skip to main content

March 4, 2018

By: Stephanie T. Eckerle and Meghan M. Linvill McNab

In a recent announcement by the U.S. Department of Health and Human Services (“HHS”), Office of Civil Rights (“OCR”), the OCR was clear to make a point that just because a business closes during an OCR investigation, does not mean that the business’ obligation for any HIPAA violations ends.  To make this point, OCR referenced the recent settlement and corrective action plan entered into for alleged HIPAA violations by now-defunct, Filefax.  The OCR was investigating Filefax for impermissibly disclosing protected health information (“PHI”) of 2,150 individuals.  Although Filefax ceased operations during the OCR’s investigation, Filefax’s obligations for the alleged HIPAA violations continued and the receiver appointed to liquidate the assets of Filefax ultimately agreed to pay $100,000 out of the receivership estate to settle the alleged HIPAA violations and agreed to properly store and dispose of remaining medical records found at Filefax’s facility in compliance with HIPAA.

The OCR Press Release, Resolution Agreement and Corrective Action Plan are available here.

If you have questions regarding HIPAA compliance while closing a business or have other HIPAA-related questions, please contact Stephanie T. Eckerle at, Meghan M. Linvill McNab at or your regular Krieg DeVault attorney.