Telehealth has changed healthcare, and with change comes new fraud risks. Telehealth fraud has been an increasing focus of federal regulators, and current regulatory trends show this is unlikely to slow down any time soon. To keep your practice safe, it's important to know the common telehealth fraud red flags that regulators look for when evaluating telehealth practices. This article provides a telehealth compliance checklist of 10 common red flags, how to spot them, and solutions for preventing and mitigating these risks in your practice.

1. Overlapping Appointments for Multiple Patients

What it is: Scheduling or billing for telehealth visits that occur at the same time (i.e. one provider treating two patients for appointments at 10:00 AM on the same date). In telehealth, providers may see patients in back to back appointments, which creates the possibility of small overlaps in appointment times. But billing for multiple visits at the same scheduled time is a big warning sign that at least one of the appointments never took place, or failed to meet the standard of care required for a valid, reimbursable service.

Why it’s a concern: It's physically impossible for one provider to give full attention to more than one patient at once. If claims for these overlapping visits go to Medicare/Medicaid, it could be a False Claims Act (FCA) violation. Regulators have providers liable under the FCA for scheduling appointments that never occurred. For example, one provider was found liable under the FCA for  scheduling and subsequently billing for telehealth visits for dates where the provider was out of the country. Similarly, in 2024, a U.S. academic health center paid nearly $50,000 to settle allegations relating to false claims billed to Medicare for services that were allegedly provided when the listed provider was on leave.

How to prevent it: Monitor your providers’ schedules closely to ensure patients aren’t double-booked for the same appointment time. Consider utilizing scheduling systems that flag  overlapping appointments to ensure providers aren’t booked for two visits at once. Alternatively, train your billing team to regularly check claims against the calendar to ensure each time slot is for one patient.

As always, in addition to ensuring the correct date and time are entered, billing for the appropriate service type is essential. Group sessions should be billed as group sessions, not individual visits, to prevent accusations of overlapping patient visits.  By keeping your scheduling tight, you can make sure each claim is for a real, attended telehealth service.

2. Using Non-Compliant Billing Codes for Virtual Services

What it is: Billing for telehealth with the wrong codes. This mistake happens when practices treat virtual visits like in-person appointments by using incorrect CPT codes or failing to add special telehealth modifiers.

Why it’s a concern: Both Medicare and private payors have strict rules for telehealth codes, and using the incorrect codes can lead to denied claims, overpayments, or audits. Where coding errors result in improper payments from payors, too many improper payments may trigger a fraud, waste, and abuse audit, which may lead to investigative referrals to federal regulators. Intentionally misusing CPT codes to obtain higher reimbursement rates, or “upcoding,” can also violate the False Claims Act, exposing practices to civil and even criminal penalties.

How to prevent it: Stay up to date on telehealth coding rules. Ensure your billing team receives training on the approved CPT codes and how to appropriately use each in billing claims, providing continuing education as codes are updated. Additionally, consider conducting regular audits of your practice’s billing and coding department to identify and address compliance risks early.

3. Partnerships with Non-Licensed Telehealth Marketers

What it is: Agreements with third-party marketers, or so-called “telemedicine companies,” that promise to recruit patients or facilitate telehealth services for your practice. These might be lead generation firms, call centers, or DME suppliers posing as telehealth coordinators. Often, these companies propose arrangements where providers are paid per consultation or per prescription order written.

Why it’s a concern: These arrangements are hotbeds for kickbacks and fraud schemes. Under the Anti-Kickback Statute (AKS), providers can face substantial civil and criminal penalties for participating in any arrangement that results in monetary “kickbacks” to the provider, which includes paying for referrals. Many telehealth fraud schemes involve marketing middlemen illegally exchanging money for patient leads or orders. In 2022, the HHS OIG issued a Special Fraud Alert after “dozens of civil and criminal investigations” revealed companies claiming to offer telehealth services were actually paying bribes to providers and generating medically unnecessary orders.

In these schemes, unlicensed telemarketers cold-call patients, solicit interest in a particular medical service (like durable medical equipment or genetic tests), then refer them to telehealth providers who are paid to approve the orders. For example, a national takedown in 2022 charged 36 defendants in a $1.2 billion telehealth fraud – including telemedicine executives, lab owners, DME companies, and marketing groups – for bribing doctors to sign off on unnecessary tests and devices for patients they never properly examined. These arrangements violate the AKS and result in false claims, and OIG warns practitioners to be extremely cautious with any telehealth contract that has “suspect characteristics” like payment per volume of orders or patients recruited by a marketing firm.

How to prevent it: Be sure to vet your telehealth partners carefully. If you are contacted by a third party company proposing a partnership, carefully review the proposal with your compliance officer to ensure the partnership is compliant with all applicable laws. In particular, ask clarifying questions to discern who the patients are, where they are located, and how they are contacted and referred to your practice for care. Any arrangement that involves the payment of fees based on referrals or orders bears significant legal risk, and should be approached with extreme caution.

Avoid deals where your practice is limited to one product or paid per consultation. For practices eager to form partnerships with other telehealth companies, it’s best to stick to legitimate telehealth networks and insist on full transparency throughout the course of the partnership.

Finally, as with any business relationship, be sure to do your homework on prospective partners. Before entering into any engagement with another company, be sure to conduct thorough background checks and require indemnification.

Approached by a telehealth company for a partnership, but unsure of whether to proceed? Our attorneys are experienced healthcare compliance professionals who can help you navigate any partnership and ensure your practice steers clear of risky referral relationships.

4. Inconsistent Patient Documentation in Telehealth Sessions

What it is: Incomplete or missing documentation of telehealth visits. Documentation that uses generic, boilerplate encounter notes, omits evidence of the patient’s informed consent, or fails to  clinical findings that support the services billed can result in denied claims and payor audits.

Why it’s a concern: If it isn’t documented, it didn’t happen. Payors need medical records to support billed services. In telehealth, specific details are key. Missing or cloned documentation can lead to claims being deemed unallowable.

A 2020 OIG audit of Medicare fee-for-service telehealth claims in South Carolina found that a staggering 96% of telemedicine claims were not documented properly. Inadequate records raise concerns about upcoding or billing for services not rendered. They also violate Medicare’s billing rules and can lead to FCA liability.

From a patient safety angle, inconsistent documentation can indicate substandard care. Copy-pasting notes without personalizing them could mean the provider isn't assessing each patient individually.

How to prevent it: Treat telehealth documentation like an in-person visit – with a few extra steps. Use a telehealth-specific documentation template to ensure you capture all required elements, including the patient’s location and the type of call (video or phone). Providers should also be sure to obtain the patient’s consent to conduct a telehealth visit and always verify the patient’s identity at the start of each appointment.

Document all clinical information thoroughly. This includes the patient’s history, assessments, and any virtual exam limitations. If you're prescribing or ordering tests, clearly state the reason. Using standardized templates and training providers helps create consistent records and makes you audit-ready.

Regularly auditing telehealth charts helps to ensure that the encounter documentation supports the claims made. Good documentation protects your practice against fraud allegations and helps promote continuity in patient care.

5. Excessive Use of Audio-Only Appointments Without Justification

What it is: Relying too much on telephone-only telehealth visits without a good reason. For example, a practice might use audio calls for most visits, even when video is available. Or, they might bill a lot of phone consultations for patients who could see a doctor in person or via video.

Why it’s a concern: Audio-only telehealth is okay for some patients, like those with tech issues. But, billing mostly for audio-only services can raise red flags for fraud or quality issues. Medicare prefers video for telehealth and only covers audio-only visits in certain cases, like mental health services with patient consent.

If a provider always uses audio-only without a good reason, payers might think they are “gaming” the system by conducting visits through brief phone calls or cold-calling patients for unnecessary services. During the pandemic, regulators allowed phone visits, but warned of fraud. In one case, a health system was accused of billing non-compliant phone calls as video visits physicianspractice.com. These practices violate Medicare rules and can lead to repayment demands or penalties.

How to prevent it: Use audio-only appropriately – and document why. Always prioritize video telehealth when you can. If video isn't possible, document the reason and get the patient's consent for a phone call. Use the right billing codes for audio-only services, not video visit codes.

Watch your audio-only usage. If one provider or service uses a lot of phone calls, check if patients face tech barriers. Stay up to date on payor requirements to ensure your billing policies and procedures align. Audio-only services should only be used where the modality is appropriate for the patient and follows all appliable Medicare requirements.

6. Billing for Services Without Clear Patient Consent

What it is: Not getting the patient’s informed consent for telehealth services. This includes not telling the patient they'll be billed or explaining telehealth's nature. It also means not following state rules for consent.

In some cases, patients didn't know they were being seen by a telehealth provider. For example, a doctor might sign an order after a brief call from a marketer, surprising the patient with a bill later.

Why it’s a concern: Patient consent is a non-negotiable. Every U.S. state requires some form of informed consent for telehealth, whether written or verbal, to ensure patients understand the scope and limitations of telehealth visits before any care is rendered. Without consent, providers might break state law, facing penalties or sanctions.

Not getting consent can also lead to disputes and complaints. A patient might refuse to pay, report fraud, or say they didn't authorize the service. Without consent, services billed to Medicare or Medicaid might not meet program rules, giving rise to false claims.

How to prevent it: Implement a clear telehealth consent process. Before the first telehealth appointment, explain the process to the patient. Get their consent, either verbally or in writing, as required by your state. Keep a record of this consent in the patient's file.

Use updated consent forms that include details about telehealth. This includes the scope and limitations of virtual care and the technology used and important security considerations.

Finally, be sure to verify the patient’s location and identity at the start of each session. This ensures you comply with legal requirements and builds patient trust.

7. Offering Telehealth Services Across State Lines Without Proper Licensing

What it is: Providing telehealth to a patient in a state where you are not licensed or authorized to practice. For example, a New York doctor treats a Florida patient without a Florida license. Offering telehealth services across state lines has become more complicated following the COVID-19 pandemic, with a dizzying landscape of licensure laws that providers must navigate.

Why it’s a concern: State licensure laws make it illegal to practice medicine without a license. This can lead to fines or even criminal charges. Billing Medicare or Medicaid for services in a state without a license is considered an improper claim.

Many states now require out-of-state telehealth providers to have a full license or a special telehealth registration. Not following these rules can result in license suspension or hefty fines.

Regulators are closely watching cross-state telehealth, especially after the Public Health Emergency ended. The flexibility that allowed doctors to render telehealth across state lines is ending by late 2025 for Medicare. Providers must now be careful to follow each state’s requirements before providing care to an out-of-state patient.

How to prevent it: Know where your patient is – and have a license there. At the start of every telehealth visit, confirm the patient’s current physical location, and be sure to document it in your encounter notes. Make sure you are licensed in that state or that an exception applies. This could be a state-specific telehealth registration, an emergency public health exception, or a licensing compact.

To manage this, consider creating a state-by-state telehealth licensing checklist for your practice. If you often see patients in different states, consider joining the Interstate Medical Licensure Compact, which can help you get licenses for multiple states more easily. Some states also have special licenses for telehealth, so be sure to check the rules for any state where you  regularly see patients.

It’s also smart to track the status of emergency waivers and when they expire. Medicare’s waiver of geographic and site restrictions is extended through September 30, 2025. But remember, this is separate from state licensing, which is local.

In summary, add licensure checks to your telehealth workflow. Your intake form or staff should ask “What state will you be in during the visit?” Do not proceed if you aren’t authorized in that state. Taking these steps will help you follow state laws and avoid compliance issues.

8. Overuse of High-Reimbursement Services for Every Patient

What it is: Billing the most expensive or high-intensity telehealth services for all (or most) patients, even if they don’t need them. This includes always using the longest evaluation and management code for every visit, or ordering expensive tests and equipment for every patient. Any practices that could indicate a provider is using telehealth for profit, and not for the patient’s benefit, is a red flag to regulators.

Why it’s a concern: Patterns of unnecessary or upcoded services is a classic example of a red flag for fraud. Payers look closely at how services are used and expect variation based on patient needs. If every telehealth visit is billed at the highest level or every patient gets the same test, it suggests that the provider is upcoding or billing for unnecessary services.

The HHS OIG has flagged “billing telehealth services at the highest, most expensive level, every time” as a sign of fraud. Some providers might use telehealth to inflate bills by 2-8x through upcoding, knowing it’s harder to verify virtually. There’s also telehealth-specific abuse, like providers using telemarketing to sign orders for pricey items without need, seen in DOJ prosecutions.

Consistently maxing out billing or doing high-cost treatments for all patients will draw scrutiny. It risks overpayment recoupments and patient harm. Unnecessary tests or equipment can create bills and risks for patients.

How to prevent it: Always practice evidence-based, individualized care, and audit your billing patterns. Make sure the level of service or add-on orders for each telehealth visit is supported by medical necessity and documentation. Use different billing levels based on the encounter’s complexity.

Implement an internal utilization review: run reports on your telehealth billing to check if you’re an outlier. If 95% of your telehealth E/M visits utilize the same high-reimbursing codes, that’s a problem. Regularly provide training on proper coding criteria to ensure that all employees know how to code services appropriately.

If every patient ends up with the same expensive prescription or referral, determine whether these prescriptions or referrals were appropriate. Look out for implicit biases or financial incentives. Medicare watches for signs like “high average hours per visit” or “high number of patients per provider” as fraud signals. Create flags in EHRs to warn clinicians if they select the highest code too often.

The key is to always put patient needs before profit. Focus on providing necessary care efficiently. Remind staff that extreme consistency in coding triggers audits. Remember: quality over quantity. Sustainable telehealth means delivering appropriate care, not chasing every dollar at the expense of compliance.

9. Failing to Update Policies with Regulatory Changes

‍

What it is: Continuing to use outdated telehealth practices or policies even after laws change. This could mean failing to adapt once temporary COVID-19 waivers expire, not updating your HIPAA/privacy practices when enforcement discretion periods end, or failing to update your compliance manuals to align with new rules (such as billing rules in the latest Medicare Physician Fee Schedule). Essentially, the organization’s “telehealth playbook” is frozen in last year (or 2020) and does not reflect current requirements.

Why it’s a concern: Telehealth rules are continuously changing. What was permissible last year might not be today. If you don't update your rules, you could break them without knowing it.

For example, during the Public Health Emergency, using certain applications to conduct telehealth visits was permitted. But after it ended, providers were expected to use HIPAA-compliant telehealth platforms again. If you didn't switch, you might still be using unsafe methods, putting patient data at risk and potentially violating HIPAA requirements.

Medicare billing rules also change. Congress extended some telehealth rules until September 2025. But some services have specific deadlines. If you don't update your billing, you might charge for services that aren't covered anymore.

Not knowing the rules is not an excuse in audits, and failure to keep policies up to date can lead to fines or penalties. Equally important is ensuring that staff are trained on new rules. Regulators expect you to stay up to date, and failure to do so can be costly.

Experts say you must regularly check and update your policies to keep up with laws and risks. If you don't, it shows you're not serious about following the rules.

How to prevent it: Make “continuous improvement” a mantra in your telehealth program. Assign someone (e.g. a compliance officer or telehealth coordinator) to track regulatory changes at both federal and state levels. This includes Medicare updates (CMS releases an update annually and mid-year), state telehealth laws (licensure, consent, etc.), and even payer policy bulletins for private insurers. Schedule a policy review at least annually (and after any major law change) to update your telehealth protocols.

When evaluating your policies for compliance, be sure to review your practice’s HIPAA/privacy policies (ensure your telehealth technology meets current security standards), coding/billing procedures (add new codes and remove expired ones each year), patient consent procedures, and provider licensure tracking. Train your team as soon as possible whenever there’s a change to ensure your staff stays abreast of new requirements and understands how to carry out their roles in a compliant manner.

It’s also helpful to maintain a telehealth compliance checklist that you update frequently so you can quickly audit whether you’re following the latest rules. By staying proactive, you will not only avoid regulatory pitfalls but also position your telehealth services to continue thriving as new rules arise.

10. No Internal Audit or Compliance Program for Telehealth

What it is: Not having a compliance program for telehealth means no checks on claims. There's no one responsible for ensuring telehealth is done right, and there's no training on how to avoid risks in telehealth.

Why it’s a concern: In healthcare, a good compliance program is essential to stopping fraud before it happens. Telehealth is only continuing to grow, and it needs to be part of your compliance efforts. Without checks, errors might not be caught until regulators come knocking. This could lead to big fines.

OIG officials stress the need for self-auditing and oversight in telehealth. In the first pandemic year, over 1,700 providers were found to have billing issues. OIG suggested watching telehealth claims closely. Not checking telehealth means problems might not be found. Also, not having a compliance program can make a provider seem recklessly indifferent to fraud, which could create significant reputational harm to your practice.

Failing to audit telehealth claims can lead to mistakes and overpayments. But providers that invest in compliance can catch problems early, allowing practices to avoid the headache of fraud investigations. Not having a telehealth compliance program in place is like flying without a map in a storm.

How to prevent it: Build telehealth into your compliance plan now. Start by creating written policies and procedures for telehealth. This includes checking location and licensure, coding, and documentation for virtual visits.

Designate a compliance officer or team for telehealth. They should oversee it or add it to the existing compliance committee’s agenda. Perform regular internal audits of telehealth services. Review a sample of telehealth claims every quarter for proper coding and documentation.

Use the OIG’s Telehealth Toolkit and data measures to assess your risk. Provide telehealth-specific training to providers and billing staff. General compliance training may not cover new telehealth pitfalls, so be sure to tailor your trainings based on your audit findings, being sure to emphasize your practice’s specific risk areas.

By following these steps, you can catch mistakes early and show a good faith effort at maintaining compliance with federal, state, and payor requirements. Regulators are more lenient with organizations that have an active compliance program. By treating telehealth with the same rigor as the rest of your practice and integrating continuous oversight to improve your practice,  you can prevent fraud and foster a culture of safety and quality in your telehealth services.

Conclusion: Proactive Compliance – The Key to Sustainable Telehealth

Telehealth is here to stay, and so is regulatory scrutiny. The good news is that by following a solid telehealth compliance checklist, providers can protect their practice. The key is proactive compliance: identify risk areas, implement controls, and address issues before they become fraud investigations. This approach isn’t just about avoiding penalties – it’s about building a sustainable, ethical telehealth practice that can thrive in the long run.

Providers who invest in compliance measures find it pays dividends. It builds patient trust, improves operations, and brings peace of mind.

In today's world, staying ahead in telehealth means focusing on compliance. Fraud prevention in telehealth is a continuous effort. It's about doing things right every day.

Watch out for red flags like those mentioned. Act quickly to fix any issues. This keeps your organization safe and helps telehealth grow.

Don’t wait for an audit or subpoena to tighten up your practices – start today by reviewing your telehealth program against these red flags. Fix what needs fixing, teach your team, and talk openly about following the rules. This way, you avoid costly mistakes and keep your services reliable and compliant for patients.

The future of telehealth belongs to providers who prioritize compliance and integrity – lead that future by taking action now.

‍