Lashly & Baer, P.C.

By: Stuart J. Vogelsmeier
Summary: The Center for Medicare and Medicaid Services (“CMS”) recently issued guidance for Hospitals and Critical Access Hospitals (“CAHs”) on texting patient information among care team members. CMS Memorandum QSO-24-05-Hospital/CAH reached the conclusion that “Texting patient information and the texting of patient orders among members of the health care team is permissible, if accomplished through a HIPAA compliant secure texting platform (“STP”) and in compliance with the Conditions of Participation.” Computerized Provider Order Entry (“CPOE”) continues to be the preferred method of order entry by providers, CMS noted.
History: In 2018, CMS acknowledged that the use of texting had become a regular means of communication among healthcare team members. CMS cautioned, however, that texting patient orders from the ordering provider to another member of the care team would not be compliant with the Medicare Conditions of Participation (COPs”) because of difficulties in meeting record retention, privacy, confidentiality, security, and the integrity standards due to the technology at that time. In 2018, most Hospitals and CAHs did not have secure texting platforms to incorporate text orders into the medical record.
The COPs require that inpatient and outpatient medical records be accurately written, promptly completed, properly filed and retained, and accessible. The COPs also require the use a of system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries. No specific method or system of author identification and record maintenance is required.
2024 CMS Guidance: In the recent CMS Memorandum, CMS noted that CPOE continues to be the preferred method of order entry by a provider. CMS acknowledged that alternatives do exist, and that significant improvements in the encryption and application interface capabilities of texting platforms allow the transfer of texting data into electronic health records. Compliance with the Conditions of Participation requires that providers must: (i) utilize and maintain systems/platforms that are secure and encrypted, (ii) ensure the integrity of author identification, (iii) minimize the risks to patient privacy and confidentiality under HIPAA.
Key Takeaway: Providers should implement procedures/processes that routinely assess the security and integrity of the texting platforms that are being utilized, in order ensure the security of patient information. CMS expects that providers choosing to incorporate texting of patient information and orders into their medical records will implement a platform that meets the requirements of the HIPAA Security Rules.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Stuart J. Vogelsmeier is a partner with the St. Louis law firm of Lashly & Baer, P.C. where he Chairs the firm’s Health Care Advisory Team. Mr. Vogelsmeier regularly counsels health care providers on compliance issues, Stark Law and Anti-Kickback Law compliance, group purchasing, corporate structure, employment agreements, joint ventures, and adding ancillary services to practices.

This article is for informational and educational purposes only. Providers should contact their advisors for assistance.

Click here to read the full article as a PDF.

Categories: News