CMS issued a memo to state survey agency directors on December 28, 2017, to clarify CMS’s position on texting patient information. The memo, which indicates that it is effective “immediately,” states that CMS prohibits texting of orders by healthcare providers. Specifically, “texting orders from a provider to a member of the care team is not in compliance with the Conditions of Participation (CoPs) or Conditions of Coverage (CfCs).” In support of its position, CMS cites “§489.24(b),” which appears to be a typographical error. The rule dictating the form and retention of hospital records is 42 C.F.R. §482.24(b) .The rule states that “[m]edical records must be accurately written, promptly completed, properly filed and retained, and accessible.”

CMS does recognize, however, “that the use of texting as a means of communicating with other members of the healthcare team has become an essential and valuable means of communicating among the team members.” Even so, in order to comply “with the CoPs or CfCs, all providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality as per HIPAA regulations and the CoPs or CfCs.” Unlike the CMS memo, however, HIPAA does not necessarily require encryption in all circumstances, but instead, as outlined in a “frequently asked question” on the OCR website, encryption must be addressed and implemented if, after a risk assessment, it is found to be a reasonable and appropriate safeguard. The CMS memo appears to be more stringent than OCR guidance, found at “frequently asked question” 570, that indicates that unencrypted email could be allowed, at least under the Privacy Rule. In light of this memo, hospitals should examine their texting policies and should ensure that any health-related texting is conducted on an encrypted platform.