Receiver for Out-of-Business HIPAA BA Reaches $100,000 Settlement with HHS | Practical Law

The Department of Health and Human Services (HHS) announced a $100,000 settlement with the court-appointed receiver of an out-of-business company for potential violations of the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA). The enforcement action arose after HHS received an anonymous tip that an individual brought medical records obtained from the company to a shredding and recycling facility to sell.

Practical Law Legal Update w-013-1754 (Approx. 4 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 14 Feb 2018, USA (National/Federal)
On February 13, 2018, HHS announced a $100,000 settlement with the court-appointed receiver of an out-of-business company for potential violations of HIPAA's Privacy Rule (see Practice Note, HIPAA Privacy Rule and HIPAA Privacy, Security, and Breach Notification Toolkit). The company, a business associate (BA) under HIPAA, provided medical records storage, maintenance, and delivery services to HIPAA covered entities (see Standard Document, HIPAA Business Associate Agreement).
HHS opened its investigation after receiving an anonymous tip that a "dumpster diver" brought medical records obtained from the company to a shredding and recycling facility to sell for cash. The records contained the protected health information (PHI) of 2,150 patients. HHS's investigation revealed that the company, which went out of business during the investigation, impermissibly disclosed the patients' PHI. The disclosure resulted after the company either:
  • Left the PHI in an unlocked truck in the company's parking lot.
  • Allowed an individual to remove the PHI from the company's facility and disposed of it in an unsecured location for the individual to collect.

Corrective Action Plan

In addition to the $100,000 payment, the receiver agreed, on the company's behalf, to comply with a corrective action plan (CAP). The receiver had already placed the medical records at issue into storage with a third-party information management company. The CAP requires the receiver to properly store and dispose of these remaining medical records.
Under the CAP:
  • The information management company must catalogue the records, and the receiver will send a copy of this inventory to HHS.
  • The receiver must submit a records disposition plan to HHS for approval (and, following HHS's approval, submit the plan to the court that appointed the receiver).
  • Within seven days of the CAP's effective date, the receiver must send HHS an affidavit authenticating the records and outlining:
    • where and when the records were found;
    • the steps taken to secure the records; and
    • the process used to catalogue the records.
  • After disposing of the remaining records, the receiver must attest that it disposed of the PHI in its possession consistent with the records disposition plan.
For a discussion of disposing of PHI, see Practice Note, Disposing of HIPAA PHI for Group Health Plans.

Practical Impact

As this settlement agreement illustrates, issues involving the proper disposal of PHI can become complicated when a HIPAA covered entity or BA ceases to exist. In the context of group health plans as covered entities, a BA agreement must provide that upon the agreement's termination, if feasible, the BA will:
  • Return or destroy all PHI received from, or created or received by the BA on the plan's behalf that the BA still maintains in any form.
  • Retain no copies of the information.
If returning or destroying the PHI is not feasible, the agreement must provide that the BA will:
  • Extend the agreement's protections to the information.
  • Limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
But if the BA simply ceases to exist and it becomes unclear whether these end-of-agreement actions will be carried out, the plan may find itself without access to information it needs (for example, to handle ongoing claims) or with potential liability if the PHI is not properly disposed of (see Practice Note, Disposing of HIPAA PHI for Group Health Plans).