HIPAA BAA Requirements for Remote Patient Monitoring Programs

By BAA Generator Editorial  ·  Updated Apr 20, 2026  ·  5 min read

Key Takeaways

Direct answer: RPM platform vendors that collect, transmit, and store patient physiological data are business associates requiring signed BAAs. The RPM software platform and device cloud storage are covered; cellular carriers transmitting data are generally exempt via the conduit exception. Execute BAAs before the first patient device is enrolled.

Remote patient monitoring programs collect physiological data from patients in their homes using connected devices — blood pressure cuffs, glucose meters, pulse oximeters, weight scales, and wearables — and transmit that data to clinical teams for review and intervention. The RPM ecosystem involves multiple layers: the physical device, the cellular or WiFi network transmitting the data, the cloud platform storing device readings, and the EHR integration delivering data to clinicians. Understanding which of these layers requires HIPAA BAAs is essential for compliant RPM deployment.

Why RPM Programs Create Business Associate Relationships

Healthcare providers operating RPM programs are covered entities that must execute BAAs with vendors handling PHI. In the RPM context, PHI includes:

Any vendor whose systems store, process, or transmit this data on behalf of the covered entity is a business associate. The RPM vendor relationship typically involves all four of the defining business associate activities: creating, receiving, maintaining, and transmitting PHI.

Understanding the Conduit Exception

A common question in RPM compliance is whether the cellular carrier transmitting device data is a business associate. The answer is generally no — cellular carriers typically qualify for HIPAA's "conduit exception."

The conduit exception (45 CFR § 160.103, business associate definition) excludes entities that transmit PHI but do not store it other than on a temporary basis as necessary for the transmission — similar to the postal service carrying a letter. A cellular carrier that routes data packets from a connected device to an RPM platform without storing the data content is acting as a conduit and is not a business associate.

However, the conduit exception is narrow. If the cellular carrier stores device data, provides analytics, or has any access to the PHI content beyond routing, the exception may not apply. IoT connectivity platform vendors who provide SIM management and data routing as a managed service for RPM devices should be individually evaluated against this standard.

Vendors RPM Programs Typically Need BAAs With

RPM Platform Vendors

Withings Health Solutions, Validic, Biofourmis, Current Health (Baxter), and Propeller Health are established RPM platform vendors with HIPAA compliance programs and BAA offerings. These platforms aggregate device data, provide clinical dashboards, generate alerts, and often offer patient engagement features. As the primary handlers of patient vitals data in the RPM workflow, they are the most critical BA relationship in an RPM program. Execute BAAs during vendor selection, before any patients are enrolled.

Device Manufacturers with Cloud Services

Modern connected RPM devices — blood pressure monitors, continuous glucose monitors, smart scales — pair with manufacturer-operated cloud services. When those cloud services store device readings linked to patient identifiers, the manufacturer's cloud platform is a business associate. The physical device hardware itself is not a HIPAA entity, but the software and cloud infrastructure the manufacturer operates is.

Evaluate each device's cloud architecture: does the manufacturer's app or cloud service store patient-identified readings, or does it transmit raw data directly to the RPM platform without storing it? Most manufacturers' consumer health platforms are not designed for HIPAA compliance — enterprise or clinical integrations with HIPAA BAAs may be available separately.

EHR Integration Vendors

Platforms that connect RPM data to EHR systems — Redox, Health Gorilla, or direct EHR integration APIs — transmit PHI between systems and are business associates. Any middleware or integration layer handling PHI in the RPM-to-EHR pipeline requires a BAA.

Patient Engagement Platforms

Patient communication tools used for RPM enrollment, device onboarding, and ongoing engagement — sending reminders about readings, alerting patients to care team messages — transmit PHI and are business associates. Secure messaging platforms and patient portal vendors handling RPM-related communications require BAAs.

Common Vendor BAA Table for RPM Programs

Vendor Type                      | Example Vendors                                          | BAA Required?
RPM platform                     | Withings Health, Validic, Biofourmis, Current Health     | Yes
Device manufacturer cloud        | Omron connect, Dexcom cloud, iHealth cloud               | Yes (if storing patient-linked data)
EHR integration middleware       | Redox, Health Gorilla, Epic FHIR API                     | Yes
Patient engagement platform      | Klara, Relatient, Phreesia                               | Yes
Cellular carrier (data conduit)  | AT&T, Verizon, T-Mobile (data routing only)              | Generally no (conduit exception)
IoT connectivity platform        | Aeris, Twilio IoT, KORE                                  | Evaluate (conduit exception may or may not apply)
Cloud data storage               | AWS, Azure, GCP enterprise                               | Yes

Common Compliance Gaps in RPM Programs

The most frequent compliance issues in RPM deployments: (1) enrolling patients with an RPM device before the BAA with the RPM vendor is executed; (2) using consumer-grade device companion apps that connect to manufacturer cloud platforms without HIPAA BAAs for the clinical version; (3) not evaluating the IoT connectivity layer — SIM and data management platforms — for conduit exception applicability; and (4) missing BAAs with EHR integration vendors because those relationships are managed by IT rather than compliance teams.

For guidance on digital health compliance more broadly, see our guide on BAA requirements for digital health companies. For evaluating specific vendor BAA policies, see our guide "Does your vendor sign a HIPAA BAA?".

Frequently Asked Questions

Do RPM vendors need to sign HIPAA BAAs?

Yes. RPM platform vendors that collect, store, and process patient physiological data are business associates. They create and maintain PHI on behalf of the covered entity and must sign a BAA before patient enrollment begins. The BAA should cover both the RPM platform software and any cloud infrastructure the vendor uses to store device readings.

Are connected device manufacturers business associates?

It depends on whether the manufacturer operates cloud services that store patient-identified device readings. If yes, the manufacturer's cloud platform is a business associate. The physical device hardware is not a HIPAA entity. Most clinical RPM deployments use enterprise or clinical versions of device cloud platforms that include HIPAA BAAs — evaluate this for each device model in your program.

Does the cellular carrier transmitting device data need a BAA?

Generally no. Cellular carriers that transmit device data without storing it beyond temporary routing purposes fall under HIPAA's conduit exception and are not business associates. IoT connectivity platforms that provide more than pure data routing — including SIM management with data access, analytics, or storage — should be individually evaluated to determine whether the conduit exception applies.

What RPM platforms offer HIPAA BAAs?

Withings Health Solutions, Validic, Biofourmis, Current Health (Baxter), and Propeller Health all offer HIPAA BAAs for healthcare provider clients. These platforms are purpose-built for clinical RPM programs and have established compliance frameworks. Request BAA documentation during the vendor evaluation phase and execute the agreement before enrolling any patients.
