The Centers for Medicare and Medicaid Services (CMS) sent emails to healthcare providers in November 2017 to explain that the use of text messages in healthcare is prohibited because of security and patient privacy concerns. SMS messages are not secure and could expose patients’ sensitive data and affect the integrity of medical records. However, there are SMS applications that are secure and satisfy HIPAA requirements, e.g. security of transmission, access and authentication controls, and audit controls.
Some hospitals raised the issue of using secure messaging platforms, as CMS appeared to ban the use of all texting platforms, including secure ones. The CMS email said, “After meeting with vendors regarding these [secure messaging] products, it was determined they cannot always ensure the privacy and confidentiality of PHI of the information being transmitted. This resulted in the no texting determination.”
The Health Care Compliance Association (HCCA) also questioned the position of CMS in its Report on Medicare Compliance article published last December. HCCA officers and healthcare lawyers were horrified by this issue, as a total ban would be “like going back to the dark ages.” CMS replied with the explanation that text messaging has transmission security issues: it lacks access controls on the devices of both sender and receiver, and stored data may not be secure or encrypted. Hence, patient privacy is not guaranteed. Also, text messages/information need to be entered into the patient record for future access or retrieval.
The Joint Commission’s position on this issue is that text messaging in healthcare is allowed if a secure messaging platform is used. The only ban is on using text messages for sending patient care orders. To comply with this, many hospitals have already switched to using secure text messaging platforms and replaced outdated pagers.
Finally, on December 28, 2017, one month after the controversial email, CMS clarified that the use of text messages in healthcare is NOT totally banned. Aligning with the Joint Commission’s position, CMS maintains that secure text messaging is allowed in healthcare but not for texting patient orders. Texting patient orders does not comply with the Conditions of Participation (CoPs) or Conditions for Coverage (CfCs) – §489.24(b) and §489.24(c).
The preferred method of order entry is Computerized Provider Order Entry (CPOE) or handwritten orders. An order made via CPOE is dated, timed, authenticated, and promptly placed in the medical record, so accuracy and security are guaranteed.
Secure text messaging systems/platforms must encrypt messages in transit. Healthcare organizations need to assess the platform to minimize the risks to the confidentiality, integrity, and availability of PHI as required by HIPAA. The providers/organizations also need to implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms in order to avoid negative outcomes that could compromise patient care.