RPM Patient Consent Requirements: What Practices Must Disclose Before Enrollment
Why RPM Patient Consent Is a Compliance Flashpoint
Remote Patient Monitoring enrollment seems straightforward until a payer audits your consent records. CMS has made it clear that beneficiary consent is a prerequisite for billing RPM services, yet the specifics of what constitutes valid consent remain a source of confusion for many primary care practices. Getting consent wrong does not just risk claim denials — it can trigger fraud allegations if auditors determine that patients were enrolled without understanding their financial obligations or the nature of the service.
This guide breaks down every element of RPM patient consent so your practice can enroll diabetic patients confidently and defensibly.
CMS Consent Requirements for RPM Billing
CMS requires that the ordering physician or qualified healthcare professional obtain patient consent before billing for RPM services. This requirement was formalized in the 2019 Physician Fee Schedule Final Rule and has been reinforced in subsequent rulemaking.
The core requirements are:
- Consent must be obtained before the initial RPM setup (CPT 99453) is billed
- The patient must understand what RPM entails and agree to participate
- Consent must be documented in the patient’s medical record
- The patient must be informed of any applicable cost-sharing obligations
Compliance tip: CMS does not currently mandate a specific consent form or template. However, having a standardized written consent process creates a defensible audit trail that verbal-only consent cannot match.
What Must Be Disclosed
Your consent process needs to cover specific elements to satisfy both CMS expectations and general informed consent principles.
| Disclosure Element | Required By | Notes |
|---|---|---|
| Nature of RPM services | CMS / General informed consent | Explain what data is collected and how |
| Frequency of monitoring | General informed consent | Daily readings, weekly check-ins, etc. |
| Who will review data | CMS (care team identification) | Physician, clinical staff, or third-party |
| Cost-sharing / copay obligations | CMS | Including that Part B cost-sharing applies |
| Right to revoke consent | CMS | Patient can stop RPM at any time |
| Device instructions and expectations | Best practice | How to use the device, transmission requirements |
| Data privacy practices | HIPAA | How PHI from the device is stored and transmitted |
Written vs. Verbal Consent: What CMS Actually Requires
CMS permits verbal consent for RPM services. The 2019 Final Rule explicitly states that consent does not need to be in writing. However, there is a critical distinction between what is legally sufficient and what is practically defensible.
Verbal Consent
When using verbal consent, the following must occur:
- A qualified member of the care team explains the RPM program to the patient
- The patient verbally agrees to participate
- The conversation is documented in the medical record, including the date, who obtained consent, and what was discussed
- The documentation should note the specific disclosures made
Written Consent
Written consent provides a signed record that is significantly harder to dispute during an audit. For practices managing large diabetic RPM populations, the operational overhead of a written form is minimal compared to the compliance protection it offers.
A written consent form should include:
- Patient name, date of birth, and date of consent
- Plain-language description of the RPM program
- Itemized list of what the patient is agreeing to
- Cost-sharing disclosure with estimated amounts
- Signature line for the patient (or authorized representative)
- Signature line for the obtaining provider or staff member
Best practice: Even if you use written consent, train your enrollment staff to verbally walk through the form with the patient. A signed form that the patient did not actually understand offers weak protection if the patient later complains to CMS or their MAC.
Cost-Sharing Disclosure: The Most Overlooked Requirement
The most common consent deficiency found in RPM audits is inadequate cost-sharing disclosure. Medicare beneficiaries are responsible for 20% coinsurance on RPM services after their Part B deductible is met. This can add up to meaningful out-of-pocket costs over the course of a year.
Estimated Annual Patient Cost-Sharing for RPM
| CPT Code | Description | Medicare Allowable (approx.) | Patient 20% Coinsurance |
|---|---|---|---|
| 99453 | Initial setup and education | $19 | $3.80 |
| 99454 | Device supply with daily recording | $55/month | $11.00/month |
| 99457 | First 20 min clinical staff time | $50/month | $10.00/month |
| 99458 | Additional 20 min clinical staff time | $42/month | $8.40/month |
| Annual total | $1,783 | $356.60 |
Patients must understand these costs before they consent. Failing to disclose cost-sharing is not just a consent issue — it can be characterized as a false or misleading enrollment practice.
Patients with Supplemental Coverage
For patients with Medigap or other supplemental insurance that covers Part B coinsurance, you should still disclose the cost-sharing obligation. The fact that their secondary coverage may pay it does not eliminate the disclosure requirement. Document that the discussion occurred and note whether the patient indicated they have supplemental coverage.
Revoking Consent: Patient Rights and Practice Obligations
Patients have the right to withdraw from RPM at any time. Your consent process must inform them of this right, and your practice must have a procedure for handling revocations.
When a patient revokes consent:
- Stop billing immediately. Do not bill for any RPM services after the date of revocation, even if data was collected during that billing period.
- Document the revocation in the medical record, including the date, method (verbal, written, phone), and who received the revocation.
- Retrieve or deactivate devices if the practice owns them. If the patient owns the device, document that they were informed monitoring has ceased.
- Do not penalize the patient. Revocation of RPM consent cannot affect the patient’s access to other services or their standing with the practice.
Important: If a patient simply stops transmitting data, that is not the same as revoking consent. You should have a protocol for reaching out to non-transmitting patients before assuming they wish to disenroll.
Sample Consent Language
Below is sample language that addresses the key CMS requirements. This is not legal advice — have your compliance counsel review any consent form before implementation.
Key Provisions to Include
Program description: “I understand that my physician has recommended Remote Patient Monitoring (RPM) as part of my care plan. RPM involves the use of a medical device to collect health data (such as blood glucose readings) that will be transmitted to my care team for review.”
Cost-sharing: “I understand that RPM services are billed to Medicare and that I may be responsible for applicable deductibles and coinsurance (typically 20% of the Medicare-approved amount). My estimated monthly out-of-pocket cost is $___.”
Data and privacy: “I understand that my health data will be electronically transmitted and stored in accordance with HIPAA privacy and security requirements.”
Revocation: “I understand that I may withdraw from the RPM program at any time by notifying my physician’s office. Withdrawal will not affect my eligibility for other medical services.”
State-Specific Consent Variations
While CMS sets the baseline for Medicare RPM consent, state laws can impose additional requirements. Practices operating in multiple states or near state borders must account for these variations.
| State Category | Examples | Additional Requirements |
|---|---|---|
| States with telehealth-specific consent laws | California, Texas, New York | May require specific telehealth disclosures even for RPM |
| States with stricter informed consent standards | Pennsylvania, Georgia | May require more detailed risk/benefit disclosure |
| States with recording/monitoring consent laws | Illinois, California | Two-party consent may apply if calls are recorded during enrollment |
| States with no additional requirements | Most states | CMS baseline is sufficient |
Key State Considerations
- California: The Telehealth Advancement Act requires that patients be informed of their right to receive services in-person. While RPM is not traditional telehealth, conservative compliance programs include this disclosure.
- Texas: Requires informed consent for telemedicine services that includes specific disclosures about the technology used. Practices should evaluate whether their RPM program falls under this definition.
- New York: Has specific requirements around patient consent for the electronic transmission of health information that may layer on top of HIPAA requirements.
Building a Defensible Consent Workflow
A compliant consent process is only as strong as its execution. Here is how to operationalize consent in a way that holds up under scrutiny.
Pre-Enrollment
- Identify eligible patients (e.g., diabetic patients with A1C above target)
- Prepare a personalized cost estimate based on their coverage
- Schedule a consent conversation — do not rush it during an unrelated visit
During Enrollment
- Use a standardized consent form reviewed by compliance counsel
- Walk through each section with the patient verbally
- Answer questions and document any concerns raised
- Obtain signature (or document verbal consent with specifics)
- Provide the patient with a copy of the signed form
Post-Enrollment
- File the consent form in the medical record (scan if paper)
- Flag the patient as RPM-enrolled in your EHR or billing system
- Set a reminder to re-confirm consent if the program terms change
- Monitor for revocation requests or non-transmission patterns
Common Consent Mistakes to Avoid
- Bundling RPM consent with general treatment consent. RPM consent should be a separate, identifiable document or conversation.
- Failing to update consent when costs change. If reimbursement rates change and patient cost-sharing shifts, re-disclose.
- Having non-clinical staff obtain consent without training. Anyone obtaining consent must understand the program well enough to answer patient questions.
- Not documenting the “who” and “when.” Every consent record should identify who obtained it and the exact date.
- Assuming one consent covers everything forever. If you add new monitoring parameters or change vendors, consider whether re-consent is needed.
Streamlining Consent Without Cutting Corners
Managing consent across a large diabetic RPM population requires systems, not just forms. Practices that scale RPM successfully invest in workflow automation that tracks consent status, flags expiring or missing consents, and generates audit-ready reports. Zayd Health builds these compliance workflows specifically for primary care practices running RPM programs, ensuring that consent documentation stays current and complete as your enrolled population grows.
The bottom line: consent is not a checkbox. It is an ongoing obligation that protects both your patients and your practice. Invest the time to get it right from day one, and you will avoid the painful remediation that follows a consent-related audit finding.
Zayd Health automates RPM documentation and superbill generation.
Transmission tracking, time logging, and audit-ready billing. So your team can focus on patient care.
Don't miss the next one.
One email when we publish. RPM billing changes, compliance strategies, and what's actually working in the field.
