On February 13, 2018, the HHS Office of Civil Rights (“OCR”) announced that the court-appointed receiver of Filefax, an Illinois company that moved and stored medical records for covered entities before going out of business in 2016, has agreed to pay $100,000 out of the receivership estate to settle potential violations of the HIPAA Privacy and Security Rules. According to the Resolution Agreement between HHS and the receiver for Filefax, OCR began investigating Filefax after receiving an anonymous tip suggesting that Filefax had carelessly handled and improperly disclosed medical records containing protected health information (“PHI”). OCR’s investigation revealed that between January 28, 2015, and February 14, 2015, Filefax allegedly impermissibly disclosed the medical records of approximately 2,150 patients when the company allowed the paper records to be left unsecured in an unlocked truck outside the Filefax facility for an individual to take to a shredding and recycling facility in exchange for cash. Filefax went out of business while OCR was investigating the alleged HIPAA violations; OCR nevertheless pursued its enforcement action.
According to OCR Director Roger Severino, the settlement agreement serves as a reminder that “[t]he careless handling of PHI is never acceptable…Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.” HIPAA requires covered entities and business associates to implement appropriate administrative, technical, and physical safeguards to ensure that records are secure and remain confidential during the retention period. After the retention period is over, all PHI must be disposed of in a compliant manner. Individual states have specific record retention and disposal requirements, too, which must be considered when a company that handles PHI goes out of business.