CMS clarifies rules for HIPAA compliance when texting patient data

| April 15, 2024

By Andres Fox—Texting of patient orders among members by healthcare teams is now permissible at hospitals and critical access hospitals when done through a HIPAA-compliant secure platform in compliance with CMS Conditions of Participation rules, the agency says.

The Centers for Medicare and Medicaid Services Quality, Safety & Oversight Group sent a memo to state survey agency directors, effective immediately, clarifying HIPAA compliance for texting patient information and hospital orders at critical access hospitals.


Texting guidance CMS released to hospitals in 2018 indicated that while texting patient information had become essential to operations, the practice of texting patient orders from a provider to a member of the care team was not compliant with the agency’s Conditions of Participation.

The hospital and CAH medical record CoPs regulations require that “inpatient and outpatient medical records be accurately written, promptly completed, properly filed and retained and accessible,” according to CMS in a new patient data texting protocol released Thursday.

CMS said in the new memo, Texting of Patient Information and Orders for Hospitals and CAHs, that back in 2018, it had concerns with “record retention, privacy, confidentiality, security and the integrity of existing systems at that time.” 

While computerized provider order entry is still the agency’s preferred method of order entry by a provider, those choosing to incorporate texting of patient information and orders into electronic health records must utilize and maintain data security and encryption as well as ensure the integrity of author identification on secure texting platforms that comply with the Health Insurance Portability and Accountability Act of 1996, CoPs and the HITECH Act, CMS said.

“Providers should implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized to avoid negative outcomes that could compromise the care of patients,” CMS noted.


CMS’s stance on texting patient information in 2018 came shortly after a report from the Health Care Compliance Association raising concerns about the agency’s arcane policy. 

In that report, the association said some hospitals had received emails from CMS indicating that “texting is not permitted,” regardless of an application’s security, citing retention of medical records and their confidentiality as factors in the agency’s no-texting decision.

Despite the prevalence of texting across care teams since that time, a 2022 study from the Regenstrief Institute, Indiana University School of Medicine and Indiana University Health Methodist Hospital found that, although they were happy to replace pagers with clinical texting systems, doctors were critical of the high volume of messages.

“We found that there is a lack of shared understanding among clinicians regarding how to use clinical texting,” said study corresponding author Joy L. Lee, a Regenstrief Institute research scientist and University of Massachusetts Chan Medical School assistant professor, in an announcement about that clinical texting study. 


“CPOE continues to be the preferred method of order entry by a provider, but we recognize that alternatives also exist now, as well as significant improvements in the encryption and application interface capabilities of texting platforms to transfer data into electronic health records,” CMS said in the memo. 

Category: Uncategorized

Comments are closed.