Governance & Risk Management , Information Sharing , Next-Generation Technologies & Secure Development

CMS: Placing Orders Via Text Not Allowed

Security Experts Weigh In on Appropriate Uses of Secure Texting
CMS: Placing Orders Via Text Not Allowed

The Department of Health and Human Services has clarified that while it's permissible for healthcare entities to use secure texting platforms for communicating certain patient information, the use of texting to place patient orders, such as for medications or tests, on any platform - secure or not - is not allowed when treating Medicare and Medicaid patients.

See Also: Live Webinar | OT Cybersecurity Strategies for Executives

In a recent memo, the Centers for Medicare and Medicaid Services says it does not permit the texting of orders by physicians or other healthcare providers.

The CMS memo mirrors a position taken by the Joint Commission, which accredits healthcare organizations. In May 2016, the commission first signaled it would reverse a long ban on the use of texting in healthcare, but by July 2016 said it would delay that decision (see Joint Commission Delays Lifting Secure Text Messaging Ban.)

Ultimately, by December 2016, the commission issued a clarification saying that it had decided "the use of secure text messaging for patient care orders is not acceptable."

CMS did not immediately respond to an Information Security Media Group inquiry for details about why the agency issued the memo.

CPOE Preferred

In its memo, however, CMS warns that "the practice of texting orders from a provider to a member of the care team is not in compliance with the conditions of participation or conditions for coverage." Instead, the memo states, computerized provider order entry, or CPOE, is the "preferred method" of patient care order entry by providers because it results in the order being listed in a patient's record.

"CMS has held to the longstanding practice that a physician or licensed independent practitioner should enter orders into the medical record via a handwritten order or via CPOE," the memo says. "An order if entered via CPOE, with an immediate download into the provider's electronic health records, is permitted as the order would be dated, timed, authenticated and promptly placed in the medical record."

Texting in Healthcare

Clearly, texting is in widespread use in the healthcare sector. But secure texting applications are preferred because they encrypt messages at rest and in transit, protecting patient information.

"Texting is used every day, by everyone. It is a mainstay in how we communicate with one another on a conversational level. To think that it does not happen for [healthcare] some part of the time is likely naïve," says Mac McMillan, CEO of security consulting firm CynergisTek. "Many health organizations do have secure texting platforms available now for their clinical staffs."

It's highly likely that some clinicians at least occasionally use texting for placing patient orders, he acknowledges.

"In emergency or time-sensitive situations, I'm sure it still happens, but every health system we work with has policies and training for care givers that specifically denies the use of texts for placing orders," he says. "Do some still ignore this? Sure, all policies are ignored some of the time."

Tom Walsh, CEO of consultancy tw-Security, offers a similar assessment. "Because of its convenience, I believe that texting of patient information is widespread. Now if you were to ask physicians or clinicians, they will give you the expected company answer: 'We don't send protected health information in text messages,'" he says.

"There is also the misconception of what is PHI. For example, I heard a doctor say, 'I just sent a picture of the patient's leg via text message, but that's not PHI.' Depending on other circumstances, the doctor could be correct or could be wrong. Regardless, they tend to push the envelope."

Walsh notes that most electronic health record systems have messaging features integrated into them. "Therefore, from a hospital's perspective, it is the preferred method for communicating patient orders," he says. "It requires the doctor to 'remote in,' open the application and retrieve and reply to the message. Not easy or convenient. Doctors count key strokes and mouse clicks and often complain about how much unnecessary time they spend in front of a keyboard rather than practicing medicine."

A wide variety of vendors offer secure texting platforms that are appropriate for use in healthcare for purposes other than placing orders.

"I recommend that medical centers implement secure texting solutions when clinicians - including nurses and social workers - can improve communications and work flow through texting for better [patient] outcomes," says Kate Borten, president of privacy and security consulting firm, The Marblehead Group.

Texting Risks

There's a long list of reasons, however, why unsecured texting should never be used to communicate patient information, Walsh contends.

For instance, unsecured text messaging does not provide an audit trail and documentation for a patient's chart, Walsh says. "Any communications - text or even email - regarding patient care should be included in the legal record. Otherwise, this could put the hospital and the physician in a liable position."

Most hospitals have policies stating that encryption is required for PHI that is transmitted outside of the hospital. "If physicians or clinicians use regular text messaging over open cellular networks, the data is not encrypted and not stored on their personal phone and on the servers of telecommunication service providers," he says.

"Personally owned cell phones or smartphones may store text messages that contain PHI indefinitely. Unless the smartphone or tablet is registered through a hospital controlled mobile device management system, the hospital has no process for managing how often PHI is being removed from these devices, if the messages are being removed at all," he notes.

"Additionally, the cell phone carriers retain a copy of all text messages on the cell phone service provider's computer systems."

Data Breach Risks

In addition to patient safety concerns, the risk for data breaches involving unsecurely texted PHI is high, Walsh notes.

"Smartphones are high targets for loss and theft which significantly increases the risk to PHI stored on these devices," he says. "Further risk comes from the fact that individuals who find phones will likely try to access information within the phone."

In addition, there are patient safety concerns. "There is no way to guarantee that the recipient ever receives a text message or when they may get the text," Walsh says. "If texting is used in an urgent care situation, the text message may not get the urgent attention it requires. This carries significant risk for the hospital and the physician."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.