On December 22, 2016, the Joint Commission issued “Clarification: Use of Secure Text Messaging for Patient Care Orders is Not Acceptable.” In this guidance, the Joint Commission clarified:
- PHI should not be sent by unsecured text messaging.
- The preferred method for submitting electronic orders is computerized provider order entry (CPOE).
- If CPOE is not available, verbal orders can be used – but verbal orders should be used minimally, and closely monitored.
- Secure text orders should not be used.
The Joint Commission gave three reasons for prohibiting text orders:
- When nurses must transcribe text orders into the EHR, they have less time to care for patients.
- Unlike verbal orders, text orders are asynchronous – and can require additional discussion to confirm the order.
- If an alert is issued while the order is being sent, the practitioner must be contacted, potentially delaying treatment.
These guidelines were clear, and fairly simple to follow. However, a year later, in December 2017, some providers received emails from CMS indicating that ALL texting regarding patients is prohibited – not just text orders or unsecured texts. Likely in response to the confusion and concern this caused compliance officers, CMS issued an official texting position on December 28, 2017: S&C 18-10-AL, Survey & Certification Group Memo: Texting of Patient Information among Healthcare Providers. In this memo, CMS clarified:
- CMS prohibits texting patient orders.
- CPOE is the favored order entry method: “An order if entered via CPOE, with an immediate download into the provider’s [EHR], is permitted as the order would be dated, timed, authenticated, and promptly placed in the medical record.”
- Secure texting of PHI (other than orders) is acceptable.
“CMS recognizes that the use of texting as a means of communication with other members of the healthcare team has become an essential and valuable means of communication among the team members. In order to be in compliance with the CoPs [Conditions of Participation] or CfCs [Conditions for Coverage], all providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks of patient privacy and confidentiality as per HIPAA Regulations and the CoPs and CfCs. It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients….”
Your next steps
Before you use secure texting to communicate non-order PHI, keep in mind:
- Texting should first be addressed in your HIPAA security risk analysis.
- If you use a texting software program, a business associate agreement with the vendor is needed.
- Texts must be transcribed into the medical record.
- OCR has published guidance addressing appropriate encryption methods.