A receiver for Filefax has agreed to pay $100,000 from its liquidated estate to the HHS Office for Civil Rights (OCR) after being found in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
Filefax had advertised it ability to provide storage, maintenance and delivery of medial records. Although the company has since closed, it is still obligated to pay for HIPAA violations. Dating back to February 2015, OCR had received a complaint alleging that an individual had transported Filefax medical records to a shredding facility to sell. OCR then concluded the individual had left the records containing protected health information of 2,150 patients at the facility.
Further investigation found Filefax had disclosed the information of the patients by leaving the protecting health information in an unlocked truck in a parking lot or had granted permission to an unauthorized person to remove the information from Filefax.
“The careless handling of PHI is never acceptable,” said OCR Director Roger Severino. “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”
Although Filefax is not longer in business, the remaining medical records found at Filefax will be properly stored and disposed of according to HIPAA compliance.