If you haven’t talked to your device provider about tariffs, security breaches, and where your patient data is stored, you should. Any one of these threats has the potential to seriously disrupt your business if things go wrong.
President Trump has implemented multiple rounds of tariffs on goods from China, Canada, and Mexico, including medical devices. This creates a complex challenge for RPM providers, as Medicare reimbursement rates are unlikely to adjust for increased device costs. Advanced purchases and inventory management strategies have become critical to ensure RPM companies can continue to provide devices while managing price fluctuations.
Although the implementation timeline for further tariffs is subject to change, healthcare organizations should prepare for probable RPM device cost increases. Inventory management strategies and device partnerships for flexible purchasing options will be critical to adapt to price volatility.
RPM device companies store confidential patient information that is transmitted via cellular networks and are a prime target for security hacks. If you haven’t thought through what a security breach from your device company would mean for you, you should.
A data breach involving protected health information (PHI) triggers immediate HIPAA breach notification requirements. The RPM company must promptly notify affected patients, the Department of Health and Human Services (HHS), and in cases affecting more than 500 individuals, local media outlets. This notification process alone can incur substantial costs and operational disruption.
Beyond the immediate notification costs, RPM companies could face substantial monetary penalties from regulatory bodies, potentially reaching millions of dollars depending on breach severity and the level of negligence demonstrated. Legal expenses can mount quickly through class action lawsuits, individual patient claims, and potential actions from healthcare provider partners seeking damages for breach of contract and reputational harm.
These costs may be enough to bankrupt many RPM companies. Even RPM companies that can withstand the short-term financial hit will likely lose many clients to competitors. Rebuilding trust with clients, partners, and patients would be an ongoing investment.
Security risks can be avoided by asking your device company the right questions. What security protocols and levels of encryption have they put in place? Are they installing security certificates on individual devices to ensure a secure key confirms the validity of each device?
During the first Trump administration, the Committee on Foreign Investment in the United States (CFIUS) intensified its oversight of international investments in American companies, particularly those that could impact national security or involve sensitive data such as PHI.
PatientsLikeMe, a digital health platform that helped patients connect with other patients facing similar health conditions, sold a majority ownership stake to iCarbonX, a Tencent-backed genomics technology company based in China. CFIUS forced the company to divest its stake and find a buyer. While PatientsLikeMe ultimately found a home with UnitedHealth Group, the forced sale brought a lot of uncertainty and disruption to the company.
Internationally-owned companies storing sensitive data about US consumers are at risk. Some of the largest and most popular medical device companies store patient data on internationally-owned servers.
RPM companies should be focused on provider relationships and patient care, not device operations. But in today’s marketplace, the threats of tariffs, security breaches, and forced divestitures are very real. If your device provider isn’t actively managing these device threats, then you need to address them. Continua can remove the stress of these device threats. Contact us to learn more.