Skip to Main Content

CMS Clarifies Text Messaging Prohibition

After a confusing month of contradicting guidance, the Centers for Medicare & Medicaid Services (CMS) issued a memorandum clarifying its position regarding the use of text messaging with patient information between providers. In early December, CMS communicated essentially a zero-tolerance policy on secure text messaging to a handful of hospitals via email, as first reported in the December 18, 2017, issue of the Report on Medicare Compliance. CMS cited to the HIPAA Security Rule and the Conditions of Participation for hospitals as support for their policy. On December 28, CMS clarified that text messaging amongst health care providers "is permissible if accomplished through a secure platform." However, CMS was very clear that the use of text messaging for patient orders is prohibited, regardless of the platform utilized.

While it has long been understood that SMS texting was a concern, widespread adoption of text message applications which can be provided via a secured, encrypted methodology was no different than any other secured application permitted by HIPAA Security Rules. Providers must be clear that the use of SMS text messaging for health care information should not be utilized, as it is not considered secure.

CMS's policy on secure text messaging is now consistent with recent policy clarifications, such as joint update by The Joint Commission's and CMS in December of 2016 on the use of secure text messaging for patient care orders. In clarifying their policy on secure text messaging, The Joint Commission prohibits secure text messaging by physicians or licensed independent practitioners to order patient care, treatment, or health care services. The view towards secure text messaging by the government and accreditation organizations is evolving quickly because of advents in new technologies with secure messaging platforms. For example, The Joint Commission's December 2016 update replaces their earlier guidance from that same year, in May 2016 (available here), in which they allow for secure text messaging of patient care orders, due to growing concerns that secure text messaging appropriately safeguards patient safety.

Baker Donelson Comments:

  • At this time, health care providers should revisit their compliance policies related to text messages and other messaging platforms for communicating health information. Keep in mind the December 2016 guidance from The Joint Commission when reviewing those policies. Be prepared to address these issues.
  • Health care providers should document their risk analysis of incorporating text messaging platforms as part of their health care organization and ensure that an appropriate risk management strategy is implemented and followed. Evaluations and maintenance of those safeguards should be revisited regularly.

If you have any questions about the content of this alert, please contact Alisa L. Chestler or any member of the Baker Ober Health Law Group.

Email Disclaimer

NOTICE: The mailing of this email is not intended to create, and receipt of it does not constitute an attorney-client relationship. Anything that you send to anyone at our Firm will not be confidential or privileged unless we have agreed to represent you. If you send this email, you confirm that you have read and understand this notice.
Cancel Accept