CMS to allow text messages, but only in secure systems/platforms and not for patient orders

By ASN Staff

In November 2017, the Centers for Medicare and Medicaid Services (CMS) stated that “the use of text messages in healthcare is prohibited due to concerns about security and patient privacy… The CMS was concerned that the use of text messages in healthcare will lead to the exposure of sensitive patient data and could threaten the integrity of medical records. While this is understandable as far as SMS messages are concerned, many secure messaging applications satisfy all the requirements of HIPAA – e.g. transmission security, access and authentication controls, audit controls, and safeguards to ensure the integrity of PHI”.

In emails that CMS sent out to communicate their decisions, “CMS said ‘after meeting with vendors regarding these [secure messaging] products, it was determined they cannot always ensure the privacy and confidentiality of PHI of the information transmitted. This resulted in the no texting determination’”.

CMS “appeared to be saying no to all form of text messaging, even though a large percentage of hospitals have switched over to secure text messaging platforms and are finally replacing their outdated pagers. Such a ban would therefore not be too dissimilar to implementing a ban on email, given how text messaging is so extensively used in healthcare”.

“A recent survey conducted by the Institute for Safe Medication Practices (ISMP) confirms this. In its survey of 788 healthcare professionals, 45% of pharmacists and 35% of nurses said texting was used in their facilities. 53% said there was a policy in place prohibiting the use of text messages for patient orders, but despite the Joint Commission ban, 12% said texting patient orders was allowed – 8% only when a secure platform was used and 3% said text messages were permitted under any circumstances.”.

“On December 28, 2017, a month after the emails were sent, the CMS sent a memo clarifying its position on the use of text messages in healthcare, confirming there is not a total ban in place.

The CMS explained that the ban on the use of all forms of text messaging, including secure text messaging systems, remains in place for orders by physicians or other health care providers.

Order entries should be made by providers using Computerized Provider Order Entry (CPOE), or via hand written orders.

The CMS accepts that text messages are an important means of communication in healthcare, and that text messages are now essential for effective communications between care team members. However, in order to comply with the Conditions of Participation (CoPs) and Conditions for Coverage (CfCs), healthcare organizations must use and maintain text messaging systems/platforms that are secure.

These platforms must encrypt messages in transit and healthcare organizations are required to assess and minimize the risks to the confidentiality, integrity, and availability of PHI as required by HIPAA. The CMS also explained that ‘it is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients”.

See the full article on HIPAA Journal for more information.

Category:
Subcategory:
Author:
ASN Staff
Article Image:
Body:

In November 2017, the Centers for Medicare and Medicaid Services (CMS) stated that “the use of text messages in healthcare is prohibited due to concerns about security and patient privacy… The CMS was concerned that the use of text messages in healthcare will lead to the exposure of sensitive patient data and could threaten the integrity of medical records. While this is understandable as far as SMS messages are concerned, many secure messaging applications satisfy all the requirements of HIPAA – e.g. transmission security, access and authentication controls, audit controls, and safeguards to ensure the integrity of PHI”.

In emails that CMS sent out to communicate their decisions, “CMS said ‘after meeting with vendors regarding these [secure messaging] products, it was determined they cannot always ensure the privacy and confidentiality of PHI of the information transmitted. This resulted in the no texting determination’”.

CMS “appeared to be saying no to all form of text messaging, even though a large percentage of hospitals have switched over to secure text messaging platforms and are finally replacing their outdated pagers. Such a ban would therefore not be too dissimilar to implementing a ban on email, given how text messaging is so extensively used in healthcare”.

“A recent survey conducted by the Institute for Safe Medication Practices (ISMP) confirms this. In its survey of 788 healthcare professionals, 45% of pharmacists and 35% of nurses said texting was used in their facilities. 53% said there was a policy in place prohibiting the use of text messages for patient orders, but despite the Joint Commission ban, 12% said texting patient orders was allowed – 8% only when a secure platform was used and 3% said text messages were permitted under any circumstances.”.

“On December 28, 2017, a month after the emails were sent, the CMS sent a memo clarifying its position on the use of text messages in healthcare, confirming there is not a total ban in place.

The CMS explained that the ban on the use of all forms of text messaging, including secure text messaging systems, remains in place for orders by physicians or other health care providers.

Order entries should be made by providers using Computerized Provider Order Entry (CPOE), or via hand written orders.

The CMS accepts that text messages are an important means of communication in healthcare, and that text messages are now essential for effective communications between care team members. However, in order to comply with the Conditions of Participation (CoPs) and Conditions for Coverage (CfCs), healthcare organizations must use and maintain text messaging systems/platforms that are secure.

These platforms must encrypt messages in transit and healthcare organizations are required to assess and minimize the risks to the confidentiality, integrity, and availability of PHI as required by HIPAA. The CMS also explained that ‘it is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients”.

See the full article on HIPAA Journal for more information.

Area(s) of Interest:
Date:
Tuesday, January 9, 2018