CMS has a communications problem. Together with the Joint Commission, CMS issued joint guidance on the use of SMS messaging for clinical communications just over a year ago. Last month, the Health Care Compliance Association published a story stating that CMS had sent emails to two different hospitals stating that text messaging (including secure messaging services) is verboten. The apoplectic response of the regulated community and commentariat to the off-message message conveyed via email moved CMS to issue an official statement more in line with the joint communiqué of December 2016.
Fear not, gentle reader. We are now back to the status quo ante, at least with respect to the question of whether and how texting may be used in hospitals subject to the Medicare Conditions of Participation (i.e., most hospitals). CMS’s Survey and Certification Group published a memo sent to all state survey agency directors at the end of December regarding Texting of Patient Information among Healthcare Providers.
The problems with unencrypted texting are threefold from the CoP perspective:
- Medical records (accurate, properly maintained, accessible, authenticated, secure) must be retained for five years
- Patient records must be kept confidential
- Orders are to be entered into a medical record by hand or via CPOE (CPOE, unlike texting, is permitted because it is set up to auto-download into the EHR, with date, time and authentication taken care of)
The CMS summation:
CMS recognizes that the use of texting as a means of communication with other members of the healthcare team has become an essential and valuable means of communication among the team members. In order to be compliant with the CoPs or CfCs [Conditions for Coverage], all providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality as per HIPAA regulations and the CoPs or CfCs. It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients.
Bottom line: Communication among team members via text message could be OK (as long as it’s secure), but orders must be communicated via CPOE.
So, when you’re shopping for your next CPOE tool, remember this: Any smartphone-based tool for CPOE must meet the CMS requirements outlined above as well as all HIPAA requirements.
This is clear . . . until the next clarification comes along. Other provider types are left to reason by analogy.