Is There a Private Right of Action Under HIPAA? Your Legal Options Explained

Kevin Henry

HIPAA

September 09, 2025

6 minutes read

Short answer: no—HIPAA does not grant a private right of action that lets you sue directly under the federal statute. But that does not leave you without remedies. You can leverage federal enforcement, state law claims, and consumer protection statutes to address unlawful disclosures of your health information.

Below, you will learn how the Department of Health and Human Services and its Office for Civil Rights enforce HIPAA, which state-law pathways remain open to you, and how civil monetary penalties work when regulators step in.

HIPAA Enforcement Mechanisms

HIPAA is enforced primarily by the Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). OCR investigates complaints, audits compliance, negotiates resolution agreements with corrective action plans, and assesses civil monetary penalties when warranted.

When conduct is potentially criminal—such as knowingly obtaining or disclosing protected health information (PHI) under false pretenses—HHS can refer matters to the Department of Justice for prosecution. State attorneys general may also enforce HIPAA on behalf of residents, adding another public enforcement channel.

Typical outcomes of OCR actions

  • Technical assistance or voluntary compliance assurances.
  • Resolution agreements with multi-year corrective action plans and monitoring.
  • Civil monetary penalties based on the severity and culpability of violations.
  • Referral for criminal investigation when appropriate.

Covered entities (health plans, most healthcare providers, and clearinghouses) and their business associates are within OCR’s reach. You cannot file a HIPAA lawsuit yourself, but your complaint can trigger these enforcement tools.

State Law Claims for HIPAA Violations

Although HIPAA itself lacks a private right of action, you may pursue state law causes of action arising from the same facts. Courts often allow plaintiffs to use HIPAA standards as evidence of the duty of care, even though HIPAA is not the claim’s legal basis.

Common civil theories to discuss with counsel

  • Negligence claims for failing to safeguard PHI (sometimes framed as negligence per se where recognized).
  • Invasion of privacy torts, including intrusion upon seclusion or public disclosure of private facts.
  • Breach of confidentiality or fiduciary duty by a healthcare provider or employer.
  • Breach of contract based on privacy promises in notices or patient agreements.
  • Claims under state medical privacy or data breach notification statutes.

Remedies vary by state and may include injunctive relief, out-of-pocket and consequential damages, and in some jurisdictions statutory damages and attorneys’ fees.

Filing Complaints with HHS OCR

You can file a complaint with the HHS Office for Civil Rights if you believe a covered entity or business associate violated HIPAA. Generally, complaints should be submitted within 180 days of when you knew of the violation; OCR may extend this for good cause.

How to prepare an effective OCR complaint

  • Confirm HIPAA coverage: identify the entity (provider, plan, clearinghouse) or business associate.
  • Gather facts: dates, what was disclosed, who received the information, and how the incident came to light.
  • Include documentation: notices of privacy practices, correspondence, screenshots, or breach notifications.
  • Explain the impact: financial harm, reputational harm, or barriers to care.
  • Request relief: investigation, corrective action, and, if appropriate, civil monetary penalties.

HIPAA prohibits retaliation for filing a complaint or exercising privacy rights. Keep copies of everything you submit and note all follow-up communications from OCR.

Act quickly if you suspect a breach. Ask the provider for an accounting of disclosures, request a correction if records are inaccurate, and consider placing fraud alerts if financial data was involved. Document all contacts, dates, and outcomes.

Parallel to an OCR complaint, explore state-level options. File a grievance with your state health department or state attorney general, and consult a lawyer experienced in health privacy or data breach litigation about potential negligence claims, invasion of privacy, or breach of confidentiality.

If the entity falls outside HIPAA (for example, certain health apps or wellness platforms), consumer protection statutes may provide a path to relief based on unfair or deceptive practices about data collection and security.

Understanding Civil Monetary Penalties

OCR applies a tiered penalty framework that accounts for the entity’s knowledge and corrective actions—from violations where the entity lacked actual knowledge, through reasonable cause, up to willful neglect (corrected or uncorrected). Each violation may carry a per-violation amount and annual caps, which are periodically adjusted for inflation.

When deciding penalties, OCR weighs factors like the number of individuals affected, the sensitivity of PHI, duration and repetition of conduct, harm to individuals, the entity’s history, and the effectiveness of remediation. Many cases resolve through settlement agreements paired with corrective action plans rather than formal penalties.

Differences Between Federal and State Enforcement

Federal enforcement by OCR is regulatory and forward-looking, emphasizing systemic fixes and, when needed, civil monetary penalties or criminal referrals. State attorneys general can bring actions to protect residents, often seeking injunctions, restitution, and, in some states, statutory penalties.

HIPAA preempts contrary state laws, but it acts as a floor, not a ceiling. More stringent state privacy protections survive. Practically, this means you may see OCR drive nationwide compliance while state actions address local harms and deliver individualized relief.

Most states maintain consumer protection statutes that prohibit unfair or deceptive acts or practices. If a provider, insurer, pharmacy, or health-tech company promises robust privacy but fails to implement reasonable safeguards, those misrepresentations may be actionable—even when HIPAA itself does not let you sue.

Depending on the state, you may recover actual damages, statutory damages, attorneys’ fees, or injunctive relief. These cases often turn on whether privacy statements, notices, or marketing created reasonable consumer expectations and whether data practices were undisclosed, misleading, or unfair.

Conclusion

While there is no private right of action under HIPAA, you still have options. Use OCR’s enforcement process to drive corrective action, evaluate state negligence claims and invasion of privacy theories, and consider consumer protection statutes when promises about data practices fall short. A targeted strategy that blends these tools can deliver accountability and meaningful relief.

FAQs

Can individuals sue for HIPAA violations?

No. Individuals cannot sue directly under HIPAA. However, you may pursue state law remedies—such as negligence claims, invasion of privacy, breach of confidentiality, or actions under consumer protection statutes—based on the same facts.

How does HHS investigate HIPAA complaints?

The Office for Civil Rights screens your complaint for jurisdiction and timeliness, requests records from the entity, analyzes policies and safeguards, and then seeks corrective action where needed. Outcomes range from technical assistance to resolution agreements and civil monetary penalties, with criminal referrals for egregious conduct.

What state laws apply to health privacy breaches?

Depending on where you live, options may include common-law negligence, invasion of privacy torts, breach of confidentiality, medical privacy statutes, data breach notification laws, and consumer protection statutes targeting unfair or deceptive practices.

Are there any penalties for HIPAA violations without private lawsuits?

Yes. Even though you cannot sue under HIPAA, OCR can impose civil monetary penalties, require corrective actions, and monitor compliance. State attorneys general can also enforce HIPAA and related state laws, seeking injunctions, restitution, and other remedies.
