HHS watchdog flags potential remote monitoring fraud. Stakeholders say concerns about misuse are overblown

Last Updated September 25, 3:45 p.m.

The Department of Health and Human Services’ Office of the Inspector General clarified that it wants remote physiologic monitoring to continue, despite its report that prods Medicare to develop more oversight for billing.

But according to five experts, OIG’s claims in the September RPM oversight report are confusing, inaccurate and could jeopardize the future of the service.

The Alliance for Connected Care sent a letter to OIG on Wednesday that asks it to retract and re-publish the report due to its “inaccuracies and subjective nature.”

OIG told Fierce Healthcare in an interview that the report does not claim there is fraud in remote monitoring; but, some of the billing patterns raise questions that should be addressed to prevent misuse of the codes.

OIG representatives said that the goal of the report was to "raise areas of concern" for CMS. They said “Medicare lacks complete information” about how remote monitoring is being used and billed for in CMS programs.

“Approximately 43 percent of enrollees who received remote patient monitoring did not receive all 3 components of the monitoring, raising questions about whether the monitoring is being used as intended,” a subheading in the OIG report reads.

OIG clarified their concern to Fierce: “When the high proportion of enrollees who are missing one of the components of remote patient monitoring raises question, especially when they're missing the treatment management portion,” a representative of OIG said in an interview.

One lawyer that works on remote monitoring compliance agreed that this claim is reasonable.

However, some of the more reasonable claims in the report were not highlighted, they and other stakeholders claim. Instead, the prominent information in the report, such as pull quotes, bullet points and infographics are inaccurate or misleading, they say.

Another lawyer expressed skepticism towards OIG’s reasoning. They said that some conditions, like obesity, often do not require 16 days of monitoring per month because weight does not fluctuate that quickly. “Is it okay that you should go and have a protocol where you will never hit 20 minutes [of treatment management], but you will hit 16 days? I haven't seen anything expressly saying that that's contrary to codes,” he said.

He continued: “Now, if they went back and actually looked at the electronic health records and did see…  that there was no documentation, that can be a problem … It's not clear based on the report.”

A representative of OIG said the office understands that the family of remote monitoring codes can be billed separately, but that a provider doing so repeatedly over the course of twelve months prompts questions.

OIG said: “There could be reason to not bill that code, but it's more these patterns that you look at overall on all of the data, and these are things that we're seeing to raise to that level.”

The chief reason OIG representatives gave for this concern was that CMS considers the RPM codes a family of codes that should be billed together. The representatives cited the final CY2021 Medicare Physician Fee Schedule.

The Alliance for Connected Care letter cites the CY2024 MPFS, which they say dismisses the premise. CMS wrote: “We would like to offer clarification that the 16 day data collection requirement does not apply to CPT codes 99457, 99458, 98980, and 98981. These CPT codes are treatment management codes that account for time spent in a calendar month and do not require 16 days of data collection in a 30-day period.” 

CMS did not point out any inaccuracies in its response to OIG’s report. A letter of response to OIG from CMS Administrator Chiquita Brooks-LaSure merely says the agency will take OIG’s recommendations into consideration and determine next steps. 

"Prior to the report’s release, CMS reviewed the report and recommendations for technical issues and accuracy and provided feedback to OIG," CMS said in an email to Fierce. "However, the OIG is an independent entity. Their report details their findings and position on the issue, as well as recommendations to CMS. CMS’s response to each recommendation is published within OIG’s report and notes that we are working to determine appropriate next steps." 

Thomas Ferrante, partner at Foley & Lardner, said that it would be useful for CMS to release additional guidance about how to bill RPM codes. There was a MLN (Medicare Learning Network) guidance document for chronic care management, but no such sub-regulatory guidance exists for remote monitoring, he said.

“When people try to do the right thing, there's like, a great ambiguity, so they have to guess,” he said.

There has been a multi-year effort to overhaul the remote monitoring code set, spurred in part because the billing thresholds are too high for providers to be able to bill.

For example, there are many efforts to lower the 16-day reporting requirement for the device supply code and give providers an option to bill it – likely at a different rate – for less than 15 days of data collection. Stakeholders also want to decrease the amount of time a provider spends on “interactive communication” with the patient to bill the treatment management codes, down from 20 minutes to 10 minutes. 

If these changes were to make it through the American Medical Association’s coding panel and subsequently be adopted and paid for by CMS, Ferrante said OIG’s report may have had more color on cases where the services were provided but the provider did not meet the time-based billing threshold.

Ferrante said the timing of the report was eye catching. He pointed out that this is the first document OIG has put out on remote monitoring after its consumer alert in November 2023. Typically, after a consumer alert OIG puts out a consumer alert, an enforcement action follows soon after, Ferrante said.

“We just don't know what devices are being used, what health data is being [collected], who's the referring [provider] and as the technology continues to be integrated in our care, it's so important that we have some just common sense monitoring and information so we know what we're paying for [and] we pay for it properly, and then we can figure out what's working and for who. And I think that's the overall goal of this work,” OIG said.


Editor's Note: This story has been updated with comments from OIG. 

The Department of Health and Human Services’ Office of Inspector General (OIG) released a report Tuesday that enumerates its concerns with current remote monitoring practices and billing. 

It recommends that the Centers for Medicare & Medicaid Services (CMS) reform billing codes and collect additional data on remote physiologic monitoring to prevent fraud, waste and abuse in CMS programs.

Remote patient monitoring advocates say the fraud prevention office is crying wolf. “This is what they did with telehealth … now they're picking on RPM,” Krista Drobac, founder of the Alliance for Connected Care, said.

OIG recommends that CMS implement safeguards for appropriate billing. OIG suggests making providers “order” RPM, including the ordering provider information on billing and claims data, developing methods to identify what health data are being monitored and what devices are being used, conducting provider education on billing; and, identifying and monitoring companies that bill for RPM.

In an interview with Fierce Healthcare, OIG representatives said that the office supports the continued use of remote monitoring. 

"We want to state that we support the continued use of RPM," a representative said. "We're looking to provide additional oversight, further information that we cite in 'More Transparency.' We provided some specific recommendations about how we think we can work together to provide that information so we can have more appropriate oversight as this benefit continues to grow."

CMS responded to OIG's report and said it will take its recommendations into consideration. Some of the recommendations could require notice and comment rulemaking from CMS.

The report states that over half a million patients received RPM services in 2022 in both traditional fee-for-service Medicare and Medicare Advantage; this is a ten fold increase from 2019 levels, OIG says. Additionally, CMS paid over $300 million in 2022 for RPM, compared to $15 million in 2019, and its spend per patient more than doubled. OIG also found that the length of time for which patients are receiving RPM has increased since 2019. The average amount of time is now five months, up from three months in 2019, and a quarter of RPM patients are receiving monitoring for more than nine months, compared to 5% in 2019.

OIG reviewed Medicare claims data from January 2019 through December 2022 for its analysis. 

OIG’s report found that CMS is paying 20 times more for remote monitoring now than it did in 2019. Providers started billing for RPM in January 2019, and Drobac said it took the industry several years to adopt the codes.

According to the analysis, 94% of remote monitoring patients received the services for chronic conditions, while 6% received them for acute conditions. Moreover, the majority of RPM patients were solving for hypertension (55%), while a much lower percentage were for other diseases: diabetes (16%), sleep-wake disorder (5%), heart failure (4%) and chronic kidney disease (4%). RPM was most commonly provided by primary care providers and cardiologists, the report found.

Drobac said the report shows that RPM increases health equity. For example, the report found that Black and Hispanic patients are receiving RPM at nearly double the rate of white patients; and, dually eligible enrollees are also receiving RPM more often.

But OIG warned about potential fraud and overbilling because it found that in 43% of claims, patients only received one or two of the three services that providers are able to bill for RPM: device education and setup, device supply and treatment management services. The remote physiologic monitoring codes do not require a provider to bill for all three components.

Most often, providers did not bill for patient education and set up of the device (28% of claims). In 12% of cases, providers did not bill for treatment management services. The lack of comprehensive coding raises alarm for OIG and could point to fraud, the watchdog says.

A digital health advocate who worked on the creation of RPM billing codes said the report lacks understanding of the coding policies and valuation components.

“We're looking at this family of codes and how they're being used," a representative of OIG said. "Our ultimate goal is for people to benefit from this technology and for us to use it appropriately. And so this family of codes we're expecting to see together, there may be good reasons not to use it, but it just raises some questions, and we all have to look at it more closely.”

Drobac said that just because providers aren’t billing all three codes at once does not mean the services are not occurring. Rather, she asserted that CMS should be glad that providers are doing patient education for free without billing the patient education code.

“When a provider is going to prescribe a pill to a patient, usually they talk to them about the side effects and other things,” Drobac said. “They're not billing for it. So there's many, many examples in healthcare where providers are explaining to patients their course of treatment without billing for that discussion.”

OIG seems to say that CMS should reform RPM billing codes now because adoption of the services will only continue to increase: “Remote patient monitoring is likely to continue to grow, given that more than 60% of all Medicare enrollees have hypertension, yet a very small fraction of these enrollees currently receive it,” the watchdog wrote in the report.

Drobac said the tenor of the report is "hyperbolic" considering the pennies CMS pays for remote monitoring compared to other services. "The entire RPM industry reimbursement was $311 million in 2022," Drobac said. "Do you know what just the improper payments were in 2022 in Medicare? $31 billion." 

From its claims analysis, OIG says that CMS often can’t tell what providers are ordering RPM services because many aspects of the service can be performed by auxiliary staff who bill “incident to” the provider.

“In one case, a single provider billed 23,569 hours of treatment management for remote patient monitoring in 2022, far more hours than in the year,” the report says. “However, because CMS does not know how many individuals delivered these services, it cannot determine whether this is an unreasonable number of hours.”

OIG also raised concerns about RPM companies and suggested CMS keep a closer eye on for improper payments. OIG pointed to its November 2023 consumer alert, which identified fraudulent actors pretending to be providers and signing up Medicare enrollees for RPM.

OIG found that 1 in 10 enrollees who receive RPM appeared to get the services from an RPM company. OIG identified 41 such companies in the claims data.

“CMS should first develop a method to identify companies that specialize in remote patient monitoring,” OIG wrote. “This could include developing a provider enrollment classification for companies who primarily deliver remote patient monitoring services.”