Who can sue for a HIPAA violation? Unlike the California Consumer Privacy Act (CCPA), HIPAA provides no private cause of action, which means a patient cannot sue for a HIPAA breach even if their protected health information has been impermissibly disclosed or used for reasons not permitted by the HIPAA Privacy Rule.
Even when the HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered by a patient as a direct consequence of that violation, it is not possible for patients to pursue damages, at least not for the violation of HIPAA itself.
So, if it is not possible for a patient to successfully take legal action over a HIPAA violation, does that mean a covered entity cannot be sued for damages when the HIPAA Rules have clearly been breached? While HIPAA does not have a private cause of action, it is possible for patients to take legal action against healthcare providers and other covered entities for privacy violations and there have been many cases where damages have been awarded. Whether legal action is possible depends on where a patient resides and the privacy legislation that has been introduced in that state.
In some U.S. states, it is possible to file a lawsuit against a HIPAA covered entity on the grounds of negligence and breach of implied contract, such as if a covered entity has not protected medical records and they were obtained by hackers. In such cases, for a lawsuit to have a chance of success, an individual will be required to demonstrate that harm has been inflicted as a result of a HIPAA-covered entity’s negligence. It must be established that physical, mental, or financial harm was more than likely suffered as a result of the covered entity failing to comply with state laws.
Taking legal action against a covered entity can be costly and there is no certainty of success. Patients should therefore understand the strength of their case and be clear about what exactly they are trying to accomplish by taking legal action. An alternative, less costly course of action may be possible that will achieve the same objectives.
Filing Complaints about Potential HIPAA Violations
If HIPAA Rules are thought to have been violated, patients can submit a complaint to the Department of Health and Human Services’ Office for Civil Rights (OCR), the primary enforcer of HIPAA compliance. Complaints must be submitted within 180 days of the discovery of a HIPAA violation, although in limited cases, an extension may be given.
While complaints can be submitted anonymously, OCR is unlikely to take any action against a covered entity unless the complainant provides their name and contact information. OCR receives many thousands of complaints and has limited resources to conduct investigations, so it concentrates on investigating cases where there appears to have been a clear violation of the HIPAA Rules, and where particularly egregious violations of HIPAA may have occurred.
All complaints received by OCR alleging HIPAA violations are read, and if the complaint is substantiated, action may be taken by OCR against the covered entity. The actions taken by OCR in response to a HIPAA violation will depend on several factors, including the nature of the violation, the extent of the violation, the number of individuals impacted, whether there have been multiple violations of the HIPAA Rules, and if the violation is ongoing or has been identified by the covered entity and voluntarily corrected.
Many complaints are resolved through voluntary compliance, and oftentimes technical guidance is provided. OCR can also pursue financial penalties for HIPAA violations. The number of financial penalties imposed to resolve HIPAA violations has increased in recent years. One aspect of HIPAA compliance that has received considerable attention since 2019 is the failure to provide patients with a copy of their medical records within a reasonable time frame (30 days) for a reasonable, cost-based fee.
Complaints may also be referred to the Department of Justice to pursue in cases where there are alleged to have been criminal violations of the HIPAA legislation, for example, theft of medical records, or use of patient data for personal profit or for malicious purposes. Complaints can also be submitted to professional boards such as the Board of Medicine and the Board of Nursing, and to state attorneys general, who also have the authority to pursue cases against HIPAA-covered entities.
How to Take Legal Action over a HIPAA Violation
If you have been advised that your protected health information has been exposed in a healthcare data breach, you feel your PHI has been obtained by an unauthorized individual or misused, or your HIPAA rights have otherwise been violated, the first step to take is to file a complaint about the potential privacy violation with the HHS’ Office for Civil Rights (OCR). This can be done in writing or through the OCR online portal. If filing a complaint in writing, you should use the official OCR complaint form from the OCR website and should save a copy to provide to your legal counsel.
You will then need to get in touch with an attorney to take legal action against a HIPAA covered entity. You can locate attorneys through your state or local bar association. Try to locate an attorney or law firm experienced in HIPAA law. While you cannot sue for a HIPAA violation, HIPAA can be used in lawsuits to establish a duty in negligence claims. There will likely be many other people who find themselves in the same situation, some of whom may have already begun legal action. Joining an existing class action lawsuit could be an option for you. The more people involved, the stronger the case will be.
It has become far more common in recent years for class action lawsuits to be filed following a healthcare data breach. Many of these cases are filed when hackers have obtained patient data, even though patients have not suffered any financial harm as a result of the theft of their personal and protected healthcare data. While there have been cases that have been successful when plaintiffs alleged they face an increased risk of future identity theft, fraud, and other harm, without proof of actual harm, the chances of success will be much lower.