The headline above may cause a bit of puzzlement for longtime HIPAA experts, covered entities (CEs) and others. That’s because they know that, at least currently, the HHS Office for Civil Rights (OCR) actually has no role in providing payments to people who have been harmed by having their privacy violated by medical organizations.
But OCR should be in the business of compensating people—and would be had it completed a task Congress gave it 10 years ago.
HIPAA did not create a private right of action, meaning there was no natural or easy way for individuals to sue for violations of that law. Cases have been brought by individuals, however, beginning in 2010, after an enterprising attorney with a solo practice in Indiana conceived of suing a CE for malpractice and using HIPAA as the standard that had been violated. Neal Eggeson would go on to collect millions on behalf of individual patients, and now devotes his practice solely to medical privacy litigation. (An upcoming issue of RPP will feature a Q&A with Eggeson.)
In recent years, cases have also been brought based on violations of state privacy laws. Class action suits have proliferated, but these typically provide a few thousand dollars to patients who are named in a suit and the value of credit monitoring to the rest of the litigation class (“In Sign of Growing State Might, Premera Pays $10M to 30 AGs, $74M to Resolve Class Action,” RPP 19, no. 8). Additionally, a $1 million judgment that a patient won against a California psychiatrist for reporting a patient she believed to be homicidal was recently reaffirmed by the trial judge, but the doctor plans to appeal (“Judge Upholds $1M Award for Psychiatrist's Warning of Possible Shooting; Appeal Begins,” RPP 19, no. 8).