In a recently settled HIPAA case, the Department of Health and Human Services (HHS) set a new precedent for guarding electronic protected health information (ePHI).

In an extensive investigation, HHS determined that a small surgery practice in Arizona had violated HIPAA privacy rules and had instated few safeguards to protect patients' ePHI. The practice reportedly posted PHI on an Internet-based, publicly-accessible calendar and sent emails containing PHI to workers' personal email accounts.

HHS specifically noted that the practice was in violation because it had failed to obtain business associate agreements with the email and electronic calendar providers, a marked departure from past regulations. Previously, email providers had been considered "conduits," and were not subject to the same requirements as other entities that have access to PHI. This determination may signal the department's intent to require all employers to obtain a business associate agreement from all conduits in the future.

The case is also notable because it is the first time that text messaging has been discussed in relation to transmitting ePHI. According to the resolution agreement, HHS is requiring the practice to implement technical security measures for any protected information transmitted via text message. This ruling may also indicate the direction the department plans to take in regard to texting and may impact employers nationwide.

With this case, the HHS seems to be setting an example regarding future enforcement of regulations. The small size of the involved practice underlines the importance for organizations of all sizes to guard ePHI.