CCM Compliance Is Becoming an Analytics Problem

7/1/2026 Matt Furnari , CTO
Remote-care analytics dashboard showing program-integrity signals for CCM and RPM billing readiness.

A new OIG work-plan item has put Chronic Care Management back in the spotlight.

We reviewed the latest program-integrity information around CCM and RPM, including OIG's active CCM audit focus and recent RPM claims-data findings. The takeaway is clear: remote-care compliance is becoming an analytics problem.

That does not mean documentation no longer matters. Consent, care plans, time logs, clinical notes, and billing supervision still matter. But the new information points to a deeper operational question:

Can the operator prove that each patient-month was eligible, supported, non-duplicative, and ready for billing before the claim went out?

That is a different question than, "Did someone write a note?" And it is exactly the kind of problem FairPath was designed to help solve.

What OIG is now looking at in CCM

HHS OIG has an active work-plan item titled "Audit of Medicare Payments for Chronic Care Management Services at Risk of Noncompliance." The project number is OAS-26-09-007.

The important detail is the focus of the audit. OIG is not simply announcing a broad review of every CCM billing requirement. The audit is focused on Medicare Part B CCM payments that may be at risk of noncompliance with the multiple-chronic-conditions requirement.

CCM is intended for patients with at least two chronic conditions that:

  • are expected to last at least 12 months or until death; and
  • place the patient at significant risk of death, acute exacerbation or decompensation, or functional decline.

That matters because it moves the compliance question upstream. A care-management note can show that work happened. A time log can show that staff spent time. A care plan can show that someone created a document. But none of those, by themselves, prove that the patient met the underlying eligibility premise for CCM.

The question OIG is now spotlighting is more fundamental: did this patient actually qualify for CCM during the billed month?

The defensible unit is the patient-month

The practical lesson is that the defensible unit of CCM compliance is not simply "a CCM note." It is a CCM patient-month.

A defensible CCM patient-month should connect:

  • the patient;
  • the billed month;
  • the billing practitioner;
  • at least two qualifying chronic conditions;
  • diagnosis evidence;
  • the expectation that those conditions are chronic;
  • the required clinical risk profile;
  • care-plan mapping to those conditions;
  • patient consent;
  • monthly care-management work;
  • time thresholds, where applicable; and
  • the absence of duplicate or overlapping care-management services.

That is a data-linkage problem. In many programs, those facts live in disconnected places. The diagnosis may be in the EHR. The care plan may be in another system. Consent may be in a scanned document. Staff time may be in a separate log. Billing rules may live in someone's memory or a spreadsheet. Overlap checks may happen at the end of the month, if they happen at all.

OIG's new CCM focus makes that fragmentation dangerous. The risk is not only that a practice cannot produce documentation. The risk is that the documentation does not prove the patient-month was eligible, coherent, and ready for billing.

OIG has already scrutinized CCM billing patterns

This is not the first time OIG has looked at CCM program integrity. In a prior CCM audit, OIG reviewed:

  • more than 7.8 million physician claims;
  • more than 240,000 hospital claims;
  • noncomplex and complex CCM services from calendar years 2017 and 2018; and
  • paid claims totaling $356 million.

OIG found approximately $1.9 million in overpayments associated with 50,192 claims. The overpayment categories included duplicate CCM billing for the same beneficiary and same service period, overlapping care-management services for the same beneficiary and same period, and incremental complex CCM services associated with overpaid complex CCM claims.

That history matters because it shows a progression. OIG has already examined duplicate CCM claims, overlapping care-management services, and complex CCM billing issues. The newer work-plan item adds another layer: whether the patient met the multiple-chronic-conditions requirement in the first place.

For CCM operators, the message is straightforward. The claim has to make sense as a patient-month. The eligibility, care plan, work performed, billing practitioner, and absence of conflicts all need to line up.

The CCM analytics checklist operators should be running

If OIG is going to audit CCM eligibility, practices and pharmacy partners should be checking that eligibility before billing. A modern CCM pre-claim analytics layer should ask several questions.

Patient eligibility

  • Does the patient have at least two chronic conditions?
  • Are those conditions expected to last at least 12 months or until death?
  • Do those conditions create the required risk of death, acute exacerbation, decompensation, or functional decline?
  • Are the conditions active, documented, and clinically meaningful?
  • Is the patient still eligible this month?

Evidence linkage

  • Are the qualifying diagnoses tied to the care plan?
  • Is there chart, claims, problem-list, or clinician-assessment evidence?
  • Does the care plan actually reflect the qualifying conditions?
  • Is the monthly CCM work related to those conditions?
  • Is the diagnosis evidence current enough to support the billed month?

Patient-month readiness

  • Was consent captured?
  • Was the care plan active and maintained?
  • Was monthly care-management work performed?
  • Was the time threshold met, where applicable?
  • Is the billing practitioner correctly associated?
  • Is the patient ready for billing review?

Conflict and overlap checks

  • Is another provider billing CCM for the same patient and month?
  • Is there an overlapping care-management service?
  • Are there code-stacking or bundling issues?
  • Are complex CCM increments supported by a valid base service?
  • Is anything about the month inconsistent with the claim being prepared?

These are not questions to ask after a denial or audit letter. They are questions to ask while the month is still open.

RPM shows where remote-care oversight is heading

The CCM work-plan item is the center of this issue, but it is part of a broader remote-care trend. OIG's recent RPM work shows how program-integrity oversight is increasingly shaped by claims-data analytics.

In OIG's 2025 data snapshot, "Billing for Remote Patient Monitoring in Medicare," OIG reported that:

  • Medicare RPM payments reached $536 million in 2024 across Original Medicare and Medicare Advantage;
  • that represented a 31% increase from 2023;
  • nearly 1 million Medicare enrollees received RPM in 2024;
  • that represented a 27% increase from 2023; and
  • about 4,600 medical practices routinely billed RPM in 2024.

OIG then identified several claims-data measures that could flag practices for scrutiny. Those included sudden patient-growth spikes, lack of prior patient relationship, absence of treatment management, multiple practices billing RPM for the same enrollee, and multiple RPM devices billed for the same enrollee in the same month.

Those RPM signals are not the same as CCM eligibility. But the lesson is the same: remote-care risk can be detected in patterns.

For RPM, the patterns may involve enrollment velocity, treatment-management gaps, device billing, or multiple billers. For CCM, the patterns may involve chronic-condition evidence, patient-month eligibility, care-plan linkage, duplicate billing, overlapping services, and billing practitioner consistency.

If regulators can see those patterns after the fact, operators should be watching them before claims are submitted.

Why this matters for medical practices

For medical practices running CCM or RPM programs, the new information should not be read as a reason to avoid remote care. These programs remain important tools for managing patients outside the office. But the operating model has to mature.

A practice may believe its CCM program is safe because staff are documenting time and maintaining care plans. But eligibility risk can still exist if problem lists are outdated, diagnosis evidence is inconsistent, care plans do not clearly map to qualifying conditions, patients remain enrolled after eligibility changes, monthly work is disconnected from the qualifying chronic conditions, overlapping services are missed, or billing readiness is only reviewed at month-end.

The practice does not need more end-of-month cleanup. It needs in-cycle intelligence. It needs to know which patients qualify, which patients are blocked, which months are ready, and why.

Why this matters for pharmacy partners and clinical builders

The issue is just as important for pharmacy partners and clinical builders that operate remote-care programs on behalf of practices. In some ways, the risk is multiplied.

A pharmacy partner may support outreach, enrollment, patient education, device logistics, pharmacist review, adherence follow-up, care-plan support, or other operational work. But the claim still has to be defensible inside the practice's clinical and billing record.

That creates a different kind of responsibility. The partner's value is not just helping a practice enroll more patients. It is helping the practice enroll the right patients, perform the right work, and create claims the practice can stand behind.

Common partner risks include scaling enrollment faster than eligibility review, inconsistent condition mapping across customer practices, weak care-plan provenance, unclear handoff between pharmacist work and billing practitioner oversight, poor evidence capture, device logistics that do not match billing records, and client practices being exposed by work the partner helped operationalize.

For pharmacy partners, program-integrity analytics is client protection.

How FairPath is designed for this problem

FairPath was built around a simple belief: remote care should be operated as an active system, not a passive documentation archive.

The goal is not to wait until the end of the month and ask, "Can we clean this up enough to bill?" The goal is to know, throughout the month:

  • who qualifies;
  • what work is needed;
  • what evidence exists;
  • what is missing;
  • what is blocked;
  • what is ready; and
  • what should not be billed yet.

That is why FairPath is designed around eligibility, workflow, evidence, and billing readiness together.

Eligibility intelligence before work begins

FairPath helps operators identify better-fit patients before enrollment. It uses information such as payer rules, diagnosis codes, payment history, program requirements, and patient-level program fit to support a 1-5 Qualification Score.

For CCM, this matters because the new OIG focus is specifically about whether patients meet the multiple-chronic-conditions requirement. Operators need to know whether a patient appears to have the chronic-condition profile needed to support CCM before staff invest time and before billing risk is created.

For RPM, RTM, and APCM, the same idea applies. The patient should be clinically appropriate, operationally viable, and aligned with payer and program requirements before the workflow begins.

Condition-level mapping

FairPath maps diagnoses to remote-care programs such as CCM, RPM, RTM, and APCM. That condition-level mapping is directly relevant to the new CCM risk.

If OIG is asking whether CCM patients actually had multiple qualifying chronic conditions, then condition-level mapping is not a nice-to-have feature. It is compliance infrastructure.

A CCM program should be able to answer:

  • Which conditions support this patient's eligibility?
  • Are those conditions reflected in the care plan?
  • Is the monthly work connected to those conditions?
  • Does the evidence support the billed month?

Without that linkage, CCM documentation can become a pile of disconnected artifacts. With that linkage, the patient-month becomes easier to understand, manage, and defend.

Care plans connected to clinical reality

FairPath supports structured care pathways, multi-condition care planning, and AI-assisted care-plan drafting. That matters because CCM care plans should not be generic. They should reflect the patient's actual chronic conditions and the clinical goals of the program.

FairPath's AI can help analyze patient history and comorbidities, draft structured care plans, and suggest goals or interventions. Clinicians remain in control, but the system helps reduce inconsistency and fragmentation.

For CCM, the key value is not simply faster drafting. The key value is a care plan that fits into a structured, auditable workflow. The care plan should help connect eligibility, chronic conditions, clinical goals, monthly work, patient communication, and billing readiness.

BillingQ: the pre-flight check

FairPath's BillingQ is one of the clearest examples of how remote-care compliance can move upstream. BillingQ treats compliance as a systems problem. It helps operators identify whether a patient-month is ready before the claim reaches billing review.

For CCM, that means checking for issues such as missing required components, incomplete time or work product, care-plan gaps, consent issues, overlap risk, code conflicts, billing-readiness gaps, and patient-months that should not yet be submitted.

For RPM, the same pre-flight concept can apply to issues such as device data thresholds, no-data patterns, treatment-management activity, device assignment, consent and training evidence, and setup/supply codes that are not supported by ongoing management.

BillingQ moves the compliance question from "Can we clean this up at month-end?" to "Is this patient-month ready right now?"

That is the difference between retrospective cleanup and active program integrity.

Automated evidence as work happens

The best audit defense is not a frantic reconstruction months later. It is evidence created as the work happens.

FairPath automatically timestamps and logs remote-care activity such as calls, texts, patient interactions, reviews, consents, readings, alerts, care-plan updates, clinical documentation, and time-based work.

That evidence becomes part of the operational record. For CCM, this helps support the monthly patient-management story. For RPM, it helps connect device data, patient communication, and treatment management. For pharmacy partners, it creates a cleaner handoff between distributed staff activity and the practice's billing record.

PriorityQ and ReviewQ: reducing operational drift

Many compliance failures are not intentional. They happen because remote care is operationally complex.

Patients stop transmitting data. Staff miss follow-ups. Conditions change. Payer rules shift. A care plan gets stale. A patient is enrolled but never reaches a billing-ready state. A month ends before anyone realizes a required component is missing.

FairPath's PriorityQ and ReviewQ are designed to reduce that drift. They route work based on factors such as clinical risk, urgency, program fit, code completion, missing requirements, no-data patterns, exception status, and billing progress.

Instead of forcing staff to hunt through dashboards, the system pushes the right work to the right person. That matters for compliance because billing readiness is not only a billing function. It is the result of daily operational execution.

How our AI fits into this

AI is not useful in remote care because it sounds futuristic. It is useful when it turns fragmented information into operating intelligence. FairPath and Intelligence Factory use AI to help with practical problems.

Patient and panel analysis

AI can help identify which patients may be appropriate for CCM, RPM, RTM, or APCM based on conditions, payer rules, program requirements, and available evidence.

Care-plan drafting and review

AI can help draft structured care plans based on patient history and comorbidities, while keeping clinicians in control.

Exception detection

AI can help surface patterns such as no-data periods, worsening trends, missing steps, low engagement, incomplete documentation, eligibility issues, and billing-readiness problems.

Claims-pattern analysis

AI and data pipelines can analyze public or internal claims data for signals such as sudden volume changes, unusual code ratios, missing management activity, reimbursement concentration, provider pattern anomalies, and other program-integrity indicators.

The goal is not to accuse anyone of fraud. The goal is to identify patterns worth reviewing before they become expensive problems.

Sidebar: applying the same analytics mindset to public claims data

As part of our Intelligence Factory work, we applied this same analytics mindset to public HHS/CMS Medicaid remote-care data.

The workflow included staging a public dataset of approximately 10.325 GB, filtering it into 284,294 remote-care rows, analyzing programs including RPM, CCM, RTM, and APCM, filtering by remote-care CPT families, generating program counts, applying OIG-style signal scoring, enriching providers with NPI data, geolocating provider patterns, and producing reimbursement and risk visualizations.

In a related FairPath analysis of public Medicaid RPM billing patterns, we looked for signals such as sudden patient-volume spikes, setup/supply versus management-code imbalance, lower-than-expected utilization, rapid drop-off, and concentration of reimbursement among higher-warning providers.

That kind of public-data analysis is not a fraud accusation. It is a way to identify patterns worth reviewing.

Claims data tells a story. Public-data analysis shows what can be detected after the fact. FairPath brings that same mindset into the live workflow, where practices and pharmacy partners can act before risk becomes a submitted claim.

What practices should do now

Practices running CCM, RPM, RTM, or APCM should use the new OIG information as a prompt to examine their operating model.

For CCM, practices should ask:

  • Do we know which patients have two qualifying chronic conditions?
  • Can we connect those conditions to the care plan?
  • Can we prove the patient was eligible during the billed month?
  • Is consent captured and accessible?
  • Is monthly work tied to the conditions being managed?
  • Are time thresholds tracked in-cycle?
  • Are duplicate or overlapping services checked before billing?
  • Do we know which patient-months are ready, blocked, or incomplete?

For RPM, practices should ask:

  • Do we know whether the patient had the required relationship?
  • Can we explain enrollment spikes?
  • Are device assignments and serial numbers clean?
  • Are no-data patterns surfaced quickly?
  • Is treatment management happening?
  • Are setup and supply codes supported by ongoing activity?
  • Are multiple-provider or duplicate-device risks being monitored?

The right time to ask these questions is before the claim is submitted.

What pharmacy partners should do now

Pharmacy partners and clinical builders should ask a related set of questions.

  • Are we helping practices enroll clinically appropriate patients?
  • Are qualifying conditions documented and mapped?
  • Is our work visible in the practice's evidence trail?
  • Are consent, education, device logistics, and follow-up captured consistently?
  • Are pharmacist activities connected to the care plan and billing workflow?
  • Can we operate across multiple practices without blurring data or documentation?
  • Are claims blocked when required components are missing?
  • Can each client practice stand behind the work we helped perform?

For partners, the standard should be higher than growth alone. The value proposition should be clean growth: the right patients, the right work, the right evidence, and claims that are ready before they are submitted.

The future of CCM compliance is upstream

The new CCM audit focus should not be viewed as a reason to retreat from chronic-care programs.

CCM, RPM, RTM, and APCM are important tools for managing patients outside the office. They help practices and care teams stay connected to patients between visits. They create opportunities for pharmacies and clinical partners to support chronic-care delivery in more scalable ways.

But the operating model has to match the oversight environment. The future of remote-care compliance is eligibility checked before enrollment, conditions mapped before billing, care plans connected to clinical evidence, evidence created as work happens, missing requirements surfaced in-cycle, overlap risk detected before submission, claims reviewed before billing, and program-integrity signals monitored continuously.

OIG's CCM work-plan item is a reminder that remote-care compliance is not only about whether a note exists. It is about whether the patient-month makes sense.

If OIG can find remote-care risk through analytics after the claim is paid, operators should use analytics before the claim is submitted.

That is what FairPath was built for.

Standard Operating Procedures

FairPath is built on operational work, not theory. We publish the playbooks and checklists we use to keep programs compliant and profitable. Use them whether you run FairPath or not.

Browse the Expert Library →

RPM Manual

The practical 2026 guide to device rules, day thresholds, management time, and audit defensibility for Remote Patient Monitoring.

Read the RPM Guide →

RTM Guide

How to run Remote Therapeutic Monitoring for MSK, respiratory, and CBT workflows with the correct 9897x and 9898x rules.

Read the RTM Guide →

CCM Guide

Calendar-month operations for CCM: consent, initiating visit, care plan requirements, time counting, and concurrency rules.

Read the CCM Guide →

APCM Playbook

The operator blueprint for Advanced Primary Care Management: eligibility, G0556–G0558 tiers, and monthly execution.

Read the APCM Playbook →