In its last Standards and Compliance letter of 2017, CMS has issued an uncharacteristically clear message to healthcare providers — you are at risk of a HIPAA violation if you send E-PHI by text.
Ref: S&C 18-10-ALL lays out the summary as follows:
- Texting patient information among members of the health care team is permissible if accomplished through a secure platform.
- Texting of patient orders is prohibited regardless of the platform utilized.
- Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider.
Additional information in the advisory to states and to CMS regional offices goes on to advise:
In an effort to clarify the position of the Centers for Medicare & Medicaid Services (CMS) as it relates to texting, CMS does not permit the texting of orders by physicians or other health care providers. The practice of texting orders from a provider to a member of the care team is not in compliance with the Conditions of Participation (CoPs) or Conditions for Coverage (CfCs).
The following CMS hospital Condition of Participation for Medical Records requirements apply:
- §489.24(b) Standard: Form and retention of record. The hospital must maintain a medical record for each inpatient and outpatient. Medical records must be accurately written, promptly completed, properly filed and retained, and accessible. The hospital must use a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries.
- (1) Medical records must be retained in their original or legally reproduced form for a period of at least 5 years.
- (3) The hospital must have a procedure for ensuring the confidentiality of patient records. Information from or copies of records may be released only to authorized individuals, and the hospital must ensure that unauthorized individuals cannot gain access to or alter patient records. Original medical records must be released by the hospital only in accordance with Federal or State laws, court orders, or subpoenas.
The contents of this letter support activities or actions to improve patient or resident safety and increase quality and reliability of care for better outcomes.
§489.24(c) Standard: Content of record
- (4) All records must document the following, as appropriate:
- (i) Evidence of — (vi) All practitioners’ orders, nursing notes, reports of treatment, medication records, radiology, and laboratory reports, and vital signs and other information necessary to monitor the patient’s condition.
Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider. CMS has held to the long-standing practice that a physician or Licensed Independent Practitioner (LIP) should enter orders into the medical record via a handwritten order or via CPOE. An order if entered via CPOE, with an immediate download into the provider’s electronic health records (EHR), is permitted as the order would be dated, timed, authenticated, and promptly placed in the medical record.
CMS recognizes that the use of texting as a means of communication with other members of the healthcare team has become an essential and valuable means of communication among the team members. In order to be compliant with the CoPs or CfCs, all providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality as per HIPAA regulations and the CoPs or CfCs. It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients.