The most recent HIPAA settlement out of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) proves that care needs to be taken every step of the way to protect your business from HIPAA violation breaches and fines.
The Illinois-based Filefax, Inc. was fined $100,000 to settle violations regarding improper document disposal.
What makes this case different from any other HIPAA settlement to date is that Filefax, Inc. shut down in 2016 after filing for bankruptcy while OCR was still conducting its investigation.
On February 10, 2015, HHS received a complaint stating that Filefax had illegally dumped files containing protected health information (PHI) in an unlocked dumpster behind its office building.
According to a report in the Chicago Tribune published shortly after the incident, someone found “1,100 pounds of paper” in the dumpster and brought those to a shredding company, “seeking cash for recycled materials.”
The owner of the shredding company noticed that the documents contained medical records and called the Illinois State Attorney General.
The Attorney General, Lisa Madigan, filed suit against Filefax for failing to properly destroy the medical records it was charged with managing. “This company brazenly violated the law and jeopardized the personal information and privacy of thousands of Illinois residents,” said Madigan in a press release.
This event, in turn, triggered the HIPAA investigation by OCR. Federal investigators also found that the records had been improperly disposed of, and have now issued Filefax a $100,000 fine. The company’s assets were liquidated when it filed for bankruptcy in 2016, so the fine will be paid by the receiver appointed to manage the liquidation of the firm’s assets.
HIPAA Fines Mounting Against Healthcare Vendors
This fine is also significant because it was levied against a HIPAA business associate (BA). Under HIPAA, a business associate is any vendor or organization hired by a covered entity that necessarily creates, receives, maintains, or otherwise handles PHI in the course of the work it has been hired to perform. As a records management service, Filefax fits into a growing trend of large-scale HIPAA settlements targeting BAs.
This kind of enforcement was uncharacteristic in the past but is becoming regular; the first fine against a BA was levied in 2016. The HIPAA Omnibus Rule, enacted in 2013, sets the national standards that BAs must comply with. Because OCR investigations can take anywhere from two to five years to reach settlement, it makes sense that BA fines are only now becoming more commonplace. This trend is very likely to continue now that OCR has the authority to investigate and fine business associates directly.
“The careless handling of PHI is never acceptable,” said OCR Director Roger Severino. “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”
This HIPAA violation fine is the second HIPAA settlement of 2018, bringing the total in HIPAA fines to $3.6 million since the start of the year.
Is your business doing everything it can to protect against growing HIPAA fines? Implementing an effective HIPAA compliance program is the industry best-practice for keeping protected health information safe from data breaches and fines!