HIPAA Violation? Sue Me

This is a true story that occurred recently in Indiana. Failing to collect payment for treatment, a medical group sent a patient to collections. In providing the unpaid bills to the collections attorney, practice staff failed to redact sensitive information. When the attorney filed the bills with the court as part of his collection action, the patient’s positive HIV status became public record.

The patient sued the practice and won. The jury awarded $1.25 million in damages.

As a case of wrongful disclosure this one seems pretty open-and-shut. But how exactly did the patient and his attorney proceed? Under which of the following did the patient bring action:

  • HIPAA privacy rule
  • HIPAA security rule
  • HITECH breach notification rule
  • Indiana Medical Malpractice Act

The patient sued the practice and won under the Indiana Medical Malpractice Act.

Why not HIPAA? Because he could not.

The case is a good reminder that although HIPAA sets a standard for an individual’s privacy rights it does not provide a private right of action, says Nicholas K. Lagina, an attorney with Krieg DeVault, based in Indiana.

When it comes to HIPAA violations, the patient is limited to filing complaints with appropriate governmental agencies, such as the Office for Civil Rights, he says. Other sources of law must form the basis of a lawsuit.

Common Law and the Theory of Negligence

Individuals facing what they believe to be a wrongful use or disclosure often fall back on traditional common law tort principles, according to Lagina.

“Typically claims are brought under some sort of claim of negligence, violation of privacy rights, or invasion of privacy,” he says. “You also see providers face allegations of negligent or intentional infliction of emotional distress, or even allegations of things such as defamation.”

Negligence is a tort concept available in every state, and it is broad enough to cover many types of actions.

In essence, negligence is the concept that someone had a duty to someone else, the duty was breached, and the breach resulted in an injury. “If you can show all those elements,” Lagina says, “you can fit all kinds of causes of actions underneath the theory of negligence.”

In some states, consumer protection laws and data breach laws also can provide a cause of action for privacy complaints such as wrongful disclosure.

Will Insurers Push Back?

The Indiana case is interesting for another reason, Lagina says. Cases like this may change professional liability insurance.

At the time of the interview, Lagina had not seen all of the case documents, but it appeared that the medical group’s insurance company would pay $250,000 of the $1.25 million award. This is the medical malpractice cap in Indiana for a case like this.

The remaining $1 million presumably would be paid by the Indiana Patient’s Compensation Fund.

“One of the things that will be interesting in the Indiana case as it progresses will be to see if the Indiana Patient’s Compensation Fund, which is the ultimate payer of excess damages, will try to argue that this is not malpractice,” Lagina says.

Lagina has no knowledge that it will, but generally he expects that if malpractice laws increasingly serve as the platform for rising privacy complaints, liability insurers will respond.

“I believe you’ll see in the future an interplay in the way courts are interpreting these kinds of allegations and what the insurance companies are doing in respect to insuring for those allegations,” he says.

“To the extent an insurer believes an act or a judgment is not covered under their policy, that is going to have some practical and pronounced effects on healthcare providers.”

Changes could come for individuals seeking damages, also. States considering malpractice reform have enacted or are considering multiple options: limiting damages, adding procedural requirements intended to discourage “frivolous” lawsuits, and shortening statutes of limitation.

A Share in the Damages

The HITECH modifications to HIPAA made no impact on an individual’s right of action. However, they do affect individuals in tangential ways.

HITECH grants state attorneys general the ability to bring civil action and seek damages on behalf of their residents for HIPAA violations.

A second provision provides individuals harmed by a wrongful disclosure under HIPAA a percentage of any recovery or settlement. The provision will be effective for any violation occurring after February 2009, but the Department of Health and Human Services has until 2012 to issue the regulation.

Once the regulation is in effect, Lagina foresees a spike in reported violations. The rule “has the potential to increase complaints, because individuals will have an actual monetary stake in the recovery,” he notes.

Editor’s note: An abbreviated version of this article appears in the March print issue.


  1. As a student of HIM these type of information enrich my knowledge, and makes me more eagle to take my classes very seriously, so thank you.

  2. These articles are a great up-to-date resource to me for researching pertinent topics! Thanks.

  3. I had a similar incident (sent me to collections- got the paperwork with my meds listed on it) My doctor indicated the type of medication he prescribed and the dosage. This would be an example of a violation correct? Suggestions on next steps?

  4. I’m in school for HIT and this site is a great resource.

  5. i was discharged from work. i tried to apply with another company and my hippa laws were violated by the other company, thus i didn’t get hired because of that. what can i do?

  6. I am a registered nurse who went into a medical detox facility. I was very concerned about my privacy but was assured by the intake nurse that EVERYTHING was private!! It was a hospital inpatient facility. She advised me that they were on a separate system compared to the rest of the hospital and those records..reason for the visit was blocked by everyone unless u worked on that unit..Approx a month later I went to see my cardiologist and he stated he pulled up my hospital record and there it was a description of why I was inpatient at the hospital “opioid detox”. I was completely humiliated and felt my hippa rights were violated. since I work in the medical field this will severely affect everything that I have spent my life building. I wouldn’t have gone there if this would have been attached to my regular medical record. what recourse do I have? This is such a violation!!! I went to great length to protect my situation. pls help. I will face serious repercussions over this.

  7. In January 2012 I had STD tests done at the local hospital. The clerk who checked me in told my husband what tests I had done. He confronted me to ask the reason for the tests. This woman was previously his fiance, and he has now moved out and moved in with her. Do I have any recourse? I contacted the hospital administration anonymously (without the details that would give away who the clerk was), and they urged me to file a complaint, and I have not.

  8. My son’s pediatrician released information to cps about dates and tiimes of appoinments, and about missed checkups. do i have a case?

  9. I am a lawyer who represents persons whose HIPPA rights have been violated. Several people who have left comments here have a cause of action for a violation of their privacy. A doctor I know had surgery on his knee and another doctor felt he should not be seeing patients in the hospital while he was taking pain killers. He sought out the other doctors records and used them in an open meeting to try and have action taken against the other doctor. I find that the worst violators of HIPPA are medical professional’s who cannot resist the temptation to look up other medical health professionals. The show the least respect for each other it seems. I saw a similar case where a health professional looked up the aids history of a co worker who was being seen by another doctor for his condition. No reason, just curious when he saw him go to see the doctor who treats aids patients.

  10. My employer send a form to my health care provider requesting information about me without my consent and the health care provider returned the form fill and my employer sent them to me via e-mail and attach a letter to my supervisor all this without any consent from me. is this a violation of my rights?

  11. I was wondering what/who you would sue if I had a hippa violation of: A person at a facility that I was going to could not get a hold of me or my wife, so that person decided to call my place of work, she talked to the secretary and told her that I was going to kill myself and she was trying to find where I was at. The secretary then transferred the call to my Director and she told her the same thing (that I was going to kill myself). My director called my wife and asked if everything was okay because she got that call that I was going to kill myself. That made me take extra time off of work because of emotional distress and there were hippa investigaters that were pursuing the problem. My Dr. told me (where the hippa violator works) that if I wanted to sue, that I would most definatly win)
    There are a lot of other things that go along with this, but isn’t it wrong to call anybody besides my emergency contact, especially not calling my place of work (a hospital)
    Thank you

  12. My employer released information about me in front of a group of coworkers at a meeting I was not present for. Do I have a case?

  13. Can my employer be held responsible for one of their manager’s invading my privacy in front of an office meeting.

  14. I went to treatment for alcohol abuse and I have been sober for nearly a year now. My husband and I just went through a divorce and he found my treatment assignments and step work in a binder I had hidden under my bed and presented them in court these same documents were part of my treatment plan and chart and even had the treatment facilities name on the top of some papers. Later these documents were mailed out anonymously to people on my witness list. These documents were used in court and only lawyers should have had copies to keep for safe keeping in their offices during this time. I have also been using a soberlink device that is HIPPA protected to prove my sobriety, these documents were printed out and a publicized to others, Is there any form of legal action I can take? The people I suspect both work at the hospital where I live and definitely know Hippa rules and regulations. Please Help!

  15. I was dismissed from the hospital after an overnight observation, two weeks after knee replacement surgery. The dismissal paper told me to a)come to physical therapy as usual two days later b)RECOMMENDED I not drive.

    A month later I received a letter from the Department of Transportation telling me to surrender my license indefinitely, because of an ‘unsatisfactory medical report’.

    I went to the driver’s license station & got a copy of the letter they’d received from the attending physician. It reported that I had a ‘CHRONIC’ leg condition’, my name and SS number. I’d also mentioned in the hospital that I had a headache from squinting at the TV, because I’d forgot my reading glasses, so I also had ‘chronic eye problems.’

    My physical therapist told me the stress had set back my therapy by at least 1 1/2 weeks at that time. I cannot attend my followup appointments with my surgeon, and cannot continue my rehabilitation due to loss of transportation. I was supposed to continue therapy on my own using the equipment at their facility for another month. If I drive anyway I am subject to prosecution for driving under suspension.

    I am extreme low-income & cannot get an answer from an attorney. Can you advise me?

  16. I have an open CPS case and during a family team meeting the guardian ad litem disclosed in front of the whole meeting that I was sexually abused as a kid. I don’t know if this is a hipaa violation or what it would be called? But I felt revictimized , and very upset that he said this in front of the child’s aunt who is definitely going to spread this around the small town I live in. Can I sue this guy?

  17. I recently visited the hospitals er and to make a long story short I was giving a giwn and was tokd to undress and I did. Well after I done so I looked up and it was a camera in the room and I was told it was not on. Well it was I was on the moniter at the nurses station and I have pictures of me being on this monitor. I feel like I have been very violated by every means and I need help please.

  18. My brother went to a local Walgreens pharmacy and asked for a print out of his prescriptions. Along with his list they also included mine my nephews my cousins and a sister inlaws list of prescriptions. I realize you cannot sue under current hipaa laws is there anything else to provide a cause of action, I live in Wisconsin.

  19. An employee, health unit coordinator, looked at my medical records,those were out her assigned unit. She looked at them 4 different times. What are my chances to win a HIPAA case against the clinic?

  20. If I cannot sue the clinic under HIPAA, is there any other way I can sue the clinic? I live in Minnesota. Can I sue the employee?

  21. Supervisor at work told co worker about my medical information that I did not want others to know and she told a delivery driver also………what I s possible in this case.


  22. And I work for the florida department of corrections in the pharmacy……my supervisor is a pharmacist…and we go through training every year about hippa.

    thanks again

  23. My sister and I have been seeing the same pt for years for different things recently my younger cousin started seeing her for some back pain 3x a week , I had no ideas of the visits until my cousins mom and I had lunch and she was telling me how the pt talked about my sister and I all the time about our injuries and how my sister got better faster than I because I am overweight , how in genral My sister is the good one I am the bad one ect, ect, my sister and I both want to take action aginst her can we sue her ?

Submit a Comment

Share This

Share This

Share this post with your friends!