The short answer is no. HIPPA itself precludes any “private cause of action.” Even if the health care provider clearly did not abide by HIPPA rules and you suffered some harm as a result, a private individual cannot sue under HIPPA. Only the federal government can assess penalties against a healthcare provider for violating HIPPA.
If you believe HIPAA Rules have been violated, you (and all patients) can file complaints with the federal government and in most cases, complaints are investigated. The complaint must be filed with the Department of Health and Human Services’ Office for Civil Rights (OCR). Complaints must be filed within 180 days of when you discover the violation.
You may choose to file a claim anonymously, but know that OCR will not investigate the complaint unless you identify yourself and provide a way for OCR to contact you. Complaints can also be filed with state attorneys general, who are authorized to pursue cases for HIPAA violations.
After investigating, the ORC may take actions against the health system or provider. The severity of the actions will depend on several factors, such as whether the violation was an accident, how many individuals were impacted, and whether this is a repeat violation of HIPAA Rules.
Many complaints are resolved through voluntary compliance, by issuing guidance, or by the offending organization taking corrective action to resolve issues that led to the complaint. The Department of Justice may pursue cases if a criminal violation of HIPAA rules is suspected.
Although you may not directly pursue a HIPAA violation lawsuit, you may take legal action against a health care provider and seek monetary damages under state law, personal injury lawyers say. In some states, you may sue the health care provider on the grounds of negligence or for a breach of an implied contract. You would likely need to prove that you suffered some harm or damages due to the failure to protect your private information.
You should be aware that a lawsuit like this can be very expensive and time-consuming, with no guarantee that you will win. Health care providers usually are covered by medical malpractice insurance, and the insurers’ legal teams are known to drag out a legal case with the hopes that the plaintiff will give up.
Another way to take legal action against a health care system or provider who has failed to protect your private data is to join an existing class-action lawsuit. The more individuals involved, the stronger the case is likely to be.
If you believe your right to privacy has been violated, be sure to consult with an experienced attorney who is knowledgeable about medico-legal issues.