HHS OIG Develops Toolkit to Analyze Telehealth Claims to Assess Program Integrity Risks - McDermott Will & Emery

HHS OIG Develops Toolkit to Analyze Telehealth Claims to Assess Program Integrity Risks


On April 20, 2023, the United States Department of Health and Human Services Office of the Inspector General (HHS OIG) released a new toolkit designed to help analyze telehealth claims to assess federal healthcare program integrity risks. The toolkit is OIG’s latest action in its continued focus on telehealth services that OIG considers to be high risk. The toolkit is based on methodologies highlighted in OIG’s September 2022 data brief, which identified billing practices by Medicare providers that OIG was concerned posed a high risk to program integrity based on a review of Medicare fee-for-service claims data and Medicare Advantage data from March 1, 2020, through February 28, 2021 (OIG Data Brief). The September 2022 OIG Data Brief is discussed in detail in this prior On The Subject article.

OIG intends for the toolkit to be used by public and private parties, including Medicare Advantage plan sponsors, private health plans, State Medicaid Fraud Control Units, and other federal healthcare agencies to analyze program integrity risks and identify providers whose billing may pose a high risk and warrant further scrutiny.

In Depth

The toolkit is divided into two components for analyzing potential program integrity risk associated with telehealth claims: (1) steps for analyzing telehealth claims and (2) program integrity measures.

  1. Steps for analyzing telehealth claims. The first toolkit component consists of OIG-recommended steps for reviewing telehealth claims data.
    1.1. Review program policies. OIG notes that, as a starting point, organizations need to be aware of the specific payment and coverage policies of the program in which they participate. Program requirements for telehealth coverage and claims data vary across programs. The toolkit was based on Medicare fee-for-service payment and coverage policies in place during the first year of the COVID-19 pandemic. While many of these policies were extended through December 31, 2014, by the 2023 Consolidated Appropriations Act (CAA 2023), certain telehealth policies will end with the end of public health emergency for COVID-19 on May 11, 2023. We covered the CAA 2023 telehealth extensions in a prior On the Subject article.
    1.2. Collect claims data. The toolkit is designed to be used for claims data from individual providers, including physicians and non-physician practitioners. OIG expressly does not intend the toolkit to be used for claims data from institutions, such as hospitals and nursing homes. The toolkit focuses on the limited set of services that may be provided to Medicare beneficiaries via telehealth and certain virtual-care services not designated by CMS as telehealth services, including e-visits, virtual check-ins and remote monitoring. Telehealth services may include office visits with primary care providers or specialists, behavioral health services, and preventive services. OIG used modifiers or place-of-service codes to identify the services provided via telehealth, which are billed using codes that are also used for in-person services. (A list of services that can be provided via telehealth is available here.) The other set of virtual care services are billed using codes specifically designated for the services, with no in-person counterpart. (A list of such virtual care services is available in an appendix to the toolkit.)
    1.3. Conduct quality assurance checks. OIG recommends conducting internal quality assurance checks on the data being analyzed. OIG identified the following steps for testing the completeness and accuracy of the data: (1) identification number of the provider who rendered the service, (2) identification number of the billing provider associated with the service, (3) identification number for the patient who received the service, (4) date of the service, (5) procedure code billed, (6) quantity of services units billed, and (7) modifiers or place-of-service codes attached to the service. The toolkit also includes a reminder that data should be reviewed to check for and remove any errors.
    1.4. Analyze data to identify program integrity risks. Once the data in step 1.3 is gathered and checked for quality, users should undertake an analysis to review the data to identify potential program integrity risks. The toolkit specifically identifies seven program integrity measures to be used for evaluation (discussed in detail in Section 2). However, OIG cautions that these measures are intended to be a starting point, not an exhaustive lists of all potential program integrity risks associated with claims for telehealth services. OIG further cautions that the thresholds for categorizing what constitutes a high-risk claim should be tailored according to the specific program involved and the goals of the review. OIG also notes that the toolkit was intentionally designed with “incident to” billing in mind.
    1.5. Interpret the results of the analysis. As data analysis is completed, users can use the toolkit to benchmark their results against those flagged by OIG as potential threats to program integrity. This phase may result in the identification of overpayments or the need to reevaluate how a provider bills for telehealth services. Of course, exceeding a potential threshold noted in the toolkit is not itself evidence of fraud and abuse. Once a concern is identified, further investigation of the facts and circumstances involved would be necessary to determine the extent of any potential non-compliance and remediation required.
  2. Program integrity measures. Once an organization has analyzed its telehealth claims data, the second toolkit component is designed to help the organization determine if its data represent program integrity risk. Here, OIG has developed a three-pronged approach: (1) measure, (2) analysis and (3) threshold. “Measure” refers to the particular type of program integrity risk to be reviewed, “analysis” explains how to calculate the measure and “threshold” provides guidance about the level of activity that OIG views as a potential risk to program integrity. The toolkit contains seven measures, each focused on different billing activities that may raise program integrity concerns. Many of the measures can and should be tailored to the specific goals of the user and includes either limiting analysis to those providers who provide a minimum number of telehealth services, or setting a specific threshold in accordance with the compliance goals of the organization. OIG recommends that users review measures of central tendency (e.g., mean and median) and the distribution of the data, including outliers, to set the threshold at an appropriate level to suit the goals of the review and data.
    2.1. Billing telehealth services at the highest, most-expensive level for a high proportion of services. This measure is used to identify providers who routinely bill telehealth services at the highest, most-expensive level. Such a pattern may indicate that a provider is upcoding telehealth services claims. The toolkit recommends identifying services that are billed at different rates for higher-level service. (For example, the toolkit notes that there are five Medicare codes for established patient office visits, with the highest being reimbursed at eight times the rate of the lowest service level.) Next, the toolkit suggests determining the percentage of a particular provider’s services that were billed at the highest level. In the OIG Data Brief, OIG considered Medicare providers to be high risk if they billed 100% of their telehealth services at the highest level of service.
    2.2. Billing a high number of hours of telehealth services. The toolkit next includes a measure to identify providers who bill a high average number of hours per telehealth visit, which may indicate that a provider is billing for medically unnecessary services or for services not rendered at all. The toolkit’s approach categorizes a “visit” as all of the telehealth services rendered to a patient one-for-one date. In the OIG Data Brief, high-risk providers were those that billed for an average of more than two hours of telehealth services per visit, excluding “extra-long” services and psychological testing and evaluation. The toolkit also highlights checking for the so-called “impossible day,” such as instances where providers billed for 25 hours of services in a single day. OIG notes that impossible-day analysis is not a good fit in instances where incident to billing is permitted, but is another tool in the toolkit when evaluating providers who bill for abnormally high hours of telehealth services. OIG again notes that users may change this threshold to fit different needs and data.
    2.3. Billing telehealth services for a high number of days in a year. Another measure in the toolkit is for identifying providers who billed telehealth services for a high number of days per year. This is calculated by counting the total number of unique dates in a year that a provider billed at least one telehealth service. In the OIG Data Brief, OIG considered a provider to be high risk if they billed more than 300 days in a year, as the median for all providers who billed Medicare for telehealth services was 26 days.
    2.4. Billing telehealth services for a high number of patients. This measure seeks to identify providers who bill for a high number of unique patients, which OIG indicates may suggest that the provider is billing for services not rendered. The toolkit suggests calculating this measure by taking the total number of unique patients for whom at least one telehealth service was billed during a one-year time frame. In the OIG Data Brief, OIG considered providers who bill telehealth services for 2,000 or more beneficiaries in a one-year period to be high risk under this measure. For context, the 2,000 patient threshold is approximately 100 times the median of 21 beneficiaries for all providers who billed for telehealth Medicare services.
    2.5. Billing multiple plans or programs for the same telehealth services for a high proportion of services. The toolkit provides a measure to capture providers who bill a high proportion of claims to multiple plans or programs for the same telehealth services. OIG states this may indicate that a provider is intentionally submitting duplicate claims. This analysis is conducted by identifying telehealth services that were billed to more than one program by matching information submitted to both programs and identifying the percentage of the provider’s claims that were submitted to more than one plan. For example, OIG’s analysis looked at providers who billed the same services to both Medicare Advantage and Medicare fee-for-service. OIG recognizes there are instances in which it is appropriate for a beneficiary to be enrolled in both programs, so this measure should be customized to account for such patients. In the OIG Data Brief, OIG determined that a high-risk provider was one who billed both Medicare Advantage and Medicare fee-for-service for more than 20% of their claims.
    2.6. Billing for a telehealth service and then ordering medical equipment for a high percentage of patients. Another measure in the toolkit involves the relationship between providing services and ordering equipment for patients. The measure is used to identify providers who bill for telehealth services and subsequently order medical equipment and supplies for a high number of patients, which raises program integrity concerns because of its similarity to what OIG characterized as “known fraud schemes.” OIG’s concern is that providers may be ordering unnecessary medical equipment and supplies for patients. To identify high-risk providers using this measure, OIG suggests calculating the percentage of patients for whom a provider billed a telehealth service and then also ordered medical equipment and supplies. In the OIG Data Brief, OIG considered providers to be high risk where they billed for a telehealth service and then ordered medical equipment within three months of the telehealth visit more than 50% of the time. The median occurrence for providers billing for a telehealth service and then ordering equipment was 3%. OIG further noted that this analysis can be further customized to identify providers who billed audio-only telehealth services, which OIG suggests could indicate providers are cold calling Medicare beneficiaries to increase orders for medical equipment, supplies and services.
    2.7. Billing for both a telehealth service and facility fee for most visits. The seventh toolkit measure is to identify providers that bill for both a telehealth service and facility fee for most of their visits. The facility fee (also known as an originating site facility fee) is allowable under Medicare where a healthcare facility hosts a patient on-site and the patient receives telehealth services from a provider located offsite. The provider performing the telehealth service then bills for the telehealth service separately. Medicare does not allow a provider to bill for both telehealth services and the facility fee. In the OIG Data Brief, OIG identified providers who billed at least 10 telehealth visits and billed for both the telehealth services and facility fees more than 75% of the time to be high risk. Most providers did not bill for both fees. OIG further noted that identifying providers who are part of the same medical practice and providers who are associated with one or more telehealth companies could further identify risky activity.


  • The toolkit takes OIG’s leveraging of data analytics to the next level by promoting the use of the toolkit’s analytical framework to identify providers who are billing outside of standards expected by the toolkit’s intended users (Medicare Advantage plan sponsors, private health plans, State Medicaid Fraud Control Units and other federal healthcare agencies). The adoption of the framework could result in further enforcement action against telehealth and other virtual-care providers.
  • Telehealth and other virtual care providers, particularly those who bill Medicare fee-for-service and Medicare Advantage plans, should carefully review the toolkit in conjunction with their own internal compliance policies and procedures and consider incorporating related analyses as part of their compliance monitoring activities. The toolkit may offer opportunities to enhance and supplement existing compliance programs to stay up to date with OIG enforcement priorities.
  • The toolkit can be used as an indication of OIG’s priorities for telehealth billing and program integrity enforcement reviews. Telehealth services and their relationship to program integrity efforts remain an area of focus for OIG.