$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes
HIPAA covered entities and their business associates must abide by HIPAA Rules, yet when businesses close the HIPAA obligations do not end. The HHS’ Office for Civil Rights (OCR) has made this clear with a $100,000 penalty for FileFax Inc., for violations that occurred after the business had ceased trading.
FileFax is a Northbrook, IL-based firm that offers medical record storage, maintenance, and delivery services for HIPAA covered entities. The firm ceased trading during the course of OCRs investigation into potential HIPAA violations.
An investigation was launched following an anonymous tip – received on February 10, 2015 – about an individual that had taken documents containing protected health information to a recycling facility and sold the paperwork.
That individual was a “dumpster diver”, not an employee of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for cash. The paperwork, which included patients’ medical records, was left unsecured at the recycling facility. In total, the records of 2,150 patients were included in the paperwork.
OCR determined that between January 28, 2015 and February 14, 2015, FileFax had impermissibly disclosed the PHI of 2,150 patients as a result of either: A) Leaving the records in an unlocked truck where they could be accessed by individuals unauthorized to view the information or; B) By granting permission to an individual to remove the PHI and leaving the unsecured paperwork outside its facility for the woman to collect.
Since FileFax is no longer in business – the firm was involuntarily dissolved by the Illinois Secretary of State on August 11, 2017 – the HIPAA penalty will be covered by the court appointed receiver, who liquidated the assets of FileFax and is holding the proceeds of that liquidation.
A corrective action plan has also been issued that requires the receiver to catalogue all remaining medical records and ensure the records are stored securely for the remainder of the retention period. Once that time period has elapsed, the receiver must ensure the records are securely and permanently destroyed in accordance with HIPAA Rules.
The settlement has been agreed with no admission of liability.
HIPAA Retention Requirements and Disposal of PHI
There are HIPAA retention requirements for documents containing PHI. Covered entities and their business associates must ensure that documents containing PHI are retained for a 6 years from the date of creation or the date when it was last in effect, whichever is the later.
HIPAA covered entities are also bound by state laws, which also require documents to be retained for a set period of time. It is state laws that determine how long medical records must be retained by covered entities. For instance, in Florida, physicians must maintain medical records for 5 years after the last patient contact – less than HIPAA. However, in North Carolina, hospitals must maintain records for 11 years following the last date of discharge.
During the retention period, HIPAA requires appropriate administrative, technical, and physical safeguards to be implemented to ensure those records are secure and remain confidential. After the retention period is over, all PHI must be disposed of in a compliant manner.
In the case of paper records, disposal typically means shredding, burning, pulping, or pulverization. Whatever method chosen must render the documents indecipherable and incapable of reconstruction.
This HIPAA breach is similar to several others that have occurred over the past few years. Businesses have ceased trading and paper records containing the protected health information of patients have been dumped, abandoned, or left unsecured. There have also been cases where businesses have moved location and left paperwork behind, only for contractors performing a cleanup or refurb of the property to find the paperwork and dispose of it with regular trash.
The failure to secure PHI during the retention period and the incorrect disposal of records after that retention period is over are violations of HIPAA Rules that can attract a significant financial penalty.
“The careless handling of PHI is never acceptable,” said OCR Director Roger Severino in a press release about the latest HIPAA settlement. “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”