Last month, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a resolution agreement it had entered into with Filefax, Inc. (Filefax) to address potential violations of the Health Insurance Portability and Accountability Act (HIPAA). By way of brief background, Filefax was a medical record storage and disposal company that offered its services to several covered entities. In early 2015, the OCR learned that not only did Filefax leave medical records containing Protected Health Information (PHI) for over 2000 patients in an unlocked truck outside of its place of business for several days, but Filefax also permitted a non-employee to then transport these records to another facility for recycling.
Despite Filefax closing its business during the course of the investigation, the OCR continued to pursue enforcement action against Filefax by way of the resolution agreement. The resolution agreement bound Filefax to a $100,000 settlement amount and a Corrective Action Plan (CAP), which required Filefax to properly store and dispose of its remaining medical records in a manner consistent with HIPAA.
In pursuing this enforcement action, the OCR reminds covered entities that it is committed to addressing any careless handling of PHI by any covered entity, regardless of whether the entity is a going concern or has ceased operation. Covered entities, including pharmacies, are required to implement appropriate safeguards to ensure that PHI remains secure and confidential following the cessation of the provider’s operation. Both federal and state law require providers, particularly licensees, to make appropriate provisions to store medical records and notify former patients of their accessibility.
It is crucial for pharmacies to act cautiously in either storing or disposing of PHI when the pharmacy winds down its business and closes. A breach of PHI can be a costly event, even for a pharmacy that has been closed for many months or years. If you are contemplating closing or selling a pharmacy, Frier Levitt can provide the requisite guidance on the proper handling of PHI to avoid running afoul of HIPAA, as well as applicable federal and state laws. Contact us today to speak with an attorney regarding how to avoid any potential enforcement actions.