$100k FileFax HIPAA Fine Issued Despite Company Ceasing to Exist

Feb 15, 2018

Even when HIPAA-compliant businesses close down, the obligation to abide by HIPAA Rules does not cease to exist. This was highlighted recently when FileFax, a Northbrook, IL-based firm that offers medical record storage, maintenance, and delivery services for HIPAA covered entities, was fined $100,000 for HIPAA violations.

The company went out of business while an OCR investigation into potential HIPAA violations was ongoing.

A review began following an anonymous tip, submitted on February 10, 2015, about a person who had taken documents containing protected health information (PHI) to a recycling center and sold the paperwork for profit.

That person was a “dumpster diver”, not a staff member of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for money. The paperwork in question, which included patients’ medical history, was left unsecured at the recycling center. Overall, the medical histories of 2,150 patients were stolen with the paperwork.

OCR revealed that between January 28, 2015 and February 14, 2015, FileFax had impermissibly released the PHI of 2,150 patients by either: A) leaving the records in an unsecured truck where they could be accessed by people unauthorized to view the data; or B) granting permission to a person to remove the PHI and leaving the unsecured paperwork outside its center for the woman to obtain.

Since FileFax is no longer in operation (the firm was involuntarily dissolved by the Illinois Secretary of State on August 11, 2017), the HIPAA penalty will be paid by the court-appointed receiver, who liquidated the assets of FileFax and is reserving the proceeds of that liquidation.

A corrective action plan has also been issued that obligates the receiver to catalogue all remaining medical histories and ensure the records are stored properly for the remainder of the retention period. Once that period has expired, the receiver must ensure the records are safely and permanently destroyed in line with HIPAA Rules.

The HIPAA settlement has been agreed with no admission of liability by any party.


Patrick Kennedy
