Can I Sue for a HIPAA Violation?
By Melissa McCall, J.D. | Legally reviewed by Aviana Cooper, Esq. | Last reviewed June 12, 2023
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that sets data privacy and security safeguards for a person's identifiable health information.
Personal health information (PHI), which HIPAA protects, includes more than a patient's medical information. It also covers a patient's Social Security number, date of birth, and other identifiers. Healthcare providers and their business associates must protect a patient's information. A business associate is an entity or person who performs services using protected health information on behalf of a covered entity.
Advances in information technology increase the chances of unauthorized disclosure. For example, without safeguards, anyone would be able to access the electronic records of a patient. If a healthcare provider or business associate violates a patient's privacy, that patient has several options for justice.
What Happens If My Medical Information Is Mishandled?
Unfortunately, a patient cannot sue anyone directly for HIPAA violations. Under federal law, HIPAA does not have a private cause of action (sometimes called a "private right of action"). It is against the law for medical providers to share protected health information without the patient's permission. But federal law does not allow a patient to file a HIPAA lawsuit seeking compensation.
Patients can instead sue healthcare providers or specific healthcare professionals for violating state laws that overlap with HIPAA. Patients can sue when a violation involving their medical history or medical privacy causes them harm. These claims are typically negligence claims or breach of contract claims.
HIPAA Privacy Rules 101
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of public health regulations. Those rules cover many areas, including privacy. HIPAA's Privacy Rules are under Title II of the Act.
The HIPAA Privacy Rules set national standards that protect patients' rights and their medical information. These rules cover the following:
- Medical records
- Electronic health records
- Personal medical information
- Private health information (PHI)
- Health plans
- Healthcare electronic or financial transactions
These rules govern the disclosure and use of a patient's health information to insurance companies, healthcare clearinghouses, business associates, and other medical professionals.
Healthcare organizations or providers must give patients notice of privacy practices. This notice covers the organization's privacy practices. It must state permitted disclosures of their personal health information. It must also note the privacy protections that safeguard patient data.
Patient confidentiality is the cornerstone of the healthcare system. For example, a psychotherapy practice should inform patients about how it safeguards their mental health information. If it shares this information without patient consent or against the rules set by HIPAA, the office may have committed a HIPAA violation.
Only covered entities need to follow HIPAA. Patients must confirm that the health provider or business they want to sue is a covered entity. According to the Centers for Medicare & Medicaid Services, a covered entity is:
- A health care provider that conducts certain transactions in electronic form
- A healthcare clearinghouse
- A health plan
Patient Consent vs. Patient Authorization
A patient's entire case could depend on giving consent or authorization. Consent is usually spoken and involves:
- A procedure
- The need to share the patient's medical information with other doctors and nurses during treatment
Through authorization, the patient's health information is given to covered entities such as insurance companies or any business associate outside the medical facility.
Authorization requires a written document that the patient signs. It should name the current medical facility. It should also explain how the recipient can use the patient's information for purposes other than payment or medical treatment.
The patient must consent to send medical information to their facility's insurance company, billing company, or another doctor. A patient can also allow family members to receive medical information in an emergency.
Unauthorized disclosure of information is a likely HIPAA violation.
Options for Justice: HIPAA Violations
Let's say a patient learned a nurse shared their health information or medical records with non-medical staff or a business associate without their consent. If this happens, the patient can take legal action by:
- Submitting a complaint (more on this below)
- Filing a negligence lawsuit
- Suing for breach of contract
- Suing for breach of fiduciary duty
- Suing for theft of unsecured personal data or a data breach
- Suing for theft of data (patient must show an unauthorized disclosure and this disclosure harmed them)
- Suing an insurance company for privacy violations
- Bringing a medical malpractice lawsuit if the situation affects their healthcare
While many of these actions result from a HIPAA violation, the actual legal action involves a different part of federal or state law.
HIPAA Complaints With the Department of Health and Human Services (HHS)
The Department of Health and Human Services (HHS) is the government agency that handles HIPAA information and HIPAA laws. It provides more information at its official website, www.hhs.gov.
Within the HHS is the Office for Civil Rights (OCR). The OCR enforces the protections of HIPAA. If a covered entity discloses patient records or other sensitive information without consent, the patient can submit a complaint to the OCR.
Submitting a HIPAA Complaint
An attorney can help patients submit a HIPAA complaint form to the OCR or state attorney general's office.
Patients can complain to the health provider's professional board, such as the Board of Medicine or the Board of Nursing. The patient must name the person or hospital that violated HIPAA.
A patient has 180 days from the day the violation occurs to submit the complaint. The patient can bring the case to the Department of Justice (DOJ) if the HIPAA violation includes a criminal offense.
Suing Over a Violation of HIPAA
HIPAA violations can result in an invasion of privacy or harm to the patient's life. Suppose a psychotherapist's office sends sensitive information to a primary physician without consent. The patient may have a cause of action in state court for invasion of privacy. The patient must submit a complaint before an attorney can file a lawsuit. It is challenging to show that harm occurred after a violation. Saying a covered entity disclosed the information without consent is not enough to bring a lawsuit. The patient needs to show that it affected their life or job.