OIG RPM data show compliance, outline enforcement priorities

When the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) released its initial report on remote patient monitoring (RPM) in September 2024, the telehealth industry was taken aback. The report outlined what OIG considered program integrity concerns and called for enhanced oversight measures. Less than a year later, the OIG has issued a new data snapshot report that proposes these enhanced oversight measures and provides concrete data on RPM billing patterns that should prompt serious discussion about regulatory approach and the balance between fraud prevention and innovation in digital health.

By the numbers: What the OIG actually found

To develop its new report, the OIG analyzed 4,639 medical practices that routinely billed for RPM services in 2024, representing $536 million in Medicare payments across nearly 1 million enrollees. The agency developed five measures to identify potentially problematic billing patterns.

Here is a breakdown of those measures, along with the OIG’s findings associated with them:

1. Sudden spikes in new patient enrollment: 32 practices (0.69%) showed concerning patterns
2. Lack of prior patient relationships: 45 practices (0.97%) lacked relationships with >80% of RPM patients
3. Absence of treatment management billing: 52 practices (1.12%) never billed treatment management for >75% of patients
4. Multiple practices billing for same patients: 34 practices (0.73%) frequently shared patients with other practices
5. Billing multiple devices per patient monthly: 20 practices (0.43%) repeatedly billed for multiple devices

Across all measures, roughly 99% of practices showed no concerning patterns. This finding provides important context for understanding the scope of problematic billing practices in the RPM sector.

Vendor problem hidden in plain sight

Perhaps the most significant insight from the OIG’s latest analysis isn’t what they explicitly state, but what can be inferred from their data. Many of the “medical practices” flagged for lacking prior patient relationships are likely RPM technology vendors billing under their own national provider identifiers (NPIs) rather than facilitating billing through the referring physician’s practice.

One flagged practice billed RPM for over 30,000 patients without prior relationships. Such scale suggests a vendor operation rather than a traditional medical practice. This represents a different challenge from traditional health care fraud. These vendors often provide legitimate monitoring services but circumvent the intended billing structure. The OIG correctly identifies this as concerning, yet the solution isn’t to restrict RPM access broadly but to clarify and enforce proper billing relationships.

When measures miss the mark

While the OIG’s analytical approach deserves credit for its data-driven methodology, two of the five measures are not directly correlated with misuse and differ from the billing guidance of the Centers for Medicare & Medicaid Services (CMS).

The treatment management measure (i.e., absence of treatment management billing) assumes all patients receiving RPM should regularly receive 20 minutes of monthly treatment management to justify billing. However, the American Medical Association deliberately split the RPM Current Procedural Terminology codes between treatment management and device supply specifically because both components would not always be required each month. This was a purposeful decision, as the older codes for RPM bundled them together.

Additionally, the measure flagging sudden enrollment spikes fails to account for legitimate growth scenarios, like new RPM programs launching or existing programs expanding to cover additional conditions. These situations would naturally show significant enrollment increases until reaching steady state, yet the OIG’s measure treats all such surges as potentially concerning. For example, a practice that just started offering RPM or expanded its program to include diabetes management alongside hypertension would legitimately experience the pattern the OIG flags as suspicious.

The OIG’s measures may effectively identify major outliers that warrant investigation, but they must be interpreted with the understanding that legitimate clinical variation and normal business growth will also trigger these flags. When oversight measures don’t distinguish between legitimate program development and actual fraud indicators, it risks creating unnecessary administrative burden for compliant providers and potentially discouraging innovation in RPM adoption. The key is using these measures as screening tools rather than definitive indicators of improper billing.

Regulatory implications: Precision versus broad strokes

The OIG’s findings present CMS with a decision point. With these new data showing possible problematic billing at 1% of practices, the question becomes how to most effectively address these outliers while maintaining program access.

The OIG has essentially provided CMS with a short list of organizations that may warrant investigation. This precision capability should inform the regulatory response. Rather than new billing restrictions or documentation requirements that burden all providers, CMS could focus investigative resources on these statistical outliers, many of which are likely to be outsourced RPM vendors versus traditional medical clinics.

Moreover, the distinct patterns identified (e.g., vendor billing under its own NPI, sudden enrollment spikes, lack of prior relationships) suggest different underlying issues requiring different solutions. A vendor inappropriately billing under its own NPI needs different intervention than a practice that might be upcoding or billing for services not rendered.

It is important to note that the 1% of practices associated with problematic billing could account for a disproportionately higher percentage of patients, given the size of their programs.

Path forward: Using data for strategic enforcement

The OIG’s data provide a road map for CMS, which should consider taking the following steps:

• Clarifying billing relationships between vendors and referring providers rather than restricting services
• Focusing audit resources on the identified outliers rather than creating new administrative burdens for all
• Aligning oversight measures with existing billing guidance to avoid confusion
• Recognizing legitimate clinical variation in how RPM services are delivered

The health care industry should view these latest RPM data as validation that the vast majority of clinics with remote patient monitoring programs maintain compliance, while regulators must remain vigilant about the bad actors that exist. The data enable precision in both enforcement and compliance efforts.

As digital health continues to evolve, this development offers a lesson: Data-driven oversight can identify problems with precision, but regulatory responses must be equally precise to avoid stifling innovation and beneficial care services. The OIG has provided concrete data to guide effective oversight that protects both program integrity and patient access to beneficial services. Now it’s up to CMS to use it wisely, targeting enforcement where needed while protecting access to innovative care delivery models that are demonstrably improving patient outcomes. This level of enforcement will be especially important given the expected expansion of the RPM code set in 2026 and the anticipated subsequent growth in the number of patients able to access and benefit from remote patient monitoring.

Daniel Tashnek, JD, is the co-founder of Prevounce Health, a health care software and services company that simplifies the provision of preventive medical services, chronic care management and remote patient management. Daniel is also a practicing health care attorney specializing in regulatory compliance, reimbursement, scope of practice and patient care issues.