OCR announces $100,000 settlement with out-of-business BA connected to multiple HIPAA breaches
Even going out of business doesn’t protect an organization from HIPAA requirements. The Office for Civil Rights (OCR) recently announced it reached a $100,000 settlement with the receiver liquidating the assets of Filefax, Inc., a Northbrook, Illinois, medical records company that shut down during an investigation of HIPAA violations.
The settlement, announced February 13, stems from an anonymous complaint filed in 2015. The complaint alleged that an individual obtained medical records from Filefax and took them to a shredding and recycling facility to sell them. OCR’s investigators found that an individual did leave the medical records of roughly 2,150 individuals at the shredding and recycling facility.
The details on how the medical records got to the shredding and recycling facility are murky. In the resolution agreement, OCR states that Filefax impermissibly disclosed protected health information (PHI) by leaving the records in an unlocked truck in the Filefax parking lot, or by granting permission to an individual to remove the records from Filefax and leaving the unsecured records outside for the individual to collect.
Filefax was connected to a different settlement OCR announced last year. In April 2017, OCR reached a $31,000 settlement with the Center for Children’s Digestive Health (CCDH), an Illinois clinic group. During OCR’s investigation of Filefax, it discovered that Filefax stored inactive paper records for CCDH dating back to 2003. Under this arrangement, Filefax acted as CCDH’s business associate (BA), and CCDH was required by HIPAA to execute a BA agreement (BAA) with Filefax. However, neither organization could produce a signed, valid BAA dated prior to 2015.
OCR’s recent actions reveal that the agency may be taking a different approach to HIPAA enforcement. In 2017, the agency redesigned the “Wall of Shame” to make it easier to use by improving the search and sort features and including additional information on the status of breaches or investigations as well as the names of BAs involved. This may signal that the agency plans to use its data to target repeat offenders for investigation. In addition, on February 1, OCR announced a $3.5 million settlement with Fresenius Medical Care North America (FMCNA) for a string of small breaches in 2015. OCR generally focuses on breaches affecting 500 or more individuals. None of the FMCNA breaches involved more than 250 individuals; however, OCR’s investigation revealed enterprise-wide compliance failures, which earned the steep penalty.