Can an Individual File a HIPAA Lawsuit?

Maybe you’ve heard the recent news… A few months ago, a giant healthcare provider suffered a massive security breach, exposing the protected health information of dozens of patients. One of these patients, upon being notified of the breach, promptly filed a HIPAA violation lawsuit in federal court, naming the provider as a defendant, asserting a HIPAA breach, and demanding one million dollars in damages…

Specifically, in the HIPAA lawsuit, plaintiff alleged…

Back up for a second.

This HIPAA violation lawsuit was never actually filed. Turns out, you didn’t hear about it after all. Or maybe it was filed, but it was dismissed. In fact, any time an individual plaintiff sues a defendant health care provider based on a HIPAA violation, the court in which the plaintiff files the case will dismiss the “HIPAA lawsuit.”

Why Can’t I File a HIPAA Lawsuit?

Because neither the HIPAA law nor the regulations that implement the law provide for what the law calls a private right of action.

A private right of action is a right possessed by an individual to enforce a law in court when that law has been violated. Under a private right of action, the person claiming a violation files a lawsuit, naming himself or herself as plaintiff, and naming the entity alleged to have violated the law as defendant. Plaintiff typically commences the lawsuit by filing a summons (a notification to the defendant that a lawsuit is being filed against the defendant) and a complaint (a legal document detailing the laws and rights Plaintiff claims were violated, and containing a description of the remedy – money or an injunction, for example – Plaintiff seeks).

If a federal law (also known as a “statute”) specifically states that a private person may enforce his or her rights under that law, the person has a private right of action, and may file a lawsuit.

If a federal law specifically states that a private person may NOT file a lawsuit (because, for example, under the law, the job of enforcing the law is given exclusively to the federal government), then the person does not have a private right of action, and may not sue.    

But what if a federal law is silent – says nothing one way or the other – about whether a person can file a lawsuit to enforce his or her rights under the law?

No HIPAA Lawsuits Here 

Many federal laws are worded exactly this way – that is, they do not state, one way or the other, whether civil lawsuits can be filed under those laws. 

The general rule, developed by federal courts over the years, is this: when a federal law says nothing about whether an individual can file a lawsuit one way or the other, generally speaking, the person cannot file the suit.

HIPAA is a “says nothing one way or the other” law. Its terms do not mention anything about individual lawsuits, one way or the other. 

Nonetheless, from time to time, despite the implications of this – no lawsuits allowed – a person will file a lawsuit seeking money damages against a health care entity, on the basis of a “HIPAA violation.”

For example, several months ago, a LabCorp patient filed a lawsuit in federal district court (federal trial court). The patient plaintiff alleged that she underwent laboratory testing at the Washington D.C.-based Providence Hospital. She alleged that she was instructed to submit medical information at a computer intake station that she alleged was within earshot and eyesight of another patient using a nearby intake station. 

Before filing the lawsuit, the first patient sent a letter to Providence Hospital, arguing the incident at the computer intake station constituted possible HIPAA Privacy Rule and HIPAA Security Rule violations.

The patient, unsatisfied with the hospital’s response, then filed a complaint with the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS), asserting LabCorp’s alleged failure to make proper “public accommodations” to ensure HIPAA compliant facilities violated the HIPAA Privacy and Security Rules. 

Filing this complaint was hardly unusual. The HIPAA regulations expressly allow individuals to file complaints with the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS). In the complaint, the patient must name the covered entity or business associate involved, and describe the acts or omissions the patient believes violated the requirements of the Privacy, Security, or Breach Notification Rules. OCR then investigates the allegations, and when it is done investigating, it issues a letter describing the resolution of the investigation.

In this case, OCR, after its investigation, informed the patient that it would not be taking further action on her complaint, because, in OCR’s determination, the patient’s HIPAA rights were not violated by either the hospital or LabCorp.

The patient, undeterred by this finding, filed her lawsuit in federal court, with her single claim consisting of an allegation that LabCorp violated her HIPAA Privacy Rule and Security Rule rights.

The court dismissed her HIPAA lawsuit. The court, in its ruling, stated:

“LabCorp’s alleged HIPAA violation is the only cause of action included in the case, and that given the clear consensus among courts that have addressed the question, no private action exists under HIPAA, the patient has failed to state a claim upon which relief can be granted.” 

The court’s legalese translates simply to this: There is no HIPAA private right of action. The law does not permit Plaintiff’s HIPAA lawsuit to go forward. Therefore the HIPAA lawsuit must be dismissed.

This case reaffirmed the precedent that individual patients cannot file a HIPAA lawsuit (a lawsuit for alleged HIPAA violations), because there is no language in the HIPAA law or regulations allowing a private right of action. Rather, as courts have held, only OCR and state attorneys general can file lawsuits against healthcare organizations for alleged HIPAA violations.

Is All Hope Lost? Here Come The States

While the federal law of HIPAA, as interpreted by federal courts, does not allow for a private HIPAA lawsuit, a number of individual states do allow for lawsuits whose facts amount to a HIPAA violation. These lawsuits cannot, as noted above, be “HIPAA lawsuits” – that is, plaintiffs suing in state court cannot assert that their cause of action (theory of the case) is “a HIPAA violation.”

Plaintiffs CAN, however, get their way into state court, by alleging that the HIPAA violation amounted to a violation of a state consumer privacy law or data security law. Plaintiffs here are not stuck with the “no private right of action” hurdle, and can file suit, as long as:

  • The state consumer privacy law or data security law expressly provides for lawsuits to be filed, and 
  • The lawsuit is alleging a violation of the state’s privacy or data security law (as opposed to a “HIPAA violation”). 

Therefore, covered entities and business associates are well-advised to implement robust protections for the privacy and security of consumer data, including health information.

Compliancy Group Simplifies HIPAA Compliance

Compliancy Group was founded to help simplify the HIPAA compliance challenge. We give health care organizations everything they need to address the full extent of the HIPAA regulations.

Our ongoing support and web-based compliance app, The Guard™, give healthcare organizations the tools to address the law so they can get back to confidently running their business.
