6 steps to ensure CMS-compliant text messaging
The agency clarifies when texting is prohibited and when it is permitted among healthcare professionals.
6 steps to ensure CMS-compliant text messaging
Texting and secure messaging have become ubiquitous in the healthcare industry, transforming healthcare delivery while improving quality and access and cutting costs. But the Centers for Medicare and Medicaid Services has sent mixed messages on the propriety of texting. Amid protests, CMS in December 2017 clarified—to a degree—that text messages are allowed as long as they are transmitted using a secure platform. Consulting firm Hayes Management offers the following tips for complying with CMS texting policy.
Perform a risk assessment
Organizations must first determine how mobile devices are being used in the organization and what risk they pose to protected health information. Review compliance policies to make sure they include provisions for secure communication. Determine where PHI is being created, received, maintained and transmitted. Remember that texting isn’t just done on phones but also via desktops, workstations and in the cloud. Train staff on the new policies.
Limit the scope of messaging, exclude orders
In its guidance, CMS clarified that texting of orders by providers is still prohibited regardless of the platform used. However, texting patient information among members of the care team is permitted if transmitted through a secure platform.
Adhere to specifications for order entry
With texting of orders prohibited, computerized provider order entry (CPOE) is the approach preferred by CMS. Clinicians should enter orders into the medical record manually or through CPOE; information must immediately be entered into the provider’s electronic health record to ensure that the order is dated, timed, authenticated and promptly placed in the record.
Enable patient access to text messages
Providers also must verify that text communications are integrated with the EHR and available if a patient requests a copy of their record. Any applicable disclosure of PHI during a text communication should be listed in the patient’s Accounting of Disclosures.
Secure the platform
Use products that ensure that messaging occurs in a secure environment, encrypting messages and transmitting them through a secure server. Use a third-party texting solution developed for healthcare use—some solutions store encrypted messages in the cloud or on an encrypted server rather than on individual devices.
Track devices used for texting
Track and monitor all mobile devices in the organization that transmit PHI. Prohibit personal use of the devices or require each device to be securely encrypted prior to being used for text messaging.