Remedies for HIPAA Violations: Part 1

Thursday, February 14, 2019
By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Last year (2018) the government collected over $27 million in fines levied on health care providers and other covered entities for Health Insurance Portability and Accountability Act (HIPAA) privacy violations. At The Health Law Firm, we often receive questions about possible violations of the HIPAA Privacy and Security Regulations. Most often, the questions we see are on breaches of confidentiality of medical records and medical information. I will attempt to explain and clarify this issue in this two-part blog series. Stay tuned for part two!

HIPAA Privacy Regulations and Security Regulations.

There is no private cause of action allowed to an individual to sue for a violation of the federal HIPAA or any of its regulations. This means you do not have a right to sue based on a violation of HIPAA by itself; however, you may have a right to sue based on state law.

1.  File a HIPAA Privacy Complaint with the Office of Civil Rights (OCR).

As a first step, you may desire to file a HIPAA Privacy Complaint with the federal government.  These are usually required to be filed within 180 days of the event (there are limited exceptions).  They are usually all taken and fully investigated.  If it is an egregious or a repeat violation, it may even result in an investigation by the Federal Bureau of Investigation (FBI) and criminal charges being filed against those responsible.  However, in most cases if there is a valid complaint, the federal government will assess administrative fines against those responsible.  In almost all cases, a report will be made back to you of what is found and what actions have been taken. If you decide to file a HIPAA Privacy Complaint, this is done with the OCR of the U.S. Department of Health and Human Services (DHHS).  You may do this online.  The Complaint form can be found here.  

If you follow this process and the violation is verified, you may find it easier to retain an attorney to take your case.  Please note, there is only a very short period of time in which you are allowed to file such a complaint.

2.  File a Complaint Against the Physician Involved with the Florida Department of Health (DOH).

The Florida Department of Health (DOH) licenses all physicians, nurses and health professionals in the state of Florida. It is also responsible for investigating complaints against them. The various professional boards (Board of Medicine, Board of Nursing, etc.) are under the DOH. If there was a violation, breach of patient confidentiality or medical records confidentiality, this may also be a violation of the state’s laws on patient or medical records confidentiality. Please note, this is true in most states, not just Florida.

If there was a violation or breach of patient confidentiality by a licensed health care professional, you may also file a complaint with the appropriate state licensing board or agency about this, as well.  In Florida, for example, if a licensed health professional did this, you may decide to report this to the Florida DOH.  If they are licensed in a different state, you may have to follow that state’s procedure for filing a complaint.

For Florida, you may call the Florida DOH at (888) 419-3456 or (850) 245-4339, or you may use the online complaint form.

The Florida DOH will investigate the complaint and in most cases have an expert witness review it.  If there is a finding against the physician (or licensed health professional) you can ask for a copy of the DOH expert’s report.  This may result in your obtaining a free expert witness review of the case.

3.  File Grievance or Report to Third Party Payer (Medicare, Tricare, VA, Insurance Co.).

If you are a Medicare patient, TRICARE/CHAMPUS patient, Veterans Administration (VA) patient, Public Health Service patient, or military patient, you may also report this to the Office of the Inspector General (OIG) of that specific agency.

If you are a member of a managed care plan or have health insurance, you may desire to file a member grievance or complaint with the insurance company.  Every physician or licensed health care professional who accepts Medicare is subject to the Medicare Program’s peer review system.  You may file a complaint directly with Medicare and ask for it to be reviewed by the Medicare peer review program.

4.  You may file suit, but the suit will be for common law negligence or invasion of privacy.

If you do decide your case is appropriate for filing a lawsuit, the suit will be based on state common law negligence (the same as automobile accident cases) and not based on HIPAA alone. You may also have a cause of action under your state's laws on invasion of personal privacy. Some states have strict laws and even state constitutional provisions guaranteeing their citizens the right to privacy. This right extends to privacy in their medical records and medical information.

Common law negligence means that there has been a duty breached by someone that has resulted in damages to you. So, you must be able to show that you were damaged somehow by the breach of confidentiality or privacy that occurred. The duty that was breached can be the duty imposed on a health care provider or covered entity by HIPAA and its implementing regulations, by state laws, by state constitutional provisions, by the standards and principles of the American Medical Association (AMA), and other standards and duties of the health care provider.

More on HIPAA Violations.

The failure to comply with HIPAA can result in both civil and criminal penalties. With the increase in the popularity and availability of social media platforms comes an increase in potential privacy violations. To read a previous blog I wrote on this, click here.

Be sure to check out our YouTube page for informational video blogs on HIPAA matters and health law matters!

Check back soon to read part 2 of this blog.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at or call (407) 331-6620 or (850) 439-1001.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.


“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999.
Copyright © 2019 The Health Law Firm. All rights reserved.

