Regulation of Medicine


Implementing Safe and Secure Remote Patient Monitoring

By: Raj Shah, Senior Regulatory Attorney, The Institute at MagMutual and Saskia Olczak, Risk Intern, The Institute at MagMutual
Executive Summary 

Remote Patient Monitoring (RPM) offers many financial, clinical and administrative benefits when effectively integrated into a practice. However, healthcare organizations should note the potential cybersecurity and legal risks associated with RPM before implementation to ensure that the appropriate steps are taken to mitigate their risk.       

Recommended Actions 
  • Consider your existing cybersecurity system and confirm that the RPM system can be integrated without introducing new vulnerabilities. 

  • Ensure that your use of RPM complies with all regulatory law: HIPAA, the Anti-Kickback Statute and the Stark Law. 

  • Avoid using RPM as the only method of checking on patients. Instead, schedule a patient visit if you’re uncertain about the patient’s condition or care. 

As healthcare technology continues to improve, telehealth and remote patient monitoring (RPM) are becoming popular with many clinicians and their patients. RPM is a method of healthcare delivery that uses the advances in digital technology and wearable medical devices to gather patient data outside traditional healthcare settings. RPM allows providers to track healthcare data for a patient once they are released home, reducing inpatient readmission rates and outpatient visits. Often combined with videoconferencing, RPM allows providers to check on patients from afar. 

RPM programs can collect a wide range of data including vital signs, weight, blood pressure, blood sugar, blood oxygen levels and heart rate. RPM technology varies from handheld medical devices distributed from medical facilities, such as glucose meters and heart rate monitors, to consumer-grade wearables, like Fitbits, Garmins and Apple watches. Most RPM technology is geared towards patients of all ages and accommodates all levels of familiarity with technology. 

RPM uses technology that makes patients feel comfortable with managing their own health, which leads to better patient engagement, ultimately improving their care. With a constant stream of data at their fingertips, clinicians are better equipped to manage their patients’ health. RPM enables practitioners to know what is actually occurring with their patients on a daily basis, and the continuous tracking of patient’s symptoms allows intervention before problems become acute.  

While RPM techniques vary between devices, most use similar components. The first is a wireless-enabled sensor that measures specific physiological parameters, stores the readings, and connects to healthcare provider databases and related applications. Applications usually feature an interface to track or analyze data and display treatment recommendations. The data is then sent to and stored in a relational database, allowing providers to examine it as individual readings or as part of the patient’s entire health history.  

Integration with Electronic Medical Records (EMR) is an especially beneficial component of RPM. When EMR and RPM applications are integrated, they communicate with each other through a bidirectional workflow. When biometric data is recorded on an RPM device, it flows into the EMR automatically, which eliminates the need to copy the data into the EMR separately and ensures that all patient data is in one place. 

A challenge with consumer RPM devices is the potential for unsolicited patient data. Patient-Generated Health Data (PGHD) refers to data generated by a patient, such as biometric data collected on an Apple Watch. However, patients and physicians may differ as to what constitutes important information, and patients may send data without thinking about how it might affect the organization and management of their EMR. In addition, physicians may be skeptical about the reliability of PGHD since it is collected in nonstandard ways and by nonprofessionals. Finally, PGHD must be systematically processed and analyzed before it can be used with confidence. 

Providers should establish standard protocols for the type of information that should be added to the patient’s EHR. They must review PGHD thoroughly, even if it seems irrelevant. There may be legal consequences if inadequate review of health information received via PGHD results in ill-informed medical decisions or missed diagnoses. Providers may consider ordering new or additional testing if they are questioning the reliability or accuracy of PGHD. 

Five Risk Management Tips to Consider 

Since RPM is still a rapidly growing industry, there are limited standards and guidelines available for the appropriate utilization and monitoring of wearable technology. Also, no medical malpractice suits have been filed yet concerning RPM, but they will surely be forthcoming. Therefore, it is important to be aware of the potential liability risks and to ensure correct implementation of RPM technology. Here are five key tips about RPM from a risk management and compliance perspective.   

Consider Security 

Before implementing RPM, consider system security. RPM uses a variety of devices, applications and communication technologies to connect devices to the provider’s office. These complex communication systems may also require using the vendor’s system. This complex, multistep process increases the risk of a cyberattack on the RPM system. Ensure that the vendor you choose and related third parties maintain a sound security posture to limit vulnerabilities in the host system and other connected systems. 

Keep the Anti-Kickback Statute in Mind 

Analyze whether the Anti-Kickback Statute, the Physician Self-Referral Prohibition law (Stark), and the Civil Monetary Penalty law apply. Ensure that your healthcare professionals do not have a financial interest in any RPM device company you select. 

Keep HIPAA in Mind 

HIPAA compliance and patient data security still apply. Ensure that the RPM device company has HIPAA-compliant processes, such as encrypting patient information both at rest on the device and in transit. Also, ensure that you and the RPM business have a Business Associate Agreement (BAA) in place before you share protected health information. 

Ensure Correct Billing 

Before you begin implementing RPM, explore the reimbursement options in your practice area and with each payor so that implementing RPM provides financial value for your organization. Ensure that providers or coding staff in your practice familiarize themselves with the frequently used codes for billing RPM services as well as the requirements for these codes. 

When in Doubt, Bring Them In 

If you are unsure of the patient’s diagnosis or if indicators reported from the patient’s device are of concern (for example, spikes in blood pressure or heart rate), consider bringing the patient in for a visit. Also, continue with your documentation standards and ensure that you fully record your patient’s concerns on a timely basis. 

When appropriately implemented, RPM offers many benefits for both clinicians and patients. RPM can help reduce the number of hospitalizations, inpatient readmissions and the lengths of stay in hospitals, ultimately improving quality of care while also minimizing costs. Although RPM is still a growing field, following these steps can help ensure compliance and contain potential risks for your healthcare practice. 

Lessons Learned       
  • Before you make a choice, consult with other physicians (ideally, at least two) who have implemented the RPM system you’re considering.  

  • Ensure that your practice has proper training materials for patients when they have on-boarding or device issues.  

  • Ensure that clinicians are adequately trained to spot flags in the patient’s data that should trigger alarm for the provider. 

Potential Damages 

Since RPM misuse can expose a provider to both regulatory fines and medical malpractice claims, the potential for a higher payout is increased. However, the frequency of such claims is relatively low. To date, MagMutual policyholders have not made a claim for any loss relating to RPM. 


1. Cybersecurity is one of the top three risks associated with RPM.
2. Patient Generated Health Data (PGHD) should be systematically reviewed when received by a provider, even if it seems irrelevant.
3. You should put a BAA in place with your RPM vendor before implementing a system.


The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.