HHS' Office for Civil Rights (OCR) is setting a precedent that it doesn't take HIPAA violations lightly by imposing a $100,000 fine on Filefax, a now-closed medical records management company, for a breach that occurred in 2015.
OCR received a complaint in February 2015 alleging that an individual had transported medical records obtained from Filefax (which marketed itself as a medical records storage, maintenance and delivery facility) to a shredding and recycling facility in order to sell them. An OCR investigation confirmed that an unauthorized individual left the medical records of roughly 2,150 patients at the shredding and recycling facility, unsecured. Those documents contained patients' protected health information (PHI).
Specifically, OCR concluded that because patients' PHI had been stored in an unlocked truck in Filefax's parking lot, and Filefax had allowed an unauthorized person to improperly handle the PHI, the company violated HIPAA.
"The careless handling of PHI is never acceptable," said OCR Director Roger Severino. "Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies."
The company, however, has since closed its doors. In 2016, a court appointed a receiver to liquidate Filefax's assets and distribute them among its creditors. In addition to the $100,000 settlement, the receiver, acting on behalf of Filefax, agreed to store and dispose of the remaining medical records found at Filefax's facility to comply with HIPAA.