Can A Patient File A Lawsuit for A HIPAA Violation?

A patient may be able to file a lawsuit for a HIPAA violation if the consequences of the violation result in avoidable harm and if the nature of the violation is covered by a state or federal law other than HIPAA, as HIPAA has no private cause of action. However, the legal landscape is changing rapidly, and patients who believe they are entitled to damages for a HIPAA violation are advised to speak with a legal expert at the earliest opportunity.

There are several ways in which a HIPAA violation can result in avoidable harm. For example, a healthcare provider may impermissibly disclose Protected Health Information on social media, resulting in an invasion of privacy. Alternatively, an IT department may fail to secure its systems against cybercriminals, resulting in a data breach in which personal information is stolen and sold on the dark web.

A further way in which a HIPAA violation can result in avoidable harm is if an organization fails to notify individuals of an impermissible disclosure or data breach. The HIPAA Breach Notification Rule requires affected individuals to be notified without unreasonable delay, and no later than 60 days after the breach is discovered. If an individual is notified of a data breach in good time, they can take steps to prevent stolen personal information being used to commit fraud and identity theft. Without a timely notification, the personal and financial consequences can be significant.

There is No Private Cause of Action in HIPAA

When these events occur, there is no private cause of action in HIPAA itself. This means plaintiffs cannot file a lawsuit for a violation of a particular HIPAA standard or regulation. However, if a state or federal law permits plaintiffs to file a lawsuit for a privacy violation, and the privacy violation is attributable to a HIPAA violation, patients can recover damages for the HIPAA violation, albeit under that other state or federal law. An example of how this works is:

In February 2021, CaptureRx – a provider of administrative services to healthcare providers – suffered a ransomware attack in which the Protected Health Information of 2.6 million patients was stolen. Although HHS’ Office for Civil Rights did not fine the business for violating HIPAA, several class action lawsuits were filed alleging (among other claims) negligence, breach of implied contract, invasion of privacy, and breach of confidence.

In California, the allegations were based on laws such as the California Unfair Competition Law, the California Confidentiality of Medical Information Act, the California Information Practices Act, and the California Consumer Privacy Act. (The full list of state laws can be found in the Class Action Motion). The class action lawsuit was settled for $4.75 million – which, after costs, amounted to a maximum of $100 for each affected patient.

Can an Individual File a Lawsuit for a HIPAA Violation?

Individuals can, and have, filed lawsuits for HIPAA violations. Whereas in the past lawsuits for HIPAA violations were often dismissed, the number of successful lawsuits is increasing because courts have acknowledged that, although HIPAA has no private cause of action, HIPAA does not preempt state tort law. Indeed, in some cases, courts have used HIPAA to establish the standard of care owed to the patient before finding in favor of a claim based on state law.

It can also pay to persevere with a lawsuit for a HIPAA violation. In one case, the plaintiff, Emily Byrne, filed a lawsuit against the Avery Center for Obstetrics and Gynecology after the center disclosed her Protected Health Information to a former boyfriend. The lawsuit was dismissed in 2011 on the grounds that HIPAA does not have a private cause of action. However, the dismissal was reversed on appeal by the Connecticut Supreme Court, and the case went to trial in 2018.

The Connecticut Supreme Court's reasoning was that, “if Connecticut’s common law recognizes claims arising from a healthcare provider’s alleged breach of its duty to confidentiality […], HIPAA and its implementing regulations do not preempt such claims”. The jury awarded Emily $853,000 in damages, and although the Avery Center appealed the verdict, the award was upheld by Connecticut’s Appellate Court in 2022.

Why It Is Important to Seek Prompt Legal Advice

The procedure for filing a lawsuit for a HIPAA violation can vary depending on the individual’s location. This is because each state has its own negligence, privacy, and breach notification laws – some of which have shorter notification time limits and statutes of limitations than others. In addition, it can take months before a healthcare organization realizes a data breach has occurred or before an individual realizes they are a victim of identity theft.

Because of the length of time it may take to realize a HIPAA violation has occurred, it is important to seek legal advice as soon as possible. It may also be important to seek prompt legal advice if a victim lives in a state that has introduced a law providing immunity from data breach lawsuits to organizations that have adopted an approved cybersecurity program. To date, four states have introduced such legislation, although it has yet to be tested in court.

Organizations that want to avoid a lawsuit for a HIPAA violation are advised to ensure they comply with HIPAA by providing HIPAA training on permissible uses and disclosures of Protected Health Information, and by implementing the administrative, physical, and technical safeguards required by the HIPAA Security Rule to protect electronic Protected Health Information from data breaches. Organizations that are unsure of their compliance obligations should seek advice from a HIPAA compliance specialist.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.