RPM, CCM Attract Audits, May Be Vulnerable to FCA Investigations

By Nina Youngstrom

Although CMS has been encouraging the use of chronic care management (CCM) and remote patient monitoring (RPM), the services are being eyeballed for compliance with billing and other requirements, attorneys say. For example, the HHS Office of Inspector General (OIG) has reviews underway of RPM and has already released two audit reports on CCM, and recovery audit contractors are all over RPM.

“If your organization is engaged in CCM or RPM or is partnering with a third party to provide these services, it’s important to make sure your organization has robust guardrails,” said attorney Lauren Gennett, with King & Spalding, at a May 29 webinar sponsored by the firm.

CCM services have been covered since 2014 for Medicare patients with two or more chronic conditions (e.g., arthritis and diabetes), said attorney Taylor Whitten, with King & Spalding. They include comprehensive care management, recording patient information, managing care transitions and sharing patient health care information. CMS hopes to keep patients with chronic care conditions out of the hospital.

“One cool aspect of CCM services is they don’t have to be provided in person,” Whitten noted. Also, billing practitioners—physicians and nonphysician practitioners (NPPs)—aren’t required to personally provide CCM, which may be delegated to clinical staffers (e.g., nurses) who provide the services incident to the physician. But patients must have an initiating visit with the physician before embarking on CCM if they’re new or haven’t been seen in a year.

Here are two main CPT code categories for CCM:

  • 99491: CCM provided by a physician or NPP for at least 30 minutes per patient per month.

  • 99490, 99487 and 99489: CCM provided by clinical staff. Time spent by the billing practitioner may also count toward the time threshold if not used to report 99491.

RPM Again Requires 16 Days of Data Collection

RPM involves the use of a device to collect and transmit patient data (e.g., respiratory flow rate, blood pressure) remotely to their care team. CMS started covering RPM in 2018 and quickly expanded coverage, Whitten said.

“RPM has its own quirks,” she noted. For example, only established patients are eligible for RPM and their data must be collected for 16 days in a 30-day period and billed only once by a practitioner for that patient. During the public health emergency (PHE), it was only two days per 30-day period for patients with confirmed or suspected cases of COVID-19.

Here are the CPT codes for RPM:

  • 99091: collection and interpretation of physiologic data digitally stored and/or transmitted by the patient and/or caregiver to the physician or other qualified health care professional.

  • 99453 (initial set-up and patient education on use of equipment), 99454 (30-day device supply with transmission of daily recordings or programmed alerts), and 99457 (RPM treatment management, at least 20 minutes in a calendar month, including at least one interactive communication with the patient or caregiver).

  • 99458 (additional payment for each additional 20 minutes of RPM treatment management).

  • 99473 (patient education and training and device calibration) and 99474 (self-readings, collection of data reported by the patient or caregiver, report and subsequent communication of a treatment plan).

The use of CCM and RPM is growing, although far more physicians could be providing the services, said attorney Rick Zall with King & Spalding. Two-thirds of Medicare patients have two or more chronic conditions, and one study found that the CCM program saved Medicare $884 per patient per year in decreased hospital care. But, in 2021, only 12,000 physicians billed Medicare for CCM when there are one million participating providers. Partly it’s a function of the obstacles, Zall said. For example, “providers and beneficiaries have to opt in after being informed of the benefits of the program and how to participate” and providers have concerns about satisfying Medicare CCM requirements.

The uptake of RPM has been more significant, partly because of the COVID-19 PHE, Zall said. The number of providers who routinely billed for RPM grew from about 400 in 2019 to about 3,700 in 2021, and there has also been an increase in the number of vendors that help physician practices provide CCM and RPM services. “CMS regulations anticipated the use of vendors to provide the services,” he said. “They recognized many practices don’t have the ability to do this with their current staff.”

Overbilling, Kickbacks Are Potential Risks

Apparently, there’s enough use of RPM and CCM to invite scrutiny. For one thing, OIG’s Work Plan includes a review of the use of RPM that’s due out next year.[1] “This review will be based on Medicare fee-for-service claims and Medicare Advantage encounter data for remote patient monitoring services,” OIG states. “It will look at the extent to which the use of remote patient monitoring services has changed, the nature of remote patient monitoring services being used by Medicare enrollees, and the characteristics of enrollees using remote patient monitoring services. This review will also determine the extent to which provider billing for remote patient monitoring services may indicate fraud, waste, or abuse.” RPM is also included in OIG audits underway of telehealth services billed to Part B during the PHE.[2]

“It underscores that RPM is an area OIG is giving more attention to particularly as we come out of the pandemic,” Gennett said.

OIG also issued an RPM consumer fraud alert, warning that “unscrupulous companies” sign up Medicare patients for RPM through calls, texts or internet ads and bill them for monthly services that may or may not be provided.[3]

CCM has already been scrutinized by OIG, which issued two reports identifying Medicare overpayments for the services, Gennett said. The more recent report in 2021 said Medicare continues to make overpayments for CCM.[4] Among the errors, OIG said providers billed for CCM more than once for the same beneficiary for the same service period.

Other Medicare contractors are reviewing the area. “The recovery audit contractors are active in the CCM space,” Gennett said. “We have a couple of clients subject to RAC audits now.”

Areas of Potential Enforcement Scrutiny

CCM and RPM also may be vulnerable to False Claims Act (FCA) allegations. The six-year lookback period of the FCA is “important today because of a rise in the provision of CCM and RPM during the pandemic,” said attorney Doug Comin, with King & Spalding. Generally, there’s scrutiny of services provided during the pandemic, when the rules temporarily changed, he noted. For example, CMS only required RPM to be provided two days in a 30-day period when patients had suspected or confirmed COVID-19, but the 16-day requirement returned at the end of the PHE May 11, 2023. RPM rules also were revised between 2019 and 2023. “Because enforcers could be looking at claims during the years when the rules were changing, that’s an important factor for anyone who could be facing scrutiny or doing a self-disclosure,” Comin said.

He described areas of enforcement scrutiny that possibly could apply to CCM and RPM:

  • Overutilization: Are providers billing for more services than necessary? For example, 99457 is the code for 20 minutes of RPM and 99458 is for 20 additional minutes. “If the presence of 99458 is high, that’s an area the government might scrutinize,” Comin said.

  • Access to care: Can patients actually use the devices? Not all patients are good about using blood pressure or glucose monitors, for example, he said. “Make sure they transmit electronically to providers.”

  • Quality of care: Even if the data is transmitted, are services being provided as required? How does the government know the provider did more than collect 16 days of blood pressure readings? When above-normal readings were escalated to the physician, did the physician act on them? “It’s something the government may come asking about,” Comin said.

  • Anti-Kickback Statute (AKS): The government is scrutinizing the use of third-party vendors, with a focus on fair market value and per-click compensation, Comin said. “The government and whistleblowers may advance a theory that there can be a kickback when a third party offers to furnish services at less than fair market value to get business,” he said. “We have seen some examples of that.” With per-click compensation, for example, the physician practice hires the vendor to help with devices and services when necessary, but “if the vendor is contacting patients and trying to steer them toward the services, that could give rise to potential AKS allegations.”

Consent Should be Documented

With audits and possible investigations of RPM and CCM looming, Gennett suggests adding RPM and CCM to your organization’s risk assessment. They may not be at the top of the list, but if CCM and/or RPM are identified as a potential risk area, she recommends developing a regular audit plan.

There are certain strategies to keep in mind for risk mitigation. One is supervision and clinical staff, Gennett said. “There are two different layers,” she explained. The first layer is ensuring that clinical staffers who deliver services meet state licensure and supervision requirements, she said. The second layer is the CCM and RPM documentation requirements for provider involvement and supervision.

Also consider patient enrollment and utilization. Who identified patients for enrollment in CCM and RPM? What percentage of patients in your practice are enrolled? If every potential enrollee is in RPM or CCM, it could suggest some of the services weren’t medically necessary. Also, because consent is required, there should be appropriate documentation. And what happens if patients aren’t participating? “Are they timely disenrolled or is the program continuing for them and you’re still billing even though there’s no required interaction?”

To help practices audit their compliance, Gennett suggests using CMS’s 2022 MLN booklet on CCM, which includes a checklist of services.[5]

Contact Gennett at lgennett@kslaw.com.

 
1 U.S. Department of Health and Human Services, Office of Inspector General, “Use of Remote Patient Monitoring Services in Medicare,” accessed May 30, 2024, https://bit.ly/3H01o0U.
2 U.S. Department of Health and Human Services, Office of Inspector General, “Audits of Medicare Part B Telehealth Services During the COVID-19 Public Health Emergency,” accessed May 30, 2024, https://bit.ly/2OTSjPo.
3 U.S. Department of Health and Human Services, Office of Inspector General, “Consumer Alert: Remote Patient Monitoring,” last updated November 21, 2023, https://bit.ly/4bTSz6t.
4 Amy J. Frontz, Medicare Continues To Make Overpayments For Chronic Care Management Services, Costing The Program And Its Beneficiaries Millions Of Dollars, A-07-19-05122, Office of Inspector General, U.S. Department of Health and Human Services, August 2021, https://bit.ly/3Vlma2t.
5 Centers for Medicare & Medicaid Services, “Chronic Care Management Services,” MLN909188, September 2022, https://go.cms.gov/3V38iIX.
This publication is only available to subscribers. To view all documents, please log in or purchase access.
Purchase Login

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings