OIG’s Remote Patient Monitoring Audits Are Here: What You Need to Know
In September 2024, the Office of Inspector General (OIG) released a report urging additional oversight of Remote Patient Monitoring (RPM) services for Medicare patients. In response, we are now seeing a significant increase in audits of Remote Physiological Monitoring (RPM), Chronic Care Management (CCM), and other virtual care management services by CMS through its Medicare Administrative Contractors (MACs).
Through our work defending clients who are the subject of these audits, we’ve gained interesting insights into what auditors are focusing their attention on, their understanding (or lack thereof) of the requirements for implementing the RPM and CCM codes, and best practices for RPM companies and their customers to follow when billing for these services.
What Auditors are Focusing On
Documentation of Practitioner “Orders” for RPM/CCM
A common issue emerging in audits that we are seeing is documentation of practitioner orders for RPM and CCM services. CMS does not actually require a specific format for ordering these virtual care management services, and most providers simply note an order to enroll a patient in RPM and/or CCM in the assessment and plan section of the medical record. However, some auditors argue that no valid order exists if there isn’t a document clearly labeled as an “order” for RPM and/or CCM; they seem to expect to see something akin to a prescription in the medical record, though no such requirement exists.
Documentation of Beneficiary Consent
We are also seeing auditors require that a patient’s consent to receive RPM or CCM services must be documented in a signed beneficiary consent form. This is explicitly NOT required under CMS’s regulations. Instead, CMS indicates that consent may be obtained verbally from the patient and documented as such in the medical record. CMS rules and guidance underscore that, as a component of beneficiary consent, is important to ensure that a patient is informed of potential copays for these services, that only one practitioner should be providing RPM or CCM services for the same conditions at any one time, and that the patient has the right to terminate services at any point.
Documentation of Medical Necessity
In order for a claim for services to be paid by Medicare, the ordering practitioner must determine that a service is “medically necessary” – meaning, it is reasonable and necessary for the diagnosis or treatment of the patient’s condition. Medicare audits often focus on whether the services provided were medically necessary, and clear documentation of medical necessity is critical to support claims. However, we are seeing some auditors require “evidence of a precipitating event or exacerbation of a chronic condition” as support for medical necessity of RPM services. Interestingly, there is no such requirement for a “precipitating event” or an “exacerbation” in CMS rules or guidance. It is, however, a best practice to document in the patient’s care plan how RPM and/or CCM services for underlying condition(s) will facilitate treatment for the patient. For example, a note in the care plan may state: “prescribing Remote Patient Monitoring with blood pressure cuff to track the patient’s blood pressure over time and monitor the progress the hypertension treatment plan.” This ensures that auditors can clearly see the connection between RPM services and the patient’s ongoing medical care.
Documentation in the Treatment/Care Plan
The creation and maintenance of a “Comprehensive Care Plan” is an important component of a patient’s medical record for purposes of meeting CCM billing requirements. For RPM services, auditors seem to expect to find significant detail within the text of a treatment plan about a patient’s diagnoses and why RPM is appropriate to manage those conditions. For example, one auditor indicated that the treatment plan should include 1) the need for RPM services; 2) the anticipated duration of RPM services; 3) the type of medical device that will be used; 4) how that device is related to the patient’s condition(s); and 5) defined parameters for the physiologic metrics being monitored. While these requirements are not articulated in CMS rules or guidance, this example highlights the degree of specificity that some auditors expect to see.
Appropriate use of Clinical Staff
We are seeing auditors take a close look at the state licensure and scope of practice of clinical staff who are providing monitoring and care management services “incident to” the billing practitioner – meaning, their services are billable as part of the ordering physician’s services. In general, clinical staff must be licensed in the state where the patient is located and must be operating within their scope of practice as established by the state(s) in which they are licensed. This means that health coaches and even Medical Assistants are not considered “clinical staff” in most states for purposes of providing care management services.
Documentation of Time and Readings Transmitted
The RPM, CCM, and other virtual care management code sets are time-based – meaning, a code for monitoring or care management services may not be billed unless at least 20 minutes of combined time by the billing practitioner and/or clinical staff is accrued during the course of a calendar month. For RPM services, the code for “supply of device” used to measure and transmit a patient’s physiologic readings may not be billed unless 16 days of data out of 30 are transmitted by the patient. (Note: these requirements may change in 2026. Stay tuned!) Utilizing a software platform that can accurately capture time and number of readings transmitted AND document this clearly is important for accurately documenting the requirements of these codes.
How to Prepare for an RPM Audit
Audits can simply be random or can be triggered by claims that seem excessive or unusual in some way; for example, if a practice submits claims for supply of an RPM device but rarely submits claims for the associated treatment management services. The best way for a medical practice or a vendor of RPM, CCM, or other virtual care management services to prepare for the potential of an audit is to engage an external expert for a compliance assessment. For our clients in the RPM/care management space, we typically do a deep dive review of the customer and/or patient onboarding and consent processes, billing/reimbursement practices, core documents, and marketing practices. A compliance assessment identifies gaps in compliance and provides steps to address those gaps, reducing exposure if and when an audit occurs.
What to Do in the Event of an Audit
First and foremost, DON’T PANIC! Do NOT haphazardly send off a bunch of notes in the medical records and hope for the best. Seek immediate assistance from an experienced digital health attorney who can guide you through the audit process and review the records to determine what is appropriate to submit in response. (We’ve seen some practices make a critical misstep by assuming that either the EHR records OR the notes in the care management software platform are the only ones that matter.) An experienced attorney can provide rebuttals to denied claims based on what is actually required by CMS for billing these codes.
It is important to note that valid audit findings of insufficient documentation to support medical necessity or disregard of key requirements of the care management code sets (e.g. inappropriate use of staff) can lead to a formal investigation by the Department of Justice for potential violations of the False Claims Act, which may result in civil monetary fines and treble damages or, in the most egregious cases, criminal liability.
Key Takeaways
As CMS ramps up audits of Remote Physiological Monitoring (RPM) and Chronic Care Management (CCM) services, providers and vendors must take proactive steps to ensure compliance and mitigate risk.
• Be Prepared for Increased Scrutiny: Auditors are focusing on documentation practices, including practitioner orders, medical necessity, and compliance with scope of practice requirements for clinical staff.
• Document Thoroughly and Clearly: Ensure that orders for RPM and CCM services are explicitly documented, that medical necessity is well-supported in the patient’s record, and that compliance with all billing requirements is evident.
• Consider a Compliance Assessment: A comprehensive review of your onboarding, billing, and documentation practices by experienced digital health attorneys can identify and address compliance gaps before an audit occurs.
• Stay Informed: As audit trends and regulatory guidance evolve, staying updated on best practices and new requirements will help ensure your practices remain compliant and audit-ready.
If you are interested in a compliance assessment or you need assistance responding to an audit, our team is here to help.