August 3, 2020

Volume X, Number 216


Alleged HIPAA Violations Follow Company Post-Close

On February 13, 2018, the HHS Office of Civil Rights (“OCR”) announced that the court-appointed receiver of Filefax, an Illinois company that moved and stored medical records for covered entities before going out of business in 2016, has agreed to pay $100,000 out of a receivership estate to settle potential violations of the HIPAA Privacy and Security Rules. According to the Resolution Agreement between HHS and the receiver for Filefax, OCR began investigating Filefax after receiving an anonymous tip suggesting that Filefax had carelessly handled and improperly disclosed medical records containing protected health information (“PHI”). OCR’s investigation revealed that between January 28, 2015, and February 14, 2015, Filefax allegedly impermissibly disclosed the medical records of approximately 2,150 patients, when the company allowed the paper records to be left unsecured in an unlocked truck outside the Filefax facility for an individual to take to a shredding and recycling facility in exchange for cash. Filefax went out of business while OCR was investigating the alleged HIPAA violations; however, OCR nevertheless pursued its enforcement action.

According to OCR Director Roger Severino, the settlement agreement serves as a reminder that “[t]he careless handling of PHI is never acceptable… Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.” HIPAA requires covered entities and business associates to implement appropriate administrative, technical, and physical safeguards to ensure that records are secure and remain confidential during the retention period. After the retention period is over, all PHI must be disposed of in a compliant manner. Individual states have specific record retention and disposal requirements, too, which must be considered when a company that handles PHI goes out of business.

The resolution agreement and corrective action plan are available on the OCR website at

© Copyright 2020 Squire Patton Boggs (US) LLP

National Law Review, Volume VIII, Number 57


About this Author

Elliot Golding, Privacy and Cybersecurity Attorney, Squire Patton Boggs

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs,...

Anne Harrington, Energy Attorney, Denver, Squire Patton Boggs

Anne Harrington counsels clients in the energy and natural resources industries on a wide range of regulatory, administrative and public policy concerns ranging from compliance with federal and state environmental, health and safety laws, to Western public lands laws, to obtaining regulatory approvals.

Additionally, she draws from her past experience as a legal analyst and compliance deputy for an international biopharmaceutical and vaccines company and her training in bioethics to represent healthcare and health data companies. She advises clients ranging from small physician practices to state health information exchanges on federal and state regulatory issues with a focus on data privacy.

Energy and Natural Resources

In her energy and natural resources practice, Anne regularly advises national and international companies on regulatory compliance with state and federal health and safety laws, helps to manage company responses to regulatory inspections, investigations, citations, accidents and whistleblower actions, and defends companies in resulting state and federal enforcement actions (primarily MSHA and OSHA). She has substantial experience in drafting state and federal legislation, advising clients on public policy implications of legislative efforts, participating in federal notice and comment rulemaking efforts, and working with clients to devise and execute public policy strategies, including Congressional outreach, to address federal agency matters.


Anne has deep experience in developing risk management strategies, drafting privacy and security policies; negotiating complex data agreements with unique data privacy questions; and ensuring compliance with state and federal laws such as HIPAA and HITECH; 42 CFR Part 2, state laws and guidance governing privacy, security and breach notification; and the Children’s Online Privacy Protection Act.

In addition to her work as a lawyer, she has taught medical ethics at a large state university and sits on the ethics committee of a nationally-ranked children's hospital.


Energy and Natural Resources

  • Representing oil and gas, gold, silver, trona ore, potash, copper and nickel mining companies operating on BLM and USFS land in Colorado, California, Nevada, Minnesota and Arizona, on matters arising under federal land management and environmental statutes, the General Mining Laws, Mineral Leasing Acts and counterpart state laws.

  • Representing one of the world’s largest oil industry service companies in connection with development of hydraulic fracturing disclosure and methane emission regulations in Colorado. This included securing permits for a water recycling facility to serve oil and gas well drilling contractors – a first of its kind operation – under Colorado recycling regulations.

  • Successfully negotiating major settlement with Mine Safety and Health Administration to avoid a crippling “pattern violator” designation for large Western mining client.

  • Handling multiple unwarrantable failure and flagrant citations issued by MSHA and litigating multiple employment discrimination claims under Section 105(c) of the Mine Act.