CMS Explains the Use of Text Messages in Healthcare

The Centers for Medicare and Medicaid Services (CMS) has confirmed to healthcare providers that using text messages in healthcare is forbidden because of issues relating to security and patient privacy.

SMS messages aren’t safe. The CMS is worried that using text messages in healthcare could result in the exposure of sensitive patient information and could endanger medical record integrity. While this is true as far as SMS messages are involved, there are numerous secure messaging applications that meet all the prerequisites of HIPAA – for example, transmission protection, audit controls, access and authentication controls, and safety measures to guarantee PHI integrity.

Some hospitals brought up the possibility of using secure messaging platforms with the CMS; nevertheless, the CMS seemed to prefer total prohibition on using text messages in healthcare, including the use of secure messaging applications.

The CMS said secure messaging solutions cannot always guarantee the privacy and confidentiality of information being sent. Thus, the decision was taken to prohibit texting in healthcare.

The Health Care Compliance Association (HCCA) publicized the article, Report on Medicare Compliance, questioning the CMS position. Nina Youngstrom, the Report on Medicare Compliance Managing Editor, said it was mentioned in the article that a number of compliance officers and healthcare lawyers were shocked about the CMS position. One lawyer said a complete ban is like returning to the dark ages.

CMS explained that issue with regards to text messages in healthcare wasn’t only about the security of transmission. There was the possibility of inadequate access controls on the devices of senders and receivers, stored information might not be secure nor encrypted, and patient privacy is not assured. An additional point of concern was the need for transmitted information via texting to be logged in the patient records and that it must be retrievable.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

There was a time that the Joint Commission relaxed its restriction on using text messages in healthcare, particularly in sending patient orders, but later the ban was reinstated. The present position of the Joint Commission is to allow the use of text messaging in healthcare as long as the entity uses a secure messaging platform. Nevertheless, the prohibition on using text messages for delivering orders still holds.

The CMS seemed to be opposing all types of text messaging, even if a large percentage of hospitals have been using secure text messaging platforms instead of their obsolete pagers for some time. Such a prohibition would thus not be too different from implementing a prohibition on email, considering how text messaging is so widely utilized in healthcare.

The Institute for Safe Medication Practices (ISMP) conducted a survey with 788 healthcare professionals as participants. 45% of pharmacists and 35% percent of nurses claimed that texting was being used in their place of work. 53% said a policy prohibited using text messages for patient orders. Despite the Joint Commission ban, 12% said texting was allowed for patient orders – 8% said that it was allowed only when using a secure platform and 3% said text messages were allowed in any situation.

CMS States That Using Text Messages in Healthcare is Allowed
On December 28, 2017, the CMS issued a memorandum making clear its position on using text messages in healthcare, saying that it is not totally banned.

The CMS mentioned that the prohibition on using all kinds of text messaging, which include secure text messaging systems, is still applicable for orders by doctors or other healthcare companies. Texting orders from a healthcare provider to a care team member does not comply with the Conditions of Participation (CoPs) or Conditions for Coverage (CfCs), particularly stating §489.24(b) and §489.24(c).

Order entries ought to be made by healthcare providers utilizing Computerized Provider Order Entry (CPOE), or by means of orders written by hand. The CMS stated that ordering via CPOE, with an instant download into the provider’s electronic health records (EHR), is allowed since the order is dated, timed, authenticated, and immediately put in the medical record.

The CMS agrees to the fact that text messages are an essential method of communication in healthcare. Text messages are vital for efficient communication between healthcare team members. Nonetheless, so as to comply with the CoPs and CfCs, healthcare companies need to utilize secure text messaging systems or platforms.

Those platforms should use encryption for messages in transit and healthcare companies should evaluate and reduce the dangers to PHI confidentiality, integrity, and availability as demanded by HIPAA. The CMS also mentioned that providers/organizations should implement processes that regularly evaluate the security and integrity of the texting systems/platforms so as to prevent negative results that could undermine the care of patients.

The CMS position is therefore in line with that of the Joint Commission. Secure text messaging platforms may be utilized in healthcare, except for texting orders. Even if secure text messaging satisfies HIPAA demands for privacy and security, the prohibition remains in force over issues of sending orders through text messages into the EHR. CPOE continues to be the chosen method of entry for accuracy.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: