CMS: Texting PHI among health care providers OK with caveats

January 18, 2018
Attend upcoming HIPAA webinar on violations, fines
Attend upcoming HIPAA webinar on violations, fines

To text, or not to text: That is no longer a question after the Centers for Medicare & Medicaid Services (CMS) issued clarification on texting patient information among health care providers.

In an official memo distributed Dec. 28, to state survey agencies, CMS clarified its position on exchanging patient information via text message after vacillating on the subject only weeks earlier. While CMS still does not permit texting patient orders by clinicians or other health care providers, it does permit texting patient information among members of the health care team if done so through a "secure platform."

Texting has grown to "become an essential and valuable means of communication" among members of the health care team, CMS notes. That's why the agency memo adds: "It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients."

The Health Care Compliance Association reported in December that CMS' Survey & Certification Group notified at least two hospitals of a wholesale prohibition on texting, citing the privacy and security concerns of medical records. When pushed on the subject, CMS doubled-down at the time that even texting through secure messaging applications wasn't permitted. However, this latest clarification walks back those CMS comments, acknowledging that texting through secure messaging applications is permissible.

Texting PHI? To 'who' matters

While the use of short message service (SMS) to communicate protected health information (PHI) is naturally different in a hospital or emergent care setting versus an optometric practice, the key takeaway is the same: if using SMS to transmit PHI, then take appropriate steps to ensure data is secure.

Marc Haskelson, president and CEO of Compliancy Group, an AOAExcel® endorsed business partner, says there are three situations where providers might use SMS to transmit PHI, and each brings unique considerations for the doctor.

"Some of it has to do with who the doctor is communicating with, be it doctor-to-doctor, doctor-to-patient or doctor-to-business associate," Haskelson says.

Essentially, the standard for communicating PHI involves two components—ensuring PHI is secure at all times and that communication is end-to-end encrypted. Although communication between two HIPAA Covered Entities (CEs) using smartphones with proper password protection could be technically secure, there are HIPAA-compliant SMS services or applications that provide an even higher level of security. However, when it comes to doctor/patient SMS communication, Haskelson says doctors must obtain signed permission from the patient before texting. This can be obtained administratively with a signed "use and disclosure" document during patient check-in.

Still, too, there are unique considerations for doctor-to-business associate (transcription company, billing firm, etc.) communications. In addition to ensuring PHI is secure, CEs must do their due diligence and obtain a business associate agreement before communicating.

"Most enforcement of HIPAA and other regulatory acts revolves around the good-faith effort to satisfy these rules," Haskelson says. "The real answer is using a secure platform, having proper password protection, end-to-end encryption, especially when backing-up data, and looking at the organization to assess risk."

Related News

AOA MORE, optometry’s data registry, takes yearlong pause

The AOA will use the time to evaluate its collection efforts and create a registry for the future that is most useful to improving eye health and vision care. The AOA launched the registry in 2015.

Talking politics in the office? 3 things to keep in mind

Even if you’re choosing to disengage, today’s politics have a way of finding you. What are the ground rules for approaching political debates in the practice?

New rules ahead for patient access to electronic health records

Under new rules for the 21st Century Cures Act, doctors of optometry will need to prepare for changes going into effect April 5. Doctors should check in with their health IT vendor in order to make sure they meet the new requirements.