The law does not give an individual a civil remedy for a HIPAA violation. The only recourse for a HIPAA violation is to complain to HHS about it. HHS has the power to fine the entity for the improper disclosure. But that doesn't help the OP with the damages from this incident. At least not directly. The OP might threaten to report the violation to HHS unless the OP gets a break on the compensation for the damages the OP caused if doing so would not amount to extortion/blackmail under Arizona law. Some states make that kind of threat a crime; others don't. I've not researched Arizona law on that. I'd suggest the OP consult an Arizona attorney about that before making such a threat. But even if the OP could do that without violating the law, whether the store would be intimidated by that threat is another matter.

