Last updated: July 14, 2026
The 2026 Medicare Physician Fee Schedule introduced two new RPM CPT codes, 99445 and 99470, effective January 1, 2026. These codes create a tiered billing structure that captures patients who previously fell below legacy thresholds. The CY 2026 Final Rule, released November 5, 2025, increased the conversion factor to $33.57 for APM participants and $33.40 for non-APM participants, raising reimbursement across all RPM codes.
The table below breaks down the 2026 RPM CPT code structure, thresholds, and national average reimbursement rates.
| CPT Code | Description | 2026 Threshold | National Avg. Rate |
|---|---|---|---|
| 99453 | Device setup and patient education (one-time per device episode) | Min. 2 days transmitted data; billed once per device | ~$21.71 |
| 99445 (new 2026) | Device supply, 2"15 days of data in a 30-day period | 2"15 transmission days; mutually exclusive with 99454 | ~$52.11 |
| 99454 | Device supply, 16+ days of data in a 30-day period | ≥16 transmission days; mutually exclusive with 99445 | ~$52 |
| 99470 (new 2026) | Treatment management, first 10"19 minutes of clinical staff time | 10"19 min; mutually exclusive with 99457 | ~$26.05 |
| 99457 | Treatment management, first 20+ minutes of clinical staff time | ≥20 min + one interactive communication; mutually exclusive with 99470 | ~$51.77 |
| 99458 | Each additional 20-minute increment after 99457 | Each additional 20 min; up to two units monthly | ~$41.42 |
Billing correctly means clearing three separate hurdles in sequence. CMS requires documented patient consent before any RPM billing begins, with verbal consent acceptable only if the record captures the date, time, name of the person obtaining it, cost-sharing disclosures, and the patient's right to revoke. Beyond consent, a valid physician order must also be in place, signed by a physician, NP, PA, or CNS with an established patient relationship, specifying the qualifying chronic condition and renewed on schedule. Even with consent and an order secured, only time spent by eligible personnel on monitoring, reviewing data, and meaningful interactive communication counts toward time-based codes; passive data accumulation and automated alerts without human review don't qualify.
A September 2024 OIG report found that about 43% of Medicare enrollees who received RPM did not receive all three required service components, prompting CMS to issue heightened billing guidance in January 2026. Practices should run internal audits on a random 10-20% sample of RPM records at least quarterly to catch these gaps before OIG does.
Every claim above depends on protecting the data behind it. RPM devices generate electronic protected health information with every reading, and the 2026 HIPAA Security Rule update mandates TLS 1.2 or higher for any ePHI transmitted via RPM. HIPAA doesn't mandate AES-256 or any specific algorithm for PHI at rest. Encryption remains addressable and technology-neutral under current rules.
HIPAA-compliant RPM platforms need these technical safeguards:
Business Associate Agreement obligations extend to every entity that touches RPM data. The RPM platform vendor, device manufacturer clouds, cloud infrastructure providers, and third-party AI or analytics services all need a signed BAA. Many RPM devices route data through consumer apps before reaching the clinical platform, and these intermediate stops may lack a BAA or fail to meet HIPAA encryption standards. Those BAA-covered data flows are exactly what feeds the billing codes below, so a gap in one creates exposure in the other.
The 2026 code set runs on mutual-exclusivity logic that practices must enforce at the claim level. Device supply codes follow either/or logic: bill 99445 for 2"15 days of data or 99454 for 16"30 days, never both in the same 30-day period. Management codes work the same way: bill 99470 for 10"19 minutes of monthly management time, or 99457 for 20 minutes or more. The two codes can't be billed together.
A practice with 200 RPM-enrolled patients that previously billed only 140 meeting the 16-day/20-minute thresholds can now bill the remaining 60 under 99445 and 99470, generating roughly $4,400 in additional monthly revenue at $74 combined per patient. A few more rules govern the full code set:
Billing rules stay constant nationwide, but licensure, consent, and payer rules shift at the state line. A cardiology practice enrolling patients across state borders needs to verify these three things state by state before expanding: where the provider must be licensed, what consent format the state requires, and whether private payers must offer telehealth parity. The table below lays out how each dimension varies.
| Policy Dimension | Key 2026 Rule | Notable State Variations | Source |
|---|---|---|---|
| Licensure | Provider must hold a license in the state where the patient is physically located | IMLC covers 43 states plus DC and Guam (early 2026) | CredentialMate 2026 |
| Telehealth Consent | Many states require telehealth-specific informed consent | Delaware requires written consent; Arizona, California, Colorado, Maryland accept verbal if documented; Florida, Georgia, Hawaii have no requirement | ForaSoft / CCHP 2026 |
| Private Payer Parity | Most states mandate some form of payer parity for telehealth | 43 states plus DC have private payer telehealth laws; Alabama, Idaho, North Carolina, Pennsylvania, South Carolina, Wisconsin, and Wyoming have none | World Population Review 2026 |
| Out-of-State Registration | Some states offer telehealth-only registration instead of full licensure | Florida, New Mexico, Maryland, Minnesota, Louisiana, New Jersey, and Oregon offer these registrations | CliniKEHR 2026 |
The Center for Connected Health Policy's Telehealth Policy Finder received Spring 2026 updates covering 20 states, including Alabama, Arizona, Arkansas, Florida, Georgia, Hawaii, Indiana, Kentucky, Louisiana, Maine, Maryland, New Mexico, New York, Montana, North Dakota, Ohio, Rhode Island, West Virginia, and Wyoming. Check the CCHP tracker before enrolling patients who live outside your home state.
Cardiac implantable electronic device monitoring overlaps with standard RPM billing but isn't identical to it. The 93298 code family covers remote interrogation of implantable cardioverter-defibrillators and cardiac resynchronization devices, while CPT 99454 covers physiologic data device supply. As noted above, RPM and RTM can only be billed together when they address distinct conditions, use different data types, and involve separate clinical work; overlapping use of the same data stream is a common audit trigger. Practices must document which data stream supports each code family to avoid denial.
FDA device requirements apply to every device in the monitoring chain. Class III devices such as pacemakers and defibrillators require premarket approval involving clinical studies, not 510(k) clearance, because they sustain or support life. CIEDs fall squarely into this Class III category, which is why every device in a billable RPM program must carry FDA clearance; consumer wellness wearables don't qualify for Medicare reimbursement even when they collect similar data.
High dismissal rates in CIED monitoring reflect a safety-first design, with most OEM-generated alerts turning out nonactionable across more than 73,000 reports reviewed annually at the University of Chicago Medicine. Alert triage must separate clinically significant events, like new-onset atrial fibrillation, ventricular tachycardia, lead malfunction, or ERI/RRT indicators, from nonactionable transmissions. That triage decision needs documentation in the patient record to support both clinical care and billing audit trails.
Cardiology practices implanting devices from multiple manufacturers, such as Medtronic, Boston Scientific, Abbott, and Biotronik, must log into separate, non-interoperable OEM portals to pull patient data. This fragmentation compounds into real compliance failures. Staff manually transcribing data across portals introduce errors and documentation gaps that undermine the audit trail CPT billing requires. Critical alerts in one portal can go unreviewed while staff work in another, creating exactly the missed-event scenario OIG auditors flag.
The August 2025 OIG Data Snapshot identified practices that billed device codes without corresponding monthly management services for a substantial share of patients, a pattern traceable directly to workflows where device data and management documentation live in separate systems. A common audit finding involves device supply codes billed in months where transmitted data days don't support the billed unit, which means practices need provable, exportable reports of transmission days per period. Manual, portal-by-portal workflows make generating those reports operationally prohibitive at scale, and that gap is exactly what a unified platform closes.
Rhythm360 by RhythmScience is a cloud-based, vendor-neutral platform that ingests and normalizes data from all major CIED manufacturers and RPM device types into a single clinical workspace. Using API, HL7, XML, and PDF parsing with computer vision and AI-powered extrapolation, the platform reaches greater than 99.9% data transmissibility through redundant feeds that stay active even when an OEM server goes down.

Core platform capabilities include:
At the University of Chicago Medicine, the platform now supports review of more than 73,000 reports annually, the same volume referenced earlier in the CIED workflow discussion, now handled through one system instead of scattered portals.
See the platform in action to learn how automated audit trails hold up under OIG review.
| Step | Requirement | 2026 Standard | Authority |
|---|---|---|---|
| 1 | Establish patient relationship and document medical necessity | Prior E/M visit or established relationship required before enrollment; individualized clinical rationale documented per patient | CMS / CCN Health 2026 |
| 2 | Obtain and document patient consent | Verbal or written consent before first billable service; must include cost-sharing disclosure, single-provider acknowledgment, and right to revoke; documented with date, time, and staff name | CMS PFS 2026 |
| 3 | Issue a valid physician order | Signed by physician, NP, PA, or CNS; specifies qualifying chronic condition and monitoring type; renewed annually | CMS / CCN Health 2026 |
| 4 | Verify FDA device clearance | Device must be FDA-cleared for the specific physiologic parameter; Class II via 510(k); Class III (CIEDs) via PMA; consumer wellness devices excluded | FDA / Tenovi 2026 |
| 5 | Complete device setup and patient education (CPT 99453) | Minimum 5 minutes of documented education; patient demonstrates understanding; billed once per device per episode | CMS / MedCodex 2026 |
| 6 | Track and verify data transmission days | Bill 99445 for 2"15 days or 99454 for 16+ days; never both; multiple readings on the same day count as one transmission day; exportable day-count report required | CMS / CCN Health 2026 |
| 7 | Document clinical staff time with specificity | Date, duration in minutes, activities performed, and staff identity recorded per interaction; bill 99470 for 10"19 min or 99457 for 20+ min; add 99458 per additional 20 min | CMS PFS 2026 |
| 8 | Complete at least one interactive communication per month | Real-time audio, video, or secure messaging with patient or caregiver required for 99457, 99470; asynchronous text messages do not qualify | CMS / McDonald Hopkins 2026 |
| 9 | Apply HIPAA technical safeguards to all data flows | TLS 1.2+ in transit; encryption at rest (addressable, see HIPAA section above); BAAs with all vendors; audit logs retained for six years; risk analysis updated to include RPM data flows | HHS / Mindbowser 2026 |
| 10 | Conduct quarterly internal compliance audits | Random 10"20% sample of active RPM records reviewed across consent, orders, device status, transmission-day counts, time documentation, and diagnosis coding | CMS / CCN Health 2026 |
CMS uses a two-tier structure for RPM device supply in 2026. CPT 99445 applies when a patient transmits data on 2 to 15 days within a 30-day billing period, reimbursed at roughly $52 nationally. CPT 99454 applies at 16 or more transmission days in the same period, reimbursed at a similar rate. The two codes are mutually exclusive. Multiple readings on the same calendar day count as a single transmission day. Practices need exportable, date-stamped transmission logs to back up whichever code they bill, since the 16-day threshold for 99454 is the most commonly cited audit trigger in OIG reviews.
CMS requires patient consent obtained and documented before the first billable RPM service. Verbal consent works under Medicare rules, but the record must capture the date, time, name of the staff member, and specific disclosures made. Those disclosures cover the patient's agreement to participate, an explanation of data collected, acknowledgment of Part B cost-sharing, confirmation that only one practitioner may bill per 30-day period, and the right to revoke consent. Written consent offers stronger audit protection. Consent isn't a one-time task; revisit it when the program changes materially, such as adding a new device type or monitoring condition. Many states also require telehealth-specific consent on top of CMS rules, so check the requirements in each state where your RPM patients live.
OIG's August 2025 data snapshot and September 2024 evaluation report both identified the same recurring failures: device codes billed without matching management services, management time billed without documented interactive communication, and incomplete consent records. Rhythm360 addresses each directly. The platform tracks transmission-day counts per patient per billing period and flags accounts that haven't met the threshold before a claim goes out. Clinical staff time gets logged with date stamps and activity descriptions, producing the documentation CMS requires. Every patient communication, from phone calls to secure messages to automated reminders, gets recorded with a full audit trail. Bi-directional EHR integration pushes that documentation into the practice's system of record, closing the transcription gaps that create audit exposure.
Every point in the chain between an OEM portal and the reviewing clinician generates ePHI and falls under HIPAA's Security Rule. That means the RPM platform vendor, the OEM's cloud infrastructure, any data aggregation layer, and third-party AI or analytics services each need a signed BAA. Data moving between systems needs TLS 1.2 or higher encryption; encryption at rest remains addressable and technology-neutral, as covered in the HIPAA section above. The practice's risk analysis must address RPM data flows as their own category, separate from EHR and email systems, and audit logs need six years of retention. Rhythm360 is built to meet these requirements, with end-to-end encryption, BAA coverage, and audit-log infrastructure that supports both clinical and regulatory review.
The 2026 RPM compliance landscape asks cardiology practices to satisfy CMS billing thresholds, HIPAA safeguards, FDA device rules, and state telehealth licensure all at once. Practices that unify these requirements into a single auditable workflow, rather than tracking them piecemeal across OEM portals and spreadsheets, capture more revenue and face less audit risk.


