Medical data is extremely personal, and exposure of this private information can have a significantly negative impact on an individual's life. That's one of the reasons why the Health Insurance Portability Accountability Act (HIPPA) was put in place to hold people and agencies with access to sensitive medical data responsible for protecting patient privacy. While HIPPA laws provide the federal government with the ability to levy civil and criminal penalties against violators, many victims of data breaches wonder if they can use these same laws to sue for personal injury damages related to exposure of their medical data. While this is possible, some legal maneuvering is required.
HIPPA Has No Direct Cause of Action
The problem with suing for damages related to HIPPA violations is the law only provides the government with the ability to penalize violators civilly and criminally. It doesn't provide a cause of action for victims to sue in civil court for damages. This means you cannot walk into a courtroom and sue the defendant for the violation itself.
However, a HIPPA violation can form the basis for other types of lawsuit. It can be used to establish a duty of care in a medical malpractice lawsuit, for instance, and let a victim collect damages based on that tort law. Other common law principles that can be used to recover damages for injuries or losses include negligence, invasion of privacy, and defamation.
For example, a well-known drugstore chain was ordered to pay a victim $1.44 million after one of its pharmacists accessed the individual's private medical information and relayed that information to an unauthorized party. The person in question had previously dated the pharmacist's husband. For unknown reasons, the pharmacist shared information about the person's prescription history with her husband who, in turn, told three other people and threatened to use the information against the victim. The victim sued for breach of privacy using the HIPPA violation as proof and won both the original lawsuit and the appeal.
Challenges to Litigating Your Case
The first challenge is showing the violator is subject to HIPPA laws. These laws only apply to the entities defined by the U.S. Department of Health and Human Services and include:
- Healthcare providers such as doctors, clinics, psychologists, nursing homes, and pharmacies
- Entities that provide health plans such as health insurance companies, corporations that offer private health plans, and government agencies
- Healthcare clearinghouses that process medical information received from other entities
The business associates of these entities are also covered. For instance, if a doctor hires a computer programmer to create a proprietary system to organize patient information, that person would also be required to comply with HIPPA laws. Both the programmer and the doctor who hired the individual could be held liable for violations.
However, this also means that you can't use a HIPPA violation in a case against someone who isn't covered under the law. For instance, someone in the human resources department at your company gains access to your medical information and shares it with a third party. This person is generally not guilty of violating HIPPA laws if he or she is not involved in the administration of a health plan.
Another challenge you may face is proving you sustained compensable damages as a result of the breach. For instance, if you lost your job because your employer learned you had HIV because of a data breach, then you could sue the responsible party for lost wages and other related damages. On the other hand, if the breach didn't result in any adverse effects or losses for you, then you may have a difficult time collecting compensation for the violation.
Suing for HIPPA violations can be challenging. It's a good idea to connect with a personal injury attorney who can help you develop a viable case and obtain the outcome you want.