When HIPAA-covered entities and their business associates cease operations, the obligation to follow HIPAA rules does not end yet. This fact was made clear by the HHS’ Office for Civil Rights (OCR) when it slapped FileFax Inc with a $100,000 penalty for HIPAA violations. FileFax is a company in Northbrook, IL that provided medical record storage, maintenance and delivery service. After ceasing operations, OCR received an anonymous tip on February 10, 2015 that a person took documents with protected health information and sold them to a recycling facility.
According to OCR’s investigation, it wasn’t a FileFax employee that took the files and sold them to a recycling facility from February 6 to 9, 2015. She was a dumpster diver. The files contained the medical records of 2,150 patients. OCR reported that from January 28 to February 14, 2015, FileFlax impermissibly disclosed 2,150 patients’ PHI. Perhaps FileFax left the files in an unlocked truck or permission was granted to a person to remove the medical records from the facility.
The Illinois Secretary of State dissolved FileFax on August 11, 2017 since it no longer operates. Whatever penalty required from the firm will be taken care of by the court appointed receiver – the person who liquidated FileFax’s assets. The receiver also will perform the corrective action plan to catalogue and store securely what was left of the medical records until the required retention period lapses.
Covered entities and business associates must follow the HIPAA retention requirements with regards to documents containing PHI. Such documents must be retained for 6 years after its creation or after the date when it was last in effect. State laws also have required retention period for medical records. In Florida, medical records must be kept for 5 years from the last patient visit. In North Carolina, hospitals must keep the records for 11 years after the last discharge date.
HIPAA requires proper care of the documents during the retention period. There must be administrative, technical and physical safeguards to keep the medical records secure and confidential. When the retention period is over, the documents must be disposed of properly making sure they are indecipherable and unrecoverable. Paper records are usually shredded, burned, pulped or pulverized.
The case of FileFax is not unique. Many businesses have ceased operation and left paper records with PHI unsecure. Others have moved business location and left medical records at the old property only to be disposed of as regular trash. These actions are considered HIPAA rules violations and will be financially penalized.