Who can sue for a HIPAA violation? There is no private cause of action in HIPAA, so a patient cannot sue for a HIPAA vbreach. Even if HIPAA Rules have clearly been broken by a healthcare provider, and harm has been experienced by a patient as a direct consequence, it is not possible for patients to pursue damages, at least not for the violation of HIPAA regulations.
So, if it is not possible for a patient to initiate a legal action in relation to a HIPAA violation, does that mean a legal case cannot be taken against a covered entity when HIPAA has clearly been breached? While HIPAA does not have a private cause of action, it is possible for patients to start legal action against healthcare providers and receive damages for violations of state legislation.
In some states, it is possible to submit a lawsuit against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract – such as if a covered entity has not protected medical histories. In such instances, it will be required to prove that damage or harm has been inflicted as a result of negligence or the theft of unsecured personal data.
Taking legal action against a covered entity can be costly and there is no certainty of winning. Patients should therefore understand the strength of their cases and what they may accomplish by taking legal action. An alternative course of action may assist them to achieve the same goal.
Submitting Complaints for HIPAA Breaches
If HIPAA Rules are thought to have been violated, patients can submit complaints with the federal government and in most instances complaints are reviewed. Action may be taken against the covered entity if the complaint is substantiated and it is proven that HIPAA Rules have been breached. The complaint should be submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR).
While complaints can be submitted anonymously, OCR will not review complaints against a covered body unless the complainant is named and contact information is given.
A complaint should be submitted prior to legal action being taken against the covered entity under most state legislation. Complaints must be submitted within 180 days of the discovery of the breach, although in limited cases, an extension may be given.
Complaints can also be submitted to state attorneys general, who also have the authority to pursue cases against HIPAA-covered entities for HIPAA breaches.
The actions taken against the covered entity will depend on many factors, including the nature of the data violation, the extent of the violation, the number of individuals impacted, and whether there have been multiple violations of HIPAA Rules.
Although many complaints are resolved through voluntary compliance, by issuing guidance, or if a group agrees to take corrective measures to resolve the HIPAA issues that led to the complaint. Complaints may also be referred to the Department of Justice to chase cases if there has been a criminal violation of HIPAA legislation.
Complaints about people can also be submitted with professional boards such as the Board of Medicine and the Board of Nursing.
How to Begin a Legal Action for a HIPAA Breach
If you have been advised that your protected health information has been exposed due to a healthcare data breach, or you feel your PHI has been stolen from a specific healthcare group, you may be able to take legal action against the breached entity to recover damages for any harm or losses suffered due to the breach.
The first step to take is to file a complaint about the violation to the HHS’ Office for Civil Rights (OCR). This can be done in writing or through the OCR online portal. If filing a complaint in writing, you should use the official OCR complaint form and should save a copy to provide to your legal counsel.
You will then need to get in touch with an attorney to take legal action against a HIPAA covered entity. You can locate attorneys through your state or local bar association. Try to locate an attorney or law firm experienced in HIPAA regulations for the strongest likelihood of your claim being successful, contact multiple law practices, and speak with several attorneys before selecting which will represent you.
There will likely be many other people who find themselves in the same situation, some of whom may have already begun legal action. Joining an existing class action lawsuit could be an option for you. The more people involved, the stronger the case will be.
A large number of class action lawsuits have been taken on behalf of data breach victims that have yet to experience harm due to the exposure or theft of their private information. The plaintiffs claim for damages for future injury due to their data being stolen. However, without proof of actual harm, the likelihood of the case being successful is much less.