In a December 28, 2017, memo to state survey agency directors, CMS resolved the confusion over whether texting of patient information is precluded in all instances or is allowable in some situations. In the memo, CMS made clear that texting patient information is allowed as long as a secure texting platform is used, recognizing texting as an “essential and valuable means of communication among the team members” caring for patients.
This most recent round of confusion adds to the long and troubled history of using texts to transmit Protected Health Information (PHI). In 2011, The Joint Commission advised providers that text messaging of patient information was prohibited. In May 2016, that prohibition was lifted, and CMS and The Joint Commission provided guidance that all health care organizations should have policies prohibiting the use of unsecured text messaging of PHI (e.g., standard SMS messaging provided by the mobile services provider), but that secure text messaging was permissible.
The Joint Commission May 2016 guidance provided that healthcare organizations implementing secure text messaging platforms should ensure the platform includes the following:
- Secure sign-on process
- Encrypted messaging
- Delivery and read receipts
- Date and time stamp
- Customized message retention time frames
- Specified contact list for individuals
However, subsequent clarifying guidance was issued in December 2016. The joint guidance issued by The Joint Commission and CMS in December 2016 prohibited texting physician orders but did not forbid more general uses of secure texting platforms.
The most recent round of confusion appears to have been generated by a CMS Survey & Certification Group email that stated that CMS does not allow texting. CMS is reported to have stated in a November 30, 2017, email to a recently surveyed hospital: “After meeting with vendors regarding these products, it was determined that they cannot always ensure the privacy and confidentiality of PHI being transmitted. This resulted in the no texting determination.” When asked whether this no texting rule applied to secure encrypted texting solutions, CMS is reported to have replied that “it means no texting.”
In the memo, CMS highlighted the need to:
- Comply with HIPAA and meet the applicable Conditions of Participation (CoP) for medical record services (42 C.F.R. §482.24) to ensure that patient confidentiality is upheld and documentation requirements are met;
- Use secure, encrypted platforms to limit the risk of exposing patient information; and
- Develop and adhere to policies and procedures that ensure the security and integrity of the secure texting platform.
Texting Orders Still Prohibited
CMS also restated its prohibition on texting orders, stating that orders should be entered into the patient medical record “via a handwritten order or via CPOE.” CPOE (Computerized Provider Order Entry) is an electronic method of placing orders. CMS emphasized that CPOE orders that are immediately downloaded into the electronic health record, dated, timed and authenticated are allowed.
This memo provides welcome relief to the healthcare industry’s concern that CMS’s earlier position could be interpreted to mean a prohibition against texting. In light of this memo, consider the following:
Scenario 1: My organization already has a secure texting solution.
- As there is no official prohibition on texting PHI at this point in time, immediately shutting down the texting solution is not necessarily required if your organization is in compliance with HIPAA and the CoP documentation requirements.
- Confirm that your organization reviewed the security of the secure texting platform pursuant to HIPAA Security Rule standards, including the addressable and required administrative, physical and technical safeguards, and documented that assessment. If the review was performed but not documented at that time, document it now.
- Confirm that the texting solution was configured at implementation with its security controls enabled (secure sign-on, encrypted messaging, message retention limits and a restricted contact list, per The Joint Commission’s May 2016 list above) rather than left at vendor defaults, and that the configuration has been reviewed since.
- Confirm that your organization has policies and procedures in place for appropriate documentation in the patient medical record of those text communications that must be documented and ensure compliance with those policies and procedures.
- Conduct training to reinforce the appropriate use of texting of PHI under your policies.
- Remain aware that significant changes may have to be made if and when additional official guidance is issued.
Scenario 2: My organization has signed a contract for a secure texting solution, but it is not yet live.
- If you have not already done so, review the security of the secure texting platform pursuant to HIPAA Security Rule standards and document that assessment, including the addressable and required administrative, physical and technical safeguards.
- Develop policies and procedures for appropriate documentation of the secure text messages in the medical record as part of the implementation.
- Be on the lookout for additional official guidance that may be issued.
Scenario 3: My organization is in the process of procuring a secure texting solution.
- Continue to vet texting solutions. Assess the security of secure texting platforms pursuant to the HIPAA Security Rule and industry standards. Document the assessment, including the addressable and required administrative, physical and technical safeguards.
- Be aware that additional official guidance may be issued.
- Consider negotiating a contractual provision permitting an early termination in the event secure texting of PHI is prohibited.
Finally, all organizations that allow some form of texting of PHI should perform a risk assessment of the organization’s use of texting. The assessment should thoroughly evaluate the overall benefits versus the risks and address communications regarding patient care. If your organization does not permit texting, verify that your organization’s policy is adequately enforced.
Rachael A. Ream, Ph.D. is an Oregon licensed attorney with Hall Render Killian Heath & Lyman. Rachael represents physicians and physician practices in strategic transactions such as mergers and acquisitions, private equity transactions, joint ventures, physician contracting matters, medical director agreements, and co-management agreements. She also defends physician practices on a broad array of compliance matters such as HIPAA, Stark Law, Anti-Kickback Statute, and qui tam defense. She earned her Bachelor’s Degree (with honors) from the University of Toledo; Ph.D. in Biology from Stanford University; and J.D. (magna cum laude) from Case Western Reserve University School of Law. She can be reached at: email@example.com or (425) 533-2690.
Stephen D. Rose, M.B.A. assists health care providers with complying with HIPAA. Since the inception of HIPAA, Stephen has been instrumental in developing educational materials and training classes for the Washington State Medical Association, as well as various hospitals, health systems and hospital associations. Stephen provides clients with guidance on first-party breach response and third-party privacy defense. He routinely works with third-party forensic consulting experts to identify the nature and scope of a network intrusion. Stephen earned his Bachelor’s Degree in Economics from the University of California at Santa Cruz; M.B.A. (Accounting) from the University of Santa Clara; and J.D. (cum laude) from Whittier College School of Law. He can be reached at firstname.lastname@example.org or (425) 278-9337.
The purpose of this article is to inform and educate on recent legal developments. It is not intended to be, nor should it be used, as a substitute for specific legal advice.