
Remote patient monitoring: Risk management considerations

Remote patient monitoring (RPM) allows a patient to use a mobile medical device to perform routine tests and send test results to a physician in real time without visiting the office. The physician can then review the information and adjust the patient’s treatment plan as needed. RPM can help physicians manage patients with chronic conditions — high blood pressure, COPD, diabetes — and patients with implanted pacemakers or defibrillators. RPM also includes the use of wearable electronic devices designed for consumer or medical use.


Risk management considerations

Here are factors to think about when considering the use of RPM.


Providers using telemedicine in any capacity — including RPM — should develop a comprehensive set of protocols that defines hours of availability and describes the operation of telemedicine services. The protocols should describe when and how often the data is reviewed, and who reviews it. If the designated person is unavailable, who covers for them? The protocols should also include guidelines for physician notification.

Consider which of your patients are good candidates for RPM. You may decide not to use these technologies with patients who are not engaged in their own health care, patients who do not have reliable access to an internet connection, or senior patients who may have difficulty using technical devices.


Patients who are good candidates for RPM should be fully educated (and possibly sign an acknowledgment) about how to use and maintain the device, physician/provider “available hours” for consult, and the limitations of remote monitoring. Similar to emailing a practice with questions or issues, the patient must understand that there are limitations on remote monitoring, and that review of the data will occur during certain hours and within a certain timeframe.

Patients should be educated about what constitutes an emergency reading and how to respond (e.g., call 911 or go to the emergency department).


Patients should be educated on the risks of a remote device failing or malfunctioning, and the risks of malware compromising the effectiveness of the device and patient privacy.

These education elements should be documented in the medical record, either via written acknowledgment or documentation of discussion. A written acknowledgment should reference patient education about how remote monitoring works, the limitations, and warnings.


Some telemedicine platforms allow providers to set the times when patients can transmit data to the provider. Others allow providers to tailor the timing of transmissions for each patient to avoid random submissions when providers are not available to monitor the data. If patients will be allowed to transmit information 24/7, the providers would be responsible for developing and implementing a process to evaluate this data in a timely manner to avoid any delays in treatment.


Incorporate reference to telemedicine/remote monitoring technologies into your Notice of Privacy Practices.


Include telemedicine equipment in your organization’s Security Management Plan and annual Security Risk Assessment. Ensure that all employees who participate in telemedicine/remote monitoring services have received telemedicine-specific health care privacy and security training.


Determine the need for Business Associate Agreements. Evaluate all parties, including any vendors involved in the provision of services, for compliance with federal and state privacy and confidentiality regulations. Require that they be able to provide proof of compliance if asked, and require telemedicine vendors to hold their subcontractors accountable as well.


Ensure that all of your medical devices are safeguarded against data breaches, viruses, or malware. Per HIPAA, physicians must take reasonable steps to protect patient health information from unauthorized access by cyber criminals. Do not rely only on RPM device manufacturer security features. Be diligent in keeping all of your own encryption and security software up to date when using RPM technologies.


Texas physicians may use telemedicine to treat or see patients within Texas. However, to treat patients outside of Texas using remote technologies, you must be licensed in the state where the patient is located. If you practice outside of Texas, check with your state medical board for your local telemedicine rules and limitations.


Contact your medical liability carrier to discuss any change in your practice related to telemedicine. TMLT policyholders should contact the TMLT Underwriting and Business Development Department at   


Additional resources

“How to mitigate the risks of remote patient monitoring” on The Doctor Weighs In website, available at

Accessed February 5, 2021.


“Pros and cons of remote patient monitoring” on the Health IT Outcomes website, available at
Accessed February 5, 2021.


“Remote patient monitoring brings mHealth care management into the home” on the mHealth Intelligence website, available at
Accessed February 5, 2021.


“How to avoid the legal risks of telemedicine” on the Medical Economics website, available at Accessed February 5, 2021.


“Remote patient monitoring opportunities and risks for technology vendors and providers” on the JD Supra website at

Accessed February 5, 2021.


“Safely incorporate remote patient monitoring into your practice” on the Texas Medical Association (TMA) website. Portions of TMLT’s risk management advice found in this article also appear here. Available at

Accessed February 8, 2021.


Tanya Babitch can be reached


Robin Desrocher can be reached at