On April 29, 2016, the Joint Commission released an update (“Update”) providing for the use of text messaging to submit orders for patient care, treatment, or services to the hospital or other health care settings for all accreditation programs. Back in 2011, the Joint Commission believed that the technology necessary to secure contents of a text message, verify the identity of the person sending the message, and retain the original message within the medical record were not readily available, and, therefore, prohibited the use of text messaging to submit orders. However, this has changed as reasonably accessible technology has been developed which mitigates the security and record retention risks the Joint Commission previously identified. In the Update, the Joint Commission said, “effective immediately, licensed independent practitioners or other practitioners in accordance with professional standards of practice, law and regulation, and policies and procedures may text orders as long as a secure text messaging platform is used and the required components of an order are included.”
The Update does not green light the use of common consumer, unencrypted messaging. According to the Joint Commission, secure text messaging platform should include, at minimum, the following components:
- Secure sign-on process;
- Encrypted messaging;
- Delivery and read receipts;
- Date and time stamp;
- Customized message retention time frames; and
- Specified contact list for individuals authorized to receive and record orders.
Organizations that allow the use of text messages to submit orders will remain obligated to comply with Joint Commission Medication Management Standard MM.04.01.01. This standard requires hospitals to have a written policy that defines (1) the required elements of a written order (name of drug, dose, frequency, route, rate, etc.), and (2) the actions to be taken when medication orders are incomplete, illegible, or unclear. Before implementing text orders, an organization should identify and document when text orders are appropriate, how such records will be dated and authenticated by the ordering providers, how these orders will be documented in the medical record, and conduct training for staff and other practitioners on the applicable policies and procedures.
Data privacy laws, such as HIPAA, will need to be taken into consideration as well. The HIPAA Privacy and Security Rules apply to covered entities, such as health care providers and professionals such as doctors, nurses, psychologists, dentists, and chiropractors. Individuals and organizations that meet the definition of a covered entity and who transmit health information in electronic form in connection with certain transactions must comply with the Privacy and Security Rules’ requirements to protect the privacy and security of health information, even when using mobile devices. The Office of the National Coordinator for Health Information Technology has released guidance on the use of mobile devices in a health care setting, including guidance on protecting and securing health data on a mobile device and providing a five step process to manage mobile devices.