Can a patient take a legal action for a HIPAA violation? There is no private cause of action in HIPAA, so a patient cannot sue for a HIPAA violation. Even if HIPAA Rules have clearly been breached by a healthcare provider, and harm has been sustained due to this, it is not allowable for patients to seek compensation, at least not for the violation of HIPAA Rules.
So, if it is not possible for a patient to take a legal action for a HIPAA violation, does that mean legal action cannot be initiated against a covered group when HIPAA has clearly been breached? While HIPAA has no private cause of action, it is possible for patients to take legal action against healthcare suppliers and obtain damages for breaches of state laws.
In some States, patients may file a lawsuit against a HIPAA covered group on the grounds of negligence or for a breach of an implied contract, such as if a covered group has failed to protect medical records. In such instances, it will be necessary to prove that damage or harm has been caused due to negligence or the theft of unsecured personal information.
Taking legal action against a covered group can be expensive and there is no guarantee of success. Patients should therefore be explicit about their aims and what they hope to achieve by taking legal action. A different course of action may help them to achieve the same aim.
Submitting Complaints for HIPAA Breaches
If HIPAA Rules are believed to have been breached, patients can file complaints with the federal government and in most cases complaints are looked into. Action may be taken against the covered entity if the compliant is proven and it is established that HIPAA Rules have been breached. The complaint should be submitted with the Department of Health and Human Services’ Office for Civil Rights (OCR).
While official complaints can be filed anonymously, OCR will not investigate any complaints against a covered group unless the complainant is named and contact information is given.
A complaint should be submitted before legal action is taken against the covered group under state laws. Complaints must be submitted within 180 days of the discovery of the violation, although in limited cases, an extension may be allowed.
Complaints can also be submitted with state attorneys general, who also have the authority to chase cases against HIPAA-covered groups for HIPAA violations.
The actions taken against the covered group will depend on several factors, including the nature of the violation, the severity of the breach, the number of individuals impacted, and whether there have been repeat violations of HIPAA Rules.
Even though many complaints are resolved through voluntary compliance, by issuing guidance, or if a group agrees to take corrective action to resolve the HIPAA issues that resulted to the complaint. Complaints may also be submitted to the Department of Justice to pursue cases if there has been a criminal breach of HIPAA Rules.
Complaints about people can also be submitted to professional boards such as the Board of Medicine and the Board of Nursing.
How to Submit a Lawsuit for a HIPAA Violation
If you have been advised that your protected health information has been impacted due to a healthcare data breach, or you think your PHI has been stolen from a specific healthcare group, you may be able to take legal action against the breached group to recover damages for any harm or losses suffered due to the breach.
The first step to take is to file a complaint about the violation to the HHS’ Office for Civil Rights. This can be done in print or using the OCR website. If filing a complaint in writing, you should use the official OCR complaint form and should keep a duplicate of the completed form to provide to your legal representative.
You will then need to find an attorney to take legal action against a HIPAA covered group. You can find attorneys through your state or local bar association. Try to locate an attorney or law firm well versed in HIPAA regulations for the greatest hope of success and contact multiple law firms and speak with many attorneys before making your choice.
There will no doubt be many other people who are in the same boat, some of whom may have already begun legal action. Joining an existing class action lawsuit is a possibility. The more individuals involved, the stronger the case is likely to be.
Many class action lawsuits have been submitted on behalf of data breach victims that have yet to suffer harm due to the exposure or theft of their data. The plaintiffs claim for damages for future harm due to their data being stolen. However, without proof actual harm, the chances of success will be greatly lessened.