A patient cannot sue a healthcare provider for a HIPAA violation and seek damages even when harm resulted. But it is still possible to take legal action against the covered entity and demand damages for violation of state laws. Some states allow patients to file a lawsuit when the covered entity failed to protect medical records on the grounds of negligence or a breach of an implied contract. But it is necessary for the complainant to prove that damage or harm has been done as a result of the breach. Patients should take note that this legal process can be expensive and success is not guaranteed. Hence, a patient should be focused on what he hopes to achieve.
How To File Complaints for HIPAA Violations
When patients file complaints with the federal government, it triggers an investigation most of the time. When there’s substantial evidence to back-up the complaint that the HIPAA Rules had been violated, action may be taken against the covered entity. Actions taken depend on a number of factors: nature of the violation, severity of violation, number of persons impacted, and repetition of HIPAA Rules violation.
The complainant can file a lawsuit with the Department of Health and Human Services’ Office for Civil Rights (OCR). It should not be an anonymous complaint or there will be no investigation. A complaint must be filed before any legal action can be taken against the covered entity. It should be filed within 180 days of discovering the violation. In some cases, this time period is extended. Many complaints can be resolved in several ways: voluntary compliance, issuing guidance, the covered entity takes corrective action.
A complaint may also be filed with state attorney generals. They are authorized to pursue cases filed against HIPAA-covered entities that violated HIPAA Rules. When there was a criminal violation of HIPAA Rules, the complaint may be referred to the Department of Justice. Complaints involving individuals may also be filed with professional boards like the Board of Medicine or Board of Nursing.