Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Involuntary Dissolution Does Not Absolve Business Associate of HIPAA Obligations

A receiver appointed to liquidate the assets of Filefax, Inc. has agreed to pay $100,000 to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) in a no-fault settlement regarding potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

Filefax, an entity involuntarily dissolved by the Illinois Secretary of State in August 2017, previously provided services to HIPAA covered entities, including storage, maintenance, and delivery of medical records. On February 10, 2015, OCR received an anonymous complaint alleging that, on February 6 and 9, 2015, an individual had transported medical records obtained from Filefax to a shredding and recycling facility to sell. OCR investigated the matter and confirmed that an individual had left medical records that contained the protected health information (PHI) of approximately 2,150 patients at the shredding and recycling facility. OCR’s investigation indicated that Filefax had either left the PHI in an unlocked truck in its parking lot or granted permission to an unauthorized person to remove the PHI from Filefax, and left the PHI unsecured outside of the Filefax facility.

In addition to making the forfeiture payment, the receiver must also take all necessary steps to comply with a Corrective Action Plan (CAP) that was required by the OCR as part of the settlement. Under the CAP, the receiver will formulate a plan to properly dispose of the remaining medical records in a Records Disposition Plan and seek authorization from the Circuit Court of Cook County, Illinois, which appointed the receiver, to implement the Records Disposition Plan. Prior to presenting the Records Disposition Plan to the court, the receiver must first send it to HHS for review and approval.

In connection with the CAP, the receiver will be required to:

  • Instruct Iron Mountain Information Management, LLC to properly store and dispose of all remaining medical records that were once in Filefax’s facility and have since been delivered to Iron Mountain.
  • Catalogue the remaining medical records it holds in its custody, and provide HHS with a copy of this inventory within seven days of the signing of the settlement agreement.
  • Provide HHS, within seven days of the signing of the settlement agreement, with an affidavit, signed under oath, detailing where and when the remaining medical records were found, the steps taken after their discovery to secure them, including their transfer to Iron Mountain, and the process undertaken to catalogue the remaining medical records. The affidavit must also authenticate the remaining medical records inventory.
  • Attest, upon final disposal of all remaining medical records, that all PHI in its possession was properly disposed of as outlined in the Records Disposition Plan.

This settlement illustrates that HIPAA covered entities and business associates must abide by HIPAA – even when operations shut down.

If you have any questions about this HIPAA settlement or HIPAA compliance more generally, please feel free to contact any member of Drinker Biddle’s Health Care Team.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Sumaya M. Noush

Sumaya Noush counsels health care clients on strategic and operational matters, including transactions, corporate governance and regulatory compliance. View Sumaya's full bio on the Faegre Drinker website.

February 21, 2018
Written by: Sumaya M. Noush
Category: Health Care, HHS, HHS/OCR, HIPAA, Privacy
