At the very end of 2017, the Centers for Medicare & Medicaid Services (CMS) released a memorandum summary that further clarified the two positions on the use of text messaging when dealing with patient information.
Can healthcare use regular text messaging that comes standard on all mobile devices? No!
Can healthcare use secure text messaging through HIPAA compliant systems for their mobile devices? Yes!
So here is the breakdown: Yes, to collaboration and clarifications (when using compliant messaging) and No, to sending orders.
Catch that “when using compliant messaging,” did you? There has been some confusion about what can and cannot be sent via "text". So, let us provide a brief history. In 2011, the Joint Commission “banned text” since the technology was new and not really vetted for healthcare. In the spring of 2016, the Joint Commission approved secure text and outlined what needed to be done to be compliant, but a few months later it partially reversed itself to ban sending patient orders. Essentially, text messaging in healthcare went from little to no regulation, to a complete ban, then to complete approval, and back to banning some things and allowing others when communicating about patients.
So now you know you can message patient information, but how do you do this in a compliant fashion?
Well, time for a little vocabulary lesson… While "text" or even "secure text" is a common term in the HealthIT space, it really is part of the confusion. Actually, SMS text is the non-compliant technology for any sharing of potential patient identifying information (PHI). To add a further level of complexity, "secure messaging" has a number of areas it needs to address to be "compliant messaging". For example, the financial markets have different regulations on what counts as secure, so secure to a bank is different than secure to a hospital. To sum up: text is not secure and not compliant, secure messaging could be compliant, and if someone claims compliance in healthcare they should have a third-party risk assessment and a Business Associate Agreement (BAA) in place.
(Sorry about this mouthful coming)
At Mediprocity, we focus on securing healthcare communications and risk assessments to meet OCR/NIST, as well as federal/state regulations, to communicate patient information securely and compliantly. Lastly, there is the push for CPOE (Computerized Provider Order Entry) being preferred, with written and verbal orders being allowed, which leaves integration as an area to cross over. Texting patient information among members of the health care team is permissible if accomplished through a secure platform.
This ruling came after some confusion caused by a response from CMS stating that texting any kind of patient information was prohibited. To clarify, CMS and the Office of Civil Rights (OCR), which governs HIPAA, do not allow texting patient information of any kind unless it is done within a fully HIPAA compliant platform. HIPAA compliant platforms must meet and should exceed the HIPAA Security Rule, 45 CFR Parts 160 and 164. Mediprocity meets and exceeds this ruling and therefore may be used to text patient health information.
JCAHO and CMS have also reaffirmed their position that no patient orders should be sent via text regardless of the platform utilized. The preferred method is a CPOE, which is a computerized provider order entry system. CMS does go on to say that physicians and licensed independent practitioners should enter orders into the medical record via a hand-written order or through a CPOE. Since text messaging is the preferred method of communication today, with over 23 billion texts being exchanged daily, it is safe to assume that some of that communication includes patient health information. Your organization at this point should be using a secure texting solution to comply with HIPAA. It is hard to believe in the year 2018 that your staff does not ever use text messaging. If you honestly believe no one in your organization sends texts daily, we have a great bridge in Brooklyn to sell you.
If everyone in your organization were still using a rotary phone or an old cellular block phone, then this argument would hold up. Realistically, almost everyone has some sort of smartphone and/or tablet and is using text daily.
• Do you have a mobile phone policy in place if the OCR were to perform an audit?
• Do you have access controls and remote wipe in place?
• Do you have retention of text records?
Mediprocity turns these questions into a yes! Mediprocity also allows your team to clarify orders on patients while discussing patient health information. CMS recognizes that texting as a means of communication with other members of the healthcare team has become an essential and valuable means of communication. CMS goes on to say they expect the texting platform to meet HIPAA standards, and that the functionality of the platform will help to avoid negative outcomes that could compromise the care of patients.
The effective date on this ruling is immediate. All state survey, certification staff and managers have been made aware of this memorandum. If you do not have a HIPAA compliant texting solution in place and a state surveyor asks to see what you use, what will be your answer? If your answer is "we never text" and you have a breach, you will be on record and fall into willful neglect. This places you in the high-risk fine arena, which is a place you do not want to be, as organizations and individuals can be held accountable.
Need some proof? Most recently a 2 million dollar fine was imposed on a Cancer Treatment Company that is now filing for bankruptcy protection. Texting without a secure platform today is no joke. Mediprocity can help by becoming your mobile device policy, a trusted source to improve your communication and improve patient care. So let’s recap…
Can I text patient health information? Only if using a HIPAA compliant text platform.
Can I send orders via text? Only if using a CPOE or hand-written order into the medical record.
Can I clarify orders and ask questions using a HIPAA compliant platform like Mediprocity? YES!
• Free for physicians.
• No long-term contract.
• Accounts as low as $6 per user / per month.
• Free Training.
• Free Support.
• And, we are super friendly!
Contact us today and protect your organization! We can have you up and running in less than 30 minutes.