Wait a Sec, I’ve Got a Text: CMS Clarifies Position Regarding Texting of Patient Information
On December 28, 2017, the Centers for Medicare and Medicaid Services (CMS) issued Survey and Certification Memorandum Number 18-10-ALL to the State Survey Agencies clarifying its position regarding texting health care information by providers. Such clarification was needed: CMS’s individual guidance about texting had been uneven in 2017, with reports that CMS informed some facilities that texting any patient information was prohibited. This contradicted The Joint Commission’s (TJC) December 2016 guidance, issued in collaboration with CMS (and discussed on this blog), which described under what circumstances texting is permissible.
CMS’s memo makes three main points:
- Texting patient orders is absolutely prohibited.
- Computerized Provider Order Entry (CPOE) remains the preferred method of order entry.
- The health care team may text patient information among itself if done through a secure platform.
Texting Orders Violates the Conditions of Participation and Conditions for Coverage
In the memo, CMS explains that texting orders by any member of the patient care team is prohibited, regardless of the platform used, largely because texts of orders would not meet the requirements for medical record form and retention. CMS reinforced its position that CPOE is the preferred method of order entry, especially if the method results in an immediate download into the electronic health record.
The TJC December 2016 Guidance likewise prohibited texting orders, closing out a year in which TJC first permitted texting orders in May and then prohibited it in July. Although not mentioned in the CMS memo, TJC stated in its December 2016 guidance that it and CMS had concluded that the patient safety impact of texting patient orders remains unclear. TJC noted specifically that nurses having to manually transcribe text orders into the EHR may interfere with their ability to perform their patient care duties; that texting is “an asynchronous transaction,” which may require the person receiving the order to then contact the ordering practitioner to further discuss the order for clarification or confirmation; and that other issues that arise during the transmitting and entering of a text order could result in a delay in treatment.
Texting Information is Permitted if on Secure Platform
CMS specifically recognized in the memo that texting patient information has become a valuable means of communication among the health care team. CMS noted that such communications must be done through systems that “are secure, encrypted, and minimize the risks to patient privacy and confidentiality as per HIPAA regulations” and the Conditions of Participation or Conditions for Coverage. CMS also expects providers to have processes in place to “routinely assess the security and integrity” of these texting systems and platforms.
CMS’s memo is similar to the TJC guidance, which notes that “[a]ll health care organizations should have policies prohibiting the use of unsecured text messaging—that is, short message service (SMS) text messaging from a personal mobile device—for communicating protected health information.” In other words, while both CMS and TJC permit the texting of patient information, it should never be done through the average smartphone texting app.
Providers already should have policies in place addressing the security and confidentiality of patient information. If they haven’t already, providers should determine whether their policies address the issues raised in the CMS memo (and, if applicable, the TJC December 2016 Guidance). Organizations should ensure that their policies on provider orders prohibit the use of text ordering (or, at the very least, that their policies and processes do not explicitly or implicitly allow texting orders). They also should adopt policies prohibiting the use of unsecured text messaging of protected health information, as well as clear policies regarding under what circumstances – and on what platforms – texting may be used. Workforce education will be key in ensuring that “accidental texts” (which could also be read as, “accidental HIPAA violations and noncompliance with the Conditions of Participation”) don’t occur.
Arent Fox’s Health Care Group and Privacy, Cybersecurity & Data Protection Group regularly monitor developments in health care technology, patient privacy, and compliance with Medicare conditions. If you have questions about this or related topics, please contact Sarah G. Benator, Lowell C. Brown, or Thomas Jeffry in our Los Angeles office, Stephanie Trunk in our Washington, DC office, or the Arent Fox professional who regularly handles your matters.