In late September 2024, the Office of Inspector General (OIG) issued a report recommending additional oversight of Remote Patient Monitoring (RPM) in Medicare. The report highlights key areas where OIG believes more safeguards and transparency are necessary to ensure RPM services are being properly utilized and billed. 

Below, we summarize the OIG’s main findings and explain why we believe certain recommendations may be unnecessary and could actually reduce patient access to remote monitoring services as an effective means of managing acute or chronic conditions.

The OIG Report: Key Findings

The OIG indicates that this report was triggered in part by the rapid increase in Medicare claims for RPM between 2019 and 2022, with the number of enrollees using RPM services increasing more than tenfold during that time. Key findings from the report state:

•  43% of Medicare enrollees did not receive all three components of RPM services (setup and education, device supply, and treatment management), raising concerns about whether RPM is being used as intended.

• OIG and CMS have concerns about fraud and abuse, noting that some companies appear to have signed up enrollees for RPM services without legitimate medical necessity or failed to provide monitoring altogether.

• A lack of information, including which health data is being monitored by whom and who the ordering provider is, limits CMS’ ability to oversee RPM properly.

The OIG report poses a series of recommendations to CMS, including the development of additional safeguards, requiring that ordering provider information be listed on claims, increasing provider education about RPM billing, and monitoring companies that specialize in RPM to prevent fraud.

Where the OIG Report Misses the Mark

While we recognize the need for oversight and fraud prevention, our experience advising over 70 remote monitoring companies since the introduction of RPM reimbursement codes in 2019 suggests that the OIG’s findings and recommendations require closer scrutiny. Below are some areas where we believe OIG’s approach may be flawed and/or fail to recognize the clinical realities of RPM.

1. The significant increase in claims from 2019 to 2022 is not a cause for concern.

As we note above, the RPM code set was introduced in 2019.  While adoption of new reimbursement codes by physicians is often slow – in part due to lack of education on how and when to use the codes – the COVID-19 pandemic had healthcare practitioners searching desperately for every means of virtual care for patients as live office visits shut down completely. 

CMS highlighted RPM services as a means of managing patient treatments for chronic and acute conditions remotely, and physicians responded, utilizing RPM services to treat and manage COVID patients and patients with chronic conditions. It should be no surprise to anyone that RPM claims increased dramatically during the pandemic.

2. Billing all three RPM components is not required for RPM services to occur.

According to the OIG, 43% of enrollees receiving RPM did not receive at least one of the three key components of RPM services. However, the report does not fully consider certain clinical and logistical factors. 

For example, the fact that not all three components of the RPM code set were billed for a patient during a month does not necessarily mean that the patient did not receive the service – it may simply mean that the billing criteria for each code was not fully met and the code therefore could not be billed. 

For example, in order to submit a claim for “supply of device” of the remote monitoring device under CPT code 99454, the CPT Manual and CMS require that the patient transmit their data “16 days out of 30.”  Physician advocates of Remote Patient Monitoring have long argued that the so-called “16-day requirement” is arbitrary, and that meaningful information can be gathered with fewer than 16 days of data transmissions, and real-world evidence bears this out. In cases where patients already own a connected device, the supply of device code would not be billed even though data is being monitored. The “patient education and setup” code is also tied to the 16-day requirement and can’t be billed unless and until that requirement is met even though the service may have occurred more than a month earlier. 

Finally, some conditions may not require the full 20 minutes of interaction with a clinician in a given month, meaning that the treatment management services code would not be billable, though services occurred.

3. Fraud concerns are justified, though not all “specialist” RPM companies are bad actors. 

The OIG report highlights concerns about RPM being offered to enrollees who may not need the services or about inadequate monitoring. While these are legitimate concerns, the report seems to focus on RPM companies with a clinical arm, where practitioners actually order and bill for RPM services. 

Like any other aspect of the healthcare industry, RPM is subject to abuse by bad actors targeting vulnerable patients. CMS’ robust existing fraud detection mechanisms should suffice to identify these bad actors without overburdening compliant providers. 

In highlighting medical practices specializing in remote monitoring as particularly suspect, the report fails to acknowledge that RPM specialty practices can – compliantly – play a significant role in increasing access to RPM services for patients whose local provider may not have the capacity to implement an RPM program.

4. Including all information on the claim itself is overly burdensome.

The OIG recommends that CMS require listing of the ordering practitioner, the type of health data being monitored, the type of device used, and all staff billing “incident to” a practitioner’s service on RPM claims submitted for reimbursement. 

While we support transparency, the process of including this level of detail on the claim form itself may be confusing and overly burdensome, deterring some practices that are already overwhelmed with administrative work from offering RPM services. The ordering practitioner is typically the billing practitioner, which is listed on the claim form. 

Additionally, many RPM services are coordinated among multidisciplinary care teams, making it difficult to attribute the service to a single ordering provider. In cases where the ordering and billing practitioners are different, the medical record should include documentation of the order and any providers involved. The devices used, staff involved, time spent, and other billing elements OIG seeks information about is also typically found in the medical record. Documenting the same on the claim form would be duplicative and administratively burdensome.

What does the OIG Report Mean for Remote Patient Monitoring Companies?

The growth of RPM has been a bright spot in digital health, particularly in chronic disease management. While sensible oversight to prevent fraud and ensure appropriate use is important, we urge policymakers and enforcement agencies to avoid overly restrictive requirements and oversight that could inhibit the continued growth and innovation in this area of care.

The practical reality of the OIG’s report is that RPM companies will face increased scrutiny in the coming years. In our practice, we have already seen a number of audits and Civil Investigative Demands involving RPM companies and practices who bill for RPM services. 

To prepare for this increased scrutiny, companies that facilitate RPM and other virtual care management services – Chronic Care Management (CCM), Principal Care Management (PCM), Behavioral Health Integration (BHI), etc. – should consider a full legal and regulatory compliance assessment to pre-emptively identify and address any compliance issues, ideally before an audit occurs.

If you are a Remote Patient Monitoring or other Virtual Care Management company interested in conducting one of these assessments, please click here for more information.