Considerations for Remote Patient Monitoring Vendors and Providers

Remote patient monitoring ("RPM") refers to the use of digital technologies to monitor and capture medical and other health data from an individual. This data is electronically stored for an individual's personal use or transmitted to health care providers for assessment. RPM requires a device to digitally record and transmit the recorded physiologic data. The data collected cannot be self-recorded, self-reported, or entered manually by the individual. RPM may also be called telemetry, remote physiologic monitoring, remote monitoring, or remote therapeutic monitoring. ​

What You Need to Know:

• The use of Remote Patient Monitoring - the use of digital technologies to monitor and capture medical and other health data from patients - is rapidly growing.
• RPM vendors and providers using RPM technology are subject to specialized government regulations and guidelines.​

Use of RPM was on the rise prior to the COVID-19 pandemic, but the value of providing patient care without additional travel or direct contact with others has been solidified during the pandemic and has propelled RPM to the forefront of care management tools. Better technologies and infrastructure to improve consistent monitoring, coupled with expanded Medicare coverage of RPM services to include both chronic and acute conditions, has dramatically increased the adoption of RPM.

With the growth of RPM, there are several considerations RPM vendors and health care providers using RPM services should understand. This article outlines security, compliance, and integration considerations that should be top of mind for vendors in the RPM industry and health care providers implementing RPM technologies.

Consumer Use of RPM
RPM solutions that capture or monitor health information are becoming increasingly popular. Consumers regularly use RPM devices and apps that track health information, such as fitness, medication, diet, mental health, and other health-related metrics. For example, an individual may use a monitor to track quantity and quality of sleep on a daily basis, while manually inputting day-to-day information that can affect sleep, like stress, diet, and exercise. However, it may come as a surprise to learn that many of these vendors are not covered by the Health Insurance Portability & Accountability Act ("HIPAA"). Instead, many RPM vendors providing these types of services are subject to a different set of federal regulations, including those enforced by the Federal Trade Commission ("FTC").

Due to the growing numbers of non-HIPAA-covered RPMs and Personal Health Record ("PHR")^[1] vendors, the FTC recently issued guidance and declared its intent to bring actions to enforce its Health Breach Notification Rule ("HBN Rule"), 16 C.F.R. Part 318.^[2] The HBN Rule requires vendors of PHR,^[3] PHR-related entities^[4] as well as their third-party service providers,^[5] to notify individuals and the FTC if unauthorized access to consumer PHR identifiable health information^[6] occurs. In breaches involving 500 or more residents of a given state, media outlets in that state must also be notified. With regard to timing, notice to affected individuals and the FTC must be made as soon as possible but in no case more than 60 days after the breach was discovered or should have reasonably been known to the vendor. If the breach involved 500 or more individuals, notice to the FTC must be provided no later than 10 business days after the discovery of the breach.

Violating the HBN Rule can result in prosecution as an unfair or deceptive act or practice in violation of the Federal Trade Commission Act and the imposition of daily civil monetary penalties. RPM vendors should be prepared with a plan to respond to potential data breaches, and for those vendors not covered by HIPAA, it is critical to include compliance with the HBN Rule as part of that plan.

Health Care Provider Use of RPM

RPM data that is transmitted to and used by a health care provider must comply with HIPAA. As RPM becomes a standard practice in the field, it is crucial for health care providers to understand that they have the same responsibility to protect patient information during remote visits as they do for in-person visits. As RPM is often combined with video conferencing, providers must ensure both the RPM device and any follow up technology to track and communicate with patients comply with the HIPAA Rules. The storage and transmission of electronic files, video, and images needs to be approached with the same caution as with physical documents. Consumer grade services, like Skype and Facetime, do not support HIPAA-compliant video conferencing because they are not encrypted. Therefore, they should never be used for any purpose that requires the transmission of Protected Health Information. To remain HIPAA compliant, health care providers should ensure data encryption is fully implemented in the RPM technology they use. Providers should store videos taken of RPM services in a HIPAA-compliant electronic medical record. In addition, the provider should conduct appropriate due diligence prior to selecting an RPM vendor, ensure that they have a strong contract with the vendor that includes appropriate protections, and enter into a business associate agreement with the RPM vendor.

In addition to HIPAA compliance, providers should also understand the Centers for Medicare and Medicaid Services ("CMS") guidelines for RPM. CMS' 2021 Physician Fee Schedule^[7] ("2021 Schedule") and 2022 Physician Fee Schedule^[8] ("2022 Schedule") clarify how CMS will regulate and reimburse for RPM services. CMS created new codes ("CPT codes") for RPM services in 2019 and 2020 and has tweaked its guidelines for services delivered under general supervision for purposes of "incident to" billing. The 2021 Schedule clarified how RPM programs should be run. CMS stated that after analyzing and interpreting a patient's remotely collected physiologic data, the next step in RPM is the development of a treatment plan informed by the analysis and interpretation of the patient's data. CPT code 99457 and its add-on code, CPT code 99458, describe the treatment and management services associated with RPM. The 2021 Schedule clarified that the "interactive communication" requirement in CPT code 99457 includes not only gathering, analyzing and using the data, but also spending at least 20 minutes on a video platform or the phone with the patient. Providers can only bill once under CPT codes 99453 and 99454 per patient during a 30-day period no matter how many devices a patient uses. In addition, CMS noted in the 2021 Schedule that auxiliary personnel, in addition to clinical staff, can furnish RPM services so long as they are under the general supervision of a billing physician or practitioner. The 2022 Schedule lists certain services CMS added to the Medicare telehealth list during the pandemic which CMS had permitted to remain on the list until December 31, 2023 to collect data to determine whether these services should be permanently added to the telehealth list.

When choosing an RPM solution, in addition to compliance concerns, health care providers should consider the ease with which the RPM solution can be integrated with the provider's practice. The RPM solution should be evaluated for its ability to easily integrate with the provider's existing electronic medical record or other practice software as well as the ease of learning the RPM software. Additionally, the provider should take into consideration the scope of the RPM solution and the amount of manual monitoring required, which could affect the provider's ability to scale the RPM as its patient roster grows. Fully understanding the RPM software will also assist the provider in preparing patients for RPM services. Providers should be prepared to educate patients about the steps that they are taking, along with their technology provider, to secure their confidential information. It is important to let patients know that the technology chosen is designed for this purpose and that the provider's obligations under HIPAA are taken very seriously. Health care providers should update their HIPAA Notice of Privacy Practices to reflect the use of the RPM solution.

RPM has changed the face of health care for many, making health-related data more accessible than ever. The above considerations can help to arm vendors providing RPM and providers using RPM with security and compliance information needed to effectively support consumers and patients alike.

[1] PHR means "an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual." 16 C.F.R. § 318.2(d).
[2] See September 15, 2021 Statement of the Commission on Breaches by Health Apps and Other Connected Devices, available at https://www.ftc.gov/system/files/documents/public_statements/1596364/
statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf
[3] A vendor of PHR is an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a PHR. 16 C.F.R. § 318.2(j).
[4] A PHR-related entity is an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that (1) offers products or services through the website of a vendor of PHRs; (2) offers products or services through the websites of HIPAA-covered entities that offer individuals PHRs, or (3) accesses information in a PHR or sends information to a PHR. 16 C.F.R. § 318.2(f).
[5] A third-party service provider is an entity that (1) provides services to a vender of PHR in connection with the offering or maintenance of a PHR or to a PHR-related entity in connection with a product or service offered by that entity; and (2) accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services. 16 C.F.R. § 318.2(h).
[6] PHR identifiable health information is "health information that identifies someone or could reasonably be used to identify someone." Complying with FTC's Health Breach Notification Rule, January 2022, available at https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0
[7] See 2021 Medicare Physician Fee Schedule Final Rule, available at https://www.cms.gov/medicaremedicare-fee-service-paymentphysicianfeeschedpfs-federal-regulation-notices/cms-1734-f; see also 16 C.F.R. § 318.2(3).
[8] See 2022 Medicare Physician Fee Schedule Final Rule, available at https://www.cms.gov/medicaremedicare-fee-service-paymentphysicianfeeschedpfs-federal-regulation-notices/cms-1751-f