On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum entitled Texting of Patient Information and Orders for Hospitals and CAHs (the 2024 Memo), which provides updated guidance to State Survey Agency Directors. This 2024 Memo now permits the texting of patient orders among members of the hospital care team—if the texting is accomplished on a secure platform that protects the privacy and integrity of the patient information.
This new guidance updates CMS’ previous memorandum entitled Texting of Patient Information among Healthcare Providers in Hospitals and Critical Access Hospitals (CAHs) (the 2017 Memo), which permitted texting patient information if done through a secure platform, but prohibited texting of patient orders regardless of the platform utilized.
Even though texting of patient orders through a secure platform is now permitted by CMS, that does not mean it is recommended. CMS still prefers that providers enter their orders into the medical record via computerized provider order entry (CPOE) or even a handwritten order because of concerns about medical record retention, accuracy, privacy and security, etc. as set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Medicare Conditions of Participation (CoPs), and, if applicable, The Joint Commission (TJC) standards discussed below.
To comply with HIPAA regulations, in its 2024 Memo CMS recommends that providers utilize and maintain systems/platforms that are “secure and encrypted and must ensure the integrity of author identification as well as minimize the risks to patient privacy and confidentiality.” CMS continues, “Providers should implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized to avoid negative outcomes that could compromise the care of patients.”
The hospital and CAH CoPs at 42 C.F.R. 482.24 and 485.638, respectively, require among other things that inpatient and outpatient medical records be “accurately written, promptly completed, properly filed and retained, and accessible.” They also require that the hospital must use “a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries.” In addition, the CoPs require that medical records must be retained in their original or legally reproduced form for a period of at least 5 years. The CoPs also require that all orders, including verbal orders, must be dated, timed, and authenticated promptly by the ordering practitioner and be included in the medical record. Any secure texting platform must not only protect the privacy and security of the information contained in the order but also allow the order to be securely transmitted into the hospital’s electronic medical record hospital to comply with these CoPs.
TJC previously prohibited texting orders and is now reconsidering its stance on the topic. TJC’s website currently states, “The practice of texting patient orders is currently under review,” and TJC has promised to publish updates in the Perspectives Newsletters. TJC accredited facilities may want to wait for TJC guidance on this topic before implementing secure texting of orders.
In summary, we recommend that hospitals implement texting of patient orders with caution and only after addressing these concerns. Hospitals should assess any secure texting platform to ensure it protects the privacy and security of any PHI as well as allows the hospital to meet the Medicare CoPs and, if applicable, TJC standards. Hospitals should also re-assess texting platforms routinely to ensure they continue to meet these standards.
Contact a member of Wyatt’s data privacy and cyber security practice if you have questions or require assistance. To learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.
If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526
wyatthitechlaw.com 