Can a patient sue for a HIPAA violation? There is no private cause of action in HIPAA, so it is not possible for a patient to sue for a HIPAA violation. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Rules.
So, if it is not possible for a patient to sue for a HIPAA violation, does that mean legal action cannot be taken against a covered entity when HIPAA has clearly been violated? While HIPAA does not have a private cause of action, it is possible for patients to take legal action against healthcare providers and obtain damages for violations of state laws.
In some states, it is possible to file a lawsuit against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract, such as if a covered entity has failed to protect medical records. In such cases, it will be necessary to prove that damage or harm has been caused as a result of negligence or the theft of unsecured personal information.
Taking legal action against a covered entity can be expensive and there is no guarantee of success. Patients should therefore be clear about their aims and what they hope to achieve by taking legal action. An alternative course of action may help them to achieve the same aim.
Filing Complaints for HIPAA Violations
If HIPAA Rules are believed to have been violated, patients can file complaints with the federal government, and in most cases complaints are investigated. Action may be taken against the covered entity if the complaint is substantiated and it is established that HIPAA Rules have been violated. The complaint should be filed with the Department of Health and Human Services’ Office for Civil Rights (OCR).
While complaints can be filed anonymously, OCR will not investigate any complaints against a covered entity unless the complainant is named and contact information is provided.
A complaint should be filed before legal action is taken against the covered entity under state laws. Complaints must be filed within 180 days of the discovery of the violation, although in limited cases, an extension may be granted.
Complaints can also be filed with state attorneys general, who also have the authority to pursue cases against HIPAA-covered entities for HIPAA violations.
The actions taken against the covered entity will depend on several factors, including the nature of the violation, the severity of the violation, the number of individuals impacted, and whether there have been repeat violations of HIPAA Rules.
The penalties for HIPAA violations are detailed here, although many complaints are resolved through voluntary compliance, through the issuing of guidance, or through an organization agreeing to take corrective action to resolve the HIPAA issues that led to the complaint. Complaints may also be referred to the Department of Justice to pursue cases if there has been a criminal violation of HIPAA Rules.
Complaints about individuals can also be filed with professional boards such as the Board of Medicine and the Board of Nursing.