The media is rife with stories of health care workers sneaking illicit peeks at the medical records of the famous and infamous, from Brittany Spears to George Floyd. Everyone knows that such incidents are violations of HIPAA law. What most people don't know is what happens once a HIPAA violation is discovered. Can patients whose information has been compromised sue? If so, who? Under what circumstances? What penalties can HIPAA lawbreakers face? The short answer is: it's complicated. Here's how it all breaks down.
HIPAA Violation Basics
First, it's helpful to be clear about the answer to the question "what is HIPPA?" Is it really a contract between patients and providers? In a way, the answer is yes. HIPAA defines how:
- Medical providers will use information
- Patients agree to allow their information to be shared
- What will happen if providers violate the agreed-upon standards
But at the same time, HIPAA confidentiality breaches are more than just a civil breach of contract between two parties. When health care providers commit a HIPAA violation, they are breaking the law. Depending on the circumstances:
- An individual health care worker may be at fault
- Their employer may be at fault
- Both parties may share fault
Who is at fault plays a key role in who handles violations and how. When organizations are at fault, the OCR tends to handle HIPAA breaches. They do this outside of the court system using their legal authority over covered entities. When individual parties are at fault, the situation can go either way. In some cases, the OCR still handles matters outside of the court system. In other circumstances, a HIPPA violation can be cause for both a civil suit and criminal charges. Like other crimes that fall in either or both categories, such as assault:
- Victims can sue for civil damages in appropriate circumstances
- Victims must be able to prove enough about individual liability, intent, and actions to win their case
- Victims cannot press criminal charges
- Where criminal charges are appropriate they are brought by state legal authorities
Second, it is important to understand that how HIPAA violation cases are handled can vary widely depending on the exact details of the case. Different levels of liability can be in play. Who is most liable will directly impact how patients and other parties respond.
Who Can Act When a HIPAA Violation Occurs?
There are four parties who can potentially take action when a HIPAA violation occurs.
- The Covered Entity
- The OCR
- State Attorney Generals
- Patients
The Covered Entity
The covered entity or affected organization has a duty to report the violation as soon as it becomes aware of it. It then has a duty to notify affected patients to the extent possible. Covered entities are also responsible for investigating and addressing the situation. This can mean:
- Identifying the source and cause of the breach
- Determining if the responsible party knew what they did was wrong
- Determining if the responsible party acted with intent
- Assessing company policies and practices for weakness
- Taking disciplinary or corrective action where applicable
In some cases, this results in findings that show the incident was an accident. Simple employee counseling and documentation of the incident is sufficient. Other times, organizations respond to their findings with employee sanctions or terminations because workers intentionally violated the rules.
The OCR
Once notified of a breach, the OCR is responsible for investigating and addressing the situation. It will determine the severity of the breach, who is responsible, and what fines or other penalties should go into effect. None of its responses involve the court system.
State Attorney Generals
State Attorney Generals do not always get involved in HIPAA breaches. In fact, their involvement is rare. However, where breaches are intentional and malicious, they may press criminal charges on behalf of the patients affected. Attorneys may pursue criminal or civil cases depending on the facts of any given case.
Patients
Realistically, patients have only two potential actions when they are the victims of a breach. They can speak to the State AG about pressing criminal charges or they bring a civil suit. Not all cases will qualify for civil suits, however.
What Factors Determine the Response to a HIPAA Violation?
Generally, the legal response to a HIPAA violation depends on:
- The incident's severity
- Whether the incident was intentional or preventable
- How the covered entity responds
Severity
Many incidents that qualify as HIPAA breaches as minor. Patients often suffer no ill effects. For example, imagine that a staffer accidentally opens a file they weren't supposed to. They realize their mistake and promptly close it again. They do nothing with the small amount of information they encountered. This is a prime example of a very mild incident. If duly reported and responsibly handled, it may result in a token fine of $100 and nothing else. Likewise, accidental breaches that were unavoidable will also cause no harm and garner only minor responses. More severe incidents can take several forms. They may affect a large number of patients or they may affect a small number of patients in a dramatic way. They may have been preventable if proper care had been taken, or they may have been an intentional abuse of power.
Intent
The case of former UPMC patient care coordinator Linda Sue Kalina is a prime example of the role of intent in an incident. Kalina:
- Repeatedly and intentionally abused her access to patient records
- Stole and maliciously spread intimate information about her former coworkers
- Caused real and irreversible harm to her victims
- Acted against her employer's known policies and practices
As a result, she opened herself up to both civil and criminal liability.
Response
In cases like Kalina's, the third important factor in the legal response to a HIPAA violation is how the employer or covered entity responds. Entities that respond per legal standards can absolve themselves of liability. Entities that do not respond to legal standard can open themselves up to shared liability.
Liability
HIPAA violations are somewhat unique in that multiple parties can potentially be liable. For instance, an individual worker committing violations is liable for their own actions. The degree to which they are liable can vary, depending on:
- Their awareness of the illegality of their actions
- The intention behind their actions
- If the violation was a single event or a series of actions
For example, a health care worker who accidentally accessed files they should not have seen did commit a violation. But that violation was small and unintentional. Their liability is much lower than that of a similar worker who intentionally and repeatedly:
- Accessed files knowing they should not
- Copied, distributed, or otherwise leaked private patient information
- Purposely accessed and used private patient information for personal reasons such as identity theft or public shaming
At the same time, the organization for which an employee works can also be liable. How it responds to an incident can mitigate or inflate that responsibility. The brunt of liability may fall on an organization if it:
- Did not adequately train employees to identify appropriate and inappropriate uses of information
- Did not appropriately secure private patient information
- Knew about a violation and did nothing to stop or address it
- Fails to report the violation and take suitable action in the aftermath
Within an organization, common responses to a HIPAA violation include:
- Counseling or retraining of the parties responsible
- A review and possible revision of policies, practices, and access standards
- Employee sanctions or termination
If the OCR deems an organization liable, it may impose fines of up to $1.5 million a year.
When Violations Become Civil Cases
Most HIPAA violations do not qualify for civil court. Often this is because:
- The breach was accidental or unavoidable
- No demonstrable harm was done
- It is impossible to demonstrate culpability to court standards
Occasionally, victims or victims' estates may be entitled to bring civil cases as the result of an incident. This is most likely to happen when:
- The perpetrator committed the crime intentionally
- The victim suffered significant or public harm
- The victim was a celebrity or personage and the case serves to make a statement
If a breach is large or particularly severe, a state's Attorney General may take up the case on behalf of all of the victims. If possible, this is the best route to take. Personal HIPAA lawsuits can be expensive, time-consuming, and difficult to win. Victims may also choose not to bring civil cases even in situations where they could. Most often this is because the costs of the case would outweigh any potential awards. When suing an individual health care worker, victims may find that defendants do not have much in the way of assets. Even if they win their case, there is little to gain. Organizations will mete out punishments such as stripping violators of their right to work in the health care field and their medical credentials. They will terminate employees where appropriate. Thus, the only benefit of a civil case is financial compensation. But where financial compensation is unavailable due to perpetrators' lack of assets, civil cases may not be worthwhile.
When Violations Become Criminal Cases
HIPAA violations become cause for criminal cases when they:
- Are intentionally perpetrated by parties who know what they are doing is wrong
- Are part of an identity theft plot
- Otherwise involve stolen information that is then sold or given away for the perpetrator's personal, social, or financial gain
In nearly all cases, state attorneys file criminal charges against individual actors rather than organizations. Even if a covered entity is liable, its liability will be addressed by the OCR rather than by criminal courts. If convicted, defendants can face:
- Hefty fines
- Several years in jail
- Probation and other penalties
Individuals convicted of criminal charges in relation to HIPAA violations also generally lose their ability to ever work in the medical field or related fields again.
Can Patients Sue: The Bottom Line
All things considered, then, the bottom line is this:
- In most cases, patients cannot sue in response to a HIPAA violation
- The OCR and state attorneys are responsible for addressing and punishing HIPAA violations on the public's behalf
- In rare cases, perpetrators will intentionally violate HIPAA law in ways that open them up to civil and criminal lawsuits
- State attorneys will handle all criminal suits and some civil suits
- Victims may be able to sue personally in civil court in very rare situations
What This Means for Providers
What does this mean for providers? Put simply, it means that managing HIPAA compliance well at every stage is the best protection. This is true of not only OCR disciplinary actions but potential civil and criminal cases, as well. It is impossible for providers to prevent every breach, but they can reduce and minimize the likelihood of a breach and their liability by:
- Training workers properly on HIPAA law, violations, and consequences
- Training managers, supervisors, and administrators on how to respond to violations
- Maintaining and enforcing strong HIPAA compliance policies and practices
- Acting in good faith at all times
These simple actions can ensure that providers do not face ugly consequences when HIPAA violations happen. They also enable providers to demonstrate employee liability in the event the workers intentionally violate HIPAA law while in their employ.
Learn More
Learn more about HIPAA law, HIPAA violation penalties, and the best ways to handle training and prevention now. Browse our blog or explore our course catalog for the resources you need today.