CMS to audit remote patient monitoring: What practices need to know

Compliance must be an integral component of a practice's RPM program.

In news that has largely flown under the radar, the Office of Inspector General recently announced that the Centers Medicare & Medicaid Services (CMS) will be conducting a series of audits of Medicare Part B telehealth services over two phases. Among the services named in these audits is remote patient monitoring (RPM).

For practices that have already established RPM programs or those that are thinking about launching a program, this news is significant. It will be some time before we find out what auditors are focusing on and discovering during these audits. However, there are a few areas where practices are more likely to get tripped up concerning compliance, particularly given the general confusion on the requirements in the industry. In addition, there are actions practices can take now to more clearly follow the spirit and letter of the regulations to increase their program compliance and avoid auditor scrutiny.

RPM audits: The silver lining

Before we get into those areas and actions, understand that while the announcement concerning RPM audits may have come as a surprise, it's not unexpected. RPM, like other telehealth services, has witnessed rapid and significant growth due to the COVID-19 pandemic, and Medicare reaffirmed its long-term commitment in providing coverage for RPM in the 2021 final rule. The push for normalization of RPM enforcement is an indicator that RPM is now firmly established as a viable and important care management service.

RPM compliance areas of high risk

Practices with RPM programs that find themselves in hot water following an audit are likely to do so because of two reasons:

  1. They are violating rules by choice to try to make more money. Hopefully, these will be outliers.
  1. They misunderstand rules and requirements and/or partner with a vendor that cuts corners, either unintentionally or intentionally. While this is more likely to be the case, the billing provider is responsible for each RPM claim they file, and auditors are not known for accepting ignorance as an excuse and reason to not levy a penalty.

What are auditors likely to focus on during their audits? We expect at least these areas to receive close scrutiny:

Number of measurement days

The rules concerning the number of days in which RPM services are rendered is an area causing billing confusion and errors for many practices. The confusion generally stems from a federal waiver issued early in the pandemic that permitted providers to deliver and bill for RPM services to patients with suspected or confirmed cases of COVID-19.

The waiver stated that CMS would allow RPM services to be reported to Medicare for periods of time of fewer than 16 days, but no less than two days, during the pandemic. This has been referred to as the "2-day requirement." Where this requirement gets confusing is that CPT 99453 and 99454 require the use of a medical device that digitally collects and transmits 16 or more days of data every 30 days for the billing of these codes. This has been referred to as the "16-day requirement."

To make a long story short, Medicare publications after the first announcement of the 2-day waiver did not clearly associate the 2-day requirement with patients having suspected or confirmed cases of COVID-19. This led some RPM providers to interpret that the waiver requirement could apply to all patients during the public health emergency.

Such an interpretation is incorrect. Last month, CMS took the unusual step to publish a correction document that seems to put the question about the 2-day requirement to bed. If a practice with an RPM program is found by auditors to be applying the 2-day requirement to patients who do not have suspected or confirmed diagnosis of the coronavirus, this is likely to be problematic.

Definition of "interactive communication"

Another area of confusion with RPM concerns the technology that CMS would permit providers to use to perform "interactive communication" with patients, as referred to in CPT 99457 and 99458. CMS has defined interactive communication as a conversation occurring in real time that includes synchronous, two-way interactions that can be enhanced with video or other kinds of data. Some RPM providers and software vendors have interpreted that this definition meant text messaging could be used as an acceptable method for delivering billable interactive communication time.

As of the final 2021 rule, this is no longer the case. Time spent texting with patients can be counted towards RPM management time but does not satisfy the requirement for interactive communication. As such, at least some of the billable time for each RPM code must be audio communication with the patient or caregiver. The clarification presents a potential problem for some practices as text messaging is a communication option found in many RPM software platforms. If practices continue to use texting for RPM, they need to ensure that at least some of the service time is spent on a phone or video call for each billed RPM care management code (99457/99458) or the program will be found to be out of compliance with CMS rules.

Patient-reported measurements

A common misconception is that practices can permit their patients to self-report measurements into an app or patient portal or otherwise manually convey measurements to their physician. Although this may qualify for other services, data captured this way cannot be counted towards Medicare RPM. While practices should encourage their patients to be active participants in their care and cognizant of their RPM readings, RPM device measurements must automatically sync—usually via Bluetooth, Wi-Fi, or cellular data—with the RPM platform without any transcription by the patient.

Basic coding rules

We're not going to spend too long on this topic, but the key takeaway here: understand and properly follow RPM coding and billing rules. If you're outsourcing RPM coding and billing, make sure the vendor you partner with follows the rules. Violations of coding rules—especially those associated with generating higher payments than a practice deserves (e.g., upcoding)—can lead to significant problems.

Staying on the right side of the Medicare

While the Medicare RPM rules can be tricky, and are undergoing regular changes, the keys to maintaining compliance and avoiding an audit are fairly straightforward: ensure you understand and follow the most current rules and partner with vendors that do the same.

Compliance must be an integral component of a practice's RPM program. Although this is true for any service, it is particularly important with services such as RPM where multiple clinical staff may be furnishing different parts of the service throughout the month. If compliance is not built into the program workflow, a practice can easily find itself in legal jeopardy.

About the Author

Daniel Tashnek is the co-founder of Prevounce Health, a healthcare software company that simplifies the provision of preventive medical services, chronic care management and remote patient management. Daniel is also a practicing healthcare attorney specializing in regulatory compliance, reimbursement, scope of practice, and patient care issues.