skip to main content

January 9, 2018

By: Stephanie T. Eckerle

A December 28, 2017 CMS memo to state surveyors clarifies CMS’ position as it relates to texting of orders by physicians or other health care providers as well as utilizing text messaging as a means of communication among the healthcare team.[1] In its memo, CMS holds that the practice of texting orders from a provider to a member of the care team is not in compliance with the Conditions of Participation (“CoPs”) or Conditions for Coverage (“CfCs”). In this instance, the § 482.24(b) and 482.24(c) CoPs for Medical Records requirements apply, which include, among other things, requirements for maintaining medical records, accurately completing medical records, accessing medical records and securing medical records.

While indicating that Computerized Provider Order Entry (“CPOE”) is the preferred method of order entry by a provider, the memo also states that a physician or Licensed Independent Practitioner (“LIP”) may enter orders into the medical record via a hand written order if not using CPOE.  Further, CMS communicates that orders entered via CPOE and immediately downloaded into the provider’s EHR are permitted as the order would be dated, timed, authenticated, and promptly placed in the medical record.

Although CMS prohibits text messaging patient orders, CMS recognizes that the use of texting as a means of communication within the healthcare team has become an essential and valuable means of communication in the healthcare setting.  Even when utilizing text as a means of communication among the healthcare team, however, providers must comply with applicable CoPs or CfCs. Specifically, all providers must utilize and maintain systems and platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality as per HIPAA regulations and the CoPs or CfCs.

Prior to a provider implementing any type of text messaging solutions, providers should understand all state and federal requirements that may be applicable, such as the CMS requirements.  In addition, providers need to carefully analyze and understand the risk management implications presented by text messaging, such as security risks of text messaging, impacts on patient care, and how such text messaging integrates with the provider’s EHR, if at all.  If the text messaging platform is not secure and integrated with the EHR, then no record of the text message is saved in the patient’s medical record. As a result, a notification of a test result or other communication within the healthcare team may not be available in the patient’s record to support related assertions or treatment decisions.  In addition, if a provider is proposing a solution whereby its healthcare practitioners can interface directly with patients via text message, a separate but related analysis must be undertaken. 

If you have any questions related to the CMS guidance or health IT issues, please contact Stephanie T. Eckerle at or your regular Krieg DeVault attorney.