$100,000 Fine in Case Involving Defunct Records Storage FirmSecond HIPAA Settlement in Recent Months With a Troubled Company
For the second time in recent months, a federal regulator has signed a HIPAA settlement with an organization that's either gone out of business or filed for bankruptcy.
The Department of Health and Human Services' Office for Civil Rights announced Tuesday that it's entered a $100,000 settlement with Filefax, a now-defunct medical records storage company at the center of a 2015 "dumpster diver" breach affecting more than 2,000 patients.
Although Filefax shut its doors during the course of OCR's investigation into alleged HIPAA violations, the firm could not escape its obligations under the law, OCR says in a statement. "The careless handling of protected health information is never acceptable," said OCR Director Roger Severino. "Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies."
HHS says the receiver for Northbrook, Illinois-based Filefax, who is responsible for liquidating the shuttered company's assets, has agreed to pay the $100,000 monetary settlement out of proceeds from the sale of Filefax real estate.
Filefax advertised itself as providing storage, maintenance and delivery of medical records for covered entities, OCR notes. In 2016, a court in unrelated litigation appointed a receiver to liquidate the company's assets for distribution to creditors and others.
In addition to the monetary settlement, the receiver has agreed, on behalf of Filefax, to a corrective action plan that involves moving remaining medical records from Filefax's facility to another vendor, Iron Mountain, for proper storage and disposal in compliance with HIPAA, the agency adds.
Settlement with Bankrupt Clinic
Late last year, OCR signed a $2.3 million HIPAA settlement with bankrupt cancer care clinic chain, 21st Century Oncology. Separately the Florida-based clinic also agreed to false claims settlements totaling $26 million with Department of Justice for making false attestations regarding its use of electronic health records under the HITECH Act meaningful use financial incentive program as well as making other false claims.
Under the HIPAA resolution agreement with 21st Century Oncology, the monetary payment to OCR was made by the clinic's cyber insurer, Beazley Group (see Bankrupt Cancer Clinic Chain's Insurer to Cover Breach Fine).
Filefax Breach Saga
At the center of the Filefax settlement is a breach that occurred in early 2015.
The saga appears to have begun when a local Chicago TV station reported it received a tip about the discovery of medical charts by a "dumpster diver" who was selling the papers for recycling. The reporter investigating the tip also found a Filefax dumpster filled with medical records that should have been shredded or destroyed before disposal, as well as a parked vehicle containing medical records.
OCR says it received a complaint about the incident on Feb. 10, 2015, alleging that an individual transported medical records obtained from Filefax to a shredding and recycling facility to sell on February 6 and 9, 2015.
OCR says its investigation confirmed that an individual had left medical records of approximately 2,150 patients at the shredding and recycling facility, and that these medical records contained patients' protected health information.
OCR's investigation indicated that between Jan. 28, 2015, and Feb. 14, 2015, Filefax impermissibly disclosed the PHI by leaving it in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax and leaving the PHI unsecured outside the Filefax facility.
Hundreds of pounds of paper medical records of patients at Suburban Lung Associates, a Chicago-area healthcare provider, were discovered in a dumpster outside the Filefax building. Suburban Lung Associates had said it had hired Filefax to retain and then properly destroy its patient documents.
In another, apparently unrelated enforcement action tied to Filefax, OCR last year signed a $31,000 HIPAA settlement with Center for Children's Digestive Health, a small Illinois-based pediatric specialty practice that hired Filefax to store paper records containing patients' PHI but lacked a business associate agreement.
Lessons to Learn
The OCR enforcement action against Filefax offers several critical lessons for covered entities and business associates, ranging from the importance of secure storage and disposal of PHI to proper oversight of vendors.
"As a covered entity, I have immediate downstream responsibility for anyone I have entrusted with this very personal, sensitive information," says Bob Chaput, CEO of security and privacy consultancy Clearwater Compliance. HIPAA calls for "robust business associate management, starting with a BA agreement," he notes. Among critical steps to take with BA management is identifying all BAs, as well as the risks to PHI they pose, he says.
"Because in a large organization, there will be a large number [of BAs], go through the process of risk-ranking the order of those vendors" based on the volume and the nature and sensitivity of PHI they're handling, he says. "There's PHI and then there's super-PHI ... such as mental health information."
Once ranked, each BA should be put into a category with plans developed for each category, he says. "For instance, for your highest risk BAs ... you might have an annual attestation and a strong right to audit."
Joe Gillespie, a security and privacy consultant at tw-Security says carefully vetting vendors before turning over patient PHI to them is critical.
"I have seen several start-up companies in the records storage business over the years and it was obvious in talking with some of them that they did not have the depth of regulatory knowledge that is necessary," he says. "Covered entities and business associates must perform a thorough due-diligence review ... along with reference checks with the company's client list. During negotiations, the company should be asked for a complete list of healthcare clients and contact information. If the company refuses, that should be factored into the decision process."
In addition, Keith Fricke, principal consultant at tw-Security notes that the duty to safeguard PHI doesn't stop when patient records, paper or electronic, are no longer needed by an organization, Fricke says.
"Hitting the delete key on a computer is not enough. Data must be permanently scrubbed in a way that it cannot be recovered with free or commercial tools," he says. "Physical destruction of storage media is a good practice. There are free and commercial tools designed to forensically wipe electronic data before decommissioning computers or disposing of storage media."
OCR has penalized other organizations for cases involving improper disposal of PHI.
For instance, in 2014, OCR signed an $800,000 settlement with Parkview Health System, as a result of an incident in June 2009 involving the paper medical records of 5,000 to 8,000 patients that were left unattended in the driveway outside the home of a retired physician.