Remedies for Violation of HIPAA Privacy Rights and Medical Confidentiality - Part 2

Monday, October 1, 2012

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

I receive many questions and e-mails about possible violations of the Health Insurance Portability and Accountability Act's (HIPAA) Privacy Regulations and Security Regulations, and breaches of confidentiality of medical records and medical information
More detailed information on HIPAA Privacy Regulations and Security Regulations, can be found at:
There is no private cause of action allowed to an individual to sue for a violation of the federal HIPAA or any of its regulations.  This means you do not have a right to sue based on a violation of HIPAA by itself.  However, you may have a right to sue based on state law. 

To read the first part of this blog, click here. To continue learning more on HIPAA Privacy Rights and Medical Confidentiality, see below.

4.  State Laws and Law Suits (Civil Recovery).

If there was a violation or breach of patient confidentiality or medical records confidentiality, this may also be a violation of the state's laws on patient or medical records confidentiality.  In most states this would give you a legal cause of action for invasion of privacy or for negligence.

The biggest problem usually encountered in this type of case and the reason most attorneys will not even consider taking one is the lack of documented  provable damages (again, I emphasize the words "documented" and "provable").

5.  Documented, Provable Damages is Key.

Unless you have actual bills and receipts, you don't have this.  In most cases, unless you can prove that you have suffered actual damages by proof such as:

a.  Doctors' bills you have paid
b.  Mental health counseling fees you have paid
c.  The purchase of credit protection insurance
d.  The purchase of identification theft insurance
e.  The costs you have paid because your identity was stolen
f.   Lost pay from time off (with the pay stubs, W-2 forms, etc., to prove the amount)
g.  Lost pay from a lost job (with the pay stubs, W-2 forms, etc., to prove the pay lost)
h.  Attorney's fees paid as a direct result of the breach of privacy (key word being "direct result")
i.  Other actual out-of-pocket expenses, you may have a difficult time proving a case in a court of law

If you have these keep good, detailed documentation.  Obtain good, legible receipts for everything.

Unless you have these, you will have great difficulty in finding a plaintiff's attorney to take such a case.  It is doubtful that you would have a provable case, as well.  There are exceptions to every case, however.

If you do feel that you have a valid case with documented damages, we urge you to contact and retain a plaintiff's attorney to file suit on your behalf as soon as possible.  You have only a short period of time to bring up such a case, after which your rights to do so will be extinguished forever.

We would urge you to consider carrying out actions #1, #2 and #3 in Part 1.  If these organizations do not find in your favor, then it is even less likely that a judge or jury would find in your favor.

Hourly Attorney vs. Contingency Fee Attorney.

Our statements above hold true mainly because most attorneys who would take such a case are plaintiff's attorneys who take cases for a contingency fee (a percentage of the amount they win).  In such a case, if an attorney spends 100 hours preparing for trial (actually a low number), wins your case, and you only have $500 worth of provable damages (if the contingency fee agreement is for 40%, a fairly standard amount) then that attorney only gets $200, or $2.00 per hour.  I don't know any attorney who will work for that amount.  (This is a very simplistic illustration to make the point; it does not even take into account the legal costs involved, which the client is usually responsible for paying.)

An attorney who charges by the hour may be more likely to take the case (but he/she may also be hard to find for this type of case), and may require a retainer fee of $5,000 to $15,000 paid up front just to get started.

If you have a civil case for liability, you only have a short, limited time to file it.  You must do so within the applicable time period or you will lose the right to do so forever.

Remember, there is only a short time in which to take any action that may be necessary and if you fail to do so, your rights may be lost forever.

Again, this is not legal advice, just general information.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.
The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).
For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at or call (407) 331-6620 or (850) 439-1001.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.

Tag Words: Health Insurance Portability and Accountability Act, HIPAA, HIPAA audits, HIPAA audit protocol, HIPAA compliance, medical records, medical practice audit, records request, defense attorneys, lawyers, legal representation, audit attorneys, health care audits, breach of patient
"The Health Law Firm" is a registered fictitious business name of George F. Indest III, P.A. - The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2012 The Health Law Firm. All rights reserved.


Response to: Remedies for Violation of HIPAA Privacy Rights and Medical Confidentiality - Part 2
Tuesday, November 20, 2012
Steven K-Brooks says:

Nice website. Helpful information, presented in a straightforward, easy to understand way. Very professional. Much appreciated. SK-B ( Brattleboro Vermont)

Response to: Remedies for Violation of HIPAA Privacy Rights and Medical Confidentiality - Part 2
Thursday, July 18, 2013
JRC says:

I am a physician for a large corporation and am currently completing my residency. My wife works at a physician service office which is owned by the same corporation. I became a patient there in Nov. 2012 and my wife orginally interviewed in Dec. 2012 and became an employee there in March 2013. My personal primary-care-physician is located where she works. On occasion I have her change my lab appts, verify my office visits, etc... Recently, when she accessed my computerized chart, she looked at the very detailed chart history and was shocked to see that her supervisior had accessed my chart back in Dec. 2012 (when she had interviewed). I am listed as a referencoe on my wife's resume. I am incredulous as to why this supervisor would access my chart (which includes sensitive mental health information). This supervisor is also a coordinator-type person for a residency clinic program just started within this office building where my wife works. I wonder how may other residents had their

Response to: Remedies for Violation of HIPAA Privacy Rights and Medical Confidentiality - Part 2
Thursday, February 13, 2014
mark says:

Not sure if i have a case. But is it legal for a CVS pharmacy person to ask my last name, dob and discuss the controlled substance for anxiety to me where people can hear in line. This was in my local community. I was humiliated .

Response to: Remedies for Violation of HIPAA Privacy Rights and Medical Confidentiality - Part 2
Friday, February 14, 2014
The Health Law Firm says:

Greeting Mark: Unfortunately we cannot give legal advice through our blog. If you desire to speak with us about the case, please call our firm and make an appointment for a telephone conference with one of our attorneys. You may telephone (407) 331-6620 from 9:00 A.M. through 5:00 P.M. Eastern Time (except for lunch when we are closed for one hour starting at noon) and make such arrangements.

Response to: Remedies for Violation of HIPAA Privacy Rights and Medical Confidentiality - Part 2
Monday, November 3, 2014
Frustrated says:

A neighbor went to pick up a prescription for me and the pharmacy technician told him I had no to pick up. The neighbor ask was he sure, the technician then printed out my medical profile with medications and doctors names to show there was nothing. That was one sheet, the medication he was to pick was not even listed on that sheet. I live in Maryland where women sued Johns Hopkind because a doctor video taped their GYN exams. No faces were shown, here my everything was printed out and handed over and discussed with a stranger.

Response to: Remedies for Violation of HIPAA Privacy Rights and Medical Confidentiality - Part 2
Thursday, November 6, 2014
Private says:

In other words, the most seriously ill and distressed among us have NO LEGAL RIGHTS under HIPAA under which our privacy and dignity and even our very life can be heinously, illegally and maliciously destroyed at the unconscionable whim of any health care "professional" some of whom consider themselves above the law and can maliciously withhold medical services and medications if you refuse to give them complete access to your medical information to which they have no real legal right but for which their serious life-threatening abuses are protected under HIPAA. Every citizen of our Nation is today or will most likely eventually become in older age completely dependent upon the medical and pharmaceutical industries. Those few health care professionals within who have no regard, no respect for the privacy of patients nor their very lives and who have been left free to impose their Nazi-like aggressive and malicious wills upon anyone they chose at any time they chose for any reason th

Response to: Remedies for Violation of HIPAA Privacy Rights and Medical Confidentiality - Part 2
Tuesday, May 5, 2015
Al says:

HIPAA Compliance and Privacy Violations Case I received the following letter from Kaiser Permanente, Los Angeles Medical Center – [I am writing to inform you about a health information privacy matter. We received notification on April 2015 that some elements of your medical information were inadvertently released to an architectural firm with which we do business. The information included but was not limited to; name, medical record number and the type of radiology procedure that you received at Los Angeles Medical Center in 2014. The information did not include your social security number. We have received confirmation from the architectural firm that the information was disposed of in a secure manner. It is important to note, that the architectural firm has a contract with at Los Angeles Medical Center and upholds the confidentiality of our patient information. In accordance with our policies and procedures, we assure you that appropriate action will be taken with those invol

Like this blog? Add your public comments:

Items in bold indicate required information.