended complaint, HHS-OIG issued a
favorable advisory opinion regarding Zocdoc's fee
arrangements, finding that they were sufficiently low risk under
the AKS.
Zocdoc has moved to dismiss the amended complaint. The
court's decision is still pending.
Takeaways
These recent telehealth enforcement developments show that the government and private whistleblowers are focused on increasingly sophisticated and established telehealth and digital health platforms. Companies operating or contracting with such platforms should consider the following lessons in light of these enforcement trends:
- DOJ's telehealth playbook is expansive: Prior telehealth enforcement prosecutions generally featured charges of healthcare fraud or AKS violations related to schemes involving unnecessary durable medical equipment, compounded medications, and diagnostic and genetic testing. By bringing CSA charges in the Done Global cases, DOJ is broadening its telehealth enforcement playbook and demonstrating to companies in this space that they are continuing to eye these arrangements very carefully.
- Additional scrutiny for controlled substances: It is significant that the first criminal indictment is one focused on Adderall, a controlled substance with arguably addictive qualities. Telehealth platforms that allow for the prescription of such substances will likely receive higher scrutiny.
- Provider compensation: Notwithstanding the lack of AKS charges, the Done Global indictment reflects DOJ's view that paying telehealth providers in a manner that accounts for the volume of referrals and/or creates disincentives for patient follow-up is potentially problematic and poses an increased risk of fraud. Compensation arrangements should be carefully reviewed so that they do not undermine independent medical decision-making.
- Bona fide patient/provider interactions: The government is concerned about telehealth arrangements or policies that potentially undermine genuine patient/provider interactions. Potential red flags include the lack of a prior in-person relationship; no audio and/or visual observation opportunity; time limits on visits; disincentives for patient follow-ups; and the provision of limited patient medical information to telehealth prescribers.
- Advertisements are subject to scrutiny: Done Global's alleged use of misleading advertisements that targeted individuals seeking to obtain Adderall and other stimulants was included as part of the drug distribution conspiracy charge. Companies are well served by evaluating telehealth advertisements carefully to ensure that they are truthful, not misleading, and do not suggest access to medical items without appropriate evaluation by a healthcare provider.
- Data analytics remains an important tool for identifying targets: DOJ does not often describe how it began a case, but in Done Global, the Attorney General credited data analytics. This serves as an important reminder that a company should review, analyze, and understand the trends and potential concerns reflected in its own data, and in the data available from third-parties with whom it engages, as an essential component of its compliance program.
- Protecting customer data: In line with DOJ's Civil Cyber-Fraud Initiative, covered extensively by our colleagues on Arnold & Porter's Qui Notes blog, the DOJ and FTC claims against Cerebral and the other telehealth companies demonstrate how the government is seeking to address companies that allegedly fail to protect their consumers' information.
- Disclosing material terms to customers: DOJ and FTC found certain billing practices by these telehealth companies to be problematic, particularly the inability to cancel services. Companies should carefully evaluate their intake and billing practices to ensure compliance with the FTC Act and ROSCA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.