Table of Contents
In another example of the federal government exacting a toll on an organization already sanctioned by state authorities, the HHS Office for Civil Rights (OCR) recently collected $100,000 from a defunct medical records document storage company in Illinois. FileFax, Inc., paid the state $30,000 in 2015 to settle allegations that it had violated HIPAA and state laws for the same document-dumping incident that led to the Feb. 13 OCR announcement.
A bit of a zombie firm, FileFax, founded in 2000, was itself in receivership by the time OCR concluded its investigation and announced the agreement for payment and corrective action plan (CAP) that calls for proof of cataloging and proper disposal of the records.
The settlement also demonstrates the ripple effect of what seemed like a woman’s innocent attempt to earn a few dollars by attempting to turn the discarded documents she found unsecured in a Dumpster into cash at a shredding/recycling company. Unfortunately for FileFax and its former clients, the owner of the shredding firm recognized the 1,100 pounds of paper as medical records from a local pulmonary practice and blew the proverbial whistle. Under HIPAA, old, discarded or unusable records must be stored and/or disposed of through secure means.
FileFax’s actions caused Suburban Lung Associates to have to go through the breach notification and mitigation process, but the practice wasn’t subject to any formal enforcement actions. However, a group of pediatric gastroenterologists wasn’t so fortunate—and, of course, neither was FileFax.