
Getting Risk Ready for the Wearable Revolution


Health care innovation is on an accelerated trajectory! From mobile pulse oximeters to Fitbits, Apple Watches and Continuous Glucose Monitors (CGMs), these devices, known as Remote Patient Monitoring (RPM) or Wearables, are everywhere.

According to Pew Research, by 2025 wearable devices will be ubiquitous. (1) And Bloomberg estimates the medical Wearables market will grow to $76 billion by 2028. (2)

Wearables are electronic devices worn on the body that sense, analyze and transmit biological data that can be used to manage diseases or improve health. (1) The data collected may include heart rate, blood pressure, temperature, blood oxygen saturation, blood glucose levels, sleep patterns and activity such as steps, running distance and speed. (3,4) RPM solutions have the ability to transmit that data to health care professionals for review, diagnosis or clinical management.

You may be wondering what impact wearable technology has on health care delivery. As a result of the global pandemic and as health care provider shortages continue, digital health care has seen a significant uptick in adoption and utilization, as these devices have been found to be a game changer to engage and keep remote patient populations healthy. In underserved and rural areas, wearable technology provides individuals with the tools they need to communicate with their providers between visits. For patients with chronic conditions like diabetes or congestive heart failure, wearable trackers like CGMs or smart scales allow monitoring patient conditions from the comfort of one’s home. Patients are no longer limited by their conditions, but instead empowered to meet their goals and improve their overall wellbeing. Wearable technology is expected to play a greater role in the patient’s health care experience post pandemic because it allows practitioners to closely monitor a patient’s health outside the office as a means to augment traditional medical care. With this data, the care team can monitor chronic conditions outside of the traditional health care environment and intervene in disease management as necessary, either in-person or virtually, before a patient’s condition becomes critical, thus reducing the need for emergency room visits or readmissions.

According to the American Hospital Association’s 2022 Environmental Scan, 26% of consumers own a wearable health device or use a smartphone to track wellness, 50% of patients would allow information from their device to be sent directly to their physician’s office and 57% believe the data is useful and want it to be collected by their doctor. (5)

To date, there are no known claims in the United States involving wearables. A 2014 Canadian personal injury case was the first to introduce data from a wearable. In that case, a personal trainer used data from a Fitbit to show a marked decrease in activity after a traffic accident. (6) Although there are no cases in the U.S. to date, it is likely that in the future, both plaintiffs and defendants in medical malpractice cases will use data from wearables to supplement information from traditional sources. (7) For example, claims for emotional damages may be bolstered by data showing increased insomnia, high blood pressure or other physiological signs of stress. (8)

The migration to using RPM or Wearables presents a lot of exciting possibilities in engaging patients and providing their physicians with a real-time picture of their care and adherence to treatment. However, it does not come without risks. For that reason, health care risk professionals need to proactively stay abreast of this rapidly evolving field and emerging area of risk. Below are some considerations and strategies to mitigate potential risks.

Not All Wearable Technology is Created Equal

It is important to understand that not all wearable technology is created equal. Wearables come in many different forms and have a myriad of features and various uses. To that end, it is vital to distinguish medical-grade devices approved by the Food and Drug Administration (FDA) from consumer-grade wearables. Being subject to FDA approval means that the medical-grade wearables have undergone testing and validation, the results of which were submitted to the FDA for review. On the other hand, consumer-grade wearables are used primarily as a motivational tool for patients. Because medical-grade devices undergo rigorous testing, they are likely to be more accurate and reliable than consumer-grade devices. In addition, medical-grade devices may include features that consumer-grade devices do not, such as the ability to record and store data for extended periods. (9) Consumer-grade devices have more variability in their data, overestimating or underestimating when compared to a medical device. (10) It is critical for providers to be aware of the limitations of the data when using the device for clinical decision-making, and that they inform the patient of these limitations. For example, the FDA issued a warning that pulse oximeters have “limitations and a risk of inaccuracy,” which patients monitoring themselves at home and health care providers must consider. (11)

Staff Education and Device Training Needed

Before prescribing or recommending wearables to patients, provide staff members with appropriate training on the device. They may need to show patients how to set up and operate the device correctly, answer questions about the device, explain what to do in response to prompts, etc.

Patient Selection Criteria Considered

Before recommending that a patient use a wearable device, consideration needs to be given to whether they will be able to operate the device and whether their lifestyle supports the proper use of the device. In addition, will the patient be able to afford the device and accessories, and have access to a reliable internet connection and smartphone (if required)? Thought needs to be given to whether using the device will improve the patient’s health and outcomes compared to their current treatment plan. In other words, is the patient likely to become more engaged or less engaged in their care by using the device?

Patient Education and Device Training Needed

To increase patient self-efficiency, explain and show the patient how to use the device; how to read and respond to data; when and how to transmit data to the office; when it would be appropriate to call the office or seek immediate medical attention, i.e., call 911 or go to the Emergency Department (ED); and what to do if the device malfunctions. When educating the patient, use teach-back and show-me to confirm that the patient has understood the information and can use the device appropriately.

Encourage the patient to share their data with a trusted family member or friend who may be able to help them adhere to the treatment plan or respond to alerts. As with all patient education, document the training in the electronic health record (EHR).

Expectations, Roles and Responsibilities Set

Manage patient expectations by communicating when and what data you will review. For example, tell patients that you will review data during an office visit or that you will not review data that is sent to you unless the patient calls with a specific concern. Tell the patient how readings outside predetermined “guardrails” or thresholds must be communicated as well as what you will do and what the patient must do. Document these discussions.

Informed Consent and Documentation Obtained

Prior to initiation of monitoring, it is important to obtain informed consent that includes the reason for using the wearable device, the benefits and limitations, the roles and responsibilities of the patient and the clinician, and mutual expectations. Patients should be taught how to maintain the device, what a device malfunction looks like and what to do if they encounter one, as well as confidentiality and privacy provisions. It is imperative that patients understand how often and by whom the device data will be monitored, how alerts will be handled, and what they should do if they feel sick or are having a medical emergency – i.e., they need to call 911/go to the nearest ED. Include a written agreement about what you have discussed and enter it into the medical record.

Documentation Required

Documentation must include the purpose or goals for using RPM/Wearables, the device being used, as well as the informed consent mentioned previously. Documentation should indicate when data from a wearable is used in clinical decision-making, to modify a care plan or change medication. If the device is discontinued, document the reason, actions taken and any follow-up communications.

Patient education on the risks of a remote device failing/malfunctioning, and the risks of malware compromising the effectiveness of the device and patient privacy should also be documented. Observe all medical and legal standards of care.

Data Management Handling

Receiving, analyzing and following up on Wearables data can be a daunting task. Moreover, the large volume of data could lead to alert fatigue. If your organization is not prepared to interact with the technology, it can lead to claims for failure to monitor, failure to detect or a missed diagnosis. Secure and reliable transmission of data using (vendor) platforms that integrate data transmission and alert systems into workflows and the patient’s medical record is key.

Before prescribing or recommending wearable devices or accepting data from patients, it is critical that policies and processes for managing data, distinguishing between data from medical-grade and consumer-grade devices, and appropriately using it in patient care are established. Clear guidelines or “guardrails” for if and when the data will be reviewed, by whom and how often are essential. Consider how you will review and record data from patients, the implications of actionable data and an escalation plan for data. For instance, if a patient sends you data via the patient portal or calls the office with a high blood pressure reading, how will the responsible provider be notified, what action will be initiated, including patient follow up, and where will this be documented in the patient’s EHR?

Data Security Essential

Wearables transmit patient data; hence, the risk of a data breach exists. Breaches of medical devices can cause an interruption in data flow or result in inoperability or a malfunction of the device. Properly encrypted data transmission is essential to comply with the Health Insurance Portability and Accountability Act (HIPAA). Providers who fail to properly safeguard protected health information (PHI) can face significant penalties.

The FDA has provided guidance on cybersecurity risks for medical devices. The FDA states that “device manufacturers, hospitals, healthcare providers, and patients” share a responsibility for keeping devices and data secure. (12) Steps to safeguard patient information within a network include ensuring antivirus software and firewalls are up to date, monitoring the network for unauthorized use and reporting any medical device cybersecurity problems to the device manufacturer. Patients are asked to be informed, register the device, update software, report glitches and issues, and educate family or caregivers about their device. (13,14) Likewise, health care providers and hospitals must reduce cybersecurity risks within their systems. (12)

Including Wearables equipment in your organization’s Security Management Plan and annual Security Risk Assessment is advised. It is key that all staff who participate in Remote Patient Monitoring services receive Remote Patient Monitoring-specific health care privacy and security training.

Incorporate reference to remote monitoring technologies into your Notice of Privacy Practices and determine the need for any Business Associate Agreements (BAA). Evaluate all parties, including any vendors involved in the provision of services, for compliance with federal/state privacy and confidentiality regulations. Require the ability to provide proof of compliance if asked and require vendors to hold any of their subcontractors accountable for the same level of compliance. Consult with your cyber insurer and insurance agent and request an assessment of your cyber risk preparedness to protect your organization.

Device Malfunction Responsibilities

If a remote device fails or malfunctions, health care providers may be named in a lawsuit against the manufacturer under the claim that the provider failed to use the device properly. To help minimize this risk, health care providers should routinely follow FDA alerts and recalls. In addition, stay up to date on the latest information for the device, including manufacturer warnings, device safety records and the device’s approved uses.

Also, thoroughly read all contracts with medical device vendors, and consult with an attorney regarding them. It is key that each contract outlines who is responsible in the event of a device malfunction or failure.

Quality Control Processes

Remote Patient Monitoring should be subject to a quality-control process. This may be managed by a medical equipment vendor, if the device is rented, or a home health agency. Otherwise, have the patient bring the device to the office visit to evaluate how the patient uses it and compare the device results with office-based findings. For example, compare the office-based point of care glucose result with the device glucose reading. Using data to measure the performance of a Remote Patient Monitoring/Wearables program provides information to guide further development of services or can highlight specific opportunities for improvement.

As RPM and wearable technology continue to gain traction as a way to improve patient outcomes, the rules, roles, standards and uses are still evolving and will continue to change as technology improves and new capabilities are adopted. RPM and wearables risks can be managed by staying abreast of changing technology and regulations. Stay informed by monitoring the literature for developments and by following FDA alerts, recalls and updates.


  1. Anderson J, Rainie L. The Internet of Things Will Thrive by 2025. Pew Research Center. https://www.pewresearch.org/internet/2014/05/14/internet-of-things/. Published May 14, 2014. Accessed August 8, 2023.
  2. Wearable medical devices market to grow US$ 76,479.8 Mn by end of 2028, says Coherent Market Insights. Bloomberg. October 20, 2021 (https://www.bloomberg.com/press-releases/2021-10-20/wearable-medical-devices-market-to-grow-us-76-479-8-mn-by-end-of-2028-says-coherent-market-insights).
  3. Fotiadis DI, Glaros C, Likas A. Wearable medical devices. In: Akay M (Ed.). Wiley Encyclopedia of Biomedical Engineering. Hoboken, NJ: Wiley Interscience; 2006.
  4. Chandrasekaran R, Katthula V, Moustakas E. Patterns of use and key predictors for the use of wearable healthcare devices by USA adults: insights from a national survey. J Med Internet Res. 2020;22(10):e22443.
  5. American Hospital Association 2022 Environmental Scan. https://www.aha.org/guidesreports/2022-12-05-2022-environmental-scan. Accessed August 1, 2023.
  6. Bonnington C. Data from our wearables is now courtroom fodder. Wired. https://www.wired.com/2014/12/wearables-in-court/. December 12, 2014. Accessed August 8, 2023.
  7. Vinez KE. The admissibility of data collected from wearable devices. 2017;4(1). https://www2.stetson.edu/advocacy-journal/the-admissibility-of-data-collected-from-wearable-devices/. Accessed August 8, 2023.
  8. Crosley Law. Wearable technology and personal injury cases: evidence and ethics. https://crosleylaw.com/blog/wearable-technology-personal-injury-cases-evidence-ethics/. Accessed August 8, 2023.
  9. Buckle J, Hayward T, Singhal N, Desai K. The role of wearables in private medical insurance. Milliman Report. https://www.milliman.com/en/insight/the-role-of-wearables-in-private-medical-insurance. March 9, 2020. Accessed August 8, 2023.
  10. FDA. Pulse oximeter accuracy and limitations: FDA safety communication. https://www.fda.gov/medicaldevices/safety-communications/pulse-oximeter-accuracy-and-limitations-fda-safety-communication. February 19, 2021. Accessed August 8, 2023.
  11. U.S. Food and Drug Administration. The FDA’s role in medical device cybersecurity. Dispelling myths and understanding facts. FDA Fact Sheet. https://www.fda.gov/media/123052/download. Accessed August 8, 2023.
  12. U.S. Food and Drug Administration. Medical device cybersecurity: what you need to know. Current as of October 13, 2020. https://www.fda.gov/consumers/consumer-updates/medical-device-cybersecurity-what-you-need-know. Accessed August 8, 2023.
  13. Centers for Disease Control and Prevention. #BeCyberSmart: 5 ways to protect your health tech. Public Health Matters Blog. October 20, 2020. https://blogs.cdc.gov/publichealthmatters/2020/10/cybersecurity/. Accessed August 8, 2023.
  14. Ahmad A, Rasul T, Yousaf A, Zaman U. Understanding factors influencing elderly diabetic patients’ continuance intention to use digital health wearables: extending the technology acceptance model (TAM). J Open Innov Technol Mark Complex. 2020;6:81.


Judy Klein, PA, CPHRM, FASHRM, is a Senior Risk Solutions Consultant for the MedPro Group, the nation’s first provider of healthcare liability. For more than 30 years, she has contributed to risk management publications and speaks on a regional, state and national level on risk and patient safety-related topics.

Klein holds a B.S. in medical science from Alderson-Broaddus College, has a CPHRM and is a Fellow of ASHRM. An active member of ASHRM, she is a past president of several chapters and member of Michigan, Indiana and Ohio ASHRM chapters.
