Background

In 2019, CMS began expanding payment for RPM services, which generally involve the use of digital technologies (i.e., medical devices together with software) to collect medical and other forms of health data from a patient in one location and electronically transmit the information to the patient’s healthcare provider in a different location for assessment and care management. In some cases, the technologies can either trigger direct patient engagement or facilitate patient communication. Remote physiological monitoring services (CPT codes 99091, 99453, 99454, 99457, and 99458) involve monitoring physiological measurements (e.g., weight, blood pressure, blood sugar) through medical devices that automatically transmit data obtained from patients remotely to healthcare providers for assessment and recommendations. In addition to the remote physiological monitoring CPT codes, CMS has established payment for other RPM services, including remote therapeutic monitoring services. The August 2025 OIG report focuses only on remote physiological monitoring services.

Prior OIG alerts and reports on RPM

OIG has increasingly scrutinized RPM services in recent years. For example, in November 2023, OIG issued a consumer alert focused on RPM, particularly direct-to-consumer RPM programs that involve advertising (i.e., through phone, television, or internet-based marketing) directed toward Medicare beneficiaries. This alert was intended to raise awareness among Medicare beneficiaries about the potential for fraud schemes involving bad actors that allegedly sign patients up for remote monitoring without an established provider-patient relationship.

In November 2024, OIG issued a report recommending additional oversight of RPM services furnished to Medicare beneficiaries. The report recommended that CMS take several steps to improve oversight of RPM services, including:

• Implementing additional safeguards to ensure that RPM is used and billed appropriately in Medicare
• Requiring that RPM services be ordered and that information about the ordering provider be included on claims and in encounter data for RPM
• Developing methods to identify what health data are being monitored
• Conducting provider education about billing of RPM
• Identifying and monitoring companies that bill for RPM.

For more information on this report, please see our prior On the Subject, “OIG recommends additional oversight of remote monitoring services.”

In December 2024, OIG announced it was adding an audit of RPM services to its work plan, citing the dramatic increase in Medicare payments for RPM services and the services’ susceptibility to fraud, waste, and abuse (e.g., unsolicited device shipments, inadequate monitoring, and inappropriate billing).

New report findings

Most recently, OIG, through its evaluation shop, conducted a data-driven analysis of Medicare claims and Medicare Advantage encounter data for RPM services (CPT codes 99091, 99453, 99454, 99457, and 99458) furnished between January 1, 2024 and December 31, 2024. OIG outlined its findings in response to six key questions in the August 25, 2025 report:

• How much is Medicare paying for RPM? RPM use continued to grow in 2024, with Medicare and Medicare Advantage payments exceeding $500 million. This represents a 31% increase from 2023 and continues an upward trend that has occurred every year since Medicare began widely covering RPM services in 2019. The number of Medicare beneficiaries receiving RPM services also continued to grow, with nearly one million patients receiving RPM services in 2024.
• How many new patients do medical practices bill for? About 4,600 medical practices routinely billed for RPM in 2024, typically billing RPM for about 70 patients during the year and adding about five new patients each month. However, OIG found that certain medical practices experienced sudden large increases in the volume of patients treated. OIG noted that while significant increases in the volume of patients treated may represent legitimate growth in a practice’s uptake of RPM, such billing spikes have been a marker of fraud for other Medicare services.
• Do medical practices have a prior relationship with their patients? Before billing for RPM, a medical practice must establish a relationship with the Medicare beneficiary by having either an in-person or telehealth visit. OIG found that most medical practices had prior relationships with nearly all of their patients. However, OIG found 45 practices that it asserted did not have a prior relationship with 80% or more of their patients.
• Are medical practices billing for treatment management? Treatment management services are provided when a provider or clinical auxiliary staff spend at least 20 minutes in a month using the patient’s RPM data to make decisions about the patient’s treatment and communicating with the patient about their care. OIG found that certain practices did not bill for any treatment management services in 2024 for 75% or more of their patients, warranting further scrutiny to ensure that RPM is being effectively used to treat patients’ conditions.
• Do multiple medical practices bill for services provided to the same patient? OIG found that the vast majority of medical practices did not bill for RPM services for the same beneficiaries, although certain practices frequently billed for the same beneficiaries that two or more other practices also billed for. OIG noted that when practices frequently bill for the same patients, it raises concerns that the practices may be billing for monitoring that is either not medically necessary or not actually provided.
• Do medical practices bill for multiple devices per patient? Medicare generally allows practices to bill for only one RPM device per month per patient. OIG found that most medical practices never billed for more than one device per month, but certain practices frequently billed Medicare for two or more devices per patient per month. OIG noted that frequent billing for multiple devices may indicate that practices are double billing for the same device or billing for devices that are either not medically necessary or not actually provided.

OIG stated that monitoring billing can help:

• Safeguard the Medicare program
• Prevent fraud, waste, and abuse
• Ensure that Medicare beneficiaries receive the benefits of RPM while also minimizing program integrity risks.

OIG stated that the billing patterns highlighted in its report (including billing for a high proportion of patients who have no prior history with the medical practice and billing for multiple monitoring devices a month for a patient) can help OIG identify medical practices that warrant further scrutiny.

Takeaways for stakeholders

Providers that furnish RPM services and digital health companies that help providers furnish these services should continue to monitor OIG and CMS publications on RPM services. Companies should ensure that their remote monitoring programs (including their policies, procedures, and general practices) are consistent with existing CMS regulations and structured to address the concerns highlighted by OIG, as appropriate. In light of increasing scrutiny of remote monitoring services, companies should ensure that their compliance programs fully address the unique risks and considerations these services present.

The American Medical Association’s CPT Editorial Panel finalized new and updated RPM codes that will be effective January 1, 2026. As part of the regular review process for new and updated CPT codes, CMS proposed new and updated payment rates for the revised CPT codes in the CY 2026 Medicare Physician Fee Schedule Proposed Rule. While CMS could have used this opportunity to provide guidance or implement additional requirements for RPM services to respond to the November 2024 OIG report, CMS did not propose any changes or guidance clarifications to address the concerns raised by OIG. In response, in its August 2025 report, OIG reiterated the importance of CMS implementing the OIG’s 2024 recommendations to strengthen CMS’s oversight of RPM services. RPM also remains on the OIG workplan.

OIG’s August 2025 report is based on a claims data analysis. Providers should expect that CMS contractors, such as Medicare Administrative Contractors, Recovery Audit Contractors, and Unified Program Integrity Contractors, will rely on similar claims data analyses to target providers for audits and other potential program integrity reviews.

Stakeholders also should be aware that OIG continues to focus on RPM services as a fraud and abuse concern. This concern may prompt discussions with CMS regarding additional measures to ensure that remote monitoring services are furnished consistent with existing requirements and guidance, or it could prompt CMS to impose additional limitations or requirements on RPM services.

We will continue to monitor updates to RPM services. Please contact the authors of this article or your regular McDermott Will & Schulte lawyer with any questions.