Bankrupt Medical Records Company Slapped with $100K HIPAA Fine
Filefax, Inc. took medical records to a shredding facility but failed to properly dispose of the documents, which contained protected health information from about 2,150 patients.
A receiver appointed to liquidate the assets of a bankrupt medical records storage company will pay $100,000 to settle potential violations of the Health Insurance Portability and Accountability Act, the Department of Health and Human Services said.
Filefax, Inc., located in Northbrook, Ill., closed in 2016, while it was under investigation by HHS' Office of Civil Rights for HIPAA infractions that occurred in early 2015.
HHS received an anonymous complaint on Feb. 10, 2015 claiming that Filefax had taken medical records to a shredding facility earlier that month but failed to properly dispose of the documents, which contained protected health information from about 2,150 patients.
A subsequent investigation by OCR found that in January and February 2015 Filefax had left those patient medical records in an unlocked truck in the company parking lot.
"The careless handling of PHI is never acceptable," said OCR Director Roger Severino. "Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies."
In 2016, in unrelated litigation, a court appointed a receiver to liquidate Filefax's assets for distribution to creditors. In addition to a $100,000 settlement, the receiver has agreed to store and dispose of remaining medical records found at Filefax's shuttered facility in compliance with HIPAA.