

February 17, 2018 | Reading Time: 2 Minutes


HIPAA Fine: FileFax Document Disposal Service Gets HIPAA Fine of $100,000

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a new HIPAA fine for $100,000, stressing the importance of proper document disposal.

Filefax Inc. was a record management service based out of Illinois. OCR received a complaint stating that over 1,000 pounds of documents containing protected health information (PHI) were found in an unlocked dumpster behind the company’s office. PHI is any demographic information that can be used to identify a patient, including name, date of birth, Social Security number, and medical information.

Over the course of OCR’s investigation into Filefax, the company filed for bankruptcy and shut down. However, federal investigators still found grounds to fine the company, which is still expected to pay the $100,000 out of its remaining assets.

HIPAA Won’t Quit, Even after Bankruptcy

This HIPAA single fine is notable because Filefax was unable to avoid the penalty even after shutting its doors. The incident proves that HIPAA fines can reach health care organizations long after a data breach or HIPAA violation has occurred.

Growing Threat Posed by Health Care Vendors

As a record management service, Filefax is considered a HIPAA business associate under the law. A business associate (BA) is any vendor hired by a health care provider that necessarily encounters PHI over the course of work they’ve been hired to perform.

Common examples of BAs include billing companies, EHR platforms, document storage services, cloud providers, IT services, attorneys, accountants, and record management services.

Under HIPAA regulatory requirements, BAs must be HIPAA compliant in order to protect the sensitive health information they handle for their clients.

The threat of a negligent BA is two-fold. First, when a BA mishandles PHI, as in the case of Filefax, they put your patients’ health data at risk. Health information such as PHI sells for three times as much as financial information on the black market. Your patients could be at risk of identity theft and worse if a non-compliant BA mishandles their information.

Second, if your BA gets investigated, it could drag your behavioral health organization into an audit as well. Under the law, all health care providers must execute legal Business Associate Agreements with vendors before any information can be shared. If your vendor suffers a data breach and the ensuing HIPAA investigation finds that your company never signed a Business Associate Agreement with them, your organization could be at risk of a HIPAA violation.

The best way to defend your behavioral health practice against non-compliant BAs and the growing trend of BA HIPAA fines is to adopt a total HIPAA compliance program that addresses the full extent of the law.
