Federal Audit Alert

The OIG RPM Audit Playbook: 5 Red Flags You Can See in Billing Data

Based on HHS OIG report OEI-02-23-00260 (September 2024). This guide translates the OIG’s findings into operational checks for "ghost minutes," duplicate setups, and missing utilization.

Source: HHS OIG / CMS
For: Compliance Officers & Billing Leads

Operational Focus: This page focuses on what auditors can see in claims data before they ever ask for a chart, and what evidence you must produce on demand.

Audit Risk Profile

  • Primary Trigger: Rapid program growth (55k to 570k enrollees) has triggered data-driven oversight of "incident to" staffing and device usage.
  • The Core Threat: Auditors are looking for internal inconsistency: billing for management when device supply is missing, or billing setup multiple times per episode.
  • Prevention Strategy: Reconcile 99454 (supply) and 99457 (time) logs against the active roster before claims generation.

Why This Is an Urgent Problem

"The OIG reported that Medicare RPM grew from about 55,000 enrollees in 2019 to more than 570,000 in 2022... Rapid growth has triggered tighter oversight."

The 2024 OIG report is not a list of “gotcha” codes. It is a set of billing-data signals that indicate incomplete service delivery. This page translates those findings into operational checks.

Key Takeaways

  • Internal Consistency: Device supply and management time must reconcile.
  • Attribution: "Ghost minutes" (time without staff attribution) are a primary target.
  • Usage Thresholds: 99454 billing requires 16 days of transmission; auditors check this math.
  • Episode Integrity: Duplicate setup events (99453) are flagged as automated overpayments.

Who This Is For

  • Compliance officers accountable for RPM audit exposure.
  • Practice owners and CMOs who want RPM revenue without clawback risk.
  • Billing leaders who don’t trust their RPM vendor’s internal QA.

Proof This Isn’t Theoretical

Multi-specialty group | 4,500 Medicare lives

Identified 2,300 at-risk device-supply claims before submission, avoiding ~$420k in potential denials and re-training a vendor team.

Cardiology practice | 600 active RPM patients

Caught 18 duplicate device-setup events linked to device swaps; prevented automatic resubmission and preserved audit defensibility.

The 5 OIG RPM Audit Red Flags (What to Look For, What to Save, and How to Prevent Denials)

Red Flag 1

Unattributed or Implausible Treatment-Management Time (“Ghost Minutes”)

Applies to: Treatment management time and additional management time.

What auditors look for

Time-based remote-care billing is analyzed for plausibility (can a team realistically deliver it?) and attribution (who actually performed the work?). The OIG highlighted that “incident to” billing can obscure who delivered services, making extreme time totals difficult to validate.

  • Outlier total hours billed under a single billing NPI that appear impossible without undisclosed staffing.
  • Time patterns consistent with duplicated effort: overlapping sessions across patients, identical time blocks repeated across many beneficiaries, or time billed with no corresponding interaction evidence.
  • High volumes of additional management time relative to baseline management time without a clear clinical driver.

What this looks like in billing data

  • Provider-period totals that are far outside peer norms after adjusting for panel size and active monitoring months.
  • Beneficiaries billed for management time in periods where there is no documented outreach, escalation, or care-plan activity.
  • Payer requests that focus on who performed the service, what was done, and why it was medically necessary.

What to save for audit defense

  • A work log that ties each billed time block to a concrete activity (call, two-way message, or documented review with clinical action).
  • Staff identity and role for the person who performed the work, plus supervision/escalation notes where applicable.
  • A patient-period summary showing what data were reviewed and what treatment actions were taken (coaching, medication adjustment, escalation, appointment, etc.).

How FairPath reduces this risk

  • In-platform calling with call recording, transcript, and call summary, plus post-call time capture tied to the patient record.
  • Minutes tracking that accrues toward billable thresholds inside the billing grid, creating an auditable trail instead of after-the-fact time reconstruction.
  • A billing queue review step so teams validate readiness and supporting evidence before claims go out.

Red Flag 2

Duplicate Device Setup / Education Events (Setup Billed Too Many Times)

Applies to: Device setup and patient education.

What auditors look for

A common audit signal is when setup is billed more times than there are unique beneficiaries or defensible episodes of care. This often happens during device swaps, vendor transitions, or operational restarts without clear episode tracking.

  • Setup counts exceeding unique beneficiaries for the same period.
  • Multiple setup events for the same beneficiary without documentation supporting a new episode.
  • Setup performed without durable evidence of consent and patient education.

What this looks like in billing data

  • Duplicate setup lines for the same patient in the same episode window.
  • Setup billed but no follow-on device supply/utilization and no management time.
  • Spikes in setup billing around vendor/device changes.

What to save for audit defense

  • Patient consent evidence and the education/setup record (date, method, who performed it).
  • Device assignment or setup details (device type, start date; reason for replacement if applicable).
  • If a true new episode exists: the clinical rationale and clear episode boundary documentation.

How FairPath reduces this risk

  • Consent workflows (scripts/forms and recorded consent capture) stored with the patient record.
  • Onboarding via roster import so setup history, payer fields, and episode context are tracked consistently.
  • Billing grid visibility into prior setup history and a billing queue review step to prevent avoidable duplicate submissions.

Red Flag 3

Device Supply Billed Without Required Usage Days

Applies to: Device supply and data transmission.

What auditors look for

Billing for device supply is a frequent focus because it depends on the patient actually transmitting physiologic data often enough in the relevant period. Auditors look for billing that continues despite low transmission days, missing readings, or unclear device/physiologic data support.

  • Device supply billed for periods where the patient did not meet the usage threshold in the code descriptor.
  • Low utilization patterns repeated month after month (suggesting devices were shipped but not used).
  • Missing support that the data are physiologic and automatically transmitted from a qualifying medical device.

What this looks like in billing data

  • Patients with long enrollment spans but few payable device-supply periods.
  • Device supply billed without any credible utilization export available for audit defense.
  • Large cohorts with “near-miss” utilization that are billed anyway.

What to save for audit defense

  • A device utilization export by patient and period (days with transmitted physiologic readings; device type if available).
  • Evidence of device setup/education and consent tied to the same monitoring program.
  • A brief period summary showing the clinical use of the data (what was monitored and what actions were taken).

How FairPath reduces this risk

  • Work management via a priority queue and scheduled events so low-utilization patients surface for outreach before the period closes.
  • In-platform calling and two-way SMS so outreach is documented and attributable to staff, with time capture tied to patient work.
  • Billing grid and billing queue workflows that keep device utilization evidence and billing readiness in the same operational view (based on the utilization data you provide via export/import or integration, depending on your environment).

Red Flag 4

Missing Required RPM Components (The Component Completeness Gap)

Applies to: Setup, device supply, and treatment management (as a complete service pattern).

What auditors look for

The OIG reported that a large share of enrollees did not receive all three RPM components (setup/education, device supply, and treatment management). Even when billing rules do not require that you bill every component, missing components create a clear “was this actually used as intended?” audit narrative.

  • Patients who only have setup activity with no sustained device supply or management.
  • Patients with device supply billed but little or no treatment management.
  • Treatment management time billed without credible evidence of device data being reviewed and acted on.

What this looks like in billing data

  • Large gaps between counts of setup patients, device-supply patients, and patients receiving management time.
  • Periods where management time is billed but device utilization is missing or below threshold.
  • Vendor-driven program volumes where a material subset of patients never receive treatment management.

What to save for audit defense

  • A patient-period evidence packet: consent, setup/education record, utilization summary, and a management summary that references actions taken.
  • Care plan availability and review cadence (what the care team is doing each month and why).
  • Communication history and escalation notes that show follow-through, not just device shipment.

How FairPath reduces this risk

  • Care plans built from condition pathways, with editing, approval, publishing, and review cadence so treatment management is anchored to a plan.
  • A priority queue that continuously surfaces next steps and follow-ups, reducing “device only” programs with no clinical management.
  • Exportable documentation snapshots suitable for attaching to the EMR, consolidating the evidence trail for each billed period.

Red Flag 5

Eligibility, Ordering, and Diagnosis Gaps

Applies to: Enrollment, medical necessity, and audit defensibility across all RPM components.

What auditors look for

OIG and CMS oversight increasingly emphasizes transparency: what condition is being treated, who ordered the monitoring, and who delivered the services. Gaps here are easy to spot in claims and hard to defend without clean operational evidence.

  • Patients billed under coverage arrangements where the service is not payable as billed (including payer-specific exclusions and capitation dynamics).
  • Diagnosis codes on claims that do not clearly indicate an acute or chronic condition being monitored.
  • Missing ordering-provider information or weak ordering evidence (risk increases as CMS moves toward stronger ordering transparency).
  • Conflicts where more than one practitioner bills remote monitoring for the same patient in the same period.

What this looks like in billing data

  • Recurring denials tied to coverage rules, eligibility status, or plan type.
  • Claims that use vague diagnosis coding that does not specify the monitored condition.
  • Payer requests for the ordering provider, medical necessity, and the attributable staff work trail.

What to save for audit defense

  • Ordering evidence (ordering clinician, date, and the condition being monitored), plus patient consent.
  • Documentation that the monitored data are tied to a clinically meaningful condition and the care plan.
  • Coverage verification results and any payer-specific requirements you relied on.

How FairPath reduces this risk

  • Patient onboarding via spreadsheet import including diagnoses, medications, and insurance fields, so ordering/diagnosis/coverage context is captured consistently.
  • Program eligibility support and patient scoring for program fit (RPM, CCM, RTM, APCM), with workflow routing based on readiness.
  • Billing readiness workflows via the billing queue, including overlap/conflict warnings across programs and periods.

What Auditors Ask For (And What to Save to the EMR)

When audits happen, the fastest path to a defensible response is a patient-by-patient, period-by-period evidence packet that shows: consent, setup, utilization, clinical management, and attributable staff work. If you cannot produce this quickly, even valid care can become a recoupment risk.

Minimum audit-defense artifacts (per patient, per billed period)

  • Ordering evidence and monitored condition (who ordered, what condition is being treated).
  • Consent evidence and setup/education record (date, method, who performed it).
  • Device utilization summary for the period (days with transmitted physiologic readings; device type if available).
  • Management summary (what was reviewed, what decisions/actions were taken, escalation if applicable).
  • Attributed work trail (staff identity/role, timestamps, interaction type, and time captured).

How teams running FairPath produce this faster

  • Consent workflows plus in-platform calling (recording, transcript, summary) and two-way SMS create an attributable communication trail.
  • Minutes tracking and the billing grid consolidate time capture across staff and programs instead of spreadsheet reconstruction.
  • Exportable documentation snapshots provide a single attachable artifact for the EMR and audit response packets.

This page is operational guidance, not legal advice. Confirm payer-specific requirements and billing constraints with your billing team or counsel.

Want a CMS-Aligned Red Flag Scan for Your Program?

FairPath can pull your CMS data and show which OIG red flags your billing patterns currently trigger, along with a prioritized list of exceptions you can act on immediately.

Looking for a system that handles this end-to-end? Our platform keeps the evidence trail, billing readiness, and audit defense in one place.
