Lawsuits For Unauthorized Release Of Private Medical Information

medical malpractice

We have previously written that the Health Insurance Portability and Accountability Act of 1996 (HIPAA), while requiring private health information be kept private, does not allow for an individual to file a lawsuit based on a violation of HIPAA. While a HIPAA violation does not provide the right for an individual to file a lawsuit when private medical information is released, one may still have the basis for such a suit under the torts of Invasion of Privacy or Breach of Confidentiality.

Invasion of Privacy 

State laws vary on the particulars, but in general an Invasion of Privacy lawsuit can be brought under three alternative theories: intrusion of seclusion, appropriation of a name or likeness of another, and publication of private facts. The release of personal medical information falls under the ‘publication of private facts’ category.

Who Can Sue for Publication of Private Facts?

Only actual live human beings, and not corporations or other organizations, can sue for publication of private facts. You cannot invade the privacy of a dead person. Therefore, an estate cannot sue you for publishing private facts about a dead person, unless your publication took place before the person in question died.

Unlike lawsuits for defamation, the truthfulness of the facts disclosed is not a defense in an invasion of privacy case. And also unlike defamation, the plaintiff does not have to prove special damages, meaning no actual harm must be proven in order to prevail.  Unlike defamation, where compensation is confined to actual injury, for invasion of privacy, damages are extended to presumed or punitive damages. Invasion of Privacy is a willful tort which constitutes a legal injury, and damages for mental suffering are recoverable without the necessity of showing actual physical injury.

A plaintiff must establish four elements to hold someone liable for publication of private facts:

1. Public Disclosure: The disclosure of facts must be public. Another way of saying this is that the defendant must “give publicity” to the fact or facts in question.

2. Private Fact: The fact or facts disclosed must be private, and not generally known.

3. Offensive to a Reasonable Person: Publication of the private facts in question must be offensive to a reasonable person of ordinary sensibilities.

4. Not Newsworthy: The facts disclosed must not be newsworthy. Stated differently, the facts disclosed must not be a matter of legitimate public concern.

Public Disclosure 

Public Disclosure, for the purposes of an invasion-of-privacy claim, means that the matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.?Restatement (Second) of Torts § 652D In other words, there are two methods to satisfy the publicity element of an invasion-of-privacy claim: the first method is by proving a single communication to the public, and the second method is by proving communication to individuals in such a large number that the information is deemed to have been communicated to the public.

Courts have held that the publicity element of an invasion-of-privacy claim is satisfied when private information is posted on a publicly accessible Internet website. The Restatement and caselaw teach that proof of publicity under the first theory does not require evidence that the information has been communicated to a large number of people. Rather, the question is whether the information has been communicated to the public at large.?Yath v. Fairview Clinics, N. P., 767 N.W.2d 34 (Minn.App. 06/23/2009)

Private Fact

The term “private facts” refers to information about someone’s personal life that has not previously been revealed to the public, that is not of legitimate public concern, and the publication of which would be offensive to a reasonable person. For example, writing about a person’s HIV status, sexual orientation, or financial troubles could lead to liability for publication of private facts. However, the law protects you when you publish information that is newsworthy, regardless of whether someone else would like you to keep that information private. In addition, the law protects you if you publish information already exposed to the public eye and especially material obtained from publicly available court records.


A plaintiff bringing a publication of private facts claim must show that, under the circumstances, publishing the facts in question would have been highly offensive to a reasonable person of ordinary sensibilities. The question is not whether the plaintiff himself/herself found the public disclosure highly offensive, but whether an ordinary person reflecting community mores would find it so.

Newsworthiness — Matters of Legitimate Public Concern

Newsworthiness is ordinarily the most important issue in a publication of private facts case. In many states, a plaintiff bringing a publication of private facts claim must show affirmatively that the facts disclosed were not newsworthy, that they were not a matter of legitimate public concern. In other states, the defendant must raise newsworthiness as a defense. Many courts hold that publishers have a constitutional privilege to publish truthful information on a matter of legitimate public concern. You generally cannot he held liable for disclosing private facts about someone so long as those facts are of legitimate public concern.

Each state has its own definition of what constitutes invasion of privacy through the publication of private facts.  A plaintiff must look to the laws of the state in which the disclosure of private facts was made. Some states have specific statutes which create the right to sue for certain invasions of privacy. For example, Massachusetts has a statute which says “[a] person shall have a right against unreasonable, substantial,  or serious interference with his privacy”. Mass. Ann Laws Ch. 214 § 1(B)

Invasion of Privacy In Healthcare

As previously noted, HIPAA is irrelevant when it comes to filing a lawsuit for the disclosure of private medical information. Our previous article, HIPAA Violations: Not A Cause Of Action For A Lawsuit, discussed this:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.  If an entity is not a covered entity, it does not have to comply with the Privacy Rule or the Security Rule. Covered entities include health care providers, health plans and health care information clearing houses. Your best friend, family member or neighbor, unless they are also your health care provider, is not a covered entity.

The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.

The U.S. Department of Health and Human Services’ Office for Civil Rights(OCR)  is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. HIPAA does not create or allow for an individual to bring a lawsuit against a covered entity. If an individual believes a violation of their right to privacy or private medical information security under HIPAA has occurred, they must file a complaint with the OCR if they wish action be taken. Individuals of course have the right to file a lawsuit based on violation of privacy, etc., but such lawsuits are not a part of HIPAA itself.

If a patient consents to the release of medical information, the patient cannot later sue claiming Invasion of Privacy based on that release. All consents should be in written form signed by the patient whenever possible. If the consent is verbal, it should be noted in the medical record and signed and dated by the individual who obtained it. All written consents by covered entities must contain specific information detailed in the HIPAA Privacy Rule. 

Breach of Confidentiality (Physician-Patient Privilege)

Another theory of tort law under which a plaintiff might file suit is Breach of Confidentiality. It refers specifically to the unauthorized release of medical information that was gained under physician-patient privilege. While the information in question is covered under the physician-patient privilege, created by the physician-patient relationship, it is not only the physician who can be sued for releasing the information without authorization. In some states the scope, application and waiver of the privilege are governed by statute and in others the privilege was developed in common law by court decisions. Again, one must look to the specific state in which the violation occurred. 

In Ohio for example, the Supreme Court found in Biddle v. Warren General Hospital, 86 Ohio St.3d 395, 715 N.E. 518 (1999), the following:

1. In Ohio, an independent tort exists for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship.

2. In the absence of prior authorization, a physician or hospital is privileged to disclose otherwise confidential medical information in those special situations where disclosure is made in accordance with a statutory mandate or common-law duty, or where disclosure is necessary to protect or further a countervailing interest that outweighs the patient’s interest in confidentiality.

3. A third party can be held liable for inducing the unauthorized, unprivileged disclosure of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship. To establish liability the plaintiff must prove that (1) the defendant knew or reasonably should have known of the existence of the physician-patient relationship, (2) the defendant intended to induce the physician to disclose information about the patient or the defendant reasonably should have anticipated that his actions would induce the physician to disclose such information, and (3) the defendant did not reasonably believe that the physician could disclose that information to the defendant without violating the duty of confidentiality
that the physician owed the patient. 

More recently the Court found that an attorney’s unauthorized disclosure of medical information obtained during litigation in a separate proceeding could be the basis of a tort claim.Hageman v. Southwest General Health Center, et al. Slip Opinion No. 2008-Ohio-3343 (July 9, 2008) 

Tags: , , , , ,

23 Responses to Lawsuits For Unauthorized Release Of Private Medical Information

  1. lawmed lawmed says:

    There are a number of issues, each of which has a different remedy. 1. The pharmacy, by both state and federal law, was prohibited from responding to the subpoena by providing your medical records to the attorney, or anyone else, without your expressed consent. They should be reported to the Department of Justice via a HIPAA violation complaint. Information on how to do this can be found at 2. I do not know whether you had an attorney representing you, but either he/she or you (if not represented by an attorney) should have objected to the medical records being used as evidence since they were illegally obtained. If no objection was made at the time you may not be able to appeal the decision based on improper evidence being considered. You need to consult a family law attorney. 3. While a HIPAA violation does not create a cause of action allowing you to bring a law suit, you can sue violators under “Invasion of Privacy”. Potential defendants would be the “W” pharmacy, the pharmacy tech, whoever actually sent the records and the lawyer who subpoenaed them, along with the mother-in-law, depending on her actual involvement in this. You certainly have a number of options and while the HIPAA violation complaint is something you can easily submit on your own, you will need to consult an attorney for the rest.

  2. bjc1153 says:

    Hope this isn’t too late but I have a question. Basically my girlfriend at the time now wife her mom hired an attorney for her ex husband and paid for everything to take my girlfriend to court because she moved to California with me and brought her daughter. Without going too much into it the lawyer without my consent showed the judge my medical records from a big chain pharmacy that starts with a W so that they could try and manipulate the judge into thinking i was a bad person and the child’s mother was an unfit mother for being with me and the judge granted custody to her ex who was in the state of Florida. Coincidentally my girlfriends mother was kin to the pharmacy tech that worked at W and when asked how she got my medical records she said the lawyer subpoenaed the pharmacy to give them all of my medical records which they did and that was the “smoking gun” so to speak in the whole court battle of custody. They took her daughter from her and gave her to the scumbag ex. I would like to know what my options are if anyone could help me I would appreciate it. Thanks

  3. lawmed lawmed says:

    This is not a HIPAA violation. HIPAA only applies to “covered entities” such as health care providers and insurance companies. An attorney is not a covered entity.

  4. dollygirl2013 says:

    I was sent someone elses medical records in the mail mixed in with my medical records from an attorney. Some of my medical records were missing. I found this to be very careless and unprofessional. I am concerned Who has my records and seeing them? What can be done about that? I’m pretty sure thats a Hippa violation, yes?

  5. Sara says:

    I am in need of advice…I underwent a custody hearing in 2002. My ex’s lawyer obtained my medical records in an attempt to prove I was unfit to care for my children. I was granted custody of my children. During this time, my ex disclosed my medical records to his wife, and now I have just learned through my children that his current (3rd) wife also has access to my medical records and has shown them to our children who are now teenagers. Do I have a case against my ex’es attorney for turning my records over to my ex? Or do I sue my ex for having my records and disclosing them to who he chooses? I objected the release of my med records but the judge ordered they be released due to the nature of the hearing. I didn’t understand this to mean that my ex would forever have my medical records. I am very disturbed that his wife would show my children. My ex’s second wife, who is now a friend of mine, told me he showed them to her as well. What, if anything, can I do?

  6. TonyFrancis says:

    If you are serious about pursuing the claim, you need to talk to a lawyer conversant in the law of privacy. Once again, the costs may be more than it is worth. But you won’t know until you talk to someone who can handle the case.

  7. Sarah says:

    I was seen at a physicians office where he told another patient (upon my standing at the check-out desk) that I had a particular health condition. I could identify the other patient and know specifics about their life (we talked in the waiting area). However, I don’t know this patients name or have any contact information. Can his patient log be subpoenaed? Can I still sue the physician for Breach of Confidentiality?

    Also, I have requested my medical records from this same physician. I have sent two requests -both through Certified Mail. I know this is a HIPAA violation and have filed a complaint with the OCR, but am wondering if I could sue privately for civil penalty money?

    Thank you!

  8. TonyFrancis says:

    The proof in these kind of cases can be difficult if you are relying on something someone said. In other words, the person who told you about it might not be willing to say the same in an affidavit, or in a deposition. And if they are, then it can boil down to her word against the word of the woman you are accusing. Enthusiasm can wane when there is the possibility of being impeached in a judicial proceeding. Make sure you aren’t letting your emotions get the best of your judgment.

    If you want to go forward with it, it would be best to discuss it with a lawyer who has experience with HIPAA complaints and invasion of privacy lawsuits. Filing a HIPAA complaint and a complaint with the state board might be a good place to start if you want to do something. If the information obtained by those agencies can be accessed, that may give you a better read on whether you have a case or not. However, that information is likely to be confidential. A lawyer may not be able get access to it. But they could try.

    Another thing to consider is the costs. They may become prohibitive without any real promise of getting anything. You might spend several thousand dollars simply to find you don’t have much of a case.

  9. lawmed lawmed says:

    Filing the complaint obviously should be done. Her employer can get fined thousands of dollars. If she has a professional health care provider license issued by the state you can also file a complaint with the state board which issues it. HIPAA violations are taken very seriously by state license agencies and can result in sanction, suspension or revocation of a license and fines on the individual. One might consider a letter to her employer detailing your concern as well as your intention to file the complaint. Obviously without knowing all the dynamics of the personalities, the information accessed, etc. it is hard to speak in anything but generalities here.

  10. Michelle Banks says:

    My husband has a child with her, and he has 2 children with me. She looked into MY child’s record (also my husband’s child. Not the child they have together) I am looking into filing a HIPAA complaint, but I am wondering if I can file a civil suit or something against her. She is not a good person and knowing she violated my child’s privacy really upsets me (and my child). Also, knowing the type of person she is, it is entirely possible she has looked into my other child’s record, mine, and then there is the possiblilty that it would continue if I don’t do something.

  11. lawmed lawmed says:

    I am a little confused. To be clear you are saying that the woman is NOT the mother of the child, with legal custody for such purposes, who’s records she looked at. You say ‘the mother’ and ‘my son’ so it is not clear.

  12. TonyFrancis says:

    You can go to this site which tells you how to file a complaint. Or you can google “filing a HIPAA complaint” to get to the same place.

  13. Michelle Banks says:

    She told someone… I don’t know if she looked into others, just the one, but the fact that she could look into the others disturbs me. I think they can check to see who has been in the records, it is all computerized. I haven’t filed a complaint yet, I wanted to know all of my options.

  14. TonyFrancis says:

    Michelle, it depends. Proving she looked at your records may be difficult. Because she had the opportunity does not mean she did.

    How do you know she looked into your son’s medical records?

  15. Michelle Banks says:

    I have a question. My husband has a child from a previous relationship. I just found out that the mother (who works in the medical field) has looked into my son’s medical records- Where she works, she would also have the opportunity to look into all of our records. Do I have any legal recourse?

  16. TonyFrancis says:

    That brings up another issue. If the information posted was not directly traceable to you, then it is more difficult to claim an invasion of privacy.

    Consider this hypothetical: A person posts on Facebook, “I just saw a patient with AIDS.” There is no identifying information shown.

    Another person comes on the Facebook page and says, “Hey, I was just at that doctor’s office. I have AIDS! They are releasing my private information!”

    That would be considered “self publication.”

    However, if the medical situation is so unique that it is apparent that publishing the information can reasonably be traced back to a specific person, then that is a different set of facts.

    An example: “I just saw a patient who was involved in the motor vehicle accident today in our town, and they have a serious brain injury.” And there was only one MVA in the town that day, then the information posted can reasonably be traced back to a specific person in the accident.

    Under any circumstances, it is poor form to publish specific medical information. If nothing else, it makes it uncomfortable for the patient.

    I post cases all the time on closed medical blogs. But I am careful to fictionalize the facts so it can’t be traced back to a specific individual, while keeping the medical aspects intact for discussion purposes.

  17. lawmed lawmed says:

    You describe a textbook example of someone divulging HIPAA protected private health information under the mistaken belief that simply removing names, or addresses, etc. renders the information ‘OK’ to blab about. It is also a fantastic example of how quickly someone identified that information as belonging to you. I won’t even comment on the fact that it was in your handwriting which any number of people would recognize. As I said this is a HUGE HIPAA violation without ANY doubt. Posting ANY patient information on social media websites, no matter how seemingly benign or unidentifiable is a VERY BAD idea as there is case after case like this. And of course if bad taste were illegal another crime would have been committed here.

    As for finding legal counsel you might try looking for an attorney who specializes in Health Law. You may need to contact a larger law firm.

  18. Tylerdurdin says:

    Famous, haha, no. I think she thought the fact I wrote that I was dying was funny. She took my personal info off. But a gentleman who worked with me came up to me about 45 minutes after I got back to work(from the MRI) and showed me her Facebook page and asked me if that was my information. It was his friend of his family.

  19. TonyFrancis says:

    Why would the woman post your private information on a Facebook page? Are you famous?

    Also were you identified? Or identifiable from the information posted?

  20. tylerdurdin says:

    Thank you so much for your insight. It’s great to know that there. Is help out there. One last question, if I were to pursue this, what type of attorney should I seek out? The few that I spoke to were so shocked by it that they said they had no idea how to proceed with a case like this.

  21. lawmed lawmed says:

    First, understand that this blog does not give legal advice. However one of the main elements for an invasion of privacy lawsuit is publication of private information to a large audience…and facebook qualifies in spades. If I understand correctly this person published a picture of some portion of what you wrote? This is a HUGE HIPAA violation and while doing so does not allow you to recover damages you most definitely should report this at You also need to save a copy of the facebook posting, both by actually saving the page as a html file AND doing a screen capture of the page (create a picture of it) in case it is removed. Then consult an attorney. It sounds like it may be worth your while.

  22. tylerdurdin says:

    I have a question, 3 weeks ago, I filled out my initial paperwork at a diagnostic center for an MRI. The female at the front desk posted some of the information that I wrote onto her facebook(via picture). Is it possible for me to sue?

    Thank you for your help on this matter.

  23. TonyFrancis says:

    Thanks for posting this most informative article. It has so much good information in it. I will keep it for future reference.