Is a HIPAA Violation Considered Medical Malpractice?

A HIPAA violation is not automatically medical malpractice, and the two are legally distinct. HIPAA is a federal privacy law enforced by the government, not by individual patients. You cannot sue a doctor or hospital directly for violating HIPAA. Medical malpractice, on the other hand, is a civil claim you bring yourself, requiring proof that a healthcare provider fell below the standard of care and caused you measurable harm. However, the same event that triggers a HIPAA violation can sometimes form the basis of a malpractice or privacy lawsuit under state law.

Why HIPAA Alone Doesn’t Let You Sue

HIPAA has no “private right of action,” which is the legal term for an individual’s ability to file a lawsuit under a statute. Enforcement belongs to the government: the Office for Civil Rights (OCR) at the Department of Health and Human Services investigates complaints and imposes civil penalties, and since the 2009 HITECH Act state attorneys general may also bring civil actions under HIPAA on behalf of their residents. Those penalties are significant: the inflation-adjusted civil penalties currently start at $145 per violation for breaches the provider did not know about and could not reasonably have known about, with an annual cap of about $2.19 million for identical violations, the highest tier being willful neglect that goes uncorrected. But that money goes to the government, not to you.

This surprises many people. If a hospital employee snoops through your medical records or a clinic faxes your health information to the wrong person, you might assume you can take legal action under HIPAA. You can file a complaint with OCR, and the government may investigate and impose fines, but you personally cannot collect damages through a HIPAA-based lawsuit.

What Medical Malpractice Actually Requires

A successful medical malpractice claim requires four elements. First, the provider owed you a legal duty of care, which is established the moment a doctor-patient relationship exists. Second, the provider breached that duty by failing to meet the accepted standard of their profession. Third, that breach directly caused you harm. Fourth, you suffered actual damages, whether financial, physical, or emotional, that the legal system can compensate.

A privacy breach doesn’t fit neatly into this framework. Malpractice typically involves clinical errors: a missed diagnosis, a surgical mistake, a wrong medication. Disclosing your medical records without permission is a breach of confidentiality, not a failure in clinical treatment. Courts generally treat these as different categories of wrongdoing, which is why a HIPAA violation on its own rarely qualifies as malpractice.

How Patients Can Still Sue for Privacy Breaches

Even though HIPAA doesn’t give you a direct path to court, state laws often do. Courts in numerous states have recognized an independent legal claim, sometimes called a tort, for the unauthorized disclosure of private medical information. A landmark Ohio case, Biddle v. Warren General Hospital, established that “an independent tort exists for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship.” That ruling drew on prior decisions from courts in Pennsylvania, Virginia, Texas, New York, Georgia, Michigan, and more than a dozen other jurisdictions.

The reasoning is straightforward: protecting patient privacy isn’t just an ethical obligation for doctors. It’s a legal one. As one federal court in Ohio put it, “the unauthorized revelation of medical secrets, or any confidential communication given in the course of treatment, is tortious conduct which may be the basis for an action in damages.” So while you can’t sue under HIPAA itself, you can often sue under state privacy law, negligence, or breach of confidentiality for the same underlying facts.

Some states also have their own health privacy statutes that go beyond HIPAA and explicitly allow patients to file civil lawsuits. The legal options available to you depend heavily on which state you live in.

When a HIPAA Violation Supports a Malpractice Claim

There are situations where a privacy breach and malpractice overlap. If a provider’s failure to protect your records also reflects a broader failure in the standard of care, and that failure caused you direct harm, the HIPAA violation can serve as evidence supporting your malpractice claim. For example, if a doctor carelessly discusses your HIV status in a waiting room and that disclosure leads to job loss or emotional distress, a malpractice attorney might argue that the provider’s conduct fell below the professional standard of care.

In these cases, HIPAA standards aren’t the legal basis for the lawsuit, but they help define what “reasonable care” looks like. A jury can consider the fact that federal privacy rules existed, that the provider was required to follow them, and that the provider failed to do so. The HIPAA violation becomes a piece of the puzzle rather than the claim itself.

Employer Liability for Employee Snooping

One common scenario involves a hospital or clinic employee accessing your records out of personal curiosity or malice, then sharing what they found. You might assume the employer escapes liability because the employee was clearly acting outside their job duties. Courts have increasingly pushed back on that assumption.

In a 2020 Indiana case, a hospital employee accessed a patient’s records during normal work duties and then texted the information to her husband. The hospital argued it shouldn’t be held responsible because the employee violated its own policies. The appeals court disagreed, ruling that a jury should decide whether the employee’s misconduct was “incidental” to her authorized duties. The court pointed to three factors: the wrongful act was similar in nature to her authorized job tasks, the misconduct was intermingled with legitimate work, and the employment itself provided the means and opportunity to commit the violation.

The practical effect of rulings like this is that healthcare organizations often can’t escape responsibility simply by pointing to their policies. If an employee used the employer’s systems, during work hours, while performing otherwise authorized tasks, the organization may share liability. This matters for patients because it means you may have a viable claim against the institution, not just the individual employee who accessed your records.

Filing a Government Complaint

If you believe your privacy was violated, you have two separate paths. The first is filing a complaint with OCR, which investigates HIPAA violations at the federal level. Anyone can file a complaint electronically through the OCR Complaint Portal or submit one in writing, but it generally must be filed within 180 days of when you knew, or should have known, about the violation, unless OCR grants an extension for good cause. This process is free and doesn’t require a lawyer, though it also won’t result in direct compensation to you. OCR may investigate, require the provider to change its practices, or impose fines.

The second path is consulting an attorney about a state-level lawsuit for breach of confidentiality, negligence, or invasion of privacy. This is where you could potentially recover damages for financial losses, emotional distress, or reputational harm. Many attorneys who handle medical malpractice cases also handle medical privacy claims, and the initial consultation is often free. The strength of your case will depend on your state’s laws, the severity of the breach, and whether you can demonstrate concrete harm from the disclosure.