Patients trust their healthcare providers, insurers, and even employers with sensitive medical information. That trust is protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a federal law that sets the national standards for the privacy and security of protected health information (PHI). But what happens when a healthcare provider, hospital, or employer violates those rules? Can you sue for a HIPAA violation?
If you’re considering suing for a HIPAA violation, it’s important to understand your legal options. Here’s what you need to know.
What is a HIPAA Violation?
A HIPAA violation happens when a covered entity, like a hospital, clinic, or business associate, fails to follow the standards outlined in HIPAA’s Privacy Rule and Security Rule. These specific standards, 45 CFR Parts 160 and 164, regulate the use, disclosure, and protection of your medical information.
A violation of these standards might look like:
- A provider releasing your medical records without your consent.
- A nurse discussing your medical condition in a public area.
- A healthcare worker accessing your file without a valid medical reason.
- An employer mishandling health data they acquire through a workplace health plan.
Is a HIPAA Violation Considered Medical Malpractice?
Not necessarily, but it can be. HIPAA violations typically concern patient privacy, whereas medical malpractice involves a breach of the standard of medical care. However, if a healthcare provider’s disclosure of PHI results in medical harm, it may also give rise to a medical malpractice claim.
For example, suppose that disclosure led to a delay in treatment or a mental health crisis. In these situations, medical malpractice may apply. If you suspect your HIPAA violation led to medical malpractice, talk to an experienced attorney. They can help you determine whether that privacy breach constitutes malpractice under Massachusetts law.
Can You Sue for a HIPAA Violation?
The short answer is no, not under HIPAA itself. HIPAA doesn’t allow people to bring private lawsuits for violations under its provisions. Instead, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) handles enforcement. If you believe your rights have been violated, you can file a complaint with the OCR, and they may investigate and impose fines or corrective actions on the violating entity.
So, why do people talk about HIPAA violation lawsuits? Because while HIPAA doesn’t provide the personal right to sue, courts have allowed individuals to file state law claims where the HIPAA violation serves as evidence of negligence or unlawful conduct.
State Law Claims Based on HIPAA Violations in Massachusetts
Massachusetts offers strong privacy protections that can support a lawsuit based on unauthorized disclosure of medical information. Massachusetts General Laws Chapter 214, Section 1B, for example, guarantees individuals a “right against unreasonable, substantial, or serious interference with his privacy.”
So, if a healthcare provider, hospital, or employer mishandles your private health information, this statute can serve as the legal foundation for your lawsuit, even if the violation also implicates HIPAA.
Courts in Massachusetts have acknowledged that HIPAA can help define the standard of care, even though it’s not a direct source of liability. In other words, a HIPAA violation can support state law claims like:
- Invasion of privacy
- Negligence
- Breach of confidentiality
- Emotional distress
- Violation of consumer protection statutes
Can I Sue My Employer for a HIPAA Violation?
It depends. If your employer learned of your medical condition through a workplace-sponsored health plan, wellness program, or health screening covered under HIPAA and then improperly disclosed it, there may be a violation of both HIPAA and state privacy laws.
However, not all employers are HIPAA-covered entities, and how they obtained your medical information matters. For example, if the information came from a public source or outside of a healthcare context, HIPAA might not apply, but Massachusetts privacy laws might.
Can I Sue a Hospital for a HIPAA Violation?
Yes, it’s possible to sue a hospital over a HIPAA violation, although not directly under HIPAA. Instead, you can sue for issues like negligence, breach of confidentiality, or privacy violations under Massachusetts law. You will need to show that the hospital mishandled your private medical information and that you suffered harm as a result.
For example, suppose a hospital disclosed your medical condition to your employer without your consent, and that led to job loss or reputational harm. In this situation, you could be entitled to damages, and HIPAA standards could help demonstrate the hospital’s failure to meet its duty of care.
How to Sue for a HIPAA Violation in Massachusetts
It’s possible to sue for a HIPAA violation, though not directly. So, how do you sue for a HIPAA violation? It involves a few important steps, including:
- Filing a complaint with HHS OCR: This won’t result in compensation, but it may lead to enforcement actions and a paper trail that supports a future lawsuit. You can file online through the HHS website.
- Contacting a Massachusetts attorney: A privacy or personal injury attorney can evaluate your situation and determine whether you have the basis for a state law claim based on the facts of the HIPAA violation.
- Gathering documentation: This might include emails, medical records, witness statements, or any correspondence that supports your claim.
- Pursuing legal action under state law: If your attorney finds that you have a viable claim, you may file a claim under applicable state statutes and pursue legal action.
HIPAA Violation Compensation: What Damages Can You Recover?
Since, technically, you can’t sue under HIPAA, there’s no formula for HIPAA violation compensation. Instead, compensation hinges on state law claims and the damages you can prove. That might include:
- Emotional distress
- Financial losses, such as job loss or denial of benefits
- Medical expenses
- Loss of reputation or relationships
It all depends on the specifics of your case, including the severity of the privacy breach, the harm caused, and the specific claims brought under Massachusetts law. Your attorney can help you evaluate the value of your case based on these specifics.
HIPAA Violations: Know Your Rights
HIPAA sets the standard for protecting your medical information, but it doesn’t give you the right to sue directly. However, that doesn’t mean you’re without options. In Massachusetts, you can sue for a HIPAA violation if you pursue it under state privacy laws.
If you’re looking to sue a hospital for a HIPAA violation, wondering how to sue your employer for a HIPAA breach, or asking if HIPAA violations count as malpractice, reach out to our skilled attorneys at the Fogelman Law Firm. We’re here to help you understand your rights and pursue legal action for violations of your personal information. Contact us at 617.559.1530 or fill out our online contact form to start with a free consultation.