You probably no longer think about how many texts you send and receive throughout the day.
No matter how comfortable you are with texting, remember: Texting patients’ hospital orders is not an acceptable practice, and any other texts containing protected health information (PHI) must be secure and encrypted.
The Centers for Medicare & Medicaid Services (CMS) sent that reminder in a memo late last year regarding texting of patient information in hospitals and critical access hospitals (CAHs).
The CMS memo is in line with a clarification The Joint Commission (TJC) issued in December 2016. In their communications, both agencies prohibit the use of secure text orders, and establish computerized provider order entry (CPOE) as the preferred method of order entry by physicians.
The CMS memo was in response to a Dec. 18 report by the Health Care Compliance Association (HCCA) claiming CMS was banning physicians and providers from all texting, according to Becker’s Health IT & CIO Review. In its Report on Medicare Compliance, HCCA said CMS had emailed “at least two hospitals saying that ‘texting is not permitted’ — and that includes secure text messaging applications.”
In the memo, CMS confirmed that texting of patient orders “is prohibited regardless of the platform utilized.” However, the memo clarified that CMS allows secure texting of patient information among members of the health care team in hospitals and CAHs.
The practice of texting hospital orders from a physician or provider to a member of the care team would violate hospital and CAH Medicare/Medicaid Conditions of Participation (CoP) and Conditions for Coverage (CoC) as they relate to medical records, the memo explains. But an order entered via CPOE, “with an immediate download into the provider’s electronic health records … is permitted as the order would be dated, timed, authenticated, and promptly placed in the medical record,” the memo says.
Regarding texting other patient information, the memo says, “CMS recognizes that the use of texting as a means of communication with other members of the hospital and CAH health care teams has become an essential and valuable means of communication among the team members. In order to be compliant with the CoPs, all providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality as per HIPAA regulations and the hospital and CAH CoPs.”
The CMS memo correlates with TJC’s position that the use of secure text orders is not acceptable. TJC developed the recommendation in collaboration with CMS, reversing a position it had published the previous spring condoning the secure text messaging of patient orders. TJC’s current policy also addresses verbal orders, saying a verbal order is acceptable in the event a CPOE or written order cannot be submitted.
“However, verbal orders should be used infrequently, and the use of verbal orders should be closely monitored to ensure that these are used only when it is impossible or impractical to use CPOE or written orders without delaying treatment. Verbal orders are not to be used for the convenience of the ordering practitioner,” the TJC document says.
Beyond HIPAA regulations and agency positions, hospitals may have their own policies regarding texting. For example, “Cook Children’s [in Fort Worth] specifically does not allow texting orders, or texting anything else construed to contain PHI,” said Matt Murray, MD, chair of TMA’s ad hoc Committee on Health Information Technology. “From my personal perspective, telephone orders and texted orders both have inherent risk associated with verifying/authenticating the physician giving those orders. With text you don’t even have the physician voice that might be familiar.”
If you have questions related to health information technology, call the TMA HIT hotline at (800) 880-5720, email hit[at]texmed[dot]org, or check out our online HIT Resource Center.