Causes of Action under HIPAA – San Diego Healthcare Law Attorney

As we at the VC Law Group regularly represent healthcare providers in connection with many health law issues, one of the most frequent medical privacy inquiries we receive is whether an individual has a cause of action under the Health Insurance Portability and Accountability Act (“HIPAA”).

While HIPAA encompasses a wide area of compliance issues, it is predominantly known for protecting the privacy of individuals. Specifically, it imposes requirements on healthcare providers aimed at protecting the confidentiality of such information.

However, while HIPAA provides for both civil and criminal penalties, it does not create a private cause of action under federal law. Rather, HIPAA allows individuals to file complaints against covered entities with the U.S. Department of Health and Human Services (the “DHHS”). The DHHS requires that any such complaints (i) be filed within 180 days of when the individual knew that a violation had occurred, unless this requirement is waived by the Secretary of DHHS for good cause; (ii) be written and submitted via U.S. mail or electronically; and (iii) include a name of the covered entity and description of the alleged violation. The covered entity must then provide compliance records and reports with the DHHS and cooperate with the complaint investigation.

While there is no private cause of action under HIPAA, it should be noted that certain attorneys have attempted to circumvent the rule by utilizing state privacy law rules to sue healthcare providers for data privacy violations, as well as use a HIPAA violation as the basis for a negligence per se cause of action.

At the VC Law Group, we represent healthcare providers in numerous health law matters. For more information on causes of action under HIPAA, or any other health law issue, please contact the VC Law Group at or 858.519.7333.