HIPAA Obligations Do Not End When a Business Closes


When HIPAA-covered entities and their business associates stop doing business, their duty to follow the HIPAA Rules does not stop with them. The HHS' Office for Civil Rights (OCR) made this very clear when it charged FileFax Inc with a penalty of $100,000 for violating the HIPAA Rules. FileFax is a firm in Northbrook, IL that offered healthcare record storage, preservation and shipping services. After FileFax stopped operations, OCR received an anonymous tip on February 10, 2015 that an individual had taken records containing protected health information (PHI) and brought them to a recycling center.

According to OCR's investigation, it was not a FileFax staff member who took the documents and offered them to a recycling center from February 6 to 9, 2015. She was a dumpster driver. The documents included the health-related data of 2,150 patients. OCR noted that between January 28 and February 14, 2015, FileFax impermissibly exposed the PHI of 2,150 patients. FileFax possibly left the documents in an unlocked vehicle, or gave an individual authorization to remove the healthcare records from the area.

Because FileFax is no longer in operation (the Illinois Secretary of State dissolved the company on August 11, 2017), the HIPAA penalty is going to be covered by the court-designated receiver, who liquidated the property of FileFax and took the money for safekeeping.

A corrective plan was also issued that requires the receiver to list all remaining healthcare records and make sure the records are kept safely for the rest of the retention period. As soon as that period has lapsed, the receiver needs to ensure the medical records are safely and completely destroyed according to the HIPAA Rules.

HIPAA demands proper maintenance of the documents throughout the retention period. There should be administrative, physical and technical safeguards to protect the security and confidentiality of the medical records. Once the retention period has ended, the records need to be disposed of appropriately, ensuring they are unrecognizable and unrecoverable. Paper documents are often shredded, pulverized, burned or pulped.

This HIPAA breach is like a few others that have happened in the last couple of years. Businesses have stopped operations, and paper records that contain the PHI of patients have been dumped, left behind, or kept unprotected. There were also instances where businesses relocated and left documents behind, only for building contractors renovating or refurbishing the property to discover the documents and get rid of them together with regular garbage. Failing to protect PHI throughout the retention period and disposing of documents improperly after that retention period is completed are both regarded as violations of the HIPAA Rules, which could attract a substantial financial penalty.