Every month, patients contact OCR after discovering a hospital shared their medical records without authorization, a business associate lost a laptop containing thousands of patient files, or an employee snooped through records out of curiosity. The first question is almost always the same: can I sue for a HIPAA violation? The answer is more nuanced than most people expect — and it catches both patients and healthcare organizations off guard.
Why HIPAA Does Not Create a Private Right of Action
Here is the hard truth that surprises nearly everyone: HIPAA itself does not give individuals the right to sue. Congress designed the statute as a regulatory framework enforced by the federal government — specifically the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). The Privacy Rule (45 CFR Part 164, Subpart E) and the Security Rule (45 CFR Part 164, Subpart C) impose obligations on covered entities and business associates, but they do not create a private cause of action for patients.
Courts have consistently upheld this interpretation. In Acara v. Banks (2006) and numerous subsequent decisions, federal courts have ruled that individuals cannot bring a lawsuit solely on the basis of a HIPAA violation. This means you cannot walk into a courtroom and file a complaint citing HIPAA as your legal basis for damages.
What Legal Options Exist if You Can't Sue Under HIPAA Directly
The fact that you cannot sue under HIPAA directly does not mean you have no legal recourse. In my work with covered entities, I regularly see cases where a HIPAA breach becomes the factual foundation for claims brought under other legal theories. These include:
- State privacy and data breach laws: Many states — including California, Texas, and New York — have their own health privacy statutes that do allow individuals to sue. Some carry statutory damages, meaning you do not have to prove specific financial harm.
- Negligence: If a covered entity or business associate failed to implement reasonable safeguards for your protected health information (PHI), an attorney can argue they breached a duty of care. The HIPAA Security Rule standards often serve as evidence of what "reasonable" looks like.
- State consumer protection statutes: Unauthorized disclosure of PHI may violate unfair or deceptive trade practices laws in your state.
- Breach of contract: If a provider's Notice of Privacy Practices or a signed agreement promised specific protections and those protections failed, a breach of contract claim may be viable.
- Intentional infliction of emotional distress: In egregious cases — deliberate snooping by an employee, sharing records with a patient's abuser — courts have allowed tort claims to proceed.
So while the answer to "can I sue for a HIPAA violation" is technically no under federal law, the violation itself frequently opens the door to state-level claims that can result in significant damages.
How OCR Enforcement Actually Works for HIPAA Violations
Because you cannot sue under HIPAA directly, OCR enforcement is the primary federal mechanism for accountability. Any person can file a complaint with OCR within 180 days of discovering a HIPAA violation. OCR investigates, and consequences for covered entities range from corrective action plans to civil monetary penalties.
The numbers are not trivial. In 2023, OCR collected over $4 million in HIPAA enforcement actions. Penalty tiers under the HITECH Act range from $137 per violation (for unknowing violations) up to approximately $2,067,813 per violation for willful neglect that is not corrected. Criminal violations — prosecuted by the Department of Justice — can result in fines up to $250,000 and imprisonment up to 10 years.
Healthcare organizations consistently underestimate how quickly an OCR investigation escalates. A single patient complaint can trigger a comprehensive review of your risk analysis, workforce training records, business associate agreements, and breach notification procedures.
What Covered Entities Should Do to Reduce Legal Exposure
If you are running a covered entity or business associate operation, the question "can I sue for a HIPAA violation" should concern you from the defense side. Even though HIPAA does not create a private lawsuit, your organization's HIPAA compliance posture directly affects your exposure under state law claims and OCR investigations.
Three steps reduce that exposure dramatically:
- Conduct and document a thorough risk analysis. The Security Rule requires it under 45 CFR § 164.308(a)(1)(ii)(A). OCR cites the lack of a current risk analysis in the majority of enforcement actions. This is not optional.
- Enforce the minimum necessary standard. Every access to PHI must be limited to the minimum amount needed for the intended purpose. Snooping incidents — where employees access records they have no legitimate reason to view — are among the most common triggers for patient complaints and state-level lawsuits.
- Train your entire workforce annually and document it. Under the Privacy Rule (45 CFR § 164.530(b)), every member of your workforce must receive HIPAA training. Documented completion of a comprehensive HIPAA training and certification program is one of the strongest pieces of evidence you can present in your defense during an OCR investigation or state court proceeding.
The Role of Business Associates in HIPAA Liability
Since the Omnibus Rule of 2013, business associates are directly liable for HIPAA violations. If a third-party vendor, IT contractor, or billing company mishandles your patients' PHI, both the business associate and your organization can face consequences. Patients pursuing state-law claims often name every entity in the chain of custody.
This is why business associate agreements must be current, specific, and enforceable — and why your partners need to demonstrate their own HIPAA compliance, not just sign a form.
Protecting Your Organization Before a Complaint Arrives
OCR has made clear through its enforcement patterns that proactive compliance is the strongest defense. Organizations that can demonstrate ongoing workforce training, a current risk analysis, updated policies, and proper breach notification procedures face dramatically lower penalties — and are far harder targets for state-law litigation.
The time to act is before a patient files a complaint, not after. Investing in workforce HIPAA compliance is the most cost-effective risk mitigation strategy available to any covered entity or business associate.
Whether you are a patient exploring your legal options or a healthcare organization preparing your defenses, the answer to "can I sue for a HIPAA violation" is the same: not under federal HIPAA law — but the consequences of a violation extend far beyond what HIPAA itself prescribes. The real question is whether your organization is ready for what comes next.