Can You Sue for a HIPAA Violation? Guide to Complaints, Remedies, and Damages
HIPAA Private Right of Action
HIPAA is a United States federal law whose Privacy and Security Rules govern how covered entities and their business associates use, disclose, and safeguard protected health information (PHI). If your medical records were mishandled, your first question is usually, “Can you sue for a HIPAA violation?”
No private right of action
Under HIPAA, individuals cannot sue directly for a violation. The statute does not create a private right of action; instead, HIPAA enforcement is handled by government authorities. That means a HIPAA breach alone is not a standalone lawsuit you can file in court.
How HIPAA still matters in court
Although you can’t sue “under HIPAA,” its rules often inform state-law litigation. Courts may treat HIPAA as evidence of the standard of care for safeguarding PHI. If a provider’s conduct falls short of those expectations, it can support state claims like medical information negligence, breach of contract claims, invasion of privacy, or breach of fiduciary duty.
Covered entities and business associates
HIPAA applies to health plans, most healthcare providers, healthcare clearinghouses, and their business associates that handle PHI. If the actor is not covered by HIPAA (for example, some health apps), your remedies may arise under different state privacy laws or consumer protection statutes rather than HIPAA.
Filing Complaints with OCR
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) investigates alleged HIPAA noncompliance. An OCR complaint does not seek personal money damages, but it can drive corrective action and broader HIPAA enforcement.
When and how to file
- Act promptly. Complaints generally must be filed within 180 days of when you knew, or should have known, of the violation (OCR may waive the deadline for good cause).
- Include specifics: who was involved, dates, the type of PHI exposed, how the disclosure occurred, and any harm (e.g., fraud, identity theft, anxiety).
- Attach supporting material such as letters, emails, screenshots, or explanation-of-benefits statements.
What to expect from an Office for Civil Rights investigation
OCR screens the complaint for jurisdiction (covered entity or business associate, PHI, timeliness). If accepted, OCR may request records, interview witnesses, and assess the entity’s safeguards. Outcomes range from technical assistance and voluntary corrective action to formal resolution agreements, corrective action plans, and the civil money penalties HIPAA authorizes.
Retaliation and confidentiality
Covered entities may not retaliate against you for filing a complaint. You can ask OCR to keep your identity confidential, though OCR may need to share limited information to investigate.
State Law Claims
Because individuals can’t sue directly under HIPAA, most private remedies come from state law. The same facts that constitute a HIPAA lapse can support state privacy laws and related claims.
Common legal theories
- Negligence or medical information negligence for failing to use reasonable safeguards to protect PHI.
- Negligence per se, where permitted, using HIPAA or similar statutes to inform the duty of care.
- Breach of contract claims if a patient agreement or notice of privacy practices created enforceable promises.
- Breach of confidentiality or fiduciary duty based on the provider–patient relationship.
- Invasion of privacy (intrusion upon seclusion or public disclosure of private facts).
- Consumer protection and data breach statutes that allow private suits for inadequate security or unfair practices.
Preemption and “more stringent” rules
HIPAA generally does not preempt state laws that are more protective of privacy. Many states impose additional duties (for example, faster breach notifications or broader private rights of action). A lawyer can assess which state rules apply and whether HIPAA strengthens your case as evidence of the standard of care.
Who you can sue
Potential defendants include the provider, health system, plan, or business associate responsible for the disclosure or inadequate safeguards. Some cases also involve vendors that lacked reasonable security or mishandled data under service contracts.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Potential Damages
Damages depend on the claim and state law, not HIPAA itself. Successful plaintiffs may recover compensation tied to the privacy injury and its consequences.
Types of recoverable losses
- Economic losses: costs for credit monitoring, identity restoration, fraudulent charges, time spent resolving issues, and out-of-pocket expenses.
- Non-economic harms: anxiety, humiliation, or loss of privacy, when recognized by state law.
- Punitive damages: available in some states for reckless or intentional misconduct.
- Statutory damages or attorney’s fees: available under certain consumer protection or data breach statutes.
- Injunctive relief: orders requiring improved safeguards, training, or deletion of improperly retained data.
Note that OCR investigations can result in the civil money penalties HIPAA authorizes and in corrective action plans, but those penalties are paid to the government, not to individual complainants.
Enforcement Actions
Multiple enforcement avenues may apply to the same incident, reflecting the layered nature of HIPAA enforcement.
Federal civil enforcement
OCR can impose civil money penalties and require resolution agreements with corrective action plans. Penalties are tiered by the entity’s level of culpability, from violations it did not know about and could not reasonably have known about, through reasonable cause, to willful neglect that was or was not corrected in time; per-violation and annual maximums are periodically adjusted for inflation.
State attorneys general
State attorneys general may bring actions to enforce HIPAA on behalf of residents, often seeking injunctions, restitution, and civil penalties. They can also enforce independent state privacy laws when those laws are more protective.
Criminal enforcement
The U.S. Department of Justice can prosecute anyone who knowingly and wrongfully obtains or discloses PHI. Convictions can include fines and imprisonment, with higher maximums where the offense involves false pretenses or an intent to sell PHI or use it for commercial advantage, personal gain, or malicious harm.
Business associates and vendors
Business associates are directly subject to HIPAA. OCR and state regulators frequently examine vendor risk management, business associate agreements, access controls, and incident response readiness.
Legal Consultation
If your PHI was exposed, consider consulting a privacy or healthcare attorney promptly. An attorney can evaluate HIPAA’s role, applicable state privacy laws, and whether facts support claims like medical information negligence or breach of contract.
Preparing for a consultation
- Timeline: dates of the incident, discovery, and any notices you received.
- Evidence: letters, emails, screenshots, portal printouts, and police or FTC identity theft reports.
- Impact: financial losses, time spent, and emotional distress.
- Entities involved: provider names, insurers, and any vendors handling your data.
Strategy and timing
Lawyers often pursue a dual-track strategy: file an OCR complaint to drive compliance and investigate, while preserving and, where appropriate, filing state claims for damages. Statutes of limitations vary by claim and state, so acting quickly protects your rights.
Bottom line: You typically cannot sue “under HIPAA,” but you can seek remedies through an OCR complaint and, where the facts support it, state-law claims for damages. Understanding HIPAA enforcement, state privacy laws, and available remedies helps you choose the path most likely to deliver accountability and meaningful relief.
FAQs
Can individuals sue directly for HIPAA violations?
No. HIPAA does not provide a private right of action. You can file a complaint with OCR to prompt enforcement, and you may bring state-law claims arising from the same conduct, such as negligence, invasion of privacy, or breach of contract claims where supported by your state’s laws.
How do I file a complaint with the OCR?
Submit a written complaint to the Office for Civil Rights (online, by mail, fax, or email) with details about who was involved, what PHI was disclosed, when it happened, and how you were affected. File within 180 days if possible, attach supporting documents, and request confidentiality if needed. OCR will review the complaint and may open an investigation to assess compliance and require remedies.
What damages can be recovered under state law for HIPAA violations?
While HIPAA itself doesn’t award damages to individuals, state-law claims tied to the same incident may allow recovery of economic losses (e.g., credit monitoring, identity restoration), non-economic harms (emotional distress where recognized), punitive damages for egregious conduct, statutory damages under some consumer statutes, attorney’s fees, and injunctive relief.
What penalties exist for HIPAA violators?
Regulators can impose the tiered civil money penalties HIPAA authorizes, require corrective action plans, and enter resolution agreements. The Department of Justice may bring criminal cases for knowing, wrongful uses or disclosures of PHI. State attorneys general can also pursue enforcement under HIPAA and under more protective state privacy laws.