Healthcare Regulations & Compliance for RPM Programs

Last updated: July 14, 2026

Key Takeaways

  • 2026 CMS rules add new RPM CPT codes 99445 and 99470. This creates a tiered billing structure that captures patients who previously fell below legacy thresholds and raises reimbursement across all codes.
  • Compliant RPM requires documented patient consent, a valid physician order, FDA-cleared devices, and strict adherence to transmission-day and clinical-time thresholds. Skipping any of these triggers OIG audit risk.
  • HIPAA compliance for RPM demands TLS 1.2+ encryption in transit, Business Associate Agreements with every vendor touching ePHI, and six years of audit log retention.
  • Fragmented OEM portals create compliance gaps through manual transcription errors and missed alerts. Unified platforms remove these risks by consolidating data and automating audit trails.
  • Rhythm360 unifies CIED and RPM data into one audit-ready workspace. Schedule a demo today to see how it streamlines compliance and captures missed revenue.

CMS Billing Rules Practices Must Follow Before Submitting a Claim

The 2026 Medicare Physician Fee Schedule introduced two new RPM CPT codes, 99445 and 99470, effective January 1, 2026. These codes create a tiered billing structure that captures patients who previously fell below legacy thresholds. The CY 2026 Final Rule, released November 5, 2025, increased the conversion factor to $33.57 for APM participants and $33.40 for non-APM participants, raising reimbursement across all RPM codes.

The table below breaks down the 2026 RPM CPT code structure, thresholds, and national average reimbursement rates.

CPT CodeDescription2026 ThresholdNational Avg. Rate
99453Device setup and patient education (one-time per device episode)Min. 2 days transmitted data; billed once per device~$21.71
99445 (new 2026)Device supply, 2"15 days of data in a 30-day period2"15 transmission days; mutually exclusive with 99454~$52.11
99454Device supply, 16+ days of data in a 30-day period≥16 transmission days; mutually exclusive with 99445~$52
99470 (new 2026)Treatment management, first 10"19 minutes of clinical staff time10"19 min; mutually exclusive with 99457~$26.05
99457Treatment management, first 20+ minutes of clinical staff time≥20 min + one interactive communication; mutually exclusive with 99470~$51.77
99458Each additional 20-minute increment after 99457Each additional 20 min; up to two units monthly~$41.42

Billing correctly means clearing three separate hurdles in sequence. CMS requires documented patient consent before any RPM billing begins, with verbal consent acceptable only if the record captures the date, time, name of the person obtaining it, cost-sharing disclosures, and the patient's right to revoke. Beyond consent, a valid physician order must also be in place, signed by a physician, NP, PA, or CNS with an established patient relationship, specifying the qualifying chronic condition and renewed on schedule. Even with consent and an order secured, only time spent by eligible personnel on monitoring, reviewing data, and meaningful interactive communication counts toward time-based codes; passive data accumulation and automated alerts without human review don't qualify.

A September 2024 OIG report found that about 43% of Medicare enrollees who received RPM did not receive all three required service components, prompting CMS to issue heightened billing guidance in January 2026. Practices should run internal audits on a random 10-20% sample of RPM records at least quarterly to catch these gaps before OIG does.

Locking Down ePHI Across the RPM Data Chain

Every claim above depends on protecting the data behind it. RPM devices generate electronic protected health information with every reading, and the 2026 HIPAA Security Rule update mandates TLS 1.2 or higher for any ePHI transmitted via RPM. HIPAA doesn't mandate AES-256 or any specific algorithm for PHI at rest. Encryption remains addressable and technology-neutral under current rules.

HIPAA-compliant RPM platforms need these technical safeguards:

Business Associate Agreement obligations extend to every entity that touches RPM data. The RPM platform vendor, device manufacturer clouds, cloud infrastructure providers, and third-party AI or analytics services all need a signed BAA. Many RPM devices route data through consumer apps before reaching the clinical platform, and these intermediate stops may lack a BAA or fail to meet HIPAA encryption standards. Those BAA-covered data flows are exactly what feeds the billing codes below, so a gap in one creates exposure in the other.

Mutual-Exclusivity Rules That Trip Up RPM Claims

The 2026 code set runs on mutual-exclusivity logic that practices must enforce at the claim level. Device supply codes follow either/or logic: bill 99445 for 2"15 days of data or 99454 for 16"30 days, never both in the same 30-day period. Management codes work the same way: bill 99470 for 10"19 minutes of monthly management time, or 99457 for 20 minutes or more. The two codes can't be billed together.

A practice with 200 RPM-enrolled patients that previously billed only 140 meeting the 16-day/20-minute thresholds can now bill the remaining 60 under 99445 and 99470, generating roughly $4,400 in additional monthly revenue at $74 combined per patient. A few more rules govern the full code set:

Why Multi-State Cardiology Practices Need a Licensure Checklist

Billing rules stay constant nationwide, but licensure, consent, and payer rules shift at the state line. A cardiology practice enrolling patients across state borders needs to verify these three things state by state before expanding: where the provider must be licensed, what consent format the state requires, and whether private payers must offer telehealth parity. The table below lays out how each dimension varies.

Policy DimensionKey 2026 RuleNotable State VariationsSource
LicensureProvider must hold a license in the state where the patient is physically locatedIMLC covers 43 states plus DC and Guam (early 2026)CredentialMate 2026
Telehealth ConsentMany states require telehealth-specific informed consentDelaware requires written consent; Arizona, California, Colorado, Maryland accept verbal if documented; Florida, Georgia, Hawaii have no requirementForaSoft / CCHP 2026
Private Payer ParityMost states mandate some form of payer parity for telehealth43 states plus DC have private payer telehealth laws; Alabama, Idaho, North Carolina, Pennsylvania, South Carolina, Wisconsin, and Wyoming have noneWorld Population Review 2026
Out-of-State RegistrationSome states offer telehealth-only registration instead of full licensureFlorida, New Mexico, Maryland, Minnesota, Louisiana, New Jersey, and Oregon offer these registrationsCliniKEHR 2026

The Center for Connected Health Policy's Telehealth Policy Finder received Spring 2026 updates covering 20 states, including Alabama, Arizona, Arkansas, Florida, Georgia, Hawaii, Indiana, Kentucky, Louisiana, Maine, Maryland, New Mexico, New York, Montana, North Dakota, Ohio, Rhode Island, West Virginia, and Wyoming. Check the CCHP tracker before enrolling patients who live outside your home state.

Where CIED Monitoring Adds Its Own Compliance Layer

Cardiac implantable electronic device monitoring overlaps with standard RPM billing but isn't identical to it. The 93298 code family covers remote interrogation of implantable cardioverter-defibrillators and cardiac resynchronization devices, while CPT 99454 covers physiologic data device supply. As noted above, RPM and RTM can only be billed together when they address distinct conditions, use different data types, and involve separate clinical work; overlapping use of the same data stream is a common audit trigger. Practices must document which data stream supports each code family to avoid denial.

FDA device requirements apply to every device in the monitoring chain. Class III devices such as pacemakers and defibrillators require premarket approval involving clinical studies, not 510(k) clearance, because they sustain or support life. CIEDs fall squarely into this Class III category, which is why every device in a billable RPM program must carry FDA clearance; consumer wellness wearables don't qualify for Medicare reimbursement even when they collect similar data.

High dismissal rates in CIED monitoring reflect a safety-first design, with most OEM-generated alerts turning out nonactionable across more than 73,000 reports reviewed annually at the University of Chicago Medicine. Alert triage must separate clinically significant events, like new-onset atrial fibrillation, ventricular tachycardia, lead malfunction, or ERI/RRT indicators, from nonactionable transmissions. That triage decision needs documentation in the patient record to support both clinical care and billing audit trails.

The Portal Problem: How Fragmentation Creates Audit Risk

Cardiology practices implanting devices from multiple manufacturers, such as Medtronic, Boston Scientific, Abbott, and Biotronik, must log into separate, non-interoperable OEM portals to pull patient data. This fragmentation compounds into real compliance failures. Staff manually transcribing data across portals introduce errors and documentation gaps that undermine the audit trail CPT billing requires. Critical alerts in one portal can go unreviewed while staff work in another, creating exactly the missed-event scenario OIG auditors flag.

The August 2025 OIG Data Snapshot identified practices that billed device codes without corresponding monthly management services for a substantial share of patients, a pattern traceable directly to workflows where device data and management documentation live in separate systems. A common audit finding involves device supply codes billed in months where transmitted data days don't support the billed unit, which means practices need provable, exportable reports of transmission days per period. Manual, portal-by-portal workflows make generating those reports operationally prohibitive at scale, and that gap is exactly what a unified platform closes.

Rhythm360: One Workspace for CIED and RPM Data

Rhythm360 by RhythmScience is a cloud-based, vendor-neutral platform that ingests and normalizes data from all major CIED manufacturers and RPM device types into a single clinical workspace. Using API, HL7, XML, and PDF parsing with computer vision and AI-powered extrapolation, the platform reaches greater than 99.9% data transmissibility through redundant feeds that stay active even when an OEM server goes down.

Rhythm360
Rhythm360

Core platform capabilities include:

  • Unified data ingestion: Consolidates CIED and RPM data from Medtronic, Boston Scientific, Abbott, Biotronik, and others into one dashboard, eliminating redundant portal logins
  • AI-powered alert triage: Filters nonactionable transmissions and prioritizes clinically significant events, cutting critical response times by up to 80%
  • Bi-directional EHR integration: Connects with Epic, Cerner, Athenahealth, eClinicalWorks, Greenway Health, and others via HL7, automating report generation and eliminating manual transcription
  • Automated audit trails: Documents every transmission review, clinical action, and patient communication with timestamped, immutable records that satisfy CMS, OIG, and HIPAA requirements
  • CPT code compliance support: Tracks transmission-day counts, clinical staff time, and interactive communication events against 2026 thresholds, helping practices capture missed revenue
  • HIPAA-compliant mobile access: Lets clinicians review transmissions, sign reports, and coordinate care from a secure mobile app

At the University of Chicago Medicine, the platform now supports review of more than 73,000 reports annually, the same volume referenced earlier in the CIED workflow discussion, now handled through one system instead of scattered portals.

See the platform in action to learn how automated audit trails hold up under OIG review.

A 10-Step Checklist for Auditable RPM Programs

StepRequirement2026 StandardAuthority
1Establish patient relationship and document medical necessityPrior E/M visit or established relationship required before enrollment; individualized clinical rationale documented per patientCMS / CCN Health 2026
2Obtain and document patient consentVerbal or written consent before first billable service; must include cost-sharing disclosure, single-provider acknowledgment, and right to revoke; documented with date, time, and staff nameCMS PFS 2026
3Issue a valid physician orderSigned by physician, NP, PA, or CNS; specifies qualifying chronic condition and monitoring type; renewed annuallyCMS / CCN Health 2026
4Verify FDA device clearanceDevice must be FDA-cleared for the specific physiologic parameter; Class II via 510(k); Class III (CIEDs) via PMA; consumer wellness devices excludedFDA / Tenovi 2026
5Complete device setup and patient education (CPT 99453)Minimum 5 minutes of documented education; patient demonstrates understanding; billed once per device per episodeCMS / MedCodex 2026
6Track and verify data transmission daysBill 99445 for 2"15 days or 99454 for 16+ days; never both; multiple readings on the same day count as one transmission day; exportable day-count report requiredCMS / CCN Health 2026
7Document clinical staff time with specificityDate, duration in minutes, activities performed, and staff identity recorded per interaction; bill 99470 for 10"19 min or 99457 for 20+ min; add 99458 per additional 20 minCMS PFS 2026
8Complete at least one interactive communication per monthReal-time audio, video, or secure messaging with patient or caregiver required for 99457, 99470; asynchronous text messages do not qualifyCMS / McDonald Hopkins 2026
9Apply HIPAA technical safeguards to all data flowsTLS 1.2+ in transit; encryption at rest (addressable, see HIPAA section above); BAAs with all vendors; audit logs retained for six years; risk analysis updated to include RPM data flowsHHS / Mindbowser 2026
10Conduct quarterly internal compliance auditsRandom 10"20% sample of active RPM records reviewed across consent, orders, device status, transmission-day counts, time documentation, and diagnosis codingCMS / CCN Health 2026

Frequently Asked Questions

What are the exact 2026 CMS data transmission thresholds for RPM device supply codes?

CMS uses a two-tier structure for RPM device supply in 2026. CPT 99445 applies when a patient transmits data on 2 to 15 days within a 30-day billing period, reimbursed at roughly $52 nationally. CPT 99454 applies at 16 or more transmission days in the same period, reimbursed at a similar rate. The two codes are mutually exclusive. Multiple readings on the same calendar day count as a single transmission day. Practices need exportable, date-stamped transmission logs to back up whichever code they bill, since the 16-day threshold for 99454 is the most commonly cited audit trigger in OIG reviews.

What consent documentation does CMS require before billing RPM services in 2026?

CMS requires patient consent obtained and documented before the first billable RPM service. Verbal consent works under Medicare rules, but the record must capture the date, time, name of the staff member, and specific disclosures made. Those disclosures cover the patient's agreement to participate, an explanation of data collected, acknowledgment of Part B cost-sharing, confirmation that only one practitioner may bill per 30-day period, and the right to revoke consent. Written consent offers stronger audit protection. Consent isn't a one-time task; revisit it when the program changes materially, such as adding a new device type or monitoring condition. Many states also require telehealth-specific consent on top of CMS rules, so check the requirements in each state where your RPM patients live.

How does Rhythm360 help cardiology practices avoid the compliance failures OIG has flagged in RPM audits?

OIG's August 2025 data snapshot and September 2024 evaluation report both identified the same recurring failures: device codes billed without matching management services, management time billed without documented interactive communication, and incomplete consent records. Rhythm360 addresses each directly. The platform tracks transmission-day counts per patient per billing period and flags accounts that haven't met the threshold before a claim goes out. Clinical staff time gets logged with date stamps and activity descriptions, producing the documentation CMS requires. Every patient communication, from phone calls to secure messages to automated reminders, gets recorded with a full audit trail. Bi-directional EHR integration pushes that documentation into the practice's system of record, closing the transcription gaps that create audit exposure.

What HIPAA obligations apply specifically to the data flows between CIED OEM portals and a clinical RPM platform?

Every point in the chain between an OEM portal and the reviewing clinician generates ePHI and falls under HIPAA's Security Rule. That means the RPM platform vendor, the OEM's cloud infrastructure, any data aggregation layer, and third-party AI or analytics services each need a signed BAA. Data moving between systems needs TLS 1.2 or higher encryption; encryption at rest remains addressable and technology-neutral, as covered in the HIPAA section above. The practice's risk analysis must address RPM data flows as their own category, separate from EHR and email systems, and audit logs need six years of retention. Rhythm360 is built to meet these requirements, with end-to-end encryption, BAA coverage, and audit-log infrastructure that supports both clinical and regulatory review.

Conclusion

The 2026 RPM compliance landscape asks cardiology practices to satisfy CMS billing thresholds, HIPAA safeguards, FDA device rules, and state telehealth licensure all at once. Practices that unify these requirements into a single auditable workflow, rather than tracking them piecemeal across OEM portals and spreadsheets, capture more revenue and face less audit risk.

Advisory Tags
Our automatic tagging and tracking keeps getting better - identify, manage and track multiple advisories more efficiently.
View and Acknowledge Recalls
Staff can document steps taken to resolve the recall for continuity of communication, tracking, and accountability.
Links Straight to FDA
Rhythm360 provides direct access to all the advisory details you need without additional searching and clicks.