Liability for HIPAA Violations Continues after a Business Ceases Operations

On February 13, 2018, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its settlement with Filefax, Inc. to resolve alleged violations of the HIPAA Privacy Rule. Filefax was a business records and documents storage company, located in Northbrook, Illinois, that shut its doors during OCR’s investigation. Despite the closure, OCR continued to pursue sanctions against Filefax. OCR Director Roger Severino commented that “careless handling of PHI is never acceptable,” and that OCR will enforce the HIPAA standards “regardless of whether a covered entity [or business associate] is opening its doors or closing them,” emphasizing that business associates and covered entities may be held liable for HIPAA violations even after ceasing operations.

As a company in the business of storing, maintaining, and delivering medical records for covered entities, Filefax was a business associate under HIPAA and thus responsible for maintaining the confidentiality of the protected health information (PHI) in its possession. OCR initiated its investigation of Filefax in response to an anonymous February 10, 2015 complaint which alleged that on February 6 and 9, 2015, an individual brought medical records from Filefax to a shredding and recycling facility to exchange for cash. According to OCR, between January 28, 2015, and February 14, 2015, Filefax unlawfully disclosed the PHI of 2,150 individuals by leaving medical records in an unlocked truck in the Filefax parking lot or by granting permission to an unauthorized individual to remove the PHI from Filefax and leaving it in an unsecured area outside the Filefax facility.

As part of the Resolution Agreement, the court-appointed receiver for Filefax (the “Receiver”) agreed to pay $100,000 and enter into a Corrective Action Plan with HHS. In exchange, HHS agreed to release Filefax from any action it may have under the HIPAA Rules arising out of the conduct covered by the Resolution Agreement. According to the Corrective Action Plan, the Receiver moved the remaining medical records into storage with Iron Mountain Information Management, LLC (“Iron Mountain”) and asked Iron Mountain to catalogue the remaining records. As part of its obligations under the Corrective Action Plan, the Receiver is required to provide HHS with a copy of the inventory of the remaining records. The Receiver also will develop a “Records Disposition Plan” to dispose of the remaining records and is required to seek HHS approval of the plan. Notably, the Receiver is required to revise the Records Disposition Plan if instructed by HHS, and to continue this review and revision process until HHS approves. Only upon HHS approval of the plan may the Receiver present it to the Court that appointed the Receiver for authorization to implement the plan. Finally, upon final disposal of all remaining medical records, the Receiver must attest that all PHI in its possession was properly disposed of as outlined in the Records Disposition Plan.

This post-closure settlement with Filefax underscores the importance of HIPAA compliance, even when a business is winding down. Even though Filefax ceased operations during the OCR investigation, Filefax was still subject to its HIPAA obligations and liable for violations. Covered entities should take note also; in April of last year, OCR announced a Resolution Agreement and Corrective Action Plan with the Center for Children’s Digestive Health that was triggered by the investigation of Filefax and based on the absence of a compliant business associate agreement. This highlights the continued criticality of signing compliant business associate agreements and the importance of vetting vendors’ HIPAA compliance. An organization’s non-compliance with HIPAA can have far-reaching consequences that can implicate other companies and that can extend beyond the organization’s corporate existence. With this settlement, OCR has made it clear that dissolution of a business does not negate its HIPAA obligations or liability for violations.