Remote patient monitoring under scrutiny: Top compliance mistakes to know

Remote patient monitoring is rapidly expanding, but with heightened federal scrutiny and OIG audits underway, medical practices must ensure full compliance to protect revenue and reduce audit risk.

Remote patient monitoring (RPM) is booming. Driving this momentum are the likes of technological advances, increased patient comfort with digital health tools, and growing provider recognition of RPM's potential to boost efficiency, patient engagement, and outcomes. Plus, RPM is generating reliable, scalable revenue — all during a time when many practices are facing increasing financial pressure. The Centers for Medicare & Medicaid Services (CMS) and commercial payers have also shown increasing support for RPM, reinforcing its role in modern care delivery.

But as RPM becomes an undeniable fixture in the healthcare landscape, it's also coming under greater federal scrutiny.

In late 2024, the Department of Health and Human Services Office of Inspector General (OIG) announced its plans to audit Medicare Part B RPM services throughout 2025, focusing on whether providers are furnishing and billing for RPM correctly. This followed a 2024 OIG report calling for tighter oversight, which was influenced in part by a 2023 fraud scheme that raised red flags.

As RPM's growth further accelerates and federal investment in remote care expands, increased regulatory attention is inevitable. While some actors knowingly bend or break Medicare rules for financial gain, many RPM compliance failures are the result of oversights and misunderstandings or partnerships with vendors that take shortcuts. Regardless of intent, both errors and fraud can put providers with RPM programs at serious risk.

Whether you're already running a program or just beginning to consider one, achieving and maintaining compliance, and thus being audit-ready, is no longer optional — it's essential.

I recently presented a webinar on RPM compliance, focusing on what we see as the most challenging and misunderstood rules for remote patient monitoring. Based on attendee questions and feedback, I've identified several key areas of RPM non-compliance that I believe are the most noteworthy at this time.

16 measurements, not just "programmed alerts"

CPT code 99454 covers the supply and monitoring of RPM devices. Per CMS guidance, this includes daily recordings and/or programmed alerts — but some RPM vendors have interpreted this loosely. Certain devices can be set to send automated daily alerts to providers, even if the patient hasn't submitted a reading. That opened an exploitable loophole: by programming devices to send daily alerts, software could log them toward the 16-day threshold required for billing, even if no actual patient data was ever collected and submitted.

CMS has explicitly warned that only physiologic readings should be considered in the 16 measurement-day requirement. Yet, some software vendors — including well-known companies — offer toggles to count non-measurement alerts toward billing requirements. This is a bright red flag for Medicare. Audits often begin with a review of device logs and patient data. A lack of real readings will quickly reveal improper billing.

Some vendors advise their customers not to count non-measurement alerts for Medicare patients but say they can do so for patients with private insurance. Although there is less explicit guidance from private payers against this practice, I would be wary of doing so given the intent of the code set and how private payers are particularly on the lookout for bad-faith RPM programs.

Messaging as a substitute for "interactive communication"

RPM requires at least one instance of real-time, two-way communication between patients and providers to qualify for CPT codes 99457 and 99458. Medicare has repeatedly emphasized that this interaction must be synchronous and conducted via phone or video. While texting can support patient communication and be counted towards care management time, Medicare has made it clear that it does not count as the required "interactive communication" for billing purposes.

Medicare regulations do not specify how long the interactive communication must be, so even a brief live conversation qualifies. It just needs to include real-time dialogue between the participants. Leaving a voicemail or exchanging text messages does not qualify. The key here is immediacy, with a live exchange that supports timely clinical assessment and intervention.

Overlooking the "established patient" requirement

During the COVID-19 public health emergency (PHE), CMS temporarily waived the need for a pre-existing provider-patient relationship before starting RPM. That flexibility ended in November 2023.

Now, RPM services must begin with an established relationship, which is defined as a provider-patient interaction within the past year. Noncompliance in this area usually takes two forms:

  • Third-party billing without a prior encounter: Some RPM vendors enroll and monitor patients under their own national provider identifier (NPI) without an initial evaluation or annual wellness visit.
  • Providers engaging patients they haven't seen in over a year: Once a patient is inactive beyond 12 months, they are no longer considered an active patient for the purposes of delivering RPM.

Missing or insufficient patient consent documentation

Initially, Medicare required written patient consent for RPM services. While verbal consent is now allowed, it still must be well-documented, and that documentation must include these five elements:

  • RPM service availability
  • Potential cost-sharing
  • That only one practitioner may bill RPM per month
  • The patient's right to opt out anytime (effective end-of-month)
  • A provider explanation and patient acceptance

I have seen many programs get into trouble for poor consent documentation even when they were performing the actual consent conversations appropriately. Providers can't simply note "patient consented" in a medical record. The documentation must detail what was explained and when. If a patient disputes a co-pay or claims they did not understand that they were enrolling in RPM, poor documentation can be costly.

Failing to meet supervision requirements when outsourcing RPM

When providers outsource RPM to a third-party vendor, their compliance responsibilities do not cease. Providers must give an individualized recommendation that the patient be enrolled in an RPM program and then continue to meet the general supervision requirements each month, meaning oversight, involvement, and a set escalation protocol remain essential. In other words, a provider cannot completely hand off the program and disengage.

Some vendors promote full-service RPM solutions that require minimal provider involvement. That's a compliance risk. Even if day-to-day interactions are handled by a vendor, the provider must retain responsibility and oversight to satisfy Medicare's "incident to" supervision standards.

Key takeaways

Medicare has expanded coverage and shown itself to be a firm proponent of remote patient monitoring over the last few years. It has also determined that heightened enforcement of the program requirements is needed so that adoption of good, patient-focused RPM programs can continue to increase. Luckily, it is relatively easy to stay within the program requirements for a good-faith program if you pay attention and have the right tools.

What does the increased focus on RPM compliance mean for you? Keep these in mind:

  1. With OIG audits here, it's more important than ever that your RPM program is compliant with payer requirements.
  2. There are potential compliance issues throughout the RPM process. Good software, devices, and partner support can help you run an impactful, profitable RPM program that also meets payer requirements.
  3. Selecting a trustworthy RPM technology and service partner, especially when outsourcing, can help limit potential exposure during an audit.

Stay ahead of RPM audits — and out of compliance trouble

The federal government is dialing up its crackdown on Medicare fraud, and remote patient monitoring is in the spotlight. By recognizing common compliance pitfalls, like those noted above, and working proactively to address them, providers can position themselves to either avoid auditor attention altogether or navigate audits confidently and successfully.

For practices offering or planning to offer RPM, compliance isn't just about avoiding penalties and passing audits. It's about creating a sustainable, patient-focused program that's built for long-term growth and success.

Daniel Tashnek is the co-founder of Prevounce Health, a healthcare software and services company that simplifies the provision of preventive medical services, chronic care management and remote patient management. Daniel is also a practicing healthcare attorney specializing in regulatory compliance, reimbursement, scope of practice, and patient care issues.

© 2025 MJH Life Sciences

All rights reserved.