Although there may be numerous benefits to using telehealth services, patients and providers should also consider the substantial telehealth risks involved.
With the sudden uprising of COVID-19, the Department of Health & Human Services quickly took significant steps in securing better access to telehealth services. Now, with patients being able to talk to their doctor live through phone or video chat, send and receive messages through email, secure messaging, and secure file exchange, and use remote patient monitoring using home check-up devices, telehealth has become extremely popular due to its accessibility and safety from COVID-19.
By expanding U.S. telehealth offerings and utilizing such technology, this also presents potential severe liabilities, such as a laundry list containing cybersecurity, data, and compliance risks. As the regulations governing telehealth still remain to be relaxed, now is the time to be vigilant regarding various telehealth risks.
Cybersecurity and Data Risks
Healthcare criminals are notoriously creative, and the relaxed standards for telehealth-related data exchanges have opened more opportunities for bad actors to exploit the pandemic for financial gain.
With the onset of COVID-19, phishing attempts have grown remarkably. To date, phishing is one of the most effective methods that attackers use to compromise accounts and access data and resources.
With phishing relying heavily on social networking methods, the sudden dependence on telehealth services and virtual visits makes users even more susceptible to falling victim to phishing. For example, Google reported blocking 18 million malware and phishing emails per day related to COVID-19.
At the end of October, two phishing campaigns emerged. One masqueraded as a Microsoft Teams alert, and the other as a COVID-19 vaccine tracker from the HHS.
According to Healthcare IT News, Patricia Carreiro, a data privacy and cybersecurity litigation attorney at Carlton Fields, states, “Healthcare data carries an extraordinary high-value on the black market, typically worth 10 to 40 times more than a credit card number.”
With HHS allowing for greater accessibility to telehealth services, the transfer of such valuable unencrypted information is prime real estate for hackers. Carreiro adds, “Hackers can simply insert themselves in the unsecured communication, take the information they desire, and proceed to sell the information to perform various types of healthcare fraud or identity theft.”
A current trend is targeting healthcare providers in hopes of discovering unpatched systems or other comparable vulnerabilities. Due to the current COVID-19 climate and longevity, individuals are distracted and stressed. Opening up the wrong email or clicking on a malicious link could be an easy mistake but could take down a whole healthcare system.
According to HHS, ransomware is a type of malware (malicious software) that attempts to deny access to data, usually by encrypting the data with a key known only to the hacker who deployed the malware until a ransom is paid. Most ransomware attacks are sent in phishing campaign emails, asking the target to either open an attachment or click on an embedded link.
Details about a major wave of ransomware attacks on U.S. hospitals began to emerge at the end of September when computer systems for Universal Health Services, one of the biggest hospital chains in the country, were hit, forcing some doctors and nurses to use pen and paper to file patient information.
“Ransomware attacks have been a consistent threat to American industry and local governments for several years, but attacks on the country’s health care systems have risen this year,” said Allan Liska, an analyst at the cybersecurity firm Recorded Future, who monitors known infections.
Liska and his team have tracked 62 reported healthcare ransomware infections this years compared to 50 last year.
Before COVID-19, CMS based Medicare reimbursements for virtual services off of a tight set of circumstances, which still required some patients to leave their home for care. With COVID-19, the resulting public health emergency, and the passage of the Coronavirus Assistance, Relief, and Economic Security Act, the Secretary of HHS is utilizing the waiver authority granted under Section 1135 of the Social Security Act to permit CMS to expand the permissible range of virtual services that qualify for federal reimbursement.
Overview of what’s currently allowed/not allowed
The shifting landscape and an intricate network of federal and state regulations make legal compliance incredibly tricky for telehealth providers. Before COVID-19, federal enforcement authorities prioritized uncovering fraud in the telehealth industry, revealing telemedicine providers suspected of bribes, improper billing, prescribing medically unnecessary drugs or devices, and kickbacks.
With the federal government presently providing millions of dollars in stimulus funds to support telemedicine services, law enforcement is actively pursuing bad actors who may be profiting illegally.
Telemedicine fraud can take many different forms, such as up-coding, misrepresenting a virtual service, billing for services not rendered, and kickbacks. While there’s a lot of opportunity for telehealth fraud, it’s important to know what to look for and why it’s more common than in-person care.
To combat up-coding and complexity fraud, CMS is closely monitoring reimbursement requests, detailing instances where providers increased the time spent providing telemedicine services. A provider’s failure to accurately bill for accurate time and services rendered could result in False Claims Act liability. For example, providers may bill for services that bring in higher reimbursements even though the services provided do not meet the billing description.
Now that Medicare can reimburse for numerous virtual interactions, including telemedicine visits, virtual check-ins, telephone visits, and e-visits, providers must understand specifications, CPT codes, and billing processes for each interaction. This should help aid in providers misrepresenting the virtual service provided.
Billing for telehealth services not rendered (e.g., a patient doesn’t show up for a scheduled telehealth appointment and you bill for the visit anyway), is a criminal offense. One scam involved 29 defendants in the Middle District of Florida. A telemedicine company and medical professionals working for it billed Medicare for medical equipment for patients they never spoke to.
With the DOJ’s close attention to telemedicine service fraud, it recently charged 86 defendants in 19 judicial districts with $4.5 billion in fraud loss related to national telemedicine kickback schemes. During this instance of fraud, the defendants used marketing strategies to make unsolicited communication with beneficiaries. During this contact, the defendant referred the beneficiary for unnecessary testing, medications, or medical equipment, which granted the defendant kickbacks.
“Given that telehealth is a new medium for delivering health care, the areas more susceptible to fraud may be unique and unknown to the federal agencies, making it more difficult to detect and stop,” says Nicol Turner Lee, director of Brookings’ Center for Technology Innovation, and Niam Yaraghi, a nonresident fellow of Brookings’ Center for Technology Innovation.
With the increase of telehealth services in March, the HHS announced it would not impose penalties for non-compliance around telehealth during COVID-19. Under the provision, covered healthcare providers can use any non-public facing remote, audio, or video communication product available to provide telehealth and communicate to patients during the public health emergency.
Healthcare providers can use any popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth services without OCR imposing a penalty for HIPAA non-compliance.
“Covered healthcare providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products,” says OCR.
Providers should first equip all available encryption and privacy modes when using these applications, and second, clarify (to their patients) that these third-party applications introduce privacy risks. As an example of the level of risk, Facebook has been accused of several privacy-related complaints, such as exposing user health data.
OCR has published a bulletin advising covered entities of further flexibilities available to them as well as obligations that remain in effect under HIPAA as they respond to crises or emergencies.
Adapting and Mitigating Risks
While telemedicine is not a new trend, COVID-19 has rapidly increased its popularity in US households. With the expansion of telehealth services, there’s one thing that’s certain: it’s in the best interest of healthcare organizations and patients to fully invest in educating and training staff on the telemedicine platform, compliance, and risks.
In order to be more proactive, providers should look for ways to build comprehensive compliance programs that address telehealth, including implementing the following:
Designate a compliance officer
Create a plan for operations
Implement/review written policies
Provide training and education
Establish reporting mechanisms for suspected misconduct
Regularly audit/monitor compliance program
As a result, healthcare providers can provide more convenient and accessible care, improve patient engagement, achieve telemedicine cost-effectiveness and healthcare savings, and detect fraud.