As part of our healthcare practice, we frequently field questions from individuals from the general public about alleged violations of the HIPAA law that have affected them. Many people have been in the unfortunate situation where they believe that their protected health information (PHI) has been compromised inappropriately, and they want to know what they can do about it. Such individuals are often surprised and deeply disappointed to learn that the HIPAA law does not provide a "private right of action" in the event of unlawful access, use or disclosure of PHI. That means that under HIPAA, an individual cannot file a private lawsuit to recover damages against a party that allegedly improperly accessed, used or disclosed their PHI.
Such improper disclosures, however, may violate other state or federal laws or common law rights of privacy, so that individuals may wish to reach out to an attorney who is licensed in their state of residence to determine whether they have any specific claims, rights or remedies related to the improper access, use or disclosure. The statute of limitations on such claims may be very short-lived, so those who wish to pursue such potential claims should do so without undue delay.
Under HIPAA, if you feel that your PHI has been accessed, used or disclosed inappropriately, you may contact the Office of Civil Rights within the U.S. Department of Health and Human Services (HHS) to file a complaint (go to the OCR website to acquire a form that you may fill out online to file a complaint). Additionally, each state’s Attorney General is authorized to bring lawsuits under HIPAA on behalf of individuals whose medical records have been improperly disclosed, and to share any proceeds of such suits with the affected individuals.
While it may be viewed as unfair by victims of inappropriate access, use or disclosure of PHI that they cannot sue under HIPAA themselves, they should act promptly to seek assistance of HHS or their state’s Attorney General to assert what rights they do have under HIPAA.