Filefax PHI Disclosure Leads to USD100K OCR HIPAA Penalty
_{February 28, 2018}

Filefax, Inc. was liquidated and went out of business last year 2017. The company, however, was still penalized by OCR for its earlier Protected Health Information disclosure. A receiver appointed to liquidate the assets of Filefax, Inc. has agreed to settle $100,000 out of the receivership estate to the U.S Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in order to pay off potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The company, located in Illinois, promoted that it provided for the storage, maintenance, and delivery of medical records for covered entities. During the course of OCR’s investigations into alleged HIPAA violations, Filefax shut its doors. At that time, OCR had been investigating a complaint from 2015, where medical records had reportedly been left at a shredding and recycling facility.

OCR Director Roger Severino said in a statement, “The careless handling of PHI is never acceptable, covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”

In that investigation, it was indicated that between January 28, 2015, and February 14, 2015, Filefax disclosed the PHI of 2,150 individuals via an unlocked truck in the company’s parking lot, or by granting access to an unauthorized person to remove the PHI from the company, leaving the PHI unsecured outside the facility of Filefax.

In addition to the monetary settlement, the receiver has agreed, on behalf of Filefax, to properly store and dispose of remaining medical records found at Filefax’s facility in compliance with HIPAA.

Details on the resolution agreement and corrective action plan has been presented in this document.