Indiana Attorney General Sues IU Health for Violating Rape Victim’s Privacy
On Friday, Indiana Attorney General, Todd Rokita, filed a lawsuit in the U.S. District Court for the Southern District of Indiana on behalf of the people of Indiana against University of Indiana Health (IU Health) and IU Health Associates, doing business as IU Health Physicians. The 7-count lawsuit alleges the defendants violated the Health Insurance Portability and Accountability Act (HIPAA) and state laws for failing to protect the privacy of a patient.
The patient in question was a 10-year-old rape victim who sought abortion care at IU Health. The patient and her mother checked into an IU Health-operated hospital on June 29, 2022, to terminate a pregnancy that resulted from the rape. While Indiana has now implemented a near-total ban on abortions following the decision of the Supreme Court to overturn Roe v. Wade, the termination was provided legally at IU Health before the ban took effect.
The lawsuit relates to a news report in the Indianapolis Star that was printed the day after the termination procedure was performed. The newspaper article included a quote from the girl’s OB/GYN doctor, Dr. Caitlin Bernard. Dr. Bernard did not disclose the patient’s name to the reporter, and the girl’s name was not included in the article. The lawsuit claims HIPAA and state laws were violated because “neither the 10-year-old nor her mother gave the doctor authorization to speak to the media about their case.”
IU Health issued statements to various media outlets on July 15, 2023, confirming that a review had taken place and it was determined that the HIPAA Rules had not been violated. IU Health and Dr. Bernard maintain that since no identifying information was disclosed in the comments provided to the Indianapolis Star, no privacy laws or rules had been violated, and HIPAA does not prohibit physicians from talking to the media. Indiana’s medical licensing board did not agree.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
In May 2023, following a 14-hour hearing, the Indiana Medical Licensing Board determined that the doctor’s comments violated the HIPAA Privacy Rule – specifically, 42 C.F.R. §164.502(a) was violated by improperly disclosing patient information and 42 C.F.R. §164.514 was violated by improperly de-identifying patient information, and the doctor had violated the Indiana patient confidentiality rule 844 I.A.C. 5-2-2. The state sought to have Dr. Bernard’s medical license suspended; however, the Licensing Board was content with a $3,000 fine and a reprimand.
AG Rokita has chosen to continue to pursue the doctor and IU Health over the matter, claiming in the lawsuit that “rather than protecting the patient, the hospital chose to protect the doctor, and itself.” The lawsuit claims IU Health has terminated non-physician employees for far less egregious patient privacy violations yet chose to take no action against the doctor after the board determined that the HIPAA Rules had been violated. Further, rather than accept the Licensing Board’s decision, IU Health issued a public statement the day after the ruling stating it disagreed with the determination and continued to maintain that federal and state privacy laws had not been violated.
“By publicly contradicting the Medical Licensing Board by contending [the doctor’s] actions were “in compliance with privacy laws,” and through its inconsistent application of its privacy policies and sanctions among its 36,000 member workforce, [IU Health] has created confusion regarding what conduct is permitted under HIPAA privacy laws and the Indiana Patient Confidentiality rule.”
The lawsuit consists of 7 counts against IU Health:
- Failure to implement or follow administrative, technical, and physical safeguards to protect the privacy of protected information.
- Failure to document disclosures of personal health information.
- Failure to implement or apply and document sanctions.
- Failure to appropriately train its workforce.
- Failure to notify patients of a breach.
- Failure to mitigate harm.
- Violations of Indiana’s Deceptive Consumer Sales Act.
The lawsuit seeks statutory damages, attorneys’ fees, and legal costs, and requests the court issue a permanent injunction to prevent IU Health and the other defendants from violating HIPAA. AG Rokita said he is seeking the maximum fines, restitutions, penalties, and damages that are permitted by HIPAA and Indiana’s medical privacy laws.
“At IU Health, we hold ourselves accountable every day for providing quality healthcare and securing privacy for our patients,” said IU Health in a statement in response to the lawsuit. “We continue to be disappointed the Indiana Attorney General’s office persists in putting the state’s limited resources toward this matter.”
