Can A Patient File A Lawsuit for A HIPAA Violation?


Is it possible for a patient to file a lawsuit for a HIPAA violation? There is no private cause of action in HIPAA, hence a patient cannot sue a healthcare provider for a HIPAA violation. Even if HIPAA Rules have clearly been violated by a healthcare organization, and a patient has suffered harm as a direct result of a HIPAA violation, the patient cannot take legal action under HIPAA to obtain damages.

So, if a patient cannot sue for a HIPAA violation, what other legal action can a patient take against a covered entity when there has been a suspected violation of HIPAA Rules? Although HIPAA doesn’t have a private cause of action, patients can still take legal action against healthcare organizations, and potentially be paid damages, but only if there has also been a violation of state privacy laws.

In certain states, a person can file a lawsuit against a HIPAA covered entity for negligence or for an infringement of an implied contract, for instance, if a covered entity failed to safeguard medical information. In such instances, it will be necessary to prove that harm or injury resulted from negligence or from the theft of unsecured personal data. Suing a covered entity could be costly and there’s no guarantee that a lawsuit would be successful. Therefore, it is important to be very clear about what you hope to achieve through legal action.

Filing Complaints for HIPAA Violations

If an individual believes a HIPAA-covered entity has violated HIPAA Rules, a complaint can be filed with the federal government. Non-anonymous complaints are investigated if it appears that there has been a violation of HIPAA Rules. The government may take action against the covered entity if there’s adequate evidence to support the complaint and it is proven that HIPAA Rules were violated. The complaint must be submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR).

Complaints may be filed anonymously, but OCR will not investigate complaints if the complainant is not named and there is no contact information provided. It is important to note that a complaint must be filed prior to taking legal action against the covered entity. Complaints should be submitted within 180 days of the discovery of a suspected HIPAA violation, although in some cases, an extension might be allowed. Complaints could likewise be submitted to state attorneys general, who are authorized to investigate potential HIPAA violations.

Many HIPAA violation cases are resolved through voluntary compliance, issuing guidance, or if the HIPAA-covered entity agrees to take corrective action to fix the problems that brought about the complaint, although financial penalties may be deemed appropriate if there has been an egregious violation of HIPAA or in cases where widespread noncompliance is discovered. In certain cases, complaints are forwarded to the Department of Justice, which pursues criminal violations of HIPAA Rules. Complaints against persons may also be submitted to professional boards such as the Board of Medicine or the Board of Nursing.



How Do You File a Lawsuit for a HIPAA Violation?

If your protected health information (PHI) has been exposed because of a healthcare data breach, or you are convinced that your PHI was stolen from a healthcare organization, you could take legal action against the breached covered entity to recover damages sustained as a result of the breach under state laws.

The first step is to file a complaint about the violation with the HHS’ Office for Civil Rights. This may be completed in writing or through the HHS website. If submitting a written complaint, you should complete the official OCR complaint form on the HHS website and retain a copy to provide to your lawyer.

Then, contact a lawyer and explain your situation. You can find lawyers through your local or state bar association. Call several law firms and talk with a number of attorneys before selecting your legal representative.

There will likely be other people who have similarly experienced harm as a result of a breach, some of whom may have already taken legal action. Connecting with an active class action lawsuit may therefore be possible.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.