Remote patient monitoring — Risk management considerations

by Tanya Babitch, Assistant Vice President, Risk Management, and
Robin Desrocher, BSN, RN, CPHRM, Director, Risk Managment

Remote patient monitoring (RPM) allows a patient to use a mobile medical device to perform routine tests and send test results to a physician in real-time without visiting the office. The physician can then review the information and adjust the patient’s treatment plan as needed.

RPM can help physicians manage patients with chronic conditions — high blood pressure, COPD, diabetes — and patients with implanted pacemakers or defibrillators. RPM also includes the use of wearable electronic devices designed for consumer or medical use.

Risk management considerations

Here are factors to think about when considering the use of remote patient monitoring.

Providers using telemedicine in any capacity — including remote patient monitoring — should develop a comprehensive set of protocols that defines hours of availability and describes the operation of telemedicine services. The protocols should describe when, how often, and who reviews the data. If the designated person is unavailable, who covers for them? The protocols should also include guidelines for physician notification.
Patients should be educated (and possibly sign an acknowledgment) about physician/provider “available hours” and the limitations of remote monitoring. Similar to emailing a practice with questions or issues, the patient must understand that there are limitations on remote monitoring, and that review of the data will occur during certain hours and within a certain timeframe.
Patients should be educated about what constitutes an emergency reading, and how to respond (i.e., call 9-1-1, go to the emergency department, etc.).
Patients should be educated on the risks of a remote device failing or malfunctioning, and the risks of malware compromising the effectiveness of the device and patient privacy.
These education elements should be documented in the medical record, either via written acknowledgment or documentation of discussion. A written acknowledgment should reference patient education about how remote monitoring works, the limitations, and warnings.
Some telemedicine platforms allow providers to set the times when patients can transmit data to the provider. Others allow providers to tailor the timing of transmissions for each patient to avoid random submissions when providers are not available to monitor the data. If patients will be allowed to transmit information 24/7, the providers would be responsible for developing and implementing a process to evaluate this data in a timely manner to avoid any delays in treatment.
Incorporate reference to telemedicine/remote monitoring technologies into your Notice of Privacy Practices.
Include telemedicine equipment in your organization’s Security Management Plan and annual Security Risk Assessment. Ensure that all employees who participate in telemedicine/remote monitoring services have received telemedicine-specific health care privacy and security training.
Determine the need for Business Associate Agreements. Evaluate all parties, including any vendors involved in the provision of services, for compliance with federal and state privacy and confidentiality regulations. Require the ability to provide proof compliance if asked; and require telemedicine vendors to hold their subcontractors accountable as well.
Contact your medical liability carrier to discuss any change in your practice related to telemedicine. TMLT policyholders should contact the TMLT Underwriting Department.