There is no private cause of action in HIPAA, so a HIPAA violation lawsuit cannot be filed by a patient. Legal action can only be taken against covered entities by the HHS’ Office for Civil Rights and state attorneys general, although patients may still be able to recover damages if they sustain financial losses as the result of negligence.
The Department of Health and Human Services’ Office for Civil Rights (OCR) is the primary enforcer of HIPAA Rules. OCR has the authority to investigate complaints about potential HIPAA violations, which are submitted via the HHS website or in writing. OCR also investigates all data breaches that have involved the theft or exposure of more than 500 healthcare records and some smaller data breaches, especially when multiple breaches have been experienced by a covered entity.
When HIPAA violations are discovered, OCR will determine whether any further action is required. Technical assistance may be provided by OCR to help the covered entity or business associate bring their compliance program up to the required standard.
However, when HIPAA violations have not been corrected voluntarily or when there is determined to have been a willful violation of HIPAA Rules, OCR may choose to issue a civil monetary penalty. If there have been criminal violations of HIPAA Rules, the cases are handed over to the Department of Justice to pursue. Fines and jail terms are possible in such cases.
Civil monetary penalties for HIPAA violations are relatively rare. Typically, when faced with a financial penalty, the covered entity or business associate chooses to settle the case with no admission of liability by agreeing to pay a financial penalty and adopting a corrective action plan to address areas of noncompliance with HIPAA Rules.
| Year | Covered Entity | Penalty Amount | Reason for Civil Monetary Penalty |
|---|---|---|---|
| 2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Impermissible Disclosure of ePHI / No encryption |
| 2017 | Children’s Medical Center of Dallas | $3,200,000 | Impermissible Disclosure of ePHI |
| 2016 | Lincare, Inc. | $239,800 | Failure to Safeguard PHI |
| 2011 | Cignet Health of Prince George’s County | $4,300,000 | Denying Patients Access to Medical Records |

| Year | Covered Entity | Amount |
|---|---|---|
| 2018 | Pagosa Springs Medical Center | $111,400 |
| 2018 | Advanced Care Hospitalists | $500,000 |
| 2018 | Allergy Associates of Hartford | $125,000 |
| 2018 | Boston Medical Center | $100,000 |
| 2018 | Brigham and Women’s Hospital | $384,000 |
| 2018 | Massachusetts General Hospital | $515,000 |
| 2018 | Fresenius Medical Care North America | $3,500,000 |
| 2017 | 21st Century Oncology | $2,300,000 |
| 2017 | Memorial Hermann Health System | $2,400,000 |
| 2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 |
| 2017 | The Center for Children’s Digestive Health | $31,000 |
| 2017 | Metro Community Provider Network | $400,000 |
| 2017 | Memorial Healthcare System | $5,500,000 |
| 2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 |
| 2016 | University of Massachusetts Amherst (UMass) | $650,000 |
| 2016 | St. Joseph Health | $2,140,500 |
| 2016 | Care New England Health System | $400,000 |
| 2016 | Advocate Health Care Network | $5,550,000 |
| 2016 | University of Mississippi Medical Center | $2,750,000 |
| 2016 | Oregon Health & Science University | $2,700,000 |
| 2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 |
| 2016 | New York Presbyterian Hospital | $2,200,000 |
| 2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 |
| 2016 | Feinstein Institute for Medical Research | $3,900,000 |
| 2016 | North Memorial Health Care of Minnesota | $1,550,000 |
| 2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 |
| 2015 | University of Washington Medicine | $750,000 |
| 2015 | Triple S Management Corporation | $3,500,000 |
| 2015 | Lahey Hospital and Medical Center | $850,000 |
| 2015 | Cancer Care Group, P.C. | $750,000 |
| 2015 | St. Elizabeth’s Medical Center | $218,400 |
| 2015 | Cornell Prescription Pharmacy | $125,000 |
| 2014 | Anchorage Community Mental Health Services | $150,000 |
| 2014 | Parkview Health System, Inc. | $800,000 |
| 2014 | New York and Presbyterian Hospital and Columbia University | $4,800,000 |
| 2014 | QCA Health Plan, Inc., of Arkansas | $250,000 |
| 2014 | Concentra Health Services | $1,725,220 |
| 2014 | Skagit County, Washington | $215,000 |
| 2013 | Adult & Pediatric Dermatology, P.C. | $150,000 |
| 2013 | Affinity Health Plan, Inc. | $1,215,780 |
| 2013 | Shasta Regional Medical Center | $275,000 |
| 2013 | Idaho State University | $400,000 |
| 2012 | The Hospice of Northern Idaho | $50,000 |
| 2012 | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. | $1,500,000 |
| 2012 | Phoenix Cardiac Surgery | $100,000 |
| 2012 | Blue Cross Blue Shield of Tennessee | $1,500,000 |
| 2011 | University of California at Los Angeles Health System | $865,500 |
| 2011 | General Hospital Corp. & Massachusetts General Physicians Organization Inc. | $1,000,000 |
| 2010 | Management Services Organization Washington Inc. | $35,000 |
| 2010 | Rite Aid Corporation | $1,000,000 |
| 2009 | CVS Pharmacy Inc. | $2,250,000 |
| 2008 | Providence Health & Services | $100,000 |
State attorneys general also have the authority to pursue financial penalties for HIPAA violations and assist OCR with the enforcement of HIPAA Rules, although only a handful of state attorneys general have issued fines solely for HIPAA violations.
That is not to say that HIPAA Rules are not being enforced at state level, only that violations of patient privacy and failures to secure healthcare records are often also violations of state laws. State attorneys general often choose to take action over the violation of state laws rather than over HIPAA violations.
| Year | State | Covered Entity | Amount | Individuals Affected |
|---|---|---|---|---|
| 2018 | New Jersey | EmblemHealth | $100,000 | 6,443 (81,000) |
| 2018 | New Jersey | Best Transcription Medical | $200,000 | 1,650 |
| 2018 | District of Columbia | Aetna | $175,000 | 13,160 |
| 2018 | Massachusetts | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 |
| 2018 | New York | Arc of Erie County | $200,000 | 3,751 |
| 2018 | New Jersey | Virtua Medical Group | $417,816 | 1,654 |
| 2017 | California | Cottage Health System | $2,000,000 | More than 54,000 |
| 2017 | Massachusetts | Multi-State Billing Services | $100,000 | 2,600 |
| 2017 | New Jersey | Horizon Healthcare Services Inc. | $1,100,000 | 3.7 million |
| 2017 | Vermont | SAManage USA, Inc. | $264,000 | 660 |
| 2017 | New York | CoPilot Provider Support Services, Inc. | $130,000 | 221,178 |
| 2015 | New York | University of Rochester Medical Center | $15,000 | 3,403 |
| 2015 | Connecticut | Hartford Hospital / EMC Corporation | $90,000 | 8,883 |
| 2014 | Massachusetts | Women & Infants Hospital of Rhode Island | $150,000 | 12,000 |
| 2014 | Massachusetts | Boston Children’s Hospital | $40,000 | 2,159 |
| 2014 | Massachusetts | Beth Israel Deaconess Medical Center | $100,000 | 3,796 |
| 2012 | Massachusetts | South Shore Hospital | $750,000 | 800,000 |
| 2011 | Vermont | Health Net Inc. | $55,000 | 1,500,000 |
| 2010 | Connecticut | Health Net Inc. | $250,000 | 1,500,000 |
There is no private cause of action in HIPAA, so it is not possible for a patient or health plan member to file a HIPAA violation lawsuit when their privacy has been violated or their protected health information has been impermissibly disclosed. That does not mean that legal action cannot be taken to recover damages, only that a HIPAA violation lawsuit is not possible. Instead, a lawsuit would need to be filed for violations of state laws or other federal laws where there is a private cause of action. Several states do allow patients to sue providers for unauthorized disclosures of their medical records, including New York, Massachusetts, and Missouri.
There have been several cases where a HIPAA violation lawsuit has been filed, only for the case to be thrown out due to a lack of standing. While there is no private right of action under HIPAA, a HIPAA violation lawsuit could potentially be filed following a landmark ruling by the Supreme Court in Connecticut.
There have been previous cases in Connecticut where a HIPAA violation lawsuit has been filed and dismissed, but in the case of Emily Byrne, the case was allowed to proceed. Further, a majority decision by the Supreme Court has created a new state law that allows patients to sue providers for damages arising from unauthorized disclosures of medical records.
The HIPAA violation lawsuit was filed by Byrne after Avery Center for Obstetrics and Gynecology disclosed her medical records in response to a subpoena, without first obtaining consent or even informing Byrne. Byrne alleged HIPAA created a standard of care for medical records, and if those records were released without authorization, that standard is violated.
While Byrne lost the case in Superior Court, on appeal the Supreme Court ruled that HIPAA could be used as a standard of care in lawsuits. The case was referred to trial court but came before the Superior Court once again. The trial court deferred the case as no court had previously ruled on such negligence claims.
In its judgment, the Superior Court wrote, “We agree with the majority of jurisdictions that have considered the issue, and conclude that the nature of the physician-patient relationship warrants recognition of a common-law cause of action for breach of the duty of confidentiality in the context of that relationship.”
This ruling therefore allows for a HIPAA violation lawsuit to be filed in Connecticut in certain cases, although whether such a HIPAA violation lawsuit succeeds will depend on the specifics of each case.