There is no private right of action under HIPAA. You can report this to the Department of Health and Human Services as well as the Medical Board of New Jersey and they may want to investigate and take action against this facility/physician for possible HIPAA violations, but you can not sue. For a regular invasion of privacy lawsuit, most states require that you show the court with evidence that you suffered economic damages as a result of the invasion of privacy. An attorney will typically want at least a $5000 retainer plus his/her hourly fee, this is not the type of case usually taken on contingency. You say the info was possibly released "to the state" but you don't state the context. There are exceptions and instances where release of this type of info is allowed i.e., you are on some kind of assistance program dependent on disability and therefore the physician is fulfilling the requirement of reporting (read the paperwork you were given when you signed up for the program)--I don't know because the details have not been provided. You can always consult a local health law or privacy attorney to be sure.
We do not have an attorney-client relationship. I am not your lawyer. The statements I have made do not constitute legal advice. Any statements I have made are based upon the very limited facts you have presented, and under the premise that you will consult with a local attorney. This is not an attempt to solicit business. This disclaimer is in addition to any disclaimers that this website has made. I am only licensed in California.
I would suggest you contact an attorney in your area immediately. I agree that you can report this to the Department of Health and Human Services as well as the Medical Board of New Jersey if you have proof and are not merely speculating. Further, I agree with my colleague that there are times where a doctor is allowed to release this information, i.e government benefit programs, etc.
This office does not represent you. This email does not form any attorney / client relationship. In order to form an attorney client relationship with our office, our office requires both a signed retainer and payment of any initial fee. Further, since we have very limited facts relative to your matter, you should not rely on any of the general advice set forth within our answer. I would strongly recommend that you speak with counsel regarding your issue.
For certain purposes, the HIPAA Privacy Rule permits covered entities such as physician practices to disclose minimally necessary protected health information (PHI) about you to government agencies without your authorization. Generally, this type of disclosure is permitted for public health activities such as tracking diseases and medical devices as well as health care oversight activities. Covered entities can generally disclose minimally necessary PHI to Medicare and Medicaid or other government payor programs for payment purposes without your authorization under the HIPAA Privacy Rule.
Unless you declined receipt, the Notice of Privacy Practices (NOPP) that you received should included information on this type of disclosure, among other things as will as information about your HIPAA rights. The State of New Jersey may have stricter PHI use/disclosure laws or additional consent requirements.
If you are concerned that the disclosure of PHI was not permissible, contact the physician's privacy officer and file a complaint. You may also file a complaint with the US Department of Health and Human Services Office for Civil Rights. Information about how to file a complaint should be contained in the physician's NOPP.
The information provided is for general purposes only and does not establish an attorney/client relationship.