Skip to main content
All
August 2, 2024

“Can You Hear Me Now?”: DOJ Expands Telehealth Enforcement Efforts

DOJ Unveils First Ever Drug Distribution Charges Against Telehealth Executives and Joins With FTC to Sue Four Telehealth Companies Over Allegedly Unfair and Deceptive Practices

Advisory

The Department of Justice’s (DOJ) focus on telehealth as an enforcement priority is attempting to keep pace with the expansion of telehealth platforms and services during the COVID-19 pandemic, and telehealth enforcement has featured heavily in all of DOJ’s nationwide healthcare enforcement actions since the pandemic’s onset. Telehealth arrangements also were the subject of a 2022 Special Fraud Alert issued by the Department of Health and Human Services’ Office of Inspector General (HHS-OIG), one of DOJ’s principal enforcement partners. While the pandemic has eased, it’s clear that both telehealth — and DOJ’s focus on it — are here to stay.

June 2024 saw a blitz of activity as DOJ and other federal enforcement authorities announced a series of telehealth-related criminal and civil enforcement actions. Most notably, DOJ indicted two executives of online digital health platform Done Global, Inc. and its affiliated company Done Health, P.C. for an alleged US$100 million scheme to unlawfully distribute Adderall and other controlled substances, commit healthcare fraud, and obstruct justice. This indictment was something new: DOJ’s first-ever drug distribution charges related to telehealth prescribing via a digital health company. In addition, DOJ and the Federal Trade Commission announced civil claims against telehealth companies Cerebral, Inc., Zealthy Inc., Gronk Inc., and Bruno Health P.A., and certain of their executives, for allegedly unfair and deceptive privacy, data security, marketing, and billing practices.

Government enforcement authorities aren’t the only ones interested in pursuing lawsuits against telehealth platforms. In a qui tam lawsuit unsealed last fall, a relator is pursuing a False Claims Act (FCA) case against Zocdoc, Inc., a company that allows users to search for and schedule appointments with physicians, for allegedly obtaining payments in violation of the federal Anti-Kickback Statute (AKS).

In this Advisory, we take stock of the government’s telehealth enforcement efforts to date, examine the allegations from these recent cases, and provide some key takeaways about the expanded risks facing companies that operate in the telehealth space.

DOJ’s Previous Telehealth Enforcement Actions

DOJ has made telehealth the centerpiece of major enforcement actions for several years, including before the pandemic. 2019 saw both Operation Brace Yourself and Operation Double Helix, in which DOJ charged more than 50 individuals with telehealth schemes involving unnecessary durable medical equipment (DME) and genetic testing, respectively. These alleged schemes targeted elderly and disabled individuals to entice them into agreeing to unnecessary DME or genetic tests. Among those charged were individuals associated with telemedicine companies, DME companies, genetic testing laboratories, and medical professionals. The charges featured DOJ’s two primary criminal healthcare-related enforcement tools: the healthcare fraud statute, 18 U.S.C. § 1347, and the AKS, 42 U.S.C. § 1320a-7b(b).

As we explained at the start of the pandemic, COVID-19 brought with it a rapid expansion and increased use of telehealth services with reduced regulatory requirements. Medicare expanded telehealth coverage to include a wider range of locations, care settings, and services and paused audits of compliance with prior patient-provider relationship requirements. The Drug Enforcement Administration (DEA) also permitted telehealth flexibilities for controlled substance prescriptions. While telehealth use is lower than it was in the early days of the pandemic, telehealth remains a popular option for receiving care.

These loosened restrictions coincided with significant telehealth sweeps by DOJ, as we detailed in our July 2022 Advisory. National enforcement actions in 2020, 2021, 2022, and 2023 led to criminal charges against more than 175 individuals, alleging over US$8 billion in fraud. The charges included allegations regarding:

  • Telemedicine executives paying medical professionals to order unnecessary DME, genetic and other diagnostic testing, and pain medications, either without any patient interaction or with only a brief telephonic conversation with patients they had never met or seen
  • Laboratories, pharmacies, and DME companies paying kickbacks and bribes to telemedicine companies to induce orders for unnecessary testing, medications, and DME, and then submitting fraudulent claims to federal payors
  • Laboratory owners and operators paying kickbacks and bribes to medical professionals working with fraudulent telemedicine and digital medical technology companies in exchange for patient referrals for expensive and medically unnecessary cardiovascular and cancer genetic tests
  • Software company executives allegedly using their internet-based platform to facilitate the payment of kickbacks and bribes by pharmacies, DME suppliers, and marketers to telemedicine companies in exchange for fraudulent orders for DME, skin creams, and other medically unnecessary items, with the software company allegedly receiving kickbacks in exchange for the orders from the pharmacies, DME suppliers, and marketers

The charged schemes shared certain features: accusations that telehealth platforms or other facilitators entered kickback arrangements with DME providers, testing labs, or pharmacies; unsolicited outreach to prospective patients and efforts to persuade them to accept services and disclose their insurance information; and payments to physicians to write unnecessary prescriptions related to sham telehealth encounters. These criminal allegations fit neatly within HHS-OIG’s Special Fraud Alert on telehealth arrangements between telemedicine companies and healthcare professionals, which highlighted certain characteristics that present (in its view) a heightened risk of fraud and abuse, including:

  • Medical practitioners prescribing items or services for patients who were identified or recruited by telemedicine companies
  • Medical practitioners compensated based on the number of prescriptions written, or in some other manner that might create incentives to order unnecessary items or services
  • Limited patient relationships, such as insufficient contact with the patient or failure to meaningfully examine them, as well as no expectations on following up with patients
  • Irregular medical practices, such as limited offerings of products or restrictions on treatment options

DOJ’s 2024 Telehealth Enforcement Actions

The Done Global Criminal Charges

On June 13, 2024, DOJ unveiled a seven-count indictment charging Ruthia He, Done Global’s founder and CEO, and David Brody, Done Health’s clinical president and a psychiatrist, for violating the Controlled Substances Act (CSA) by improperly distributing Adderall and other stimulants; for conspiring to violate the CSA and commit healthcare fraud; and for obstruction of justice. The charges were brought by the Health Care Fraud Unit of the DOJ Criminal Division’s Fraud Section and the U.S. Attorney’s Office for the Northern District of California, and the matter is pending in that district. Multiple agencies were credited with conducting the investigation, including DEA, HHS-OIG, the Internal Revenue Service, and Homeland Security Investigations. In announcing the charges, DEA Administrator Anne Milgram asserted that the defendants allegedly facilitated easy access to “highly addictive” medications that also “exacerbate[d]” a nationwide shortage of prescription stimulants.

The indictment alleges that He, Brody, and others conspired to use Done Global’s telehealth platform to distribute Adderall and other stimulants that were not for a legitimate medical purpose. In exchange, patients allegedly paid a monthly subscription fee to Done Global. These operations were massive, allegedly causing the dispensing of over 40 million pills of Adderall and other stimulants and earning over US$100 million in revenue.

To effect the conspiracy, through Done Global, He and Brody are accused to have done the following things, among others:

  • Allegedly spent “tens of millions” on “deceptive social media advertisements” that intentionally “target[ed] drug-seeking patients” and broadcast easy access to Adderall prescriptions in exchange for Done Global’s monthly fee
  • Allegedly made false statements and material omissions about Done Global’s ability to accurately diagnose ADHD in shorter appointment times than other clinics, when Done Global had no mechanism to screen out those unlikely to have ADHD
  • Allegedly falsely represented that Done Global had a range of medical treatment options besides prescriptions for Adderall and other stimulants
  • Allegedly hired prescribers whom they “believed were not overly concerned about drug-seeking patients” and whom they did not expect to resist prescribing Adderall to patients during a first-time telehealth meeting
  • Allegedly “pressured” and made “lucrative payments” to Done Global prescribers to cause them to write unnecessary prescriptions
  • Allegedly established initial telehealth encounter policies that limited information available to Done Global prescribers; instructed them to write prescriptions even if the Done Global member did not qualify; and ordered that initial patient encounters could last no longer than 30 minutes
  • Allegedly paid prescribers based on the number of patients seen per month, while refusing to pay for and discouraging follow-up patient consultations, including issuing policies that did not require follow-up consultations and providing for “auto refills” of ADHD medications at the member’s request
  • Allegedly enacted a policy that “transferred” members to prescribers who would issue a “bridge prescription” without an in-person examination or tele-consultation at all
  • Allegedly caused Done Global prescribers to write prescriptions for members who were in states where the prescribers were not authorized to write controlled substance prescriptions

These practices allegedly resulted in Done Global-affiliated medical professionals prescribing stimulants for “members with whom they lacked a pre-existing practitioner-patient relationship, without an examination, sometimes based solely on a short video or audio communication and limited patient intake documents, or without video or audio communications at all.” According to the indictment, the effect was that Brody and other Done Global prescribers allegedly wrote Adderall prescriptions regardless of whether the member met the criteria for an ADHD diagnosis or posed a risk of diversion. And because of Done Global’s alleged compensation system, DOJ asserted that Done Global’s prescribers obtained “lucrative pay for minimal work,” sometimes supposedly worth hundreds of thousands of dollars annually.

In addition to the CSA charges, the allegations above form the basis of charges that He and Brody conspired to commit healthcare fraud by causing the pharmacies to dispense — and Medicare, Medicaid, and commercial insurers to pay for — the supposedly unnecessary Adderall prescriptions. DOJ asserts that these were fraudulent claims that led insurers to pay out over US$14 million. Notably, notwithstanding the indictment’s allegations about how Done Global paid its prescribers, DOJ did not charge violations of the AKS. Additionally, DOJ charged He and Brody with conspiring to obstruct justice by allegedly altering, destroying, and concealing records both before Done Global received a subpoena and afterward.

The June 27, 2024 National Health Care Enforcement Action

On June 27, 2024, DOJ announced its most recent National Health Care Enforcement Action. Telehealth again was a cornerstone of the government’s announcement, including charges against 36 defendants who allegedly submitted over US$1.1 billion in fraudulent claims to Medicare, including from genetic testing schemes similar to those alleged in DOJ’s earlier enforcement actions.

As part of this national takedown, DOJ announced additional CSA charges against other Done Global personnel, including Done Global’s executive leader for operations and strategy, as well as four healthcare providers. Among those charged was a nurse practitioner who allegedly prescribed over 1.5 million pills of Adderall and other stimulants and earned over $800,000. According to the indictment, this practitioner allegedly approved prescriptions for some patients without any medical review and then continued to write prescriptions based on auto-generated renewal requests.

Notably, in his press conference remarks announcing these charges as part of the national takedown, Attorney General Garland made the rare acknowledgement of how DOJ began its investigation. According to the Attorney General, “[u]tilizing proactive data analytics, [DOJ] identified misuse of telemedicine as a possible source of an increase in prescriptions for stimulants” which led them to work “with law enforcement officers to identify potential schemes,” ultimately leading to Done Global. Although DOJ infrequently describes its investigative methods, the Attorney General’s crediting data analytics fits with DOJ’s years-long emphasis on its use of data to support its investigations, particularly in the healthcare space. Indeed, the Attorney General included the use of data analytics as one of four fundamental principles of DOJ’s healthcare enforcement efforts, along with protecting patients, defending taxpayer-funded programs, and ensuring accountability for alleged offenders by prosecuting them and seizing assets.

The DOJ and FTC Civil Complaints Against Telehealth Companies

On June 10, 2024, DOJ also flexed its civil enforcement authority by teaming up with the Federal Trade Commission (FTC) to bring claims against four telehealth companies and some of their executives for allegedly unfair and deceptive conduct. Using their authority under the Federal Trade Commission Act, the Opioid Addiction Recovery Fraud Prevention Act of 2018, and the Restore Online Shoppers’ Confidence Act (ROSCA), DOJ and FTC filed an amended complaint seeking injunctive relief, damages, and penalties against Cerebral and two of its executives, as well as Zealthy, Gronk, Bruno Health, and various executives of those companies. Along with the filing of the amended complaint, the government announced that it had settled its claims against Cerebral. The settlement does not require Cerebral to admit or deny any allegations, but does require Cerebral to cease its alleged misuse and improper disclosure of patients’ information; cease its alleged misrepresentation of its data privacy, data security, and cancellation practices; and pay US$5 million in customer redress and a US$10 million civil penalty (reduced to US$2 million based on Cerebral’s limited ability to pay).

The civil violations alleged against the above telehealth companies generally fall into the following categories:

  • Concealed tracking of customers: According to the amended complaint, Cerebral and its founder and former CEO allegedly told customers that Cerebral’s services were confidential, while secretly tracking them and providing their information to third parties for targeted advertisements and other commercial purposes. Zealthy, which Cerebral’s founder created after leaving Cerebral, is alleged to have similarly tracked, collected, and disclosed customer data without the fully-informed consent of its users.
  • Failing to protect customers’ personal health information (PHI): Cerebral allegedly failed to safeguard customers’ PHI from unauthorized disclosure from chronic data breaches, despite claiming that Cerebral’s platform was “secure.”
  • Posting false online reviews: Cerebral allegedly caused its employees to falsely impersonate patients by posting fake positive reviews online and suppressing negative reviews.
  • Failing to disclose material terms to customers: Cerebral, Zealthy, and Bruno Health each allegedly failed to clearly disclose material terms to customers before obtaining their billing information. Cerebral allegedly failed to disclose important terms related to data privacy, data security, and cancellation before charging customers. It also allegedly failed to provide a simple mechanism to prevent recurring charges and collected millions from recurring charges even after the customer asked to cancel. Zealthy and Bruno Health allegedly failed to disclose to their users what they would be charged, how they could cancel and obtain refunds, or how their data would be used.

The Zocdoc FCA Qui Tam Litigation

Telehealth companies may also face civil investigations and lawsuits under the False Claims Act. In February 2022, a relator filed a then-sealed qui tam complaint against Zocdoc, Inc., an online digital health platform that uses a proprietary algorithm to help patients search for and schedule appointments with medical providers. The relator is a primary care physician who allegedly enrolled with Zocdoc in 2014 so he could be listed on the platform and accept patient appointments through it. DOJ declined to intervene, the case was unsealed, and the relator filed a second amended complaint in November 2023.

The amended complaint alleges that Zocdoc charges at least two fees to providers: a general subscription fee and a discrete “booking fee” for each new patient who makes an appointment. The relator characterizes Zocdoc’s alleged solicitation and receipt of a booking fee for each new patient as a referral fee and kickback that violates the AKS. He also alleges that the booking fee is actually a “success fee” meant to illegally reward Zocdoc for:

  • Allegedly referring beneficiaries of federal healthcare programs to medical providers who pay booking fees
  • Allegedly steering new patients to providers who pay booking fees by misleading new patients about non-paying providers’ appointment availability
  • Allegedly manipulating search results to prioritize and recommend providers who pay booking fees, while filtering out providers who are unwilling (or unable) to pay such fees and/or who have reached their monthly allocated budget for such fees

Zocdoc allegedly advised the relator that its original flat-fee model was designed to avoid AKS issues, but it later moved him and other physicians to a booking-fee model. The relator also alleges that the booking fee was not calculated based on fair market value, but rather was a floating rate based on the estimated annual reimbursement value of the referral for that provider’s medical specialty. Zocdoc also allegedly concealed the truth about its business model from the public, supposedly misrepresenting its algorithm and search engine model. Notably, in July 2023, just before the relator filed his amended complaint, HHS-OIG issued a favorable advisory opinion regarding Zocdoc’s fee arrangements, finding that they were sufficiently low risk under the AKS.

Zocdoc has moved to dismiss the amended complaint. The court’s decision is still pending.

Takeaways

These recent telehealth enforcement developments show that the government and private whistleblowers are focused on increasingly sophisticated and established telehealth and digital health platforms. Companies operating or contracting with such platforms should consider the following lessons in light of these enforcement trends:

  • DOJ’s telehealth playbook is expansive: Prior telehealth enforcement prosecutions generally featured charges of healthcare fraud or AKS violations related to schemes involving unnecessary durable medical equipment, compounded medications, and diagnostic and genetic testing. By bringing CSA charges in the Done Global cases, DOJ is broadening its telehealth enforcement playbook and demonstrating to companies in this space that they are continuing to eye these arrangements very carefully.
  • Additional scrutiny for controlled substances: It is significant that the first criminal indictment is one focused on Adderall, a controlled substance with arguably addictive qualities. Telehealth platforms that allow for the prescription of such substances will likely receive higher scrutiny.
  • Provider compensation: Notwithstanding the lack of AKS charges, the Done Global indictment reflects DOJ’s view that paying telehealth providers in a manner that accounts for the volume of referrals and/or creates disincentives for patient follow-up is potentially problematic and poses an increased risk of fraud. Compensation arrangements should be carefully reviewed so that they do not undermine independent medical decision-making.
  • Bona fide patient/provider interactions: The government is concerned about telehealth arrangements or policies that potentially undermine genuine patient/provider interactions. Potential red flags include the lack of a prior in-person relationship; no audio and/or visual observation opportunity; time limits on visits; disincentives for patient follow-ups; and the provision of limited patient medical information to telehealth prescribers.
  • Advertisements are subject to scrutiny: Done Global’s alleged use of misleading advertisements that targeted individuals seeking to obtain Adderall and other stimulants was included as part of the drug distribution conspiracy charge. Companies are well served by evaluating telehealth advertisements carefully to ensure that they are truthful, not misleading, and do not suggest access to medical items without appropriate evaluation by a healthcare provider.
  • Data analytics remains an important tool for identifying targets: DOJ does not often describe how it began a case, but in Done Global, the Attorney General credited data analytics. This serves as an important reminder that a company should review, analyze, and understand the trends and potential concerns reflected in its own data, and in the data available from third-parties with whom it engages, as an essential component of its compliance program.
  • Protecting customer data: In line with DOJ’s Civil Cyber-Fraud Initiative, covered extensively by our colleagues on Arnold & Porter’s Qui Notes blog, the DOJ and FTC claims against Cerebral and the other telehealth companies demonstrate how the government is seeking to address companies that allegedly fail to protect their consumers’ information.
  • Disclosing material terms to customers: DOJ and FTC found certain billing practices by these telehealth companies to be problematic, particularly the inability to cancel services. Companies should carefully evaluate their intake and billing practices to ensure compliance with the FTC Act and ROSCA.

The authors are members of Arnold & Porter’s White Collar Defense & Investigations group and Life Sciences & Healthcare Regulatory group, which collectively have decades of experience in handling criminal and civil healthcare-related enforcement actions on both the government and defense sides. Please reach out to them about these cases or healthcare-related enforcement matters generally.

*Meghna Melkote contributed to this Advisory. Ms. Melkote is a summer associate in the firm’s Washington, D.C. office and will graduate in 2025 from Duke Law School. She is not admitted to the practice of law.

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.