March 17, 2022

Considerations for Remote Patient Monitoring Vendors and Providers


Key Takeaways

  • The use of Remote Patient Monitoring – the use of digital technologies to monitor and capture medical and other health data from patients – is rapidly growing.
  • RPM vendors and providers using RPM technology are subject to specialized government regulations and guidelines.

Remote patient monitoring ("RPM") refers to the use of digital technologies to monitor and capture medical and other health data from an individual. This data is electronically stored for an individual's personal use or transmitted to health care providers for assessment. RPM requires a device to digitally record and transmit the recorded physiologic data. The data collected cannot be self-recorded, self-reported, or entered manually by the individual. RPM may also be called telemetry, remote physiologic monitoring, remote monitoring, or remote therapeutic monitoring.

Use of RPM was on the rise prior to the COVID-19 pandemic, but the value of providing patient care without additional travel or direct contact with others has been solidified during the pandemic and has propelled RPM to the forefront of care management tools. Better technologies and infrastructure to improve consistent monitoring, coupled with expanded Medicare coverage of RPM services to include both chronic and acute conditions, has dramatically increased the adoption of RPM.

With the growth of RPM, there are several considerations RPM vendors and health care providers using RPM services should understand. This article outlines security, compliance, and integration considerations that should be top of mind for vendors in the RPM industry and health care providers implementing RPM technologies.

Consumer Use of RPM
RPM solutions that capture or monitor health information are becoming increasingly popular. Consumers regularly use RPM devices and apps that track health information, such as fitness, medication, diet, mental health, and other health-related metrics. For example, an individual may use a monitor to track quantity and quality of sleep on a daily basis, while manually inputting day-to-day information that can affect sleep, like stress, diet, and exercise. However, it may come as a surprise to learn that many of these vendors are not covered by the Health Insurance Portability & Accountability Act ("HIPAA"). Instead, many RPM vendors providing these types of services are subject to a different set of federal regulations, including those enforced by the Federal Trade Commission ("FTC").

Due to the growing numbers of non-HIPAA-covered RPMs and Personal Health Record ("PHR")[1] vendors, the FTC recently issued guidance and declared its intent to bring actions to enforce its Health Breach Notification Rule ("HBN Rule"), 16 C.F.R. Part 318.[2] The HBN Rule requires vendors of PHR,[3] PHR-related entities[4] as well as their third-party service providers,[5] to notify individuals and the FTC if unauthorized access to consumer PHR identifiable health information[6] occurs. In breaches involving 500 or more residents of a given state, media outlets in that state must also be notified. With regard to timing, notice to affected individuals and the FTC must be made as soon as possible but in no case more than 60 days after the breach was discovered or should have reasonably been known to the vendor. If the breach involved 500 or more individuals, notice to the FTC must be provided no later than 10 business days after the discovery of the breach.

Violating the HBN Rule can result in prosecution as an unfair or deceptive act or practice in violation of the Federal Trade Commission Act and the imposition of daily civil monetary penalties. RPM vendors should be prepared with a plan to respond to potential data breaches, and for those vendors not covered by HIPAA, it is critical to include compliance with the HBN Rule as part of that plan.

Health Care Provider Use of RPM

RPM data that is transmitted to and used by a health care provider must comply with HIPAA. As RPM becomes a standard practice in the field, it is crucial for health care providers to understand that they have the same responsibility to protect patient information during remote visits as they do for in-person visits. As RPM is often combined with video conferencing, providers must ensure that both the RPM device and any follow-up technology used to track and communicate with patients comply with the HIPAA Rules. The storage and transmission of electronic files, video, and images need to be approached with the same caution as physical documents. Consumer-grade services, like Skype and FaceTime, do not support HIPAA-compliant video conferencing because they are not encrypted. Therefore, they should never be used for any purpose that requires the transmission of Protected Health Information. To remain HIPAA compliant, health care providers should ensure data encryption is fully implemented in the RPM technology they use. Providers should store videos taken of RPM services in a HIPAA-compliant electronic medical record. In addition, the provider should conduct appropriate due diligence prior to selecting an RPM vendor, ensure that they have a strong contract with the vendor that includes appropriate protections, and enter into a business associate agreement with the RPM vendor.

In addition to HIPAA compliance, providers should also understand the Centers for Medicare and Medicaid Services ("CMS") guidelines for RPM. CMS' 2021 Physician Fee Schedule[7] ("2021 Schedule") and 2022 Physician Fee Schedule[8] ("2022 Schedule") clarify how CMS will regulate and reimburse for RPM services. CMS created new codes ("CPT codes") for RPM services in 2019 and 2020 and has tweaked its guidelines for services delivered under general supervision for purposes of "incident to" billing. The 2021 Schedule clarified how RPM programs should be run. CMS stated that after analyzing and interpreting a patient's remotely collected physiologic data, the next step in RPM is the development of a treatment plan informed by the analysis and interpretation of the patient's data. CPT code 99457 and its add-on code, CPT code 99458, describe the treatment and management services associated with RPM. The 2021 Schedule clarified that the "interactive communication" requirement in CPT code 99457 includes not only gathering, analyzing and using the data, but also spending at least 20 minutes on a video platform or the phone with the patient. Providers can only bill once under CPT codes 99453 and 99454 per patient during a 30-day period no matter how many devices a patient uses. In addition, CMS noted in the 2021 Schedule that auxiliary personnel, in addition to clinical staff, can furnish RPM services so long as they are under the general supervision of a billing physician or practitioner. The 2022 Schedule lists certain services CMS added to the Medicare telehealth list during the pandemic which CMS had permitted to remain on the list until December 31, 2023 to collect data to determine whether these services should be permanently added to the telehealth list.

When choosing an RPM solution, in addition to compliance concerns, health care providers should consider the ease with which the RPM solution can be integrated with the provider's practice. The RPM solution should be evaluated for its ability to easily integrate with the provider's existing electronic medical record or other practice software as well as the ease of learning the RPM software. Additionally, the provider should take into consideration the scope of the RPM solution and the amount of manual monitoring required, which could affect the provider's ability to scale the RPM as its patient roster grows. Fully understanding the RPM software will also assist the provider in preparing patients for RPM services. Providers should be prepared to educate patients about the steps that they are taking, along with their technology provider, to secure their confidential information. It is important to let patients know that the technology chosen is designed for this purpose and that the provider's obligations under HIPAA are taken very seriously. Health care providers should update their HIPAA Notice of Privacy Practices to reflect the use of the RPM solution.

RPM has changed the face of health care for many, making health-related data more accessible than ever. The above considerations can help to arm vendors providing RPM and providers using RPM with security and compliance information needed to effectively support consumers and patients alike.


[1] PHR means "an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual." 16 C.F.R. § 318.2(d).
[2] See September 15, 2021 Statement of the Commission on Breaches by Health Apps and Other Connected Devices, available at

[3] A vendor of PHR is an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a PHR. 16 C.F.R. § 318.2(j).
[4] A PHR-related entity is an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that (1) offers products or services through the website of a vendor of PHRs; (2) offers products or services through the websites of HIPAA-covered entities that offer individuals PHRs, or (3) accesses information in a PHR or sends information to a PHR. 16 C.F.R. § 318.2(f).
[5] A third-party service provider is an entity that (1) provides services to a vendor of PHR in connection with the offering or maintenance of a PHR or to a PHR-related entity in connection with a product or service offered by that entity; and (2) accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services. 16 C.F.R. § 318.2(h).
[6] PHR identifiable health information is "health information that identifies someone or could reasonably be used to identify someone." Complying with FTC's Health Breach Notification Rule, January 2022, available at
[7] See 2021 Medicare Physician Fee Schedule Final Rule, available at also 16 C.F.R. § 318.2(3).
[8] See 2022 Medicare Physician Fee Schedule Final Rule, available at
