They also have the right to complain about the unauthorized disclosure of their PHI.
Unless the patient has suffered a physical or financial harm due to the unauthorized disclosure of their PHI, they will not be able to bring a civil action against the negligent party. However, Covered Entities and Business Associates who violate HIPAA for personal gain, false pretenses or other personal gain will have criminal penalties imposed upon them by the Office for Civil Rights that could result in up to ten years´ imprisonment.