After a confusing month of contradicting guidance, the Centers for Medicare & Medicaid Services (CMS) issued a memorandum clarifying its position regarding the use of text messaging with patient information between providers. In early December, CMS communicated essentially a zero-tolerance policy on secure text messaging to a handful of hospitals via email, as first reported in the December 18, 2017, issue of the Report on Medicare Compliance. CMS cited to the HIPAA Security Rule and the Conditions of Participation for hospitals as support for their policy. On December 28, CMS clarified that text messaging amongst health care providers "is permissible if accomplished through a secure platform." However, CMS was very clear that the use of text messaging for patient orders is prohibited, regardless of the platform utilized.
While it has long been understood that SMS texting was a concern, widespread adoption of text message applications which can be provided via a secured, encrypted methodology was no different than any other secured application permitted by HIPAA Security Rules. Providers must be clear that the use of SMS text messaging for health care information should not be utilized, as it is not considered secure.
CMS's policy on secure text messaging is now consistent with recent policy clarifications, such as joint update by The Joint Commission's and CMS in December of 2016 on the use of secure text messaging for patient care orders (available here). In clarifying their policy on secure text messaging, The Joint Commission prohibits secure text messaging by physicians or licensed independent practitioners to order patient care, treatment, or health care services. The view towards secure text messaging by the government and accreditation organizations is evolving quickly because of advents in new technologies with secure messaging platforms. For example, The Joint Commission's December 2016 update replaces their earlier guidance from that same year, in May 2016 (available here), in which they allow for secure text messaging of patient care orders, due to growing concerns that secure text messaging appropriately safeguards patient safety.
Baker Donelson Comments:
- At this time, health care providers should revisit their compliance policies related to text messages and other messaging platforms for communicating health information. Keep in mind the December 2016 guidance from The Joint Commission when reviewing those policies, available here. Be prepared to address these issues.
- Health care providers should document their risk analysis of incorporating text messaging platforms as part of their health care organization and ensure that an appropriate risk management strategy is implemented and followed. Evaluations and maintenance of those safeguards should be revisited regularly.