A Chicago record storage and disposal company has been named in a complaint filed by the Illinois Attorney General as a result of the negligent disposal of a medical practice’s patient records in an unlocked dumpster. The complaint alleges that FileFax, Inc. violated the Illinois Consumer Fraud and Deceptive Business Practices Act by failing to handle the records entrusted to it for secure disposal by the practice, Suburban Lung Associates, as required by the Illinois Personal Information Protection Act as well as HIPAA.
Not only did FileFax allegedly discard the records in its unlocked dumpster adjacent to its place of business, but more incredibly, a FileFax employee permitted another individual to remove 1,100 pounds of records and take them to another facility for recycling. The recycler, Shred Spot, recognized the documents as protected health records and refused to recycle them. After consulting his trade association, the National Association for Information Destruction, Shred Spot owner Paul Kaufmann contacted the office of Attorney General Lisa Madigan, according to the Chicago Tribune.
Adding to the perfect storm, shortly after the records were delivered to Shred Spot, Dave Savini, an investigative reporter for CBS Chicago, took a film crew to the dumpster outside of the FileFax facility which remained full of Suburban Lung’s records and remained unlocked, accessible by the general public. He noted:
“It is an identity thief’s dream, and a nightmare for patients. Medical files, tossed in the trash, contain personal information including drivers’ licenses, Social Security numbers and even medical histories.”
Watch his report here:
Illinois Attorney General agents and representatives of the Department of Health and Human Services then conducted a site visit of the Shred Spot facility, and documented the return of the records to the practice.
FileFax faces civil penalties and injunctive relief under the AG’s suit including a $50,000 fine for violation of the Consumer Fraud Act and an additional $10,000 for each violation that involved a senior citizen, plus costs of investigation and prosecution, along with another civil penalty of $50,000 for improperly disposing of sensitive personal information and protected health information under the state’s Personal Information Protection Act. At this point it is not clear what additional sanctions may be sought by HHS under HIPAA. Further, Suburban Lung Associates may face vicarious liability for the negligence of its business associate, FileFax.
My partners Elizabeth Litten and Michael Kline were quoted by Marla Durben Hirsch in the July 27, 2015 issue of Part B News in an article entitled “Faulty record disposal by business associate exposes physician practice” (subscription required).
“Reporters love to dumpster dive. It’s more sexy [than some other HIPAA violations],” says Kline. “It’s a horror show for the covered entity. And if there’s no business associate agreement, it’s even worse,” he adds.
In the interview, they emphasized the need to treat record storage and disposal companies as seriously as other third-party contractors handling patient-related items, to verify a vendor’s HIPAA compliance efforts before engaging them and to continue monitoring their compliance.
“Consider medical information as other waste, as if it’s toxic. If it’s not disposed of properly, there could be liability,” says Litten.
Further, a covered entity’s business associate agreement is its best defense when a business associate drops the ball. “You need to know that the business associate knows and complies with HIPAA and state law,” says Litten.
In addition, business associates should be required to report to covered entities within a few days of discovering a breach, and should be required to pay for any costs incurred by the covered entity they have caused, including credit monitoring.