Warning from DoH: HIPAA Compliance Doesn’t End When a Business Closes

A recent settlement between the U.S. Department of Health and Human Services, Office of Civil Rights (the Department) and Filefax, Inc. serves as a stark reminder for covered entities and business associates that their obligation to comply with the Health Insurance Portability and Accountability Act (HIPAA) does not end simply because they close their business operations.

Filefax was a business associate that provided storage and maintenance of medical records for covered entities. The Department commenced an investigation after allegations were made that Filefax left undestroyed and unsecured records containing protected health information at shredding and recycling facilities. The investigation confirmed that the records were left in an unlocked truck and unauthorized people at the facility had access to them. During the course of the investigation, however, Filefax closed its business.

The Department nonetheless charged Filefax with a HIPAA violation, explaining that a business has an ongoing obligation to comply with the privacy law and cannot escape liability simply by closing its doors. The parties ultimately settled for a payment of $100,000.

This settlement is an important reminder that, as part of any unwind plan when a business is closed or sold, consideration should always be given to HIPAA compliance. Covered entities and business associates have an obligation to ensure that any protected health information in their possession is properly and securely disposed of or transferred to an authorized person for storage before they end their business operations.