The U.S. Regulatory Framework for Remote Patient Monitoring (RPM)

A comprehensive guide to U.S. regulations for Remote Patient Monitoring (RPM), covering CMS billing rules, FDA device requirements, and HIPAA compliance. Learn how providers can meet medical necessity standards, choose FDA-cleared devices, safeguard patient data, and prepare for OIG audits.

In the United States, regulations for Remote Patient Monitoring (RPM) are primarily managed by three federal bodies: the Centers for Medicare & Medicaid Services (CMS), the Food and Drug Administration (FDA), and the Department of Health and Human Services (HHS). Compliance is interconnected; a failure to meet one agency’s rules can lead to violations with the others.

  • CMS: As the primary payor, CMS sets the rules for service delivery, patient eligibility, and reimbursement through the annual Medicare Physician Fee Schedule (MPFS). Its policies are the de facto national standard.
  • FDA: The FDA regulates the technology, ensuring that RPM devices are safe and effective. To bill for RPM, devices must meet the FDA’s definition of a “medical device,” typically requiring 510(k) clearance.
  • HHS: Through its sub-agencies, HHS enforces the Health Insurance Portability and Accountability Act (HIPAA) to protect patient data privacy and security. It also investigates fraud, waste, and abuse, with the Office of Inspector General (OIG) increasingly auditing RPM services.

Medicare Conditions of Coverage and Payment

To get paid for RPM, providers must meet CMS rules on who qualifies, who can bill, and medical necessity—the foundation of a compliant program.

Patient Eligibility Criteria

Acute and chronic conditions. Beginning with the CY 2021 MPFS Final Rule, CMS confirmed that RPM may be used for both acute and chronic conditions, expanding its use from longitudinal disease management to time-limited needs such as post-operative recovery or acute infections.

The COVID-19 public health emergency (PHE) changed several standards temporarily, and some rules differ now that it has ended. One example is the “established patient” requirement. Post-PHE, RPM may be furnished only to an established patient: one who has received face-to-face professional services from the billing practitioner (or a same-specialty practitioner in the same group) within the past three years. This anchors RPM within ongoing care.

RPM vs. RTM. The established-patient rule applies to RPM but not RTM. CMS expects RTM to follow an initial interaction where a treatment plan is set.

PHE grandfathering. Patients who began RPM as new patients during the PHE are now treated as established for continuation.

Operational takeaway. RPM intake must verify the established-patient relationship; RTM is more flexible but still requires documentation of the initial evaluation and plan.

Qualified Providers and Practitioners

Who can bill. Physicians and NPPs eligible for E/M (MD/DO, NP, PA, CNS) may order and bill RPM/RTM.

Clinical staff & supervision. Many components (99453, 99454, 99457/99458) may be furnished by clinical staff “incident to” the billing practitioner’s services under general supervision, enabling nurses and MAs to run day-to-day operations while the billing practitioner retains overall responsibility.

Expanded settings.

  • Therapists (RTM): PT/OT/SLP may furnish and bill RTM.
  • FQHCs/RHCs: Effective January 1, 2024, RPM/RTM are payable separately via G0511 outside PPS/AIR, expanding access in underserved areas.

The Standard of Medical Necessity

RPM must be reasonable and necessary for diagnosis or treatment, and the chart must document why RPM is needed for that patient (e.g., uncontrolled hypertension requiring daily data to guide medication titration). CMS codifies the standard in regulation:

“Furnished in accordance with accepted standards of medical practice for the diagnosis or treatment of the patient’s condition or to improve the function of a malformed body member;… Meets, but does not exceed, the patient’s medical need; and… Is at least as beneficial as an existing and available medically appropriate alternative”.

Given heightened OIG scrutiny, meticulous documentation is essential to withstand audits and avoid denials.

FDA Regulation of RPM Devices and Technology

RPM compliance depends on using FDA-regulated technology; FDA status links directly to Medicare billing legitimacy.

The FDA’s Definition of a “Medical Device” in the RPM Context

For RPM billing (e.g., 99453, 99454), the supplied device must meet the FD&C Act definition:

“an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is… intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals…”.

Under CMS rules, the device must digitally collect physiologic data and automatically transmit it to the provider. The FDA further notes RPM devices are generally “non-invasive remote monitoring devices that measure or detect standard physiological parameters” and are designed to “wirelessly transmit patient information to their health care provider or other monitoring entity”.

Device Classes and Pathways to Market

Classes.

  • Class I (low risk): General Controls; generally exempt from premarket submission.
  • Class II (moderate risk): General + Special Controls; most RPM devices (BP cuffs, scales, oximeters, glucometers) require 510(k).
  • Class III (high risk): Life-supporting/sustaining or implantable; require PMA.

510(k) vs. PMA.

  • 510(k) Clearance: Demonstrates substantial equivalence to a predicate; typical for RPM devices → “FDA Cleared.”
  • Premarket Approval (PMA): Full scientific evidence for safety/effectiveness for novel high-risk devices → “FDA Approved.”

Beware marketing that touts “FDA Registered”—that only reflects establishment registration, not device safety/effectiveness or market authorization.

Vendor due diligence. Treat device choice as a compliance decision: verify 510(k)/PMA status in the FDA database. Using a non-compliant device can render RPM claims false, risking repayment and False Claims Act exposure.

Table 1: FDA Regulatory Pathways for RPM Devices

  • Class I (low risk). Primary regulatory control: General Controls. Premarket submission: generally exempt. Typical RPM examples: N/A (most RPM devices are Class II).
  • Class II (moderate risk). Primary regulatory control: General Controls and Special Controls. Premarket submission: 510(k) clearance. Typical RPM examples: blood pressure monitors, glucometers, pulse oximeters, weight scales.
  • Class III (high risk). Primary regulatory control: General Controls and Premarket Approval. Premarket submission: PMA (approval). Typical RPM examples: implantable cardiac monitors, implantable defibrillators.

Post-PHE Enforcement Policy for Non-Invasive Remote Monitoring Devices

  • During the COVID-19 PHE, FDA used “enforcement discretion” for certain low-risk monitors, allowing limited changes (e.g., remote use, added connectivity) without a new 510(k).
  • In October 2023, FDA’s final guidance said it does not intend to object to limited modifications to legally marketed 510(k)-cleared devices (e.g., in-home indications, wireless/Bluetooth) without a new submission.
  • The discretion is narrow and does not cover risk-raising changes (e.g., core algorithm changes, new physiologic parameters, remote programming/control, or switching Rx to OTC). Such changes still require a new 510(k) and clearance.

Data Governance—HIPAA Compliance and Patient Consent

RPM data is PHI; HIPAA (enforced by HHS OCR) governs handling, and CMS plus state laws define consent requirements.

Applying HIPAA to RPM

  • Privacy Rule: Sets national standards for when PHI may be used/disclosed; implement reasonable safeguards (e.g., private settings for patient communications).
  • Security Rule: Protect ePHI via administrative (risk analysis, security management, workforce training), physical (facility/equipment protections), and technical (access controls, audit controls, integrity, encryption) safeguards.
  • Tech scope: The Security Rule does not apply to traditional PSTN (“landline”) telephone calls, but it does apply to VoIP, mobile apps, and internet, Wi-Fi, or cellular transmissions of ePHI, which therefore require a documented risk analysis and mitigations.

Business Associate Agreements (BAAs)

  • When a vendor accesses PHI, a BAA is mandatory. It must require the Business Associate to implement safeguards, report breaches, bind subcontractors, and comply with the Security Rule.
  • Using an RPM vendor without a BAA is a clear HIPAA violation for both parties.

Patient Consent (Two Layers)

  • CMS billing consent: Obtain before or at service start; verbal or written is acceptable but must be documented (includes notice of cost sharing under Part B).
  • State telehealth informed consent: Often more prescriptive (verify identity/location; disclose credentials; explain benefits/risks/limits; privacy/security; tech-failure protocol; right to refuse).
  • Common pitfall: Getting simple verbal consent to “begin RPM services,” satisfying CMS, but missing state-required elements (e.g., device-failure plan). Build a single workflow that meets the stricter of federal/state rules and document all elements (consult CCHP for state specifics).

CPT Code Reference for Remote Monitoring (2025)

Each entry lists the code, the service type, the official CPT descriptor (verbatim), and the key billing requirements.

  • 99453 (RPM). Descriptor: “Remote monitoring of physiologic parameter(s) (e.g., weight, blood pressure, pulse oximetry, respiratory flow rate), initial; set-up and patient education on use of equipment.” Billing: billable once per episode of care; requires data collection on at least 16 days within the first 30 days to bill.
  • 99454 (RPM). Descriptor: “Remote monitoring of physiologic parameter(s) (e.g., weight, blood pressure, pulse oximetry, respiratory flow rate), initial; device(s) supply with daily recording(s) or programmed alert(s) transmission, each 30 days.” Billing: billable once per 30-day period; requires data transmission on at least 16 days of the 30-day period.
  • 99457 (RPM). Descriptor: “Remote physiologic monitoring treatment management services, clinical staff/physician/other qualified health care professional time in a calendar month requiring interactive communication with the patient/caregiver during the month; first 20 minutes.” Billing: billable once per calendar month; requires a minimum of 20 minutes of management time and at least one live, two-way interactive communication.
  • 99458 (RPM). Descriptor: “Remote physiologic monitoring treatment management services… each additional 20 minutes (List separately in addition to code for primary procedure).” Billing: add-on code to 99457 for each additional 20 minutes of management time per calendar month.
  • 99091 (RPM). Descriptor: “Collection and interpretation of physiologic data… digitally stored and/or transmitted by the patient and/or caregiver to the physician or other qualified health care professional… requiring a minimum of 30 minutes of time, each 30 days.” Billing: requires 30 minutes of physician/QHP time per 30 days; does not require interactive communication; cannot be billed in the same month as 99457.
  • 98975 (RTM). Descriptor: “Remote therapeutic monitoring (e.g., respiratory system status, musculoskeletal system status, therapy adherence, therapy response); initial set-up and patient education on use of equipment.” Billing: billable once per episode of care; requires at least 16 days of data collection to bill the corresponding device code.
  • 98976 (RTM). Descriptor: “Remote therapeutic monitoring… device(s) supply with scheduled… transmission to monitor respiratory system, each 30 days.” Billing: billable once per 30 days for respiratory system monitoring; requires data transmission on at least 16 days.
  • 98977 (RTM). Descriptor: “Remote therapeutic monitoring… device(s) supply with scheduled… transmission to monitor musculoskeletal system, each 30 days.” Billing: billable once per 30 days for musculoskeletal system monitoring; requires data transmission on at least 16 days.
  • 98980 (RTM). Descriptor: “Remote therapeutic monitoring treatment management services, physician/other qualified health care professional time in a calendar month requiring at least one interactive communication… first 20 minutes.” Billing: billable once per calendar month; requires a minimum of 20 minutes of management time and at least one live interactive communication.
  • 98981 (RTM). Descriptor: “Remote therapeutic monitoring treatment management services… each additional 20 minutes (List separately in addition to code for primary procedure).” Billing: add-on code to 98980 for each additional 20 minutes of management time per calendar month.

Oversight, Audits, and Compliance Risk Mitigation

As RPM use and reimbursement grow, federal scrutiny—especially from HHS OIG—has intensified. A robust compliance program is now essential to sustain operations and mitigate risk.

What Recent HHS-OIG Reports Signal

Key findings (high level):

  • Incomplete service delivery. About 43% of Medicare beneficiaries who received RPM did not receive all three intended components (set-up, device supply/monitoring, treatment management)—raising questions about whether services align with CMS policy.
  • Data blind spots. CMS currently doesn’t collect details on which conditions are monitored, or which devices are used, creating a “black box” that limits value assessment.
  • Fraud/abuse risks. OIG has flagged schemes enrolling beneficiaries for services that are unnecessary or not provided and issued consumer alerts.

OIG recommendations to CMS (what to expect): Add safeguards; expand provider education; require formal orders and the ordering provider on claims; capture what health data is monitored; and closely monitor high-risk billers.

Why it matters: Moving from a data-agnostic to a data-specific model would let CMS tie RPM to diagnoses and outcomes, potentially leading to NCDs/LCDs, tiered rates, and stricter coverage. Platforms will need richer clinical data capture/reporting on claims.

Common Billing Errors & Pitfalls (to avoid)

  • Billing 99454 with <16 data days in 30 days.
  • Billing RPM and RTM in the same 30-day period for one patient.
  • Billing RPM for a new patient post-PHE (no established relationship).
  • Missing documented consent before/at initiation.
  • Double-counting time across RPM/RTM and other care-management services.
  • Thin medical necessity rationale or ongoing justification.
  • Missing auditable time logs for 99457/99458.
  • No documented “interactive communication” for management codes.

Documentation & Audit-Readiness (best practices)

  • Complete charting: Order for RPM, documented consent, diagnosis codes, proof of device delivery and patient education—all in one place.
  • Separate logs:
    • Data days (every transmission date) to evidence the 16-day rule.
    • Management time (date, duration, activity) supporting 99457/99458.
    • Interactive contact notes (date, participants, summary).
  • Regular self-audits: Sample claims, check each element against code rules, fix process gaps early.
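The self-audit step above can be automated over the separate logs the page recommends keeping. The following is an added example, not code from the original page or from DrKumo: it encodes the claim-level rules from the CPT reference and the “Common Billing Errors” list (the 16-day device rule per 30-day period, 20 minutes of documented time per management unit plus at least one interactive communication, 99091 not in the same month as 99457, no RPM/RTM concurrency, established-patient status for RPM, documented consent) and runs them over a constructed sample of two claims. The `Claim` record layout and the sample data are assumptions for the example; a real claims or platform export will have a different shape, and rules the page states only at the episode level (99453 once per episode of care) are not checked here.

```python
"""Claim-level self-audit for RPM/RTM billing rules (added example, not the page's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Code groups taken from the CPT reference table on this page.
RPM_CODES = {"99453", "99454", "99457", "99458", "99091"}
RTM_CODES = {"98975", "98976", "98977", "98980", "98981"}
DEVICE_CODES = {"99453", "99454", "98975", "98976", "98977"}  # subject to the 16-day rule
MGMT_BASE = {"99457", "98980"}                                 # 20 min + interactive communication
MGMT_ADDON = {"99458": "99457", "98981": "98980"}              # add-on code -> required base code

MIN_DATA_DAYS = 16
MGMT_UNIT_MINUTES = 20


@dataclass(frozen=True)
class Claim:
    """One patient's remote-monitoring claim for one 30-day device period / calendar month.

    Constructed layout for this example; a real EHR or platform export will differ.
    """
    patient_id: str
    period_start: date                 # first day of the 30-day device period
    codes: frozenset[str]              # CPT codes on the claim
    transmission_dates: frozenset[date]  # every date a device transmission was logged
    mgmt_minutes: int                  # documented clinical staff / practitioner time this month
    interactive_contacts: int          # documented live two-way communications this month
    addon_units: int                   # units of 99458 / 98981 billed
    established_patient: bool          # face-to-face service from the billing group within 3 years
    consent_documented: bool           # consent recorded before or at initiation


def data_days(claim: Claim) -> int:
    """Distinct calendar days with a logged transmission inside the 30-day period."""
    end = claim.period_start + timedelta(days=30)
    return sum(1 for d in claim.transmission_dates if claim.period_start <= d < end)


def audit_claim(claim: Claim) -> list[str]:
    """Return a list of findings; an empty list means every checked rule passed."""
    findings: list[str] = []
    codes = claim.codes

    if codes & DEVICE_CODES:  # 16-day rule for set-up and device supply codes
        days = data_days(claim)
        if days < MIN_DATA_DAYS:
            findings.append(f"16-day rule: only {days} data days in the 30-day period")

    if codes & RPM_CODES and codes & RTM_CODES:  # no RPM/RTM concurrency for one patient
        findings.append("RPM and RTM billed in the same period")

    if "99091" in codes and "99457" in codes:
        findings.append("99091 billed in the same month as 99457")

    if codes & MGMT_BASE:  # management codes: time threshold and interactive communication
        units = claim.addon_units if codes & MGMT_ADDON.keys() else 0
        required = MGMT_UNIT_MINUTES * (1 + units)
        if claim.mgmt_minutes < required:
            findings.append(f"management time: {claim.mgmt_minutes} min documented, {required} min required")
        if claim.interactive_contacts < 1:
            findings.append("no documented interactive communication for management code")

    for addon, base in MGMT_ADDON.items():  # add-on codes need their base code
        if addon in codes and base not in codes:
            findings.append(f"{addon} billed without base code {base}")

    if codes & RPM_CODES and not claim.established_patient:  # post-PHE rule applies to RPM only
        findings.append("RPM billed for a non-established patient")

    if not claim.consent_documented:
        findings.append("no documented consent before or at initiation")

    return findings


# Constructed sample data: one compliant claim, one with several of the page's listed errors.
_START = date(2025, 3, 1)
GOOD_CLAIM = Claim(
    patient_id="P001", period_start=_START,
    codes=frozenset({"99454", "99457", "99458"}),
    transmission_dates=frozenset(_START + timedelta(days=i) for i in range(20)),
    mgmt_minutes=45, interactive_contacts=1, addon_units=1,
    established_patient=True, consent_documented=True,
)
BAD_CLAIM = Claim(
    patient_id="P002", period_start=_START,
    codes=frozenset({"99454", "99457", "98977"}),
    # 12 days inside the period plus one transmission after it ends (must not count)
    transmission_dates=frozenset({_START + timedelta(days=i) for i in range(12)} | {date(2025, 4, 5)}),
    mgmt_minutes=15, interactive_contacts=0, addon_units=0,
    established_patient=False, consent_documented=False,
)

if __name__ == "__main__":
    for claim in (GOOD_CLAIM, BAD_CLAIM):
        print(claim.patient_id, audit_claim(claim) or ["OK"])
```

Run the file directly to see `P001 ['OK']` and six findings for `P002`. The check intentionally counts distinct transmission dates rather than transmissions, and ignores any date outside the 30-day window, because a device that uploads several readings on one day still contributes only one data day toward the 16-day threshold.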

Takeaways

To thrive in the evolving RPM space, providers must integrate a holistic compliance strategy that unites CMS billing rules, FDA device regulations, and HIPAA safeguards. This means building airtight documentation—clearly establishing medical necessity, tracking every data transmission day and minute of management time, and recording all interactive communications. Partnering with vendors who supply FDA-cleared or approved devices, maintain cybersecurity standards, and sign a Business Associate Agreement is critical. Equally vital is obtaining patient consent that satisfies both CMS and state telehealth requirements, and mastering CPT billing rules, including the 16-day device threshold, concurrency limits, and interactive communication mandates.

DrKumo, a URAC-accredited leader in digital health for chronic care and a trusted VA partner, offers secure, real-time monitoring technology that meets federal compliance standards, enabling providers to deliver high-quality RPM services while minimizing regulatory risk.

To implement an audit-ready RPM program that meets CMS, FDA, and HIPAA requirements, contact DrKumo.

Disclaimer: The information provided in this article is for general informational purposes only and is not intended as, and should not be understood to be, legal, medical, or financial advice. The regulatory landscape for remote patient monitoring is complex and subject to change. We strongly recommend you consult with a qualified professional for advice tailored to your specific situation.
