HIPAA isn’t the only reason anymore to be cautious about texting patient information. At the end of 2017, CMS instructed surveyors that some texting of patient information violates Medicare/Medicaid Conditions of Participation and Conditions for Coverage. CMS S&C 18-10-ALL

CMS warns that texting of patient orders is prohibited regardless of the platform utilized. Per CMS, “Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider. … An order if entered via CPOE, with an immediate download into the provider’s electronic health records (EHR), is permitted as the order would be dated, timed, authenticated, and promptly placed in the medical record.” These key elements are missing in texted orders, and cause the texted order to be out of compliance with the Conditions of Participation for medical records. It’s unclear why CMS did not treat a texted order like a verbal (telephonic) order that can be acted upon and authenticated by the ordering physician at a later time within parameters established by the Medical Staff By-laws.

But texts between health professionals with a need to know the patient information is acceptable, as long as the texting platform is “secure, encrypted, and minimizes the risks to patient privacy and confidentiality as per HIPAA regulations and the CoPs or CfCs.” Commercial services offer secure, encrypted texting applications that can be used with personal mobile devices—but these must be affirmatively installed. Security experts recommend using a texting app that employs end to end encryption, rather than simply encryption in transit.

The cost of a texting misstep has escalated from HIPAA fines to the world of Medicare/Medicaid certification sanctions. Providers would be prudent to assess their texting policies and security precautions, and make any needed revisions.