Introduction
There has been a growing interest in the acquisition and sale of telehealth providers. While the COVID-19 pandemic may have laid the foundation, a recent wave of success for online compounding pharmacies producing weight loss drugs has enhanced the interest in telehealth companies. Such telehealth companies are focusing on “diseases du jour,” some of which have drawn negative attention from lawmakers over their potentially misleading advertising and prescribing practices. Given the recent interest by the Criminal Division of the Department of Justice in compliance-related due diligence, private equity and venture capital companies interested in telehealth companies must ensure that they perform adequate due diligence prior to the purchase of the company, have an adequate and appropriate compliance plan and, if appropriate, voluntarily self-disclose any misconduct they become aware of to avoid criminal charges.
The potential sale of a telehealth company involves the review of a variety of legal and regulatory considerations relating to privacy, practice of medicine, and marketing. This article briefly discusses each of the above in the context of state and Drug Enforcement Agency requirements, Federal Trade Commission expectations, and Food and Drug Administration recommendations. Finally, we review recent telemedicine-related enforcement actions by the Department of Justice.
State Requirements
Telehealth laws can vary from state to state. States may differ on licensing requirements, supervision requirements, distance limitations, the type of technology that must be used, the types of services that are allowed, minimum staffing requirements, recordkeeping requirements, inspections, and more.
It is also important to note that telehealth is a broad category that can involve different types of providers. For example, some companies that provide medications might be using telehealth not only for prescribers to evaluate and prescribe medicines but also for pharmacists to actually dispense the drugs from a variety of locations (telepharmacy). Therefore, review of state licenses for each type of provider and telehealth service provided is key.
Privacy Laws
As one would expect, the storage and sharing of data raises important privacy and security considerations that must be considered while developing a compliant telehealth program. At the federal level, telehealth companies must comply with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. There are also a variety of relevant state-level privacy requirements, including some specific to health privacy such as California’s Confidentiality of Medical Information Act or the Washington My Health My Data Act. It is important to note that while some state privacy laws may generally apply to medical information privacy, others target specific disease states such as Pennsylvania’s Confidentiality of HIV-Related Information Act (also known as Act 148). Act 148 generally prohibits the sharing of an individual’s HIV-related information without written permission.
Practice of Medicine
The practice of medicine is also regulated on a state-by-state basis. Telehealth companies must ensure that they comply with the varying requirements of states. One particular concern is that telehealth companies that operate in multiple states must consider whether their physicians need to be licensed in different states. For example, Florida requires out-of-state telehealth providers to register.
Disease-Specific Considerations
While telehealth providers must follow general rules related to telemedicine, certain states have disease-specific considerations, such as additional requirements imposed on providers treating obesity. For example, the Florida Commercial Weight-Loss Practices Act has specific body mass index requirements, additional informed consent rules and specific follow up care concerns. Alternatively, Virginia requires a physical examination to prescribe controlled substances for weight reduction or control, which limits the extent and scope of telehealth services.
Federal Requirements
Telehealth has recently been in the news because of companies making unvalidated claims and inappropriate sale of controlled substances. For example, as discussed below, the Drug Enforcement Administration (DEA), along with the Department of Justice, has targeted certain telehealth companies due to their noncompliant sale of controlled substances. To avoid future noncompliance, in 2023 the DEA and the Department of Health and Human Services proposed rules for prescribing controlled medications using telehealth options.
Additional telemedicine flexibilities regarding prescription of controlled medications were put in place during the COVID-19 pandemic but are currently set to expire at the end of 2024. There has been significant discussion about extending many of these flexibilities, and the DEA has been intently listening. For example, it arranged a public listening session on September 12 and 13, 2023, in addition to receiving over 38,000 comments. Despite the uncertainty, telehealth companies have continued with the prescription of controlled substances, which has brought on additional scrutiny from the Department of Justice.
Advertising Requirements
Federal Trade Commission (FTC)
The FTC works to ensure that all marketing materials are truthful and not misleading. This is generally broadly interpreted and enforced. In the context of telehealth, this could include the regulation of advertising and marketing; the use of endorsements, influencers, and reviews; online advertising and marketing; and making health claims. Companies should also pay attention to guidance specific to particular health claims. In fact, given the number of companies now focusing on weight loss, the FTC even put out a reference guide on making weight loss claims. It is worth noting that the Commission can penalize a noncompliant company as much as $50,120 per violation.
Food and Drug Administration (FDA)
While the FTC does have jurisdiction over the promotion of pharmaceutical products, the FDA primarily regulates drug manufacturers to ensure that their products are neither adulterated nor misbranded and are safe and efficacious. Accordingly, if done appropriately, the FDA should not be involved in claims being made by telepharmacy companies. However, there is a growing interest in having the FDA, primarily through the Office of Prescription Drug Promotion, regulate unsupported claims related to prescription drugs.
Telepharmacy and telemedicine companies selling compounded drugs and making drug-like claims for compounded products generally believe that they are safe from FDA scrutiny since the FDA primarily targets manufacturers of pharmaceuticals. However, it is important to note that the FDA has exerted jurisdiction over healthcare providers who are making claims about products for unapproved uses.
Enforcement
Companies and individuals using deceptive marketing in connection with telehealth are subject not only to regulatory oversight, but also civil and criminal penalties.
In July 2022 the Department of Justice (DOJ) announced criminal charges against thirty-six defendants, including a telemedicine company executive and clinical laboratory executives, for more than $1.2 billion in alleged fraudulent schemes involving telemedicine. In one of the cases, an operator of several clinical laboratories “was charged in connection with a scheme to pay over $16 million in kickbacks to marketers who, in turn, paid kickbacks to telemedicine companies and call centers in exchange for doctors’ orders.”
In 2023, Joelson Viveros faced criminal charges related to his allegedly investing in and assisted with a kickback scheme regarding a network of pharmacies that operated a call center. At this call center, telemarketers persuaded Medicare beneficiaries to accept prescriptions for expensive medications that they neither needed nor wanted. Viveros allegedly obtained signed prescriptions by paying kickbacks to two telemedicine companies.
In 2023 executives and owners of DMERx, an internet-based platform for doctors’ orders, were also indicted. The indictments included the CEO prior to a corporate acquisition and the CEO and vice president of the company that operated it after the acquisition. Defendants were allegedly paid for connecting pharmacies, durable medical equipment suppliers, and marketers to telemedicine companies that “would accept illegal kickbacks and bribes in exchange for orders that were transmitted using the DMERx platform.” Allegedly, the prescriptions were not medically necessary and were based on a brief telephone call with the alleged patient or no interaction at all.
In another case, David Antonio Becerril, a medical doctor, was indicted in connection with a scheme in which he allegedly signed more than 2,800 fraudulent orders for genetic tests and medical for patients he was not treating and had never spoken to. The indictment alleged that telemarketers obtained beneficiary information and prepared fraudulent orders that Becerril signed with an average of less than forty seconds of review, and few or no orders were denied. In some cases, braces were approved for patients whose relevant limbs had already been amputated.
In May 2024, the DOJ charged a Long Island woman in connection with allegedly selling misbranded and adulterated weight loss drugs, including Ozempic. The defendant allegedly obtained the weight loss drugs from Central and South America and then posted dozens of videos advertising and selling the drugs.
Conclusion
As described above, investors in telehealth companies are exposed to significant risks ranging from lack of appropriate registration of providers, to privacy concerns, to inappropriate promotion. As previously discussed, the DOJ continues to target healthcare fraud and requires compliance oversight prior to and after an M&A transaction. Failure to have adequate compliance programs exposes acquirers to significant liability not only from the FDA, but also the DOJ, FTC, DEA, state regulators, and more.