The December 28, 2017 announcement of CMS’ new and apparently final stance on clinicians texting patient information probably sailed under your radar. CMS clarified what had previously been a confusing message: clinicians may communicate PHI by text, but only across a secure platform, and with significant caveats. Every clinician in every healthcare provider organization must be educated on CMS’ clarified texting policy as soon as possible, preferably through IT leadership, not just to adhere to federal rules, but to reduce the risk that texting is exploited by cybercriminals.
In a memo on December 28, CMS Survey and Certification Group Director David R. Wright wrote that texting in healthcare requires that “all providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality as per HIPAA regulations and the CoPs or CfCs.” He also emphasized that providers must implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms being used, in order to avoid negative outcomes, such as compromise of patient care.
This requirement affects both clinicians and hospital IT departments. The latter must take the lead in communicating the CMS policy clearly to providers.
In response to CMS’ policies, SBH Health System in New York City, like many other hospitals, offers a secure text messaging app to physicians to download free on their phones, says Cassandra Andrews Jackson, compliance officer and HIPAA privacy officer. “We instruct all our providers to use it because it’s secure, and the hospital also has a policy governing cellphone use.”
The CMS memo included a key caveat: “CMS does not permit the texting of orders by physicians or other health care providers.” CMS reconfirmed that computerized provider order entry (CPOE) is the preferred method of order entry by a provider: “An order if entered via CPOE, with an immediate download into the provider’s electronic health records (EHR), is permitted as the order would be dated, timed, authenticated, and promptly placed in the medical record.”
Per Wright, if a physician or licensed independent practitioner (LIP) cannot use CPOE, he or she should enter handwritten orders into the medical record.
While CMS’ texting policy did not cover texting between clinicians and patients, this remains an important related issue. Is texting with patients a violation of the HIPAA Security Rule? As a quick refresher, HIPAA requirements include:
- Access to PHI must be limited to authorized users who require the information to do their jobs.
- A system must be implemented to monitor the activity of authorized users when accessing PHI.
- Those with authorization to access PHI must authenticate their identities with a unique, centrally-issued username and PIN.
- Policies and procedures must be introduced to prevent PHI from being inappropriately altered or destroyed.
- Data transmitted beyond an organization’s internal firewall should be encrypted to make it unusable if it is intercepted in transit.
Text messages often fail on these counts, as HIPAAJournal has summarized in an excellent article. For example, senders of SMS and IM text messages have no control over the final destination of their messages: they could be sent to the wrong number, forwarded by the intended recipient, or intercepted in transit. Copies of SMS and IM messages also remain on service providers’ servers indefinitely.
Message accountability when texting with patients remains a huge problem. Anybody could pick up someone’s mobile device and use it to send a message, or even edit a received message before forwarding it on. As HIPAAJournal notes, these reasons and others make it clear that communicating PHI by standard, non-encrypted, non-monitored and non-controlled SMS or IM is texting in violation of HIPAA.
HIMSS has offered guidance on texting between clinicians and patients.
- Don’t text patients without their signing a consent form.
- Don’t include PHI in any text message to a patient (or to a provider who does not have a “need to know”).
- Security: Password protect the phone used for sending the text messages. Confirm that the cell phone number of the client is recorded correctly. Confirm all mobile devices used to send messages are secure at all times, including at home and work.
- Storing and deleting messages: Delete text messages after communication is completed and necessary information is documented appropriately.
- Store first name plus last initial only. Never use first and last name in text.
- If a patient’s message includes PHI, do not reply to the original text; instead, send a new message asking the client to call you.
David Wright wrote that CMS recognizes that the use of texting in healthcare “as a means of communication with other members of the healthcare team has become an essential and valuable means of communication among the team members.” As emphasized in a recent HCCA report by Robert Hudock, member at Epstein Becker & Green, “If texting solutions are good for highly classified military applications, they’re probably appropriate for hospitals.”
But, we have to do it right!
Phoenix was rated #1 for its HIT support by BlackBook in 2017. For a discussion or assistance on the above IT management issues or others, contact us!