Government and health systems are scrutinizing the practices of remote patient monitoring (RPM) companies.
The amount of auditing of RPM companies has increased in the last two years, two lawyers told Fierce Healthcare, and the audits have gotten more aggressive and informed. The audits have ranged from mundane billing denials by Medicare Administrative Contractors (MACs) to criminal investigations by the Department of Justice (DOJ).
But some RPM companies have become frustrated with audits in which the auditors are not informed about the billing practices and are incorrectly identifying issues.
The scrutiny is likely to continue under the Trump administration as it seeks to root out fraud, waste and abuse in federal programs.
RPM includes the monitoring of physiologic data, like blood glucose levels, and therapeutic monitoring, like medication adherence. The two types have distinct code sets and billing rules.
The federal government started to increase scrutiny of remote monitoring claims in April 2023, when the Department of Health and Human Services' Office of Inspector General (OIG) added remote monitoring to its ongoing Work Plan. The Work Plan stated that remote monitoring services were increasing in use, but little was known about the patients and conditions RPM was used for.
In November 2023, the OIG released a remote monitoring consumer fraud alert to Medicare beneficiaries. The fraud alert detailed a scheme in which durable medical equipment (DME) providers were soliciting beneficiaries via phone to initiate, and bill for, remote monitoring services.
Advocates dismissed the alert as an issue for the DME industry and not an issue for legitimate remote monitoring companies. The dismissal did not discourage the OIG.
In September 2024, the OIG released a report that identified suspect billing practices for remote monitoring based on Medicare claims data from 2019 to 2022. The federal watchdog raised warning flags about billing practices they considered inconsistent with the intent of the remote monitoring codes.
The report called for enhanced oversight of remote monitoring in Medicare.
Advocates thought the OIG report was underinformed about the CPT codes for RPM. Remote monitoring experts pointed out that many of the so-called inconsistencies the OIG raised, like billing for all three components of remote monitoring at once, were not required by Medicare rules.
“About 43% of enrollees who received remote patient monitoring did not receive all 3 components of it, raising questions about whether the monitoring is being used as intended,” the OIG wrote.
Digital health lawyer Carrie Nixon, partner at Nixon Law, said she has defended four RPM companies in the last six months during audits by MACs, which process Medicare claims by region.
Nixon claimed that auditors have not been aware of all the billing requirements for RPM. During an audit in early 2024, Nixon said, “they really didn't know or understand much about these codes, because frankly, they missed a lot of stuff.”
In a March 11 blog post for the firm, Nixon wrote that auditors misunderstood documentation requirements for medical necessity, patient consent and practitioner orders for RPM and chronic care management.
Audits that happened later in 2024 were more refined, Nixon said. Auditors pointed to specific claims they believed to be improper and pulled medical charts and other records to review documentation. However, the firm has still had to educate auditors about the codes and point out misunderstandings of the codes.
Nixon said she is not sure whether the auditors were being paid by the MACs or by the OIG, but she attributes the uptick in audits to the OIG’s September 2024 report.
Thomas Ferrante, partner at Foley & Lardner, has also seen an increase in audits, from MACs and from health systems.
He explained to Fierce Healthcare that because of the government’s increased focus on RPM billing practices, health systems have begun internal reviews of their RPM programs and third-party RPM vendors.
“So a lot of the physician group practices, or maybe even large health systems where this may not have been on their radar to look at, and they may be outsourcing some or all of the remote physiologic monitoring service line to a third party, when they saw the fraud alert come out, they said, ‘Hey, let's add that to our work plan,’ and so they'll audit it,” Ferrante explained.
They have found legitimate issues. Nixon did as well. The audits have ranged from mundane internal audits to criminal investigations, Ferrante said.
Ferrante noted that some clients had to make self-disclosures of overbilling to the government. Other clients have been subpoenaed by the DOJ for billing for deceased Medicare patients. MACs have refused to pay out claims because they claimed the services were not medically necessary.
In some cases, vendors had not met the 16-day data collection requirement but still billed Medicare for the service. Ferrante also said that documentation of the medical need for the individual patient is often missing from the records. Each patient needs a documented reason for using RPM.
“Key elements of the code criteria are just blatantly missing and those claims are still being submitted, and part of that is happening most prominently in situations where there's the third-party RPM companies,” Ferrante said.
Ferrante said medical practices have relied too heavily on third-party vendors and have not realized their billing practices have been suspect. He attributed a portion of the billing mistakes to the newness of the codes—they went live in 2019—and non-healthcare companies entering the RPM market that don’t understand healthcare reimbursement.
“A lot of the advertising that goes on with those companies, they say, ‘Hey, we know you're a busy hospital. We know that you're a busy physician practice, so we're going to help you manage this.’ And sometimes those practices rely too heavily on that third-party vendor,” he said.
A handful of RPM companies have been intentionally deceitful and misused the codes for profit.
In January, the DOJ charged a South Florida RPM company up to a $4.9 million settlement fee for allegedly offering gift cards for patients that met the 16-day data collection requirement and dressing barely trained health coaches in scrubs to appear as healthcare professionals.
“No one's completely squeaky clean,” Ferrante said. “It's just so complicated. There's always some error rate of mistakes. So, not surprisingly, things come up in those audits. Sometimes it's not worrisome. Sometimes it's, 'What the heck has been going on?'”
Beyond legitimate issues, auditors have thrown red flags without having all of the recorded medical data for the claim. Third-party vendors often keep separate files from healthcare providers, and there have been many cases where the auditor is missing information, Nixon explained.
“There isn’t a standardized way to build the platform or standard ways that some things have to be documented—like the 'orders' for RPM,” Nixon explained. “Sometimes even the practices themselves, when they're turning over documents to support the claims, they are not realizing that they should be providing both the platform records and the EHR records.”
It’s not clear whether the Trump administration will continue to probe RPM companies. Nixon said all the audits she’s working on started in 2024. Ferrante said he’s had some audits start in the weeks since Trump took office, but he explained that the cases could have been built by the Biden administration.
The Trump administration should be deliberate in striking a balance between auditing for fraud, waste and abuse while not overburdening health technology companies with expensive and unnecessary audits, Nixon warned.
“It's causing a lot of frustration and uncertainty,” Nixon said. “[CMS] gave us these programs to bill for and to code, and now we're getting in trouble for doing it. A lot of times you're just saying we're doing something wrong, and we're not.”