Remedies for HIPAA Violations: Part 2

Thursday, February 28, 2019
By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

At The Health Law Firm, we often receive questions about possible violations of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Regulations. Most often, the questions that we receive concern breaches of confidentiality of medical records and medical information.  This two-part blog series will attempt to explain and clarify this issue.  Click here to read Part one. 

HIPAA Privacy Rights and Medical Confidentiality (Continued).

REMEMBER: There is no private cause of action allowed to an individual to sue for a violation of the federal HIPAA or any of its regulations.  This means you do not have a right to sue based solely on a violation of HIPAA by itself;  however, you have the right to sue based on state negligence law, using HIPAA as one of the sources of a duty that has been breached.

4.  State Laws and Lawsuits (Civil Recovery) (continued).

If there was a violation or breach of patient confidentiality or medical records confidentiality, this may also be a violation of the state's laws on patient privacy or medical records confidentiality.  In almost every state this gives you a legal cause of action for negligence and, perhaps, invasion of privacy.  The biggest problem encountered in this type of case, and a reason most plaintiff's attorneys won’t consider taking a case such as this, is the lack of documented, provable damages (again, I emphasize the words "documented" and "provable").

5.  Documented, Provable Damages Are the Key.

Unless you have actual bills and receipts for the damages you have suffered, you don't have documented, provable damages.  In most cases, you must be able to show that you have suffered actual damages you can prove in a court of law by evidence such as:

a.  Doctors' bills you have paid
b.  Mental health counseling fees you have paid
c.  The purchase of credit protection insurance
d.  The purchase of identification theft insurance
e.  The costs you have paid because your identity was stolen
f.  Fees you have had to pay related to changing bank accounts and cards, obtaining credit reports, returned check fees, and other expenses related to identity theft
g.  Lost pay from time off (with the pay stubs, W-2 forms, etc., to prove the amount)
h.  Lost pay from a lost job (with the pay stubs, W-2 forms, etc., to prove the pay lost)
i.  Attorney's fees paid as a direct result of the breach of privacy (key word being "direct result")
j.  Other actual out-of-pocket expenses.

Unless you have these, you will have great difficulty in finding a plaintiff's attorney to take such a case.  It is doubtful that you would have a provable case, as well.  There are exceptions to every case, however.  These may include when information is disclosed to outside sources on HIV testing, sexually transmitted diseases, mental illness or other such disclosures that may tarnish your personal or  professional reputation.

If you do feel that you have a valid case with documented damages, we urge you to contact and retain a plaintiff's attorney to file suit on your behalf as soon as possible.  You have only a short period of time to bring up such a case, after which your rights to do so will be extinguished forever.

You should consider taking the actions I set forth above in Sections 1, 2 and 3 in Part 1 of this blog series.  If the organizations involved find in your favor, then you may be able to use their findings to convince an attorney to take your case and to prove that case in court.

Hourly Attorney vs. Contingency Fee Attorney.

I state these opinions because most attorneys who would take such a case are plaintiff's attorneys who take cases for a contingency fee (a percentage of the amount they win).  In such a case, if an attorney spends 100 hours preparing for trial (actually a low number), wins your case, and you only have $500 worth of provable damages, and if the contingency fee agreement is for 40% (a fairly standard amount), then the successful attorney would only receive $200, or $2.00 per hour.  I don't know any attorney who would work for that amount.  This is a very simplistic illustration to make the point; it does not even take into account all of the costs in preparing and presenting a case at trial, which the client is usually responsible for paying.

An attorney who charges by the hour may be more likely to take the case, but he/she may also be hard to find for this type of case, and may require a retainer fee of $5,000 to $15,000 paid up front just to get started.

Remember, there is only a short time in which to take any action that may be necessary and if you fail to do so, your rights may be lost forever.  Again, this is not legal advice, just general information. Click here to read one of my prior blogs on HIPAA violations and healthcare compliance.

Be sure to read part one of this blog here.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).
For more information about HIPAA violations, electronic health records or corrective action plans (CAPs), please visit our website or call (407) 331-6620 or (850) 439-1001.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.


“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999.
Copyright © 2019 The Health Law Firm. All rights reserved.

