How HIPAA compliant email can combat telehealth scams

According to Combating the Rise of Telehealth Scams, published in the Journal of mHealth, recent federal enforcement actions demonstrate the scope of telehealth fraud: "In 2024, its National Health Care Fraud Enforcement Action pursued felony charges against 193 defendants across the United States. Thirty-six of those were directly tied to telemedicine-related fraud schemes, which involved over $1.1 billion in fraudulent claims submitted to Medicare."

The financial incentives driving these scams are substantial. As Anurag Lal, president & CEO of NetSfere, notes in Maximizing data security and ensuring HIPAA compliance, "medical record data can sell for up to $1,000 on the black market." This high value makes healthcare data an attractive target for cybercriminals, who use this information to commit fraud, identity theft, or sell it to other bad actors.

HIPAA compliant email systems create multiple barriers that make it hard for scammers to overcome, while remaining transparent to legitimate healthcare providers and their authorized staff. These security advantages work together to create a defense against fraudulent communications.

According to How to Ensure Your Email is HIPAA Compliant: Best Practices You Need to Know, "Any communication of PHI must be done through the organization's recommended e-mail platforms." This requirement prevents the use of personal or unsecured email accounts that scammers can more easily compromise or impersonate.

Healthcare IT professionals must watch closely for warning signs that indicate fraudulent activity. According to Combating the Rise of Telehealth Scams, key indicators include: "Watch for sudden increases in telehealth billing codes or claims for services outside the organization's typical offerings. Repeated billing from the same IP address or provider account may also indicate automation or fraudulent activity behind the scenes."

Read also: HIPAA compliant email

Patient protection through verified communications

The patient protection benefits of HIPAA compliant email systems extend beyond technical security measures. These systems create a trusted communication environment where patients can confidently engage with their healthcare providers without fear of exploitation or fraud.

The trust factor is important in healthcare communications. As noted in How to Ensure Your Email is HIPAA Compliant: Best Practices You Need to Know, "Patients also become confident, knowing that their information is safe." 

Encrypted messaging capabilities protect patient communications from interception or tampering throughout the entire transmission process. Even if scammers somehow gain access to network traffic, the encryption makes it impossible for them to read or modify the content of legitimate healthcare communications. This protection extends to any attachments or documents shared through the secure email system. Paubox, for example, provides HIPAA compliant email solutions that integrate directly with existing email platforms like Outlook and Gmail, ensuring healthcare providers can maintain their familiar workflows while automatically encrypting all patient communications without requiring patients to log into separate portals or use complex passwords.

Digital signatures and message integrity verification ensure that patients can trust that communications they receive are exactly as sent by their healthcare providers. Any attempt to modify or tamper with messages after they are sent will be detected by the receiving system, alerting patients to potential fraud attempts. This technical capability provides patients with confidence that the medical advice and information they receive is authentic and unaltered.

Secure document sharing through HIPAA compliant email systems eliminates the need for patients to share sensitive medical information through unsecured channels. When healthcare providers need to share test results, treatment plans, or other sensitive documents, they can do so through encrypted, authenticated channels that scammers cannot access or replicate. This reduces patients' exposure to fraud attempts that often target individuals sharing medical information through insecure methods.

Patient education resources integrated into secure communication systems help individuals recognize and avoid potential scams. Many HIPAA compliant email platforms include educational materials about common fraud schemes, security best practices, and red flags that might indicate fraudulent communications. This educational component empowers patients to become active participants in their own protection against healthcare fraud.

Learn more: Paubox blog

Case study: The $4.5 billion telehealth fraud takedown

The Department of Justice's charges against 345 individuals, including 86 defendants specifically involved in telehealth fraud schemes totaling $4.5 billion, shows why secure communication systems are important for legitimate healthcare providers.

The fraud mechanism

The DOJ investigation proves how fraudulent telehealth operations exploited weaknesses in digital healthcare communications. According to court documents, telehealth executives allegedly paid doctors and nurse practitioners to order unnecessary medical equipment, genetic testing, and medications "either without any patient interaction or with only a brief phone conversation with patients they had never met or seen."

This case demonstrates several vulnerabilities that HIPAA compliant email systems are designed to prevent:

Lack of authentication: Fraudulent operations relied on unverified communications between supposed healthcare providers and patients. HIPAA compliant email systems require verified user identities, making it hard for bad actors to impersonate legitimate providers at scale.

Absence of audit trails: The fraudulent schemes operated through channels that left no reliable documentation of actual patient-provider interactions. Secure email systems maintain audit logs that can verify when, how, and with whom communications occurred, providing the documentation necessary to distinguish legitimate telehealth services from fraudulent operations.

Compromised data integrity: The investigation showed how easily scammers could manipulate patient information and billing records when using unsecured communication channels. HIPAA compliant email systems use encryption and digital signatures to ensure that patient communications cannot be altered or falsified after transmission.

The effects

Beyond the immediate $4.5 billion in fraudulent claims, this case had broader implications for telehealth legitimacy. As Mike Cohen from the Health and Human Services Inspector General's Office noted, the pandemic-era lifting of telehealth restrictions created an environment where "anti-fraud guardrails have been removed." The concern that legitimate telehealth expansion could be undermined by fraudulent activities makes secure communication infrastructure necessary.

The Centers for Medicare and Medicaid Services responded by revoking Medicare billing privileges for 256 additional medical professionals, demonstrating how fraud in one area can impact the entire healthcare system. Legitimate telehealth providers who fail to implement security measures risk being caught in broader enforcement actions or losing patient trust due to association with fraudulent activities.

Prevention through secure communications

This case study shows how HIPAA compliant email systems serve as a  defense mechanism:

Verified provider networks: Secure email platforms maintain verified directories of legitimate healthcare providers, making it difficult for fraudulent operations to establish fake provider credentials or impersonate legitimate practices.

Patient communication records: The logging capabilities of HIPAA compliant email systems create an unalterable record of patient interactions, providing the documentation needed to prove that legitimate telehealth services were actually provided.

Billing integration controls: Advanced secure email systems can integrate with billing platforms to ensure that communications about medical services are properly documented before claims are submitted, preventing the type of phantom billing that characterized the fraudulent schemes.

The $4.5 billion telehealth fraud case shows that the convenience and accessibility of digital healthcare must be balanced with security measures. For legitimate healthcare providers, implementing HIPAA compliant email systems is not just a regulatory requirement—it's a defense against being caught up in the type of widespread fraud investigation that can damage reputations and disrupt patient care for years to come

Implementation best practices for healthcare providers

Healthcare organizations seeking to maximize the anti-fraud benefits of HIPAA compliant email systems must implement strategies that go beyond simply purchasing secure email software. Successful implementation requires careful planning, staff training, and ongoing monitoring to ensure that security measures remain effective against evolving fraud tactics.

The importance of human-centered security cannot be overstated. As Anurag Lal emphasizes in Maximizing data security and ensuring HIPAA compliance, "Human error is the cause of the vast majority of data breaches. In fact, Verizon's 2022 Data Breach Investigations Report found that 82% of breaches involved the 'human element.'" This statistic shows why staff training must be the center of any security implementation strategy.

The scope of this training challenge is broader than many organizations realize. As noted in HIPAA Compliance for Email, "All members of the workforce have access to PHI inasmuch as they can visually identify a patient being admitted for treatment and share that information impermissibly via a personal email account." This means that training programs must address not just IT staff and healthcare providers, but all employees who might have any contact with patient information.

Staff training programs must address both the technical aspects of using secure email systems and the broader context of fraud prevention. Healthcare workers need to understand not only how to use the secure email features, but also how to recognize potential fraud attempts and respond appropriately when suspicious communications are identified. Regular training updates ensure that staff remain current on emerging fraud tactics and new security features.

Policy development should establish clear guidelines for when and how to use secure email communications, what types of information can be shared through different channels, and how to respond to suspected fraud attempts. These policies should be regularly reviewed and updated to address new threats and changes in technology or regulations. Clear escalation procedures ensure that potential security incidents are reported and investigated promptly.

Integration planning must consider how HIPAA compliant email systems will work with existing healthcare information systems, workflow processes, and communication patterns. Successful integration requires understanding current communication flows and designing secure alternatives that are as convenient and efficient as previous methods. Poor integration can lead to workarounds that compromise security and reduce the system's effectiveness against fraud.

Vendor selection should prioritize providers with demonstrated expertise in healthcare security and a track record of maintaining compliance with evolving regulations. Healthcare organizations should evaluate potential vendors based on their security certifications, compliance audit results, and ability to provide ongoing support and updates. The vendor's financial stability and long-term viability are also important considerations, as email systems contain years of sensitive communications that must be protected over time.

FAQs

What makes medical record data more valuable than other personal data on the black market?

Medical records contain a rich combination of identity, insurance, and health data that criminals can exploit for long-term fraud.

How can healthcare providers verify that a third-party email platform is truly HIPAA compliant?

Providers should require a signed Business Associate Agreement (BAA) and verify the vendor's encryption protocols and audit capabilities.

What is the risk of using personal email accounts in telehealth communications?

Personal email accounts lack enterprise-grade security, making them more vulnerable to spoofing, breaches, and unauthorized access.