What Happens to PHI After a Healthcare Business Closes?


After a healthcare business closes, any individually identifiable health information it holds must be securely stored until the state's retention limit for medical records is reached, and any HIPAA documentation must be securely stored for up to six years. Any personal information that does not qualify as a medical record and is not subject to HIPAA's document retention requirements should be securely disposed of.

When HIPAA-covered entities and their business associates cease operations, their obligation to follow the HIPAA Rules does not automatically end. The HHS' Office for Civil Rights (OCR) made this clear when it imposed a $100,000 penalty on FileFax Inc for HIPAA violations. FileFax, a company in Northbrook, IL, provided medical record storage, maintenance and delivery services. After FileFax had ceased operations, OCR received an anonymous tip on February 10, 2015 that a person had taken documents containing protected health information and sold them to a recycling facility.

According to OCR's investigation, the person who took the files and sold them to the recycling facility between February 6 and 9, 2015 was not a FileFax employee but a dumpster diver. The files contained the medical records of 2,150 patients. OCR reported that from January 28 to February 14, 2015, FileFax impermissibly disclosed the PHI of those 2,150 patients, either because FileFax left the files in an unlocked truck or because a person was granted permission to remove the medical records from the facility.

The Illinois Secretary of State dissolved FileFax on August 11, 2017 because it had ceased operating. Any penalty owed by the firm will be paid by the court-appointed receiver, the person who liquidated FileFax's assets. The receiver will also carry out the corrective action plan, which requires cataloguing and securely storing the remaining medical records until the required retention period lapses.

Covered entities and business associates must follow the HIPAA retention requirements for documents containing PHI. Such documents must be retained for 6 years from their creation or from the date on which they were last in effect, whichever is later. State laws also set retention periods for medical records. In Florida, medical records must be kept for 5 years from the last patient visit. In North Carolina, hospitals must keep records for 11 years after the last discharge date.

HIPAA requires that documents be properly safeguarded throughout the retention period: administrative, technical and physical safeguards must keep the medical records secure and confidential. When the retention period is over, the documents must be disposed of properly, ensuring they are rendered indecipherable and unrecoverable. Paper records are usually shredded, burned, pulped or pulverized.

The case of FileFax is not unique. Many businesses have ceased operations and left paper records containing PHI unsecured. Others have moved to a new location and left medical records at the old property, where they were disposed of as regular trash. These actions are violations of the HIPAA Rules and carry financial penalties.

About Daniel Lopez
Daniel Lopez is a HIPAA trainer, passionately committed to enhancing healthcare data protection and privacy standards. As a recognized expert in HIPAA compliance, he holds the role of HIPAA specialist at The HIPAA Guide. Holding a degree in Health Information Management, complemented by certifications in data privacy and security, Daniel's academic and professional credentials are a testament to his expertise. His approach to training is both engaging and educational, catering to a range of professional needs in the healthcare sector. For further information or to benefit from his expertise, Daniel is reachable through HIPAAcoach.com or https://twitter.com/DanielLHIPAA