Legal Brief: CMS revises policy on texting patient orders

Posted on: 2/16/24

 

CMS issued a new guidance Memorandum (CMS QSO-24-05-Hospital/CAH) on Feb. 8 regarding texting patient information and patient orders among members of a healthcare team. The guidance provides that texting patient information and orders is allowable by CMS so long as the text messages are appropriately incorporated into the EMR in compliance with the HIPAA Security Rule and the Conditions of Participation. 

The CoPs (42 CFR 482.24 and 485.638) require that inpatient and outpatient medical records be accurately written, promptly completed, properly filed and retained, and accessible. In addition, the hospital must ensure the integrity of author identification and record maintenance. There is no required method or system that must be used for author identification and record maintenance; however, CMS prefers CPOE as the method of order entry by a provider. This is because an order entered via CPOE can be immediately downloaded into the EHR system dated, timed, authenticated, and promptly placed in the medical record. 

Historically, CMS has taken the position that texting patient orders from a provider to a member of the healthcare team is not allowed under the CoPs. This guidance was developed in 2018 and the reasoning at that time was centered around CMS’ concerns about record retention, privacy, confidentiality, security, and the integrity of the texting platform. Since 2018 there have been significant developments in the encryption and application interface capabilities of texting platforms to transfer data into the EMR. While CPOE is still CMS’ preferred method of order entry, texting patient information and orders via secure texting platforms is now acceptable. 

Should a hospital or CAH desire to utilize texting to share patient information and patient orders, they must utilize a platform that meets the requirements of the HIPAA regulations, specifically the Security Rule, and the CoPs. It will be essential to utilize and maintain systems/platforms that are secure and encrypted, minimize the risks to patient privacy and confidentiality, and ensure the integrity of author identification. Failure to do so could result in a CoP or HIPAA violation. In addition, hospitals and CAHs should regularly audit the security and integrity of any texting systems/platforms used to avoid negative outcomes that could compromise the care of patients. (Maggie Martin)