Governance & Risk Management , Information Sharing , Next-Generation Technologies & Secure Development

Joint Commission Delays Lifting Secure Text Messaging Ban

Additional Guidance in the Works Before Policy Changes
Joint Commission Delays Lifting Secure Text Messaging Ban

The Joint Commission, which accredits healthcare organizations, has put on hold its plan to lift its longstanding ban on clinicians using text messaging to place patient care-related orders so it can collaborate with federal regulators to develop additional guidance.

See Also: Live Webinar | Improve Cloud Threat Detection and Response using the MITRE ATT&CK Framework

In the June edition of the Joint Commission's Perspectives publication, the not-for-profit accreditation body said it was delaying until September the implementation of lifting its ban on secure text orders, as originally announced in May (see Joint Commission OKs Secure Texting for Patient Care Orders).

"The Joint Commission determined additional guidance is required to ensure a safe implementation involving the secure texting of orders for healthcare organizations desiring to employ technology supporting this practice," Christina Cordero, project director of the Joint Commission's department of standards and survey methods, says in a statement provided to Information Security Media Group.

The commission will collaborate with the Centers for Medicare & Medicaid Services to develop additional guidance for text orders "to ensure congruency with the Medicare Conditions of Participation," the commission says in its Perspectives statement. The guidance will include "a comprehensive series of 'frequently asked questions' documents to assist healthcare organizations with the incorporation of text orders into their policies and procedures," the commission says.

CMS did not immediately reply to an ISMG request for comment.

The new guidance is designed to supplement earlier secure texting recommendations issued by the commission in May.

"The Joint Commission expects the additional guidance to be published by late September 2016," Cordero says.

Lifting the Ban

In May, the Joint Commission said it had reversed its long ban on physicians and certain other clinicians using text messaging to place orders related to patient care, citing technology advances that enable more secure communication.

The commission said at the time that users must comply with a list of requirements, including the use of encryption.

The ban on text messaging for patient care orders formally started in 2011 when the commission issued a "frequently asked questions" document stating that it was "not acceptable for physicians or licensed independent practitioners to text orders for patient care, treatment or services to the hospital or other healthcare settings ... due to concerns about using personal mobile devices to send unsecure text messages between providers."

The commission said it had banned the use of texting because applications were unable to verify the identity of the person sending the text or to retain the original message as validation of the information entered into the medical record.

"At the time, the technology available could not provide the safety and security necessary to adequately support the use of text messaging for orders," the commission wrote back in 2011.

In May, the commission announced its new policy stated: "Licensed independent practitioners or other practitioners, in accordance with professional standards of practice, law and regulation, and policies and procedures, may text orders as long as a secure text messaging platform is used and the required components of an order are included."

Critical Issues

As the commission and CMS develop the new additional guidance, they should address a few critical issues, says security expert Mac McMillan, CEO of the consulting firm CynergisTek.

"It's important that they specifically call out what an acceptable secure texting platform is, meaning the types of controls required for the system, the level of encryption required and the physical restrictions necessary to ensure controlled access," he says. "This should not reference specific 'brands' or solutions, but the attributes that make a secure texting solution acceptable to be used for this purpose."

In its document in May that initially reversed the ban, the commission said healthcare organizations may allow orders to be transmitted through text messaging if they use a secure text messaging platform that includes the following:

  • Secure sign-on process;
  • Encrypted messaging;
  • Delivery and read receipts;
  • Date and time stamp;
  • Customized message retention time frames;
  • Specified contact list for individuals authorized to receive and record orders.

In addition, the commission said organizations allowing texting of orders must comply with the Medication Management Standard MM.04.01.01, which addresses the required elements of a complete medication order and actions to take when orders are incomplete or unclear.

"Policies and procedures for text orders should specify how orders transmitted via text messaging will be dated, timed, confirmed and authenticated by the ordering practitioner," the commission noted in May. "Additionally, organizations need to consider how text orders will be documented in the patient's medical record and consider how text orders will be documented in the patient's medical record."

Other Steps

McMillan says he's confident that secure texting platforms are available that can meet clinicians' needs. His main concerns about secure texting for patient care orders are "the same concerns I have for any other electronic system - how well is it administered, how well is it maintained, how well is it audited/monitored, etc.," he says.

Clinicians need to "stop, think and act" when using text messaging, McMillan says. "Most mistakes with messaging systems happen when we rush or do not pay attention. Use two-factor authentication on the platform running the app as well as for the app itself."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.