Joint Commission: Even Secure Texts Are Unacceptable for Healthcare Orders

Jan 13, 2017 | Blog

Texts are the grease that makes healthcare in 2017 run smoothly. Doctors in hospitals interact about patient care through text, far more often than by voice communication. They may have to ratchet back their texting, though, as the Joint Commission on the Accreditation of Hospital Organizations (“Joint Commission”) has published a Clarification entitled “Use of Secure Text Messages for Patient Care Orders is Not Acceptable.”

The Security Rule of HIPAA states that communications containing Protected Health Information must be encrypted or otherwise protected in a way that would make the information unreadable to an unauthorized user. As a result, a number of companies developed secure texting platforms, in which the text messages were encrypted. Clinicians vastly prefer texts to email as a means of communications because they may receive hundreds of emails each day, and they don’t have time to sift through them while treating patients. Texts carry a brevity and immediacy that makes texting a more efficient means of communication. Clinicians text for consultations with other medical specialties, updates on patient care for shift changes and many other aspects of treatment.

According to the Joint Commission, which surveys healthcare organizations to determine whether they should keep accreditation (required for reimbursement from private insurance and government agencies), clinicians may no longer text for the entry of patient care orders. The Clarification states that even secure (encrypted) texting is impermissible for the entry of patient care orders such as medications, treatment and therapies. The basis of the holding is clinical efficiency, not security.

Instead, the Joint Commission noted that a text message with a treatment or medication order cannot be entered into the Computerized Provider Order Entry in the electronic medical record directly. The text recipient must enter the order, adding another layer in the order process. In addition, CPOE has an alert and recommendation application known as the Clinical Decision Support (CDS) system, and an alert or medication dosage recommendation provided by CDS would first be viewed by the text recipient, who must then in turn convey it to the ordering clinician. This could result in a time lag that could create risk to the patient.

The Joint Commission also noted that texts for orders are unnecessary in many, if not most institutions, because “CPOE is increasingly available through secure, encrypted applications for smartphones and tablets.”

Few healthcare agency events strike greater fear into the hearts of hospital administrators than an audit (“survey”) by the Joint Commission, so hospital administrators would be wise to discuss the limits of permissible texting with their clinical staff to avoid running afoul of this Clarification.

If you have questions about security and privacy compliance for medical communications under Joint Commission standards, HIPAA or state laws, please contact Kenneth N. Rashbaum.