CLIENT ADVISORY: CMS Clarifies Restrictions on Text Messaging Among Health Care Providers

In a recent memo released to state survey agencies, the Centers for Medicare and Medicaid Services (CMS) clarifies standards governing texting among health care providers, including both traditional SMS text messaging and messaging through apps designed to encrypt information. While the memo quotes applicable Conditions of Participation for hospitals, the clarified guidance broadly applies to any type of health care provider. The CMS memo provides the following guidelines:

Medical orders: Medical orders must be placed using a system that allows for the identification and authenticity of the author. Medical orders must also contain the date and time. To ensure that the author can be identified and patient records are complete, CMS recommends that a physician or Licensed Independent Practitioner (LIP) enter all orders in handwritten format or by utilizing the Computerized Provider Order Entry (CPOE). All orders should include the date, time, and signature of the provider. CMS emphasizes that placing medical orders through a text messaging system of any kind, including systems provided by hospitals or clinics that claim security and encryption, is prohibited. The CMS memo does not mention verbal orders, but does not appear to supersede current rules regarding the acceptability of properly authenticated verbal orders.

Retention of medical records: The CMS memo emphasizes that all health care providers must properly file and maintain the medical records of every patient; the retained medical records must be accessible and promptly updated. (§489.24(b)). Original or legally reproduced medical records must be retained for at least five years. (§489.24(b)(1)). Because CMS stresses the proper filing and retention of current medical records, health care providers should not store medical documents or health information within text messages. The new guidance thus appears to recognize the difficulties associated with retaining and storing health information via text messages, including lack of physician access, accidental deletion, and device malfunction.

Patient confidentiality: Medical providers must protect the confidentiality of patient information by ensuring that unauthorized individuals cannot gain access to such information. (§489.24(b)(3)). To ensure that patient confidentiality is protected, all providers must communicate patient health information only through systems that are “secure, encrypted, and minimize the risks to patient privacy,” states CMS. CMS expects providers, hospitals, and clinics to avoid breaches of confidentiality by implementing procedures to evaluate the security of texting systems used to communicate patient health information in attempts.

Next steps: At this time, medical providers should review their policies concerning the communication of health information through text messaging. Providers should be prepared to update text messaging practices to better reflect the new guidance from CMS on patient confidentiality and record retention. If a secure text messaging system is not already available, medical providers should analyze current practice, benefits, and the risks of adding a secure, encrypted text messaging service before incorporating text messaging into approved practice. Any new or existing text messaging or secure messaging service practices should be routinely analyzed and updated to avoid risk and ensure that the system is effectively guarding patient information. CMS is clear that text messaging should not be used to transmit patient orders.

Click here for full access to CMS’s memo regarding Texting of Patient Information among Healthcare Providers. If you have any questions regarding the new restrictions on text messaging in the health care industry, please contact Peter Mellette, Harrison Gibbs or Elizabeth Dahl.

Mellette PC acknowledges with appreciation Chasity Bailey ’19 (William & Mary Law School) for her assistance in preparing this advisory.

This Client Advisory is for general educational purposes only. It is not intended to provide legal advice specific to any situation you may have. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice.
