Best of all, the guidance is fairly straightforward:
Here's a bit more detail from the guidance, which went into effect immediately:
CMS recognizes that the use of texting as a means of communication with other members of the healthcare team has become an essential and valuable means of communication among the team members. In order to be compliant with the CoPs or CfCs, all providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality as per HIPAA regulations and the CoPs or CfCs. It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients.
A quick internet search turned up a variety of text encryption apps, but medical providers should stick to those that are labeled HIPAA-compliant. They should also be prepared to do a little research before they download a new app: for example, how is the vendor guaranteeing HIPAA compliance and how often does it update its system to stay compliant? What kind of backup services are included, and are the backups encrypted?
Health care entities should also make sure the system is easy to use. A platform that is difficult to use will drive clinicians back to the regular, insecure texting service.