A receiver appointed to liquidate the assets of Filefax, Inc. has agreed to pay $100,000 to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) in a no-fault settlement regarding potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

Filefax, an entity involuntarily dissolved by the Illinois Secretary of State in August 2017, previously provided services to HIPAA covered entities, including storage, maintenance, and delivery of medical records.  On February 10, 2015, OCR received an anonymous complaint alleging that an individual had transported medical records obtained from Filefax to a shredding and recycling facility to sell on February 6 and 9, 2015.  OCR investigated the matter and confirmed that an individual had left medical records that contained the protected health information (PHI) of approximately 2,150 patients at the shredding and recycling facility.  OCR’s investigation indicated that Filefax had either left the PHI in an unlocked truck in its parking lot or granted permission to an unauthorized person to remove the PHI from Filefax, and left the PHI unsecured outside of the Filefax facility.

In addition to making the forfeiture payment, the receiver must also take all necessary steps to comply with a Corrective Action Plan (CAP) that was required by the OCR as part of the settlement. Under the CAP, the receiver will formulate a plan to properly dispose the remaining medical records in a Records Disposition Plan and seek authorization from the Circuit Court of Cook County, Illinois that appointed the receiver to implement the Records Disposition Plan. Prior to presenting the Records Disposition Plan to the court, the receiver must first send it to HHS for review and approval.

In connection with the CAP, the receiver will be required to:

  • Instruct Iron Mountain Information Management, LLC to properly store and dispose of all remaining medical records that were once in Filefax’s facility and have since been delivered to Iron Mountain.
  • Catalogue the remaining medical records it holds in its custody, and provide HHS with a copy of this inventory within seven days of the signing of the settlement agreement.
  • Within seven days of the signing of the settlement agreement, the receiver must provide HHS with an affidavit, signed under oath, detailing where and when the remaining medical records were found, the steps taken after their discovery to secure them, including their transfer to Iron Mountain, and the process undertaken to catalogue the remaining medical records. The affidavit must also authenticate the remaining medical records inventory.
  • Upon final disposal of all remaining medical records, the receiver must attest that all PHI in its possession was properly disposed of as outlined in the Records Disposition Plan.

This settlement illustrates that HIPAA covered entities and business associates must abide by HIPAA – even when operations shut down.

If you have any questions about this HIPAA settlement or HIPAA compliance more generally, please feel free to contact any member of Drinker Biddle’s Health Care Team.