The U.S. Department of Health and Human Services has found that consequences for HIPAA violations don’t stop when a business closes. In a recent settlement agreement, the receiver appointed to liquidate the assets of Filefax, Inc. agreed to pay $100,000 to settle potential violations of HIPAA.
Filefax provided for the storage, maintenance and delivery of medical records for covered entities. In 2015, HHS received a complaint alleging privacy indiscretions. HHS investigated and found that an individual left medical records of approximately 2,150 patients at a shredding and recycling center. The records contained protected health information. HHS determined that PHI was left in an unlocked truck in the Filefax parking lot and were transported by an unauthorized person.
During the investigation, Filefax went out of business and a receiver was appointed to liquidate its assets. HHS worked with the receiver who agreed to a $100,000 monetary settlement and agreed, on behalf of Filefax, to properly store and dispose of remaining medical records in compliance with HIPAA.
Employers should take note that privacy and confidentiality requirements stick with protected health information, even when a company goes out of business.
