Consequences for HIPAA violations don’t stop when a business closes
A receiver appointed to liquidate the assets of Filefax has agreed to pay $ 100,000 out of the receivership estate to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in order to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Filefax, located in Northbrook, Illinois, advertised that it provided for the storage, maintenance, and delivery of medical records for covered entities. Although Filefax shut its doors during the course of OCR’s investigation into alleged HIPAA violations, it could not escape its obligations under the law.
On Feb. 10, 2015, OCR received an anonymous complaint alleging that an individual transported medical records obtained from Filefax to a shredding and recycling facility to sell on Feb. 6 and 9, 2015. OCR opened an investigation, which confirmed that an individual had left medical records of approximately 2,150 patients at the shredding and recycling facility, and that these medical records contained patients’ protected health information (PHI).
OCR’s investigation indicated that between Jan. 28, 2015, and Feb. 14, 2015, Filefax impermissibly disclosed the PHI of 2,150 individuals by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax, and leaving the PHI unsecured outside the Filefax facility.
Filefax is no longer in business. In 2016, a court in unrelated litigation appointed a receiver to liquidate its assets for distribution to creditors and others. In addition to a $100,000 monetary settlement, the receiver has agreed, on behalf of Filefax, to properly store and dispose of remaining medical records found at Filefax’s facility in compliance with HIPAA.