In 2023, a patient in Texas discovered her therapist had disclosed session notes to a family member without authorization. She hired an attorney, filed suit citing HIPAA, and the case was dismissed. The reason: there is no HIPAA private cause of action. Although it is one of the most misunderstood points of health privacy law, this principle has been affirmed by federal courts for over two decades — and it has significant implications for both patients and covered entities.

What HIPAA Private Cause of Action Actually Means

A private cause of action is a legal right that allows an individual to file a civil lawsuit directly under a specific statute. Many federal laws grant this right. HIPAA does not.

Congress designed HIPAA enforcement to flow through two channels: the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and, in certain cases, state attorneys general. The statute at 42 U.S.C. § 1320d-6 establishes criminal penalties enforced by the Department of Justice, but nowhere in HIPAA's text does Congress authorize private individuals to bring lawsuits for violations of the Privacy Rule, Security Rule, or Breach Notification Rule.

Federal courts have been remarkably consistent on this point. From Acara v. Banks (5th Cir. 2006) to Dodd v. Jones (10th Cir. 2010) and numerous district court decisions since, the judiciary has held that no HIPAA private cause of action exists under federal law.

Why Patients Still File Lawsuits — and Sometimes Win

The absence of a HIPAA private cause of action does not mean patients have zero legal recourse. In my work with covered entities, I consistently see organizations underestimate the indirect legal exposure that HIPAA violations create.

Plaintiffs' attorneys have found effective workarounds. The most common strategies include:

  • State law negligence claims: Attorneys argue that HIPAA's Privacy Rule establishes the standard of care for handling protected health information (PHI). A violation of that standard can support a negligence claim under state tort law.
  • State privacy statutes: States like California (CMIA), Texas (THIPA), and Illinois have enacted health privacy laws that do include private rights of action, often with statutory damages.
  • Breach of contract: If your Notice of Privacy Practices or patient agreements promise certain protections, a failure to deliver can become a contractual dispute.
  • Negligence per se: Some state courts accept HIPAA regulations as evidence of the applicable standard, effectively allowing HIPAA violations to serve as the basis for a negligence per se argument.

The practical result: even though a patient cannot sue you under HIPAA itself, your HIPAA violations can still be used against you as evidence in state court litigation.

OCR Enforcement: The Primary Accountability Mechanism

Since patients cannot pursue a HIPAA private cause of action, OCR serves as the primary enforcement body. And OCR has teeth. Between 2003 and 2024, OCR secured over $142 million in settlements and civil monetary penalties.

OCR investigates complaints filed by individuals, conducts compliance reviews, and can refer cases to DOJ for criminal prosecution. Penalties under 45 CFR § 160.404 are tiered based on the level of culpability:

  • Tier 1 (lack of knowledge): $137 to $68,928 per violation
  • Tier 2 (reasonable cause): $1,379 to $68,928 per violation
  • Tier 3 (willful neglect, corrected): $13,785 to $68,928 per violation
  • Tier 4 (willful neglect, not corrected): $68,928 per violation, up to $2,067,813 per calendar year for identical provisions

These figures are adjusted annually for inflation. Your organization faces these penalties regardless of whether a patient can personally sue under HIPAA.

How State Attorneys General Expand Enforcement Reach

The HITECH Act of 2009 gave state attorneys general the authority to bring civil actions on behalf of state residents for HIPAA violations. This effectively created a second enforcement lane that many healthcare organizations overlook.

States including Indiana, Massachusetts, New York, and New Jersey have actively used this authority. In several cases, state AG actions have resulted in six-figure settlements — separate from and in addition to any OCR penalties. For covered entities and business associates operating across multiple states, this multiplies compliance risk significantly.

Healthcare organizations consistently struggle with a dangerous assumption: because there is no HIPAA private cause of action, they believe PHI mishandling carries limited legal risk. This thinking ignores the convergence of OCR enforcement, state AG actions, and state tort claims that can stack on top of each other after a single incident.

A single impermissible disclosure of PHI can simultaneously trigger an OCR investigation, a state attorney general inquiry, and a state-law negligence lawsuit — all from the same set of facts. The absence of a federal private right of action provides far less protection than most organizations assume.

The most effective defense against both regulatory enforcement and state-law litigation is demonstrable, documented compliance. OCR has repeatedly stated that organizations with robust compliance programs receive more favorable treatment during investigations.

Here is where your investment matters most:

  • Workforce training: Every member of your workforce — employees, volunteers, trainees — must receive training on HIPAA policies and procedures as required by 45 CFR § 164.530(b). Comprehensive HIPAA training and certification create the documented evidence that protects your organization when a complaint is filed.
  • Risk analysis: The Security Rule requires a thorough and accurate risk analysis under 45 CFR § 164.308(a)(1). Failure to conduct one is the single most cited deficiency in OCR enforcement actions.
  • Minimum necessary standard: Ensure your policies limit PHI access and disclosure to the minimum necessary for each workforce role. This is both a Privacy Rule requirement and a practical defense against negligence claims.
  • Business associate agreements: Every business associate relationship must be governed by a compliant BAA. If your vendor mishandles PHI and you lack a proper agreement, liability flows upstream to you as the covered entity.

Building a culture of compliance through workforce HIPAA compliance programs is not just a regulatory checkbox — it is your best shield against the full spectrum of legal exposure.

What This Means for Your Organization Today

The fact that there is no HIPAA private cause of action under federal law should never be mistaken for safety. OCR enforcement is active, state attorneys general are increasingly aggressive, and plaintiffs' attorneys have become skilled at leveraging HIPAA violations in state court proceedings. Your organization's compliance posture determines whether a PHI incident becomes a manageable event or an existential legal crisis.

Document your training. Complete your risk analysis. Audit your business associate agreements. The organizations that treat HIPAA compliance as ongoing operational discipline — not a one-time project — are the ones that survive enforcement scrutiny and litigation intact.