HIPAA Violation Lawsuit: Can You Sue, What Counts, and How to Get Started

Kevin Henry

HIPAA

March 01, 2024

8 minute read

Filing a Complaint with the Office for Civil Rights

Who can file and when

If you believe your protected health information (PHI) was mishandled, you can file an Office for Civil Rights complaint with the U.S. Department of Health and Human Services. Complaints should generally be filed within 180 days of when you knew—or should have known—about the patient privacy breach. OCR may extend this deadline for good cause, so file even if you think you are late.

What to include in your submission

Provide the covered entity or business associate’s name (such as a hospital, clinic, health plan, or vendor), dates of the incident, a clear description of what happened, and why you believe HIPAA rules were violated. Attach supporting materials: correspondence, screenshots, portal messages, billing statements, audit logs you received, and names of witnesses. Concise, factual details help OCR assess the scope and impact.

What happens after you file

OCR screens the complaint to verify jurisdiction, then may open an investigation, seek early resolution, or close the matter with technical assistance. Outcomes can include corrective action plans, training, policy changes, resolution agreements, and civil monetary penalties. Even when OCR imposes penalties, it does not award you damages; those must be pursued separately under state law if available.

Practical tips

  • Keep a dated timeline and preserve all communications.
  • Ask the provider for written breach notices and for copies of any access logs showing who viewed your PHI.
  • If the breach involved identity data, consider a fraud alert or credit freeze while the investigation proceeds.

Pursuing State Law Claims

How HIPAA and state law interact

HIPAA sets a federal floor for medical privacy but does not create a HIPAA private right of action, meaning you generally cannot sue directly under HIPAA. However, many states recognize claims that can remedy the same harm. HIPAA can still matter because courts may treat its rules as evidence of the standard of care under medical confidentiality laws.

Common causes of action

Depending on your state, you may bring state negligence claims, negligence per se (using HIPAA violations as evidence of breach), breach of medical confidentiality, breach of fiduciary duty, breach of contract against a healthcare provider (based on express or implied agreements to keep information confidential), and invasion of privacy lawsuits such as intrusion upon seclusion or public disclosure of private facts. Consumer protection or data breach statutes may also apply when unfair or unlawful practices caused the exposure.

Statutes of limitations and preemption

Deadlines vary widely by state and by claim type—often one to three years, sometimes longer under discovery rules. HIPAA preempts only less stringent state rules; stronger state privacy protections remain enforceable. Act quickly to avoid missing filing windows and to preserve evidence.

Potential damages

If successful, state claims can provide economic losses (out-of-pocket costs, credit remediation), non-economic harms (emotional distress from unauthorized disclosure), punitive damages in egregious cases, and injunctive relief requiring better safeguards.

Understanding Negligence in HIPAA Violations

The elements you must prove

To win a negligence claim, you typically must show duty, breach, causation, and damages. Healthcare providers and their vendors owe a duty to use reasonable safeguards to protect PHI. Failing to implement or follow those safeguards can be a breach.

Using HIPAA as the standard of care

While HIPAA itself does not create a lawsuit, its Security, Privacy, and Breach Notification Rules often inform what reasonable care looks like. In some states, a proven regulatory violation may support negligence per se, shifting focus to whether the violation caused your harm.

Proving causation and harm

Tie the patient privacy breach to concrete consequences: identity theft, fraudulent claims, employment or reputational harm, anxiety, or loss of control over sensitive information. Evidence can include credit reports, insurer explanations of benefits, expert opinions on data misuse risk, and your detailed timeline of events.

Covered entities and business associates

Liability can involve hospitals, physician practices, pharmacies, health plans, and their business associates (for example, cloud or billing vendors). Identify all responsible parties to avoid leaving out a key defendant.

Breach of Contract and Privacy Invasion Claims

Express and implied agreements

Some patients have written agreements or portal terms promising confidentiality. Even without a signed contract, many states recognize an implied contract that healthcare providers will safeguard PHI. A breach of contract claim against a healthcare provider may succeed when those assurances are broken and you suffer harm.

Privacy torts that often fit

Invasion of privacy lawsuits commonly include intrusion upon seclusion (unauthorized access or snooping) and public disclosure of private facts (sharing sensitive medical details with others without a valid purpose). Courts examine how widely the information spread, how sensitive it was, and whether any legitimate justification existed.

Illustrative scenarios

Examples include an employee accessing a record out of curiosity, misdirected faxes or emails containing diagnoses, disclosures to an ex-partner without consent, or posting treatment details in a public space. These facts can support both tort and contract theories alongside negligence.

Steps to Address Medical Privacy Violations

Immediate actions

  1. Document everything: dates, who said what, and where data appeared.
  2. Preserve evidence: letters, emails, screenshots, portal messages, and envelopes.
  3. Notify the provider or plan in writing and request details of the breach and mitigation steps.
  4. Secure your identity: change passwords, enable multifactor authentication, consider a fraud alert or credit freeze.
  5. File an Office for Civil Rights complaint to trigger federal enforcement.
  6. Consider contacting your state attorney general or professional licensing boards for additional oversight.
  7. Consult counsel to evaluate potential state court claims and damages.
  8. Monitor for continuing exposure and keep a running log of impacts and costs.

When to talk to a lawyer

Seek counsel promptly if sensitive diagnoses were exposed, identity theft occurred, you received large medical bills tied to fraud, or the entity minimizes a clear breach. Early advice helps preserve claims and negotiate stronger remedies.

Choosing the right attorney

Look for experience with privacy, healthcare, and consumer protection litigation, including class actions when many patients were affected. Ask about prior results, investigation resources, and comfort with technical evidence like audit logs and security controls.

Fees and strategy

Many firms offer contingency or hybrid fee structures. Discuss demand letters, early settlement, individual vs. class strategies, and whether experts are needed to value risk and harm.

Protecting your claims

Send preservation letters to entities holding records, avoid posting sensitive details publicly, follow medical confidentiality laws when sharing your own documents in court, and calendar all deadlines, including any notice requirements under state statutes.

Remedies and Penalties for HIPAA Violations

Administrative outcomes under HIPAA

OCR can require corrective action plans, ongoing monitoring, and payment of civil monetary penalties for violations. Resolution agreements often mandate training, risk assessments, and policy overhauls tailored to the root cause of the incident.

Criminal enforcement

Knowingly obtaining or disclosing PHI without authorization can lead to criminal charges, with penalties that increase when the conduct involves false pretenses or intent to sell or use the data for personal gain. These prosecutions are separate from any civil case you pursue.

Civil remedies under state law

Courts may award compensatory damages, emotional distress damages, punitive damages where permitted, and injunctive relief ordering stronger safeguards. Settlements sometimes include credit monitoring and identity theft protection for a defined period.

Conclusion

You generally cannot sue directly under HIPAA, but you can pursue state-law remedies while filing with OCR to prompt enforcement. Start by documenting the breach, securing your accounts, submitting an OCR complaint, and consulting counsel to evaluate negligence, contract, and privacy tort claims. Acting quickly improves your chances of meaningful relief.

FAQs

Can I file a lawsuit directly under HIPAA?

No. There is no HIPAA private right of action. You can file an Office for Civil Rights complaint to seek federal enforcement, and you may bring state claims—such as negligence, breach of confidentiality, contract, or privacy torts—to seek damages for your specific losses.

What types of state law claims apply to HIPAA violations?

Depending on your jurisdiction: state negligence claims (including negligence per se), breach of contract against a healthcare provider (express or implied promises of confidentiality), breach of fiduciary duty, and invasion of privacy lawsuits like intrusion upon seclusion or public disclosure of private facts. Consumer protection and data breach statutes may also provide remedies.

How do I file a complaint with the OCR?

Gather facts about the patient privacy breach, including dates, what was disclosed, and who did it. Submit an Office for Civil Rights complaint within 180 days of discovering the issue, attach supporting documents, and describe the harm. OCR may investigate, mediate, or require corrective action; it does not award personal damages.

What evidence is needed to prove a HIPAA violation?

Useful proof includes breach notices, access or audit logs, emails or messages admitting disclosure, misdirected documents, witness statements, and a detailed timeline. To support damages, add credit reports, billing anomalies, identity theft records, and notes on emotional or reputational harm connected to the disclosure.
