Eye on HIPAA Compliance - “Careless” Business Associates and Pediatric Practice Group Suffer Penalties

February 15, 2018

By: Hermes Fernandez and Raul A. Tabora, Jr.

The recent penalties imposed by the Office of Civil Rights (OCR) on a file storage company called Filefax, Inc., and the small pediatric practice group it served, present an opportunity for health care providers and their contractors to conduct some risk assessment and ensure that they do not follow in their footsteps.

Filefax was an Illinois-based company that served medical providers and other covered entities by offering storage and maintenance of medical records. The company, a business associate under HIPAA, initially came under scrutiny in 2015 after files containing full medical records were discovered at a shredding and recycling facility. According to a recent Resolution Agreement and Corrective Action Plan, OCR’s investigation revealed that Filefax “impermissibly disclosed the PHI of 2,150 individuals by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to a person to remove the PHI from Filefax and leaving the PHI unsecured, outside the Filefax facility . . . .” 

Although Filefax has closed its doors and is now going through bankruptcy, OCR has imposed a penalty of $100,000 to be paid through the court-appointed receiver for Filefax’s HIPAA violations. Notably, the covered entity it served, a sizable provider group, appears to have escaped liability. However, the investigation into Filefax exposed other physician groups to scrutiny. During its investigation, OCR learned that another provider, a pediatric group, had failed to comply with basic HIPAA standards. This group also had been contracting with Filefax for over a decade, and in the process disclosed PHI of “at least” 10,728 individuals as part of the storage services offered by Filefax. Because neither of these entities could produce a signed Business Associate Agreement, OCR required the pediatric group to pay penalties in the amount of $31,000. There is no evidence that OCR found any of the patients to have been harmed by the violation. (Click here to read the official Press Release and to access the Resolution Agreement and Corrective Action Plan.)

These recent OCR enforcement actions show the crucial need for a risk assessment program within all provider organizations that maintain health care records. At a rudimentary level, a risk assessment checklist includes an assessment of all contractors of a practice group to ensure that there is an appropriate Business Associate Agreement in place protecting the exchange, access or storage of patient health records. For more on risk assessments and Business Associate standards, see Bond’s publication Health Care: A Glimpse at Some Changes Required By HITECH and Omnibus HIPAA Final Rule.

To learn more on how to strengthen your HIPAA compliance program, contact:

Hermes Fernandez
(518) 533-3209

Raul A. Tabora, Jr.
(518) 533-3242
