How CMS’ 2025–26 Rule Changes Make RPM & APCM Viable Without a Vendor

Q: Is vendor-based RPM still profitable?

It is becoming less viable. With vendors taking 40–60% of revenue and CMS and OIG increasing scrutiny on third-party documentation, many practices are moving to in-house models to retain 90–100% of revenue and keep compliance under their direct control.

Q: What is OIG actually looking for in RPM audits?

OIG reviews focus on patterns such as patients enrolled without a prior relationship, device-only months with no documented management, duplicate RPM billing across providers, and claims that do not match documented days of data or minutes of work. Programs with clear eligibility criteria, documented medical necessity, complete time and device logs, and one accountable owner per patient are better positioned to withstand audits.

Q: Are RPM revenue-share vendors still safe to use?

Revenue-share RPM vendors create risk because they are financially incentivized to maximize billable interactions while the practice remains responsible for the claims. Even if a contract is marketed as compliant, regulators will hold the billing practice accountable for overutilization, poor documentation, and misaligned incentives. Many groups are switching to vendor-free, flat-fee software models to reduce this exposure.

What the new Advanced Primary Care Management rules actually mean for independent practices—and why the era of the outsourced audit risk is ending.

For the last five years, Remote Patient Monitoring (RPM) has been the “Wild West” of healthcare. Venture-backed vendors flooded the market, promising practices easy “mailbox money” in exchange for handing over their patient data and billing rights.

As we move into the 2025–2026 cycle, CMS is signaling a massive shift. With the introduction of Advanced Primary Care Management (APCM) and tighter scrutiny on traditional RPM, the era of the outsourced vendor is ending. The new era is about technologically enabled independent practices that keep revenue and oversight in-house.

Who this guide is for

Independent practices, RHCs/FQHCs, medical directors, and billing/compliance leads who want to keep RPM/RTM/APCM revenue while staying off the OIG’s radar and reducing dependence on full-service vendors.

How to use it

Use sections 1–4 to understand how CMS is repositioning RPM and APCM, sections 5–6 to stress-test your current workflows, and the FAQ to brief clinicians and leadership without having to summarize the rules yourself.

CMS 2025-26 RPM and APCM overview banner

1. Why RPM Went “Off the Rails” (And Why CMS Noticed)

During the COVID-19 Public Health Emergency (PHE), regulators loosened the reins to keep patients home. It was necessary—but it also created perverse incentives that vendor-driven RPM models eagerly exploited.

Most vendor offerings optimized for volume, not care. They prioritized:

Hardware over health: Mailing devices to patients who didn’t necessarily need them, solely to bill setup and supply codes.
Timer-based billing: Focusing on hitting “16 days of data” rather than improving blood pressure, A1c, or functional status.
Audit risk: Because vendors were often disconnected from the EHR, documentation lived in external portals and PDFs that didn’t match what was in the chart.

The result: The Office of Inspector General (OIG) has flagged massive amounts of waste, specifically citing missing care plans and duplicate billing. When the audit comes, the vendor does not sit in front of the auditor. The practice is liable, not the vendor.

2. The Solution: Enter APCM (Advanced Primary Care Management)

CMS has not banned remote care. Instead, they are restructuring how they pay for it—moving from device-driven payments to management-driven payments.

2.1 What is APCM?

APCM is a new set of billing codes (G0556, G0557, G0558) designed to bundle care-management services into a streamlined, risk-adjusted monthly payment. Unlike traditional fee-for-service RPM—which requires strict time logging and device data counts—APCM focuses on the availability, continuity, and comprehensiveness of the patient’s primary care.

2.2 The shift from “volume” to “value”

Old model (RPM): You get paid if the patient stands on a scale 16 times and someone logs 20+ minutes.
New model (APCM): You get paid if you provide continuous access, coordinated management, and a living care plan for the patient.

For independent practices, this is a game-changer. It reduces the click-burden of minute-logging, shifts focus to team-based primary care, and returns clinical quarterbacking to the primary care provider instead of a vendor call center.

3. Comparison: Vendor-Based RPM vs. In-House APCM/RPM

For an independent practice, the economics of running remote care in-house have drastically improved under the 2025–26 rules.

The “Old” Vendor Model

Billing basis: 16 days of readings plus 20 minutes of time per month.
Data ownership: Vendor portal is the source of truth; you get PDFs or exports.
Patient contact: Random call-center agents pressure patients to use devices.
Profit margin: Low—vendors routinely take 40–60% of RPM revenue.
Audit risk: High—documentation is external and often doesn’t reconcile with the EHR.

The “New” In-House Model (APCM + RPM)

Billing basis: Monthly APCM management plus targeted RPM/RTM when clinically appropriate.
Data ownership: You own the data; it lives inside your operational workflow.
Patient contact: Your staff (or trusted extensions) manage care and communication.
Profit margin: High—you keep roughly 90–100% of revenue.
Audit risk: Lower—documentation is integrated with the EHR and care plan.

Stop giving away your margin

If you have 500 patients on RPM, a 50% vendor split could be costing you $15,000+ per month in lost revenue.

Run the free Vendor P&L Analyzer →

4. How RPM Fits Into the New Model (Not Dead, Just Different)

Is RPM going away? No. But it is changing roles. In 2026, RPM should no longer be a blanket strategy where you enroll every patient with a pulse. It becomes a targeted clinical tool.

The new mental model for remote care

APCM as the base: Every eligible patient is enrolled into comprehensive, monthly primary-care management.
RPM as the tool: You prescribe a device (e.g., BP cuff, glucometer) only to patients who actively need data monitoring to manage a condition or medication.

By treating RPM as a supplement to APCM, you solve the compliance problem (medical necessity is obvious) and the audit problem (you aren’t billing for data nobody reviews). RPM becomes a high-yield signal generator inside a broader APCM program, not the program itself.

5. Designing a Compliant, Vendor-Free Program

To capitalize on the 2025–26 rule changes, you don’t need a partner who takes half your check. You need a system that makes APCM and RPM compliant by design.

A properly structured in-house program should cover three core capabilities:

5.1 Automated eligibility & enrollment

Don’t guess which patients qualify. Use software that scans your panel against payer rules (Medicare, MA, and key commercial policies) to identify candidates for APCM, RPM, or CCM automatically. This prevents over-enrollment, under-billing, and missed revenue.

5.2 A “policy graph” approach to compliance

CMS and payer rules change. Your software shouldn’t break every time they do. Instead of relying solely on staff training and PDFs, use a system with clinical and billing rules baked into the workflow.

For APCM, the system should enforce the structural elements (consent, access, care plan, transitions, etc.) before letting you close the month.
For RPM, if a patient doesn’t meet the “16 days” threshold or lacks documented medical necessity, the system should automatically flag or downgrade the code before you bill.

5.3 Exception-based workflow

Your staff cannot live in five different vendor portals. Data from patient devices and APCM workflows should flow into a single dashboard that highlights exceptions (who is worsening, who missed follow-up, who needs a medication change), not just volume (who stepped on a scale).

With exception-based automation, one trained staff member can realistically manage hundreds of patients across APCM, RPM, and CCM without drowning in clicks.

6. Compliance Checklist: Are You Audit-Ready?

Whether you use a vendor or go fully in-house, if you can’t check these boxes, you are exposed. Use this as a quick reality check for your current workflows.

The HHS Office of Inspector General has already published evaluations showing high rates of missing RPM components (setup, device, management), device-only billing, and duplicate enrollee patterns. A dedicated Part B RPM audit is on the OIG work plan for the 2025–26 cycle. Treat this checklist as your pre-audit filter: if an auditor pulled ten random charts, would you be comfortable handing them over?

RPM audit triggers

Prior relationship: The billing provider saw the patient before ordering the device (documented initiating visit or E/M).
Medical necessity: The monitored condition (e.g., HTN, HF, diabetes) is documented in the care plan or problem list.
Data review: There is proof that someone clinically appropriate actually reviewed the incoming data.
Interactive time: The 20 minutes of “management” represents interactive communication (phone/telehealth/two-way messaging), not just voicemail drops or automated reminders.

APCM audit triggers

Care plan: A comprehensive care plan exists, is updated, and reflects what your APCM team is actually doing.
24/7 access: The patient can reach the care team continuously (and you can show logs, not just marketing copy).
Consent: The patient’s APCM consent is documented (verbal or written) and retrievable.
Panel logic: You can explain why a patient is in a given APCM tier (G0556 vs G0557 vs G0558) and how you prevent double-billing with CCM/PCM/TCM or overlapping vendor programs.

Download the 2025–26 OIG Audit Survival Checklist (PDF) Check Your Vendor Profit with the Analyzer

7. Conclusion: Take Control of Your Panel

The 2025 CMS rules are a gift to independent practices—but only if you adapt. The “easy button” of signing up with a predatory vendor is gone. The new path requires you to own your data, your workflows, and your compliance.

By keeping remote care in-house and aligning RPM with APCM, you protect your patients from harassment, protect your practice from audits, and keep the revenue where it belongs: with the providers doing the work.

Audit your risk

Get a concrete list of what an RPM/APCM auditor will look for in 2026.

Download the 2025–26 Audit Survival Checklist

Check your math

Quantify how much vendor revenue-share is costing your practice every month.

Use the Vendor Profit Analyzer

See the solution

Learn how FairPath automates APCM and RPM in-house, with compliance as code.

See the FairPath APCM Program

8. Frequently Asked Questions

1. Is APCM replacing RPM?

No. APCM is an alternative or additive payment model for comprehensive primary care management. RPM remains valid for specific physiologic or therapeutic monitoring needs. The most defensible strategy is a hybrid: APCM as the base for ongoing management, with RPM as a targeted supplement when real-time data are clinically necessary.

2. Does bringing this in-house increase my staff’s workload?

It changes the workload more than it increases it. Instead of chasing vendors for reports and reconciling external portals with your EHR, your staff manages care inside a single workflow. With exception-based automation, one staff member can support hundreds of APCM/RPM patients by focusing on outliers rather than micromanaging every reading.

3. Can I fire my current RPM vendor?

Maybe—but do it deliberately. Review your contract for term, termination, and data-ownership clauses. Many vendor agreements are misaligned with the new transparency expectations and do not support APCM billing.

That may give you leverage to renegotiate or to plan a staged transition where you run FairPath in parallel while you unwind the legacy program and preserve your in-house APCM and RPM workflows.

4. What is OIG actually looking for in RPM audits?

The OIG’s RPM work has consistently highlighted the same patterns: patients without a prior relationship to the billing provider, device-only months with no documented management, duplicate billing across practices or vendors, and claims that don’t match the documented days of data or minutes of work. If your program has clear eligibility criteria, documented medical necessity, complete time and device logs, and one accountable owner per patient, you are already ahead of the highest-risk cohort.

5. Are RPM revenue-share vendors still safe to use?

They are increasingly hard to defend. Any model where a third party is paid more as you bill more—especially when that party controls outreach, scripting, and documentation—raises Anti-Kickback and False Claims questions. Even if a vendor’s attorney signs off on the contract, regulators will still hold your practice responsible for the claims billed under your NPI. That is why many groups are moving to a vendor-free model with flat software fees and full visibility into every minute and device day.