How to Sue for a HIPAA Violation: When You Can (and Can’t), Steps, and Deadlines


Kevin Henry

HIPAA

February 13, 2024

7 minutes read

Wondering how to sue for a HIPAA violation? Start by understanding when you can and cannot bring a lawsuit, what the Office for Civil Rights enforcement process looks like, and how deadlines affect your options. This guide walks you through complaints, state-law paths, retaliation protections, and potential HIPAA violation penalties so you can protect your health information privacy rights.

Understanding HIPAA and Private Right of Action

HIPAA sets national standards for protecting protected health information (PHI) held by covered entities and their business associates. It governs how your PHI may be used and disclosed and requires safeguards, notices, and access rights that strengthen your health information privacy rights.

HIPAA does not create a direct private right of action. That means you generally cannot sue “under HIPAA” in federal court simply because a violation occurred. Instead, federal enforcement happens through the U.S. Department of Health and Human Services’ Office for Civil Rights.

When you can sue

Even though HIPAA itself doesn’t let you sue, the same facts may support a lawsuit under state law. Many states recognize claims such as negligence, breach of confidentiality, invasion of privacy, breach of contract, or consumer-protection claims. Some states also have state medical privacy laws that expressly allow private lawsuits for unauthorized disclosures or data breaches.

When you can’t sue

You can’t bring a lawsuit solely for “violating HIPAA.” Your primary federal pathway is to file a complaint with OCR, which can investigate and require corrective action. If you seek damages, you typically explore state-law remedies in addition to (not instead of) the OCR process.

Filing a Complaint with OCR

OCR is the federal agency responsible for receiving HIPAA complaints and enforcing HIPAA. Filing is free and available to anyone who believes their privacy rights were violated, including patients, personal representatives, or whistleblowers with knowledge of a violation.

Step-by-step filing

  • Identify the covered entity or business associate you believe violated HIPAA, and note dates and what happened.
  • Gather supporting materials such as letters, emails, screenshots, or policies that show the use, disclosure, or denial at issue.
  • Submit your complaint to OCR with your contact information, a clear description, and the timeline of events. You may also request language or accessibility accommodations.
  • Keep copies of everything you submit and create a simple chronology for reference in later communications.

Who can file and what to expect

Individuals, their personal representatives, and people with direct knowledge of a violation may file. OCR first checks jurisdiction and timeliness, then decides whether to open an investigation, seek an early resolution, or provide technical assistance. If OCR opens a case, you may be asked for more details during the review.

Meeting Complaint Requirements

To be considered, your complaint should include: your name and contact information; the name of the covered entity or business associate; a concise description of what happened; relevant dates; and any harm you experienced. If filing for someone else, explain your relationship and authority to act.

There is a HIPAA complaint filing deadline: generally, you must file within 180 days of when you knew—or should have known—about the violation. OCR may extend this deadline if you show good cause for delay, so provide reasons promptly if you need an extension.

  • Be specific about dates and people involved.
  • Attach documents that corroborate your account.
  • State whether you fear retaliation and if you seek confidentiality for your identity.
  • Respond quickly to OCR requests to avoid delays or closure.

Exploring State Law Remedies

If you want compensation, explore potential state-law claims alongside the OCR route. State medical privacy laws, consumer-protection statutes, and common-law claims may allow damages, injunctive relief, or attorneys’ fees depending on the jurisdiction and facts.

Common state-law pathways

  • Breach of confidentiality or privacy torts (e.g., improper disclosure of medical information).
  • Negligence or negligence per se (using HIPAA as evidence of the standard of care in some jurisdictions).
  • Breach of contract or implied contract based on privacy promises or notices.
  • Consumer-protection or unfair practices claims for misleading privacy representations.
  • Data-breach statutes with statutory damages or fee-shifting in limited circumstances.

Deadlines for state claims

Statutes of limitations vary widely by state and claim type. Some privacy or negligence claims may have one-to-three-year windows, while contract claims can be longer. Because deadlines are strict, consult counsel quickly to preserve your rights.

Protecting Against Retaliation

HIPAA prohibits intimidation or retaliation against anyone who files a complaint, participates in an investigation, or otherwise exercises their rights. These retaliation protections bind covered entities and business associates.

What counts as retaliation

  • Firing, demoting, or disciplining you for raising a privacy concern.
  • Denying services or benefits because you filed a complaint.
  • Harassing or threatening behavior intended to deter you from exercising your rights.

What to do if you experience retaliation

  • Document incidents with dates, names, and witnesses.
  • Report the behavior to the entity’s privacy or compliance officer in writing.
  • Include retaliation facts in your OCR complaint, and consider separate state-law claims where available.

OCR’s Investigation and Enforcement Process

After intake, OCR assesses jurisdiction, timeliness, and the nature of the alleged violation. If OCR proceeds, it may request records, interview witnesses, and evaluate safeguards, training, and policies. Many matters resolve through voluntary compliance or technical assistance if issues are limited.

Possible outcomes

  • Technical assistance or early resolution when violations are minor or quickly corrected.
  • Resolution Agreement and Corrective Action Plan detailing OCR corrective actions, with monitoring to verify sustained compliance.
  • Civil money penalties when violations are serious, persistent, or involve willful neglect without timely correction.
  • Referral to the Department of Justice for potential criminal enforcement in egregious cases.

Potential Penalties for HIPAA Violations

HIPAA’s civil penalty framework has four tiers that scale with the organization’s culpability—from lack of knowledge to willful neglect not corrected. Penalties are assessed per violation, subject to annual caps, and are adjusted periodically for inflation. Factors include the number of individuals affected, the nature and duration of the violation, harm caused, corrective efforts, history, and the entity’s size and financial condition.

Civil penalties (OCR)

  • Tiered penalty ranges reflecting the entity’s knowledge and response.
  • Per-violation amounts and annual caps that are periodically adjusted.
  • Obligations to implement remedial measures such as risk analyses, policies, training, and technology safeguards.

Criminal penalties (DOJ)

  • Knowing wrongful disclosures of PHI can lead to fines and imprisonment.
  • Offenses committed under false pretenses or for personal gain, commercial advantage, or malicious harm carry higher maximum sentences, up to 10 years in the most serious cases.

Remedies under state law

  • Compensatory damages for financial losses and emotional distress where allowed.
  • Statutory damages or fee-shifting in states that provide them.
  • Injunctive relief requiring stronger privacy and security safeguards.

Conclusion

You generally can’t sue directly “under HIPAA,” but you can file with OCR and, where appropriate, pursue state-law claims for compensation. Track the 180-day federal complaint deadline, preserve evidence, and act quickly to evaluate state statutes of limitations. Use the OCR process to stop ongoing issues, leverage retaliation protections, and, when warranted, seek remedies through state medical privacy laws.

FAQs

Can I sue directly for a HIPAA violation?

No. HIPAA does not provide a private right of action. You can file a complaint with OCR for federal enforcement and consider state-law claims—such as breach of confidentiality or negligence—if you seek damages.

How do I file a complaint with OCR?

Prepare a clear description of what happened, identify the covered entity or business associate, gather supporting documents, and submit your complaint to OCR. Include your contact information, dates, and whether you seek confidentiality or accommodations.

What is the deadline for filing a HIPAA complaint?

The HIPAA complaint filing deadline is generally 180 days from when you knew or should have known about the violation. OCR may grant an extension for good cause, so explain any delay as soon as possible.

Are there state laws that allow suing for HIPAA violations?

States don’t let you sue “under HIPAA,” but many provide their own causes of action for unauthorized disclosures or inadequate safeguards. These state medical privacy laws and related claims can allow damages, injunctive relief, or attorneys’ fees, depending on your jurisdiction and facts.
