Remote patient monitoring (RPM) has grown from a niche clinical tool into a core revenue stream for healthcare organizations of all sizes. CMS reimbursement for RPM services, combined with advances in connected health devices, has made it attractive for startups and established practices alike. But the compliance landscape for RPM is more nuanced than many founders realize.
From billing requirements to device regulations, here is what you need to know to operate an RPM program compliantly in 2026.
RPM Billing Requirements Under Medicare
CMS has established specific CPT codes for RPM services, and each code has distinct requirements that must be met to support billing.
- CPT 99453 — Initial setup and patient education: Covers the initial setup of the RPM device and education provided to the patient on how to use it. This is billed once per episode of care.
- CPT 99454 — Device supply with daily recordings: Covers the supply of the monitoring device and the transmission of data. Requires at least 16 days of data collection within a 30-day period to bill.
- CPT 99457 — Treatment management services: Covers the first 20 minutes of clinical staff time in a calendar month spent on interactive communication with the patient or caregiver, and/or reviewing and interpreting RPM data.
- CPT 99458 — Additional 20-minute increments: Covers each additional 20 minutes of treatment management services beyond the initial 20 minutes.
The 16-day data transmission requirement for CPT 99454 is one of the most common compliance pitfalls. Organizations must have systems in place to track daily transmissions and ensure the threshold is met before billing.
CMS Guidelines and Ordering Requirements
CMS requires that RPM services be ordered by a physician or qualified healthcare professional. The ordering provider must establish the medical necessity for monitoring and document it in the patient's medical record. Key CMS guidelines include:
- Established patient relationship: RPM services generally require an established patient-provider relationship, though CMS has provided some flexibility for new patients under certain conditions.
- Medical necessity documentation: The ordering provider must document why RPM is medically necessary for the specific patient, including the condition being monitored and the expected clinical benefit.
- General supervision: RPM services can be furnished under general supervision, meaning the supervising physician does not need to be physically present when clinical staff are providing the services.
- Incident-to billing: Clinical staff providing RPM services may bill incident-to the ordering physician, provided all incident-to requirements are met.
State Licensing Considerations for RPM
One of the trickiest compliance areas for RPM is state licensing. When a patient is located in one state and the monitoring provider is in another, the question of where the practice of medicine is occurring becomes critical.
Most state medical boards consider the practice of medicine to occur where the patient is located. This means that providers conducting RPM must hold a license in the patient's state, not just the state where they are physically located. For multi-state RPM programs, this creates a significant licensing burden.
Interstate licensure compacts can help. The Interstate Medical Licensure Compact (IMLC) and the Nurse Licensure Compact (NLC) allow qualifying providers to practice across member states, but not all states participate in these compacts. RPM companies must conduct a state-by-state licensing analysis before expanding into new markets.
Patient Consent Requirements
Patient consent for RPM goes beyond standard medical consent. Patients must be informed about and consent to several aspects of the monitoring program:
- Nature of monitoring: What data will be collected, how it will be transmitted, and who will review it.
- Cost and billing: Patients should understand any out-of-pocket costs, including copays and coinsurance for RPM services.
- Opt-out rights: Patients must have the right to discontinue RPM at any time without affecting their access to other care.
- Data privacy: How the patient's health data will be stored, used, and protected, including any data sharing with third parties.
Best practice is to obtain written consent using a dedicated RPM consent form that covers all of these elements, separate from the general consent to treatment.
Data Privacy and HIPAA Compliance
RPM generates a continuous stream of patient health data, which creates heightened privacy and security obligations. Beyond standard HIPAA compliance, RPM programs should address:
- Data transmission security: All data must be encrypted in transit from monitoring devices to the platform and at rest once it is stored.
- Business Associate Agreements: RPM device manufacturers, cloud storage providers, and data analytics platforms that handle patient data must execute BAAs with the covered entity.
- Minimum necessary standard: Only the data elements necessary for the clinical purpose should be collected and shared. Collecting extraneous data increases privacy risk without clinical benefit.
- Data retention and disposal: Establish clear policies for how long RPM data is retained and how it is securely disposed of when no longer needed.
RPM platforms often collect more data than traditional clinical encounters. Organizations must ensure their HIPAA risk assessments specifically address the unique data flows and storage requirements of their RPM programs.
Device Regulations and FDA Considerations
The devices used in RPM programs may be subject to FDA regulation depending on their classification and intended use. Healthcare organizations should verify that the devices they deploy are FDA-cleared or exempt for their intended purpose. Key considerations include:
- Whether the device is classified as a medical device or a general wellness product
- Whether the device has received 510(k) clearance or De Novo classification
- Whether the software platform qualifies as a medical device under FDA guidance on software as a medical device (SaMD)
- Adverse event reporting obligations for device manufacturers and healthcare facilities
RPM represents a significant growth opportunity for healthcare organizations, but the compliance requirements are substantial and evolving. Building a compliant RPM program from the outset is far less costly than remediating compliance gaps after an audit or enforcement action.