After a confusing month of contradicting guidance, the Centers for Medicare & Medicaid Services (CMS) has issued a memorandum clarifying its position regarding the use of text messaging with patient information between providers. In early December, CMS communicated essentially a zero-tolerance policy on secure text messaging to a handful of hospitals via email.
CMS cited to the HIPAA Security Rule and the Conditions of Participation for hospitals as support for their policy. A few weeks later, CMS clarified that messaging amongst healthcare providers "is permissible if accomplished through a secure platform." However, CMS was very clear that the use of text messaging for patient orders is prohibited, regardless of the platform utilized.
While it has long been understood that SMS texting was a concern, widespread adoption of text message applications which can be provided via a secured, encrypted methodology was no different than any other secured application permitted by HIPAA Security Rules. Providers must be clear that the use of SMS text messaging for healthcare information should not be utilized, as it is not considered secure.
CMS's policy on secure text messaging is now consistent with recent policy clarifications, such as joint update by The Joint Commission's and CMS in December of 2016 on the use of secure text messaging for patient care orders. In clarifying its policy on secure text messaging, The Joint Commission prohibits secure text messaging by physicians or licensed independent practitioners to order patient care, treatment, or health care services.
The view towards secure text messaging by the government and accreditation organizations is evolving quickly because of advents in new technologies with secure messaging platforms.
- Information courtesy Baker Donelson