Skip to main content

I believe my local health clinic violated HIPAA. What can I do?

Cadillac, MI |

I recently received a letter form the clinic stating, "A medical assistant viewed your record and saw your name, contact information, and the results of a test ... The employee disclosed this information to a member of his household."

+ Read More

Attorney answers 3


The federal agency in charge of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (HIPPA) is the Health and Human Services Department. The complaint mechanism for a person to follow is to go about filing a complaint with the federal Health and Human Services department if you have experienced a HIPPA violation. The federal HIPAA statute does not provide anyone, including any person, with a private cause of action in the courts. This means that even for a violation by your doctor or other medical personnel, a person cannot bring a lawsuit. A person may, however, use the complaint mechanism by filing a complaint with the federal Health and Human Services department. That HHS Department can and may follow up on a reported HIPAA violation. Complaint forms are available on the Internet.


The letter you got is an indication that the clinic is doing what it is supposed to under the law - part of which is notify you when a "breach" of your information occurs. They are also required to tell the Office for Civil Rights mentioned in my colleague's answer. So you can file a complaint but it will just (hopefully) "meet up" with the report from the facility. OCR will require the facility to demonstrate how it has fixed the problem - they won't do anything in addition just because of your complaint unless there are additional facts that you provide to them.

It is possible that there is a common law claim under Michigan law for some sort of damages relating to loss of privacy, but you'd need to hire a lawyer there to analyze this under the facts and circumstances of your case. If you didn't know about the breach until you got the letter, it doesn't sound like you have had special damages arising from this (loss of a job, loss of something else), which would probably be necessary to get an attorney interested in working on your behalf unless you are willing to pay up front for his/her services.

This response is intended to provide general information, but not legal advice. The response may be different if there are other or different facts than those included in the original question. See for more information on why this communication is not privileged or create an attorney-client relationship.


You can file a complaint with the clinic or governing agency. The clinic has already disclosed to you what it discovered, and may have taken disciplinary action against the employee.

We do not have a client/attorney relationship until you make an appointment, we discuss your case face to face, I accept a retainer, and we explictly agree to enter into representation.



Isn't there stiff financial consequences for violating patient information?



This institution won't reveal the identity of the individual that exploited my information.

Barry Franklin Poulson

Barry Franklin Poulson


HIPAA provides no private cause of actions, that is, no ability to sue. As my colleague suggests, you might be able to make out some common law action. You say exploit, and that may be your key. How was the information exploited, that is, how was it used to cause you injury?

Business topics

Recommended articles about Business

What others are asking

Can't find what you're looking for?

Post a free question on our public forum.

Ask a Question

- or -

Search for lawyers by reviews and ratings.

Find a Lawyer