Good News! Violations of HIPAA (Health Insurance Portability and Accountability Act) are not a cause of action for a negligence case. However, the Bad News: complaints filed with the Feds over HIPAA violations can be more onerous than a medical malpractice suit. The Feds can impose fines and other sanctions without evidence of damages. And the offended party (the person who had medical records released) can turn around and file an "Invasion of Privacy" lawsuit. But take heart. That kind of lawsuit can be difficult to win. After all, what are the damages if the general public knows you went to the doctor for a cough and sore throat? Release of other kinds of information may be more onerous, depending on the facts.
From The Law Med Blog.
There is much confusion among the general public, and even among health care workers, as to the investigation, penalties and individual rights regarding HIPAA violations. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If an entity is not a covered entity, it does not have to comply with the Privacy Rule or the Security Rule. Covered entities include health care providers, health plans and health care information clearing houses. Your best friend, family member or neighbor, unless they are also your health care provider, is not a covered entity.
The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. HIPAA does not create or allow for an individual to bring a lawsuit against a covered entity. If an individual believes a violation of their right to privacy or private medical information security under HIPAA has occurred, they must file a complaint with the OCR if they wish action to be taken. Individuals of course have the right to file a lawsuit based on violation of privacy, etc., but such lawsuits are not a part of HIPAA itself.
The OCR investigates all complaints according to a defined process. If a violation has occurred, the OCR may fine the entity and/or have the entity take corrective action. For criminal misuse of private information the Department of Justice may bring criminal charges.
An individual, as was the case before HIPAA, may file a lawsuit under the common law tort of invasion of privacy if personal medical information is used inappropriately. However, the lawsuit may NOT be based on HIPAA rules being violated. Such lawsuits must meet the following elements to prevail:
1. Defendant publicized a matter concerning the private life of plaintiff.
2. The matter would be highly offensive to reasonable persons.
3. The matter is not one of legitimate concern to the public.
4. Plaintiff suffered damages as a direct result.
Unlike HIPAA violations where an entity can be fined by the government for the violation itself independent of any damage or harm caused, a lawsuit for invasion of privacy must show damages. The act of invading one’s privacy, while necessary to mount a claim, is in and of itself not evidence of damage and insufficient for a lawsuit.
I found this description of Invasion of Privacy online. It seems about as good as any.
Invasion of privacy n. the intrusion into the personal life of another, without just cause, which can give the person whose privacy has been invaded a right to bring a lawsuit for damages against the person or entity that intruded. However, public personages are not protected in most situations, since they have placed themselves already within the public eye, and their activities (even personal and sometimes intimate) are considered newsworthy, i.e. of legitimate public interest. However, an otherwise non-public individual has a right to privacy from: 1) intrusion on one's solitude or into one's private affairs; 2) public disclosure of embarrassing private information; 3) publicity which puts him/her in a false light to the public; 4) appropriation of one's name or picture for personal or commercial advantage. Lawsuits have arisen from magazine articles on obscure geniuses, use of a wife's name on a hospital insurance form to obtain insurance payment for delivery of a mistress' baby, unauthorized use of a girl's photo to advertise a photographer, and "tabloid" journalism treatment of people as freaks. There are also numerous instances of governmental invasion of privacy such as the Federal Bureau of Investigation compiling files on people considered as political opponents, partially corrected by the passage of the Freedom of Information Act in 1966. The right to privacy originated with an article in the Harvard Law Review in the 1890s written by lawyers "Bull" Warren and future Supreme Court Justice Louis D. Brandeis.