Have Questions for a Patient Privacy Attorney? Get Answers on HIPAA Violations and Your Rights
If you suspect your medical information was mishandled, you deserve clear guidance on what to do next. This guide explains how to file a HIPAA complaint, the legal recourse available, common HIPAA violations, your core rights, and the potential impact on your life.
Drawing on the perspective of a patient privacy attorney, you’ll learn how to protect your Protected Health Information (PHI), navigate the Office for Civil Rights Complaint process, and make informed decisions about your options.
Filing a HIPAA Complaint
You can file a complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights if a covered entity or business associate improperly uses or discloses your PHI. In most cases, you should file within 180 days of when you knew, or should have known, about the issue; OCR may extend this for good cause.
Consider first contacting the provider’s privacy officer to try to resolve the problem. If that fails—or if the situation is urgent—submit an Office for Civil Rights Complaint online, by mail, or by email. Retaliation for filing a complaint is prohibited.
What to include
- Names and contact details for the provider, plan, or vendor involved.
- Dates, locations, and a concise description of what happened and how your PHI was affected.
- Any documents, screenshots, letters, or emails that support your account.
- The outcome you seek (for example, access to records, correction, mitigation, or policy changes).
After you file
OCR screens complaints, may contact you for clarification, and can open an investigation or facilitate early resolution. Outcomes range from corrective action plans to Civil Monetary Penalties for serious or uncorrected violations. Keep copies of everything you submit.
Legal Recourse for HIPAA Violations
HIPAA itself does not give individuals a direct right to sue, but you still have meaningful options. First, an OCR complaint can lead to corrective actions and penalties that prompt changes and reduce further harm.
Second, State Medical Privacy Laws may allow you to bring claims such as negligence, breach of confidentiality, invasion of privacy, or consumer protection violations. Many states also permit class actions after large breaches.
Third, if a health app or vendor falls outside HIPAA, other laws—such as state privacy statutes or consumer protection laws—may apply. Contract-based remedies and complaints to professional licensing boards can also be effective.
A patient privacy attorney can assess your evidence, identify the best legal theories, preserve deadlines, and help you weigh settlement versus litigation.
Common HIPAA Violations
- Disclosing PHI to the wrong person by email, fax, or mail; or discussing PHI in public areas or on social media.
- Snooping in a patient’s record without a job-related need; failing to follow the “minimum necessary” standard.
- Losing unencrypted laptops or phones, poor access controls, or improper disposal of records.
- Refusing or unreasonably delaying patient access to records.
- Using PHI for marketing without valid Patient Authorization, or selling PHI.
- Failing to execute required Business Associate Agreements with vendors that handle PHI.
- Not providing the Notice of Privacy Practices as part of HIPAA’s Privacy Notice Requirement.
- Missing or late notifications under the Breach Notification Rule after a breach of unsecured PHI.
Patient Rights Under HIPAA
HIPAA gives you actionable rights that help you control your PHI and hold organizations accountable.
- Access your records: You can inspect or obtain copies, typically within 30 days; extensions require written notice.
- Request amendments: You can ask to correct or add information; denials must include a reason and appeal rights.
- Request restrictions: You may ask providers or plans to limit certain uses or disclosures. If you pay a provider in full out-of-pocket, they must honor your request not to disclose to your health plan for that service.
- Confidential communications: You can request PHI be sent to you at a different address or by alternate means.
- Accounting of disclosures: You can request a list of certain non-routine disclosures.
- Notice of Privacy Practices: You have the right to receive it under the Privacy Notice Requirement and to understand how your PHI is used.
- Authorizations: Uses such as marketing or sale of PHI generally require your Patient Authorization, which you may revoke in writing.
- Right to complain: You can file with the provider’s privacy officer and/or OCR without fear of retaliation.
Reporting a HIPAA Violation
Step-by-step
- Document the incident: dates, what was disclosed, who was involved, and any harm you experienced.
- Preserve evidence: letters, emails, screenshots, voicemails, and breach notifications.
- Notify the provider’s privacy officer to seek quick remediation and to create an internal record.
- File an OCR complaint if the response is inadequate or the matter is serious; note the general 180-day window.
- Protect yourself: consider credit freezes, fraud alerts, and monitoring if identity theft is a risk.
- Consult a patient privacy attorney to evaluate state-law claims and strategy.
If you received a breach letter
Under the Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI. Large breaches may also require notice to HHS and, in some cases, the media. Use the letter to confirm what data was involved and what mitigation is being offered, then take protective steps immediately.
Penalties for HIPAA Violations
OCR enforces HIPAA through a four-tier system of Civil Monetary Penalties that scale with the level of culpability (from lack of knowledge to willful neglect). Penalty amounts are adjusted annually for inflation, and many cases result in corrective action plans and outside monitoring.
Criminal penalties apply when someone knowingly obtains or discloses PHI in violation of HIPAA, with higher penalties for offenses under false pretenses and the most severe penalties—up to 10 years of imprisonment—for offenses committed for personal gain or malicious harm.
Business associates can be liable alongside covered entities. Separately, State Medical Privacy Laws may impose additional fines or provide avenues for damages to injured patients.
Impact of HIPAA Violations on Patients
Privacy breaches can trigger medical identity theft, fraudulent billing, and exposure of highly sensitive diagnoses. They can also erode trust, deter you from seeking care, and create risks of stigma or discrimination.
- Financial harm: out-of-pocket costs, time spent correcting records, and credit impacts.
- Clinical harm: altered or inaccurate records that could affect future treatment decisions.
- Emotional harm: stress, embarrassment, and loss of control over deeply personal information.
What you can do now
- Monitor explanations of benefits and medical bills for unfamiliar services.
- Request an accounting of disclosures and ask your provider to flag your record for potential fraud.
- Replace insurance cards or numbers if compromised and consider credit freezes.
- Work with a patient privacy attorney to pursue remedies and ensure stronger protections going forward.
Conclusion
HIPAA gives you powerful rights, and there are real consequences for organizations that mishandle PHI. Act quickly, document everything, use the OCR process, and consider state-law options with a patient privacy attorney to protect your privacy and reduce harm.
FAQs
How do I file a HIPAA complaint?
Prepare a concise, factual summary of what happened, gather supporting documents, and submit an Office for Civil Rights Complaint online, by mail, or by email. Include the names of the entities involved, dates, how your PHI was affected, and what resolution you seek. You can also complain to the provider’s privacy officer. Retaliation for filing is prohibited.
What legal actions can I take for a HIPAA violation?
Start with an OCR complaint to prompt enforcement and corrective action. Depending on your situation, State Medical Privacy Laws may allow you to pursue civil claims such as negligence, invasion of privacy, or consumer protection violations, and class actions are possible after large breaches. Contract claims and complaints to licensing boards may also help. A patient privacy attorney can evaluate the best path.
What are common examples of HIPAA violations?
Frequent issues include sending PHI to the wrong recipient, snooping in records, discussing PHI in public or on social media, lost unencrypted devices, refusing or delaying access to records, using PHI for marketing without Patient Authorization, failing to provide the Notice of Privacy Practices under the Privacy Notice Requirement, missing Business Associate Agreements, and late notices under the Breach Notification Rule.
How long do I have to report a HIPAA violation to the OCR?
Generally, you must file within 180 days of when you knew, or should have known, about the violation. OCR may extend this deadline for good cause. Separate deadlines may apply to claims under State Medical Privacy Laws, so it’s wise to act promptly and consult a patient privacy attorney to preserve your options.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.