INDIANAPOLIS — Indiana Attorney General Todd Rokita has filed a lawsuit against IU Health and IU Healthcare Associates claiming they failed to properly report, review and enforce HIPAA law violations.
Rokita's lawsuit stems from the 2022 case in which IU Health OBGYN, Dr. Caitlin Bernard, shared information about providing an abortion to a 10-year-old rape victim from Ohio.
Bernard was eventually penalized by the Indiana Medical Licensing Board with a fine and a letter of reprimand.
The following day, IU Health issued the following public statement.
We appreciate the Medical Licensing Board’s time dedicated to understanding the issues involving our colleague Dr. Caitlin Bernard. We are pleased she will continue to be a member of our medical team and provide compassionate care to her patients. We do not agree with the Board’s decision regarding patient privacy regulations and stand by the HIPAA risk assessment. We believe Dr. Bernard was compliant with privacy laws.
Now, Rokita is seeking punishment for IU Health for their role in the incident.
“We will continue to uphold and protect Hoosier patients’ medical privacy,” Rokita said. “Trust is the foundation of the patient-doctor relationship. Without trust, we don’t have reliable, honest healthcare.”
Rokita's office claims that by publicly contradicting the Medical Licensing Board and contending the doctor’s actions were “in compliance with privacy laws,” IU Health has caused confusion among its 36,000-member workforce regarding what conduct is permitted under HIPAA privacy laws and the Indiana Patient Confidentiality rule.
“Doctors and all health care professionals should be able to rely on their employers and patients should be able to trust their doctors,” Attorney General Rokita said. “When a hospital or other healthcare provider makes your private medical information public, that trust is decimated. As a result, the quality, delivery, and sustainability of our healthcare is significantly weakened.”
The lawsuit consists of the following seven counts against IU Health:
- Failure to implement or follow administrative, technical, and physical safeguards to protect the privacy of protected information
- Failure to document disclosures of personal health information
- Failure to implement or apply and document sanctions
- Failure to appropriately train its workforce
- Failure to notify patients of breach
- Failure to mitigate harm
- Violations of Indiana’s Deceptive Consumer Sales Act
WRTV has reached out to IU Health for a statement.