Understanding CMS Regulations Guiding Texting of PHI

Executive Summary

As technology continues to advance, the way providers communicate with their patients advances too. However, it’s crucial that healthcare organizations understand the risks and regulations surrounding electronic communications, especially with texting. Violations for using improper communication channels could lead to a provider facing costly HIPAA fines and financial penalties. 

Recommended Actions

• Ensure that you’re familiar with current regulations regarding electronic communications with patients.
• Continue to document any clinically relevant communications with patients in their medical records.
• Continue to enter orders into a patient’s medical record only via a hand written order or via CPOE.

On December 28, 2017, the Center for Medicare and Medicaid Services (CMS) announced that texting patient information among healthcare providers is acceptable if done through a secure platform, but the texting of orders is prohibited — even if the orders are encrypted. Computerized Provider Order Entry (CPOE) is the preferred method of order entry. Although CMS has gone back and forth on this issue, it is now clear that texting orders does not comply with the Conditions of Participation (CoPs) and Conditions for Coverage (CfCs). A copy of the CMS Memorandum can be found here. 

In 2016, The Joint Commission (TJC) clarified its position, which also prohibits the use of secure text orders. The Joint Commission further recommended that all healthcare organizations have policies prohibiting the use of unsecured text messaging for communicating protected health information (PHI). 
One of the concerns surrounding the texting of orders is that the information may be lost or compromised if it has to be manually entered into the medical record from a text message. Other healthcare providers will not have access to this information if it is not in the medical record, which could affect patient care. The medical record must contain all information upon which treatment decisions are based, and patients have the right to access this information pursuant to HIPAA. 

In addition, there are several privacy and security concerns. When a text message appears on a phone, it may be possible for others to see PHI. A phone may lack proper authentication allowing PHI to be disclosed improperly. Lastly, verification of the recipient and verification of receipt may be challenging.

Lessons Learned 

• Ensure that your practice has policies prohibiting the use of unsecured text messaging for communicating PHI.
• Make certain that all staff members understand these policies and are appropriately trained. 
• Communicate your practice’s no texting order policy to new providers who join your organization.

Potential Damages

Healthcare organizations that text treatment orders could potentially face a HIPAA violation. If there is an impermissible disclosure of a patient’s PHI, the provider could face HIPAA fines and financial penalties.