HIPAA Violations: Not A Cause Of Action For A Lawsuit

There is much confusion among the general public, and even among health care workers, as to the investigation, penalties and individual rights regarding HIPAA violations. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.  If an entity is not a covered entity, it does not have to comply with the Privacy Rule or the Security Rule. Covered entities include health care providers, health plans and health care information clearing houses. Your best friend, family member or neighbor, unless they are also your health care provider, is not a covered entity.

The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.

The U.S. Department of Health and Human Services’ Office for Civil Rights(OCR)  is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. HIPAA does not create or allow for an individual to bring a lawsuit against a covered entity. If an individual believes a violation of their right to privacy or private medical information security under HIPAA has occurred, they must file a complaint with the OCR if they wish action be taken. Individuals of course have the right to file a lawsuit based on violation of privacy, etc., but such lawsuits are not a part of HIPAA itself.

The OCR investigates all complaints according to a defined process. If a violation has occurred, the OCR may fine the entity and/or have the entity take corrective action. For criminal misuse of private information the Department of Justice may bring criminal charges.

File a complaint HERE.

HHS HIPAA information hub HERE.

An individual, as was the case before HIPAA, may file a lawsuit under the common law tort of invasion of privacy if personal medical information is used inappropriately. However the lawsuit may NOT be based on HIPAA rules being violated. Such lawsuits must meet the following elements to prevail:

1. Public Disclosure: The disclosure of facts must be public. Another way of saying this is that the defendant must “give publicity” to the fact or facts in question.

2. Private Fact: The fact or facts disclosed must be private, and not generally known.

3. Offensive to a Reasonable Person: Publication of the private facts in question must be offensive to a reasonable person of ordinary sensibilities.

4. Not Newsworthy: The facts disclosed must not be newsworthy. Stated differently, the facts disclosed must not be a matter of legitimate public concern.

Unlike HIPAA violations where an entity can be fined by the government for the violation itself independent of any damage or harm caused, a lawsuit for invasion of privacy must show actual damages, but proof of special damages is not required. The act of invading one’s privacy, while necessary to mount a claim, is in and of itself not evidence of damage and insufficient for a lawsuit. However,  also unlike defamation, the plaintiff does not have to prove special damages, meaning no actual harm must be proven in order to recover for them.  Unlike defamation, where compensation is confined to actual injury, for invasion of privacy, damages are extended to presumed or punitive damages. Invasion of Privacy is a willful tort which constitutes a legal injury, and damages for mental suffering are recoverable without the necessity of showing actual physical injury. 

See our related latest article on this subject: Lawsuits for Unauthorized Release of Private Medical Information  which discusses the type of lawsuit one can potentially file.

Tags: , , , , ,

10 Responses to HIPAA Violations: Not A Cause Of Action For A Lawsuit

  1. lawmed lawmed says:

    One of the permitted uses of protected health information is the sharing of that information for billing purposes. It is also permitted for one practitioner/facility to inform another also involved in that patient’s care, that a procedure is not being done because a bill has not been paid.

    You might consider finding another pain management specialist to do your epidural, and you can request a copy of your medical records which you can pick up from the office and take with you to your new provider.

  2. Brittany Anderson says:

    Hi, I have a few questions myself. On the 11th of this month I had contacted the anesthesiologist regarding getting an epidural. I was informed by him that I needed to talk to the lady in billing before he could schedule me one. I called her and she told me that I am behind in bills and she could not approve my epidural. I then made payment arrangements with her and tried to get one scheduled, but they guy went out of town. I called the clinic and they told me to ask if they could use my old orders which were the ones with my maiden name.( I just got married in May) until the next day when my PA was back. I then called back to the hospital and talked to the lady that schedules the appointments. She told me that the lady in billing told her that I was behind in my medical bills and they could not get one done until I took care of things in billing. She also told me that using my old orders was considered fraud. So I waited for the next day. The anesthesiologist went out of town for 10 days, so I tried going to a different hospital. No luck there. After thinking about all the this, I got to thinking and felt that the lady in billing violated my privacy. I do not see the point in her telling anyone that I am behind in my bills. She simply had to say that she had to discuss some things with the patient and left it at that. Anyway, today I called back to see if I could get my injection, I was informed that they have decided not to accept my payment arrangements and now I will not be allowed to get any treatment until my bills are paid in full. I was also told that because I had made a comment on Facebook that one of their staff members had turned it over to them. There was nothing bad at all about the comment just that I said Vivian, which is the lady that schedules these things would not allow me to use my old orders, and that also because Norma said I was behind in my medical bills. I did not bash the hospital I stated what was said to me, to a friend who has similar issues. I was then directed to the OCT officer who went on to explain that an epidural is an elective and not something that is required, and I also explained to him that I had made payment arrangements with billing, and he said yeah and what did you do after that. I said to him I filed a complaint. He said exactly… So now I am being punished for filing a complaint. I need my epidural, I have not had one in 6 months, and I am in severe pain, but I can not get one because they are refusing to treat me now. What can I do about all of this. I am on disability for this and also have two children to take care of ages 4 and 5. I can not go on in pain, but don’t know what to do and what steps I need to take to get this matter resolved. I have filed another complaint, but I want more done about it. No one understands that I am in pain, and it is messing with my emotions, because I can not play, pick up or do normal activities with my children. This is unfair and cruel.

  3. TonyFrancis says:

    Thanks for your comment. I usually post something new on the blog “The Verdict Is In” on Medscape/WebMD on Thursdays. So it was a pleasant surprise to discover your site. I am always looking for something new.

    The old tort of invasion of privacy appears to be set for expansion, depending on the jurisdiction.

    We had an interesting post on the closed blog – it was a psychiatrist who wondered about releasing her records concerning a child patient to the “other non-custodial parent” -the father – when those records contained medical information about the health of the custodial mother. It is kind of a dilemma. The non-custodial parent has a right to the child’s records, but not the mother’s information.

    We finally decided the only solution would be to scrub the original records of the mother’s medical information, or in the alternative, dictate a short summary of the child’s records for the court to review.

    Anyway, I will keep you posted of new posts. Thanks.

  4. lawmed lawmed says:

    We have just published a related item: lawsuits-for-unauthorized-release-of-private-medical-information


  5. lawmed lawmed says:


    Thanks for the mention in your article! It seems to depend on what state you are in as to how ‘easy’ an Invasion of Privacy action will be to prevail in. Each state has their own definitions and laws regarding this tort.

    Actual damages in an Invasion of Privacy suit must be specifically proven. (I lost my job, etc. due to the disclosure) However, Special Damages in an Invasion of Privacy suit, unlike those in a Defamation action, do not have to be specifically proved in general. In other words, actual harm does not have to be proven to recover presumed or punitive damages. The remedy, absent actual damages, is presumed/punitive damages which is always a nebulous matter left in the hands of the jury.

  6. TonyFrancis says:

    I have linked to this article on the blog I write for WebMD/Medscape, “The Verdict Is In.”


  7. TonyFrancis says:

    I am curious about “Invasion of Privacy.” That seems to be a difficult tort to bring to a successful conclusion. The damages would probably be nebulous, somewhat like defamation.

  8. Amy Lauren says:



  9. Amy Lauren says:

    Instead of caring for me and sending lab work to my doctor in NYC (which was part of the plan)
    My ex-doctor sold me out and published an article about a potential medical breakthrough and reversal of Premature Ovarian Failure. In fact that is the title of the article. But that never happened! Instead of getting better i got much worse and was brain washed that I was getting better.The doctor used all of my medical history and lab work to prove something he new himself to be a bold face lie! Not only was he negligent in my care he has now without my consent published an article (and even thanked me for allowing him to use all of my health information) for a cause that turned out to be the farthest thing from the truth. After reviewing the article my present DR told me that I have a giant lawsuit on my hands and that this dr is dangerous and purely out to make a name for himself anyway possible. The facts, the doctors, the quotes and the events are undeniably me. He even left out certain blood tests with an n/a that were right in front of him because they did not fit with what he was trying to prove. All the while I am getting sicker from 12 autoimmune diseases and he knows it when in June a CRP test comes back highly elevated. That was the beginning of the demise of my thyroid and adrenal glands as was seen just two months after our final appointment. Though I did go back to his office where the senior doctor and office manager tried to soothe me and told me how sorry they were and how they would make sure they would get me to the right doctors. The senior doc also dx’d me with a rare disease called APECED or Pplyglandular Endocrine disorder. Then I left the office and never saw him again. He had also taken some blood work at the time…I imagined it would be 5 pages at least. Nope 1 page in which he decided or I assume had his medical out to say I was healthy and fine. The article came out just a few weeks ago(July 12 2010) After calling the publisher to inform them the article was complete and utter bs there question to me was”How did you get this article” it is for doctors only!…The article is now giving women false hope on many websites including the NIH and Medscape!