Do HIPAA Obligations End When a Business Closes?

by James Keogh

HIPAA obligations do not end when a business closes. Protected health information that remains in the possession or control of a HIPAA Covered Entity or HIPAA Business Associate must continue to be safeguarded, used and disclosed only as permitted, made available for individual rights when required, and disposed of securely when it is no longer maintained. Enforcement exposure can also continue for past or ongoing violations.

HIPAA Status After Operations Stop

Closing a practice, facility, vendor, or program does not erase prior activities that occurred while the organization operated as a HIPAA Covered Entity or HIPAA Business Associate. The Office for Civil Rights has taken enforcement action in circumstances where a business stopped operating while issues involving protected health information remained unresolved. Liability can attach to the entity, a successor, or a court-appointed representative handling records and assets when protected health information is improperly handled during wind-down activities.

Safeguards Continue for Stored Records

The HIPAA Privacy Rule requires administrative, technical, and physical safeguards to protect protected health information for as long as the covered entity maintains it, including through final disposal. Business closure changes workflows and staffing, but the safeguard obligation continues for any retained paper files, electronic systems, backups, portable media, and offsite storage.

Retention Periods Come From Outside HIPAA

The HIPAA Privacy Rule does not set a medical record retention period. Medical record retention is primarily governed by state law and other applicable federal requirements. Even when retention requirements come from outside HIPAA, the HIPAA Privacy Rule still applies to the protected health information that is retained and the safeguards and disposal requirements remain applicable for the entire period the information is maintained.

Workforce, Agents, and Access Control During Wind-Down

During closure, access to protected health information often shifts from routine operations to a limited set of functions such as responding to patient requests, transferring records, billing resolution, litigation holds, and storage management. Access should be restricted to authorized personnel or agents with a defined role in the wind-down process, and access credentials for departing staff should be terminated or adjusted to prevent unauthorized access.
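One way to turn the wind-down access principle above into a repeatable check, as an added example that is not part of the original article: reconcile the current account list against a roster of people with a defined wind-down function, so that every enabled account is either disabled (no wind-down role), trimmed to the entitlements its function needs, or kept as-is. The account export, the roster, the function names, and the entitlement labels are constructed for illustration.

```python
"""Wind-down access reconciliation (added example, not from the article).

Assumes a constructed account export and a constructed wind-down roster;
the field names and entitlement labels are hypothetical.
"""
from dataclasses import dataclass, field

# The limited functions the article lists for a wind-down period.
WIND_DOWN_FUNCTIONS = {
    "patient_requests", "record_transfer", "billing_resolution",
    "litigation_hold", "storage_management",
}


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    entitlements: frozenset  # systems or shares the account can reach


@dataclass
class AccessDecision:
    disable: list = field(default_factory=list)   # accounts to terminate
    reduce: dict = field(default_factory=dict)    # user -> entitlements to remove
    keep: list = field(default_factory=list)      # accounts with a valid role
    unknown_function: list = field(default_factory=list)  # roster entries outside the wind-down set


def reconcile(accounts, roster):
    """roster maps user -> (wind-down function, entitlements that function needs)."""
    d = AccessDecision()
    for a in accounts:
        if not a.enabled:
            continue  # already terminated; nothing to decide
        role = roster.get(a.user)
        if role is None:
            d.disable.append(a.user)  # no defined wind-down role: terminate access
            continue
        function, needed = role
        if function not in WIND_DOWN_FUNCTIONS:
            # A roster entry that is not a recognised wind-down function is
            # treated as unauthorised rather than silently accepted.
            d.unknown_function.append(a.user)
            d.disable.append(a.user)
            continue
        excess = a.entitlements - frozenset(needed)
        if excess:
            d.reduce[a.user] = sorted(excess)  # least privilege for the remaining function
        d.keep.append(a.user)
    return d


def sample_decision():
    """Run the check over constructed data and return the decision."""
    accounts = [
        Account("dr.lee", True, frozenset({"ehr_prod", "billing", "archive_share"})),  # departed, not on roster
        Account("rmgr", True, frozenset({"archive_share", "ehr_prod"})),             # keeps only what transfer needs
        Account("billing1", True, frozenset({"billing"})),                           # matches its function exactly
        Account("oldvendor", False, frozenset({"backup_console"})),                  # already disabled
        Account("temp", True, frozenset({"archive_share"})),                         # roster function is not a wind-down function
    ]
    roster = {
        "rmgr": ("record_transfer", {"archive_share"}),
        "billing1": ("billing_resolution", {"billing"}),
        "temp": ("marketing", {"archive_share"}),
    }
    return reconcile(accounts, roster)


if __name__ == "__main__":
    d = sample_decision()
    print("disable:", d.disable)
    print("reduce :", d.reduce)
    print("keep   :", d.keep)
    print("unknown:", d.unknown_function)
```

The output of `reconcile` is an action list, not an enforcement step; whoever owns the wind-down should apply the disables and entitlement reductions through the normal identity tooling and keep the decision record with the other closure documentation.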

Individual Rights and Record Requests

If a covered entity maintains designated record set information after closure, responsibilities related to individual rights can still apply, including responding to requests for access and producing records in the form and format required when applicable. Business closure does not eliminate the underlying obligation to handle protected health information in a compliant manner when responding to individuals, personal representatives, or authorized requesters.

Operational responsibility for responding may be assigned to a successor entity, a custodian of records, or another designated party under state law and contractual arrangements. The arrangement should support timely retrieval, identity verification, secure transmission, and documentation of the disposition of requests.

Transfer of Records to a Successor or Custodian

When records are transferred to another covered entity or to a designated custodian, the transfer process must protect confidentiality and integrity. Controls should address chain of custody, secure transport, encryption or equivalent protections for electronic media, and limits on further use and disclosure. Any service provider involved in storage, indexing, transport, conversion, or destruction should be treated as a HIPAA Business Associate when the activity involves protected health information on behalf of a covered entity, and a compliant business associate agreement should be in place.

Business Associate Obligations After Contract Termination

Business associates remain responsible for complying with the HIPAA requirements that apply to business associates, including limits on use and disclosure and safeguarding obligations, until the protected health information is returned or destroyed as the business associate agreement requires. Where return or destruction is not feasible, the protections continue under the agreement terms for as long as the information is retained. Termination of a relationship or cessation of operations does not authorize a business associate to keep protected health information for its own purposes or to dispose of it in a manner that creates an impermissible disclosure.

Secure Disposal Requirements

Business closure frequently involves consolidating systems, terminating leases, decommissioning servers, and clearing storage locations. Protected health information must be destroyed or disposed of in a manner that prevents it from being read or reconstructed. Disposal controls should address paper records, imaging media, drives and solid-state storage, archived databases, cloud storage repositories, and backup media. Disposal should be documented to support audit and legal defensibility, including the scope of media destroyed, the method used, the date, and the responsible party.
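The transfer controls described under "Transfer of Records to a Successor or Custodian" and the disposal documentation described above both come down to the same accounting question: does every inventoried piece of media end in either a verified transfer or a fully documented destruction? The following is an added example, not code from the article, of a disposition ledger that answers that question. It records a SHA-256 digest at the sending side and again at the receiving side for electronic transfers, checks that each destruction record carries the scope, method, date and responsible party, and flags anything left unaccounted for. The media inventory, the events and the export bytes are all constructed for illustration.

```python
"""Media disposition ledger for a wind-down (added example, not from the article).

Assumes a constructed inventory and constructed transfer/destruction events;
identifiers and field names are hypothetical.
"""
import hashlib

# Fields the article says a disposal record should carry.
DESTRUCTION_FIELDS = ("scope", "method", "date", "performed_by")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reconcile_disposition(inventory, events):
    """Return (status per media item, list of findings).

    inventory: media_id -> description
    events: list of dicts with "media_id" and "event" in {"transfer", "destroy"}
      transfer: "sender_sha256", "recipient_sha256", "recipient"
      destroy : the DESTRUCTION_FIELDS
    """
    status = {mid: "unaccounted" for mid in inventory}
    findings = []
    for e in events:
        mid = e["media_id"]
        if mid not in inventory:
            findings.append(f"{mid}: event recorded for an item not in the inventory")
            continue
        if e["event"] == "transfer":
            # Chain of custody: the recipient's own digest must match what was sent.
            if e["sender_sha256"] != e["recipient_sha256"]:
                status[mid] = "transfer_failed"
                findings.append(f"{mid}: recipient digest does not match sender digest")
            else:
                status[mid] = "transferred"
        elif e["event"] == "destroy":
            missing = [k for k in DESTRUCTION_FIELDS if not e.get(k)]
            if missing:
                status[mid] = "destruction_undocumented"
                findings.append(f"{mid}: destruction record missing {', '.join(missing)}")
            else:
                status[mid] = "destroyed"
    # Anything still unaccounted for is a gap the closure team must close.
    for mid, s in status.items():
        if s == "unaccounted":
            findings.append(f"{mid}: no transfer or destruction recorded ({inventory[mid]})")
    return status, findings


def sample_report():
    """Build constructed data, simulate both sides of a transfer, and reconcile."""
    inventory = {
        "HDD-01": "EHR server drive",
        "TAPE-07": "offsite backup tape",
        "BOX-12": "paper charts 2015-2018",
        "USB-03": "imaging export for successor practice",
    }
    export = b"constructed record export bytes"        # what the sender hands over
    received = bytes(export)                            # what the custodian receives
    events = [
        {"media_id": "HDD-01", "event": "destroy", "scope": "2 x 1TB drives",
         "method": "degauss + shred", "date": "2024-05-31", "performed_by": "vendor X"},
        {"media_id": "BOX-12", "event": "destroy", "scope": "12 boxes",
         "method": "cross-cut shred", "date": "2024-05-30", "performed_by": ""},
        {"media_id": "USB-03", "event": "transfer", "recipient": "successor practice",
         "sender_sha256": sha256_hex(export),
         "recipient_sha256": sha256_hex(received)},     # recomputed independently by the recipient
        # TAPE-07 deliberately has no event: it should be flagged.
    ]
    return reconcile_disposition(inventory, events)


if __name__ == "__main__":
    status, findings = sample_report()
    for mid, s in status.items():
        print(f"{mid:8} {s}")
    for f in findings:
        print("FINDING:", f)
```

Keeping the ledger as a plain, appendable record (rather than only the vendor's certificate) gives the closure team one place that shows, for every item, who held it last and how it left their control, which is what an auditor or a successor custodian will ask for.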

Continuing Exposure to Enforcement and Claims

Regulatory investigations and enforcement actions can continue after closure, including settlements that require payment from remaining assets and require protected health information to be safeguarded and disposed of properly. Closure also does not prevent contractual claims, indemnification disputes, or state law actions tied to mishandling of protected health information during operations or during the wind-down period.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]