CMS allows texting of prescription orders

April 19, 2024

By Phuong Nguyen, Esq. and Michael Alexander, Esq., Brown and Fortunato, P.C.

 

On February 8, 2024, the Centers for Medicare and Medicaid Services (“CMS”) issued a memorandum entitled “Texting of Patient Information and Orders for Hospitals and CAHs,” allowing texting patient information and patient orders among members of the health care team under certain conditions. This new memorandum relaxes CMS’s previous prohibition on texting patient information and patient orders.

 

By way of background, in a memorandum issued on December 28, 2017, and later revised on January 5, 2018, CMS announced its position that texting patient information among members of the Hospital and Critical Access Hospital (“CAH”) healthcare team is permissible if accomplished through a secure platform. However, CMS’s position then was that texting patient orders was “prohibited regardless of the platform utilized.” At the time, CMS reasoned that texting orders from a provider to a member of the health care team would not comply with the Medicare Conditions of Participation (“CoPs”). For hospitals, 42 CFR § 482.24(b) contained requirements for the form, retention, and content of medical records. CMS expressed concerns regarding the ability of texted orders to be accurately and promptly incorporated into the hospital’s medical records. CMS was also concerned that hospitals would not be able to authenticate the prescriber’s identity. In addition, CMS was concerned that hospitals would not be able to ensure the security or confidentiality of the texted orders by protecting the texted orders from unauthorized individuals gaining access or altering the texted orders. Similarly, for CAHs, 42 CFR § 485.638(a) contained standards for medical record systems and protection of medical record information.

 

CMS concluded, at the time, that texting patient orders would not meet those two CoPs as it was unclear how an order sent via text would satisfy the CoPs’ requirements for retention, privacy, confidentiality, security, and integrity of the medical record. Consequently, CMS prohibited texting patient orders. CMS further stated that its preferred method of order entry by a provider was Computerized Provider Order Entry (“CPOE”). A physician or licensed independent practitioner may enter orders into the medical record through handwritten orders or CPOE. Orders entered via CPOE, with an immediate download into the provider’s electronic health records, would be permissible as the order would be dated, timed, authenticated, and promptly placed in the medical record.

 

According to CMS, most hospitals and CAHs in 2018 did not have the ability to use secure texting platforms to incorporate text messages into the medical record. Fast forward to 2024. CMS recognizes that there have been significant improvements in the encryption and application interface capabilities of texting platforms and electronic health record systems to transfer data in a secure manner. CMS believes that technology has sufficiently advanced to make it possible for hospitals and CAHs to allow prescribers to text patient orders to a member of the healthcare team and comply with the CoPs. Hospitals and CAHs are still required to maintain medical records that are accurately written, promptly completed, properly filed, retained, and accessible. To comply with the CoPs, the texting system or platform must be secure and encrypted. It must ensure the integrity of author identification and minimize risks to patient privacy and confidentiality. Hospitals and CAHs will need to develop and implement policies and procedures to routinely assess the security and integrity of the texting system or platform.

 

CMS also reminds hospitals and CAHs that, in addition to the CoPs, providers also need to ensure the texting system or platform complies with the requirements of the HIPAA Security Rule and the HITECH Act Amendments of 2021. The HIPAA Security Rule sets national standards to protect electronic PHI (“ePHI”) that is created, received, used, or maintained by a covered entity. The HITECH Act and its implementing regulations made the HIPAA Security Rule (and other provisions) directly applicable to business associates. The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, technical, and organizational safeguards to protect ePHI. While a fuller discussion of the HIPAA Security Rule is outside the scope of this article, we note that the HIPAA Security Rule makes data encryption an “addressable” implementation specification, meaning that the use of encryption is not mandatory under HIPAA. Nevertheless, CMS takes the position in its recent Memo that data encryption is required to meet the CoPs in the context of texting patient orders. In practice, data encryption has become a standard and common aspect of electronic medical record systems. Thus, meeting that element of CMS’s requirements for texting orders should not be unexpected.

 

In short, CMS expects hospitals and CAHs that incorporate texting of patient information and patient orders into their electronic health record systems to comply with the requirements of the CoPs and HIPAA. With the advances in electronic medical record systems, this may be a viable option for many hospitals and CAHs to consider.
