Warning: Proper disposal of Protected Health Information (PHI) is an OCR hot spot. Securing your patients' PHI on your computers, networks, and mobile devices is important, but remember that the HIPAA Privacy Rule also governs your paper records. Those safeguards must be maintained even if your business goes under, and, as a recent settlement demonstrates, failing to do so can cost you. The HHS Office for Civil Rights (OCR) recently warned providers and their business associates in a release that anyone handling PHI, including health care providers, storage vendors, and other covered entities (CEs) and business associates, faces the full consequences of a HIPAA violation, regardless of whether the business is still operating.

Context: After liquidating the assets of Filefax Inc., the court-appointed receiver agreed to pay $100,000 out of the estate to settle potential violations of the HIPAA Privacy Rule. Filefax advertised storage, maintenance, and delivery of medical records for covered entities, according to the OCR release. OCR opened an investigation after an anonymous tipster alleged that someone had transported Filefax medical records to a shredding and recycling facility in order to sell them. OCR found 2,150 patients' medical records containing PHI at the shredding and recycling facility and in an unlocked truck in the Filefax parking lot. OCR's investigation indicated that Filefax had allowed an unauthorized person to remove the PHI from its premises, and that this person then left the PHI unsecured outside the Filefax facility, according to the release. Although Filefax shut down during the investigation, it was still held accountable for violating the HIPAA Privacy Rule. "In 2016, a court in unrelated litigation appointed a receiver to liquidate its assets for distribution to creditors and others," according to the press release. "In addition to a $100,000 monetary settlement, the receiver has agreed, on behalf of Filefax, to properly store and dispose of remaining medical records found at Filefax's facility in compliance with HIPAA."

Consider this: Although the healthcare industry has focused intensely on securing ePHI and electronic medical records, paper records remain highly vulnerable, as this case illustrates. "While not as easily transferable as its digital counterpart, the information in paper-based medical records remains extremely lucrative in the black market," warned partner attorney Laurie Cohen in a blog post for the law firm Nixon Peabody. Experts estimate that an individual's medical data can fetch as much as 10 times the value of a credit card number.

Make Long-Term Plans For PHI In Your Protocols

Filefax was also placed under a corrective action plan addressing Privacy and Security Rule issues. Proper disposal of PHI is one of OCR's top five hot spots, and one the agency takes very seriously. "Organizations should pay careful attention to the transfer and disposal of both electronic and paper patient records," stressed associate attorney Jefferson Lin in a blog post for the Seattle-based law firm Ogden Murphy Wallace Attorneys. Under the HIPAA Privacy Rule, 45 CFR 164.530(c), "covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information," OCR guidance reminds. It is also essential, after completing your risk analysis, to set standards for the disposal of ePHI, so that electronic devices and media cannot be reused for nefarious purposes after your agency dissolves, as the Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) requires.

Ask Yourself These 5 Questions

Take care to outline specific guidelines for the retention and disposal of PHI and ePHI, keeping the HIPAA Privacy and Security Rules in mind. Consider these OCR questions for CEs when writing up your HIPAA compliance plan:

Important: Healthcare is a competitive business, and agency closures are all too common. Records management must include the proper disposal of records, taking every safeguard into account to secure PHI. The size of the facility, how the agency dissolves, the number of business partnerships, and the state in which the provider operates all factor into how long PHI and ePHI are retained and managed and when they are eventually discarded or destroyed, advises the American Health Information Management Association (AHIMA) in its online guidance "Protecting Patient Information After a Facility Closure."

Endnote: "The careless handling of PHI is never acceptable," said Roger Severino, OCR director. "Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies."

Note: A summary of the OCR guidance on disposing of PHI is online at www.hhs.gov/hipaa/forprofessionals/faq/575/what-does-hipaa-require-ofcovered-entities-when-they-dispose-information/index.html. AHIMA's advice on securing PHI after closure is at http://library.ahima.org/doc?oid=105074#.WqZm8WaZNAY.