A recent fine assessed by HHS underscores that paper and HIPAA violations still exist, and fines can be assessed after a covered entity or business associate closes.
In February, the receivership estate of Filefax, Inc. agreed to pay $100,000.00 to the United States Department of Health and Human Services (HHS), Office for Civil Rights (OCR) to settle potential violations of the HIPAA Privacy Rule. The liquidation of assets came about as a result of an unrelated case. In addition to the fine, the court appointed receiver had agreed to properly store and dispose the remainder of the medical records in a HIPAA compliant manner.
Paper matters. The Privacy Rule governs the privacy of individually identifiable information, regardless of the form. The Privacy Rule has other requirements such as the Notice of Privacy Practices and HIPAA Authorization Form. By way of contrast, the Security Rule governs electronic individually identifiable health information. The Breach Notification Rule applies to violations of PHI covered by both the Privacy Rule and the Security Rule.
In February 2015, OCR received an anonymous tip that medical records were transported from Filefax to a shredding and recycling facility to sell approximately 2,150 patients medical records. The OCR investigation revealed that the PHI was left in an unlocked truck in the Filefax parking lot and that unauthorized persons were given access to the PHI.
In its press release, OCR stated that Filefax "advertised that it provided for the storage, maintenance, and delivery of medical records for covered entities. Although Filefax shuts its doors during the course of OCR’s investigation into alleged HIPAA violations, it could not escape its obligations under the law."
This situation underscores the importance of ongoing monitoring of business associates. Specifically, what assurances does a physician have that medical records will be handled appropriately in the event of a business closure or sale? Is this addressed in the Business Associate Agreement? The same notion applies to a physician's practice. If a practice closes or merges, are there appropriate disposal or other arrangements in place, as well as adequate policies and procedures?
The takeaways for physicians (and business associates) include consequences for HIPAA violations do not stop when a business closes, Privacy Rule paper violations are material, and the government may assert an interest in a bankruptcy proceeding.