CMS: Texting PHI among health care providers OK with caveats

To text, or not to text: That is no longer a question after the Centers for Medicare & Medicaid Services (CMS) issued clarification on texting patient information among health care providers.

In an official memo distributed Dec. 28, to state survey agencies, CMS clarified its position on exchanging patient information via text message after vacillating on the subject only weeks earlier. While CMS still does not permit texting patient orders by clinicians or other health care providers, it does permit texting patient information among members of the health care team if done so through a "secure platform."

Texting has grown to "become an essential and valuable means of communication" among members of the health care team, CMS notes. That's why the agency memo adds: "It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients."

The Health Care Compliance Association reported in December that CMS' Survey & Certification Group notified at least two hospitals of a wholesale prohibition on texting, citing the privacy and security concerns of medical records. When pushed on the subject, CMS doubled-down at the time that even texting through secure messaging applications wasn't permitted. However, this latest clarification walks back those CMS comments, acknowledging that texting through secure messaging applications is permissible.

Texting PHI? To 'who' matters

While the use of short message service (SMS) to communicate protected health information (PHI) is naturally different in a hospital or emergent care setting versus an optometric practice, the key takeaway is the same: if using SMS to transmit PHI, then take appropriate steps to ensure data is secure.

Marc Haskelson, president and CEO of Compliancy Group, an AOAExcel^® endorsed business partner, says there are three situations where providers might use SMS to transmit PHI, and each brings unique considerations for the doctor.

"Some of it has to do with who the doctor is communicating with, be it doctor-to-doctor, doctor-to-patient or doctor-to-business associate," Haskelson says.

Essentially, the standard for communicating PHI involves two components—ensuring PHI is secure at all times and that communication is end-to-end encrypted. Although communication between two HIPAA Covered Entities (CEs) using smartphones with proper password protection could be technically secure, there are HIPAA-compliant SMS services or applications that provide an even higher level of security. However, when it comes to doctor/patient SMS communication, Haskelson says doctors must obtain signed permission from the patient before texting. This can be obtained administratively with a signed "use and disclosure" document during patient check-in.

Still, too, there are unique considerations for doctor-to-business associate (transcription company, billing firm, etc.) communications. In addition to ensuring PHI is secure, CEs must do their due diligence and obtain a business associate agreement before communicating.

"Most enforcement of HIPAA and other regulatory acts revolves around the good-faith effort to satisfy these rules," Haskelson says. "The real answer is using a secure platform, having proper password protection, end-to-end encryption, especially when backing-up data, and looking at the organization to assess risk."