Texting physician orders is never OK, CMS stresses. Unsecured texting may be one of the most pervasive threats to health care providers' compliance with both the Conditions of Participation and HIPAA rules, and home care companies are particularly vulnerable to the weak spot due to their mobile staff. For years, the Centers for Medicare & Medicaid Services, accrediting body The Joint Commission, and others have warned against regulatory violations brought about by texting. Now, after a confusing month of mixed messages from CMS on the issue, the agency has issued some guidance on the matter in the form of a new Survey & Certification memo. "Over the last few years, health care providers have watched with interest as The Joint Commission wrestled with its stance on texting patient information," notes attorney Jennifer Nelson Carney with law firm Brickler & Eckler. While the Commission indicated that its most recent guidance was developed in collaboration with CMS, "CMS recently issued its own guidance to clarify its position on texting patient information," Nelson Carney says in analysis on the firm's website. In early December 2017, "CMS communicated essentially a zero-tolerance policy on secure text messaging to a handful of hospitals via email," note attorneys Emily Wein, Alisa Chestler and Matthew Horton with law firm Baker Donelson. But then in the Dec. 28 memo, "CMS clarified that text messaging amongst health care providers 'is permissible if accomplished through a secure platform,'" the counselors note. However: That permission doesn't extend to all communications. The memo makes clear that "CMS strictly prohibits the texting of patient orders, regardless of the platform utilized," notes attorney Sumaya Noush with Drinker Biddle & Reath. Instead: Rather than texting patient orders, "CMS states that its preference is for health care providers to either hand-write an order into the patient's medical record or enter the order via computerized provider order entry (CPOE)," explains attorney Nathan Arden with law firm Robinson+ Cole. "The CPOE should allow for an immediate download into the provider's electronic health record system." The memo shows that "CMS is maintaining a hardline approach with respect to patient orders," Arden says. But CMS also "recognizes the prevalence of texting as an important means of communication among providers." This means you: While the subject line of the S&C Memo relates to all health care providers, "CMS appears to rely only on the hospital CoPs to enforce this prohibition on texting orders," observe attorneys Stephanie Sprague Sobkowiak, Dena Castricone, and Daniel Kagan with law firm Murtha Cullina. "However, it is likely that CMS will extend this guidance to other provider types." What You Need To Do Take advice from CMS and legal experts to chart your path to compliance with your texting policies and procedures. Providers that are currently texting physician orders will need to stop that practice, the legal experts note. Staff can engage in non-orders-related texting, but providers will have to ensure the texting meets some requirements. "All providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality as per HIPAA regulations and the CoPs or CfCs," CMS warns in the memo. "This means that providers currently using secured text messaging platforms should continue to monitor and assess the platforms' accessibility, security and integrity," advise the Murtha Cullina lawyers. Don't think you can just assess your texting system once and be done. CMS "expects that health care providers and organizations will routinely assess the texting platforms for security and integrity," Arden points out. Now is a good time to "revisit... compliance policies related to text messages and other messaging platforms for communicating health information," suggest the Baker Donelson attorneys. And be prepared to address issues that arise from the review. Plus: Perform and document a risk analysis for incorporating text messaging platforms as part of your health care organization, Wein, Chestler, and Horton advise. Then "ensure that an appropriate risk management strategy is implemented and followed." Note: CMS's memo on texting is at www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Survey-and-Cert-Letter-18-10.pdf and the Joint Commission's texting guidance, updated in December 2016, is at www.jointcommission.org/assets/1/6/Update_Texting_Orders.pdf.