Everything has been said and done about HIPAA violations, but the real question is, can a patient sue for HIPAA violation? While it seems reasonable for patients to sue providers who compromised their data, HIPAA does not have a private right to action in its regulations.
Even if a healthcare professional clearly violated a patient’s rights to keep PHI safe and confidential, the affected patient cannot sue the provider or healthcare professional for HIPAA violation.
Read on to learn more about patient rights under HIPAA and the potential remedies and grounds for legal action.
Table of Contents
How Is a Patient Affected by a HIPAA Violation?
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, was initially implemented to protect sensitive patient health information (PHI). When covered entities violate HIPAA Privacy and Security rules, it can pose extreme physical and technical dangers to patients with compromised data, which could later harm them.
Ultimately, HIPAA plays a vital role in safeguarding the confidentiality and integrity of patients’ data. Most HIPAA violations involve data breaches that stem from wrongfully accessing or disclosing sensitive patient data. Another reason is failing to implement sufficient safeguards to protect PHI. As a result, thousands of individuals become affected and suffer from identity theft or loss of money from cyber hackers, such as using their ID details to claim insurance money or selling healthcare details on the black market.
Is It Possible for a Patient to Sue for HIPAA Violations?
As stated above, a patient cannot file a lawsuit against a medical provider or healthcare organization for a HIPAA violation. According to federal law, private HIPAA lawsuits are not allowed. That means affected individuals of a security breach cannot sue for damages under the HIPAA rules.
However, patients can sue medical providers and other covered entities under state law violations. Some states consider violations of HIPAA as non-compliance with state consumer privacy or data security laws. Plaintiffs or patients involved can also file complaints with the Office for Civil Rights (OCR), a sub-agency of the Department of Health and Human Services. The OCR will then conduct the necessary investigation to validate the complaint. They will also enforce sanctions against covered entities violating the rules of HIPAA.
Patients’ Legal Rights Under HIPAA
HIPAA explicitly states that patients have the right to control their medical information and confidential decisions regarding their health and well-being. Under the HIPAA Privacy Rule, medical providers must provide individuals with a copy of their health information upon request. Patients also have the right to choose a personal representative to get their PHI on their behalf.
Here are some of the patients’ legal rights under HIPAA:
Right of access to the designated record set
Patients can request a personal copy of their information from a group of medical records within their provider’s designated database. These may include billing records, payments, claims, diagnoses, prescriptions, laboratory test results, and other files from the hospital’s medical management record systems. However, a medical provider cannot give patients copies of medical records stored outside their organization, such as records from affiliated hospitals and clinics.
Below are some information excluded from the designated record set:
- Psychotherapy notes or personal notes of a mental health care provider
- Data used for civil, criminal, or administrative proceedings
Request for paper and electronic copies
According to the HIPAA Privacy Rule, covered entities must provide a paper copy of PHI as requested. Similarly, the medical provider should provide electronic copies of PHI regardless if it’s available or not. If the entity only maintains paper copies, it should find a way to produce an electronic document format by scanning the paper records.
Right to assign a personal representative
A personal representative can act on behalf of a patient legally incapable of obtaining medical records. Likewise, the personal representative can exercise the patient’s right to access PHI. For instance, minors can be represented by their parent or legal guardian.
Assessing HIPAA Violations: Grounds for Legal Action and Potential Remedies
If you believe that your rights as a patient have been violated, you can always file a complaint with the Office for Civil Rights (OCR). Accordingly, the OCR oversees HIPAA compliance of covered entities and business associates.
Here’s how patients can pursue legal action against a HIPAA-covered entity:
Written complaint against a HIPAA-covered entity
Have you received a breach notification letter? If so, you can file a complaint to OCR informing them that an unauthorized person obtained your PHI. You can submit a written complaint or file it online through the OCR portal. For complaints in written format, you can use the official OCR complaint form and give a copy to your legal representative.
Also, to validate the complaint, it’s essential to identify the organization with contact details. According to state laws, you must submit a complaint before taking legal action. It would also be best to consult with state attorneys general who has the power to push through lawsuits against HIPAA-covered entities.
Written complaint against an individual
If you are filing against a particular individual, you can submit your complaint to professional boards like the Board of Medicine and the Board of Nursing. But for criminal HIPAA violations, you must submit the case to the Department of Justice (DOJ). HIPAA-related complaints must be forwarded to the corresponding authorities within 180 days from the initial discovery.
Once you’ve filed a HIPAA complaint to OCR, you must proceed to a lawyer who can help you pursue the case. It’s best to consult with lawyers who are well-versed in HIPAA standards and regulations.
Asserting Your Legal Rights for HIPAA Violations
Taking legal action against HIPAA covered-entities, especially those that are prominent in their industry, can be taxing and costly. While you cannot guarantee success, knowing and asserting your right as a patient is vital. As for covered entities, it reiterates the importance of ensuring compliance to avoid legal repercussions and costly fines.