Can You Sue for a HIPAA Violation? Requirements, Examples, and Compliance Safeguards


Kevin Henry

HIPAA

April 01, 2024


If your medical privacy was compromised, you understandably want accountability. While the Health Insurance Portability and Accountability Act (HIPAA) powerfully protects Protected Health Information, whether you can sue depends on the pathway you take. Below, you’ll learn what HIPAA does and does not allow, the state-law avenues that may exist, how to file an Office for Civil Rights Complaint, what penalties regulators can impose under the HIPAA Enforcement Rule, and practical compliance safeguards for organizations.

Private Right of Action Under HIPAA

Short answer: you generally cannot file a private lawsuit under HIPAA itself. HIPAA does not create a private right of action. Federal enforcement is handled by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and criminal cases are handled by the Department of Justice. However, evidence of a Privacy Rule Violation can still matter in other ways, as explained below.

What counts as a HIPAA violation?

HIPAA protects “Protected Health Information” (PHI)—any individually identifiable health data held or transmitted by a covered entity or its business associate, in any form. Violations include activities like unauthorized access (“snooping”), impermissible disclosures, failing to implement reasonable safeguards, or not providing timely access to records. Inadequate risk analysis, lack of workforce training, and unsecured devices that expose PHI are common failure points.

What you can do instead of suing under HIPAA

  • File an Office for Civil Rights Complaint asking HHS OCR to investigate the covered entity or business associate.
  • Pursue state law claims (for example, negligence or invasion of privacy) where available.
  • Raise the issue with the organization’s privacy officer to trigger internal remediation.

Illustrative examples

  • A staff member looks up a neighbor’s records without a job-related need to know.
  • A clinic emails lab results to the wrong patient without encryption and lacks a process to detect or report the error.
  • An unencrypted laptop with patient schedules is stolen from a vehicle, and the entity never performed a proper risk analysis.

State Law Claims for Privacy Breaches

Although HIPAA itself doesn’t let you sue, many states provide causes of action when your privacy is breached. Courts sometimes allow HIPAA standards to inform the “duty of care” in these suits, even if HIPAA is not the claim itself.

Common claims and what you must prove

  • Negligence or negligence per se: You must show the entity owed a duty (safeguarding PHI), breached it, and caused damages. In some jurisdictions, violating HIPAA can help establish the duty or breach.
  • Breach of confidentiality or fiduciary duty: Healthcare providers typically owe duties to keep PHI confidential; unauthorized disclosures can trigger liability.
  • Invasion of privacy torts: Intrusion upon seclusion or public disclosure of private facts may apply when PHI is accessed or shared without permission.
  • Breach of contract: Patient agreements, notices of privacy practices, or membership contracts can create enforceable privacy promises.
  • Consumer protection or data breach statutes: Some states allow actions for unfair or deceptive practices, or provide statutory damages and attorney’s fees for data-breach violations.

Damages and remedies

  • Compensatory damages: Out-of-pocket costs (credit monitoring, counseling), lost wages, and, where permitted, emotional distress.
  • Injunctive relief: Court orders to improve security or stop unlawful practices.
  • Statutory damages and fees: Available in some states under specific privacy or consumer protection laws.

Evidence tips for your claim

  • Document what happened, when you learned of it, who was involved, and any communications from the provider.
  • Preserve emails, portal messages, screenshots, and letters about the incident or breach notification.
  • Track concrete harms (billing issues, identity theft alerts, time spent resolving problems) to support damages.

Reporting HIPAA Violations

If you want government enforcement, file an Office for Civil Rights Complaint. Anyone may file—patients, family members, or workforce members. OCR typically requires filing within 180 days of when you knew of the incident, though “good cause” extensions may be granted.

Step-by-step filing

  • Identify the covered entity or business associate and the date(s) of the alleged violation.
  • Describe what PHI was involved and how it was used or disclosed—include the relevant facts, but no more PHI than necessary.
  • Explain why you believe HIPAA was violated (for example, failure to apply the minimum necessary standard, lack of access controls, or another Privacy Rule Violation).
  • Provide your contact information and any supporting documents or screenshots.

What to expect after filing

  • OCR reviews for jurisdiction and may open an investigation, seek voluntary compliance, or provide technical assistance.
  • Outcomes can include corrective action plans, resolution agreements, or Civil Monetary Penalties under the HIPAA Enforcement Rule.
  • OCR’s process addresses the organization’s compliance; it does not award you personal damages. You may still pursue state-law remedies separately.

Anti-retaliation

HIPAA bars covered entities and business associates from intimidating, threatening, coercing, or discriminating against you for filing a complaint or participating in an investigation.


Civil Penalties for Violations

Under the HIPAA Enforcement Rule, OCR uses a tiered penalty framework that considers culpability and corrective actions. Willful Neglect Penalties are the most severe, particularly when not corrected.

Penalty tiers at a glance

  • No knowledge: The entity did not know and, by exercising reasonable diligence, would not have known of the violation.
  • Reasonable cause: A failure that is not due to willful neglect but still violates HIPAA’s requirements.
  • Willful neglect—corrected: Violation due to conscious or reckless disregard, but corrected within the required timeframe.
  • Willful neglect—uncorrected: The most serious tier, reflecting disregard and failure to remediate.

Civil Monetary Penalties apply per violation, and annual caps may apply per identical provision. Dollar amounts are indexed for inflation and can range from the low hundreds to tens of thousands per violation, with annual caps that can reach into the millions depending on tier and year.

Aggravating and mitigating factors OCR weighs

  • Nature and extent of the violation and resulting harm (scope of PHI, sensitivity, number of individuals affected).
  • Entity size, compliance history, and whether issues were persistent or systemic.
  • Timeliness of detection, breach response, and corrective action.
  • Cooperation with OCR and transparency with affected individuals.

Resolution agreements and corrective action plans

In lieu of or in addition to penalties, OCR may require multi-year corrective action plans with independent monitoring, policy overhauls, workforce training, and periodic reporting to verify Covered Entity Compliance.

Criminal Penalties for Willful Neglect

“Willful neglect” is technically a civil standard. Criminal liability arises when someone knowingly obtains or discloses PHI in violation of HIPAA, or does so under aggravating circumstances. The Department of Justice prosecutes these cases.

Three offense levels

  • Basic offense: Knowingly obtaining or disclosing PHI—fines up to $50,000 and up to 1 year imprisonment.
  • False pretenses: Doing so under false pretenses—fines up to $100,000 and up to 5 years imprisonment.
  • Intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm: Fines up to $250,000 and up to 10 years imprisonment.

Who can be prosecuted

Individuals—including employees, contractors, or business associate personnel—can face criminal charges. Organizations may also incur corporate liability based on the acts of their agents.

Examples of criminal conduct

  • Accessing celebrity records out of curiosity and sharing screenshots with friends.
  • Using patient demographics to commit identity theft or sell data to third parties.
  • Misrepresenting your role to obtain PHI from another provider’s system.

Compliance Safeguards for Covered Entities

Strong, practical safeguards reduce risk, protect patients, and demonstrate good-faith compliance. The most resilient programs align privacy and security operations, integrate governance, and continually test controls.

Governance and risk management

  • Designate privacy and security officers and maintain clear reporting lines to leadership.
  • Conduct an enterprise-wide risk analysis, document findings, and implement a risk management plan with timelines and owners.
  • Use data inventories and process maps to identify where PHI resides, flows, and is shared.

Administrative safeguards

  • Policies covering minimum necessary, access authorization, sanction procedures, and contingency planning.
  • Vendor management with business associate agreements that define permitted uses, safeguards, and breach duties.
  • Workforce screening, role-based access, and documented training upon hire and at least annually.

Technical safeguards

  • Strong authentication (including multi-factor), unique user IDs, and automatic logoff.
  • Encryption of data at rest and in transit; mobile device management and remote wipe for laptops and smartphones.
  • Audit logging, high-risk alerting (e.g., snooping detection), and regular access reviews.
  • Data loss prevention for email and file sharing; secure patient portals for communications.
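As an added defender-side illustration of the audit logging and snooping-detection controls listed above (example code written for this page, not code from the original article or from Accountable), the script below compares constructed EHR audit-log entries against a constructed care-team roster and flags chart accesses with no documented job-related relationship, surfacing break-glass accesses separately for privacy-officer review. The log format, the roster and the break-glass column are assumptions.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample EHR audit log (not real data): who opened which chart and
# whether the user recorded a break-glass justification at the time.
AUDIT_LOG = """\
ts,user,patient_id,action,break_glass
2024-03-01T09:02:11,nurse_ana,P1001,view_chart,no
2024-03-01T09:15:40,nurse_ana,P1002,view_chart,no
2024-03-01T11:47:03,clerk_bob,P2045,view_chart,no
2024-03-01T12:01:55,dr_chen,P3311,view_labs,no
2024-03-01T13:22:10,dr_chen,P1002,view_chart,yes
2024-03-01T17:05:30,clerk_bob,P2045,print_chart,no
"""

# Constructed care-team roster: the patients each user had a job-related need
# to access in the review period (treatment, billing, scheduling).
CARE_TEAM = {
    "nurse_ana": {"P1001", "P1002"},
    "clerk_bob": set(),  # front-desk role with no chart assignments
    "dr_chen": {"P3311"},
}

@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    patient_id: str
    action: str
    reason: str

def find_suspect_access(log_text: str, care_team: dict) -> list[Finding]:
    """Return one Finding per access outside the user's care relationships."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["patient_id"] in care_team.get(row["user"], set()):
            continue  # documented relationship: minimum-necessary access
        # Break-glass access is allowed but still surfaced so the recorded
        # justification gets reviewed; everything else is a snooping candidate.
        reason = ("break-glass access; verify justification"
                  if row["break_glass"] == "yes"
                  else "no care relationship on record")
        findings.append(Finding(row["ts"], row["user"], row["patient_id"],
                                row["action"], reason))
    return findings

if __name__ == "__main__":
    for f in find_suspect_access(AUDIT_LOG, CARE_TEAM):
        print(f"{f.ts} {f.user} -> {f.patient_id} ({f.action}): {f.reason}")
```

In practice the roster would be derived from scheduling, encounter and billing systems, and the findings would feed the sanction and access-review processes described under the administrative safeguards.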

Physical safeguards

  • Facility access controls, visitor management, and workstation security.
  • Secure media handling and disposal procedures for drives, copies, and backups.

Incident response and breach notification

  • Documented playbooks for containment, forensics, risk-of-harm assessment, and notification timelines.
  • Drills that test decision-making and cross-functional coordination under pressure.

Ongoing monitoring and improvement

  • Periodic internal audits against the HIPAA Enforcement Rule requirements and your policies.
  • Key performance indicators (training completion, access review cadence, audit log anomalies) reported to leadership.
  • Independent assessments to validate control effectiveness and drive continuous improvement.

Key takeaways

  • You typically cannot sue directly under HIPAA, but you may have state-law remedies for privacy harms.
  • Regulators can impose Civil Monetary Penalties and corrective actions, with Willful Neglect Penalties being the most severe.
  • Filing an OCR complaint preserves federal enforcement while you consider state-law options.
  • Robust safeguards and a culture of compliance are the best defense against violations.

FAQs

Can individuals directly sue for HIPAA violations?

No. HIPAA does not provide a private right of action. You may file a complaint with HHS OCR for enforcement, and you might pursue state-law claims such as negligence, breach of confidentiality, or invasion of privacy depending on your jurisdiction.

What state law claims are available for privacy breaches?

Common claims include negligence or negligence per se, breach of confidentiality, invasion of privacy (like intrusion upon seclusion or public disclosure of private facts), breach of contract, and in some states consumer protection or data-breach statute claims that may offer statutory damages or attorney’s fees.

How do I file a complaint with the HHS OCR?

Prepare an Office for Civil Rights Complaint describing who was involved, what PHI was affected, when it happened, and why you believe HIPAA was violated. File within 180 days of when you learned of the issue (extensions may be granted for good cause). OCR may investigate, seek voluntary compliance, require corrective actions, or impose penalties on the organization.

What are the potential penalties for HIPAA violations?

Under the HIPAA Enforcement Rule, OCR can impose tiered Civil Monetary Penalties that increase with culpability, especially for willful neglect that is not corrected. Outcomes can also include resolution agreements and multi-year corrective action plans. Criminal penalties—fines and imprisonment—apply when someone knowingly obtains or discloses PHI, with higher penalties for false pretenses or misuse for personal gain or harm.
