HIPAA Private Right of Action Explained: Examples, State Claims, and OCR Process
Overview of HIPAA Enforcement
HIPAA sets national standards for health information privacy and security through the Privacy, Security, and Breach Notification Rules. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) enforces these rules to protect Health Information Privacy across the healthcare ecosystem.
OCR regulates each Covered Entity—health plans, most healthcare providers, and clearinghouses—and their business associates that handle protected health information. When Privacy Rule Violations or Security Rule failures occur, OCR can pursue a range of Enforcement Actions aimed at remediation and accountability.
- Informal resolution: technical assistance and voluntary compliance commitments.
- Formal measures: resolution agreements with corrective action plans, monitoring, and, when appropriate, Civil Monetary Penalties.
- Criminal matters: referral to the Department of Justice for potential criminal prosecution.
Limitations on Private Right of Action
HIPAA does not create a private right of action. In other words, you cannot file a lawsuit solely for a HIPAA violation. The law is enforced by OCR and, in certain circumstances, by state attorneys general—not by individual plaintiffs under HIPAA itself.
That said, HIPAA still matters in court. Plaintiffs and judges often look to HIPAA’s standards as evidence of the duty of care in negligence or as a benchmark for reasonable data security. Practically, if you believe your rights were violated, you can file an OCR complaint and explore state-law options that may allow you to sue.
- File with OCR to trigger an administrative review and potential remedies.
- Consider state claims grounded in privacy, consumer protection, or contract law.
- Use HIPAA standards to help establish duties or breaches under state law.
State Law Claims for Privacy Violations
While a HIPAA private right of action does not exist, many states allow you to pursue relief under State Privacy Statutes or common-law claims. The availability and elements of these claims vary by jurisdiction, so outcomes depend on your state’s specific rules.
- Negligence or negligence per se based on failure to safeguard medical information consistent with industry standards.
- Intrusion upon seclusion for snooping in medical records without a legitimate purpose.
- Public disclosure of private facts for sharing sensitive details without authorization.
- Breach of fiduciary duty recognizing the special trust in provider–patient relationships.
- Breach of contract or implied contract tied to promises in Notices of Privacy Practices or patient agreements.
- Consumer protection (UDAP) claims alleging unfair or deceptive privacy or security practices.
- Statutory claims under state medical confidentiality or data privacy laws that expressly allow private lawsuits.
Remedies may include damages for financial loss, emotional distress where permitted, statutory damages under certain statutes, injunctive relief to halt ongoing practices, and in some cases attorney’s fees. Filing deadlines, proof of harm, and class certification standards differ by state and claim type.
OCR Complaint Filing Process
1) Confirm jurisdiction and timing
First, confirm the respondent is a Covered Entity or its business associate. Complaints generally must be filed within 180 days of when you knew, or should have known, about the alleged violation; OCR may extend this for good cause.
2) Prepare your submission
Describe what happened, when it occurred, who was involved, and how your information was affected. Include supporting documents (letters, emails, bills, or screenshots). You may authorize someone to file for you. HIPAA prohibits retaliation for filing a complaint.
3) File with OCR
You can submit online or by mail. Provide your contact information, the entity’s details, and a clear narrative of the issue (for example, an impermissible disclosure, denial or delay of access, or inadequate safeguards). Keep copies of everything you send.
4) Intake and early resolution
OCR reviews whether the complaint is timely and within its authority. Some matters are resolved quickly through technical assistance or informal corrective steps when the entity readily addresses the problem.
5) OCR Compliance Investigation
If OCR opens a formal compliance investigation, expect requests for policies, risk analyses, training records, system logs, and incident documentation. OCR may interview witnesses, test controls, and evaluate whether corrective actions are effective.
6) Outcomes
OCR may close the case with no finding, issue technical assistance, require a resolution agreement with a corrective action plan and monitoring, impose Civil Monetary Penalties, or refer egregious conduct to the Department of Justice. Entities may have administrative avenues to contest formal penalties.
Examples of OCR Enforcement Actions
- Patient access delays: settlements for failing to provide timely, reasonably priced access to records or for overcharging copy fees.
- Risk analysis gaps: penalties when entities lacked an enterprise-wide security risk analysis or failed to implement risk management plans.
- Lost or stolen devices: enforcement following breaches involving unencrypted laptops, portable media, or mobile devices lacking adequate safeguards.
- Missing business associate agreements: actions where vendors handled protected health information without a required contract.
- Workforce snooping: cases involving inappropriate employee access due to weak access controls or insufficient audit review.
- Improper disclosures: Privacy Rule Violations such as faxing to the wrong recipient, discussing PHI publicly, or allowing media access without HIPAA-compliant authorization.
- Tracking technologies: actions addressing disclosure of identifiers or visit details to third-party analytics or advertising tools without proper safeguards.
- Improper disposal: penalties where paper records or devices containing PHI were discarded without proper destruction or media sanitization.
These outcomes typically require policy updates, workforce training, strengthened technical controls, vendor management improvements, and ongoing reporting to OCR.
Civil Monetary Penalties for Violations
OCR applies a tiered framework that scales penalties to the organization’s culpability and response. Factors include the nature and extent of the violation, number of individuals affected, duration, types of data involved, actual or likely harm, prior history, cooperation, remediation, and the entity’s financial condition.
- No knowledge: the entity did not know and, exercising reasonable diligence, would not have known of the violation.
- Reasonable cause: the entity knew or should have known, but the violation was not due to willful neglect.
- Willful neglect—corrected: a conscious or reckless failure that was corrected within a required period.
- Willful neglect—uncorrected: the most serious tier with the highest exposure.
Penalties are assessed per violation and may accrue daily or by record in certain contexts, subject to annual caps that are periodically adjusted for inflation. Many matters resolve through settlement agreements with corrective action plans; OCR typically reserves formal penalties for egregious or unremedied noncompliance.
Role of State Attorneys General
State attorneys general may bring civil actions in federal court to address HIPAA violations affecting their residents. They can seek injunctions, damages, and costs, and they often coordinate with OCR to avoid duplicative or conflicting remedies.
AGs may also leverage State Privacy Statutes and consumer protection laws in parallel, expanding potential relief and compliance obligations. These actions often end in consent judgments that require robust security programs, audits, restitution, and ongoing oversight.
Conclusion
HIPAA does not give individuals a direct lawsuit, but you still have practical options. File an OCR complaint to trigger administrative review, and evaluate state-law claims that fit your facts. For organizations, sustained compliance—risk analysis, access controls, training, vendor management, and prompt remediation—reduces exposure to Enforcement Actions and Civil Monetary Penalties.
FAQs
Does HIPAA allow individuals to sue for violations?
No. HIPAA does not provide a private right of action. You can file a complaint with OCR and, depending on your state’s laws, pursue claims such as negligence, privacy torts, consumer protection, or contract-based remedies.
How does OCR handle HIPAA complaints?
OCR screens complaints for timeliness and jurisdiction, may resolve some through technical assistance, and can open a formal investigation. Outcomes range from voluntary corrective steps to resolution agreements, monitoring, Civil Monetary Penalties, or referral to the Department of Justice.
Can state laws provide a private right of action?
Yes. Many states authorize lawsuits under common-law privacy theories or specific State Privacy Statutes, and some allow consumer protection claims for unfair practices. Availability, elements, and damages vary by state.
What penalties can OCR impose for violations?
OCR can impose tiered Civil Monetary Penalties based on culpability and other factors, require corrective action plans with multi-year monitoring, and in severe cases refer matters for criminal enforcement. Penalty amounts are per violation and subject to annual caps that adjust over time.