Navigating Compliance and Consent in Remote Patient Monitoring: Key Takeaways from CTeL’s RPM Conference
As telehealth and AI technologies continue to transform healthcare delivery, remote patient monitoring (RPM) stands out for its potential to improve patient outcomes. But with innovation comes a growing list of compliance challenges. At the Center for Telehealth and e-Health Law (CTeL)’s third annual Remote Patient Monitoring Conference, legal expert Adam Solander tackled the thorny issues of data privacy, informed consent, and compliance as they pertain to RPM systems.
Solander, a partner at King & Spalding, a member of the CTeL Legal Resource Team, and an authority on data privacy and security in digital health, offered an in-depth look at the regulatory landscape surrounding RPM. His message was clear: as RPM companies gather unprecedented amounts of patient data, their responsibilities to ensure informed consent and data privacy are greater than ever.
The Foundation: Transparent Consent
“Informed consent is the cornerstone of patient monitoring,” Solander stated, stressing that clear, easily understood consent is both a legal obligation and a core ethical responsibility for RPM providers. Consent, he emphasized, should be simple enough for any user to understand, outlining the purpose of the service, details of data collection, risks, and benefits. He described this approach as “clear and conspicuous,” a standard necessary for RPM providers to meet regulatory requirements across various states, each with its own laws on consent.
Solander noted the growing scrutiny by the Federal Trade Commission (FTC) over what he referred to as “dark patterns,” design elements that obscure critical information or subtly nudge users toward consenting to data use they may not fully comprehend. He advised companies to avoid these tactics and instead prioritize straightforward, accessible language. “Digital literacy matters,” he noted, recommending that providers offer consent forms in multiple languages and keep the text concise.
Data Privacy in the Era of RPM
With RPM systems generating vast datasets, the focus on data privacy has intensified, particularly as RPM technologies often rely on AI to analyze patient data. The challenges here are formidable. Solander explained that RPM providers are subject to stringent requirements under both HIPAA and numerous state laws that govern data sharing, use, and retention. He advised RPM companies to clearly define data rights within contracts, ensuring legal protections for both the organization and the patient.
Beyond compliance, Solander highlighted a broader shift: investors are increasingly viewing privacy and security as crucial elements in a company’s long-term value. “Data is the new oil, and securing rights to that data is like securing the ability to pump it,” Solander observed. Compliance with data privacy standards is becoming an asset for companies, enhancing reputations and attracting investors. In an industry where regulatory violations can cost millions and severely damage a company’s reputation, Solander argued that compliance is no longer just a cost of doing business—it’s a competitive advantage.
Balancing Consent and Data Rights
Consent in RPM, however, doesn’t end with initial approval. Solander discussed the complexities surrounding consent withdrawal, an increasingly relevant issue in light of state laws like the California Consumer Privacy Act (CCPA), which grants patients a “data destruction right.” RPM providers, he noted, need systems in place to honor consent withdrawal requests while still complying with regulatory data retention requirements.
For RPM companies, this balancing act—respecting patient rights while maintaining compliance—requires careful data management. It’s a necessity, he added, to communicate clearly with patients about data use and to offer processes for patients to withdraw consent when needed.
Compliance as a Strategic Advantage
Compliance might not be the first thing on the minds of fast-growing RPM startups, but Solander argued that it should be. As privacy standards tighten and regulatory bodies ramp up oversight, Solander noted that adhering to data privacy and security laws can help companies distinguish themselves in a crowded field. “When investors look at a company, they’re increasingly looking for compliance as a baseline,” he explained. “Data is invaluable, but without the legal right to use it, it’s worthless.”
The increased attention from regulators and private litigators makes non-compliance a costly gamble. Solander referenced multimillion-dollar settlements for data breaches and privacy violations, warning that even small companies can face severe penalties if they fail to secure data rights. For emerging RPM companies, he argued, a solid compliance foundation could spell the difference between success and failure in the market.
Key Takeaways for RPM Providers and Health Systems
Based on Solander’s insights, RPM providers and health systems should consider several concrete steps to strengthen compliance:
Simplify Consent Documents: Ensure that consent documents are easy to understand, include all necessary information on service use, and are available in multiple languages to improve accessibility.
Strengthen Data Privacy Measures: Align all RPM services with HIPAA and state privacy regulations, especially when using AI, and document all data use agreements.
Account for Digital Literacy: Ensure that consent forms avoid technical jargon and dark patterns so that patients of varying digital literacy levels understand what they’re consenting to.
Manage Consent Withdrawal: Implement processes for handling data deletion requests while meeting data retention requirements, especially in states with laws like the CCPA.
Position Compliance as a Competitive Advantage: Leverage a strong privacy and security posture to attract investors and gain a reputation as a responsible, trustworthy RPM provider.
A New Era for RPM Compliance
As RPM technology continues to evolve, so too does the regulatory landscape governing its use. Solander’s session at CTeL underscored that robust data privacy practices and transparent patient communication are essential for navigating this complex environment. For RPM companies, building a foundation of compliance isn’t just about avoiding legal pitfalls; it’s about establishing trust, both with patients and investors, in a field poised to shape the future of healthcare.