On February 8, 2024, the Centers for Medicare & Medicaid Services (CMS) issued a quality standard memorandum (Memorandum) clarifying that hospitals and critical access hospitals (CAHs) may transmit patient information and orders via text message under certain conditions. Although Computerized Provider Order Entry (CPOE) continues to be the preferred method of order entry, healthcare team members are permitted to share patient information and orders among themselves through a Health Insurance Portability and Accountability Act of 1996 (HIPAA)-compliant secure texting platform (STP) in accordance with Medicare and Medicaid Conditions of Participation (CoPs). The Memorandum reverses CMS’s position in a January 2018 memorandum and is effective immediately.

To support hospital and CAH compliance with CoPs, the Memorandum includes the following provisions:

  • Use secure and encrypted STPs: To comply with the CoPs, all providers must utilize and maintain systems/platforms that are secure and encrypted. Further, providers must ensure the integrity of author identification and minimize the risks to patient privacy and confidentiality in compliance with HIPAA regulations.
  • Assess system/platform security and integrity: Providers should implement procedures and processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized to avoid negative outcomes that could compromise the care of patients.
  • Comply with existing regulations when integrating STPs into the electronic health record (EHR): Providers who choose to incorporate texting of patient information and orders into their EHR are expected to implement a platform that complies with the HIPAA Security Rule; 2021 amendments to the Health Information Technology for Economic and Clinical Health Act (HITECH) Act, which provides for mitigated penalties when implementing voluntary recognized security practices; and the CoPs.

CMS develops CoPs and Conditions for Coverage (CfCs) that healthcare organizations, including hospitals, CAHs, and other types of providers must meet in order to participate in the Medicare and Medicaid programs. As part of the CoPs, hospitals and CAHs must maintain inpatient and outpatient medical records by using a records system that ensures the integrity of authentication and protects the security of patient medical records.

Takeaways

The Memorandum signals the agency’s growing acceptance of certain digital health technologies, such as text messaging platforms, in an effort to drive innovation and efficiencies in delivering patient care. There is scant agency guidance on text messaging in compliance with HIPAA, which has led to many providers’ reluctance to permit any text messaging of protected health information (PHI). The Memorandum could embolden some of these providers and other organizations to embrace text messaging, at least in a limited capacity, although it may call into question some current practices that do not meet all of the recommendations.

Prior to using STPs, providers should consider not only the concepts outlined in the Memorandum but also other applicable HIPAA requirements, including requirements to implement reasonable safeguards and execute business associate agreements with any vendors that handle PHI. Team members will also need to be trained on using STPs to mitigate the risk of misuse and impermissible disclosures of PHI. In addition, providers should conduct a risk assessment prior to adopting STPs. While the HIPAA regulations themselves do not specify a frequency for conducting risk assessments, guidance clarifies that risk analysis and management should be performed as new technologies are planned and should not be treated solely as a post-implementation activity.  

Providers should also revisit existing uses of text messaging to consider how this guidance aligns with current policies and practices.

For more information, please contact the professionals listed below, or your regular Crowell contact.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jodi G. Daniel Jodi G. Daniel

Jodi Daniel is a partner in Crowell & Moring’s Health Care Group and a member of the group’s Steering Committee. She is also a director at C&M International (CMI), an international policy and regulatory affairs consulting firm affiliated with Crowell & Moring. She…

Jodi Daniel is a partner in Crowell & Moring’s Health Care Group and a member of the group’s Steering Committee. She is also a director at C&M International (CMI), an international policy and regulatory affairs consulting firm affiliated with Crowell & Moring. She leads the firm’s Digital Health Practice and provides strategic, legal, and policy advice to all types of health care and technology clients navigating the dynamic regulatory environment related to technology in the health care sector to help them achieve their business goals. Jodi is a contributor to the Uniform Law Commission Telehealth Committee, which drafts and proposes uniform state laws related to telehealth services, including the definition of telehealth, formation of the doctor-patient relationship via telehealth, creation of a registry for out-of-state physicians, insurance coverage and payment parity, and administrative barriers to entity formation.

Photo of Brandon C. Ge Brandon C. Ge

Brandon C. Ge is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Privacy and Cybersecurity and Health Care groups.

Brandon advises clients on a wide range of privacy and cybersecurity laws, regulations, and standards.

Brandon C. Ge is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Privacy and Cybersecurity and Health Care groups.

Brandon advises clients on a wide range of privacy and cybersecurity laws, regulations, and standards. His practice has a particular focus on advising clients – from start-up digital health companies to large health plans – on all aspects of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Brandon regularly assists clients with responding to security incidents and has successfully represented clients in Office for Civil Rights investigations.

Photo of Allison Kwon Allison Kwon

Allison Kwon supports Crowell Health Solutions, a strategic consulting firm affiliated with Crowell & Moring, to help clients pursue and deliver innovative alternatives to the traditional approaches of providing and paying for health care, including through digital health, health equity, and value-based health…

Allison Kwon supports Crowell Health Solutions, a strategic consulting firm affiliated with Crowell & Moring, to help clients pursue and deliver innovative alternatives to the traditional approaches of providing and paying for health care, including through digital health, health equity, and value-based health care. She is a health care policy consultant in the Washington, D.C. office.