Texting patient orders is easy. However, due to patient safety, security and privacy concerns, CMS and the Joint Commission prohibit it! Not only is texting patient information a gray area of the HIPAA law, it also does not meet Medicare requirements.
Texting and HIPAA
Despite how tempting and convenient texting patient information may seem, it is a legal gray area. Therefore, if you want to go down this path, consult an attorney who is well versed in HIPAA.
HIPAA is pretty serious about how Electronic Protected Health Information (ePHI) must be transmitted and stored. The transmission must be secure. This can be a tedious and expensive undertaking. Text messages need to be securely transmitted and archived. This becomes increasingly difficult with the Bring Your Own Device (BYOD) arrangement that naturally comes with texting. As most organizations do not provide cell phones to their staff, texting will be done on their personal devices.
All transmissions of ePHI, including texts, must be taken into account when an organization conducts its risk analysis. In the risk analysis process, the organization must consider:
- WHAT ePHI is being transmitted
- HOW the ePHI is being transmitted
- WHICH devices are permitted to send ePHI
- IF the organization has a BYOD policy, whether it is accounting for those devices in the risk analysis
In addition, the impact to the organization in the event of a breach must also be calculated. Events such as theft, loss, improper disposal of the device, as well as the likelihood of the ePHI being intercepted by an unauthorized individual, must all be considered in the risk analysis.
So How Do I Communicate?
You may be tempted to stop all electronic transmissions. However, eliminating electronic transmissions is not reasonable. Consider that 73% of all health care professionals are already texting ePHI, whether it is permissible or not. Also consider that 98% of all health care professionals rely on routine email messages to communicate between internal staff and referring providers as well as business associates. Eliminating electronic transmissions altogether could, and probably will, place an immense burden on efficiency in your organization.
Because of the need for electronic communication, the idea of mutual consent comes into play. Mutual consent is where the HIPAA covered entity or business associate enters into an agreement with the patient whose data is being transmitted. HIPAA seemingly allows for insecure transmissions IF:
- The individual is clearly informed of the security risks of insecure transmission, and a secure option is recommended.
- The individual indicates in writing that it is OK to send them ePHI via insecure email.
- The Covered Entity keeps explicit records of all of these “mutual consent” cases, including the content of the risk warnings and the written approval from the individual.
Be very careful when using this loophole in the HIPAA law. Seek the advice of an attorney well versed in HIPAA BEFORE sending any insecure transmissions. With such a legal gray area, and with many options for securely transmitting ePHI on the market that are quite affordable, it is my recommendation that you still seek secure transmissions.
Texting Patient Orders and CMS
The reason CMS and The Joint Commission prohibit texting patient orders goes far beyond just HIPAA. In fact, texting patient orders is considered out of compliance with several Conditions of Participation and Conditions of Coverage for CMS, most importantly the retention of record and content of record requirements.
If you participate in Medicare, you are required to maintain records in their original or legally reproduced form. Texts are not able to accomplish this. Additionally, some messaging platforms struggle with this requirement. Check with your messaging provider to see if they are able to integrate with your EMR’s Computerized Physician Order Entry (CPOE) function. If so, you may be able to continue to use your messaging application and remain in compliance with CMS.