Liquidator of a Shuttered Business Associate Agrees to $100k Payment for Alleged HIPAA Violations
On February 13, 2018, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that a receiver appointed to liquidate the assets of Filefax, Inc. agreed to pay $100,000 to settle potential HIPAA violations by Filefax. The OCR press release announcing the settlement described that, prior to closing, Filefax had “provided for the storage, maintenance, and delivery of medical records for covered entities.” Importantly, OCR noted that even though Filefax went out of business during the course of the OCR investigation, it could not avoid its HIPAA compliance obligations.
In February 2015, OCR received an anonymous complaint that an individual transported medical records obtained from Filefax to a shredding and recycling facility to sell these medical records. OCR’s investigation confirmed that an individual had left the medical records of approximately 2,150 patients that included protected health information in an unlocked truck in the Filefax parking lot.
After Filefax ceased conducting business, a court appointed a receiver to liquidate its assets as part of an unrelated litigation matter. The receiver executed a resolution agreement with HHS on behalf of Filefax and agreed, in addition to the fine, to properly store and dispose the remaining Filefax records in a HIPAA compliant manner.
This settlement is noteworthy in that it involved a closed company that retained HIPAA financial exposure and liability for an incident that occurred while it was open.
A copy of the OCR press release and the resolution agreement can be retrieved here.
Saul Ewing attorneys regularly counsel covered entities and business associates with respect to HIPAA Privacy Rule and Security Rule compliance activities. For more information about the Firm’s Health Law Practice, please contact the authors or the Saul Ewing Arnstein & Lehr attorney with whom you are regularly in contact.