Indiana Attorney General Drops Privacy Lawsuit Against IU Health
Indiana Attorney General Todd Rokita has dropped a privacy lawsuit against IU Health and IU Health Associates that alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and the Indiana Deceptive Consumer Sales Act for failing to protect a child’s protected health information. The lawsuit stemmed from comments made to the media by IU Health obstetrician-gynecologist Dr. Caitlin Bernard about an abortion she provided to a 10-year-old patient. The girl was the victim of a rape and could not legally have an abortion in her home state. She traveled to Indiana where abortions could be legally provided. The state has since updated its law and has made abortion illegal, except in very limited circumstances.
IU Health investigated Dr. Bernard over the disclosure and was satisfied that the HIPAA Rules had not been violated. Dr. Bernard provided comments to a reporter from the IndyStar but did not disclose the patient’s name, only her age, home state, and gender. The Indiana Medical Board determined that sufficient information had been disclosed to allow the girl to be identified. Dr. Bernard was fined $3,000 for the violation but faced no further sanctions.
AG Rokita’s lawsuit against IU Health was filed on September 15, 2023, in the U.S. District Court for the Southern District of Indiana. The 7-count lawsuit alleged the defendants failed to implement or follow administrative, technical, and physical safeguards to protect the privacy of protected information, failed to document disclosures of personal health information, failed to implement or apply and document sanctions, failed to appropriately train its workforce, failed to notify patients of a breach, and failed to mitigate harm, in violation of Indiana’s Deceptive Consumer Sales Act and HIPAA. The lawsuit sought damages, legal costs, attorneys’ fees, and a permanent injunction preventing the defendants from violating HIPAA.
IU Health initially refused to cooperate with the Office of the Attorney General and sought to have the case dismissed. In June 2024, a District Court judge granted the motion to dismiss, as the conclusions drawn by the state that IU Health had violated HIPAA, such as by failing to provide appropriate HIPAA training to the workforce, were not supported by facts. AG Rokita filed an amended complaint a month later. Through discovery, the state obtained documentation from IU Health that confirmed that the deficiencies stated in the initial and amended complaint had been addressed since the publication of the IndyStar story.
The state was satisfied that IU Health is continuing to train its employees not to talk about patients in public areas, and employees are told that if they are contacted by reporters, they are required to notify Public Relations or IU Health Corporate Communications prior to any responsive communication so management can verify that the required patient authorizations have been obtained.
The training provided by IU Health includes scenarios where a patient is not named but other information is disclosed that would allow that patient to be identified. Training material provided to the state confirms that employees are told that they should never discuss a patient’s health information with the media unless authorization has been obtained in advance from IU Health Corporate Communications. Since the lawsuit was voluntarily dismissed without prejudice, it could be refiled by AG Rokita.
“We are pleased the information this office sought over two years ago has finally been provided and the necessary steps have been taken to accurately and consistently train their workforce to protect patients and their health care workers,” said AG Rokita, implying that corrective actions were taken by IU Health in response to Dr. Bernard’s comments to the media. IU Health maintains that it has always had robust HIPAA compliance policies in place and has provided its workforce with comprehensive training on the HIPAA Rules for many years.


