By Matt Pavich, J.D.
HHS has reached an agreement with the receiver appointed to liquidate the assets of Filefax, Inc., resolving claims that the now-defunct company impermissibly disclosed protected health information (PHI) of patients. The agreement comes, despite the fact that Filefax ceased operation s during the pendency of HHS’ Office for Civil Rights (OCR) investigation (Resolution Agreement, February 13, 2018).
According to the agreement, the OCR received an anonymous complaint that on February 6 and 9, 2015, an individual brought medical records obtained from Filefax to a shredding and recycling facility in order to sell the documents. The OCR opened an investigation on February 10, 2015, and discovered that the dumpster diver had brought records of roughly 2,150 patients to the facility. Those records contained the patients’ PHI. The investigation further revealed that between January 28, 2015, and February 14, 2015, Filefax impermissibly disclosed the PHI of approximately 2,150 patients, either when it left the records in an unlocked truck in its parking lot, or when it gave permission to an unauthorized individual to remove the information from the Filefax facility.
Filefax is no longer in business and in 2016, a court in unrelated litigation appointed the receiver to liquidate Filefax’s assets for distribution. Pursuant to the agreement reached with HHS, the receiver will pay $100,000 on behalf of Filefax. In addition, the remaining medical records found at Filefax’s facility will be destroyed in compliance with HIPAA. The agreement is not an admission by the receiver of Filefax’s liability, nor is it a concession by HHS that Filefax did not violate HIPAA rules.
Companies: Filefax, Inc.
MainStory: TopStory EHRNews HITNews HIPAANews ProgramIntegrityNews
Interested in submitting an article?
Submit your information to us today!Learn More