HIPAA Violations: Can You File a Lawsuit to Protect Your Rights?

Here’s where we unpack HIPAA laws, and how you can pursue financial compensation if your personal health information is shared without your permission.

The Health Insurance Portability and Accountability Act (HIPAA) is a set of complex federal rules and regulations that govern how medical institutions and their business associates treat your private health information (PHI).

Penalties for HIPAA violations can be substantial, ranging from fines to criminal prosecution and imprisonment.

Even though it’s against the law for medical providers to share your health information without your permission, under federal law you don’t have the right to file a lawsuit or ask for compensation.

Despite HIPAA limitations, you do have the right to pursue compensation for harmful violations of your medical privacy. Here’s what you need to know.

Why We Need HIPAA Laws

The main goal of the Health Insurance Portability and Accountability Act is to protect the privacy of your personal health information. HIPAA also works to create systems of confidentiality and accountability within healthcare facilities.

HIPAA is a legislative act made up of five titles as described below:

Title I: Protects health insurance coverage for workers and their families that change or lose their jobs. Title I also prohibited new health plans from denying coverage due to a pre-existing condition if the person was covered under another plan before the change.

Since 2014, under the Affordable Care Act, health care insurers cannot deny coverage or increase premiums based on a pre-existing condition, whether or not the person had prior insurance coverage.

Title II: Prevents Health Care Fraud and Abuse; Medical Liability Reform; Administrative Simplification: Requires the establishment of national standards for electronic health care transactions and national identifiers for providers, employers, and health insurance plans.

Under Title II The U.S. Department of Health and Human Services (HHS) develops and publishes the rules about private health information that must be followed by all health care organizations covered by HIPAA.

Title III: Provides guidelines for pre-tax medical spending accounts. Title III makes changes to health insurance laws about deductions for medical insurance.

Title IV: Has guidelines for group health plans, such as the kind of health care plans offered by many employers.

Title V: Governs company-owned life insurance policies. Title V also makes provisions for treating people without United States Citizenship.

When Does HIPAA Protect Your Private Health Information?

HIPAA does not always protect the privacy of your personal health information. Under federal rules, only certain types of “covered entities” are governed by HIPAA. Covered entities are categories of medical facilities and related businesses that might have access to your personal health information:

  • Health care providers: Health care providers include medical doctors, osteopathic doctors, dentists, chiropractors, nurses, lab technicians, pharmacies, and medical administrators supporting these providers.
  • Health plans: Health plans include HMOs, PPOs, Medicaid, Medicare, company medical plans, and military and veteran health care programs.
  • Health care clearinghouses: Health care clearinghouses include individuals or companies hired to process individuals’ personal health information. For example, billing service companies, health information systems, transaction facilitators, and other businesses that handle PHI.
  • Business associates: A “business associate” is a person or entity that performs certain functions on behalf of a covered entity who may have access to patient information. Examples of business associates are CPAs, attorneys, medical transcription services, and hospital utilization consultants.

How Can Someone Get My Health Records?

HIPAA’s “Privacy Rule” covers a person’s private health information, which includes medical bills, claim information, prescriptions, lab results, medical opinions, and all other protected forms of PHI.

Under the privacy rules, your PHI cannot be distributed without your written authorization.

It’s important to know the difference between patient consent and patient authorization:

Consent generally means giving permission to have a medical procedure performed, or for medical information to be shared with doctors during treatment.

Authorization generally means giving permission for your PHI to be released to third parties, other than the original medical facility providing treatment.

To be a legitimate authorization, there must be a written document, signed by the patient, giving the named medical facility permission to use specific PHI for matters other than medical treatment, payment, or surgeries.

The authorization applies when a patient’s PHI will be disclosed to a third party, such as an insurance company, billing company, or even another doctor.

A written authorization for release of medical records is also used to gather important proof of damages in injury cases, like auto accidents.

The patient authorization must include a description of the specific PHI to be disclosed, the person or company to whom the PHI will be sent, an expiration date for the authorization, and the purpose of the disclosure.

Another form of written authorization is a “Power of Attorney” that allows someone to conduct business and manage personal affairs on your behalf.

Court Orders and Subpoenas of Medical Records

Under HIPAA, covered entities like your doctor’s office or pharmacy are not allowed to release your private health information without your written authorization, except under limited circumstances:

Court Order: A judge signs a court order. Your medical provider must release copies of the requested records as stated in the court order. The medical provider does not have to notify you of the request under federal law, although some states may have notification requirements.

Subpoena: A subpoena is not the same as a court order. Subpoenas can be issued by a court clerk or an attorney in the case. Under HIPAA privacy laws, your medical provider can only hand over copies of your records in response to a subpoena after trying to:

  1. Notify you of the subpoena so that you have an opportunity to object to the disclosure of your records, or
  2. Seek a qualified protective order from the court for the requested information

Disclosure of any portion of the patient’s PHI without authorization is a potential violation of HIPAA laws.

Case Summary:  $1.8 Million Verdict for Disclosure of Pharmacy Records

Indiana resident Abigail Hinchy used her local Walgreen pharmacy to handle all her prescription medications, including birth control.

Hinchy was horrified when her former boyfriend, Davion Peterson, obtained copies of her pharmacy records and attempted to use the information against her.

Peterson threatened to disclose to Hinchy’s family that she was being treated for genital herpes and that she had stopped using birth control for two months before becoming pregnant.

Hinchy later learned that Davion Peterson had been dating and married Audra Withers. Withers worked as a pharmacist at the Walgreen where Hinchy filled all her prescriptions.

Through her attorneys, Abigail Hinchy filed a professional malpractice lawsuit against Walgreen and the pharmacist who breached her medical privacy.

The jury awarded Hinchy $1.8 million in damages. The verdict was upheld on appeal.

Legal Recourse for HIPAA Violations

Contrary to what many people believe, you cannot sue a medical entity for violating your HIPAA rights.

In legal terms, a HIPAA violation does not allow a “private right of action.” That means the government can punish the medical provider or business associate, but any penalties paid by the violator go to the government, not to you.

You do have the right to report HIPAA violations to the Office of Civil Rights (OCR). You must file your complaint within 180 days of the violation.

File your HIPAA complaint online using the U.S. HHS Office for Civil Rights Complaint Portal.

After the investigation is complete, the Office for Civil Rights will issue a letter describing the resolution of your complaint.

If a covered entity was found to violate HIPAA, they must take corrective actions and may be fined or subject to criminal prosecution.

Federal Penalties for Violations

The severity of the penalties imposed on health care providers or other entities that violate HIPAA privacy rules depends on whether the entity knowingly violated the rules.

Penalties for HIPAA violations are most severe when the entity has intentionally ignored the rules.

The four categories used for the penalty structure are as follows:

Category 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules

Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)

Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation

Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation

Minimum fines, depending on the category, can range from $100 to $50,000 per violation. In one year, the maximum total fines per category is capped a $1.5 million.

Medical Privacy Under State Laws

If a medical privacy violation resulted in damages, meaning you suffered some kind of verifiable financial loss, you might have a civil claim against the individual who violated your HIPAA rights.

Each state has different privacy laws governing personal health information. Talk to a personal injury attorney about your rights to compensation for HIPAA violations.

Case Summary: $853,000 Verdict Against Medical Center

The Connecticut Supreme Court ruled that violations of medical privacy under HIPAA could lead to tort liability under Connecticut law, paving the way for Emily Byrne to win her lawsuit against the Avery Center.

Byrne and her ex-boyfriend, Andro Mendoza were involved in a custody battle over their daughter. They had broken up about the time Byrne became pregnant.

Andro Mendoza’s attorneys sent a subpoena to the Avery Center for Obstetrics and Gynecology, seeking the release of Emily Byrne’s medical records.

The Avery Center complied with the subpoena without first notifying Emily Byrne. Mendoza and his legal team viewed her records.

Byrne did not authorize the release of her medical records and was not given the opportunity to object to the subpoena of her records, as required by HIPAA.

The jury awarded $853,000 to Emily Byrne because her medical records were improperly released without her knowledge.

When to Hire an Attorney

You won’t get far trying to handle a HIPAA violation on your own in state court.

Medical providers and associated businesses are protected by malpractice and liability insurance. Insurance companies have armies at the ready to fight claimants like you.

The defense team will start by arguing you don’t have a “private right of action” under HIPAA and won’t give up. They have no reason to offer a settlement if you are on your own. They know you probably won’t have the energy or the legal know-how to beat them.

You don’t have to fight alone, and you don’t need lots of money up front to hire a successful personal injury attorney. Most attorneys don’t charge for their initial consultation, and usually represent clients on a contingency fee basis.

In other words, the attorney’s fees aren’t paid unless your case is settled or your attorney wins a verdict in court.

There’s too much at stake to wait. Aside from the deadline for filing a HIPAA complaint, each state has a statute of limitations, meaning a deadline for filing lawsuits. If you miss the deadline, you lose your chance to pursue compensation.

Act now. There’s no obligation, and it costs nothing to find out what a skilled attorney can do for you.

HIPAA Violation Questions & Answers

Charles R. Gueli, Esq. is a personal injury attorney with over 20 years of legal experience. He’s admitted to the NY State Bar, and been named a Super Lawyer for the NY Metro area, an exclusive honor awarded to the top five percent of attorneys. Charles has worked extensively in the areas of auto accidents,... Read More >>