HIPAA Penalty Follows Company Into Receivership
Saying the case illustrates that "consequences for HIPAA violations don't stop when a business closes," the U.S. Department of Health and Human Services reported Feb. 13 that a receiver appointed to liquidate the assets of Filefax, Inc. has agreed to pay $100,000 out of the receivership estate to the HHS Office for Civil Rights to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
Filefax, located in Northbrook, Illinois, is no longer in business. But it had advertised that it provided for the storage, maintenance, and delivery of medical records for covered entities. "Although Filefax shut its doors during the course of OCR's investigation into alleged HIPAA violations, it could not escape its obligations under the law," the federal agency reported, explaining the case this way:
- On Feb. 10, 2015, OCR received an anonymous complaint alleging someone transported medical records obtained from Filefax to a shredding and recycling facility to sell on Feb. 6 and 9, 2015. OCR opened an investigation, which confirmed that an individual had left medical records of approximately 2,150 patients at the shredding and recycling facility and that those records contained patients' protected health information (PHI).
- The investigation indicated that between Jan. 28, 2015, and Feb. 14, 2015, Filefax impermissibly disclosed the PHI of 2,150 individuals by leaving the PHI in an unlocked truck in the Filefax parking lot or by granting permission to an unauthorized person to remove the PHI from Filefax and leaving the PHI unsecured outside the Filefax facility.
"The careless handling of PHI is never acceptable," said OCR Director Roger Severino. "Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies."