HIPAA covered organization and their business associates must continue to adhere to Rules even when they close down. The HHS’ Office for Civil Rights (OCR) has reinforced this point with a $100,000 fine for FileFax Inc., for violations that happened after the business had ceased operating.
FileFax is a Northbrook, IL-based firm that supplies medical record storage, maintenance, and delivery facilities for HIPAA covered organizations. The firm stopped operating during the course of OCR revieew into piossible HIPAA violations.
An HIPAA investigation was started following an anonymous tip – received on February 10, 2015 – about an individual that had removed documents including protected health information to a recycling facility and sold them.
That individual was referred to as a “dumpster diver”, not an actual employee of FileFax. OCR determined that the woman in question had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm in return for for cash. The paperwork, which listed patients’ medical records, was not safeguarded at the recycling facility. In total, the records of 2,150 clients were listed in the paperwork.
OCR announced that, in the time period between January 28, 2015 and February 14, 2015, FileFax had impermissibly disclosed the PHI of 2,150 clients as a result of either: A) Placing the records in an unlocked truck where they could be taken by individuals unauthorized to view the information or; B) By allowing an individual to remove the PHI and leaving the paperwork external to the facility for the woman to collect.
Since FileFax is no longer trading – the firm was involuntarily dissolved by the Illinois Secretary of State on August 11, 2017 – the HIPAA penalty will be accounted for by the court appointed receiver, who liquidated the assets of FileFax and is managing the proceeds of that liquidation.
A corrective action plan (CAP) has also been issued that requires the receiver to list all remaining medical records and make sure the records are stored properly for the duration of the retention period. Once that time period has come to an end, the receiver must ensure the records are properly destroyed in accordance with HIPAA Regulations.
The HIPAA settlement has been agreed to and there was no admission of liability from anyone involved.