Can I Sue My Employer for a HIPAA Violation? Compliance Guide



Kevin Henry

HIPAA

April 07, 2024

7 minute read

You’re not alone in asking, “Can I sue my employer for a HIPAA violation?” This compliance guide explains when HIPAA applies at work, why direct lawsuits under HIPAA are limited, and which alternative legal paths—state law, contract, negligence, and the ADA—may allow you to seek remedies for an unauthorized disclosure.

Use this overview to identify whether HIPAA covers your situation, understand the Covered Entity Definition, and decide whether to file a complaint with federal regulators or pursue claims under other laws.

HIPAA's Applicability to Employers

HIPAA regulates “covered entities” and their “business associates.” Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with transactions for which HHS has adopted standards (claims and billing, for example). An employer acting purely as an employer is not a covered entity, no matter how much health information it holds about its staff.

That changes when an employer sponsors a group health plan, health flexible spending account, or employee assistance program (EAP). In those cases, the plan—not the employer—is the covered entity. Employers must maintain a firewall so that Protected Health Information (PHI) from the plan is kept separate from employment decision-making.

If a manager learns about your condition from FMLA paperwork, a workers’ compensation claim, a sick-leave note, or a casual conversation, that information sits in employment records rather than in the health plan and is typically not PHI under HIPAA. It can still be protected by the ADA’s medical-information confidentiality rules and by state privacy laws, so a disclosure beyond what those laws permit may be an unauthorized disclosure with consequences under non-HIPAA statutes.

Private Right of Action Under HIPAA

HIPAA does not give individuals a direct right to sue for damages. Enforcement is handled by the U.S. Department of Health and Human Services through its Office for Civil Rights (OCR), which can investigate complaints, require corrective action, and impose civil penalties. State attorneys general may also bring civil actions on behalf of state residents under the HITECH Act, but neither route is a private lawsuit that you control.

While you generally cannot file a private lawsuit “under HIPAA,” some courts allow HIPAA regulations to inform the standard of care in state-law claims. In limited situations, plaintiffs argue that HIPAA sets duties that, if violated, support negligence per se or evidence of breach, but any damages must flow from state-law causes of action—not HIPAA itself.

State Privacy Laws Allowing Lawsuits

Many states provide avenues to sue for medical-privacy harms even when HIPAA itself doesn’t. Your options depend on the facts, the type of information disclosed, and the parties involved.

Common law privacy torts

  • Public disclosure of private facts: widespread sharing of sensitive medical details without a legitimate purpose.
  • Intrusion upon seclusion: prying into medical records or health data without authorization.
  • Breach of confidentiality: disclosing information entrusted in confidence (including by company medical staff or plan administrators).

Statutory claims

  • State medical privacy statutes and data-breach laws that allow private lawsuits for failure to safeguard or notify about exposure of health information.
  • Consumer privacy statutes or biometric privacy laws that cover medical identifiers and related data, depending on the state.

Remedies and timing

Potential remedies include compensatory damages, emotional distress damages (where allowed), injunctive relief, and, under some statutes, attorney’s fees. The statute of limitations for privacy claims varies by state and claim type, often one to four years from the disclosure or its discovery, so act promptly to preserve your rights.

Breach of Contract Claims

If your employer made specific, enforceable promises to protect medical information, a breach of contract claim may be available. Examples include nondisclosure agreements, offer letters, settlement agreements, and handbooks or policies that are incorporated into the employment contract.

Key issues include whether the policy language is a binding promise, whether disclaimers reserve the employer’s right to change policies, and whether arbitration or class-action waivers apply. Damages may include economic losses and, where available, contract-based remedies tied to the confidentiality commitment.

Negligence Claims

Negligence requires a duty, a breach of that duty, causation, and damages. A duty of care over employee health information can arise from statutes, industry standards, the employer’s own policies, or the foreseeability of harm from mishandling sensitive health data.

Breaches may include lax access controls, poor training, or failure to investigate and contain an Unauthorized Disclosure. To prevail, you typically need to show that the employer’s lapse caused actual harm—such as identity theft, out-of-pocket costs, or emotional distress where permitted.

Evidence that helps includes audit logs, emails, security assessments, and documented deviations from policies or recognized safeguards. Expert testimony may be useful to establish reasonable security practices and causation.

Americans with Disabilities Act Confidentiality

The ADA requires employers to keep employee medical information confidential and to store it in separate medical files, apart from the general personnel file. These confidentiality rules apply to disability-related inquiries, post-offer medical exams, accommodation requests, and related documentation, and they protect every employee who is asked for medical information, whether or not that employee actually has a disability.

Disclosures are tightly limited: supervisors and managers may be told about necessary work restrictions and accommodations, first-aid and safety personnel may be told if a condition might require emergency treatment, and government officials investigating ADA compliance may be given the information on request; anything else requires the employee’s authorization or another legal requirement. Unauthorized sharing can support an ADA claim even if you remain qualified for your job and no adverse action occurs.

Procedurally, an ADA employment claim must begin with a charge filed with the EEOC (or a state fair-employment agency) before you can sue, generally within 180 days of the violation, extended to 300 days in states that have their own fair-employment agency. Remedies can include injunctive relief, damages, and, in some cases, attorney’s fees.

Filing a HIPAA Complaint

When to file

File a HIPAA complaint if the entity that mishandled your PHI is a covered entity (like a group health plan or EAP) or a business associate. If the issue involves your employer acting purely as an employer, consider state-law or ADA avenues instead.

How to file

  • Gather facts: dates, what was disclosed, to whom, and how you learned of it. Keep copies of plan notices, emails, and screenshots.
  • Submit the complaint in writing to the HHS Office for Civil Rights (OCR), generally within 180 days of when you knew or should have known of the violation; OCR may extend the deadline for good cause.
  • Provide specifics on why the disclosure violated HIPAA, the type of PHI involved, and any harm you experienced.
  • Cooperate with the investigation, which may result in corrective action, resolution agreements, or penalties against the covered entity—not direct damages to you.
  • Consider parallel steps: notify the plan’s privacy officer, preserve evidence, evaluate state-law claims, and, where appropriate, consult counsel about timelines, including the statute of limitations for any privacy claims.

Conclusion

Bottom line: most employees can’t sue directly “under HIPAA,” but you may have viable claims under state privacy laws, contract, negligence, or the ADA. Identify whether HIPAA applies, act quickly to meet filing deadlines, and choose the forum—regulatory complaint or lawsuit—that best addresses your situation.

FAQs

Can employees sue employers directly under HIPAA?

No. HIPAA lacks a private right of action, so employees generally cannot sue under HIPAA itself. However, HIPAA can inform the standard of care in state-law cases, and you may pursue claims under state privacy laws, contract, negligence, or the ADA depending on the facts.

What state laws protect employee health information privacy?

States recognize privacy torts (like public disclosure of private facts and breach of confidentiality) and have statutes governing medical privacy and data breaches. Some also provide consumer or biometric privacy rights that may cover health-related identifiers. Available remedies and deadlines vary by jurisdiction.

How does the ADA impact employer obligations for medical data?

The ADA requires confidential handling of employee medical information, stored separately from personnel files, with disclosure limited to narrow purposes such as accommodations and safety. Improper sharing can violate the ADA even without a separate HIPAA breach.

What steps should I take to file a HIPAA complaint?

Confirm the entity is a covered entity or business associate, document the unauthorized disclosure, and submit a complaint to the HHS Office for Civil Rights (OCR), generally within 180 days of when you knew or should have known of the violation. Include dates, what was disclosed, and supporting evidence, and consider parallel state-law or ADA claims to preserve all remedies.
