Remote Patient Monitoring (RPM) is transforming healthcare delivery—but it’s also drawing increased scrutiny from regulators. With RPM billing climbing exponentially and compliance missteps triggering six-figure Civil Money Penalties (CMPs), providers can no longer afford to treat RPM as a plug-and-play solution. Legal experts are advising caution: treat RPM like any other medical service, with clinical rigor, documented necessity, and constant oversight.
This article breaks down the legal risks, emerging CPT code changes, and compliance traps providers must avoid, drawing from the latest insights in the June 2025 issue of Report on Medicare Compliance.
Legal Spotlight: Compliance Risks in RPM
According to attorney Thomas Ferrante of Foley & Lardner LLP, many providers underestimate the compliance complexity of RPM, especially when patients don’t upload biometric data consistently. As Ferrante told Report on Medicare Compliance:
“The first thing RPM companies and providers realize can kick them in the teeth is how hard it can be to get patients to do 16 days of readings. This is one of the biggest friction points in the RPM world in terms of billing.”
Why does this matter? Because under current Medicare rules, CPT code 99454—which reimburses for device supply—requires data from at least 16 days in a 30-day period. Without this, reimbursement is not permitted, and billing can become a liability.
Settlements Are Increasing
In the last year alone, there have been at least two RPM-related settlements with the Office of Inspector General (OIG):
- Capital Health System (May 2025): Paid $528,937 for billing Medicare for RPM services that allegedly didn’t meet coverage requirements.
- Florence Wellness (August 2024): Paid $194,754 for submitting claims without capturing 16 days of biometric readings.
These cases arose from self-disclosures, not whistleblowers—signaling growing internal concern among providers and aggressive federal oversight.
What Triggers Legal Action?
According to Atty. Ferrante, red flags include:
- Billing for RPM when medical necessity is not documented
- Continuing RPM for patients whose conditions have resolved
- Enrolling patients in “subscription-like” models without individualized care plans
- Billing for dead or non-compliant patients
- Relying too heavily on vendors to handle the RPM process
In Ferrante’s words:
“At the end of the day, the responsibility falls on the billing provider. They will be on the hook for billing improprieties.”
OIG’s Warning: Oversight Is Coming
A 2024 OIG report recommended increased oversight and transparency of RPM, noting that:
“About 43% of people who received RPM didn’t get all three services.”
— OIG Report OEI-02-23-00260
The implication: Providers may be cherry-picking CPT codes (e.g., billing 99453 for setup but not delivering 99457 for treatment management), violating the spirit of the program.
CMS agreed with the OIG’s recommendation. Expect closer audits—and tougher enforcement.
CPT Changes Are Coming—But Risks Remain
The AMA has updated the CPT codes, reducing the required number of days for RPM data collection and creating new codes for shorter-duration treatment management. While the Medicare Physician Fee Schedule (MPFS) has yet to adopt these codes, private payers may begin accepting them.
Until then, the 16-day rule remains in effect. Providers must:
- Educate patients about their role in RPM compliance
- Monitor data transmission daily
- Document all communication and care decisions
- Ensure services are based on current medical need, not blanket enrollment
What Providers Should Do Now
To stay compliant and avoid legal exposure, as required by Medicare guidelines, providers must:
- Verify medical necessity at the start and throughout RPM use
- Use FDA-listed devices and ensure proper documentation of setup (CPT 99453)
- Monitor whether the patient transmits data on at least 16 days per 30-day period (for CPT 99454)
- Deliver live, interactive treatment management (CPT 99457/99458)
- Capture consent, documentation, and oversight in every billing cycle
- Audit vendor partnerships to ensure they don’t exceed scope—or compromise your billing integrity
How DrKumo Helps Providers Stay Compliant
DrKumo is more than just an RPM vendor. It is a secure, end-to-end platform purpose-built to safeguard providers from the legal and compliance pitfalls increasingly flagged by CMS, the OIG, and other federal watchdogs. All biometric devices used by DrKumo are FDA-listed and transmit patient data securely in real time, supporting technical compliance from the ground up.
The platform’s daily monitoring notifies clinical staff when a patient misses a reading, supporting the critical 16-day data requirement for billing CPT 99454. Providers can easily monitor RPM activity by patient, aligning services with individualized care plans and updated medical necessity documentation. Finally, DrKumo’s cybersecurity-first architecture—aligned with VA Directive 6500, HIPAA, NIST, and FIPS 140-3 standards—supports data security and privacy requirements while enabling scalable, compliant RPM operations for healthcare systems and payers alike.
Takeaways
RPM offers reduced readmissions, better chronic care management, and proactive population health—but only when done right.
The legal landscape is clear: Medicare, the OIG, and the DOJ are no longer tolerating sloppy RPM practices or rubber-stamped billing. Providers who take shortcuts—especially those relying too much on third-party vendors without clinical oversight—are risking more than just revenue. They’re risking reputational damage and federal penalties.
Compliance isn’t just about avoiding trouble—it’s about delivering RPM as it was meant to be: personalized, responsive, and medically important.
Ready to reduce your RPM compliance risks and streamline billing for CPT 99453, 99454, and 99457? Contact DrKumo today to see how our end-to-end platform keeps you audit-ready and patient-focused.
Disclaimer: This blog is for informational purposes only and does not constitute legal, clinical, or billing advice. For official guidance, consult the Report on Medicare Compliance, CMS manuals, or a licensed healthcare attorney.