February 28, 2018
The December 28, 2017 announcement of CMS’ new and apparently final stance on clinicians’ texting patient information probably sailed under your radar. CMS clarified what previously had been a confusing message, and now has specified that it is permissible for clinicians to communicate PHI, but only across a secure platform. However, significant caveats were noted. Every clinician across all healthcare provider organizations must be educated, preferably through IT leadership, on CMS’ clarified policy on texting in healthcare as soon as possible — not just to adhere to federal rules, but to prevent compromise of texting usage by cyber criminal activity.
In a memo on December 28, CMS Survey and Certification Group Director David R. Wright wrote that texting in healthcare requires that “all providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality as per HIPAA regulations and the CoPs or CfCs.” He also emphasized that providers must implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms being used, in order to avoid negative outcomes, such as compromise of patient care.
This requirement affects both clinicians and hospital IT departments. The latter must take the lead in disseminating the CMS policy clearly to providers.
In response to CMS’ policies, SBH Health System in New York City, like many other hospitals, offers a secure text messaging app to physicians to download free on their phones, says Cassandra Andrews Jackson, compliance officer and HIPAA privacy officer. “We instruct all our providers to use it because it’s secure, and the hospital also has a policy governing cellphone use.”
The CMS memo included a key caveat: “CMS does not permit the texting of orders by physicians or other health care providers.” CMS reconfirmed that computerized provider order entry (CPOE) is the preferred method of order entry by a provider. “An order if entered via CPOE, with an immediate download into the provider’s electronic health records (EHR), is permitted as the order would be dated, timed, authenticated, and promptly placed in the medical record.”
Per Wright, if a physician or licensed independent practitioner (LIP) cannot use CPOE, he or she should enter handwritten orders into the medical record.
While CMS’ texting policy did not cover texting between clinicians and patients, this remains an important related issue. Is texting with patients a violation of the HIPAA Security Rule? As a quick refresher, HIPAA requirements include:
Text messages often fail on these counts, as HIPAA Journal has summarized in an excellent article. For example, senders of SMS and IM text messages have no control over the final destination of their messages. They could be sent to the wrong number, forwarded by the intended recipient or intercepted while in transit. Copies of SMS and IM messages also remain on service providers’ servers indefinitely.
What about message accountability when texting with patients? This remains a huge problem. Anybody could pick up someone’s mobile device and use it to send a message, or even edit a received message before forwarding it on. As HIPAA Journal notes, these reasons and others make it clear that communicating PHI by standard, non-encrypted, non-monitored and non-controlled SMS or IM is texting in violation of HIPAA.
HIMSS has offered guidance on texting between clinicians and patients.
David Wright wrote that CMS recognizes that the use of texting in healthcare “as a means of communication with other members of the healthcare team has become an essential and valuable means of communication among the team members.” As emphasized in a recent HCCA report by Robert Hudock, member at Epstein Becker & Green, “If texting solutions are good for highly classified military applications, they’re probably appropriate for hospitals.”
But, we have to do it right!
Phoenix was rated #1 for its HIT support by BlackBook in 2017. For a discussion or assistance on the above IT management issues or others, contact us!