
According to a chapter from Patient Confidentiality published in the StatPearls, “When a healthcare worker or facility violates HIPAA rules, patients generally have no recourse except to report the matter to the OCR. HIPAA has created a right to privacy and does not allow most patients to file lawsuits.” Instead, they may pursue state-level claims (e.g., negligence, breach of contract) if harm results from mishandled data.
HIPAA grants patients a few rights when it comes to their health information. Under the Privacy Rule, patients can access, request corrections to, and obtain copies of their medical records. They must receive a Notice of Privacy Practices explaining how their data is used and shared, and they can request restrictions on certain disclosures (e.g., preventing a health plan from being notified if they pay privately).
Patients also have the right to file complaints with the Department of Health and Human Services (HHS) if they suspect violations. However, patients cannot directly sue providers under HIPAA for violations, as the law lacks a private cause of action.
However, a 2018 Connecticut Supreme Court ruling in the Lee-Thomas v. LabCorp case created a landmark precedent allowing patients to pursue state-level claims, such as negligence or breach of contract, when their protected health information (PHI) is mishandled. In this case, a patient successfully sued her provider for improperly disclosing her medical records, marking a shift in legal recourse for HIPAA-related harms in Connecticut.
What is a HIPAA violation?
A HIPAA violation occurs when a covered entity or business associate fails to comply with HIPAA standards, such as by maintaining inadequate safeguards for protected health information (PHI). The American Medical Association (AMA) states, “Failure to comply with HIPAA can also result in civil and criminal penalties… If a complaint describes an action that could be a violation of the criminal provision of HIPAA, OCR may refer the complaint to the Department of Justice (DOJ) for investigation.”
A breach, a subset of violations, specifically involves unauthorized access, use, or disclosure of PHI that compromises privacy or security. For example, a stolen unencrypted laptop containing PHI constitutes a breach if encryption policies were absent (a violation), whereas an employee accidentally viewing a patient’s record without authorization is a violation but not necessarily a breach unless the data is further compromised.
HIPAA does not grant patients the right to sue directly for violations
HIPAA does not grant patients the right to sue directly for violations of the law. The statute explicitly lacks a private cause of action, meaning individuals cannot file federal lawsuits solely based on HIPAA violations, even if harm results from improper handling of PHI.
This limitation was reaffirmed in the 2018 case Lee-Thomas v. Labcorp, where a patient’s lawsuit was dismissed because HIPAA enforcement is reserved for regulatory bodies like the HHS Office for Civil Rights (OCR) and state attorneys general. Courts have consistently ruled that HIPAA’s enforcement framework prioritizes administrative penalties (e.g., fines, corrective action plans) over individual litigation.
The Memorandum Opinion in Lee-Thomas v. LabCorp notes, “Furthermore, courts in this and other circuits that have considered the question have reached a consensus that the statutory language of HIPAA grants no private right of action. See, e.g., Adams v. Eureka Fire Prot. Dist., 352 F. App'x 137, 138-39 (8th Cir. 2009) (noting that "Courts have repeatedly held" that HIPAA does not create a private right of action); Acara v. Banks, 470 F.3d 569, 571-72 (5th Cir. 2006) ("Every district court that has considered this issue is in agreement that the statute does not support a private right of action."); Briscoe v. Costco Wholesale Corp., 61 F.Supp.3d 78, 90 (D.D.C. 2014) (finding that plaintiff's complaint lacked cognizable legal theory because HIPAA provides no private cause of action); Hudes, 806 F.Supp.2d at 195-96 (collecting cases indicating no private HIPAA cause of action); Johnson v. Quander, 370 F.Supp.2d 79, 100 (D.D.C. 2005) (dismissing HIPAA claim involving disclosure of medical information because no private cause of action existed), aff'd, 440 F.3d 489 (D.C. Cir. 2006).”
However, patients may pursue state-level claims (e.g., negligence, breach of contract, or invasion of privacy) if a HIPAA violation overlaps with a separate legal duty under state law, provided they can demonstrate tangible harm such as financial loss or emotional distress.
Distinguishing between enforcement by OCR and private legal remedy
According to the HHS, “One of the ways that OCR carries out this responsibility is to investigate complaints filed with it. OCR may also conduct compliance reviews to determine if covered entities are in compliance, and OCR performs education and outreach to foster compliance with requirements of the Privacy and Security Rules.”
The distinction between OCR enforcement and private remedies lies in their mechanisms and objectives. OCR enforcement is a federal administrative process focused on systemic compliance. The OCR investigates complaints, conducts audits, and imposes penalties ranging from voluntary corrective actions to multimillion-dollar fines, depending on the severity and scope of violations.
These OCR remedies aim to improve industry-wide compliance rather than to compensate individuals, though OCR may require breach notifications or credit monitoring for affected patients.
How private remedies work
Private remedies depend on state laws and require plaintiffs to prove:
- A legal duty independent of HIPAA (e.g., a provider’s contractual obligation to safeguard records).
- Causation between the violation and specific harms (e.g., identity theft, reputational damage).
A patient might sue under state privacy laws if a provider’s HIPAA violation also constitutes negligence, but success hinges on state-specific standards and evidence of actual harm. This bifurcated system ensures regulatory oversight while leaving individual redress to state jurisprudence.
How state-level privacy laws might offer a pathway for legal claims
State privacy laws often exceed HIPAA’s minimum standards, creating avenues for litigation when federal law falls short. For example, California’s Confidentiality of Medical Information Act (CMIA) allows statutory damages of up to $1,000 per violation for unauthorized disclosures, while Texas permits negligence claims if PHI breaches cause harm. These laws complement HIPAA by embedding its standards into state tort frameworks, enabling plaintiffs to argue that HIPAA violations constitute negligence per se (automatic negligence due to statutory breach) or breach of contractual duty.
The NCBI study Patient Health Record Protection Beyond the Health Insurance notes that while HIPAA’s 2013 Omnibus Rule expanded patient rights, "state-level regulations exceeding HIPAA requirements" have not reduced breaches, suggesting persistent gaps that state tort systems address. The study analyzed breach reports and found that "hacking or IT incidents" disproportionately impact patients, yet HIPAA’s enforcement relies on OCR penalties rather than individual compensation. The regulatory shortfall pushes plaintiffs toward state courts.
Case law reinforces this dynamic. In G.R. v. United States (2017), a New Mexico federal court allowed a nurse to sue her employer-hospital for disclosing her sexual assault records, framing the HIPAA violation as a breach of privacy under state tort law. Similarly, the Arizona Court of Appeals in Byrne v. Costco (2019) permitted a negligence claim after a pharmacy disclosed PHI to an ex-spouse, ruling that HIPAA "may inform the standard of care" in state lawsuits.
Torts and negligence in HIPAA violation claims
Tort theories like negligence per se, invasion of privacy, and breach of contract have become tools for plaintiffs seeking damages tied to HIPAA violations. Negligence per se allows courts to treat HIPAA violations as automatic breaches of duty if the plaintiff proves:
- The defendant violated HIPAA,
- The plaintiff is within the class HIPAA protects, and
- The harm aligns with what HIPAA aims to prevent.
The chapter from StatPearls discusses that "employee negligence" drives most breaches, making negligence claims a natural fit. In Guy v. Providence Health (2022), an Alaska court revived a breach-of-contract claim after a hospital employee disclosed PHI, emphasizing that contractual obligations to safeguard data exist independently of HIPAA. Similarly, the R.K. v. St. Mary’s Medical Center case allowed a West Virginia plaintiff to sue for emotional distress after PHI was shared during divorce proceedings, with the court stating HIPAA "enhances penalties for violations" by informing state tort standards.
A Fisher Phillips insight ‘Even More At Stake Than Meets The Eye With Potential HIPAA Violations’ notes that courts increasingly permit negligence per se claims based on HIPAA violations, rejecting preemption arguments because state tort law "complements" federal enforcement. In Byrne v. Costco, the court ruled that HIPAA’s privacy rules could establish the standard of care for state negligence claims, even though HIPAA itself does not authorize private suits.
The final takeaway
State-level remedies fill HIPAA’s enforcement gaps but create a patchwork of standards. While the studies cited above show that HIPAA amendments like the Omnibus Rule have not reduced breaches, state tort systems provide a reactive, harm-based approach. However, this reliance on negligence claims places a burden on plaintiffs to prove causation and damages, which many struggle to do.
Accidental PHI disclosures without tangible harm (e.g., no financial loss) often fail in court, limiting redress. The Lee-Thomas v. Labcorp dismissal reaffirms that federal courts remain closed to private HIPAA suits, forcing plaintiffs into state systems where outcomes depend on variable laws.
FAQs
What types of data breaches fall under healthcare data violations?
Healthcare data violations encompass breaches of ePHI, unauthorized access to paper records, and failures in security measures such as inadequate encryption or poor access controls.
Are healthcare data violations limited only to hospitals and clinics?
No. Healthcare data violations can occur across various settings, including hospitals, outpatient clinics, insurance companies, and even third-party vendors or business associates.
What rights do patients have if their healthcare data is compromised?
Patients have the right to be informed if their data is breached, request access to their records, and file a complaint with the OCR. In some states, they may also have additional legal remedies under state privacy or data breach laws.