HIPAA Lawsuits 2022: Can You Sue for HIPAA Violation? 

HIPAA regulations were established to protect sensitive patient information and data, and they can also protect the healthcare providers who manage it. If a HIPAA violation occurs and you want to pursue it in court, it is not possible to sue for the HIPAA violation itself; however, you can file a lawsuit against the healthcare provider and claim damages for violating state law. Pursuing legal action against a covered entity can be costly, and there is no certainty that you will win the case. Therefore, patients should be clear about their goals and what they intend to gain from filing a lawsuit. In this post, we’re going to answer your questions about suing for HIPAA violations and provide recent HIPAA violation case examples from 2022.

What is a HIPAA Violation?

A violation of the Health Insurance Portability and Accountability Act (HIPAA) occurs when Protected Health Information (PHI) is acquired, accessed, used, or disclosed in a way that places the patient at high personal risk. HIPAA violation examples include:

  • The discussion of any medical information over the phone or in person.
  • Disclosure of data to a parent concerning any child over 18 years old.
  • Disclosure of patient information without the patient's explicit consent to another doctor or healthcare professional.

Unless the business or employee can demonstrate that there is a low possibility that the PHI was compromised, any unauthorized use or disclosure of PHI is viewed as a breach. Compliance with HIPAA standards is strictly regulated. Covered entities and business associates can face serious consequences in the form of civil and criminal penalties if a HIPAA violation occurs.

Can You Sue for a HIPAA Violation?

A patient cannot file a lawsuit for a HIPAA violation since there is no private right of action in HIPAA law. This means patients cannot sue for damages, at least not for the breach of HIPAA Rules, even if a healthcare professional has clearly violated the regulations and harm has been directly inflicted. Although HIPAA law and rules provide no private right of action, patients can still sue healthcare providers and receive compensation for violating state law. According to federal courts, private HIPAA lawsuits are prohibited under federal law. In some states, plaintiffs can claim that the HIPAA violation amounts to a violation of a state consumer privacy law or data security law in order to bring the case in state court. This allows plaintiffs to overcome the “no HIPAA private right of action” barrier and file a lawsuit if:

  • The state consumer privacy law or data security law expressly provides for lawsuits to be filed, and
  • The lawsuit alleges a violation of the state’s privacy or data security law (as opposed to a “HIPAA violation”).

How to File a HIPAA Violation Lawsuit

The Department of Health and Human Services (HHS) is the primary government agency for HIPAA information and HIPAA laws, and it maintains the primary website for them. Within the HHS is the Office for Civil Rights (OCR). According to the HHS, “If you believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the Office for Civil Rights (OCR). OCR can investigate complaints against covered entities (health plans, health care clearinghouses, or health care providers that conduct certain transactions electronically) and their business associates.”

File a HIPAA Complaint

The first step in the process is to file a complaint about the potential privacy violation with the OCR. Do this if you have been informed that your PHI has been exposed in a healthcare data breach, if you believe your PHI has been obtained by an unauthorized person or misused, or if your HIPAA rights have otherwise been violated. You can file in writing or online through the OCR portal. For a written complaint, use the official OCR complaint form found on the OCR website, and make sure to keep a copy to give to your legal representative. For the complaint to be valid, you must identify the organization or individual who violated HIPAA and provide their contact details. Remember that, in accordance with state laws, you must submit the complaint before taking legal action against the covered entity. Complaints can be filed with state attorneys general, who have the authority to pursue lawsuits against HIPAA-covered entities for HIPAA violations, and complaints against individuals can be submitted to professional boards like the Board of Medicine and the Board of Nursing. If the HIPAA violation includes a criminal offense, you should take the case to the Department of Justice (DOJ). Complaints must be made within 180 days of the violation being discovered; however, in rare circumstances, an extension may be authorized.

File a HIPAA Lawsuit

When filing a HIPAA violation lawsuit, you should follow the abovementioned steps and submit a complaint about the violation to the OCR. After submitting a HIPAA complaint, you should speak with a lawyer to pursue legal action against a HIPAA-covered entity. For a higher chance of success, before deciding on a lawyer, get in touch with several law firms and consult with different attorneys who are well-versed in HIPAA standards. The measures taken against the covered entity will be determined by several factors, such as the type of violation, its severity, the number of people affected, and whether there have been repeated violations of HIPAA Rules.

Recent HIPAA Violation Cases 2022

  1. New England Dermatology and Laser Center

Between February 4, 2011, and March 31, 2021, New England Dermatology and Laser Center in Massachusetts disposed of empty specimen containers in regular dumpsters. The containers had labels that included the PHI of patients. The PHI of 58,106 patients was incorrectly disposed of during that timeframe. The case was settled with OCR for $300,640.

  2. U. Phillip Igbinadolor, D.M.D. & Associates, P.A

The Charlotte and Monroe dentist office in North Carolina unlawfully exposed a patient's PHI on a website in reaction to a negative online review. A civil monetary penalty of $50,000 was imposed for failure to assist with the investigation and reply to an administrative subpoena.

  3. Northcutt Dental-Fairhope

In connection with a state senate election campaign, the owner of a dentist’s office in Fairhope, Alabama, illegally revealed patients' PHI to a campaign manager and a third-party marketing firm. The OCR found problems with the notice of privacy practices, and there was no HIPAA privacy officer. The settlement amount was $62,500.

To learn more about HIPAA, visit the Department of Health and Human Services (HHS) website or take one of our HIPAA Exams courses.