Companies in the healthcare industry face many unique challenges when undergoing a bankruptcy, including challenges arising due to the federal and state law framework governing the use and disclosure of medical information. In February 2018, the U.S. Department of Health and Human Services (HHS) announced that it had reached a settlement with the receiver appointed to liquidate the assets of Filefax, Inc., a medical record storage and transportation company, resolving claims against Filefax for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The HHS investigation, which commenced in 2015, indicated that Filefax impermissibly disclosed the protected health information (PHI) of 2,150 individuals by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax and leaving the PHI outside the Filefax facility for collection in an unsecured manner. During the investigation, Filefax stopped operating and was involuntarily dissolved. As part of the settlement, the receiver agreed to pay $100,000 out of the receivership estate and to properly store and dispose of the remaining medical records in compliance with HIPAA.
Medical Record Storage and Maintenance
While HIPAA requires covered entities (i.e., health plans, healthcare providers, and healthcare clearinghouses) and their business associates (generally, persons or entities providing services that involve the use or disclosure of PHI to or on behalf of a covered entity) to maintain the privacy and security of PHI during maintenance, storage, and disposal of PHI, state laws typically govern the length of time the medical records must be kept. For example, in Texas, a hospital must maintain medical records for 10 years from the date of last treatment of the patient, or, if the patient was under 18 when last treated, for the longer of 10 years or until the patient reaches the age of 20. State laws can vary based on the type of person or entity and record involved, although often these record maintenance laws apply only to specific types of healthcare providers. In addition, certain other statutes may apply. For example, the Centers for Medicare & Medicaid Services (“CMS”) require hospitals to maintain medical records for five years.
Maintenance and storage of medical records may be complicated further if the covered entity or business associate is undergoing a bankruptcy and lacks the financial resources required for proper maintenance and storage of the patient records. The United States Bankruptcy Code (the “Bankruptcy Code”) permits a “health care business” that is a debtor in bankruptcy to dispose of patient records in a certain manner if the debtor/trustee has insufficient funds to pay for storage of the patient records as required by federal or state law. Specifically, the healthcare business must publish notice in a newspaper of the intent to destroy the records and must attempt to contact directly each patient and the patient’s insurance provider. The records must be kept for at least one year, and if no one claims the records, the trustee must offer them to the appropriate federal agency. Records that are not accepted by the appropriate federal agency may then be destroyed as set forth in the Bankruptcy Code. A “health care business” is defined in the Bankruptcy Code to include any public or private entity that is primarily engaged in offering to the general public facilities and services for the diagnosis or treatment of injury, deformity, or disease, and surgical, drug treatment, psychiatric, or obstetric care, including, but not limited to, any hospital, emergency or surgical treatment facility, hospice, home health agency, and nursing, assisted-living, or long-term care facility.
While the definition of “health care business” in the Bankruptcy Code covers many healthcare providers, it does not cover every healthcare provider.1 Further, if there is no applicable federal or state law requiring the healthcare business to maintain the patient records for a certain period of time, courts have some discretion to develop procedures on a case-by-case basis. For example, after finding no relevant state law requiring the debtor to maintain the patient records and noting that the trustee had no funds to store patient records, the court in In re LLSS Mgmt. Co., Inc. ordered the trustee to keep a compact disk (for no cost) that contained the names and addresses of patients to whom a prescription mixture was given and for whom anti-depressants were prescribed, and to notify patients that their medical histories would be shredded after sixty days.2
Disclosure of Records During Sale or Winding Up
Part of the bankruptcy or winding up process may involve the sale of some or all of the debtor’s assets, and potential purchasers may have access to medical information during the due diligence process. HIPAA has certain exceptions to allow for the disclosure of PHI during the due diligence process, but the exceptions are limited in nature and must be analyzed carefully to ensure compliance. For example, a covered entity may disclose PHI for due diligence related to a sale, transfer, merger, or consolidation without obtaining patient consent if the transaction is between two covered entities, or between a covered entity and an entity that will become a covered entity following the transaction.
Given the complexity of the federal and state laws applicable to medical record privacy and security during a bankruptcy or winding up, companies in the healthcare industry should take certain steps to limit their exposure (e.g., earmarking funds for medical records management in liquidation or restructuring budgets, and ensuring appropriate privacy and security policies and procedures are continued during this process). Healthcare providers and their vendors should also proactively address medical record storage, destruction, and ownership in their agreements and consider adding specific provisions to address “wrapping up” services in the event of a bankruptcy. Finally, companies in the healthcare industry should carefully consider disclosures made during a potential purchase and engage legal counsel to help determine whether HIPAA, state laws, and applicable exceptions apply.