To text or not to text. That is the question. When it comes to personal interaction, there is no doubt that texting has become an essential form of instant communication between friends and colleagues.
Texting and secure messaging are also beginning to transform healthcare delivery and help improve quality, provide access and control costs. But up to now, questions surrounding the permissibility of texting in a healthcare setting have proven to be a somewhat murky conundrum for providers.
Mixed messages cause confusion
The Health Care Compliance Association (HCCA) issued a report in December 2017 highlighting the confusion being created by mixed messages coming out of the Centers for Medicare and Medicaid Services (CMS). According to the report, the CMS told at least two hospitals that “texting is not permitted,” citing concerns “around privacy, security, and the integrity of medical records.”
The report said that after meeting with vendors of various texting products, the CMS felt the applications couldn’t adequately safeguard the privacy of PHI (protected health information). A second hospital inquired if the ban applied to secure encrypted texting solutions and the CMS reaffirmed its ruling that no texting is allowed.
The decision set off a storm of protests saying that CMS was adhering to a “zero risk tolerance” policy, which attorneys said has never been the government’s position. According to the report, various attorneys said that the CMS ruling was not supported by HIPAA regulations. Another lawyer asserted that the texting ban would put patients at risk by preventing instant communication with specialists in time-sensitive situations.
CMS clarifies its position
The CMS responded to the howls of protest by releasing a Survey and Certification letter on December 28, 2017, that it hoped would clarify the guidelines covering texting for healthcare professionals. The revised ruling said text messages are allowed as long as they are transmitted using a secure platform.
The clarification now aligns the CMS policy with that of the Joint Commission and states that “in order to be compliant with the Conditions of Participation (CoPs) or Conditions for Coverage (CfCs), all providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality as per HIPAA regulations and the CoPs or CfCs.”
So, what can you do to ensure that you maintain compliance with the CMS texting policy and meet HIPAA privacy and security guidelines? Here are three steps you should be taking now.
- Perform a risk assessment
Your primary concern is reducing your risk and avoiding a PHI breach. To accomplish that, start with a comprehensive compliance assessment of your communication technology and processes. Determine how mobile devices are being used in the organization and what risk they pose to patient PHI.
Review your current compliance policies and make sure they include provisions for secure communications. You may have to develop, document and implement new policies that address the use of mobile devices in general and texting patient data specifically. Be sure to include a policy prohibiting the use of unsecured texting.
Determine where PHI is being created, received, maintained and transmitted. Although texting is primarily done on mobile phones, people can also text using applications on desktops, workstations or in the cloud. Evaluate potential threats such as loss or improper disposal of mobile devices and access of PHI by parties other than the device owner. Institute policies that address these threats.
Once your assessment is complete and your policies and procedures have been updated, conduct training with all staff members to ensure they are aware of any changes and understand the importance of adhering to the secure texting policy.
For example, one multi-specialty organization has a secure messaging platform, but physicians were still using non-secure texting when communicating with their clinical staff. Even though policies were developed and implemented, this behavior could have been avoided if the organization had practiced mobile device privacy and security awareness and training for providers and staff.
- Comply with CMS and Joint Commission guidelines
Because of the confusion caused by the “back and forth” policies on texting, it’s critical that you thoroughly understand and comply with the latest CMS guidelines.
The December 28th CMS directive clarifies that texting of orders by physicians or other healthcare providers is still prohibited, regardless of the platform used. The letter asserts that this practice doesn’t comply with the CoPs or CfCs when it comes to Medical Records retention.
However, texting patient information among members of the healthcare team is allowed if transmitted through a secure platform. In the letter, CMS Survey and Certification Group Director David R. Wright recognizes that texting has become an essential means of communication among healthcare professionals but that, to comply, all providers must use a secure platform.
Wright also reaffirms in the letter that Computerized Provider Order Entry (CPOE) is the preferred method of order entry. The long-standing practice of CMS is that a physician or Licensed Independent Practitioner (LIP) should enter orders into the medical record manually or through CPOE and the information must be immediately entered into the provider's EHR. This ensures the order is dated, timed, authenticated, and promptly placed in the medical record.
You must also verify that text communications are integrated with your EHR and available if a patient requests a copy of their record. Also make sure that any applicable disclosure of PHI during a text communication is listed in the patient’s Accounting of Disclosures.
- Make sure your texting platform is secure
Start by using products that ensure secure messaging and that encrypt messages and transmit them through a secure server. Use a third-party, HIPAA-proof texting solution, many of which have been developed specifically for the healthcare industry. Many solutions now store encrypted messages in the cloud or on an encrypted server rather than on individual devices, which further enhances security.
Track and monitor all mobile devices within the organization that are transmitting PHI. Your policy should prohibit the personal use of these devices or require each device to be securely encrypted by your organization prior to being used for text messaging.
Texting, when done via a secure platform, can play a vital role in your organization. By performing a risk analysis, implementing security-aware policies and procedures, training staff and staying abreast of current regulations, you can be confident that your text communications are compliant.
“CMS Says No Texting Allowed, Citing HIPAA, CoP; Lawyer: ‘Like Going Back to Dark Ages,’” Report on Medicare Compliance, Volume 26, Number 25, December 18, 2017. Reprinted with permission from HCCA.