Messaging , Risk Assessments , Risk Management

Joint Commission OKs Secure Texting for Patient Care Orders

Reverses Long Ban, But Says Messaging Must Meet Criteria
Joint Commission OKs Secure Texting for Patient Care Orders

The Joint Commission, which accredits healthcare organizations, has reversed its long ban on physicians and certain other clinicians using text messaging to place orders related to patient care, citing technology advances that enable more secure communication. But users must comply with a list of requirements, including the use of encryption.

See Also: Threat Intelligence - Hype or Hope?

In the May edition of the Joint Commission's Perspectives publication, the not-for-profit accreditation body says it "recently conducted research to better understand the capabilities of current texting platforms and has concluded that these platforms now offer the functionality to address the concerns outlined" in a 2011 frequently asked questions document.

That earlier document stated that it was "not acceptable for physicians or licensed independent practitioners to text orders for patient care, treatment or services to the hospital or other healthcare settings ... due to concerns about using personal mobile devices to send unsecure text messages between providers."

The commission had said that it also banned the use of texting because applications were unable to verify the identity of the person sending the text or to retain the original message as validation of the information entered into the medical record. "At the time, the technology available could not provide the safety and security necessary to adequately support the use of text messaging for orders," the commission wrote back in 2011.

The commission's new policy states: "Licensed independent practitioners or other practitioners, in accordance with professional standards of practice, law and regulation, and policies and procedures may text orders as long as a secure text messaging platform is used and the required components of an order are included."

In a statement provided to Information Security Media Group, Christina Cordero, project director at the Joint Commission's department of standards and survey methods, notes: "We had several conversations with Joint Commission accredited healthcare organizations about whether the current technology could support the use of texting for orders. As part of our research into the functionality of secure text messaging platforms, we [also] spoke with multiple vendors about their current capabilities.

"We acknowledge that secure text messaging platforms now offer the functionality to address our previous concerns about texting orders. As long as healthcare organizations implement one of these platforms and include the required components of an order, orders can be transmitted through text messaging."

ONC's Reaction

The Office of the National Coordinator of Health IT, the unit of the Department of Health and Human Services that oversees policies and standards for certified electronic health records under the HITECH Act, says it welcomes the commission's changed stance and hopes vendors will meet the specifications the commission set for secure texting products.

ONC is pleased to see technology "being used in new and innovative ways to deliver better care at lower cost," a spokesman says. "ONC isn't directly involved in assessing texting vendors for their security capabilities. Since the ability to text orders is a new capability recently allowed, we anticipate that texting vendors will have to at least map their existing functionality to the new guidelines, or develop new security features to meet the new guidelines."

Healthcare providers implementing secure texting must first conduct a risk assessment and then develop policies and procedures that meet the Joint Commission's requirements and comply with HIPAA, the ONC spokesman adds.

Secure Texting Requirements

The Joint Commission says healthcare organizations may allow orders to be transmitted through text messaging if they use a secure text messaging platform that includes the following:

  • Secure sign-on process;
  • Encrypted messaging;
  • Delivery and read receipts;
  • Date and time stamp;
  • Customized message retention time frames;
  • Specified contact list for individuals authorized to receive and record orders.

In addition, organizations allowing texting of orders must comply with the Medication Management Standard MM.04.01.01, which addresses the required elements of a complete medication order and actions to take when orders are incomplete or unclear.

"Policies and procedures for text orders should specify how orders transmitted via text messaging will be dated, timed, confirmed and authenticated by the ordering practitioner," the commission notes. "Additionally, organizations need to consider how text orders will be documented in the patient's medical record and consider how text orders will be documented in the patient's medical record."

Meeting a Need

The change by the commission meets an important need of many healthcare professionals says Mac McMillan, CEO of the security consultancy CynergisTek.

"Nurses want to text doctors on another floor, and doctors want to text back. And the commission is saying this is OK for orders as long as they use a secure platform," he says. When the commission issued the ban five years ago, "there were only a one or two experimental secure texting solutions ... and the fear was that medical professionals were using their mobile devices for texting on a public cloud" platform, he says.

The use of secure texting for certain purposes is already commonplace at some healthcare organizations, notes Phil Curran, chief information security and privacy officer at Cooper University Health Care, a Camden, N.J.-based healthcare system that includes more than 700 physicians and a hospital.

"I have seen secure texting implemented for a few reasons," he says. "First, we want to provide our employees a secure way of texting PHI to improve patient care and patient safety. Texting seems to be the method of communication this generation of care providers uses. Second, we want to be able to track if an individual received a text and, if so, what did he/she do with the text - answer, ignore, etc. Some institutions have a problem with providers saying they never received a page or a text. Third, to replace the paging system which removes a device from a care provider's belt."

Curran says Cooper University Health Care is in the final stages of implementing a secure texting solution. The toughest hurdle in implementing it, he says, is "ensuring our employees actually use the application. There is technically no way we can prevent an employee from using their smartphone texting application to text."

More Guidance to Come

The commission's latest document regarding secure texting says its staff is "currently assessing the need to further delineate the expectations for secure text messaging platforms and policies and procedures for texted orders within the accreditation standards."

Meanwhile, the commission recommends that healthcare organizations that allow text orders to do the following:

  • Develop an attestation documenting the capabilities of their secure text messaging platform;
  • Define when text orders are appropriate;
  • Monitor how frequently texting is used for orders;
  • Assess compliance with texting policies and procedures;
  • Develop a risk management strategy and perform a risk assessment;
  • Conduct training for staff, licensed independent practitioners, and other practitioners on applicable policies and procedures.

Curran also suggests that an important consideration for all healthcare organizations implementing secure texting is careful analysis of overall pros and cons. "Secure texting is like any new application," he says. "First and foremost, they must understand the business objectives for secure texting, i.e., what is it they want to accomplish."

John Halamka, CIO of Beth Israel Deaconess Health Care, an integrated delivery system in the Boston area, says his organization "will use secure texting for team communication but will not use texting for orders." That's because "our ordering systems, which provide rich decision support, already run on mobile devices."

Some vendors of secure texting solutions are assessing how their products can meet the Joint Commissions' requirements.

"Imprivata is constantly working to enhance the Imprivata Cortext solution, and this change in position from the Joint Commission will assuredly be factored in as we move forward with our development," says Douglas Schwab, a company spokesman.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.