Protecting the privacy & security of your patient’s health information.

Blog Post: Regulatory Alert: To Text or Not? CMS comments issued Dec. 2017

On Dec. 27, 2017, the Centers for Medicare & Medicaid Services (CMS) issued a memo advising State Survey Agency Directors of its position on texting of patient information. The summary section of the memo lists the key points as follows:


  • Texting patient information among members of the health care team is permissible if accomplished through a secure platform
  • Texting of patient orders is prohibited regardless of the platform utilized
  • Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider

Key Takeaway: Texting of patient orders is prohibited under the Conditions of Participation (CoPs) and Conditions of Coverage (CfCs). Texting of PHI is allowed, but organizations need to use secure platforms and continue to assess risk to the confidentiality, integrity and availability of patient data.

In 2017, prior to the release of this memo, CMS contacted specific healthcare organizations and began fining them for the use of text services to send out medical orders, in the interest of protecting patient health information (PHI). Since CMS has begun issuing fines, healthcare organizations must act to ensure they are operating within the guidelines of the advisory.

What is Next?

At a minimum, all senior management involved with protecting patient data should meet to discuss the impact of the CMS guidance on the clinical services and operational areas of the healthcare organization. We suggest involving the Compliance, Legal and Risk Management personnel responsible for patient data security to address the proper use of texting of PHI. This group can address the following:

  • Outline the impact on service delivery of the CMS guidance on texting PHI and the prohibition of texting orders
  • Plan communication to clinical and business staff handling patient information
  • Define the notification process to advise business associates of the texting advisory

Please continue to follow this blog for updates on other regulatory issues affecting patient data security.