By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

HIPAA Privacy Regulations and Security Regulations.

As a first step, you may desire to file a HIPAA Privacy Complaint with the federal government.  These are usually required to be filed within 180 days of the event (there are limited exceptions).  They are usually all taken and fully investigated.  If it is an egregious or a repeat violation, it may even result in an investigation by the Federal Bureau of Investigation (FBI) and criminal charges being filed against those responsible.  However, in most cases if there is a valid complaint, the federal government will assess administrative fines against those responsible.  In almost all cases, a report will be made back to you of what is found and what actions have been taken. If you decide to file a HIPAA Privacy Complaint, this is done with the OCR of the U.S. Department of Health and Human Services (DHHS).  You may do this online.  The Complaint form can be found here.  

If you follow this process and the violation is verified, you may find it easier to retain an attorney to take your case.  Please note, there is only a very short period of time in which you are allowed to file such a complaint.

The Florida Department of Health (DOH) licenses all physicians, nurses and health professionals in the state of Florida.  It is also responsible for investigating complaints against them.  The various professional boards (Board of Medicine, Board of Nursing, etc.) are under the DOH. If there was a violation, breach of patient confidentiality or medical records confidentiality, this may also be a violation of the state’s laws on patient or medical records confidentiality. Please not, this is true in most states, not just Florida.

If there was a violation or breach of patient confidentiality by a licensed health care professional, you may also file a complaint with the appropriate state licensing board or agency about this, as well.  In Florida, for example, if a licensed health professional did this, you may decide to report this to the Florida DOH.  If they are licensed in a different state, you may have to follow that state’s procedure for filing a complaint.

For Florida, you may call the Florida DOH at (888) 419-3456 or (850) 245-4339, or you may use the online complaint form.

The Florida DOH will investigate the complaint and in most cases have an expert witness review it.  If there is a finding against the physician (or licensed health professional) you can ask for a copy of the DOH expert’s report.  This may result in your obtaining a free expert witness review of the case.

If you are a Medicare patient, TRICARE/CHAMPUS patient, Veterans Administration (VA) patient, Public Health Service patient, or military patient, you may also report this to the Office of the Inspector General (OIG) of that specific agency.

If you are a member of a managed care plan or have health insurance, you may desire to file a member grievance or complaint with the insurance company.  Every physician or licensed health care professional who accepts Medicare is subject to the Medicare Program’s peer review system.  You may file a complaint directly with Medicare and ask for it to be reviewed by the Medicare peer review program.

If you do decide your case is appropriate for filing a law suit, the suit will be based on state common law negligence (the same as automobile accident cases) and not based on HIPAA alone.  You may also have a cause of action under your state's laws on invasion of personal privacy.  Some states have strict laws and even state constitutional provisions guaranteeing its citizens the right to privacy.  This right extends to privacy in their medical records and medical information. 
Common law negligence means that there has been a duty breached by someone that has resulted in damages to you.  So, you must be able to show that you were damaged somehow by the breach of confidentiality or privacy that occurred.  The duty that was breached can be the duty imposed by a health care provider or covered entity by HIPAA and its implementing regulations, by state laws, by state constitutional provisions, by the standards and principles of the American Medical Association (AMA), and other standards and duties of the health care provider.