Printable versionSend by emailPDF version
June 3, 2021

Minimizing the likelihood and impact of enforcement actions for healthcare providers who utilized CMS and HHS rule waivers and flexibilities during the COVID-19 pandemic.

On March 26, 2021, the United States Department of Justice (DOJ) announced a historic number of civil and criminal enforcement actions aimed at rooting out COVID-19 fraud in the Paycheck Protection Program (PPP), the Economic Injury Disaster Loan (EIDL) program and Unemployment Insurance (UI) programs. Thus far, 474 individuals have been charged in 56 federal district courts with criminal offenses, based on fraud schemes connected to the pandemic. These cases involve fraudulent attempts to obtain more than $569 million from the U.S. government and unsuspecting American businesses, workers and consumers. On May 26, 2021, DOJ announced another coordinated national law enforcement action also aimed at COVID-related fraud schemes, this time with a particular focus on healthcare fraud in the laboratory and telemedicine areas.

To accomplish this, federal healthcare enforcement officials have also been vigorously using both traditional and cutting-edge analytic tools to closely monitor healthcare provider behavior in the COVID-19 era. Much of that work is undoubtedly focused on certain COVID-related accommodations provided in response to the pandemic.

On January 31, 2020, in order to help healthcare organizations navigate care provision changes necessitated by “stay at home” and other public health intervention measures, the U.S. Department of Health and Human Services (HHS)/Centers for Medicare & Medicaid Services (CMS) began implementing more than 400 waivers, flexibilities and rule changes related to Medicare and Medicaid program requirements. Federal rules related to Medicare conditions of participation, licensing requirements and sanctions related to physician referrals, among others, were waived during the HHS declared Public Health Emergency (PHE). Additionally, hundreds of “flexibilities” in the form of CMS and HHS rule re-interpretation and enforcement discretion were also issued. Rule changes and program instructions also provided additional reimbursement for certain COVID-related tasks. These accommodations were designed to achieve two important goals – protect access to care for millions of program beneficiaries and minimize the spread of COVID-19. CMS has already begun to rescind some waivers because they were deemed to be too risky or were no longer needed. Others will remain in place until either the HHS Secretary terminates those waivers or the PHE ends. On April 21, 2021, HHS Secretary Xavier Becerra renewed the COVID-19 PHE through July 20, 2021. 

While the immediate aim of the waivers was met – providing uninterrupted patient care during the pandemic – HHS/CMS officials are concerned that these waivers and flexibilities may also present serious, unintended program integrity and fraud risk. HHS and CMS officials know from experience that unscrupulous providers and their affiliates are adept at identifying and exploiting program weaknesses created by accommodations like the COVID-era rule waivers. To meet that threat, from the outset government program integrity and enforcement personnel have conducted real-time, waiver-by-waiver and flexibility-by-flexibility monitoring and analysis in high-risk, high-dollar areas.

The impact of those efforts to fight COVID-era healthcare fraud is starting to emerge. Providers and payers across all payment systems are likely to see much more enforcement in the next two to three years as coordination and collaboration between CMS, DOJ, FBI and Office of Inspector General (OIG) ramps up to historic levels. The past two years have already seen historic enforcement actions by these agencies. Massive national healthcare fraud takedowns like Operation Brace Yourself (DME), Operation Double Helix (lab fraud, especially genetic testing) as well as multiple opioid-related administrative, civil and criminal enforcement actions have produced record numbers of charged defendants, convictions and dollars recovered. These include Civil Monetary Penalties, civil fraud judgments and settlements, and criminal judgments and restitution orders. While primarily targeted at bad actors, all healthcare providers will feel the effects of this ramped-up enforcement activity for years to come. It is critically important for providers and payers across federal programs to understand which programs, products and service lines are in the enforcement crosshairs right now, where enforcement investigative resources are focused and how they can move meaningfully and proactively to minimize or eliminate organizational risk.

Most Likely Focus Areas for Enforcement Activity

There are six categories that federal enforcement officials will likely focus on, where the greatest levels of program vulnerability exist: durable medical equipment (DME), skilled nursing facilities (SNFs), laboratories, inpatient hospitals, telehealth services and home health. Within these areas, waivers, flexibilities and rule changes are likely viewed as posing the greatest potential threat to the federal treasury and to the safety of insured beneficiaries. 

Durable Medical Equipment (DME)

DME payment and provision have long been scrutinized by Medicare and Medicaid enforcement officials due to the relative ease with which DME fraudsters have been able to exploit these benefits. This area has historically received high levels of enforcement attention that will likely continue and be enhanced to address increased COVID-era exposures. This will be driven in part by a likely and dramatic increase in DME provider enrollments in 2020. Data analytics and enforcement resources can closely review waivers of several DME screening requirements related to supplier applications and accreditation to determine if anticipated risks are emerging. Because waivers initially included application fees, accreditation, site visits, background checks and were likely to prompt substantial increases in new enrollments, enforcement officials will be aggressively reviewing providers – especially newly enrolled providers – for signs of fraud risk and connections to known schemes. 

Skilled Nursing Facilities (SNFs)

For SNFs, the three-day qualifying hospital stay rule was waived during the pandemic but not the requirement that the patient needs to qualify for SNF services. While this will result in increased numbers of admissions without a prior three-day stay, it is also likely to prompt much higher levels of enforcement inquiry as to whether patients admitted during the waiver period otherwise qualified for SNF services based on their diagnosis or condition.


CMS and HHS granted several rule waivers to laboratories, including a waiver of the requirement of an order from the treating physician or practitioner to obtain COVID-19 testing. Enforcement officials are likely to focus on how suspending certain rules on physician order for lab tests may incentivize labs to solicit patients for COVID-19 testing and then submit large amounts of inappropriate billing for tests and infectious disease panels as well as other unnecessary add-on codes. Advanced data analytics will allow enforcement officials to see potential problem areas, including the most common “add-on” codes, the addition of unrelated codes such as those associated with the genetic testing schemes, beneficiary sharing schemes and connections between unusual add-on billing and known bad actors. Additionally, a rule change allowed additional reimbursement for COVID-related travel and specimen collection for testing of homebound beneficiaries. This will likely prompt heightened scrutiny of claim and spending trends for travel and specimen collection as well as intensive analysis of suspect or unusual behavior across the lab space.

Inpatient Hospitals

CMS provided an additional twenty percent in diagnosis-related group (DRG) reimbursement for hospital discharges of individuals diagnosed with COVID-19. CMS and the OIG may probe whether discharges were actually related to a diagnosed case of COVID-19. Through waivers, CMS also allowed hospitals to establish SNF swing beds payable under the SNF prospective payment system (PPS) to provide additional options for patients who no longer require acute care but are unable to find placement in an SNF. Hospitals using this waiver were required to attest they had made good faith efforts to exhaust other options, that there were no SNFs within the hospital’s catchment area willing or able to accept patients due to the PHE and that the hospital met all waiver eligibility requirements. Additionally, hospitals were required to have a plan to discharge the patients as soon as practicable, either when an SNF bed was available or the PHE ended, and were prohibited from billing for SNF PPS payments when swing bed patients required acute level care or continued acute care at any time while the waiver was in effect. Heightened enforcement scrutiny is likely to include intensive data analysis around trending COVID-19 diagnoses and related DRG codes to reveal geographic anomalies or other potential aberrancies. It also may include a close review of the terms of swing bed attestations through advanced data analytics and other means to ensure the waiver requirements were followed. 


The massive expansion of telehealth services during the PHE is certain to prompt continued scrutiny by the enforcement community. Waivers, flexibilities, enforcement discretion and rule changes for telehealth included:

  • expanding the telehealth services covered by Medicare and the providers who can offer them,
  • permitting providers to offer services from home,
  • not performing audits to check whether a patient relationship existed before telehealth services were provided, and;
  • increased payments for audio-only evaluation and management (E&M) codes.

Next generation data analytics will likely be deployed to look for telehealth services billed but never provided or which were not medically necessary. Enforcement officials will also look for fraudulent telehealth billing by providers for services to beneficiaries with whom they have no apparent relationship, and potential abuse of increased payments for E&M. New or revised system edits may also be brought to bear to address conduct that program officials believe could pose a potential threat to the financial integrity of federal programs.

DME, lab services, SNF payments, COVID-19 inpatient payments and telehealth services are not the only COVID-areas and services that will receive the hot light of heightened enforcement scrutiny in the coming years. Providers in these areas should also know that their businesses are at the top of the list for sustained, coordinated administrative and law enforcement review. Any provider perceived to be an outlier following data analysis, or due to other investigative evaluations, may be subject to review, audit and even a visit from the OIG, even if any errors were made in good faith.

Battening Down the Hatches

To prepare for increased enforcement scrutiny and, more importantly, ensure that a government review does not result in a devastating financial impact, providers should act now by conducting focused, informed and proactive internal COVID-related reviews and performing an in-depth analysis of their COVID-related government business. Companies should closely review payment, documentation and medical necessity requirements for items and services they provide. They should perform a COVID-19 risk assessment refresher and provide additional, focused COVID-19 compliance education to staff as well as C-suite and board leaders. Companies should also recalibrate outcomes assessment measurement tools to ensure they accurately reflect the effectiveness of their COVID-era compliance operations. Companies should also assess the state of their fundamental compliance operation hygiene and take the necessary steps to address and correct weaknesses. All of this requires a clear understanding of the configuration, focus and priorities of the administrative and law enforcement structure. To be successful, companies must also know and understand the nature, scope and extent of their COVID-19 enforcement exposure to address and resolve it before enforcement officials begin knocking at their door.