In this morning’s Roanoke Times,was an article about employees at a local hospital who were fired when the administration realized these employees had accessed someone’s personal health care records in violation of federal law.
We get calls about potential HIPAA violations all the time. The general public assumes that if an employee wrongfully accessed or shared their information, and a HIPAA violation occurred, that the person whose information was wrongfully shared has the right to file suit against the company, facility or individual and seek money damages.
We often explain to these callers that under state and federal law, there is no private right of action. Though you can file a complaint through the Federal Department of Health and Human Services, and that your state Attorney General’s office can then investigate the claims, you cannot just go to the court house and allege your private information has been wrongfully accessed. Nor can you the victim of the breach, recover financially.
To file a complaint – visit the HHS website here for exact complaint procedures.
You could also notify the facility of the alleged access and ask them to check the electronic medical record system which should capture who has accessed the patient’s chart. Best case scenario for the victim, is the person is fired or reprimanded and the responsible party fined.
Individuals however will not recover themselves for the breach. While I am not sure a fine is enough of a punitive measure to deter future violations, the law is the law and currently individuals cannot recover financially if their information has been accessed in violation of HIPAA.