On September 24, 2024, the Department of Health and Human Services Office of Inspector General (“OIG”) published a report (the “Report), reviewing and recommending increased oversight of remote patient monitoring (“RPM”) services and billing in the Medicare program. In the Report, OIG focused on three main issues: (1) Patients and providers are not using RPM as intended; (2) RPM presents an increased risk of fraud and abuse; and (3) there is a lack of information and transparency related to enrollees’ use of RPM. Read on for additional background with regards to the growing use of RPM by Medicare providers, these three OIG findings, additional recommendations, and how regulators may respond.
Background on Remote Patient Monitoring
RPM is the use of digital devices to remotely monitor a patient’s health outside of a traditional clinical setting. The device automatically transmits a patient’s health data to their healthcare provider, allowing the provider to receive updates about the patient’s health without seeing the patient for a traditional in-office visit. RPM is often used to monitor blood pressure, weight, or glucose levels. Indeed, OIG noted that in 2022, RPM was most commonly used for hypertension and diabetes.
The Medicare population’s use of RPM has grown rapidly. From 2019 to 2022, the Medicare population’s use of RPM grew from approximately 55,000 to 570,000. Similarly, payments for RPM in Medicare increased twenty times between 2019 to 2022, growing to more than $300 million (from $15 million in 2019). Due to the increased use of RPM, the average payment per Medicare enrollee doubled in 2022. Currently, the Centers for Medicare & Medicaid Services (“CMS”) does not limit the length of time that an enrollee can be monitored using RPM, making it popular to assist in the treatment of chronic conditions. The Report provides that only 7% of Medicare enrollees use RPM for acute conditions.
Enrollees May Not Receive All Required Components of RPM
There are three main components to properly utilize RPM for Medicare fee-for-service enrollees. These components include: (1) ensuring the enrollee has a chronic or acute condition; (2) using an internet connected device as defined by the U.S. Food and Drug Administration (“FDA”); and (3) collecting and transmitting health data during a 30-day period. In addition, billing providers must ensure there is education, set up, and supply of a device as well as treatment management related to each patient using RPM.
Despite these basic requirements, OIG found that 43% of enrollees using RPM did not receive a component of the process. Frequently, enrollees did not receive training on the device or assistance in preparing the device for use. This failure could result in patients using the device incorrectly or providers receiving improper data.
Increased Concerns of Fraud and Abuse
In some instances, enrollees did not receive treatment management, which raises the issue of whether RPM is being used appropriately for such enrollees. In November 2023, the OIG issued a consumer alert (the “Alert”) about suspected fraud by providers offering RPM. In the Alert, OIG discussed schemes involving companies signing up Medicare enrollees for RPM without considering medical necessity. The Alert notes that often the enrollee never receives any device or treatment through RPM; however, the company still bills Medicare for the RPM services. Because CMS does not consider companies that offer RPM in conjunction with practices or other Medicare-enrolled suppliers to be a provider of care to Medicare enrollees, CMS does not have a method to systematically identify these companies to increase oversight.
CMS Lacks Key Information about the Use of RPM
Additionally, OIG has concerns about CMS’s ability to collect information about enrollees utilizing RPM. According to the Report, CMS does not collect adequate information about what devices enrollees are using and what health data providers are collecting. This may reflect a lack of specificity in billing codes related to RPM as providers billing Medicare need only list what component of RPM is being provided. Currently, providers do not need to give Medicare any specifics about the patient’s use of RPM. OIG found that the use of unspecified billing codes results in CMS not gaining information about a patient’s condition requiring RPM. Further, the Report found that 44% of RPM claims did not have information about who ordered the services, which means CMS is likely unable to accurately track order provider trends.
OIG Recommendations for CMS and RPM
As a result of the issues identified above, OIG issued several recommendations that CMS “concurred with or will take into consideration” to increase Medicare RPM oversight:
- CMS should implement audits to identify providers billing for RPM when the three-component requirement is not met. This would assist in targeting fraud schemes as well as ensuring Medicare enrollees receive proper care.
- CMS should require additional billing information including all information critical to the use of RPM. For example, providers would include information such as the condition being treated, the ordering provider, and the service provider.
- CMS should develop methods to identify and collect the health data that RPM is utilizing. CMS could create new procedure codes or collect information on the types of RPM devices in use.
- CMS should continue to educate providers about appropriate billing methods. OIG recommends that CMS issue resources about billing guidelines and the three-component process, the proper uses of RPM, and benefits of coordinating the use of RPM with an enrollee’s other healthcare treatments.
- CMS should establish the ability to identify companies that bill for RPM. By identifying companies that primarily bill for RPM, CMS can expand its oversight on RPM.
More Regulations are Likely to Come
Due to both the explosion of RPM use with growth after the COVID-19 public health emergency and the increased possibility that fraudsters abuse the service, the Report foreshadows a need for new regulations. Moreover, CMS concurs with the Report or states it will take the recommendations into consideration, which is an indication that the agency may consider new safeguards for RPM after seeking to expand its adoption. Further, OIG is more aware of fraudulent acts involving RPM. The Alert from November 2023 encouraged enrollees to be aware of the potential solicitations from scammers regarding RPM. OIG’s knowledge of such schemes likely suggests enforcement actions will come. Finally, in recent years, there have been new policies aimed at RPM. In the 2021 Medicare Physician Fee Schedule, CMS clarified policies for RPM billing, including the need for an established patient-physician relationship for RPM to be used and that the RPM device must be a medical device as defined by the FDA.
Given the current climate around RPM, including OIG’s focus, entities that provide patients with RPM services should make an effort to ensure that their current policies are compliant with regulations. This could include verifying that devices used for RPM fit into the definition of medical device. This also means verifying that proper reporting and billing policies are in place and auditing the same. Providers that proactively address these concerns will be better positioned for the inevitable RPM scrutiny, after such massive growth.
McGuireWoods LLP will continue to monitor changes in RPM regulations and guidance. For more information, please consult one of the authors.