Dumpster Diver Demonstrates Importance of Proper Medical Record Storage and Disposal

Closing its doors does not relieve a business of its obligation to safeguard patients' protected health information (PHI), as one company recently learned.

Earlier this month, the receiver appointed to liquidate the assets of Filefax, Inc. agreed to pay $100,000 out of the receivership estate to settle potential HIPAA violations.

Filefax was an Illinois company that provided storage, maintenance and delivery of medical records. Before the company shut its doors in 2016, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) received a complaint alleging that a "dumpster diver" had brought medical records obtained from Filefax to a shredding and recycling facility to exchange for cash. After opening an investigation, OCR confirmed that the medical records of more than 2,100 patients had been left at the shredding facility in February 2015.

OCR's investigation also found that the records had been left in an unlocked dumpster in the Filefax parking lot, where a Filefax employee allowed another person to remove them and take them for recycling. The recycler recognized the documents as protected health information and refused to shred them, choosing instead to contact the state attorney's office.

That, in turn, led to a complaint filed by the Illinois Attorney General in the Circuit Court of Cook County. According to the complaint, the records belonged to Suburban Lung Associates. The AG brought the action under the Consumer Fraud and Deceptive Business Practices Act, alleging unfair and deceptive business practices.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, gives state attorneys general the authority to bring civil actions in federal court on behalf of state residents for violations of the HIPAA Privacy and Security Rules, either to obtain damages on behalf of those residents or to enjoin further violations.

In such an action, a state attorney general can seek statutory damages of $100 per violation, capped at $25,000 per calendar year for violations of an identical requirement, in addition to any civil money penalties OCR may impose separately.

According to the most recent OCR data, since the Privacy Rule's compliance date in April 2003, OCR has received more than 171,161 HIPAA complaints and has initiated more than 870 compliance reviews, resolving 98 percent of these cases (164,252). As of December 31, 2017, OCR had settled or imposed a civil money penalty in 53 cases, for a total of $75,229,182.00.

HIPAA requires covered entities and their business associates to enter into written business associate agreements to ensure that protected health information is appropriately safeguarded. A covered entity that shares PHI with a vendor without such an agreement exposes itself to a HIPAA violation, regardless of whether the vendor ever mishandles the data.

The Filefax case should serve as a reminder that covered entities should have a process in place to assess current and future business relationships and determine which vendors, consultants and subcontractors meet the definition of a business associate. Such relationships evolve over time, so agreements should be reviewed and updated regularly. The case also underscores that a records vendor's obligations extend to the end of the data's life: PHI must be securely stored until it is disposed of, and disposal of paper records means shredding, burning, pulping or pulverizing them so they cannot be read or reconstructed, not leaving them in an unsecured container for a third party to collect.

It’s always best to consult your legal counsel on these matters. The Health Law Offices of Anthony C. Vitale’s highly skilled team of experienced professionals can help you to create a HIPAA compliance program designed to meet your unique needs. Contact us for additional information at 305-358-4500 or send us an email to info@vitalehealthlaw.com and let’s discuss how we might be able to assist you.

Material presented on the Health Law Offices of Anthony C. Vitale's website is intended for information purposes only. It is not intended as professional advice and should not be construed as such.