If a Business Closes, Are You Still Subject to HIPAA Rules?

In a recent settlement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), a receiver appointed to liquidate the assets of Filefax, Inc. agreed to pay $100,000 for potential violations of the HIPAA Privacy Rule. According to OCR's announcement, although Filefax shut its door during the course of OCR's investigation into alleged HIPAA violations, it could not escape its obligations under the law.

The announcement goes on to say that on February 10, 2015, OCR received an anonymous complaint alleging that an individual transported medical records obtained from Filefax to a shredding and recycling facility. OCR opened an investigation, which confirmed that an individual had left medical records of approximately 2,150 patients at the shredding and recycling facility, and that these medical records contained patients' protected health information (PHI). The impermissible disclosure was a result of Filefax leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax, and leaving the PHI unsecured outside the Filefax facility.
As part of the settlement, because Filefax is no longer in business, the receiver has agreed to properly store and dispose of remaining medical records found at Filefax's facility in compliance with HIPAA.

If you have any questions about how to properly dispose of PHI, we can help. Contact us today by email: [email protected] or by phone: 855-427- 0427