Consequences for HIPAA Violations Don't Stop When a Business Closes

PUBLISHED: Feb 22, 2018
Relevant to: All Healthcare Organizations

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is reminding covered entities that the consequences of Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule remain in effected even after a covered entity closes.

In a recent case, a receiver appointed to liquidate the assets of Filefax, Inc. agreed to pay $ 100,000 out of the receivership estate to the HHS OCR in order to settle potential violations of HIPAA. Filefax, located in Northbrook, Illinois, advertised that it provided for the storage, maintenance, and delivery of medical records for covered entities. Although Filefax shut its doors during the course of OCR’s investigation into alleged HIPAA violations, it could not escape its obligations under the law. On February 10, 2015, OCR received an anonymous complaint alleging that an individual transported medical records obtained from Filefax to a shredding and recycling facility. OCR opened an investigation, which confirmed that an individual had left medical records of approximately 2,150 patients at the shredding and recycling facility, and that these medical records contained patients’ protected health information (PHI).

OCR’s investigation indicated that between January 28, 2015, and February 14, 2015, Filefax impermissibly disclosed the PHI of 2,150 individuals by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax, and leaving the PHI unsecured outside the Filefax facility. Filefax is no longer in business. In 2016, a court in unrelated litigation appointed a receiver to liquidate its assets for distribution to creditors and others. In addition to a $100,000 monetary settlement, the receiver has agreed, on behalf of Filefax, to properly store and dispose of remaining medical records found at Filefax’s facility in compliance with HIPAA.

A link to the resolution agreement and corrective action plan can be accessed by following the link below.

HIPAA-covered entities are reminded that their HIPAA obligations do not end if a covered entity closes. Covered entities are required to have appropriate administrative, technical, and physical safeguards in place to protect the privacy of protected health information (PHI), including the disposal of such information. See 45 CFR 164.530(c)

Included with today’s notice are example policies related to the disposal of PHI.

Want to read the full alert and receive alert emails?

Browse Additional Alerts