CMS Issues Updated Guidance on Texting Patient Orders

February 22, 2024March 1, 2024 Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, Electronic Health Records, Health Information Technology, HIPAA, Privacy & Security computerized provider order entry, Cyber Security, data security, EHR, Health IT, healthcare, HHS CMS, HIPAA, Joint Commission, Medicare CoPs, technology

By: Margaret Young Levi

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum entitled Texting of Patient Information and Orders for Hospitals and CAHs (the 2024 Memo), which provides updated guidance to State Survey Agency Directors. This 2024 Memo now permits the texting of patient orders among members of the hospital care team—if the texting is accomplished on a secure platform that protects the privacy and integrity of the patient information.

This new guidance updates CMS’ previous memorandum entitled Texting of Patient Information among Healthcare Providers in Hospitals and Critical Access Hospitals (CAHs) (the 2017 Memo), which permitted texting patient information if done through a secure platform, but prohibited texting of patient orders regardless of the platform utilized.

Even though texting of patient orders through a secure platform is now permitted by CMS, that does not mean it is recommended. CMS still prefers that providers enter their orders into the medical record via computerized provider order entry (CPOE) or even a handwritten order because of concerns about medical record retention, accuracy, privacy and security, etc. as set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Medicare Conditions of Participation (CoPs), and, if applicable, The Joint Commission (TJC) standards discussed below.

To comply with HIPAA regulations, in its 2024 Memo CMS recommends that providers utilize and maintain systems/platforms that are “secure and encrypted and must ensure the integrity of author identification as well as minimize the risks to patient privacy and confidentiality.” CMS continues, “Providers should implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized to avoid negative outcomes that could compromise the care of patients.”

The hospital and CAH CoPs at 42 C.F.R. 482.24 and 485.638, respectively, require among other things that inpatient and outpatient medical records be “accurately written, promptly completed, properly filed and retained, and accessible.” They also require that the hospital must use “a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries.” In addition, the CoPs require that medical records must be retained in their original or legally reproduced form for a period of at least 5 years. The CoPs also require that all orders, including verbal orders, must be dated, timed, and authenticated promptly by the ordering practitioner and be included in the medical record. Any secure texting platform must not only protect the privacy and security of the information contained in the order but also allow the order to be securely transmitted into the hospital’s electronic medical record hospital to comply with these CoPs.

TJC previously prohibited texting orders and is now reconsidering its stance on the topic. TJC’s website currently states, “The practice of texting patient orders is currently under review,” and TJC has promised to publish updates in the Perspectives Newsletters. TJC accredited facilities may want to wait for TJC guidance on this topic before implementing secure texting of orders.

In summary, we recommend that hospitals implement texting of patient orders with caution and only after addressing these concerns. Hospitals should assess any secure texting platform to ensure it protects the privacy and security of any PHI as well as allows the hospital to meet the Medicare CoPs and, if applicable, TJC standards. Hospitals should also re-assess texting platforms routinely to ensure they continue to meet these standards.

Contact a member of Wyatt’s data privacy and cyber security practice if you have questions or require assistance. To learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526

Stages 1, 2, And Now 3, Meaningful Use Criteria

April 17, 2015 Margaret Young Levi Electronic Health Records, Health Information Technology, HITECH Law, Meaningful Use CEHRT, Centers for Medicare & Medicaid Services, CMS, EHR, Health Information Technology, Meaningful Use, Medicaid Electronic Health Record, Medicare Electronic Health Record, ONC

The Centers for Medicare & Medicaid Services (“CMS”) proposed Meaningful Use criteria to implement Stage 3 and allow eligible professionals, eligible hospitals and critical access hospitals (“CAHs”) to qualify for incentive payments (or avoid downward payment adjustments) under the Medicare and Medicaid Electronic Health Record (EHR) Incentive Program implemented by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009. Then CMS made changes to Stage 1 and Stage 2 Meaningful Use criteria to better align with the proposed Stage 3 criteria just two weeks later.

On March 30, 2015, CMS published a long-awaited proposed rule which, if finalized, would implement Stage 3, making changes to the objectives and measures of meaningful use for providers effective in Continue reading →

March 31st Attestation Deadline for Eligible Professionals

March 18, 2014 Margaret Young Levi Electronic Health Records, Health Information Technology, Meaningful Use EHR, Electronic Health Records, Health care reform, Health Information Technology, Meaningful Use, meaningful use of certified EHR

Reminder: The deadline for Medicare eligible professionals to attest to meaningful use of certified electronic health record technology for the 2013 program year is just two weeks away. Attestations are due on March 31, 2014 at 11:59 pm EST. Click here for addition information about the EHR incentive program as well as to register or attest to meaningful use.

CMS Issues EHR Meaningful Use Hardship Exceptions for Health Care Providers Subject to 2015 Medicare Reimbursement Reduction (Includes Automatic One-Year Reprieve for 2013 Meaningful Users)

March 11, 2014March 12, 2014 Margaret Young Levi EHR Certification Standards, Electronic Health Records, Eligible Professional Incentives, Health Information Technology, HITECH Law, Hospital EHR Incentives, Hospital EHR Stimulus, Meaningful Use, Physician EMR Stimulus CEHRT, EHR, hardship exception, hardship exemption, Meaningful Use

On February 28, 2014, we posted an article about ICD-10 and Stage 2 Meaningful Use (MU) announcements by the Centers for Medicare & Medicaid Services (CMS) at the 2014 HIMSS annual conference. At that conference, while CMS refused to extend the deadlines for ICD-10 and Stage 2 MU, it promised to be more flexible about providing hardship exemptions on Stage 2 MU for providers and vendors truly struggling to meet the incentive program’s requirements. CMS said that guidance would be forthcoming. Yesterday, March 10, 2014, CMS issued such guidance. The Guidance is directed solely at providers experiencing EHR vendor issues. Importantly, the Guidance gives an automatic, one-year reprieve for certain providers who demonstrated MU for 2013. Continue reading →

No Further Extensions for ICD-10 and MU Stage 2

February 28, 2014April 7, 2014 Margaret Young Levi EHR Certification Standards, Eligible Professional Incentives, Health Information Technology, HITECH Law, Hospital EHR Incentives, Hospital EHR Stimulus, Meaningful Use, Physician EMR Stimulus American Hospital Association, American Medical Association, Centers for Medicare & Medicaid Services, Centers for Medicare and Medicaid Services, Certified Electronic Health Record, Certified Electronic Health Record Technology, CMS, EHR, Health Insurance Portability and Accountability Act, HIMSS14, ICD-10, Marilyn Tavenner, Medicare EHR Incentive Programs, Medicare EHR Incentives, MU, Privacy & Security, Stage 2, Stage 2 Meaningful Use, Tavenner

Update: On April 1, 2014, President Obama signed into law the “Doc Fix” bill, Public Law 113-93, which extends the deadline for ICD-10 for an additional year. Section 212 of this law prohibits the Secretary of Health and Human Services from adopting ICD-10 code sets prior to October 1, 2015.

Everyone is a-twitter (pun intended) about the announcement on Thursday, February 27, 2014, from Marilyn Tavenner, the Administrator for the Centers for Medicare & Medicaid Services (CMS), that the deadline for adoption of ICD-10 will not be extended. Tavenner was the keynote speaker at the HIMSS14 conference, and numerous tweets from HIMSS attendees highlighted her assertion that CMS will stand firm on the October 1, 2014 deadline. All entities covered by the Health Insurance Portability and Accountability Act (HIPAA) must be prepared to use ICD-10 codes on transactions by this date.

Tavenner also affirmed that the deadlines for Stage 2 Meaningful Use (MU) will not be extended. Providers who are not meaningful users of Certified Electronic Health Record (EHR) Technology under the Medicare EHR Incentive Programs will face a penalty, in the form of Medicare payment adjustments. These payment adjustments will be applied beginning on January 1, 2015. Continue reading →