On September 24, 2024, the Office of Inspector General (OIG) at the US Department of Health and Human Services issued a report recommending additional oversight of remote physiologic monitoring (RPM) services furnished to Medicare beneficiaries. The full report is available here.
Many of the issues highlighted by OIG are inherent to the current RPM codes established by the American Medical Association (AMA) but may not actually be problematic. Other issues underscore the lack of information the Centers for Medicare & Medicaid Services (CMS) has about the types of health data being monitored and the devices used to provide remote patient monitoring services. Stakeholders should review their current remote monitoring programs to ensure that RPM services are being provided consistent with existing CMS regulations and should be on the lookout for additional potential changes to the requirements for RPM services.
BACKGROUND
Remote Monitoring Background
In 2019, CMS expanded payment for remote monitoring services, which generally use digital technologies (i.e., medical devices, together with software) to collect medical and other forms of health data from patients in one location and electronically transmit the data to the patient’s healthcare provider in a different location for assessment and care management. The data collected is automatically electronically transmitted to health professionals for review and can be used in patient management. In some cases, the technologies can either trigger direct patient engagement or facilitate communication between the patient and health professional.
RPM services involve monitoring physiological metrics or parameters (e.g., weight, blood pressure, blood sugar) through medical devices that transmit data obtained from patients automatically to healthcare providers for assessment and recommendations. In contrast to RPM services, remote therapeutic monitoring (RTM) services involve the use of medical devices to monitor a patient’s health or response to treatment using non-physiological data. RTM can be used to monitor medication adherence, response to therapy, musculoskeletal activity, and respiratory activity.
RPM services include the following five CPT codes, which CMS contemplates together comprise the three basic components of RPM services:
Not surprisingly, the availability of Medicare reimbursement for remote monitoring services has led to substantial interest in furnishing such services, because Medicare is a major payor for healthcare items and services in the United States.
Prior OIG Alerts
In November 2023, OIG issued a consumer alert focused on remote patient monitoring, particularly direct-to-consumer RPM programs that involve the use of advertising (through phone, television, or internet-based marketing) directed towards Medicare beneficiaries. This alert was intended to alert Medicare beneficiaries to the potential for fraud schemes involving bad actors that sign patients up for remote monitoring without an established provider-patient relationship. Of note, the alert mentioned remote monitoring furnished by a durable medical equipment company or pharmacy. The alert recommended that consumers report companies offering unsolicited medical equipment to the OIG hotline. OIG also noted the risks associated with companies “cold calling” Medicare beneficiaries to solicit them to receive remote monitoring services.
KEY TAKEAWAYS
OIG conducted a data-driven analysis of Medicare and Medicare Advantage claims and encounter data. OIG reviewed claims for RPM services furnished between January 1, 2019, and December 31, 2022. This report did not include a review or analysis of RTM services. OIG expressed concern that Medicare lacks certain key information regarding remote patient monitoring. Specifically, OIG asserted that CMS does not have information about the types of health data being collected or information about the types of devices that are being used. Providers are not currently required to report this information, and there is no readily available way for providers to report this information. Similarly, providers are not obligated to report the ordering provider on claims for RPM services.
OIG highlighted the increase in utilization of RPM services between 2019 and 2022. Medicare and Medicare Advantage payments for RPM services totaled more than $300 million in 2022, compared to $15 million in 2019. OIG noted that the increase in payments was due not only to an increase in patients who received services, but also to an increase in the length of time that patients received RPM services. In 2022, patients received RPM services for an average of five months, compared to an average of three months in 2019. There are currently no Medicare national or local coverage determinations limiting the amount of time that a patient may receive remote monitoring services. As OIG noted, the majority of RPM services are furnished to patients with chronic conditions (which by definition tend to last for 12 months or more), and RPM services can serve as a useful tool to manage these conditions.
CMS established payment rates for RPM services in 2019 and provided guidance on certain requirements for and appropriate utilization of remote monitoring services. In response to the COVID-19 public health emergency, CMS also issued several waivers and flexibilities that were explicitly intended to expand providers’ ability to furnish remote monitoring services to patients, including flexibilities regarding who could furnish the services, the types of technology that could be used, and how many days of monitoring were required to be obtained in order to bill. While OIG’s report focused on the increase in utilization of RPM services, much of this increase can simply be attributed to the fact that prior to 2019, Medicare and Medicare Advantage did not provide payment for the majority of the RPM CPT codes. Indeed, the majority of the RPM CPT codes did not exist before 2019.
OIG highlighted that 43% of patients did not receive all three components of RPM services – patient education and device set-up, device supply, and treatment management services. While CMS has suggested that each component of RPM builds on the other, there is no explicit requirement that a provider must furnish all of the RPM services covered by all of the RPM CPT codes to receive payment for any services. To the contrary, specific requirements must be met in order for providers to bill for certain RPM codes. For example, both the patient education and the device supply codes currently only can be reported when a provider collects 16 days’ worth of data from a patient. If these code requirements are not met, it would be improper for a provider to bill for these services. CMS also has previously clarified that the treatment management services can be provided even where the data collection requirements for the device supply code are not satisfied.
OIG also expressed concern that 12% of patients did not receive treatment management services at all, which OIG concluded may indicate that patients did not receive the full benefit of RPM services or that the monitoring services may not have been necessary for the patient. The treatment management codes for RPM services require that the provider furnish at least 20 minutes of treatment management services. It is entirely possible that a provider furnishes treatment management services to a patient but does not meet the time-based thresholds for billing for the treatment management services. For example, a provider who furnishes 14 minutes of treatment services would be unable to bill for a treatment management code. The treatment management services also require a real-time, interactive communication with the patient. Many providers communicate with patients via text message; without a phone call or another live interaction with the patient, the provider will not be able to bill.
OIG ultimately recommended that CMS take the following steps to improve oversight of RPM services:
PRACTICAL IMPACT
Many of the concerns highlighted by OIG are inherent within the current AMA-established CPT codes for RPM services. This includes the requirement to obtain 16 days’ worth of data from a patient in order to bill for the CPT codes corresponding to patient education and the RPM device supply. The AMA recently considered changes to the RPM codes that may address some of these issues. If these code changes are finalized, CMS will have an opportunity to provide additional guidance that could assuage some of the concerns raised by OIG. Alternatively, CMS could choose to establish its own set of HCPCS codes for RPM services, but this would effectively establish two parallel set of codes and likely would be unduly burdensome for providers.
OIG issued specific recommendations for CMS that are intended to improve oversight of remote patient monitoring services. Most of these recommendations would require CMS to establish new or modified regulations. Any regulatory changes would require notice-and-comment rulemaking. Accordingly, companies should carefully review CMS’s annual rulemaking and ensure that comments and feedback to proposed changes are submitted for consideration.
Certain of OIG’s statements in the report are not entirely consistent with prior CMS and Medicare Administrative Contractor guidance on RPM services. Although there may be opportunities for CMS to provide additional clarity through changes to regulations, certain OIG suggestions – in particular, the requirement for an order for RPM services – have previously been addressed by CMS in guidance.
Finally, both providers that furnish RPM or RTM services and digital health companies that help providers furnish these services should continue to monitor OIG and CMS publications on RPM services. While OIG’s report was specifically focused on RPM services, certain issues highlighted may also be relevant to RTM services. More importantly, companies should ensure that their remote monitoring programs (including policies, procedures, and general practices) are consistent with existing CMS regulations and structured to address the concerns highlighted by OIG, if and as appropriate. In light of the increasing scrutiny of remote monitoring services, companies should ensure that their compliance programs fully address the unique risks and considerations presented by these services.
OIG noted that additional work is being performed to examine remote patient monitoring, and that remote patient monitoring remains on the OIG work plan. Stakeholders should be aware that this report may prompt CMS to implement additional measures to ensure that remote monitoring services are furnished consistent with existing requirements and guidance or could prompt CMS to impose additional limitations or requirements on RPM and/or RTM services.
For more information, please contact Deborah Godes, Caroline Reignley (McDermott Will & Emery – Partner), Marshall E. Jackson, Jr. (McDermott Will & Emery – Partner), James A. Cannatti III (McDermott Will & Emery – Partner), or Lisa Mazur (McDermott Will & Emery – Partner).