Filefax, Inc. (“Filefax”), an Illinois company that intimately handled sensitive Personal Health Information (“PHI”), paid $100,000 to the Department of Health and Human Services (“HHS”) to settle potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”). The payment stemmed from allegations that, while still in business, Filefax improperly disclosed the PHI of approximately 2,150 people by leaving such information unsecured in an unlocked truck on Filefax property, and by granting access to PHI to people who should not have been granted access. Pursuant to the Resolution Agreement, the court-appointed receiver for Filefax did not admit liability on behalf of Filefax but did agree to enter into a Corrective Action Plan to help mitigate potential exposure.
On its face, the Filefax case may appear to be just like other settlements with HHS resulting from a HIPAA violation, but this case is different for one critical reason—Filefax is no longer in business!
Yes, Filefax, a company no longer operating and which was involuntarily dissolved on August 11, 2017, settled these potential violations of HIPAA, making it clear that, just because the doors close, HIPAA still applies. Roger Severino, director of the Office of Civil Rights (“OCR”), the HHS enforcement arm of HIPAA, stated “[c]overed entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”
Business owners, especially those that handle PHI on a day-to-day basis, must continue to take seriously the rules and guidelines HHS sets forth with respect to HIPAA, and are on notice that penalties may still apply even if they are no longer conducting business. The Filefax case should serve as a stark warning to all business owners that you cannot escape liability and/or penalties under HIPAA by closing your doors.