Can I Sue for a HIPAA Violation?

By FindLaw Staff | Legally reviewed by Bridget Molitor, J.D. | Last reviewed August 26, 2020
This article has been written and reviewed for legal accuracy, clarity, and style by FindLaw’s team of legal writers and attorneys and in accordance with our editorial standards.
No, you cannot sue anyone directly for HIPAA violations. HIPAA rules do not have any private cause of action (sometimes called "private right of action") under federal law.
While it is against the law for medical providers to share health information without the patient's permission, HIPAA itself gives you no federal right to file a lawsuit asking for compensation. This can be confusing.
However, patients can sue healthcare providers or specific healthcare professionals for violations of state laws that involve HIPAA, or under ERISA. You could bring a lawsuit and ask for money if a "harmful" violation involving your medical history or medical privacy occurred. You can also bring a complaint with the Department of Health and Human Services to hold the providers accountable.
Options for Justice: HIPAA Violations
Let's say you learned a nurse shared your health information or medical records with non-medical staff or a business associate. If this happens, you can take legal action by:
- Submitting a complaint (more on this below)
- Filing a negligence lawsuit
- Suing for breach of contract
- Suing for breach of fiduciary duty
- Suing for theft of unsecured personal data or a data breach
- Suing for theft of data (you must be able to show that the data was used and caused you harm)
- Suing an insurance company for privacy violations
- Bringing a medical malpractice lawsuit if the situation affected your healthcare
While many of these actions arise from a HIPAA violation, the legal claim itself rests on a different part of federal or state law.
Bringing a lawsuit against a hospital or person (called a "covered entity") does not mean you will win the case. An attorney is the best person to advise you on your case's strength and the likely outcomes. They can guide you on the best corrective action to take.
Patient Consent vs. Patient Authorization
Your entire case could depend on whether you gave consent or authorization. Consent is usually spoken and involves:
- A procedure
- The need to share your medical information with other doctors and nurses during treatment
Authorization gives your information to third parties, such as an insurance company or any business outside of the medical facility currently treating you.
Authorization requires a written document that you sign. It should name the medical facility you are at and explain how they can use your information for matters other than payment or medical treatment. You must authorize sending your medical information to your insurance company, billing company, or another doctor at a different building or facility.
You should carefully consider if the HIPAA violation you are concerned about involves consent or authorization and clearly explain the situation to your attorney.
HIPAA Privacy Rules 101
The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, is a set of regulations that fall into these major categories:
- Privacy rule
- Security rule
- Transactions and Code Sets (TCS) rule
- Unique identifier rule
- Breach notification rule
- Omnibus Final Rule
- HITECH Act
HIPAA Privacy Rules are a subset of the overall act, and they set a national standard that protects your:
- Medical records
- Personal medical information
- Protected health information (PHI)
- Health plans
- Healthcare electronic or financial transactions
These rules determine how your health information can be disclosed to insurance companies, healthcare clearinghouses, business associates, and other medical professionals.
If this information is disclosed without your consent, or against the rules set by HIPAA, you may have a HIPAA violation on your hands. Only covered entities need to follow HIPAA, so you should be sure the person or business you want to sue is a covered entity.
HIPAA Complaints With the Department of Health and Human Services (HHS)
The Department of Health and Human Services (HHS), also called the U.S. Department of Health, is the main government agency and website that handles HIPAA information and HIPAA laws.
Within the HHS is the Office for Civil Rights (OCR). You need to submit your complaint using the steps below before your attorney can take legal action.
Submitting a HIPAA Complaint
An attorney can help you submit your HIPAA complaint form to the OCR or your state attorney general's office (if your state has the authority to pursue HIPAA cases).
Individual practitioners can also be brought before their professional board if you choose to complain to the Board of Medicine or Board of Nursing.
You need to name the person or hospital who violated HIPAA and give their accurate contact information for the complaint to be valid. You have 180 days to submit the claim from the day the situation occurs.
If the HIPAA violation includes a criminal offense, you should bring the case to the Department of Justice (DOJ).
Suing Over a Violation of HIPAA
If the HIPAA regulations are not followed precisely, there could be a violation of federal privacy laws, or the disclosure of your personal information could harm your life. Let's say your doctor's office sends too much information to your insurance company, and your insurer claims you have a pre-existing condition it won't cover. This might be the right time to bring the matter to state court and consider a lawsuit.
Remember, you must submit your complaint before an attorney can file a lawsuit. You can also determine if there is a class action lawsuit against an individual or business. It can be challenging to show that harm occurred after a violation. Simply saying the information was shared is not enough — you need to show that it negatively affected your life or job.
Lawsuits take time and money to resolve, but it can be worth it to restore your privacy and repair the damage done by losing your right to medical privacy. A law firm that focuses on medical negligence or privacy law can listen to your situation and advise you on the best way forward for your case.
Next Steps
Contact a qualified health care attorney to help navigate legal issues around your health care.