The 2026 OIG Audit for RPM is Scheduled. Are You Ready?
Between 2024 and 2026, the OIG initiated its most intensive oversight cycle for Remote Patient Monitoring. They have already identified the “Red-Flag” billing patterns they are looking for.
This is your complete guide to the new audit risks and how to build a defensible program.
Stop Guessing. Get a Free RPM Fraud-Risk Report.
The OIG’s “Red-Flag Patterns” are exactly what our Compliance-as-Code engine is built to detect. We’ll generate a free, practice-specific RPM fraud-risk summary based on these patterns—so you know where you stand before an audit.
We’ll email a narrative risk summary based on OIG red-flag categories. No claim files or PHI required.
RPM Grew Fast. Now, the Oversight is Here.
RPM grew from a small program to nearly one million beneficiaries and over $500 million in spending by 2024. That rapid expansion triggered a predictable and intensive oversight cycle from the OIG, defined by three key documents.
Understanding these three sources provides a complete picture of where the government believes RPM is being misused and why compliance expectations are rising sharply heading into 2026.
The 3 OIG Documents Defining the New RPM Audit Risk
1. The 2024 OIG RPM Audit: Early Evidence of Systemic Gaps
The first report, released in September 2024 (OEI-02-23-00260), reviewed the extent to which RPM providers were furnishing all required components of the service:
- Setup and patient education
- Device supply and data transmission
- Treatment-management services (generally CPT 99457/99458)
The audit found that about 43 percent of beneficiaries did not receive all three components, even though the services were billed. This was the first large-scale warning that the OIG viewed RPM as a risk area because workflow requirements were inconsistently met, often identifying outsourced RPM operators as weak links.
2. The August 2025 Data-Driven Report: The “Red-Flag” Billing Patterns
On August 25, 2025, the OIG released a data-driven national review of RPM billing (OEI-02-23-00261). It found that spending had accelerated and, more importantly, identified specific billing patterns considered risk indicators:
- Red Flag 1: Patients without a prior relationship to the billing practice (implying third-party “RPM mills” attaching patients to doctors).
- Red Flag 2: Multiple device codes (99454) billed for a single patient in the same month (a clear violation of Medicare rules).
- Red Flag 3: RPM billed without corresponding treatment-management (billing 99453/99454 without ever billing 99457/99458).
- Red Flag 4: Duplicated monitoring of a single beneficiary across multiple practices.
These red flags clearly describe the vendor-driven RPM industry, not legitimate physician-driven programs.
3. The OIG Work Plan for FY 2026: The Formal Audit is Scheduled
The third critical document is the announced audit:
- Audit ID: OAS-25-05-008, “Audit of Medicare Part B Remote Patient Monitoring Services”
- Expected Issue Date: FY 2026
- Goal: To “determine whether providers furnished and billed for RPM services in accordance with Medicare requirements.”
This is the clearest signal that OIG is moving from data analysis to enforcement-grade audits. Fieldwork is underway. Providers will be sampled, medical records and device logs will be reviewed, and the OIG will issue findings with repayment obligations.
Your Vendor May Be Your Biggest Liability. FairPath is Your Defense.
The OIG’s “Red-Flag Patterns” map perfectly to the high-risk, rev-share vendor model. FairPath was designed to be the antidote.
| The OIG “Red Flag” (The Problem) | The FairPath “Compliance-as-Code” Engine (The Solution) |
|---|---|
| Red Flag 1: No Prior Patient Relationship. RPM billed for patients who have no documented relationship with the practice. | FairPath is your practice’s software, not a third-party mill. Ethical Enrollment tools ensure you are only monitoring established patients based on clinical need, not “leads” from a vendor. |
| Red Flag 2: Multiple Device Codes Billed. More than one 99454 billed for the same patient in a 30-day period. | Smart Billing Automation enforces the “one 99454 per beneficiary, per 30-day period” rule. Claims that attempt to exceed this are blocked before submission. |
| Red Flag 3: “Device-Only” Billing (No 99457/8). Billing for setup and device supply without ever providing treatment-management. | The integrated dashboard links billing to clinical action. Patients must have documented clinical review before management codes can be billed, preventing device-only patterns. |
| Red Flag 4: Duplicate Patient Billing. RPM billed for the same beneficiary across multiple practices. | FairPath provides a single, unified panel for your practice. Because enrollment is managed inside your own system, you maintain one source of truth, eliminating duplicate-program risk within your organization. |
The OIG Isn’t Trying to End RPM. It’s Trying to End Vendor-Driven Misuse.
Across all three documents, the OIG’s message is consistent: RPM is valuable, but the “vendor-first” model is broken. They are targeting:
- Unsupervised enrollment
- Billing without clinical involvement
- Device-only “RPM mills”
- Programs billing patients unknown to the practice
This is good news for legitimate, practice-run programs. The OIG is clearing the field of bad actors. Practices with strong, auditable workflows (like those automated by FairPath) can bill safely while competitors who rely on risky vendors hesitate or exit.
This is the time to automate your compliance and secure your revenue.
Stop Guessing. Get a Free RPM Fraud-Risk Report.
We’ll map your current RPM approach against the OIG’s red-flag categories and send you a concise fraud-risk report you can share with your leadership and compliance team.
No claim files or PHI required. We use your self-reported RPM profile and the OIG’s published patterns to build your report.