The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What Kind of Lawyer Deals with HIPAA Violations?

Posted By on Nov 9, 2023

The kind of lawyer that deals with HIPAA violations will most likely be a personal injury lawyer depending on the nature of the violation (i.e., a privacy violation) and what its consequences are (i.e., financial loss). However, because there is no private right of action under HIPAA, the lawyer will also have to be familiar with alternate routes for claiming for a HIPAA violation.

It is impossible to tell how many HIPAA violations occur each year because some covered entities “encourage” plan members and patients to file complaints directly with them rather than with HHS´ Office for Civil Rights. This is often achieved by publishing the contact details of the organization´s Privacy Officer on the Notice of Privacy Practices and including a secondary note that complaints can also be filed “with the Secretary of the U.S. Department of Health and Human Services” (example).

The number of complaints received directly by covered entities is never disclosed, so the only data to go on is that published by HHS´ Office for Civil Rights. The agency´s Enforcement Highlights web page reveals that around 15,000 complaints are filed with HHS´ Office of Civil Rights each year. Two-thirds of complaints are rejected due to not being HIPAA violations or due to not being filed within the permitted 180-day time limit. However, that still leaves 5,000 alleged violations per year.

Most of the 5,000 remaining alleged HIPAA violations concern relatively minor issues that have minimal consequences to individuals and that are resolved via “technical assistance”. More serious HIPAA violations are resolved via “Corrective Action Plans”; while, in a handful of cases each year, HHS´ Office for Civil Rights will issue financial penalties for HIPAA violations. The settlements collected by HHS´ Office for Civil Rights for HIPAA violations are paid into the U.S. Treasury General Fund.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Why Use a Lawyer to File a HIPAA Complaint?

There are several reasons why an individual might seek legal advice about filing a HIPAA complaint depending on the reason for the complaint. In most cases, individuals have identified a privacy issue they want resolved in order for the issue to be rectified and not repeated. In such circumstances, a complaint made by a lawyer to the covered entity may be attended to with more urgency than a complaint made by a member of the public.

If an individual wants to complain directly to HHS´ Office for Civil Rights, it can also be useful to use a lawyer if the individual is unsure about navigating the online Complaints Portal. The amount of information included in the complaint – and the language used to communicate the complaint – may influence whether or not HHS´ Office for Civil Rights investigates the complaint and takes further action against the covered entity.

When filing a complaint of this nature, it may not matter what kind of lawyer deals with HIPAA violations. However, if an individual is seeking compensation for an injury, the nature of the injury may determine what kind of lawyer to use. For example, if an individual has suffered a financial injury, it may be better to use a lawyer specializing in consumer law; while, if an individual has suffered a physical injury, it may be better to use a medical malpractice lawyer.

Other Factors that Affect what Kind of Lawyer Deals with HIPAA Violations

Other factors that can affect what kind of lawyer deals with HIPAA violations include the cause of the violation and where it occurred. Residents of many states have limited options when it comes to filing a claim for a HIPAA violation and, even though they may have suffered a physical injury, they might have to file a claim based on a Consumer Protection Act or Deceptive Practices Act (this may also depend on existing case law in each state).

Many states are in the process of introducing and passing privacy legislation. Some privacy legislation does allow for a private right of action to claim for a HIPAA violation, but it is important to be aware that some states exempt HIPAA covered entities and business associates from complying with the legislation. There may also be times when Protected Health Information is exempt from privacy legislation while it is in the possession of a covered entity.

The failure to notify individuals of a data breach can also affect what kind of lawyer deals with HIPAA violations because both federal and state breach notification laws apply to more organizations than just HIPAA covered entities and business associates. In some cases, a general commercial lawyer may be able to represent an individual in a claim for a HIPAA violation if it can be demonstrated that the failure to notify the individual of the breach resulted in avoidable harm.

Proposed Settlement Sharing Change May Negate Need for Lawyer

When the HITECH Act was passed in 2009, §13410(c)(3) requires the Department for Health and Human Services to “establish a methodology whereby an individual who is harmed by noncompliance with the HIPAA Rules may receive a percentage of a penalty or monetary settlement collected with respect to that noncompliance.” As yet, the Department has not implemented this requirement due to a failure to quantify “harm” and develop an acceptable model of distribution.

However, in April 2022, the Department published a “Request for Information” seeking comments on how harm should be quantified and whether an existing model should be applied to the distribution of Civil Monetary Penalties for violations of HIPAA. Although this issue may not be resolved for some time, when a change is made to how funds collected by HHS´ Office for Civil Rights are distributed, it may negate the need for a lawyer to pursue claims for a HIPAA violation.

Until such time as the Department for Health and Human Services implements this requirement of the HITECH Act, individuals who suffer harm due to negligence or non-compliance with HIPAA are advised to seek independent legal advice. The organization providing legal advice should be able to advise you whether you have a claim for a HIPAA violation worth pursuing and what kind of lawyer deals with HIPAA violations in the context of the nature of harm you have suffered and the laws that apply in your location.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist