WASHINGTON — A recent $100,000 settlement with a defunct Northbrook-based record and file storage and disposal firm should put companies dealing in legally protected personal information on notice that the federal government will not allow a business closure to deter it from enforcing HIPAA privacy rules.
On Feb. 13, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced it had reached a settlement with a court-appointed receiver for Filefax Inc., under which the shuttered company would pay $100,000 for allegedly leaving documents containing sensitive personal information in dumpsters.
The settlement stands as the second of its type in 2018.
Conor Duffy | Robinson+Cole
“The monetary payment under this settlement is relatively low compared to other recent settlements, but this may be due to the fact that Filefax was dissolved in 2017, and the settlement was entered into by its court-appointed receiver and will be paid using funds from the receiver’s prior sale of commercial property of Filefax,” said Conor O. Duffy, an attorney at Robinson+Cole, who followed the case.
The receiver also agreed to allow OCR to monitor and review the receiver's plan to dispose of remaining documents stored by Filefax.
In 2015, Filefax fell under OCR investigation after the agency received a complaint from a local shredding and recycling facility alleging Filefax left protected health information (PHI) for more than 2,000 patients vulnerable. Specifically, the OCR alleges that documents were improperly disposed of in a dumpster, stored in an unlocked truck for several weeks and transported to a shredding facility by an unauthorized person.
“The careless handling of PHI is never acceptable,” said OCR Director Roger Severino in a statement. “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”
Filefax Inc. has since been disbanded. During the progress of OCR’s investigation, Filefax, as a result of unrelated litigation, was sold off to creditors and shareholders by a court appointed receiver. OCR’s settlement with the receiver will result in a payment of $100,000 to the agency from the remaining funds from the liquidation of Filefax’s assets.
“This settlement is a reminder that companies subject to HIPAA can expose themselves to sanctions if they ignore fundamental HIPAA obligations, like implementing reasonable safeguards against unauthorized access to, or disclosure of, PHI,” Duffy said. “OCR’s willingness to pursue a now-defunct business associate could also be construed as a message to HIPAA-covered entities that financial difficulties will not excuse cutting corners when it comes to HIPAA. OCR appears to have gone out of its way in its press release to highlight the fact that OCR continued to pursue this company despite its closure.”
In light of the recent settlement, Duffy said that companies that are bound to HIPAA requirements should review their policies.
"Companies subject to HIPAA would be well-advised to proactively address HIPAA compliance, including conducting a risk analysis and reviewing policies and procedures for the safeguarding of PHI in both physical and electronic formats," he said. "Covered entities may also consider a comprehensive review of business associate arrangements, with particular focus on procedures for the return or destruction of PHI by a business associate."