The OCR still enforced a HIPAA penalty for a breach that occurred in 2015, even after the business closed in 2016.
FileFax, Inc. closed its doors in 2016 when a court appointed a receiver to liquidate its assets for distribution to creditors. Additionally, this receiver agreed to store and maintain any health records that FileFax had before the closure. Along with those records came a stiff HIPAA fine for a breach that occurred in 2015.
On February 10, 2015, the Office for Civil Rights (OCR) received an anonymous complaint that records obtained from FileFax had been transported to a shredding and recycling facility to be sold. During the course of the investigation, the OCR discovered that approximately 2,150 patients’ health records were left at this shredding facility. Additionally, the OCR discovered that FileFax left protected health information (PHI) in an unlocked truck in the parking lot, allowing for this theft and potential sale of PHI to occur.
The OCR Director, Robert Severino, stated that this type of situation is unacceptable. He also stated that “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”
Consequently, the receiver has agreed to pay the fine, totaling $100,000. These funds will come out of the receivership estate.
This situation highlights just how far the OCR will go to enforce HIPAA regulations. Going out of business or filing for bankruptcy won’t get you out of that fine.
Make sure you are conducting your risk assessments, providing your employees training, and remaining vigilant in stopping people from trying to access your patients’ information without the proper permission.
To start your risk assessment and find out more about HIPAA compliance, use the HIPAAgps tool today!