On September 24, 2024, the Office of the Inspector General (OIG), US Department of Health and Human Services, published a report detailing the need for increased oversight over the billing and use of remote patient monitoring (RPM) services under the Medicare program.
Background
Medicare began covering remote patient monitoring (RPM), also referred to as “remote physiologic monitoring,” in 2018. RPM services involve the collection of physiologic data (e.g., heart rate, blood pressure, glucose levels) via various digital devices, and electronic transfer of the collected health information to a patient’s healthcare provider for the purpose of monitoring chronic and acute conditions. In 2019, CMS expanded payment for RPM services by adding additional billing codes covering chronic care remote physiologic monitoring. The Current Procedural Terminology (CPT) codes for RPM services fall into three components: (1) Patient Education and Device Setup; (2) Device Supply; and (3) Treatment Management Services.
OIG’s Key Findings
INCREASED UTILIZATION OF RPM
In compiling its report, OIG reviewed claims and encounter data for RPM services furnished between January 1, 2019, and December 31, 2022. OIG found that, during this timeframe, there was a tenfold increase in the number of Medicare beneficiaries who utilized RPM services—from 55,000 patients in 2019 compared to 570,000 patients in 2022. The audit did not involve a review of remote therapeutic monitoring (RTM) claims or data. This expansion, in addition to a significant increase in the average amount of time for RPM services utilized by Medicare beneficiaries, resulted in significantly higher costs to the Medicare program.
THREE COMPONENTS OF RPM
In its report, OIG highlighted its determination that 43% of Medicare beneficiaries who utilized RPM services did not receive all three components—Patient Education and Device Setup, Device Supply, and Treatment Management Services. OIG noted that, although CMS does not require providers to bill for all three components, the large share of beneficiaries who did not receive all three components suggests that RPM services are potentially not being utilized as intended by CMS. In these cases, beneficiaries most commonly did not receive education or support regarding use and setup of their device, did not receive a connected device from the provider, or did not take and transmit readings of their physiologic data for at least 16 days in any month. However, this can potentially be attributed to the requirements attached to the related RPM codes, i.e., a provider is not permitted to report a patient education or device supply codes unless the provider collects patient data for 16 days.
OIG also determined that 12% of beneficiaries did not receive treatment management services. This raised concern for OIG that such beneficiaries may not have received the full benefit of the RPM services and that the monitoring may not have been necessary to treat the beneficiary’s condition.
FRAUD CONCERNS
In a November 2023 Consumer Alert, OIG identified concerns with companies recruiting Medicare beneficiaries, through unsolicited communications, to receive RPM services without regard to medical necessity. Similarly, OIG noted in its report that CMS reported risks related to companies “cold calling” beneficiaries to solicit for RPM services despite having no established history or patient-practitioner relationship with the beneficiary. CMS also identified risks such as companies employing insufficient staff to appropriately monitor patients, overbilling monitoring time, and failing to train beneficiaries on the use of monitoring devices.
MEDICARE’S LACK OF KEY INFORMATION ON RPM
Another issue identified by OIG was Medicare’s lack of key information regarding RPM services utilized by Medicare beneficiaries. OIG expressed concern that Medicare does not receive information regarding the types of health data collected as part of billed RPM services, nor does it receive information about the types of devices used. Medicare does not require providers to report this information. OIG also found that Medicare does not explicitly require that a provider order RPM services or that an ordering provider be listed on a claim. According to OIG, this lack of key information creates challenges in determining the medical necessity of RPM services, preventing and detecting fraud and abuse, and ensuring billing and utilization compliance.
OIG’s Recommendations
To address the concerns identified in its report, OIG recommended the following steps aimed at strengthening oversight of RPM:
- Implement additional safeguards to ensure that RPM is used and billed appropriately under the Medicare program.
- Require that RPM be ordered and that information about the ordering provider be included on claims and encounter data.
- Develop methods to identify the health data being monitored.
- Conduct provider education about RPM billing.
- Identify and monitor companies that bill for RPM.
CMS concurred with recommendations 1, 4, and 5, and agreed to take into consideration recommendations 2 and 3.
Going Forward
The report signals that the rapid expansion of RPM services has garnered the attention of OIG and increased oversight should be anticipated. Although the report only focuses on RPM services, RTM providers should also take notice, as many of the issues concerning RPM noted by OIG may apply to RTM as well. Providers of RPM and RTM services should review their practices and compliance programs to ensure adherence with current regulations and guidance, with an eye toward addressing the issues identified in OIG’s report.
Given the meteoric rise in Medicare reimbursement for RPM and RTM services and the general widespread adoption of telehealth during the pandemic, the industry has often been slow to implement compliance oversight over the delivery of technology-enabled healthcare services. By way of example, RPM services are paid under Part B of the Medicare Program, and RPM billing codes are considered Evaluation & Management (E&M) services. Because state healthcare laws often limit the types of legal entities that may provide such medical services, provision of RPM services on a national basis requires close alignment with both legal and compliance functions. Additionally, RPM and RTM providers should monitor state and federal guidance and other publications for any updates regarding relevant billing and encounter rules.