Dumpster diver shows the importance of proper medical record storage and disposal

Dumpster diver shows the importance of proper medical record storage and disposal

By Christopher A. Parrella J.D., CPC, CHC, CPCO 

Just because a business closes its doors, it doesn’t mean that it no longer is obligated to safeguard patients’ protected health information (PHI), as one company recently learned.

Earlier this month, the receiver appointed to liquidate the assets of Filefax, Inc. agreed to pay $100,000 out of the receivership estate to settle potential HIPAA violations.

Filefax was an Illinois company that provided storage, maintenance and delivery of medical records. Before it shut its doors in 2016, the U.S. Department of Health and Human Services Office for Civil Rights, received a complaint alleging that a “dumpster diver” brought medical records obtained from Filefax to a shredding and recycling facility to exchange for cash. After opening an investigation, OCR confirmed that the medical records of more than 2,100 patients had been left at the shredding facility in February 2015.

Furthermore, its investigation found that those records had been left in an unlocked dumpster in the Filefax parking lot, where an employee allowed another person to remove them and take them for recycling. The recycler recognized the documents as protected health data and refused to shred them, choosing instead to contact the state attorney’s office.

That, in turn, led to a complaint being filed by the Illinois Attorney General in the Circuit Court of Cook County. The records, according to the complaint, belonged to Suburban Lung Associates. The AG brought the action under the provisions of the Consumer Fraud and Deceptive Business Practices Act alleging unfair and deceptive business practices.

The Health Information Technology for Clinical and Economic Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act allows State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules.

Under HIPAA Rules, fines of between $100 and $25,000 can be issued per violation by state attorney generals for breaches of personal health information.

According to the most recent data, since the compliance date of the Privacy Rule in April 2003, OCR has received more than 171,161 HIPAA complaints and has initiated more than 870 compliance reviews. It has resolved ninety-eight percent of these cases (164,252). As of Dec 31, 2017, OCR has settled or imposed a civil money penalty in 53 cases resulting in a total dollar amount of $75,229,182.00.

HIPAA requires that covered entities and their business associates enter into written business associate agreements to ensure that protected health information is appropriately safeguarded. Covered entities that do not have such an agreement open themselves up to a HIPAA violation.

The case should serve as a reminder that covered entities should have a process in place to

assess current and future business relationships to determine which vendors, consultants, and sub-contractors meet the definition of a business associate.

Such business relationships can evolve over time, so it’s important that any agreements also are updated regularly.


Substance abuse is a serious problem impacting the lives of not just those who use, but also their families, friends and employers. Innovative Laboratory Solutions, the maker of the EZ Test Cup, has 20-plus years of manufacturing experience behind it. Our 12-panel drug test cup is FDA approved and CLIA waved. Contact us today for more information at info@eztestcup.com or call 561-218-4646.