This resource is part of the AMA's Debunking Regulatory Myths series, supporting AMA's practice transformation efforts to provide physicians and their care teams with resources to reduce guesswork and administrative burdens.
Debunking the myth
The use of text messages to communicate orders is not prohibited by the Centers for Medicare and Medicaid Services (CMS) or The Joint Commission. However, there are significant privacy and security factors related to HIPAA to consider when using text messages for communicating orders. While secure text messages for orders may offer efficiency when a physician is not near the EHR, they should be reserved for urgent situations, and they must be sent within a secure messaging platform.
Background
The CMS and The Joint Commission allow clinical staff to send, receive, and act on text message orders when those orders are sent through a HIPAA-compliant, secure texting platform consistent with the Medicare Conditions of Participation (CoPs). Ordering clinicians must ensure that the message is sent securely, the order is promptly entered and authenticated in the medical record, and that the EHR documentation is accurate and accessible. It is also vital that organizations routinely assess the security and integrity of their texting platforms to prevent risks to patient privacy and safety.[1,2]
It is important for physicians to be aware that many communication platforms state they are HIPAA-compliant, and their enterprise versions likely are. However, the free versions that many physicians utilize (for example, masked calling) are not HIPAA-compliant when it comes to texting.
Key takeaway
The safest and most secure option for conveying orders when the full EHR isn’t available is to use EHR-based messaging with a mobile device (for example, Epic’s Secure Chat within the Haiku app on a cell phone). However, when both an EHR and a mobile app aren’t available, physicians and care team members can utilize verified secure text messaging to communicate patient orders in urgent matters.
Physicians should ensure they use HIPAA-compliant platforms and promptly document and authenticate texted orders in the patient's record within the EHR. In addition, organizations should maintain ongoing processes to monitor the security and integrity of these systems. Physicians should follow organizational policies and procedures when considering whether and how to use secure messaging platforms.
AMA policy
- Physician-Patient Text Messaging and Non-HIPAA Compliant Electronic Messaging D-478.968
- Physician-Patient Text Messaging and Non-HIPAA Compliant Electronic Messaging D-478.970
- Guidelines for Patient-Physician Electronic Mail and Text Messaging H-478.997
Resources
- 2024 CMS Memorandum: Texting of Patient Information and Orders for Hospitals and CAHs. Accessed February 2026.
- 2026 Joint Commission Standards FAQ: “Can organizations use texting to communicate patient care information and orders?”. Accessed February 2026.
References
- Centers for Medicare & Medicaid Services (CMS). Texting of Patient Information and Orders for Hospitals and CAHs. QSO-24-05-Hospital/CAH. 2024. Accessed February 5, 2026. https://www.cms.gov/files/document/qso-24-05-hospital-cah.pdf
- Joint Commission. Standards FAQ: Can organizations use texting to communicate patient care information and orders? Joint Commission. January 7, 2026. Accessed February 5, 2026. https://www.jointcommission.org/en-us/knowledge-library/support-center/standards-interpretation/standards-faqs/000002483
Disclaimer: The AMA's Debunking Regulatory Myths (DRM) series is intended to convey general information only, based on guidance issued by applicable regulatory agencies, and not to provide legal advice or opinions. The contents within DRM should not be construed as, and should not be relied upon for, legal advice in any particular circumstance or fact situation. An attorney should be contacted for advice on specific legal issues. Additionally, all applicable laws and accreditation standards should be considered when applying information to your own practice.