Filefax, Inc., a health care records moving and storage company that served as a business associate, went into receivership in 2016. But its receivership did not put an end to an OCR investigation into a HIPAA violation from 2015. Now, the receiver for Filefax has agreed to pay a fine of $100,000 and to properly store, inventory, and dispose of the medical records remaining in its possession under HHS supervision.
The investigation began with a complaint that OCR received about the exposure of a large volume of documents containing protected health information. The investigation confirmed that an individual had left medical records of approximately 2,150 patients at a shredding and recycling facility and that Filefax had either left the PHI in an unlocked truck in the Filefax parking lot or granted permission to a person to remove the PHI from Filefax and left the PHI, unsecured, outside the Filefax facility for that person to collect.
Although the closure of the business did not stop the investigation or excuse the business associate from responsibility, it probably did lessen the severity of the consequences. Often the finding of a violation will trigger an inquiry into an entity’s total HIPAA compliance program, and the settlement papers will include a list of failures to meet specific HIPAA requirements. In this case, the settlement agreement addresses only the violation itself, the penalty imposed is lower than is often the case, and the ongoing measures that the business associate must undertake are tailored to the winding down of its business operations.