Legal: Evaluate HIPAA compliance program

Q. Can a person or entity sue for a HIPAA violation?
Friday, October 25, 2013

A. Generally, no. HIPAA requires covered entities to maintain the confidentiality of patients’ medical records and other protected health information. If an entity violates HIPAA, the Department of Health and Human Services may impose a civil or criminal penalty against the violator. HIPAA does not give a person or entity the right to file a lawsuit based on a HIPAA violation. However, recent cases may offer a new twist on an old rule.

In Acosta v. Byrum, 180 N.C. App. 562, 638 S.E.2d 246 (2006), the plaintiff, Heather Acosta, used the privacy and security provisions of HIPAA to establish the standard of care owed by Dr. David Faber with regard to Acosta’s medical records. Acosta was an employee and a patient of Faber’s at Psychiatric Associates of Eastern Carolina. Another defendant, Robin Byrum, was the office manager at Psychiatric Associates. Acosta claimed that Faber improperly allowed Byrum to use Faber’s medical record access code numerous times, and that while using that access code, Byrum retrieved Acosta’s confidential psychiatric and medical records and then provided information contained in those records to third parties.

Acosta filed suit in North Carolina state court alleging invasion of privacy and emotional distress. Acosta claimed that Faber violated HIPAA by allowing Byrum to use his access code. The Court noted that Acosta did not bring a claim under HIPAA itself, but simply used HIPAA to establish the “duty of care owed by Dr. Faber with regard to the privacy of the plaintiff’s medical records.” Because Acosta did not sue Dr. Faber for violating HIPAA and simply used HIPAA to establish the standard of care, Acosta was not precluded from bringing her claim.

To recap, individuals do not have a private right to sue covered entities for violations of HIPAA. However, individuals have found a way to circumvent this preclusion by filing causes of action in state courts. Covered entities should re-evaluate their HIPAA compliance program and ensure mechanisms are in place to safeguard against violations of HIPAA.

Edward Vishnevetsky is an associate with Munsch Hardt Knopf & Harr. Reach him at 214-855-7546.