David Schoolcraft, General Counsel
The healthcare industry’s focus on remote patient monitoring (RPM) to reduce costs and improve patient outcomes raises several legal questions among health systems and vendors. However, the rules are not drastically different from those for any other solution a care provider uses.
Think of RPM liability as similar to the potential liability for any medical device used to treat patients in the hospital. A reasonable health system or reasonable doctor standard applies if a device supplied by the healthcare provider malfunctions or provides inaccurate data, and the patient dies as a result.
In either an RPM or onsite scenario, liability concerns compound if the device is not FDA regulated, which is why it is crucial for vendors and health systems to be sure each assumes an appropriate amount of risk.
If the device is FDA-regulated and malfunctions or a provider misuses it, liability shifts accordingly. Hospitals are primarily responsible for data privacy for RPM solutions that are NOT devices, such as apps. Under HIPAA, hospitals are known as covered entities.
Bottom line: Health systems are on the hook concerning unauthorized PHI disclosure and device misuse.
Business Associate Agreements – where the rubber meets the road
If PHI is exchanged as part of the service relationship, the health system and vendor must have an agreement in place that meets the HIPAA regulatory standards. HHS refers to this agreement as a Business Associate Agreement. From there, liability allocation between the vendor and the health system is governed largely by the attribution of risk provisions within the contractual arrangement between the parties.
Needless to say (but I will anyway), it is incumbent upon health systems to thoroughly vet their vendors before entering into this type of agreement.
It is also important to note that the HIPAA business associate agreement requirements do not apply to all software used by a hospital (check out Myth #3 in the link). A good example is enterprise resource planning software that doesn’t need to access PHI. Generally speaking, think of non-clinical functions or other functions that do not require access to PHI.
Primary regulatory considerations
A good base of understanding is what I call the “Big 3” FDA rules. These are:
- FDA’s medical device regulations: These are not perfect and constantly changing. Someone from or affiliated with your organization needs to stay on top of this.
- FDA’s medical device software regulations (i.e., when the software is embedded into the device): The FDA is “tiptoeing” into this and is urged to regulate AI. Someone needs to stay on top of this, too.
- HIPAA: Health systems should evaluate the security and HIPAA compliance of how the PHI is used and how secure it is.
Honorable mention: CMS. Not a risk, per se, but a health system needs to be sure it meets reimbursement standards. These rules, as you are probably aware, are very complicated.
Entrust legal eagles with rule monitoring
It is a constant battle for health systems and vendors to stay updated on ever-changing standards and regulations. A robust legal team – risk managers, lawyers, and compliance experts – will keep its employers and clients current on developments and changing requirements.
Many tech companies unfamiliar with healthcare see opportunities for expansion into this space, as they should. However, it’s not an easy market in which to get up to speed quickly. Compare it to rideshare regulations for context. Once Uber cleared laws for taxi services, they were off and running. Healthcare is much more complex.
Health systems and care providers are always on the front line. Therefore, it is essential to:
- Make sure staff are thoroughly trained on any new RPM solution
- Ensure RPM data is accurate and meets applicable standards
- Understand responsibility: the reasonable doctor standard or reasonable health tech standard is the same whether the app or device is used in a hospital setting or recommended by the health care organization for use in the home
It is important for health systems to work with well-insured vendors who know the legal side and are familiar with healthcare. Xealth spun out of the Providence health system in 2017 and has raised $53.6M in funding from various investors, including 15 health systems. They are an established and reliable company within the digital health industry.
Learn how Xealth is helping health systems implement effective RPM programs that meet regulations on all sides.