CMS Issues Updated Guidance on Texting Patient Orders

February 22, 2024March 1, 2024 Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, Electronic Health Records, Health Information Technology, HIPAA, Privacy & Security computerized provider order entry, Cyber Security, data security, EHR, Health IT, healthcare, HHS CMS, HIPAA, Joint Commission, Medicare CoPs, technology

By: Margaret Young Levi

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum entitled Texting of Patient Information and Orders for Hospitals and CAHs (the 2024 Memo), which provides updated guidance to State Survey Agency Directors. This 2024 Memo now permits the texting of patient orders among members of the hospital care team—if the texting is accomplished on a secure platform that protects the privacy and integrity of the patient information.

This new guidance updates CMS’ previous memorandum entitled Texting of Patient Information among Healthcare Providers in Hospitals and Critical Access Hospitals (CAHs) (the 2017 Memo), which permitted texting patient information if done through a secure platform, but prohibited texting of patient orders regardless of the platform utilized.

Even though texting of patient orders through a secure platform is now permitted by CMS, that does not mean it is recommended. CMS still prefers that providers enter their orders into the medical record via computerized provider order entry (CPOE) or even a handwritten order because of concerns about medical record retention, accuracy, privacy and security, etc. as set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Medicare Conditions of Participation (CoPs), and, if applicable, The Joint Commission (TJC) standards discussed below.

To comply with HIPAA regulations, in its 2024 Memo CMS recommends that providers utilize and maintain systems/platforms that are “secure and encrypted and must ensure the integrity of author identification as well as minimize the risks to patient privacy and confidentiality.” CMS continues, “Providers should implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized to avoid negative outcomes that could compromise the care of patients.”

The hospital and CAH CoPs at 42 C.F.R. 482.24 and 485.638, respectively, require among other things that inpatient and outpatient medical records be “accurately written, promptly completed, properly filed and retained, and accessible.” They also require that the hospital must use “a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries.” In addition, the CoPs require that medical records must be retained in their original or legally reproduced form for a period of at least 5 years. The CoPs also require that all orders, including verbal orders, must be dated, timed, and authenticated promptly by the ordering practitioner and be included in the medical record. Any secure texting platform must not only protect the privacy and security of the information contained in the order but also allow the order to be securely transmitted into the hospital’s electronic medical record hospital to comply with these CoPs.

TJC previously prohibited texting orders and is now reconsidering its stance on the topic. TJC’s website currently states, “The practice of texting patient orders is currently under review,” and TJC has promised to publish updates in the Perspectives Newsletters. TJC accredited facilities may want to wait for TJC guidance on this topic before implementing secure texting of orders.

In summary, we recommend that hospitals implement texting of patient orders with caution and only after addressing these concerns. Hospitals should assess any secure texting platform to ensure it protects the privacy and security of any PHI as well as allows the hospital to meet the Medicare CoPs and, if applicable, TJC standards. Hospitals should also re-assess texting platforms routinely to ensure they continue to meet these standards.

Contact a member of Wyatt’s data privacy and cyber security practice if you have questions or require assistance. To learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526

Breach Notification Deadline is February 29th

February 16, 2024March 1, 2024 Margaret Young Levi data breach; notification, Data Privacy & Security Breach Notification, Cyber Security, data breach, healthcare sector, HHS OCR Deadline, HIPAA

By: Margaret Young Levi

Head’s up! The deadline for notifying the Office for Civil Rights (OCR) of healthcare data breaches affecting fewer than 500 individuals is early this year. Reports of small data breaches may be submitted to OCR annually, usually on March 1st, but because 2024 is a leap year, the reports are due on or before Thursday, February 29^th.

The HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400-414, requires HIPAA covered entities to provide notification following a breach of unsecured protected health information (PHI) to affected individuals, to OCR, and, in certain circumstances, to the media.

HIPAA covered entities must notify all individuals whose PHI has been impermissibly used or disclosed without unreasonable delay, and in no case later than 60 days from the discovery of a breach.

Reporting to OCR is accomplished by electronically submitting a breach report form. If a breach affects 500 or more individuals, then covered entities must submit the breach report to OCR without unreasonable delay and in no case later than 60 days following a breach. If, however, the breach affects fewer than 500 individuals, then the covered entity may choose to submit such breach reports on an annual basis. (Note that covered entities must submit a separate breach report for each breach incident and cannot combine them.) Annually submitted breach reports are due to OCR no later than 60 days after the end of the calendar year in which the breaches are discovered, which falls on February 29, 2024. In addition to notifying the individual and OCR, covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are required to provide notice to prominent media outlets serving the state or jurisdiction. This media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.

Looking for assistance with your organization’s data security policies? We work with clients and their IT team in the preparation and updating of information security policies and procedures to comply with the HIPAA Security Rule, FTC Safeguards Rule, and more. Such policies are essential in today’s cyber threats environment to meet the expectations of regulatory enforcement agencies such as the HHS Office for Civil Right and FTC. Information security policies also aide organizations in meeting other legal requirements and expections, e.g., contractual, cyber insurance underwriting, consumer, and other third-parties. If you are looking for assistance in this area, and to learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526

FTC Warns That Health Apps Must Notify Consumers of Data Breaches

October 11, 2021 Margaret Young Levi Data Privacy & Security data breach, Federal Trade Commission, Health Apps

By: Margaret Young Levi

On September 15, 2021, the Federal Trade Commission (FTC) issued a Policy Statement cautioning that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule and notify consumers when their health data is breached.

The Health Breach Notification Rule (codified at 16 C.F.R. § 318) protects individually identifiable health information created or received by vendors of personal health records. The Rule requires vendors of personal health records to notify U.S. consumers, the FTC, and sometimes the media when there has been a breach of security of unsecured identifiable health information. Persons that fail to comply with the Rule may be subject to monetary penalties of up to $43,792 per violation, per day.

The Health Breach Notification Rule became effective in 2009, but the FTC has not enforced it to date. However, because health care applications continue to proliferate and to collect increasingly personal and sensitive health information, the FTC issued this Policy Statement to place health apps on notice that the Rule will be enforced going forward and to clarify that they are considered to be “vendors of personal health records” covered under the Rule.

The FTC explains that the developer of a health app or connected device is considered a “vendor of personal health records” under the Rule if it is capable of drawing information from multiple sources, such as a combination of direct inputting by a consumer, syncing with a consumer’s fitness tracker, or even interfacing with the phone calendar. The Rule does not apply to vendors of personal health records who are already covered by HIPAA.

In addition, the FTC reminds vendors of personal health records that a “breach of security” is not limited to cyberattacks by third parties, but includes any acquisition of identifiable health information of an individual in a personal health record without the individual’s authorization. The FTC states that “[i]ncidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Rule.”

If a breach occurs, then health apps should examine state data breach notification laws to determine if they apply as well.

OCR Issues Guidance on HIPAA, COVID-19 Vaccination and the Workplace

October 8, 2021January 19, 2022 Margaret Young Levi HIPAA, Privacy & Security COVID Vaccines, HIPAA, Privacy of Vaccination Status

By: Margaret Young Levi

On September 30, 2021, the Office for Civil Rights (OCR) issued welcome guidance concerning when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine—and when it does not apply.

The guidance aims to clear up misperceptions about who can ask questions about vaccination. In general, OCR reminds that HIPAA only applies to HIPAA covered entities, such as health care providers (physicians, hospitals, etc.) and health plans, and it does not apply to employers or employment records. The guidance addresses common workplace situations, provides helpful examples, and answers frequently asked questions for HIPAA covered entities, businesses, and the public.

HIPAA does not prohibit businesses, individuals, or HIPAA covered entities from asking whether their customers or clients have received a COVID-19 vaccine. HIPAA does not prohibit any person, whether an individual or a business or a HIPAA covered entity, from asking individuals whether they have received a COVID-19 vaccine. First, OCR makes it clear that HIPAA only applies to HIPAA covered entities, and it does not apply to other individuals or entities. Second, even though HIPAA regulates how and when HIPAA covered entities may use or share information about COVID-19 vaccinations, it does not limit the ability of covered entities to ask patients or visitors whether they have been vaccinated.

The guidance clarifies that HIPAA does not apply when an individual:

Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
Asks another individual, their doctor, or a service provider whether they are vaccinated.
Asks a company, such as a home health agency, whether its workforce members are vaccinated.

Continue reading →

OCR Settlement a Message to Providers: Every Day Counts to Notify Affected Persons After a HIPAA Data Breach

January 30, 2017January 30, 2017 Margaret Young Levi Data Privacy & Security, HIPAA, Privacy & Security data breach, data privacy, Federal Law Resources, OCR, protected health information

The U.S. Department of Health & Human Services, Office of Civil Rights (OCR) entered into a settlement with Presence Health Network relating to its failure to provide timely notification of a breach of unsecured protected health information under the Health Insurance Portability & Accountability Act (HIPAA). OCR data breach settlements typically concern a covered entity’s failure to properly secure protected health information; this marks the first settlement involving a provider’s failure to report a data breach in a timely manner.

Under the HIPAA Breach Notification Rules, covered entities must provide notification of a breach without unreasonable delay and in no case later than 60 days following the discovery of a breach to affected individuals, and, in breaches affecting more than 500 individuals, to OCR and the media.

Presence Health is a not-for-profit health system serving 150 locations in Illinois. Presence Health first discovered that some paper copies of its surgery schedules at one location were missing on October 22, 2013, and these documents contained the protected health information of 836 individuals. The information consisted of the Continue reading →

A legal blog about consumer privacy and data security in a high-tech world

Author: Margaret Young Levi