Monetary damages for HIPAA violations are possible under certain circumstances, but you’ll need the help of an experienced attorney. There is no HIPAA violation reporting award just for having your or a loved one’s information compromised. While your information may have been improperly disclosed, the same law that addresses the handling of your protected health information also protects entities HIPAA applies to from most lawsuits. That does not, however, mean you may not be owed damages, but it depends on the context surrounding the HIPAA violation.
What is HIPAA?
HIPAA is short for Health Insurance Portability and Accountability Act of 1996, HIPAA made some big changes to how private health insurance and medical providers worked in the United States of America. HIPAA protected workers who lost their job from being unable to get coverage for pre-existing conditions if they’d been previously insured, established guidelines for pre-tax spending accounts, set the rules for company-owned life insurance policies, and established some rules for group health plans.
What HIPAA is most known for, however, is the requirements it puts on covered entities to keep your protected health information (PHI) safe. Applying to healthcare providers, insurance plans, clearinghouses that process PHI, and business associates of other covered entities, Before your PHI can be disclosed, the entity must have a written PHI disclosure authorization form on file giving your consent. Even with that consent, they have a responsibility to provide only the minimum amount necessary to other entities to fulfill their legitimate information needs, and to non-covered entities, only within the bounds of the approval you’ve granted.
For example, a provider may disclose the information necessary for a billing company to properly code a claim to bill your insurance, but should not also give access to your lab results or x-rays. Alternatively, if you’ve signed a release that your spouse may be given information about your medication in the event of a hospitalization, they should not be given your diagnosis unless that was also authorized by you in writing.
What Happens If There Is A HIPAA Breach?
Even if your PHI has been disclosed without your authorization, you may not be due monetary damages for a HIPAA violation. The first step is to report the violation to the United States Department of Health and Human Services (HHS) within 180-days of the violation.
- HHS Investigation – HHS, through their Office of Civil Rights (OCR), will investigate the entity based on the report you file of what information was released, the parties involved, and the circumstances surrounding that release.
- OCR Determination – The OCR will look at the facts uncovered in their investigation and decide if a HIPAA violation has occurred. They’ll issue a letter that advises you of the investigation’s resolution.
- The Entity Resolves The Complaint – If a violation has occurred, OCR will demand they take certain steps to comply with HIPAA guidelines. They will need to describe the corrective action taken to ensure a violation of that sort does not happen again, and there may be a settlement agreed to based on the severity of the violation. This money, if any, is paid to the federal government, not as monetary damages for a HIPAA violation.
When You Can File A Claim For Damages?
At this point, you are probably wondering, “When can I sue for a HIPAA violation?” In order for you to be considered for a HIPAA violation reporting reward, you must have been damaged financially by the disclosure. While you still can’t sue for the HIPAA violation itself, you can sue for the recovery of monetary damages for a HIPAA violation in civil court. This can let you recoup the expenses caused by the release as well as the money spent to mitigate the damage from the HIPAA violation. In order to sue, the following must be true:
- You Were The Victim Of A HIPAA Violation – Your information must have been disclosed through the mishandling of your PHI in a manner contrary to HIPAA rules. The release must come from a covered entity that you reasonably had cause to believe would protect your information in accordance with HIPAA protocols.
- You Were Damaged Financially – Whether it’s from loss of business, workplace harassment, or defamation, you must illustrate that you were harmed. PHI can contain sensitive personal details about your life as well as about your medical history. In order to succeed in pursuing monetary damages for a HIPAA violation, you must show that you experienced real financial damages due to the violation.
- These Damages Were The Direct Result Of The Improper Release Of PHI – You must also demonstrate that these damages were as a direct result of the breach of your trust in the entity to safeguard your information, without other sources being the likely cause of your PHI being exposed. This places the liability squarely on the shoulders of the company you trusted to protect your PHI.
If these three conditions are met, you may be able to sue for a HIPAA violation and be compensated for the damages done to you.
Filing a Case for Monetary Damages for a HIPAA Violation
If you think you may be entitled to a HIPAA violation reporting reward to recoup damages, then you need to talk to an experienced attorney who’s well-versed in litigation against medical providers. They’ll talk to you about the specifics of your case and help you understand your best options moving forward. With competent legal advice, you can navigate the complex civil procedures to sue for and win monetary damages for a HIPAA violation, and you can start that conversation at no cost to you.
Schedule a free initial consultation with an attorney from Anapol Weiss today. With decades of experience in personal injury and medical malpractice cases, our lawyers have successfully defended the rights of those damaged by an unauthorized HIPAA disclosure. Call today and take the first step toward the compensation you deserve.