Should a patient find themselves the victim of, or otherwise affected by, a violation of the Health Insurance Portability and Accountability Act, more commonly known as HIPAA, which was the fault of a hospital, can that patient sue the hospital for any damages resulting from the HIPAA violation?
HIPAA does not include a private cause of action among its rules and regulations. This means that a patient would not be able to sue the hospital under HIPAA, even in cases where there were flagrant or obvious violations that negatively affected the patient. They could not try to win damages against the hospital, clinic, or other healthcare provider under HIPAA in a court of law.
This may seem strange, since it appears at first that patients are left without recourse and that healthcare providers can act with near impunity, violating HIPAA as they wish. Fortunately, this is not the case: even though HIPAA does not provide a private cause of action, patients may have options to take legal measures against the covered entity under state laws, which often regulate privacy matters similar to those covered by HIPAA.
One possible method which can be followed in certain states is to sue the offending healthcare provider for negligence. The possibility to sue for breach of an implied contract also exists in some places, the implied contract being that the HIPAA covered entity would protect the patient's records as part of its service. A potential hurdle for patients, and a line of defense for providers, is that the plaintiff would have to prove that they had been harmed or suffered damage as a result of the provider's negligence or the breach of their data.
Before legal action is taken, all avenues should be considered and it should most certainly not be forgotten that there is no guarantee of a positive outcome for the patient. Covered entities often have huge legal departments and lawsuits can last a long time, costing a lot of money and energy before any final decision is made, with this decision potentially subject to appeal.
Anyone tempted to undertake such an endeavor should first calmly review what they wish to achieve from the action and what goals they hope to fulfill. There may be other easier steps which can be taken, or ones with a higher probability of success.
Starting the Complaint Process
If a patient feels that HIPAA regulations are being or have been broken, they can make a complaint directly to the federal government via the Department of Health and Human Services’ Office for Civil Rights (OCR), which is tasked with investigating HIPAA violations. Should the complaint be found to have merit, then further action can be taken.
Complaints can be anonymously filed with the OCR, but they will not be investigated unless names and contact details for complainants are included. Action should not be taken under state law until complaints are filed. The normal limit within which complaints should be made is 180 days following discovery of the violation, but this can, in exceptional circumstances, be extended.