Share this article on:
Can a patient sue for a HIPAA violation? There is no private cause of action in HIPAA, so it is not possible for a patient to sue for a HIPAA violation. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Rules.
So, if it is not possible for a patient to sue for a HIPAA violation, does that mean legal action cannot be taken against a covered entity when HIPAA has clearly been violated? While HIPAA does not have a private cause of action, it is possible for patients to take legal action against healthcare providers and obtain damages for violations of state laws.
In some states, it is possible to file a lawsuit against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract, such as if a covered entity has failed to protect medical records. In such cases, it will be necessary to prove that damage or harm has been caused as a result of negligence or the theft of unsecured personal information.
Taking legal action against a covered entity can be expensive and there is no guarantee of success. Patients should therefore be clear about their aims and what they hope to achieve by taking legal action. An alternative course of action may help them to achieve the same aim.
Filing Complaints for HIPAA Violations
If HIPAA Rules are believed to have been violated, patients can file complaints with the federal government and in most cases complaints are investigated. Action may be taken against the covered entity if the compliant is substantiated and it is established that HIPAA Rules have been violated. The complaint should be filed with the Department of Health and Human Services’ Office for Civil Rights (OCR).
While complaints can be filed anonymously, OCR will not investigate any complaints against a covered entity unless the complainant is named and contact information is provided.
A complaint should be filed before legal action is taken against the covered entity under state laws. Complaints must be filed within 180 days of the discovery of the violation, although in limited cases, an extension may be granted.
Complaints can also be filed with state attorneys general, who also have the authority to pursue cases against HIPAA-covered entities for HIPAA violations.
The actions taken against the covered entity will depend on several factors, including the nature of the violation, the severity of the violation, the number of individuals impacted, and whether there have been repeat violations of HIPAA Rules.
The penalties for HIPAA violations are detailed here, although many complaints are resolved through voluntary compliance, by issuing guidance, or if an organization agrees to take corrective action to resolve the HIPAA issues that led to the complaint. Complaints may also be referred to the Department of Justice to pursue cases if there has been a criminal violation of HIPAA Rules.
Complaints about individuals can also be filed with professional boards such as the Board of Medicine and the Board of Nursing.
How to File a Lawsuit for a HIPAA Violation
If you have been informed that your protected health information has been exposed as a result of a healthcare data breach, or you believe your PHI has been stolen from a specific healthcare organization, you may be able to take legal action against the breached entity to recover damages for any harm or losses suffered as a result of the breach.
The first step to take is to submit a complaint about the violation to the HHS’ Office for Civil Rights. This can be done in writing or via the OCR website. If filing a complaint in writing, you should use the official OCR complaint form and should keep a copy to provide to your legal representative.
You will then need to contact an attorney to take legal action against a HIPAA covered entity. You can find attorneys through your state or local bar association. Try to find an attorney or law firm well versed in HIPAA regulations for the greatest chance of success and contact multiple law firms and speak with several attorneys before making your choice.
There will no doubt be many other individuals who are in the same boat, some of whom may have already taken legal action. Joining an existing class action lawsuit is an option. The more individuals involved, the stronger the case is likely to be.
Many class action lawsuits have been filed on behalf of data breach victims that have yet to experience harm due to the exposure or theft of their data. The plaintiffs claim for damages for future harm as a result of their data being stolen. However, without evidence of actual harm, the chances of success will be greatly reduced.