Can Patients Sue Following HIPAA Violations?
Is it possible for patients to sue or file lawsuits for a HIPAA violation? As there is no private cause of action in HIPAA, it is not possible for a patient to sue for a HIPAA violation under HIPAA rules. Patients are not entitled to seek damages for violation of HIPAA rules even in cases where direct harm has been caused by a healthcare provider clearly violating HIPAA rules.
With this question answered, does this mean that patients have no legal recourse against covered entities, even when HIPAA regulations have been violated in obvious ways? Not entirely. Although there is no private cause of action in HIPAA, patients may still be able to pursue a claim against healthcare providers if state laws have been violated.
Certain states allow patients to take legal action against HIPAA-covered entities on the basis of negligence or breach of an implied contract – for example in cases where a covered entity failed to adequately secure medical records. For the action to be successful, it must be proven that the negligence or theft of unsecured data was the cause of damage or harm suffered by the patient.
It can be costly as well as risky to initiate legal action against a covered entity. Before bringing the suit, patients should have specific goals and a strong idea of what they expect to happen through their use of the courts. It may be possible to attain the same outcome through other options that are less expensive or less risky.
Filing Complaints for HIPAA Violations
If a patient thinks that a HIPAA violation has occurred, they can file a complaint with the Department of Health and Human Services’ Office for Civil Rights (OCR). Almost all complaints are investigated. If the basis of the claim is found to be accurate and it is determined that HIPAA rules were indeed violated, then the covered entity may be open to legal challenge.
Anonymous complaints can be submitted, but the OCR will only pursue an investigation into a covered entity if the complainant has given a name and contact information.
Complaints should be filed prior to initiating state law claims against covered entities. Once a violation is discovered, there is a period of 180 days in which a complaint can be filed. In certain circumstances, an extension may be allowed.
State Attorneys General may also accept complaints filed against covered entities as they are in a position to bring legal action against HIPAA-covered entities for HIPAA violations.
A number of elements will determine what action can be taken against the covered entity, such as the type of violation, the seriousness of the violation, how many people were affected, and whether HIPAA rules had been repeatedly violated.
Sanctions following HIPAA violations can be severe, but complaints are often resolved through voluntary compliance, by issuing guidance, or by taking corrective action to address the issue that led to the complaint. The Department of Justice can also become involved should a criminal violation of HIPAA rules be suspected.
A number of professional boards, such as the Board of Nursing and the Board of Medicine, also accept complaints filed against individuals.