RPM Compliance Engagement: From OIG Warning Flags to Audit-Ready Status
Last updated: April 2026
A representative example of how IHS conducts an RPM compliance gap assessment and remediation engagement. Client details are illustrative; all IHS client information is confidential.
About this case study: IHS does not publish identifying client information. This page describes the structure, findings, and outcomes of a representative RPM compliance engagement drawn from IHS's consulting practice. It illustrates the type of work IHS performs, the deficiencies we commonly find, and the remediation process we follow. Specific client names, locations, and financial details are not disclosed.
Client Profile
The Challenge
The practice had been billing RPM codes for [timeframe] when its Medicare Administrative Contractor (MAC) issued a prepayment review notice targeting CPT 99457 claims. The practice administrator had read the OIG's August 2025 Data Snapshot (OEI-02-23-00261) and recognized that the practice's rapid RPM enrollment growth over the prior [timeframe] — driven by a third-party RPM vendor's enrollment outreach program — matched several of the OIG's high-risk indicators.
Specifically, the practice was concerned about:
- Whether its time documentation was sufficient to defend CPT 99457 claims under audit
- Whether all enrolled patients had documented prior medical relationships with the billing providers
- Whether the enrollment growth rate would be flagged as a spike in OIG automated billing analysis
- Whether the RPM platform vendor had generated any patients enrolled without proper consent documentation
- Whether the practice's billing workflow had been properly updated for the 2026 CPT code changes (99445 and 99470)
The practice had not previously engaged an independent compliance consultant. Its RPM vendor provided billing support but had a financial interest in maximizing enrollment — creating a structural conflict that made vendor-provided compliance assurance insufficient for MAC audit response purposes.
IHS Approach: Five-Stage Gap Assessment
Stage 1: OIG Five-Flag Risk Scoring
IHS began by scoring the practice against each of the five high-risk patterns identified in OIG Data Snapshot OEI-02-23-00261:
- Missing required care components: [Assessment finding — percentage of patient records reviewed that contained all three required components: setup claim, transmission claim, treatment management claim]
- Enrollment spikes: [Month-over-month enrollment growth analysis — whether growth rate matched the OIG's 150%+ spike threshold]
- Prior medical relationship: [Percentage of RPM-enrolled patients with documented clinical history predating RPM enrollment with the billing provider]
- Time documentation adequacy: [Assessment of time tracking methodology — whether start/stop times, interaction type, and clinical content were documented for each CPT 99457 claim]
- Concurrent device billing: [Review of whether any patients had multiple device types billed in the same 30-day period]
The risk scoring was completed within [X] business days of engagement and provided the triage framework for the remainder of the assessment.
Stage 2: Documentation Audit
IHS conducted a structured review of [X] randomly selected patient records, examining:
- Patient consent documentation — presence, completeness, and timing relative to device deployment
- Prior medical relationship evidence — clinical encounter history predating RPM enrollment
- Device FDA clearance documentation — on-file confirmation of device eligibility
- Time tracking audit trails — start/stop times, interaction modality (phone vs. video), and clinical content documentation for all CPT 99457 claims
- Data transmission records — whether device transmission logs reflected the number of days claimed on 99454 billing
- Escalation protocol documentation — evidence that abnormal readings triggered documented clinical response
Stage 3: Billing Logic Review
IHS reviewed the practice's current CPT coding workflow against 2026 MPFS requirements. This included:
- Assessment of whether the billing team had implemented CPT 99445 for patients transmitting 2-15 days per month (vs. continuing to bill 99454 for all patients regardless of transmission days)
- Assessment of whether CPT 99470 had been implemented for patients with documented treatment management time under 20 minutes per month
- Review of EHR billing triggers for mutual exclusivity compliance (99454 vs. 99445; 99457 vs. 99470)
- Identification of any patients for whom the practice had generated CPT coding errors on 2026 claims
Stage 4: Vendor Relationship Assessment
IHS reviewed the practice's contractual relationship with its RPM vendor, including:
- Business Associate Agreement adequacy — whether the BAA covered all data transmission and storage activities
- Vendor enrollment process — whether the vendor's patient outreach protocols included proper prior relationship verification and consent documentation before device deployment
- Device certification documentation — whether the vendor maintained on-file FDA clearance documentation for all deployed device models
- Vendor time tracking capabilities — whether the platform's time logging met CMS documentation requirements for CPT 99457/99470 audit trail purposes
Stage 5: State Medicaid Overlay (where applicable)
For states in which the practice billed Medicaid RPM claims, IHS applied state-specific compliance requirements to identify any obligations beyond the federal CMS baseline — including diagnosis-specific coverage restrictions, documentation deadlines, and same-day billing prohibitions that vary by state.
Key Findings
IHS's gap assessment identified deficiencies across [X] of the five OIG risk categories. The most significant findings were:
Critical Finding: Time Documentation Inadequacy
[X]% of CPT 99457 claims reviewed lacked compliant time documentation. The practice was logging total interaction time per patient per month but not documenting start time, stop time, and interaction modality (phone vs. video) for each discrete interaction. Under OIG audit scrutiny, documentation that cannot prove each interactive communication was real-time and synchronous — as opposed to asynchronous messaging — cannot support CPT 99457 billing. This finding represented the most significant audit risk in the practice's current billing posture.
Risk exposure: [Dollar value of CPT 99457 claims without compliant time documentation in the review period]
Moderate Finding: 2026 CPT Code Implementation Gap
The practice had not updated its billing logic for CPT 99445 or 99470 as of [date of engagement]. For [X] patients in the post-January 1, 2026 billing period, the practice had billed CPT 99454 for patients whose transmission records showed fewer than 16 days of data — a CPT coding error that creates audit risk and, if systematic, constitutes false billing.
Corrective action required: Immediate EHR billing trigger update; review of all 2026 claims filed to date; potential voluntary disclosure assessment for the period of incorrect coding.
Moderate Finding: Consent Documentation Gaps
[X]% of patient records reviewed showed that consent was obtained after device deployment rather than before. In [X] cases, consent documentation was present but incomplete — missing the patient's right to withdraw and the cost disclosure elements required under URAC RPM Accreditation v1.0. While these records had CMS-required consent on file, the timing and completeness deficiencies would likely generate survey citations under URAC review.
Low Finding: Vendor BAA Gap
The practice's Business Associate Agreement with its RPM vendor predated the vendor's deployment of a new alert management module that processed and stored additional PHI. The BAA had not been updated to reflect this expanded data processing activity. While not a CMS billing deficiency, this created a HIPAA Security Rule gap that required BAA amendment before the next audit cycle.
Positive Finding: Prior Medical Relationship Documentation
[X]% of RPM-enrolled patients in the sample had documented clinical encounters with the billing provider within the prior 12 months predating RPM enrollment. The practice's enrollment process — driven primarily by referrals from the treating providers rather than third-party outreach — had naturally avoided the high-risk "no prior relationship" pattern that the OIG flagged in other practices. This was a material strength in the practice's audit posture.
Remediation Plan and Implementation
IHS delivered a prioritized remediation roadmap with three tiers based on audit risk and implementation complexity:
Tier 1 — Immediate (within 30 days)
- Update EHR billing triggers for CPT 99445 and CPT 99470 to correctly classify patients by monthly transmission day count and treatment management time
- Implement per-interaction time logging template requiring start time, stop time, modality, and clinical content for all RPM treatment management interactions
- Conduct voluntary disclosure assessment with healthcare counsel for the period of 99454 overcoding
- Amend BAA with RPM vendor to cover the alert management module
Tier 2 — Near-Term (30 to 90 days)
- Revise patient consent form to include all required elements and implement pre-deployment consent verification checkpoint in the enrollment workflow
- Train all clinical staff on updated time documentation requirements with attestation records
- Implement monthly billing supervisor review process prior to claim submission — a 30-minute review that catches coding errors before they become audit findings
- Develop written escalation protocol documentation for abnormal biometric data thresholds by device type and condition
Tier 3 — Ongoing Program Strengthening (90+ days)
- Assess MAC prepayment review response strategy with healthcare counsel using the IHS gap assessment findings as the compliance posture documentation
- Implement quarterly internal compliance audit using OIG five-flag framework as the standing audit template
- Evaluate staffing ratio against the 120:1 safe maximum as patient enrollment grows
- Assess whether URAC RPM Accreditation v1.0 would strengthen the practice's posture for commercial payer contracting and provide third-party validation of compliance remediation
Outcomes
All outcome figures are specific to this engagement and reflect the practice's starting compliance posture, responsiveness to remediation recommendations, and EHR capabilities. Results vary by organization. IHS does not guarantee specific audit outcomes.
What IHS Delivers in Every RPM Compliance Engagement
Every IHS RPM gap assessment produces the following written deliverables:
- OIG Five-Flag Risk Score — scored assessment against each of the five high-risk patterns from OEI-02-23-00261
- Documentation Audit Report — findings from patient record review with deficiency count, severity rating, and representative examples
- Billing Logic Assessment — review of current CPT coding workflow against 2025/2026 MPFS requirements
- Prioritized Remediation Roadmap — three-tier action plan with specific implementation steps, responsible parties, and timelines
- Risk Exposure Estimate — dollar value of claims at audit risk by deficiency category
- Vendor Assessment Summary — findings on BAA adequacy, enrollment process compliance, and device documentation
- State Medicaid Overlay (where applicable) — state-specific requirements beyond the federal CMS baseline
Engagements are scoped based on practice size, current billing volume, and number of states. IHS delivers the gap assessment report within 30 days of document receipt.
Is Your RPM Program Audit-Ready?
OIG is actively auditing RPM billers. The five warning flags in the 2025 Data Snapshot are the checklist auditors are using. IHS can tell you where your program stands — and exactly what to fix — before the prepayment review notice arrives.