Can I Sue for a HIPAA Violation? What the Law Allows and How to Take Action


Kevin Henry

HIPAA

April 01, 2024

7-minute read

Filing a Complaint with the Office for Civil Rights

When and why to file

If your protected health information was accessed, used, or disclosed without authorization by a covered entity or business associate, you can start the HIPAA complaint process with the U.S. Department of Health and Human Services. Office for Civil Rights enforcement focuses on systemic compliance and corrective action, not individual payouts, but it can trigger swift remedies that stop ongoing violations.

Deadlines and eligibility

You generally must file within 180 days of when you knew about the incident. OCR can extend this for good cause, so file even if you are unsure about timing. Patients, caregivers, employees, and anyone affected may submit complaints.

How to file and what to include

  • Identify the organization and people involved, with dates and locations.
  • Explain what happened and why you believe it violates HIPAA.
  • Attach evidence such as letters, emails, audit logs, or screenshots (remove unrelated personal data).
  • State any ongoing harm or risk, like medical identity theft or workplace impact.

What to expect from OCR

OCR reviews, may investigate, and can require corrective action, monitoring, or civil monetary penalties. You will not receive money damages from OCR, but the agency can secure changes that improve security and privacy. Retaliation for filing a good‑faith complaint is prohibited.

Pursuing State Law Claims

Common causes of action

Even though HIPAA itself does not let you sue, many states recognize claims for unauthorized disclosures. These include negligence claims, negligence per se (using a statute to define the duty), breach of confidentiality, invasion of privacy litigation (such as public disclosure of private facts or intrusion), breach of contract or implied contract, and consumer protection claims for unfair or deceptive practices.

Damages and proof

You may seek actual financial losses, costs to mitigate identity theft, and, in some jurisdictions, emotional distress or statutory damages under state privacy statutes. Preserve evidence early: save notices, portal messages, call logs, and credit-monitoring records that show harm and mitigation efforts.

Potential defendants and special hurdles

Defendants can include the provider group, hospital, pharmacy, insurer, or a vendor handling records. Public institutions may require notice-of-claim filings and may have immunity limits. An experienced healthcare law attorney can quickly spot these issues and protect filing deadlines.

Understanding the Lack of Private Cause of Action

What HIPAA does—and does not—allow

HIPAA sets national privacy and security standards, but it contains a private cause of action limitation: individuals cannot file a civil lawsuit solely for a “HIPAA violation.” Enforcement runs through federal regulators and prosecutors. Courts nationwide have repeatedly dismissed standalone HIPAA suits for this reason.

How this affects your strategy

Because you cannot sue directly under HIPAA, you focus on state-law remedies while using HIPAA rules to define duties and standards. Your case theory may weave HIPAA duties into negligence or confidentiality claims without labeling the claim as “HIPAA-only.”

Consulting Healthcare Law Attorneys

When to call and what to bring

Contact a healthcare law attorney as soon as you discover misuse or disclosure. Bring the notice of breach, your medical records chronology, communications with the provider, and any credit or identity-theft documentation. Early counsel helps you choose between negotiation, demand letters, or filing suit.

How attorneys add value

  • Evaluate state privacy statutes, common-law claims, and damages.
  • Preserve evidence and send litigation holds to providers and vendors.
  • Navigate insurer and defense counsel protocols that often delay disclosure.
  • Coordinate parallel actions—OCR complaints, licensing board reports, or attorney general referrals—to increase leverage.

Fees and timelines

Counsel may offer contingency, hybrid, or hourly arrangements depending on damages, insurance coverage, and class potential. Statutes of limitations vary by claim and state, so prompt evaluation protects your rights.

Using HIPAA Violations as Evidence

Standard of care and negligence per se

While HIPAA does not create a private lawsuit, its rules often inform the standard of care. Plaintiffs may argue that a provider’s failure to follow required safeguards is evidence of negligence, and some courts accept HIPAA as a benchmark for negligence per se in appropriate cases.

Discovery and proof

Request policies, training records, risk analyses, audit logs, and business associate agreements. Compare them to HIPAA’s minimum standards and to the organization’s own written promises. Gaps between policy and practice can be powerful proof of unreasonable conduct.

Jury communication

Frame HIPAA as a safety baseline the defendant chose to ignore. Keep the focus on your harm—financial loss, time spent mitigating, anxiety, delayed care—not just the rulebook.

How HIPAA and state laws interact

HIPAA sets a floor, not a ceiling. Stricter state privacy statutes remain enforceable and often provide individual remedies. Many states also impose special protections for mental health, substance-use, HIV, genetic, or reproductive-health information that exceed HIPAA’s baseline.

Illustrative state frameworks

  • Medical privacy statutes that create private actions for unauthorized disclosure or negligent safeguarding of records.
  • Data breach notification laws requiring prompt notice, with remedies for late or inadequate disclosures.
  • Consumer privacy laws that reach health-related data outside HIPAA (for example, wellness apps or trackers), expanding the litigation toolkit.

Preemption and venue choices

Your lawyer will analyze preemption, choice of law, and forum. In multistate breaches, you may have options to file where the conduct occurred, where you reside, or where the defendant does business, each with different damages and timelines.

Regulatory and professional complaints

Beyond OCR, you can report to state attorneys general, licensing boards, or consumer protection agencies. These avenues can prompt audits, fines, or probation terms that complement your civil claims.

Employment and contract angles

If an employer mishandled medical information, employment laws may provide remedies separate from HIPAA. Likewise, patient contracts, notice of privacy practices, or portal terms can support breach-of-contract theories when promises about confidentiality were broken.

Mitigation and practical relief

  • Place fraud alerts or credit freezes and document time and expenses.
  • Use identity-theft and medical-identity-theft dispute procedures with insurers and providers.
  • Seek injunctive terms in settlements: policy fixes, training, or third‑party monitoring.

Key takeaways

You cannot sue “under HIPAA,” but you can act. File with OCR to drive Office for Civil Rights enforcement, then pursue state-law remedies—negligence, confidentiality, consumer protection—using HIPAA as evidence of the duty breached. A skilled healthcare law attorney can align these tracks to maximize accountability and compensation.

FAQs

Can I directly sue for a HIPAA violation?

No. HIPAA has a private cause of action limitation, so you cannot file a lawsuit solely for a HIPAA violation. Instead, you bring state-law claims—such as negligence or invasion of privacy—while using HIPAA standards as evidence of the duty and breach.

How do I file a complaint with the OCR?

Submit a written complaint to the Office for Civil Rights within 180 days of discovery. Identify who was involved, what happened, when and where it occurred, and attach relevant proof. OCR investigates and can require corrective action or penalties, but it does not award you money damages.

What state laws apply to HIPAA violations?

Depending on your state, you may rely on medical privacy statutes, data breach notification laws, consumer protection acts, and common-law claims like negligence, breach of confidentiality, and invasion of privacy. Your attorney will choose the best mix based on damages and deadlines.

Can HIPAA violations be used as evidence in court?

Yes. Courts often allow HIPAA rules and internal policies to inform the standard of care. Some jurisdictions treat violations as evidence of negligence or even negligence per se, helping you prove duty and breach alongside your state-law claims.
