On February 8, 2024, the Centers for Medicare & Medicaid Services (CMS) issued a quality standard memorandum (Memorandum) clarifying that hospitals and critical access hospitals (CAHs) may transmit patient information and orders via text message under certain conditions. Although Computerized Provider Order Entry (CPOE) continues to be the preferred method of order entry, healthcare team members are permitted to share patient information and orders among themselves through a Health Insurance Portability and Accountability Act of 1996 (HIPAA)-compliant secure texting platform (STP) in accordance with Medicare and Medicaid Conditions of Participation (CoPs). The Memorandum reverses CMS's position in a January 2018 memorandum and is effective immediately.

To support hospital and CAH compliance with CoPs, the Memorandum includes the following provisions:

  • Use secure and encrypted STPs: To comply with the CoPs, all providers must utilize and maintain systems/platforms that are secure and encrypted. Further, providers must ensure the integrity of author identification and minimize the risks to patient privacy and confidentiality in compliance with HIPAA regulations.
  • Assess system/platform security and integrity: Providers should implement procedures and processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized to avoid negative outcomes that could compromise the care of patients.
  • Comply with existing regulations when integrating STPs into the electronic health record (EHR): Providers who choose to incorporate texting of patient information and orders into their EHR are expected to implement a platform that complies with the HIPAA Security Rule; 2021 amendments to the Health Information Technology for Economic and Clinical Health Act (HITECH) Act, which provides for mitigated penalties when implementing voluntary recognized security practices; and the CoPs.

CMS develops CoPs and Conditions for Coverage (CfCs) that healthcare organizations, including hospitals, CAHs, and other types of providers must meet in order to participate in the Medicare and Medicaid programs. As part of the CoPs, hospitals and CAHs must maintain inpatient and outpatient medical records by using a records system that ensures the integrity of authentication and protects the security of patient medical records.

Takeaways

The Memorandum signals the agency's growing acceptance of certain digital health technologies, such as text messaging platforms, in an effort to drive innovation and efficiencies in delivering patient care. There is scant agency guidance on text messaging in compliance with HIPAA, which has led to many providers' reluctance to permit any text messaging of protected health information (PHI). The Memorandum could embolden some of these providers and other organizations to embrace text messaging, at least in a limited capacity, although it may call into question some current practices that do not meet all of the recommendations.

Prior to using STPs, providers should consider not only the concepts outlined in the Memorandum but also other applicable HIPAA requirements, including requirements to implement reasonable safeguards and execute business associate agreements with any vendors that handle PHI. Team members will also need to be trained on using STPs to mitigate the risk of misuse and impermissible disclosures of PHI. In addition, providers should conduct a risk assessment prior to adopting STPs. While the HIPAA regulations themselves do not specify a frequency for conducting risk assessments, guidance clarifies that risk analysis and management should be performed as new technologies are planned and should not be treated solely as a post-implementation activity.

Providers should also revisit existing uses of text messaging to consider how this guidance aligns with current policies and practices.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.