Payers Warned of Telehealth Compliance Risks

The upcoming 2026 telehealth regulations are a direct result of the massive shift to virtual care during the COVID-19 pandemic, which saw Medicare telehealth visits jump from roughly 840,000 in 2019 to 52.7 million in 2020. Many temporary pandemic-era waivers are now being made permanent, including the removal of geographic restrictions and allowing patients to receive care from their homes. A key change for 2026 is the introduction of new Remote Patient Monitoring (RPM) codes by the Centers for Medicare & Medicaid Services (CMS). These codes, such as CPT 99445 and 99470, allow providers to bill for shorter monitoring periods of just 2-15 days and for as little as 10 minutes of clinical interaction time, a significant change from the previous 16-day and 20-minute thresholds. While these new rules are designed to increase flexibility and patient access, they also create new avenues for fraud, waste, and abuse (FWA). Cotiviti's analysis points to specific schemes such as billing for multiple monitoring devices for a single member in the same month, or providers rapidly increasing the number of members they bill for who have no prior history with their practice. The Office of Inspector General (OIG) has signaled a clear intent to increase its scrutiny of telehealth claims, focusing on billing patterns, medical necessity, and compliance with remaining geographic and site requirements. Payers are now expected to have robust monitoring systems in place to detect anomalies and patterns of abuse. One area of concern is the upcoding of behavioral health services, a sector that saw telehealth volume for procedure codes increase from 0.53% in 2019 to nearly 47% in 2021. Cotiviti has identified schemes where providers bill for more expensive individual therapy sessions when, in fact, they provided lower-reimbursing group therapy, leading to significant overpayments. Payers must also watch for "impossible days," where a provider bills for more than 24 hours of services in a single day. For example, one analysis found a provider coding 96% of their tele-behavioral claims as 60-minute psychotherapy visits, a rate significantly higher than their peers and a major red flag for auditors. In response, payers are being urged to update their policies to require clear evidence of a provider-patient relationship before RPM device deployment and to define acceptable standards for interactive communication, such as favoring real-time audio/video over simple text messaging. Incomplete documentation, such as failing to specify the telehealth method (video vs. audio-only) or not recording patient and provider location, can lead to denied claims and audit failures. The financial penalties for non-compliance are substantial, ranging from OIG fines and Department of Justice settlements to multi-year corporate integrity agreements. Beyond direct fines, payers face the hidden costs of legal defense, payment holds, and increased insurance premiums, making proactive compliance and advanced analytics essential to navigate the new landscape.