CMS on Texting of Patient Information
On Dec 28th, 2017, the CMS released a Survey and Certification letter regarding texting of patient information between healthcare providers. Although secure texting is still permissible, with the use of a secure platform, Telmediq has found that some texting platforms that are in wide deployment today in healthcare do pose potential security risks as well as risks to patient safety.
We would like to share some key areas for you to evaluate potential security breaches in your secure messaging platform. But first, here is a summary of the CMS release.
Within the document CMS Director, David Wright, writes: “CMS recognizes that the use of texting as a means of communication with other members of the healthcare team has become an essential and valuable means of communication among the team members.”
The CMS statement further states that:
- Messages sent among clinicians are permissible so long as their texting solution is secure, encrypted, and minimizes the risks to patient privacy; and
- Texting of patient orders is prohibited, which aligns with the Joint Commission's position on this matter.
Wright adds additional context regarding the expectations of using a secure texting platform to accomplish care team texting: “It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients.”
At Telmediq, we want to provide some additional perspective on this CMS position, along with some recommendations that your hospital or healthcare system may want to consider regarding this recent policy clarification. We will briefly cover the following topics that healthcare providers may want to consider based on questions that we’ve received from our customers.
- How secure is my secure texting platform?
- How does a secure texting platform impact patient safety?
- Will integrating my texting platform with the patient health record help me meet CMS' requirements?
- If I can’t text orders using my texting platform, what can I use it for?
How secure is my secure texting platform?
A secure texting platform needs certain key features to meet not only CMS' requirements but also HIPAA. These basic security features should include:
- Encryption of all data in transit and at rest
- The ability to authenticate the user, preferably with 2-factor authentication
- Ability to keep a discoverable archive of messages for 7 years
- Administrative ability to lock users from the system when they leave the organization
- Administrative ability to wipe all texting data from a user’s device
There is a risk of breach in some of the platforms currently on the healthcare market:
Some secure texting products with broad adoption in healthcare have been designed to allow your clinicians to ‘invite’ outside members into a texting exchange through the use of a mobile number. Once the phone number is entered, an invite is sent via non-secure text message to the target recipient’s device, with a web link to create an account on the secure texting platform, where they can access the secure message via a mobile browser. There are two fundamental problems with this approach from a security perspective:
- First, the receiving party does not need to authenticate who they are. In fact, if the sender incorrectly enters the mobile number, which is a common occurrence, the invite will be sent to the wrong person who can then gain access to the message contents and the PHI.
- Secondly, there is no way for the healthcare system to regulate which people or organizations these text messages are being sent to, and it therefore may not have a Business Associate Agreement with these organizations.
This puts the healthcare organization that sends a message using such a platform at risk of a HIPAA violation. If you are concerned that your existing platform may have this vulnerability, please contact us and we can confirm with a list of known vendors we are tracking.
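The two gaps described above, shown as an added Python example that is not taken from any vendor's product: a link-only invite beside a gated one that checks the recipient's identity and organization before releasing a message. The directory, the BAA list, the phone numbers and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (assumptions, not real records): organizations with a
# signed Business Associate Agreement, and a directory of verified contacts.
BAA_ORGS = {"lakeside-pharmacy"}
DIRECTORY = {
    "+15550100": {"user": "pharm.lee", "org": "lakeside-pharmacy"},
    "+15550101": {"user": "dr.ames", "org": "unlisted-clinic"},
}

@dataclass
class Decision:
    allowed: bool
    reason: str

def link_only_invite(mobile: str) -> Decision:
    """Flow described in the text: any number entered receives a working link."""
    # No directory lookup and no login, so a mistyped number still gets access.
    return Decision(True, "invite link sent by plain SMS to " + mobile)

def gated_invite(mobile: str, authenticated_user: Optional[str]) -> Decision:
    """Release content only to a known, authenticated, BAA-covered recipient."""
    entry = DIRECTORY.get(mobile)
    if entry is None:
        # Addresses the wrong-number case: unknown numbers get nothing.
        return Decision(False, "number not in verified directory")
    if entry["org"] not in BAA_ORGS:
        # Addresses the second problem: the organization has no BAA on file.
        return Decision(False, "no BAA with recipient organization")
    if authenticated_user != entry["user"]:
        # Addresses the first problem: holding the link is not proof of identity.
        return Decision(False, "recipient has not authenticated")
    return Decision(True, "authenticated recipient at BAA-covered organization")

if __name__ == "__main__":
    mistyped = "+15550199"  # constructed: sender typed the wrong last digits
    print(link_only_invite(mistyped))
    print(gated_invite(mistyped, None))
    print(gated_invite("+15550101", "dr.ames"))
    print(gated_invite("+15550100", "pharm.lee"))
```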
How does a secure texting platform impact patient safety?
There is no doubt that providing a convenient and rapid two-way texting channel leads to improved patient care. This has been validated by several academic studies and at Telmediq we have demonstrated significant improvements in the delivery of care. However, these platforms also add an element of risk if not managed effectively, especially since they rely on consumer grade smartphones that physicians are using in a Bring Your Own Device configuration. The applications also require a reliable data connection in order to properly function. In addition, the wrong clinician could be contacted at the wrong time.
Telmediq has some key recommendations to ensure a secure texting platform is selected and configured to minimize patient risk when time-sensitive or critical information is being sent about a patient:
- The platform should allow the sender to see if and when a message is delivered and read
- The platform should provide delivery paths for a message other than the data channel, such as SMS notifications and phone calls, as backup delivery paths
- The platform should provide a way to escalate undelivered or unread messages to a backup or alternate provider when the initial target provider cannot be reached
- The platform should be able to direct messages to a specific clinician or away from a specific clinician based on a set of routing rules and call schedules.
Will integrating my texting platform with the patient health record help me meet CMS' requirements?
There are several useful integrations to the medical record for clinical texting solutions that enhance the clinician communication experience and improve patient safety:
- Patient lists from the EMR can improve care coordination by displaying the entire care team for a patient
- Critical lab results can be sent from the EMR to the texting platform in real time
- Documentation: There are many communications that need to occur between clinicians that would only serve to clutter the medical record. Some clinical judgment should be applied to which texting exchanges are appropriate for the health record. For that reason, a very useful feature is for clinicians to choose which conversations should be stored to the record.
In summary, CMS does not specify that an integration is required, but your healthcare system may find it beneficial to do so for the value added benefits of better care coordination.
If I can’t text orders using my texting platform, what can I use it for?
While both CMS and the Joint Commission have banned the use of texting orders, there are hundreds of high value use cases for secure texting in a clinical environment. We’ve included some of the common use cases that our customers accomplish with the Telmediq platform on a daily basis:
- Casual (non-record-based) communications about patient care that are not related to a direct order, such as care coordination, admit and discharge planning, patient moves, patient status changes, and following up on previously ordered tests and therapies.
- Figuring out who is on-call for all physician groups across the hospital.
- Ability for clinicians to share availability and control their forwarding so that they do not receive inappropriate phone calls or text messages when they should not be getting them.
- Access to a unified phone and messaging directory, including local extensions, offsite practices and locations such as pharmacies.
- Ability for doctors to call using their personal phones while protecting their personal phone numbers.
- Ability to access patient lists for purposes of performing rounding. This gives the physician the ability to instantly see patient details such as location, age, chief complaint without needing to log into the EMR.
- The ability for nurses to get instantly notified when they have an order to carry out that has been entered into the EMR.
- The ability to get real-time notification, directly on the smartphone device for any critical lab results for the doctor’s patients.
- Nurses can be mobilized to get nurse call system alarms directly on their smartphone.
If you would like to discuss the CMS Survey and Certification, would like additional access to the information discussed in this posting, or have questions about the Telmediq platform, connect with one of our Clinical Communications Consultants.