Consequences for HIPAA violations remain even when business closes
March 19, 2018
The U.S. Department of Health and Human Services Office of Civil Rights announced Feb. 13 that a receiver appointed to liquidate the assets of a medical records company agreed to pay $100,000 out of the receivership estate to settle potential violations of the Health Insurance Portability and Accountability Act.
Filefax, Inc., a Northbrook, Illinois, company that advertised it provided for the storage, maintenance and delivery of medical records closed its doors during the course of OCR's investigation in 2015 according to a news release.
"The careless handling of [patients' protected health information] is never acceptable," said OCR Director Roger Severino in a news release. "Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies."
The OCR began its investigation after it received an anonymous complaint in 2015 that an individual transported medical records obtained from Filefax to a shredding and recycling facility to sell. The investigation found that the individual left medical records, which included patients' protected health information, of about 2,150 patients at the shredding and recycling facility.
In 2016, a court in unrelated litigation appointed a receiver to liquidate Filefax's assets for distribution to creditors and others. In addition to a $100,000 monetary settlement, the receiver agreed, on behalf of Filefax, to properly store and dispose of remaining medical records found at Filefax's facility in compliance with HIPAA, according to the news release.