Skip to main content
Find a Lawyer

Can I Sue for a HIPAA Violation?

Key Takeaways

Technically, you can’t sue directly for a HIPAA violation under federal law. Yet, you may sue under state laws for related harms, such as negligence or breach of contract, if your medical privacy was violated.

The Health Information Privacy and Accountability Act of 1996 (HIPAA) is a federal law that sets data privacy and security safeguards for a person’s identifiable health information. Personal health information, also known as PHI, includes more than a patient’s medical information. It consists of a patient’s Social Security number, date of birth, and other identifiers.

Healthcare providers and their business associates must protect a patient’s information. A business associate is an entity or person who performs services using protected health information on behalf of a covered entity. 

If a healthcare provider or business associate violates a patient’s privacy, that patient has several options for justice. Find a HIPAA violation lawyer before deciding what to do next. A health care law attorney can help you review these options for your individual circumstances.

What Happens If My Medical Information Is Mishandled?

Unfortunately, a patient cannot sue anyone directly for HIPAA violations. Under federal law, HIPAA does not have a private cause of action (sometimes called "private right of action").

It is against the law for medical providers to share protected health information without the patient’s permission. But federal law prohibits filing a lawsuit asking for compensation.

Patients can sue healthcare providers or specific healthcare professionals for violating state laws involving HIPAA. Patients can sue for a "harmful" violation of their medical history or medical privacy. These claims are typically negligence claims or breach of contract claims.

HIPAA Privacy Rules 101

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of public health regulations. Those rules cover many areas, including privacy. HIPAA’s Privacy Rules are under Title II of the Act.

HIPAA Privacy Rules set national standards that protect patients’ rights. They set a national standard that protects patients’ medical information. These rules include the following:

  • Medical records
  • Electronic health records
  • Personal medical information
  • Private health information (PHI)
  • Health plans
  • Healthcare electronic or financial transactions

These rules govern the disclosure and use of a patient’s health information to insurance companies, healthcare clearinghouses, business associates, and other medical professionals.

Healthcare organizations or providers must give patients notice of privacy practices. This notice covers the organization’s privacy practices. It must state permitted disclosures of their personal health information. It must also note the privacy protections that safeguard patient data.

Patient confidentiality is the cornerstone of the healthcare system. For example, a psychotherapy practice should inform patients about how it safeguards a patient’s mental health information. If it shares this information without patient consent or against the rules set for HIPAA, the office may have committed a HIPAA violation.

Advances in information technology increase the chances of unauthorized disclosure. For example, without safeguards, anyone would be able to access a patient’s electronic records.

Who Must Follow HIPAA?

Only covered entities need to follow HIPAA. Patients must confirm that the health provider or business they want to sue is a covered entity. According to the Centers for Medicaid and Medicare Services, a covered entity is:

  • A health care provider that conducts certain transactions in electronic form
  • A healthcare clearinghouse
  • A health plan

Patient Consent vs. Patient Authorization

A patient’s entire case could depend on giving consent or authorization. Consent is usually spoken and involves:

  • A procedure
  • The need to share the patient’s medical information with other doctors and nurses during treatment

Through authorization, the patient’s health information is given to covered entities. These include insurance companies or any business associate outside the medical facility.

Authorization requires a written document that they sign. It should name the current medical facility. It should also explain how they can use their information other than for payment or medical treatment.

The patient must consent to send medical information to their facility’s insurance company, billing company, or another doctor. A patient can also allow family members to receive medical information in an emergency.

Unauthorized disclosure of information is a likely HIPAA violation.

Options for Justice: HIPAA Violations

Let’s say a patient learned a nurse shared their health information or medical records with non-medical staff or a business associate without their consent. If this happens, the patient can take legal action by:

  • Submitting a complaint (more on this below)
  • Filing a negligence lawsuit
  • Suing for breach of contract
  • Suing for breach of fiduciary duty
  • Suing for theft of unsecured personal data or a data breach
  • Suing for theft of data (patient must show an unauthorized disclosure and how this disclosure harmed them)
  • Suing an insurance company for privacy violations
  • Bringing a medical malpractice lawsuit if the situation affects their healthcare

While many of these actions result from a HIPAA violation, the actual legal action involves a different part of federal or state law.

HIPAA Complaints With the Department of Health and Human Services (HHS)

The Department of Health and Human Services (HHS) is the government agency that handles HIPAA information and HIPAA laws. It provides more information on its official website, www.hhs.gov.

Within the HHS is the Office for Civil Rights (OCR). The OCR enforces the protections of HIPAA. If a covered entity discloses patient records or other sensitive information without consent, the patient can submit a complaint to the OCR.

Submitting a HIPAA Complaint

An attorney can help patients submit a HIPAA complaint form to the OCR or the state attorney general’s office.

Patients can complain to the health provider’s professional board, such as the Board of Medicine or the Board of Nursing. The patient must name the person or hospital that violated HIPAA.

A patient has 180 days to submit the claim from the day the situation occurs. The patient can bring the case to the Department of Justice (DOJ) if the HIPAA violation includes a criminal offense.

Suing Over a Violation of HIPAA

HIPAA violations can result in an invasion of privacy or harm to the patient’s life. Suppose a psychotherapist’s office sends sensitive information to a primary physician without consent. The patient may have a cause of action in state court for invasion of privacy.

The patient must submit a complaint before an attorney can file a lawsuit. It is challenging to show that harm occurred after a violation. Saying a covered entity disclosed the information without consent is not enough to bring a lawsuit. The patient needs to show that it affected their life or job.

Get a HIPAA Violation Lawyer for Help

Lawsuits take time and money, but you can ask a lawyer whether it could be worth it in your case. An experienced law firm focusing on medical negligence or privacy laws can guide you.

A lawyer can assist with each step of the way, from reporting a violation to the OCR through litigation in court. Your attorney can examine how the other party broke privacy laws. They can gather and present evidence for you. Talk to a local health care attorney today.

Was this helpful?

You Don’t Have To Solve This on Your Own – Get a Lawyer’s Help

Meeting with a lawyer can help you understand your options and how to best protect your rights. Visit our attorney directory to find a lawyer near you who can help.

Or contact an attorney near you:
SPONSORED
Copied to clipboard