We’ve spoken many times before about the risks associated with text messaging from a HIPAA compliance perspective, but there are other reasons to be wary of texting in the medical environment.
Back in November 2017, the Centers for Medicare and Medicaid Services (CMS) issued an email to healthcare providers, explaining that the use of text messaging in healthcare is prohibited due to concerns about patient privacy and security. It was feared that text messaging could expose sensitive patient data and threaten the integrity of medical records.
CMS’ concerns were not just related to transmission security, but also a lack of access controls on the devices of message senders and receivers. Weak passwords, lack of encryption, and data being stored on a device’s hard disk drive can all compromise the security of sensitive information, should a device wind up lost or stolen.
In a turn of events on December 28, 2017 – a month after sending the original notification – the CMS then issued another memo clarifying its position on the use of text messages in healthcare, confirming there was not a total ban in place. The CMS went on to explain a ban on the use of text messaging, including secure text messaging services, remains in place for sending orders by physicians or other healthcare providers specifically. “The practice of texting orders from a provider to a member of the care team is not in compliance with the Conditions of Participation (CoPs) or Conditions for Coverage (CfCs),” specifically stating that sections §489.24(b) and §489.24(c) apply.
The CMS accepts that text messages are an important and effective means of communication in modern healthcare. However, in order to comply with the CoPs and CfCs, healthcare organizations must utilize mobile messaging platforms that are secure and use encryption. Any such platform must encrypt messages in transit and organizations are required to assess and minimize the risks to the confidentiality, integrity, and availability of PHI as required by HIPAA. The CMS also explained that “It is expected that providers/organizations will implement procedures and processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients.”
The CMS explained that order entries specifically should be made by providers either in handwriting or by using Computerized Provider Order Entry (CPOE) stating “An order if entered via CPOE, with an immediate download into the provider’s electronic health records (EHR), is permitted as the order would be dated, timed, authenticated, and promptly placed in the medical record.”
The CMS, therefore, holds a position that is aligned with the Joint Commission – secure messaging platforms can be used in the realms of healthcare, but not for sending orders.
How secure mobile messaging helps healthcare organizations
While the texting of orders remains off limits, secure mobile messaging provides many benefits over alternative forms of communication in the healthcare setting, including:
- Reducing costs – Secure mobile messaging plans can easily be scaled up or down depending on organizational needs, which eliminates unnecessary overpayments for services or accounts which are not being used. Hardware costs are typically minimal too, as apps can be installed on existing handsets.
- Streamlines clinical workflows – Mobile messaging empowers care teams by allowing for fast and secure communication with the convenience of a mobile device. Real-time alerts and audit trails help accelerate workflows and enhance team collaboration.
- Minimizes error – The Joint Commission identified miscommunication as the root cause of 80% of all medical mistakes. Mobile messaging reduces the requirement for emailing, paging, faxing, and voicemail, which in turn, reduces the risk of error.
For healthcare organizations the message is clear; avoid non-secure text messaging at all costs, and only ever process instructions for the treatment of patients via CPOE.