The State Attorney General Won’t Sue You for a HIPAA Violation, So You Won’t Be Sued, Right? Wrong: HIPAA & HITECH Act Blog by Jonathan P. Tomes

The initial conventional wisdom when HIPAA first came out was that a covered entity could not be sued for a HIPAA violation because HIPAA is a federal compliance statute with no so-called private right of action. In other words, the government could enforce HIPAA through its criminal provisions and its federal civil money penalties (“CMPs”)―that is, fines―but aggrieved individuals could not file lawsuits because HIPAA did not contain the magic words authorizing private individuals to sue for its violation. The further thought (one the author never agreed with) was that, because HIPAA preempted state law, individuals could not sue over a HIPAA violation in state court either. Times have changed, and individual lawsuits arising from HIPAA violations are now increasing in state courts. The Acosta case in North Carolina proved the author right, unfortunately for covered entities, when the court held that a woman could sue a mental health practice over the unauthorized disclosure of her mental health condition to others. She did not sue for a HIPAA violation as such; she sued for infliction of emotional distress under state law. The trial court dismissed the case on the ground that HIPAA did not allow for a lawsuit. On appeal, however, the court reversed and let the case proceed, reasoning that it was not a HIPAA case at all but a state law infliction of emotional distress case, so whether HIPAA itself allowed a lawsuit did not matter. The court added that, even though it was not a “HIPAA case,” the plaintiff could put HIPAA into evidence to show that the disclosure was improper. Acosta v. Byrum, 638 S.E.2d 246 (N.C. Ct. App. 2006).

Now, the Arizona Court of Appeals has ruled that a patient may bring a state law negligence lawsuit based on conduct that violates HIPAA. The patient had canceled a prescription for an erectile dysfunction drug at Costco. He subsequently authorized his ex-wife to pick up his regular prescriptions. When she did so, the pharmacist joked with her about the uncollected erectile dysfunction prescription, which was still on file because Costco had failed to cancel the order. The patient had been attempting to reconcile with his ex-wife, and his lawsuit alleged that the improper disclosure ruined that attempt. The Court of Appeals held that Costco owed the plaintiff a duty of care, informed by its own privacy policies and by HIPAA, and that the negligence claim could therefore proceed even though HIPAA itself provides no private right of action. The court sent the case back to the trial court for further proceedings.

The HITECH Act added only a limited form of private enforcement: the individual cannot bring a HIPAA lawsuit in federal court himself or herself but must persuade the state attorney general to sue on behalf of the state’s residents. But if the attorney general declines the case, whether for lack of familiarity with HIPAA issues, too many other cases in the pipeline, or some other reason, the patient still has the option of suing in state court on a state law theory such as negligence or infliction of emotional distress, and, as the Acosta and Costco decisions show, that suit will likely not be dismissed simply because HIPAA lacks a private right of action, especially in North Carolina and Arizona.

This post, like my other posts on this blog, is not meant to scare the snot out of you, but rather to acquaint you with the risks of noncompliance so that you can balance them against the costs of security measures when you do your initial or follow-up risk analyses.

Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.

If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy.

Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: or Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at or 816-527-3858.

Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.

If you have had a security incident that you were unsure what to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at

As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.


seo by: k.c. seo