Loyola University Chicago School of Law, JD 2023
The COVID-19 pandemic has fundamentally changed many aspects of healthcare delivery. Most notably, the pandemic increased the demand for digital health services. Telemedicine saw ten years’ worth of expansion in one year, but it was not the only digital health service that exploded as a result of the pandemic. Telehealth has evolved from merely meeting with a provider via a video conference to include more sophisticated technologies. Remote Patient Monitoring (“RPM”) allows for providers to collect patient data without the patient having to go to a healthcare facility for monitoring. RPM can improve the quality of healthcare delivery by more closely monitoring a patient while also reducing patient volumes within a healthcare setting. In addition, because RPM allows patients to get more care at home, it can largely reduce costs to the patient and the payor while increasing access. Despite the many benefits associated with RPM, there are considerable risks and compliance issues.
How does RPM work?
A healthcare provider can collect and maintain patient data in-house, but more often providers are contracting with a third-party vendor to use RPM services through the vendor’s platform. A provider can order RPM for a specific patient, and the vendor will provide delivery and set up services for the monitoring equipment. Once the patient has been informed about how to use the equipment, the provider can begin monitoring different data. For example, RPM is largely used for chronic care, behavioral health, or in a post-operative setting. RPM devices can measure body temperature, respiratory rate, heart rate, blood pressure, and even insulin levels. The provider can review the data to determine what communication is necessary or what changes need to be made for the patient’s care. For example, the provider might recommend a video conference with the patient to discuss the data and care strategy, or if the patient requires more immediate care, the provider can recommend that the patient go to the hospital for further care.
Why did RPM explode during the pandemic and will it remain post-pandemic?
RPM exploded during the pandemic because it helped improve the quality and continuity of care for COVID-19 patients. COVID-19 patients who did not require hospitalization could be monitored at home, which helped reduce wait time and patient volume in emergency rooms. If a patient did require hospitalization due to COVID-19, RPM helped bridge the gap in care by allowing providers to conduct follow-up visits without the patient having to return to the hospital. In addition, a hospital stay is expensive for both the patient and payor, so reducing the number of patients that need to stay in the hospital for monitoring purposes decreases costs and federal spending when the patient is a Medicare or Medicaid beneficiary. The increased need for RPM allowed it to evolve and explode; however, the benefits of RPM are likely here to stay. Many minority and low-income communities have endured limited access to care while experiencing a greater risk of chronic conditions, such as heart disease or diabetes. RPM has the ability to increase access to care while keeping costs low to improve population health in minority and low-income communities.
How has RPM evolved?
Before the widespread adoption of telehealth and RPM during the pandemic, digital health services were struggling to find their place in healthcare delivery, despite the available technology. This was mostly due to the limited reimbursement opportunities and lack of incentives for providers. At the beginning of the pandemic, the Department of Health and Human Services (“HHS”) and the Centers for Medicare and Medicaid Services (“CMS”) released an interim final rule to ensure providers had more flexibility to provide virtual health services for the duration of the pandemic. In December of 2020, the final rule was released, and later, in January, CMS clarified reimbursement for RPM services. CMS mandated that at least twenty minutes of interactive communication time between the provider and patient was necessary over a calendar month to qualify for reimbursement under CPT codes 99457 and 99458. CMS clarified that the “interactive communication” can include in-person or RPM services. Further, only one practitioner can bill CPT codes 99453 and 99454 during a thirty-day period and only when at least sixteen days of data have been collected on at least one medical device. Proponents of the expansion of telehealth are pleased that the final rule has allowed reimbursement for monitoring by a practitioner other than a physician; however, they are disappointed that the final rule does not allow for multiple reimbursements for each device monitoring for different data.
What are the compliance risks associated with RPM?
While RPM has the ability to vastly improve the quality and cost of health care delivery, it is not without potential risks and compliance issues. RPM uses a variety of devices, applications, communication technologies, and databases for data storage. Thus, providers and larger healthcare systems must consider the security of their platform whether they’re monitoring the data in-house or through a third-party vendor. Multistep processes that interact through the RPM platform and interconnected systems pose a risk of cyberattack. HIPAA and patient data security laws still apply to patient data kept in the RPM platforms. The RPM company must have HIPAA-compliant protocols, such as encrypting the data when appropriate.
Additionally, because many providers and health care systems choose to use a third-party vendor, the risk of abuse increases. Healthcare professionals should not have a business or financial interest in the RPM vendor, so that they do not risk running afoul of the healthcare fraud and abuse laws, such as the Anti-Kickback Statute or Stark laws. Similarly, as in other aspects of telehealth, RPM presents risks for fraudulent billing. A cardiac monitoring company created a registration process that led providers to charge the highest reimbursement code from CMS. The company was fined $13 million by the Department of Justice (“DOJ”) because it promoted unnecessary services that led to increased billing. With the continued exponential growth of the RPM industry, CMS and the DOJ are still determining the best practices to manage regulation. As a result, healthcare systems and providers must balance the benefits and potential risks of RPM.