In a recent announcement, the U.S. Department of Health and Human Services (“HHS”), Office of Civil Rights (“OCR”), made the point that a business closing during an OCR investigation does not end the business’s obligation for any HIPAA violations. To make this point, OCR referenced the recent settlement and corrective action plan entered into for alleged HIPAA violations by the now-defunct Filefax. The OCR was investigating Filefax for impermissibly disclosing protected health information (“PHI”) of 2,150 individuals. Although Filefax ceased operations during the OCR’s investigation, its obligations for the alleged HIPAA violations continued. The receiver appointed to liquidate Filefax’s assets ultimately agreed to pay $100,000 out of the receivership estate to settle the alleged HIPAA violations, and agreed to properly store and dispose of the remaining medical records found at Filefax’s facility in compliance with HIPAA.
The OCR Press Release, Resolution Agreement and Corrective Action Plan are available here.