This week, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $100,000 settlement with Filefax, Inc., an out of business company that once provided medical records storage and disposal services. Based on an anonymous complaint, OCR’s investigation uncovered HIPAA Privacy Rule violations due to the company’s failure to properly secure patient medical records in its possession.

According to OCR’s investigation, Filefax impermissibly disclosed the Protected Health Information (PHI) of 2,150 individuals in one of two ways:

• by leaving PHI in an unlocked truck in the Filefax parking lot, or
• by granting permission to an unauthorized person to remove the PHI from Filefax, and leaving the PHI unsecured outside the Filefax facility.

The anonymous complaint alleged that an unauthorized individual was able to retrieve these medical records and attempted to sell them at a shredding and recycling facility, which OCR was able to confirm.

As a business associate, Filefax was required to comply with the HIPAA Privacy Rule by implementing appropriate administrative, technical, and physical safeguards to limit incidental disclosures and avoid prohibited uses and disclosures of PHI—including disposal of PHI. Failing to protect PHI with these safeguards can result in impermissible disclosures of PHI, such as the case of Filefax.

HIPAA requires proper disposal methods when disposing PHI, including (a) PHI in paper records; (b) labeled prescription bottles; (c) hospital identification bracelets; (d) PHI on electronic media. HHS provides the following disposal methods as examples (but not limited to):

• Shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle.
• Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a vendor to pick up and shred or otherwise destroy PHI.
• For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).

If using a vendor for transport/disposal services, a business associate agreement must be in place that requires the vendor to safeguard PHI, among other things.

As for Filefax, the company closed its doors as of 2017 but it is still liable to OCR for its violations. OCR Director Roger Severino stated that “[c]overed entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”

As part of the settlement, the court appointed receiver in charge of liquidating Filefax’s assets is no longer allowed to maintain possession of the remaining medical records. Instead, the records must be provided to Iron Mountain for storage. View the resolution agreement and corrective action plan here.

For more information on HIPAA compliance, view our compliance trainings or contact us for an online demonstration of our cloud based compliance management solution.