On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located in Illinois, acted as a business associate under HIPAA.

OCR initiated an investigation in February, 2015, after a shredding and recycling facility submitted a complaint concerning medical records that had been discovered in a dumpster and delivered to the facility for recycling. OCR subsequently determined that Filefax impermissibly disclosed PHI of 2,150 individuals over a two week span in early 2015 by leaving PHI in an unlocked truck in Filefax’s parking lot, or by leaving PHI within medical records sitting outside of Filefax’s business for a third party to collect.

The settlement with OCR was entered into by a court-appointed receiver acting on behalf of Filefax, because Filefax ceased operations during OCR’s investigation and was dissolved in August, 2017. OCR nonetheless pursued this investigation and entered into the monetary settlement, which will be paid by the receiver from the proceeds of a prior sale of Filefax’s commercial property.

This settlement is a notable example of an egregious violation of HIPAA’s privacy and security standards, the discarding of medical records in a dumpster and/or transfer of such records to third parties without any assurances of confidentiality or accompanying safeguards. The settlement is also notable for OCR’s continued attention on HIPAA compliance by business associates and not just covered entities.

This settlement represents OCR’s second settlement in 2018, following a large settlement announced last week (see our analysis here), and the back-to-back settlement announcements may be indicative of an uptick in enforcement activity by OCR in 2018 after a quiet end to 2017.

[View source.]