RPM Manual
The practical 2026 guide to device rules, day thresholds, management time, and audit defensibility for Remote Patient Monitoring.
Read the RPM Guide →
Audit Defense Brief
The Zombie Patient Audit
Cross-referencing RPM billing against Part D dispensing and adherence signals
Published: February 3, 2026
For Pharmacy Owners, Compliance Directors
Compliance note: This resource is educational and not legal advice. Audit exposure and billing eligibility depend on payer policy, medical necessity, documentation, and the billing practitioner’s compliance program.
The Logic Trap
The Signal
Part B billing implies active hypertension management, but Part D history shows zero medication refills for 90+ days.
The Audit Question
"If the patient is not on therapy, what exactly are you monitoring, and why is it medically necessary?"
The Defense
Operationalize the "Adherence Reconciliation Note" to turn a data mismatch into a documented clinical intervention.
Executive Summary
Oversight of Remote Patient Monitoring (RPM) is increasingly data-driven. The Office of Inspector General (OIG) has published claims-based analyses of RPM billing and explicitly describes using measures derived from billing data to identify practices that warrant further scrutiny. [1]
At the same time, CMS maintains integrated claims data infrastructure that combines Medicare Parts A, B, C, and D claims (including Part D Prescription Drug Event data) for analytics and program integrity use. [3]
That combination creates a predictable audit pattern: scenarios where Part B RPM billing implies active clinical management of a condition, but Part D drug-event history implies that the patient is not receiving, refilling, or covering the corresponding therapy. This does not prove fraud by itself. It creates a contradiction that auditors can flag early, before any chart request, and then interrogate with medical records if needed.
This brief defines the “Zombie Patient” signal as an internal risk control concept, explains why it is technically feasible in today’s Medicare data environment, and provides an operational protocol to neutralize the signal by making the clinical story consistent with the billing story.
Section index
I. Why this audit vector is technically feasible now
CMS data is not siloed by benefit
CMS’s Integrated Data Repository (IDR) is a high-volume data warehouse integrating Parts A, B, C, D, and DME claims. Privacy documentation explicitly frames the IDR Cloud as a centralized resource for fraud, waste, and abuse detection. [3][4]
OIG is publishing claims-based RPM measures
OIG’s 2025 RPM report describes measures to monitor RPM billing and identify practices that warrant scrutiny. Their active work plan includes an audit project focused on whether providers furnished and billed RPM services in accordance with Medicare requirements. [1][2]
Precedent for Cross-Benefit Auditing
OIG has already performed cross-benefit analyses using PDE (Part D) data to audit Part A skilled nursing facility benefits. While not RPM-specific, this proves the concept: auditors use prescription drug data to test for contradictions across benefit payment rules. [5]
II. What “Zombie Patient” means in an audit-control sense
This is not an official OIG term. Use it internally as a risk label for a specific contradiction pattern:
Zombie Patient (Internal Risk Definition)
A beneficiary has sustained RPM billing for a condition that normally implies active therapy management, but Part D dispensing history shows little to no evidence of medication coverage for that condition over a clinically meaningful period.
Part B Story (Billed)
“We are actively monitoring and managing hypertension month after month.”
Part D Story (Observed)
“There is no recent evidence of antihypertensive medication coverage or refills through Part D.”
Important: A no-fill pattern is not always wrong (cash purchase, samples, or lifestyle management). The risk is not the adherence—it is the lack of documentation explaining the contradiction.
III. The cross-reference logic auditors can run
You should assume that a claims-based screening query can be built. Below is a representative structure of how auditors use PDC (Proportion of Days Covered) data from Part D to flag Part B RPM claims.
-- Identify sustained RPM billing for a condition
WITH rpm_panel AS (
SELECT beneficiary_id FROM part_b_claims
WHERE cpt IN ('99454','99457')
AND diagnosis_icd10 IN ('I10') -- hypertension
GROUP BY beneficiary_id
HAVING COUNT(DISTINCT month(service_date)) >= 6
),
-- Compute therapy coverage proxy from Part D PDE
pde_coverage AS (
SELECT beneficiary_id, PDC(ndc_list_antihypertensives) AS pdc_hyp
FROM part_d_pde
WHERE beneficiary_id IN (SELECT beneficiary_id FROM rpm_panel)
)
SELECT * FROM rpm_panel r
JOIN pde_coverage p ON p.beneficiary_id = r.beneficiary_id
WHERE p.pdc_hyp < 0.20; -- The "Zombie" Flag
WITH rpm_panel AS (
SELECT beneficiary_id FROM part_b_claims
WHERE cpt IN ('99454','99457')
AND diagnosis_icd10 IN ('I10') -- hypertension
GROUP BY beneficiary_id
HAVING COUNT(DISTINCT month(service_date)) >= 6
),
-- Compute therapy coverage proxy from Part D PDE
pde_coverage AS (
SELECT beneficiary_id, PDC(ndc_list_antihypertensives) AS pdc_hyp
FROM part_d_pde
WHERE beneficiary_id IN (SELECT beneficiary_id FROM rpm_panel)
)
SELECT * FROM rpm_panel r
JOIN pde_coverage p ON p.beneficiary_id = r.beneficiary_id
WHERE p.pdc_hyp < 0.20; -- The "Zombie" Flag
IV. Why this becomes a medical necessity question
RPM billing is justified when ongoing monitoring is medically necessary and connected to active clinical management. When Part D signals show no therapy coverage, auditors can interpret RPM activity as detached from treatment.
If the contradiction is unaddressed
The record can look like passive surveillance without a clinical plan. That framing makes it easier for auditors to question whether RPM services were reasonable or necessary for the condition billed.
If the contradiction is reconciled
Documented adherence outreach, medication barriers, and provider coordination show that RPM was used to address the therapy gap. The narrative supports medical necessity by tying monitoring to a concrete intervention.
V. The operational fix: The Adherence Reconciliation Note
The most reliable defense is to make the contradiction explicit and resolve it with documented clinical action.
The "High Risk" Note Pattern
“Reviewed BP log. Readings stable. Continue monitoring.”
Why it fails: This note ignores the Part D dispensing reality. If the auditor sees the patient isn't taking meds, this note implies the provider isn't actually managing the patient—they are just "watching a dashboard."
The "Audit-Defensible" Note Pattern
“Noted persistent elevations. Reviewed medication history; no refill evidence for amlodipine since [date]. Patient reports stopping due to cost. Provided cost-saving alternatives and education. Coordinated with prescribing clinician regarding restart plan.”
Why it works: It converts the contradiction into a documented Medication Adherence Intervention. You are now using the RPM service specifically to address the non-adherence detected in the data.
VI. What to monitor internally as a pharmacy owner
Build a simple internal control dashboard. You do not need perfect data; you need consistent detection and documentation.
High RPM / Low Fill Ratio
Flag patients with repeated 99454 billing months who have minimal or zero therapy coverage evidence in your dispensing system.
Uncontrolled / Unactioned Readings
Review patients with persistently high readings but no documented clinical escalation or adherence check.
References
- OIG. Billing for Remote Patient Monitoring in Medicare. Report OEI-02-23-00261. Posted Aug 28, 2025.
- OIG Work Plan. Audit of Medicare Part B Remote Patient Monitoring Services. Announced Dec 16, 2024.
- CMS. Integrated Data Repository (IDR) overview.
- CMS. Integrated Data Repository Cloud (IDRC) Privacy Impact Assessment, purpose includes fraud, waste, and abuse detection.
- OIG. Medicare Part D Paid Millions for Drugs for Which Payment Was Available Under the Medicare Part A Skilled Nursing Facility Benefit. Report A-09-21-03008.
- CMS. 2025 Part C and D Star Ratings Technical Notes, PDC definition.
FairPath is designed to handle this complexity for you.
While most platforms simply record what happened, FairPath actively runs the program. It continuously monitors every patient, staff action, and billing rule across CCM, RPM, RTM, and APCM, intervening immediately when a requirement is missed.
This allows you to scale your own program without losing quality, breaking trust with physicians, or losing control of your revenue. We provide the precision of an automated medical director without the chaos.
