CMS Addresses Text Messaging of Protected Health Information
Health Care Provider Alert
Text messaging has become an important communication tool. The number of text messages sent in the United States has grown exponentially from an estimated 12 million per month in 2000 to 780 billion per month in 2017. According to an article in the June 2017 Journal of the American Medical Association, several small studies including 45 resident and 28 faculty general surgeons and 97 pediatric hospitalists, reported that more than half (60%-80%) of physicians use text messaging for clinical communications. While text messaging of protected health information (“PHI”) is not prohibited by HIPAA, there has been relatively little guidance on the scope of its permissible use.
The Centers for Medicare and Medicaid Services (“CMS”) issued a memorandum on December 28, 2017, to State Survey Directors, which was intended to clarify CMS’ position as it relates to texting. While recognizing that texting is a valuable and essential means of communication with other members of a patient’s healthcare team, CMS’ position is that the texting of patient orders by physicians or other health care providers is not permissible, because it does not comply with the CMS Conditions of Participation (“CoPs”) and Conditions for Coverage (“CfCs”) requirements applicable to the maintenance of medical records. Those requirements include the following: medical records must be accurately written, promptly completed, properly filed and retained, and accessible; a hospital must use a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries; a hospital must implement a procedure for insuring the confidentiality of patients’ records; and all records must document evidence of all practitioners’ orders.
The Memorandum goes on to provide that Computerized Provider Order Entry (“CPOE”) is the preferred method of order entry. CMS follows the long-standing practice that a physician should enter orders into the medical record either via a hand written order or via CPOE. An order entered via CPOE, with an immediate download into the provider’s electronic health records, is permitted, as the order would be dated, time-stamped, authenticated and promptly placed in the medical record.
While prohibiting the texting of patient orders, the Memorandum permits the texting of other PHI via systems/platforms that are secure, encrypted and minimize the risks to patient privacy and confidentiality as required by HIPAA regulations and the CoPs and CfCs. The Memorandum concludes with CMS’ statement of its expectation that providers will implement procedures to routinely assess the security of their texting systems/platforms to avoid negative outcomes that could compromise patient care.
In light of CMS’ guidance, providers should consider their use of messaging related to patient orders, as well as their overall order entry and documentation process. How a provider transmits and records orders is important not only to ensure that orders are carried out properly, but also may be crucial in defending malpractice actions or billing reviews. Roetzel attorneys are available to assist you in conducting a practice review and implementing appropriate and compliant policies.