Out-of-Business File Storage Company Paid $100K for Alleged HIPAA Violations
Yesterday, DHHS’s Office for Civil Rights (OCR) announced a $100,000 settlement with a dissolved medical records moving and storage company in Illinois. This is another example of OCR bringing enforcement actions against a business associate under HIPAA. OCR investigated a complaint that the business associate brought medical records to a shredding and recycling facility in exchange for cash. According to OCR, it confirmed that the business associate violated the HIPAA Privacy Rule when it left the medical records of approximately 2,150 people at the shredding and recycling facility. Due to other legal troubles, a court had already forced the business associate to liquidate its assets and appointed a receiver to pay its debts. The receiver agreed to pay the $100,000 settlement and to ensure that the storage and disposal of the remaining medical records would be in compliance with HIPAA.
Read a copy of the Resolution Agreement here.