
ABA Health eSource

March 2024

Remote Patient Monitoring Enforcement Initiatives

Danielle H Tangorre and Erin Turkis

Summary

  • Remote patient monitoring (RPM) allows the patient’s care team to collect and evaluate various health data, such as vital signs, blood pressure, heart rate, glucose levels, and other biometric data.
  • The Centers for Medicare and Medicaid Services (CMS) released the 2024 Physician Fee Schedule (PFS) Final Rule, which, in part, provides helpful clarifications regarding RPM services.
  • New services and digital technologies have the potential for fraud, waste, and abuse.
  • The Office of Inspector General (OIG) announced that as part of work plan W-00-21-35862, phase two audits of Part B telehealth services will include, among other areas, an audit of RPM.

In recent years, there has been a significant increase in the use of digital technologies and innovative solutions in healthcare, including the increased use of remote patient monitoring (RPM) services. Telehealth and other digital therapies proliferated during the COVID-19 pandemic, particularly as entities took advantage of the relaxation of telehealth rules and the need to provide patient care remotely. Rules have adapted and changed over the years to accommodate the growing field. In addition, the increased utilization of telehealth and digital technologies to treat patients has been followed by a robust government response.

This article discusses RPM topics and key takeaways RPM providers must know about the 2024 Physician Fee Schedule Final Rule, including various billing requirements, recent RPM Department of Justice (DOJ) enforcement actions, related Department of Health and Human Services (HHS) Office of Inspector General (OIG) consumer alerts, and guidance regarding how providers can avoid compliance issues when providing RPM services. In this time of continuous technological development, it is especially important for providers to stay up to date on the various legal requirements and guidance in this area in order to ensure adherence to the latest compliance standards.

Remote Patient Monitoring

RPM involves the collection and analysis of patient physiologic data used to develop and manage a treatment plan related to a chronic and/or acute health illness or condition. The HHS defines RPM as “a set of codes that describes non-face-to-face monitoring and analysis of physiologic factors used to understand a patient’s health status.” In simpler terms, RPM is the use of a device that collects various patient data and transmits them electronically to the patient’s care team. This allows the patient’s care team to collect and evaluate a wide range of health data, such as vital signs, blood pressure, heart rate, glucose levels, and other biometric data. Various CPT codes have been issued to cover remote monitoring and encompass either use of clinical staff under general supervision of a physician or qualified health professional or auxiliary personnel under general supervision of the billing practitioner. Medicare reimbursement for RPM services is also conditioned on compliance with applicable state law.

RPM and the Physician Fee Schedule

Notably, on November 23, 2023, the Centers for Medicare and Medicaid Services (CMS) released the final calendar year 2024 Physician Fee Schedule (PFS) Final Rule, which took effect on January 1, 2024. The Rule, which implements certain changes to the PFS and other Medicare Part B payment policies, among other things, ensures that payment systems are updated to reflect changes in medical practices. The Rule provides helpful clarifications regarding RPM services, some of which are explained below.

  • Following the end of the COVID-19 public health emergency (PHE), CMS required RPM services to be furnished only to established patients. An established patient is a patient who has received within the past three years any professional services from a provider who belongs to the same group practice. The Rule, however, clarifies that patients who received RPM services during the PHE are considered established patients.
  • Billing for remote monitoring codes requires data collection for at least 16 days in a 30-day period, and this data collection minimum applies to existing RPM code families for calendar year 2024.
  • Services associated with all the medical devices can be billed by only one practitioner, only once per patient per 30-day period, and only when at least 16 days of data have been collected. CMS clarifies that providers can bill RPM or remote therapeutic monitoring (RTM), but not both concurrently.
  • RPM and RTM services can be furnished separately during global periods for surgery, provided they are unrelated to the diagnosis for which the global procedure is performed.
  • To reduce administrative burdens for rural health clinics (RHCs) and federally qualified health centers (FQHCs), RHCs and FQHCs may include RPM and RTM services under the general care management code G0511.

The 2024 Fee Schedule also reiterates the 2021 fee schedule requirements. Some of these are notable changes since the pandemic, particularly the requirement to establish a physician-patient relationship. CMS also signaled the potential for future changes and adaptations as it aims to achieve the “intention [] to allow the maximum flexibility for a given practitioner to select the appropriate mix of care management services, without creating significant issues of possible fraud, waste, and abuse associated with overbilling of these services.”

Fraud Concerns with RPM

The advent of new services, particularly those utilizing new remote technology, comes with the potential for fraud, waste, and abuse. The OIG announced that as part of work plan W-00-21-35862, phase two audits of Part B telehealth services will include, among other areas, an audit of RPM. The OIG also expressed concern at various times over the last few years regarding the potential for exploitation of the rules surrounding RPM and the potential for fraud, waste, and abuse. For example, on July 20, 2022, the OIG issued a special fraud alert noting that it had conducted dozens of investigations of fraud schemes involving companies purporting to provide telehealth, telemedicine, or telemarketing services, but which had exploited the growing acceptance of telehealth. These schemes involved telemedicine companies providing providers with kickbacks resulting in the fraudulent billing of federal health programs. The special fraud alert set forth suspect characteristics of these arrangements, including but not limited to recruitment of patients from health fairs, call centers, social media, or the internet, and a lack of sufficient contact or physician-patient relationship.

Additionally, on November 21, 2023, the OIG released a consumer alert regarding a fraudulent RPM scheme that involved targeting Medicare enrollees, signing the Medicare enrollees up for RPM services, stealing Medicare numbers and other personal information, then billing Medicare a monthly fee for services that were unnecessary or never provided. These alerts show a common concern that there is not a foundational physician-patient relationship for services and a lack of medical necessity and follow-up. Medical necessity also continues to be a concern in these arrangements and a basis for potential False Claims Act liability. The DOJ illustrated this focus on December 18, 2023, when it announced a settlement with an entity and its subsidiary whereby the entities agreed to pay more than $14.7 million to resolve allegations that they violated the False Claims Act by knowingly submitting claims to federal healthcare programs for a higher level of remote cardiac monitoring than physicians had intended to order or than was medically necessary. The DOJ alleged that the entities knew the design of their online enrollment portal for their device caused unwitting clinical staff to select options that would enroll the patient in the most expensive service, even when the doctor intended to order a less expensive service.

Requiring the establishment of a physician-patient relationship may assist with mitigating fraudulent RPM schemes; it is one of the through lines of compliance that exists in the regulations and is noted in the various alerts by OIG. Lack of sufficient contact between the physician and patient, and recruitment through health fairs or other recruiters in the abstract, are some of the key focuses by OIG and DOJ based on their enforcement experience. In addition, providers and patients protecting their personal information with adherence to the HIPAA Security Rule is yet another protective measure. Overall, patients and providers should consider exercising increased awareness and heightened diligence; this will likely be combined with continued government audits and enforcement measures to combat the potential for any RPM fraud schemes.

Conclusion

In the face of this heightened government scrutiny related to providing RPM services, providers must be sure to conduct thorough due diligence on any entities with which they do business. A focus on and review of policies and procedures to document medical necessity is essential. In addition, the interplay of state law and federal law is important in RPM, and providers should closely evaluate their compliance and billing practices to prevent potential instances of fraud. The increased utilization of RPM services provides new and innovative healthcare solutions; however, providers must keep in mind that these services are also ripe for compliance concerns. It is therefore essential for providers of RPM services to stay up to date on the evolving legal requirements in this area and ensure subsequent compliance.
