HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Can A Patient Sue for A HIPAA Violation?

Can a patient sue for a HIPAA violation? There is no private cause of action in HIPAA, so it is not possible for a patient to sue for a HIPAA violation. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Rules.

So, if it is not possible for a patient to sue for a HIPAA violation, does that mean legal action cannot be taken against a covered entity when HIPAA has clearly been violated? While HIPAA does not have a private cause of action, it is possible for patients to take legal action against healthcare providers and obtain damages for violations of state laws.

In some states, it is possible to file a lawsuit against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract, such as if a covered entity has failed to protect medical records. In such cases, it will be necessary to prove that damage or harm has been caused as a result of negligence or the theft of unsecured personal information.

Taking legal action against a covered entity can be expensive and there is no guarantee of success. Patients should therefore be clear about their aims and what they hope to achieve by taking legal action. An alternative course of action may help them to achieve the same aim.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Filing Complaints for HIPAA Violations

If HIPAA Rules are believed to have been violated, patients can file complaints with the federal government and in most cases complaints are investigated. Action may be taken against the covered entity if the compliant is substantiated and it is established that HIPAA Rules have been violated. The complaint should be filed with the Department of Health and Human Services’ Office for Civil Rights (OCR).

While complaints can be filed anonymously, OCR will not investigate any complaints against a covered entity unless the complainant is named and contact information is provided.

A complaint should be filed before legal action is taken against the covered entity under state laws. Complaints must be filed within 180 days of the discovery of the violation, although in limited cases, an extension may be granted.

Complaints can also be filed with state attorneys general, who also have the authority to pursue cases against HIPAA-covered entities for HIPAA violations.

The actions taken against the covered entity will depend on several factors, including the nature of the violation, the severity of the violation, the number of individuals impacted, and whether there have been repeat violations of HIPAA Rules.

The penalties for HIPAA violations are detailed here, although many complaints are resolved through voluntary compliance, by issuing guidance, or if an organization agrees to take corrective action to resolve the HIPAA issues that led to the complaint. Complaints may also be referred to the Department of Justice to pursue cases if there has been a criminal violation of HIPAA Rules.

Complaints about individuals can also be filed with professional boards such as the Board of Medicine and the Board of Nursing.

How to File a Lawsuit for a HIPAA Violation

If you have been informed that your protected health information has been exposed as a result of a healthcare data breach, or you believe your PHI has been stolen from a specific healthcare organization, you may be able to take legal action against the breached entity to recover damages for any harm or losses suffered as a result of the breach.

The first step to take is to submit a complaint about the violation to the HHS’ Office for Civil Rights. This can be done in writing or via the OCR website. If filing a complaint in writing, you should use the official OCR complaint form and should keep a copy to provide to your legal representative.

You will then need to contact an attorney to take legal action against a HIPAA covered entity. You can find attorneys through your state or local bar association. Try to find an attorney or law firm well versed in HIPAA regulations for the greatest chance of success and contact multiple law firms and speak with several attorneys before making your choice.

There will no doubt be many other individuals who are in the same boat, some of whom may have already taken legal action. Joining an existing class action lawsuit is an option. The more individuals involved, the stronger the case is likely to be.

Many class action lawsuits have been filed on behalf of data breach victims that have yet to experience harm due to the exposure or theft of their data. The plaintiffs claim for damages for future harm as a result of their data being stolen. However, without evidence of actual harm, the chances of success will be greatly reduced.

Can a Patient Sue for a HIPAA Violation? FAQs

Has a patient ever successfully sued for a HIPAA violation?

No. However, the HIPAA Privacy Standards have been used in court cases as a benchmark of the level of privacy an individual can reasonably expect. One of the most frequently-quoted cases in this respect is Byrne versus the Avery Center for Obstetrics and Gynecology. This case was originally denied when the plaintiff pursued compensation for a violation of HIPAA, but the decision was reversed on appeal when the claim was changed to a violation in the duty of confidentiality.

Have there ever been successful class actions for a HIPAA violation?

There have been several settled class actions involving HIPAA Covered Entities who have failed to adequately protect personal information (note: not for violating HIPAA). Furthermore, class actions are frequently settled without an admission of liability (as in Jessie Seranno et al. v. Inmediata Corp.), so it would be incorrect to classify the class actions as “successful”.

How can I find out if my state has a privacy law I can use to claim for a HIPAA violation?

The International Association of Privacy Professionals maintains a web page tracking privacy legislation by state. It is important to note that many of the privacy laws listed on the web page are still to be passed or enacted, and some may not contain provisions that could support a claim for a HIPAA violation. To establish whether you have a claim for a HIPAA violation under your state´s consumer rights legislation, you should speak with an attorney.

I have received a letter stating my health data has been breached. What should I do?

Your response to the breach should be appropriate to nature of the data disclosed. The nature of the data exposed should be explained to you in the letter as well as advice on the measures you should take to protect yourself from fraud and theft. The letter should also contain contact information to find out more about the breach. In several cases, healthcare organizations have provided free credit monitoring services, and it may be in your best interests to find out if these are available to you.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.