Telehealth Enforcement Is on the Rise. Transparency Will Help

The telehealth industry is entering a new phase of scrutiny marked by intensified enforcement actions across civil and criminal fronts that reflect a coordinated, whole-of-government approach.

In addition to traditional enforcement areas such as the Anti-Kickback Statute and False Claims Act, telehealth companies and health-care providers should expect heightened oversight involving advertising and consumer protection practices, data privacy and security, billing and subscription practices, prescribing and clinical oversight, Medicare enrollment integrity, and arrangements implicating genetic testing and durable medical equipment.

Understanding five major enforcement actions within the last 18 months and learning five corresponding practical steps can help telehealth companies mitigate risk.

Telehealth Enforcement Actions

Federal authorities have advanced both civil and criminal prosecutions targeting deceptive marketing, privacy and data misuse, unlawful subscription billing, and health-care fraud schemes linked to telemedicine models.

• The Federal Trade Commission finalized an order against NextMed, a telemedicine company selling GLP‑1 weight-loss programs, to cease deceptive advertising, review manipulation, and unfair billing and cancellation practices. The order mandates clear disclosures of costs and cancellation terms, substantiation of outcome claims, informed consent for charges and recurring debits, prohibitions on misrepresentations about reviews, and a $150,000 payment for consumer refunds.
  
• The Department of Justice, working with the FTC, partially resolved a case against Cerebral, a telehealth mental health services provider. The company allegedly misused and disclosed sensitive health information, used deceptive data security claims, and violated the Restore Online Shoppers’ Confidence Act (ROSCA) for nontransparent subscription practices and obstructive cancellation processes. The proposed order requires Cerebral to cease the challenged practices and pay about $5 million in consumer redress plus a suspended civil penalty judgment, while claims continue against the former CEO and others, and against related companies allegedly using similar practices.
  
• A federal jury convicted the founder/CEO and clinical president of Done, a digital health company, for a $100 million scheme involving unlawful online distribution of Adderall and related health-care fraud between 2020 and 2023. The case emphasized deceptive advertising, suppression of clinical discretion, use of “auto-refill” technology without clinical interaction, manipulation of prior authorization processes, and obstruction of investigations.
  
• As part of the Justice Department’s 2025 National Health Care Fraud Takedown, 49 defendants were charged in connection to telemedicine and genetic testing schemes alleging more than $1.17 billion in fraudulent claims. In the Southern District of Florida, prosecutors charged telemedicine companies with a $46 million scheme to target Medicare beneficiaries with deceptive telemarketing campaigns designed to prompt claims for medically unnecessary genetic testing, durable medical equipment, and Covid‑19 tests.
  
• A UK citizen was indicted for orchestrating a Medicare telehealth fraud scheme involving medically unnecessary genetic testing and for filing false Medicare enrollment documents to conceal ownership and adverse legal history. This emphasizes the Centers for Medicare and Medicaid Services’ expectations for full disclosure of ownership and control.

Best Practices

Telehealth companies and provider organizations should recalibrate compliance programs to align with these enforcement developments. Consider the following best practices:

Substantiate advertising, endorsements, and outcomes claims. Use competent and reliable evidence, with clear disclosures of costs, refund and cancellation terms, and any material connections to endorsers. The NextMed order makes clear that review hygiene must avoid suppression or manipulation of information that can help consumers understand their obligations and rights. Consumer consent for charges and recurring billing should be explicit, documented, and revocable through simple mechanisms consistent with ROSCA expectations.

Carefully vet privacy and tracking technologies. Given the Cerebral settlement, companies should ensure that any deployment of tracking pixels or similar tools is consistent with public-facing privacy representations. Obtain informed consent for data collection and sharing practices and align data security controls with representations about confidentiality and security.

Preserve independent medical judgment. In the wake of the convictions related to Done, telehealth companies should avoid business rules that constrain diagnosis or prescribing time, prohibit clinically indicated discontinuation, or automate refills absent clinical evaluation. For controlled substances, maintain compliant prescribing practices, robust diversion safeguards, and documentation that reflects medical necessity and continuity of care. Avoid any instructions or incentives that could be construed as encouraging unlawful prescribing or misrepresentations to payers.

Ensure enrollment integrity and ownership transparency. As demonstrated by the Harrison indictment, the Justice Department expects companies to accurately disclose owners with at least 5% interest or control and any adverse legal actions in Centers for Medicare and Medicaid Services enrollment materials. Establish procedures to detect and update changes in ownership and control.

Exercise rigorous medical necessity oversight. This includes telemarketing, durable medical equipment, and genetic testing arrangements. The Southern District of Florida’s actions as part of the 2025 National Health Care Fraud Takedown indicate that companies should require documented patient relationships, clinically appropriate examinations, and clear, physician‑led determinations of necessity. Prohibit remuneration tied to volume or referrals, and vet marketing partners to prevent deceptive lead generation and misuse of beneficiary data.

The Bottom Line

The risk profile for telehealth has shifted decisively. Civil and criminal authorities are aligning around deceptive consumer practices, privacy and security misrepresentations, ROSCA violations, prescribing abuses, and traditional fraud schemes exploiting telemedicine’s scale.

Telehealth companies and provider organizations that invest now in substantiated advertising, transparent billing, robust privacy controls, strong clinical governance, enrollment integrity, and real‑time monitoring will be best positioned to sustain growth while mitigating enforcement risk in the year ahead.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

Hillary Stemple is a partner at ArentFox Schiff focused on life sciences and complex health-care regulatory matters.

Pascal Naples is an associate at ArentFox Schiff focused on the health-care industry.

Write for Us: Author Guidelines