Victims of medical data breaches have several legal recourses available to them.
Firstly, the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires covered entities to notify patients when their unsecured protected health information (PHI) is impermissibly used or disclosed. A covered entity that fails to notify the affected patients may face penalties from the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS).
However, it’s important to note that while HIPAA provides protections for patients’ health information, it does not provide a private cause of action. This means that patients cannot sue for HIPAA violations directly under federal law. Instead, patients can submit a HIPAA complaint to the OCR or their state attorney general’s office.
In some cases, patients may be able to file a lawsuit against the party who compromised their information, typically alleging negligence or noncompliance with state and federal breach notification laws. These lawsuits often claim that the organization should have implemented stricter security controls to prevent the breach.
In addition to these legal recourses, victims of medical data breaches can also seek help from data privacy attorneys who specialize in these cases. These attorneys can guide victims through the process of filing a claim and seeking compensation for any damages incurred as a result of the breach.
Lastly, the Federal Trade Commission (FTC) also has rules in place that require vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. If these entities fail to comply with the FTC’s Health Breach Notification Rule, they may face penalties.
In conclusion, while victims of medical data breaches cannot sue directly under HIPAA, they have several other legal recourses available to them, including filing a complaint with the OCR or their state attorney general’s office, filing a lawsuit alleging negligence, and seeking help from data privacy attorneys.