Secure Messaging Gets the Green Light in Healthcare
In a cascading pattern of modernization, the U.S. federal government and healthcare accreditation bodies are building in guidelines for secure messaging. The most recent Certification Companion Guide (CCG) issued by the Office of the National Coordinator includes guidance on secure messaging between providers and patients.
Specifically, the criteria include separate testing for a “trusted connection” at either the message level or the transport level, and they apply only to the content of a message, not to the user’s device. Examples of secure messaging include email, portal, and texting, but any method must be bidirectional. On a more technical note, the CCG states that only encryption and hashing algorithms are in scope, not random number generators.
On a much more recent note, the Joint Commission (formerly the Joint Commission on Accreditation of Healthcare Organizations) stated in its May newsletter that it has ended its 2011 ban on texting medical orders.
It was only five years ago that the technology could not adequately address the concerns of the Joint Commission, namely securing the message, verifying the identity of the users, and capturing the message in the medical record. At this time, the Joint Commission has revised its position on the prohibition of texting medical orders, as long as certain criteria are met. The criteria for messaging platforms are:
- Secure sign-on process
- Encrypted messaging
- Delivery and read receipts
- Date and time stamp
- Customized message retention time frames, and
- Specified contact list for individuals authorized to receive and record orders
Additionally, organizations must consider how text messages will be captured in the patients’ medical records. The Joint Commission suggests that its requirements for verbal orders could be adapted for text orders. Further, while the Joint Commission staff prepares more details around texting medical orders, the Joint Commission recommends that healthcare organizations prepare their environments and procedures to address this capability. Such actions should include conducting a risk assessment, setting policies around when texting is acceptable, determining the use case and load, and training providers and staff.