Regardless of the platform, CMS prohibits the practice of texting of patient orders. Above all, the provider is not in compliance with the Conditions of Participation or Conditions for Coverage if he or she texts patient orders to a member of the care team.
In December 2016, The Joint Commission, in collaboration with the Centers for Medicare & Medicaid Services (CMS), decided to reverse a May 2016 position to allow secure texting for patient care orders and issued the following recommendations:
- All health care organizations should have policies prohibiting the use of unsecured text messaging, also known as short message service, from a personal mobile device for communicating protected health information.
- The Joint Commission and CMS agree that computerized provider order entry (CPOE), which refers to any system in which clinicians directly place orders electronically, should be the preferred method for submitting orders, as it allows providers to directly enter orders into the electronic health record (EHR).
- In the event that a CPOE or written order cannot be submitted, a verbal order is acceptable on an infrequent basis.
In December 2017, the Joint Commission issued a clarification explicitly stating the use of Secure Texting for patient orders is prohibited. Providers should opt for the use of Computerized Provider Order Entry (CPOE) as the preferred method of order entry. CMS insists that a physician or Licensed Independent Practitioner (LIP) should enter orders into the medical record via a handwritten order or via CPOE. When using this system, orders are immediately downloaded into the provider?s electronic health records (EHR). Moreover, this method is preferred as the order would be dated, timed, authenticated and promptly placed in the medical record.
For more information from CMS, Computerized Provider Order Entry (CPOE)
Finally, using cybersecurity to protect PHI remains the cornerstone to protecting all ePHI which all organizations should address in today’s healthcare climate.
Most importantly, it is important to know that having security policies is not enough. An organization must observe and follow these policies to protect patients and the entity.
Consequently, all organizations must routinely review their plan, train their employees on HIPAA and monitor that everyone follows the plan.