When it comes to protecting medical privacy, HIPAA is the standard in the United States, holding healthcare providers and organizations accountable for safeguarding patient information. But what recourse do patients have when a violation occurs? Can individuals sue directly for a breach of their privacy rights under HIPAA, or are there other legal avenues to explore? In this post, we will discuss how to file a HIPAA lawsuit and what to expect. We will also outline some examples of HIPAA violation lawsuits that occurred in 2024.
What Is HIPAA?
HIPAA, or the Health Insurance Portability and Accountability Act, is a U.S. federal law enacted in 1996 to protect patients’ health information and ensure it remains confidential. Initially designed to simplify healthcare data management and enhance insurance portability, HIPAA has since become a cornerstone in healthcare privacy. The law establishes guidelines for handling Protected Health Information (PHI), creating strict rules for how healthcare providers, insurance companies, and other entities must protect patient data from unauthorized access and disclosure.
What Is a HIPAA Violation?
HIPAA protects the integrity of PHI. Protected health information includes any information, including demographic data, that relates to a person’s past, present, or future health condition, the provision of healthcare, or payment for healthcare, and that can be used to identify an individual. HIPAA protects PHI through rules such as the Privacy Rule and the Security Rule. Violations occur when these rules are breached.
For example, the Privacy Rule requires covered entities to use and disclose PHI, in every form of media, in a manner that protects the patient from personal risk. This rule can be breached when medical information is discussed over the telephone without first removing patient identifiers.
The Security Rule, which sets the standard for safeguarding PHI that is stored or transmitted electronically, can be breached when covered entities fail to take appropriate security measures to protect patient medical records from hackers.
Why You Can’t Sue for a HIPAA Violation
Patients cannot file a lawsuit for a HIPAA violation because the law makes no provision for a private right of action. Federal courts do not allow private HIPAA lawsuits. This means that patients cannot sue for HIPAA damages even when it is clear that a covered entity violated HIPAA rules.
But there is a catch. Although patients can’t sue privately under federal law, they can sue under state law. For this to happen, the following conditions must be met:
- The state makes provisions for lawsuits under the state consumer privacy law or data security law.
- The plaintiff can prove a breach of the state’s privacy law and data security law.
Can You Sue a Company for a HIPAA Violation?
The same answer applies when the responsible party is a company. Because HIPAA provides no private right of action, patients cannot sue a company for HIPAA damages in federal court. A lawsuit is possible only under state law, provided that the state allows such lawsuits under its consumer privacy law or data security law and the plaintiff can prove a breach of that law.
Can I Sue My Employer for HIPAA Violation?
Unfortunately, employees cannot sue their employers for HIPAA violations. Employers are not covered entities and are, therefore, not subject to HIPAA rules and regulations. There is also no private right of action governing them. This can be distressing for employees who feel their employers violated their privacy.
It is still helpful to consult your attorney for other routes of legal action. For example, it may be possible to sue your employer if there is a violation of another state or federal law besides HIPAA.
How to File a HIPAA Violation Lawsuit
The first step is to file a HIPAA complaint with the Office for Civil Rights (OCR), a body within the Department of Health and Human Services (HHS). The OCR investigates complaints of violations by covered entities and their business associates.
How to File a HIPAA Complaint
You can file a complaint with the OCR online through the OCR complaint portal or in writing. On the OCR website, look for the official OCR complaint form. Before submitting the form, make a copy for your legal representative.
A valid complaint must:
- Identify the organization or individual responsible for the violation. They must be a covered entity or a business associate.
- Be filed within 180 days of the violation being discovered. This requirement has some exceptions, and in rare circumstances an extension may be authorized.
You can file complaints against covered entities with the state attorneys general. You can also file complaints against individuals with professional bodies like the Board of Medicine or the Board of Nursing. If the HIPAA violation includes a criminal offense, you can file complaints with the Department of Justice.
To increase your chances of success, speak with different attorneys with experience in HIPAA standards. They can provide insight into your case.
What To Expect After the Investigation
OCR carefully looks into every complaint it receives. At the end of the investigation, OCR issues a letter detailing the outcome of the investigation.
If the OCR finds the covered entity/business associate liable, it requires them to:
- Comply voluntarily with HIPAA regulations
- Take corrective action
- Agree to a settlement
If OCR deems the corrective action unsatisfactory, it may impose a civil money penalty under HIPAA.
Recent HIPAA Violation Cases
Montefiore
In February 2024, Montefiore Medical Center agreed to pay a settlement of $4.75 million over HIPAA Security Rule violations. Nine years prior, the NYPD discovered that an employee of the medical center had been stealing patients’ PHI and selling it to an identity theft ring.
Following the outcome of that investigation, Montefiore filed a breach report with OCR. This led to a compliance investigation and the subsequent settlement. In addition to the payment, OCR required Montefiore to submit a corrective action plan.
SAV-RX
In October 2023, SAV-RX suffered a security breach that exposed the PHI of over 2 million users. An investigation showed that an unauthorized third party had hacked into its systems five days before the event.
There is speculation that the cyber hacker requested a ransom payment. Although SAV-RX made no mention of this, it said “in conjunction with third-party experts, we have confirmed that any data acquired from our IT system was destroyed and not further disseminated.” It is unlikely that this was possible without a ransom payment.
Change Healthcare
The OCR is currently investigating security breaches at Change Healthcare. In February 2024, hackers disabled the company’s nationwide healthcare informatics and billing systems and demanded a ransom to unlock them.
At the time, Change Healthcare processed the medical claims of about 900,000 physicians, 5,500 hospitals, 33,000 pharmacies, and 600 laboratories. Any settlement resulting from this investigation is expected to be substantial.
Protect Your Business Today
The consequences of HIPAA violations can be costly. Our HIPAA courses protect you from risk by arming you with the knowledge you need to create an effective risk assessment plan.
We also teach you all you need to create and communicate a fail-proof policy that protects your business from sanctions against healthcare privacy violations. Our courses are tailor-made for different professionals: business associates, healthcare workers, HR professionals, and dental offices.
Enroll today!