Even when HIPAA-compliant businesses close down the obligation to abide by HIPAA Rules does not cease to exist. This was highlighted recently when FileFax, a Northbrook, IL-based firm that offers medical record storage, maintenance, and delivery services for HIPAA covered entities was fined $100,000 for HIPAA violtaions.
The company went out of business while an OCR investigation into potential HIPAA violations was ongoing.
A review was begun following an anonymous tip – which was submitted on February 10, 2015 – about a person that had taken documents containing protected health information to a recycling center and sold the paperwork for profit.
That person was a “dumpster diver”, not a staff member of FileFax. OCR determined that the female had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for money. The paperwork in question, which included patients’ medical history, was left unsecured at the recycling center. Overall, the medical histories of 2,150 patients were stolen with the paperwork.
OCR revealed that between January 28, 2015 and February 14, 2015, FileFax had impermissibly released the PHI of 2,150 patients due to either: A) Leaving the records in an unsecured truck where they could be accessed by people unauthorized to view the data or; B) By granting permission to a person to remove the PHI and leaving the unsecured paperwork outside its center for the woman to obtain.
Since FileFax is no longer in operation – the firm was involuntarily folded by the Illinois Secretary of State on August 11, 2017 – the HIPAA penalty will be paid by the court appointed receiver, who liquidated the assets of FileFax and is reserving the proceeds of that liquidation.
A corrective action plan of action has also been issued that obligates the receiver to catalogue all remaining medical histories and ensure the records are stored properly for the remainder of the retention duration. Once that time period has expired, the receiver must ensure the records are safely and permanently destroyed in line with HIPAA Rules.
The HIPAA settlement has been agreed with no admission of liability by any party.