HIPAA does not allow patients to sue for violations. However, under state laws, healthcare providers can be sued. Patients can file complaints with OCR or state attorneys general, resulting in investigations. If proven, patients may receive compensation for damages or losses.
Understanding HIPAA violations and legal actions
HIPAA violations can occur when a covered entity, such as a healthcare provider, fails to comply with the law's privacy and security standards. These violations can lead to the unauthorized disclosure of PHI, putting patients' sensitive information at risk. While HIPAA does not provide a private cause of action for patients to sue directly for a violation, patients can explore other legal avenues.
Go deeper:
Filing Complaints for HIPAA Violations
Suppose a patient believes their HIPAA rights have been violated. In that case, they can file a complaint with the Department of Health and Human Services' Office for Civil Rights (OCR), the federal agency responsible for enforcing HIPAA. The complaint should include details of the alleged violation and evidence supporting the claim.
In addition to filing a complaint with OCR, patients can also file complaints with state attorneys general, who have the authority to pursue cases against HIPAA-covered entities for violations. The actions taken against the covered entity will depend on various factors, including the nature and severity of the breach and the number of individuals impacted.
Legal actions against covered entities
While HIPAA does not provide a private cause of action, patients may still be able to take legal action against healthcare providers under state laws. In some states, patients can file lawsuits against covered entities for negligence or breach of an implied contract. These lawsuits typically require patients to prove that harm or damage has been suffered due to the violation.
To pursue legal action, patients should consult an attorney specializing in healthcare law and HIPAA regulations. Patients may also consider joining existing class action lawsuits, as the strength of the case may be enhanced with more individuals involved.
Alternative solutions
Before taking legal action, patients should consider what they hope to achieve. Legal action against a covered entity can be costly and time-consuming, with no guarantee of success. Patients should weigh the potential benefits against the potential drawbacks and explore alternative solutions that may help them achieve their goals.
Potential damages and settlements
Winning a legal case against a covered entity can entitle a patient to damages, such as compensation for harm or loss caused by the violation, including medical expenses, emotional distress, or loss of income. The amount of damages awarded will depend on the specific case.
Previous encounters
While patients cannot directly sue for a HIPAA violation, HIPAA privacy standards often serve as a benchmark in court cases concerning reasonable privacy expectations. A notable example is Byrne v. Avery Center for Obstetrics and Gynecology. In this case, the plaintiff sought compensation for a breach of confidentiality, rather than a direct HIPAA violation.
The Connecticut Supreme Court in Byrne v. Avery Center for Obstetrics and Gynecology, P.C. ruled that patients can sue healthcare providers for disclosing medical records without consent, even if a subpoena is involved. This decision clarified that HIPAA violations do not override state common law claims, enabling patients to pursue damages in court. Although HIPAA itself does not offer a direct route for lawsuits, this case demonstrates that state laws can provide legal recourse for unauthorized disclosures by healthcare providers.
FAQs
What type of lawyer handles HIPAA violations?
Lawyers experienced in privacy or healthcare law can assist with HIPAA violation claims. They may take on your case depending on the nature of the violation, the harm suffered, and applicable state laws, especially if the violation occurred within the last 180 days.
What happens after filing a HIPAA complaint?
The process varies based on where you file the complaint. If filed with the violating organization, it’s usually handled internally unless it involves unsecured PHI, which must be reported to HHS’ Office for Civil Rights. Complaints to state Attorneys General or directly to the Office for Civil Rights may lead to an investigation, especially if the complaint is confirmed as a violation.
Have there been successful class actions for HIPAA violations?
There have been settled class actions involving HIPAA-covered entities for not protecting personal information, but these weren’t directly for HIPAA violations. These cases typically settle without admitting liability, so they aren't considered "successful" in that sense.
What happens after a HIPAA complaint is filed?
It depends on the recipient and the nature of the violation. Complaints made to healthcare providers are typically handled internally unless unsecured PHI is involved, which requires reporting to HHS. Escalated complaints or those made directly to HHS are reviewed and may lead to technical assistance, an investigation, or referral to the Department of Justice if a criminal motive is suspected.