Texting is perhaps the most ubiquitous manner of communication in our society today. For example, texts from the Presidential Office are now considered official governmental documents and have become almost routine. However, healthcare providers in general, and physicians and hospitals in particular, must exercise great caution in utilizing this otherwise universal method of communication.
On December 28, 2017, the Centers for Medicare and Medicaid Services (CMS) issued a Memorandum to state survey agency directors to clarify its position on texting patient information (the “Memorandum”). The Memorandum, effective “immediately,” provides that:
- Texting patient information among members of the healthcare team is permissible if accomplished through a secure platform
- Texting of patient orders is, however, prohibited regardless of the platform utilized
- Computerized Provider Order Entry (“CPOE”) is the preferred method of order entry
The practice of texting patient orders from a provider to another member of the care team is deemed “not to be compliant” with the Medicare conditions of participation (“CoPs”) or the conditions for coverage (“CfCs”). See 42 C.F.R. § 489.24(b) relating to the form and retention of the medical record.
Nonetheless, CMS indicated that it recognizes that the use of texting with other members of a healthcare team has become an essential and valuable means of communication. In order to be compliant with CoPs or CfCs, however, providers who text information other than patient orders must utilize and maintain systems or platforms that are secure and encrypted and that minimize the risk to patient privacy and confidentiality as per the HIPAA regulations. Therefore, the Memorandum states that it is “expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being used in order to avoid negative outcomes that could compromise the care of patients.”
The take-aways from the Memorandum are: (i) texting patient information other than patient orders among members of the healthcare team is permissible only if accomplished through a secure and encrypted system that is compliant with HIPAA requirements; (ii) texting patient orders is prohibited regardless of encryption or other protections; and (iii) Computerized Provider Order Entry is the preferred method to communicate orders among the team.
Of course, violations of the CoPs or CfCs can have substantial potential adverse effects, up to and including termination of participating provider status under Medicare. In addition, violations of HIPAA that may be attendant to violations of the CoPs or CfCs carry additional potential for substantial monetary penalties.
We recommend that policies and procedures be checked and, if necessary, modified to address the issues discussed in the Memorandum.