In a memorandum issued on December 28, 2017, the Centers for Medicare & Medicaid Services (CMS) clarified its position with respect to texting among members of a health care team. Although they may communicate patient information via text messaging, physicians and other authorized health care providers cannot text orders. Texting orders is prohibited because it fails to comport with CMS’ Conditions of Participation (CoPs) and Conditions for Coverage (CfCs), which require health care organizations to maintain medical records that are complete – including all practitioners’ and nursing notes – and to properly file and retain such records for a period of at least 5 years. In addition, the CoPs and CfCs require that there be a procedure for maintaining the confidentiality and proper release of the medical records in accordance with state and federal laws.
While CMS permits members of a health care team to text patient information to one another, it is important that they do so through platforms that are secure, encrypted, and compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which governs the privacy and security of certain health information. Traditional text messaging systems are generally not secure or HIPAA-compliant because text messages containing protected health information may be stored by the service provider, intercepted, or accessed by unauthorized users if the mobile device is lost or stolen. For example, while Apple protects iMessages with end-to-end encryption, when users back up their devices on iCloud, Apple stores on its servers all iCloud data content, including iMessages, SMS and MMS messages, and it retains the encryption keys for itself. In this manner, Apple has the ability to access and obtain any user data backed up on iCloud and may produce such data to third parties if legally required to do so, as Apple states in its iCloud Terms and Conditions. Therefore, health care providers and organizations that want to text patient information and properly maintain the confidentiality of such information should use platforms that are designed to be HIPAA-compliant in order to avoid the risk of a violation.
*The information in this article is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. No information contained in this post should be construed as legal advice from Greenspoon Marder LLP or the individual author(s), nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.