Can Patients Sue for HIPAA Violations?
When someone violates your medical privacy, it can be alarming and upsetting even before you come up against any of the nasty consequences of that violation. Breaches of medical privacy can end in anything from personal harassment to identity theft.
In an era with more and more public HIPAA security breaches, many people wonder: can you sue for a HIPAA violation? Continue reading to learn more.
Can I Sue a Hospital for HIPAA Violation as a Patient?
If a hospital – or doctor's office or anyone else HIPAA applies to – violates your rights under HIPAA as a patient, can you sue?
The short answer is "Maybe."
HIPAA does not contain a private cause of action (also called a private right of action) for a civil lawsuit under federal law. In other words, federal law prohibits individuals from filing lawsuits and asking for compensation over HIPAA violations. On the other hand, many states have laws related to HIPAA that do allow you to sue healthcare providers or specific healthcare professionals for a "harmful" violation. These cases often end up being either negligence or breach of contract claims.
Even if your state doesn't allow such lawsuits, you may be able to sue for something other than the HIPAA violation itself. You'll need to research the laws in your state and speak to a legal professional to find out if you have a case. It's worth noting that there has never been a successful civil suit where the defendant compensated the plaintiff for violating HIPAA. There have been several class action suits that were settled with compensation but no admission of liability on the part of the defendant.
What Are My Other Options for a HIPAA Violation?
When you suspect that a HIPAA violation has occurred, your primary recourse is to file a complaint with the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS). In fact, an OCR complaint must be filed before you can also pursue a civil suit.
HIPAA complaints must be filed within 180 days of the violation, although in rare cases, the OCR may extend the deadline if the complainant can show "good cause."
Official HIPAA complaints will never result in you, as the complainant, getting monetary compensation. Instead, the federal government will suggest corrective actions that must be taken. Most complaints are resolved through voluntary compliance with these requests.
If the entity fails to comply – or misses the deadline – then the federal government will impose a punishment on the responsible party if your claim is proven through the OCR's investigation.
The OCR can only fine the entity up to $100 per violation, with a maximum penalty of $25,000 per year. But if the OCR finds a criminal level of misconduct, it can refer the violation to the Department of Justice (DOJ) for harsher punishment, including prison time.
Potential DOJ penalties for HIPAA breaches are as follows:
- If the breach is committed under "false pretenses," penalties range from:
  - $50,000 and one year in prison, to
  - $100,000 and five years in prison
- If the breach is committed with "the intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm," penalties are up to:
  - $250,000 and 10 years in prison
You're also allowed to file a complaint with your state's attorney general, who has the authority to pursue a case. The penalties and process will depend on the jurisdiction.
If your complaint is against an individual who violated your privacy rights under HIPAA, you can file a complaint with the professional board – like the Board of Medicine or the Board of Nursing – that governs their licensing. These bodies can impose punishments and even revoke their professional license with enough cause.
How Do I Know If My State Has Privacy Laws that Apply?
The best way to get accurate, up-to-date information is probably to talk to a lawyer who is part of your state's Bar Association.
However, the International Association of Privacy Professionals tracks privacy legislation by state, and that may be a place to start.
Can I Sue My Employer for HIPAA Violation?
It depends on what you mean. If you work for an employer completely unrelated to the healthcare industry, it's unlikely that your employer can commit a HIPAA violation against you.
Unless your employer also provides you with health services, any medical information they have stored is part of your employment file and does not count as Protected Health Information (PHI).
HIPAA doesn't prohibit an employer from asking for vaccine or test results, requesting medical proof for an absence or a medically related change, or asking about your healthcare coverage.
Only "covered entities" can violate HIPAA – that includes healthcare providers, health plans, healthcare clearinghouses, and any business associates of covered entities that handle PHI. Examples of covered business associates include medical billing companies, law offices, accounting firms, shredding services, IT vendors, and medical transcription services that receive or store protected health information.
There's one case where an employee may be able to file a HIPAA-related lawsuit against their employer.
If you work for a covered entity and you report a HIPAA violation to management or proper authorities, and they retaliate against you for it, you may be able to sue them. As with a patient's right to sue, HIPAA itself doesn't allow suing for compensation in this case, but state law in certain places does.
Under both the HIPAA Security Rule and the HIPAA Privacy Rule, employees have the right to report suspected HIPAA violations to management. Employers are not allowed to threaten, intimidate, coerce, harass, discriminate against, or engage in retaliation against employees for filing a complaint with HHS, assisting in an investigation or proceeding, or refusing to take actions that violate HIPAA.
Learn More About HIPAA Violations
HIPAA rules are complex, so knowing what counts as a HIPAA violation may take more in-depth knowledge than you have. This is important if you suspect your employer of HIPAA violations, but it's even more important for helping you follow the law.
You don't want to be the reason for a HIPAA lawsuit, investigation, or complaint. You could lose your professional license if you have one.
We offer online, self-paced courses to educate employees of different kinds of covered entities about their obligations and the best practices for upholding HIPAA. We have courses on HIPAA compliance tailored to healthcare workers, medical office staff, sales professionals, business associates, and more.