HIPAA Violation Lawsuit

There is no private cause of action in HIPAA, so a HIPAA violation lawsuit cannot be filed by a patient. Legal action can only be taken against covered entities by the HHS’ Office for Civil Rights and state attorneys general, although patients may still be able to recover damages if they sustain financial losses as the result of negligence.

HIPAA Enforcement Actions by the HHS’ Office for Civil Rights

The Department of Health and Human Services’ Office for Civil Rights (OCR) is the primary enforcer of HIPAA Rules. OCR has the authority to investigate complaints about potential HIPAA violations, which are submitted via the HHS website or in writing. OCR also investigates all data breaches that have involved the theft or exposure of more than 500 healthcare records and some smaller data breaches, especially when multiple breaches have been experienced by a covered entity.

When HIPAA violations are discovered, OCR will determine whether any further action is required. Technical assistance may be provided by OCR to help the covered entity or business associate bring their compliance program up to the required standard.

However, when HIPAA violations have not been corrected voluntarily or when there is determined to have been a willful violation of HIPAA Rules, OCR may choose to issue a civil monetary penalty. If there have been criminal violations of HIPAA Rules, the cases are handed over to the Department of Justice to pursue. Fines and jail terms are possible in such cases.

Civil monetary penalties for HIPAA violations are relatively rare. Typically, when faced with a financial penalty, the covered entity or business associate chooses to settle the case with no admission of liability by agreeing to pay a financial penalty and adopting a corrective action plan to address areas of noncompliance with HIPAA Rules.

Civil Monetary Penalties Issued by the HHS’ Office for Civil Rights

| Year | Covered Entity | Penalty Amount | Reason for Civil Monetary Penalty |
|---|---|---|---|
| 2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Impermissible Disclosure of ePHI / No encryption |
| 2017 | Children’s Medical Center of Dallas | $3,200,000 | Impermissible Disclosure of ePHI |
| 2016 | Lincare, Inc. | $239,800 | Failure to Safeguard PHI |
| 2011 | Cignet Health of Prince George’s County | $4,300,000 | Denying Patients Access to Medical Records |

Financial Settlements with OCR to Resolve Violations of HIPAA Rules

| Year | Covered Entity | Amount |
|---|---|---|
| 2018 | Cottage Health | $3,000,000 |
| 2018 | Pagosa Springs Medical Center | $111,400 |
| 2018 | Advanced Care Hospitalists | $500,000 |
| 2018 | Allergy Associates of Hartford | $125,000 |
| 2018 | Anthem Inc | $16,000,000 |
| 2018 | Boston Medical Center | $100,000 |
| 2018 | Brigham and Women’s Hospital | $384,000 |
| 2018 | Massachusetts General Hospital | $515,000 |
| 2018 | Filefax, Inc. | $100,000 |
| 2018 | Fresenius Medical Care North America | $3,500,000 |
| 2017 | 21st Century Oncology | $2,300,000 |
| 2017 | Memorial Hermann Health System | $2,400,000 |
| 2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 |
| 2017 | The Center for Children’s Digestive Health | $31,000 |
| 2017 | Cardionet | $2,500,000 |
| 2017 | Metro Community Provider Network | $400,000 |
| 2017 | Memorial Healthcare System | $5,500,000 |
| 2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 |
| 2017 | Presence Health | $475,000 |
| 2016 | University of Massachusetts Amherst (UMass) | $650,000 |
| 2016 | St. Joseph Health | $2,140,500 |
| 2016 | Care New England Health System | $400,000 |
| 2016 | Advocate Health Care Network | $5,550,000 |
| 2016 | University of Mississippi Medical Center | $2,750,000 |
| 2016 | Oregon Health & Science University | $2,700,000 |
| 2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 |
| 2016 | New York Presbyterian Hospital | $2,200,000 |
| 2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 |
| 2016 | Feinstein Institute for Medical Research | $3,900,000 |
| 2016 | North Memorial Health Care of Minnesota | $1,550,000 |
| 2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 |
| 2015 | University of Washington Medicine | $750,000 |
| 2015 | Triple S Management Corporation | $3,500,000 |
| 2015 | Lahey Hospital and Medical Center | $850,000 |
| 2015 | Cancer Care Group, P.C. | $750,000 |
| 2015 | St. Elizabeth’s Medical Center | $218,400 |
| 2015 | Cornell Prescription Pharmacy | $125,000 |
| 2014 | Anchorage Community Mental Health Services | $150,000 |
| 2014 | Parkview Health System, Inc. | $800,000 |
| 2014 | New York and Presbyterian Hospital and Columbia University | $4,800,000 |
| 2014 | QCA Health Plan, Inc., of Arkansas | $250,000 |
| 2014 | Concentra Health Services | $1,725,220 |
| 2014 | Skagit County, Washington | $215,000 |
| 2013 | Adult & Pediatric Dermatology, P.C. | $150,000 |
| 2013 | Affinity Health Plan, Inc. | $1,215,780 |
| 2013 | WellPoint | $1,700,000 |
| 2013 | Shasta Regional Medical Center | $275,000 |
| 2013 | Idaho State University | $400,000 |
| 2012 | The Hospice of Northern Idaho | $50,000 |
| 2012 | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. | $1,500,000 |
| 2012 | Alaska DHSS | $1,700,000 |
| 2012 | Phoenix Cardiac Surgery | $100,000 |
| 2012 | Blue Cross Blue Shield of Tennessee | $1,500,000 |
| 2011 | University of California at Los Angeles Health System | $865,500 |
| 2011 | General Hospital Corp. & Massachusetts General Physicians Organization Inc. | $1,000,000 |
| 2010 | Management Services Organization Washington Inc. | $35,000 |
| 2010 | Rite Aid Corporation | $1,000,000 |
| 2009 | CVS Pharmacy Inc. | $2,250,000 |
| 2008 | Providence Health & Services | $100,000 |

State Attorneys General HIPAA Penalties

State attorneys general also have the authority to pursue financial penalties for HIPAA violations and assist OCR with the enforcement of HIPAA Rules, although only a handful of state attorneys general have issued fines solely for HIPAA violations.

That is not to say that HIPAA Rules are not being enforced at state level, only that violations of patient privacy and failures to secure healthcare records are often also violations of state laws. State attorneys general often choose to take action over the violation of state laws rather than HIPAA violations.

| Year | State | Covered Entity | Amount | Individuals Affected |
|---|---|---|---|---|
| 2018 | Massachusetts | McLean Hospital | $75,000 | 1,500 |
| 2018 | New Jersey | EmblemHealth | $100,000 | 6,443 (81,000) |
| 2018 | New Jersey | Best Transcription Medical | $200,000 | 1,650 |
| 2018 | Washington | Aetna | TBA | 13,160 |
| 2018 | Connecticut | Aetna | $99,959 | 13,160 |
| 2018 | New Jersey | Aetna | $365,211.59 | 13,160 |
| 2018 | District of Columbia | Aetna | $175,000 | 13,160 |
| 2018 | Massachusetts | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 |
| 2018 | New York | Arc of Erie County | $200,000 | 3,751 |
| 2018 | New Jersey | Virtua Medical Group | $417,816 | 1,654 |
| 2018 | New York | EmblemHealth | $575,000 | 81,122 |
| 2018 | New York | Aetna | $1,150,000 | 12,000 |
| 2017 | California | Cottage Health System | $2,000,000 | More than 54,000 |
| 2017 | Massachusetts | Multi-State Billing Services | $100,000 | 2,600 |
| 2017 | New Jersey | Horizon Healthcare Services Inc. | $1,100,000 | 3.7 million |
| 2017 | Vermont | SAManage USA, Inc. | $264,000 | 660 |
| 2017 | New York | CoPilot Provider Support Services, Inc | $130,000 | 221,178 |
| 2015 | New York | University of Rochester Medical Center | $15,000 | 3,403 |
| 2015 | Connecticut | Hartford Hospital / EMC Corporation | $90,000 | 8,883 |
| 2014 | Massachusetts | Women & Infants Hospital of Rhode Island | $150,000 | 12,000 |
| 2014 | Massachusetts | Boston Children’s Hospital | $40,000 | 2,159 |
| 2014 | Massachusetts | Beth Israel Deaconess Medical Center | $100,000 | 3,796 |
| 2013 | Massachusetts | Goldthwait Associates | $140,000 | 67,000 |
| 2012 | Minnesota | Accretive Health | $2,500,000 | 24,000 |
| 2012 | Massachusetts | South Shore Hospital | $750,000 | 800,000 |
| 2011 | Vermont | Health Net Inc. | $55,000 | 1,500,000 |
| 2011 | Indiana | WellPoint Inc. | $100,000 | 32,000 |
| 2010 | Connecticut | Health Net Inc. | $250,000 | 1,500,000 |

Can a U.S. Citizen File a HIPAA Violation Lawsuit?

There is no private cause of action in HIPAA, so it is not possible for a patient or health plan member to file a HIPAA violation lawsuit when their privacy has been violated or their protected health information has been impermissibly disclosed. That does not mean that legal action cannot be taken to recover damages, only that a HIPAA violation lawsuit is not possible. Instead, a lawsuit would need to be filed for violations of state laws or other federal laws where there is a private cause of action. Several states do allow patients to sue providers for unauthorized disclosures of their medical records, including New York, Massachusetts, and Missouri.

Landmark HIPAA Violation Lawsuit Ruling

There have been several cases where a HIPAA violation lawsuit has been filed, only for the case to be thrown out due to a lack of standing. While there is no private right of action under HIPAA, a HIPAA violation lawsuit could potentially be filed following a landmark ruling by the Supreme Court in Connecticut.

There have been previous cases in Connecticut where a HIPAA violation lawsuit has been filed and dismissed, but in the case of Emily Byrne, the case was allowed to proceed. Further, a majority decision by the Supreme Court has created a new state law that allows patients to sue providers for damages arising from unauthorized disclosures of medical records.

The HIPAA violation lawsuit was filed by Byrne after Avery Center for Obstetrics and Gynecology disclosed her medical records in response to a subpoena, without first obtaining consent or even informing Byrne. Byrne alleged HIPAA created a standard of care for medical records, and if those records were released without authorization, that standard is violated.

While Byrne lost the case in Superior Court, on appeal the Supreme Court ruled that HIPAA could be used as a standard of care in lawsuits. The case was referred to trial court but came before the Superior Court once again. The trial court deferred the case as no court had previously ruled on such negligence claims.

In its judgement, the Superior Court wrote, “We agree with the majority of jurisdictions that have considered the issue, and conclude that the nature of the physician-patient relationship warrants recognition of a common-law cause of action for breach of the duty of confidentiality in the context of that relationship.”

This ruling therefore allows for a HIPAA violation lawsuit to be filed in Connecticut in certain cases, although whether such a HIPAA violation lawsuit succeeds will depend on the specifics of each case.