The Centers for Disease Control and Prevention (CMS) in conjunction with the Joint Commission issued a memo on December 28, 2017 clarifying its position on texting patient orders. CMS has reiterated that texting of patient orders is prohibited regardless of the platform. This “no texting determination” is driven by potential patient safety concerns and the risk for data breaches involving insecurely texted PHI. CMS prohibits texting of orders by physicians or other healthcare providers regardless of the platform, but allows members of the healthcare team to text patient information through secure platforms, similar to those used by HIPAA compliant medical transcription companies.
An article published recently by the American Pharmacists Association reported on a survey from the Institute for Safe Medication Practices (ISMP) which found that pharmacists used texting for medical orders although the practice is banned by facilities. The survey’s respondents included pharmacists, nurses, physicians and other prescribers, medication and patient safety officers, quality and risk managers, educators, pharmacy technicians, and others.
More than 30% reported they opposed the use of texts for medication orders, while another 40% said texted medication orders were acceptable only if encrypted devices were used. Up to 53% of all respondents said that their facilities prohibited texted medical orders, though 45% of pharmacists reported that medical orders are texted regularly. The ISMP report noted that 70% of respondents were concerned or highly concerned about unintended auto correction in texts. Also, more than 50% of the respondents said they were concerned or highly concerned about use of potentially confusing abbreviated text terminology, potential for patient misidentification, misspellings, and incomplete orders. The report called for a halt to texting medication orders until software is developed to ensure privacy.
In January 2018, CMS clarified that it prohibits texting of only patient care orders, not all text messaging. The CMS memo also permits exchanging patient information on a secure platform. The key points of the memo are as follows:
- The practice of texting orders from a provider to a member of the care team does not comply with the Conditions of Participation (“CoPs”) or Conditions for Coverage (“CfCs”). In this case, the CoPs for Medical Records requirements that apply include, among other things, requirements for maintaining medical records, accurately completing medical records, accessing medical records and securing medical records.
- Texting to place patient orders, such as for medications or tests, on any platform – secure or not – is not allowed when treating Medicare and Medicaid patients.
- Computerized provider order entry (CPOE) is the “preferred method” of patient care order entry by providers because it results in the order being listed in a patient’s record.
- A physician or licensed independent practitioner should enter orders into the medical record via a handwritten order or via CPOE.
- An order that is entered via CPOE, with an immediate download into the provider’s electronic health records because the order would be dated, timed, authenticated and promptly placed in the medical record.
- Even when utilizing text as a means of communication among the healthcare team, providers must use and maintain systems and platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality as per HIPAA regulations and the CoPs or CfCs.
Text messaging is a written message sent between two or more mobile devices and includes both Short Message Service (SMS) text messaging and other messaging services such as WhatsApp and iMessage. Faster than a phone call and simpler than an e-mail, text messaging is widely used in the field of healthcare, permitting providers to multitask and communicate conveniently and quickly. Clinicians tend to use texting to place patient orders in time-sensitive or emergency situations.
However, text messages result in electronic protected health information (ePHI) that is stored on the smartphone. The privacy and security standards that govern electronic health records (EHRs) maintained on the servers of hospitals and health care organizations also apply to ePHI. Conventional SMS messages are not encrypted and texts may stay on a telecommunication provider’s server for indefinite periods of time. Any individual who has access to the healthcare provider’s mobile device can view the texted ePHI and even reply to the message instead of the intended recipient. The unintended recipient can also forward the message to others. Due to all these reasons, text messages cannot meet HIPAA requirements and can compromise PHI.
HIPAA regulations require every covered entity to have administrative, physical and technical safeguards in place that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits. Accordingly, HIPAA compliant medical transcription services allow healthcare providers to dictate and record notes, patient information and more, and transform the data to text format for integration into the electronic health record (EHR). The entire process is managed through a secure platform.
When it comes to implementing any type of text messaging solution, a Lexicogy report cautions that providers need to understand all state and federal requirements that may be applicable. They should carefully evaluate and be aware about managing the risks involved in text messaging, such as its security risks, impacts of text messaging on patient care, and how such text messaging integrates with the provider’s EHR.