RPM Device Compliance Reporting: What CMS Actually Audits

CMS audits of RPM programs cluster on a small number of documentation gaps. The auditors aren't looking at the clinical decisions; they're looking at the evidence trail. Programs that build the trail upfront pass; programs that try to construct it after the audit notice fail.

The five documentation requirements

1. Initial setup documentation (99453). Evidence that the patient was educated on device use. Most programs miss this when device shipment happens by mail without an in-person setup visit. The fix: a documented telehealth or phone education session, with the patient's acknowledgment of training, captured as a note.
2. 16 unique transmission days per calendar month (99454). The device data log must show 16 distinct calendar dates with readings. Two readings on the same day count once. The auditor wants the raw transmission log, not a summary.
3. 20 minutes of clinical staff time per month (99457). Documentation of the time spent by clinical staff in treatment management — interactive communication with the patient, review of data, treatment modification. The auditor wants timestamps and a narrative, not just “reviewed RPM data.”
4. Communication of the data to the patient. The 20 minutes must include patient-facing communication. A clinical staff member reviewing alone doesn't qualify. Phone call notes, secure message exchanges, or telehealth contacts all count.
5. Treatment plan adjustments based on the data. The audit looks for evidence that the RPM data influenced care. A note saying “A1C trend improving, continued current regimen” is fine. No note linking the data to clinical decision-making is a problem.

Where audits actually fail

Most audit findings concentrate on #3 and #4 — the 20-minute clinical time requirement. Programs that struggle have two patterns:

• Clinical staff time is tracked at the patient level but not documented in the chart with timestamps.
• The interaction was internal (staff reviewing data and adjusting), not patient-facing. CMS requires patient-facing communication.

The analytics layer that prevents the audit problem

Vizier's RPM module ships with audit-readiness views built in:

• Patient-level documentation completeness — does this patient's month have all five elements?
• Audit cohort flagging — which 99457/99458 bills lack the time documentation needed to defend them?
• Pre-billing validation — before claims drop, flag patients who hit 16 days but are missing documentation.

The point of the analytics view isn't the bill — it's preventing the bill from going out when documentation can't defend it.

What to do if the audit notice arrives

Audit notices typically request 12 months of records for a sample of patients. The response window is short. Programs that already have audit-readiness analytics produce the requested documentation in days; programs that don't spend weeks reconstructing it.

The single best preventive action: monthly audit-readiness review. Pull the documentation completeness view for the prior month before billing closes. Catch the gaps while the clinical staff still remember the encounter.