On February 13, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it entered into a resolution agreement with the receiver appointed to liquidate the assets of Filefax, Inc. (“Filefax”) in order to settle potential violations of HIPAA. Filefax offered medical record storage, maintenance and delivery services for covered entities, and had gone out of business during the course of OCR’s investigation. 

OCR opened its investigation in February 2015, after receiving an anonymous complaint alleging that on February 6 and 9, 2015, a “dumpster diver” brought medical records obtained from Filefax to a shredding and recycling facility to exchange for cash. OCR’s investigation confirmed that an individual had left medical records containing the protected health information (“PHI”) of approximately 2,150 patients at the shredding and recycling facility. OCR’s investigation concluded that Filefax impermissibly disclosed the PHI by either (1) leaving it in an unlocked truck in the Filefax parking lot, or (2) granting permission to an unauthorized person to remove the PHI from Filefax, and leaving the PHI unsecured outside the Filefax facility.

The resolution agreement required Filefax to pay $100,000 and enter into a corrective action plan, which obligates Filefax’s receiver to properly store and dispose of the remaining medical records found at Filefax’s facility in compliance with HIPAA.