Currently, there is no private cause of action in HIPAA, so a patient cannot take a legal action for a HIPAA violation. Even if HIPAA Rules have clearly been breached by a healthcare provider, and harm has been sustained due to this, it is not possible for patients to submit a claim for damages, at least not for the breach of HIPAA Rules.
So, if it is not possible for a patient to sue for a HIPAA violation, does that mean legal action cannot be taken against a covered entity when HIPAA has clearly been breached? While HIPAA does not include a private cause of action, there is a route for patients to take legal action against healthcare suppliers and obtain damages for breaches of state legislation.
In certain states, it is possible to file a legal action against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract, like when a covered entity has not safeguarding medical records. In such instances, it will be necessary to prove that damage or harm has been experienced due to negligence or the theft of unsecured personal data.
Taking a legal case against a covered entity can be expensive and there is no guarantee of success. Patients should therefore be clear about their aims and what they wish to achieve by taking legal action. A different course of action may help them to achieve the same outcome.
Submitting Complaints for HIPAA Violations
If HIPAA Rules are thought to have been breached, patients can file complaints with the federal government and in most cases complaints are reviewed. Action may be taken against the covered entity if the complaint is proven and it is established that HIPAA Rules have been violated. The complaint should be submitted with the Department of Health and Human Services’ Office for Civil Rights (OCR).
While complaints can be submitted anonymously, OCR will not look into any complaints against a covered entity unless the complainant is named and contact information is handed over.
A complaint should be submitted prior to legal action being initiated against the covered entity under state laws. Complaints must be registered within 180 days of the discovery of the violation, although in limited cases, an extension may be allowed.
Complaints can also be filed with state attorneys general, who also have the authority to pursue cases against HIPAA-covered groups for HIPAA breaches.
The actions taken against the covered entity will depend on many factors, including the nature of the violation, the severity of the violation, the number of individuals affected, and whether there have been repeat breaches of HIPAA Rules.
Complaints may also be made known to the Department of Justice to pursue cases if there has been a criminal violation of HIPAA Rules.
Complaints in relation to individuals can also be filed with professional boards such as the Board of Medicine and the Board of Nursing.
How to File a Legal Action for a HIPAA Violation
If you have been told that your protected health information has been exposed due to a healthcare data breach, or you believe your PHI has been stolen from a specific healthcare group, you may be able to take legal action against the breached entity to rescue damages for any harm or losses suffered due to the breach.
The first step to take is to register a complaint about the violation to the HHS’ Office for Civil Rights. This can sent in written form or via the OCR website. If filing a complaint in writing, you should use the official OCR complaint form and should keep a copy to give to your legal representative.
You will then need to get in touch with an attorney to take legal action against a HIPAA covered entity. You can locate attorneys through your state or local bar association. Try to identify an attorney or law firm well versed in HIPAA regulations for the best chance of success and contact multiple law firms and speak with several attorneys before making choosing one.
There will, no doubt, be many other people who are in the same boat, some of whom may have already begun legal action. Joining an existing class action lawsuit can happen. The more individuals involved, the stronger the chances of success in the case are.
Many class action legal action have been submitted on behalf of data breach victims that have yet to suffer harm due to the exposure or theft of their data. The plaintiffs claim for damages for future damage due to their data being stolen. However, without proof of actual harm, the chances of success will be minimized.