The Attorney General of Indiana, Todd Rokita, filed a lawsuit on September 15th against Indiana University (IU) Health and IU Healthcare Associates.
What happened
According to the lawsuit filed in federal court, a patient's privacy and state law were violated after a doctor shared the story of a young rape victim seeking abortion care.
The doctor, Caitlin Bernard, shared the patient's story with a reporter at a rally supporting abortion access. According to Dr. Bernard, a 10-year-old rape victim traveled from Ohio to Indiana for abortion care. The information was publicly released in a July 2022 IndyStar article.
After the article was published, IU Health reviewed the case and, at the time, determined that Dr. Bernard had not violated patient privacy laws.
Despite IU Health's review, the case has remained contentious; in May 2023, according to the Indiana Daily Student, the Indiana Medical Licensing Board ruled that Dr. Bernard had breached state and federal privacy laws. Several other medical professionals, the American Medical Association, and Donna Shalala, the former United States Secretary of Health and Human Services and one of the authors of the HIPAA laws, argued that Dr. Bernard did not violate federal laws.
The lawsuit recently filed by Todd Rokita stands by the Medical Licensing Board's ruling. The lawsuit alleges that IU Health illegally supported the doctor and failed to adequately respond to privacy concerns.
Related: Can healthcare providers disclose PHI in the media?
Going deeper
In response to the Indiana Medical Licensing Board ruling, Dr. Bernard was fined $3,000. IU Health responded, saying that they disagreed with the ruling.
The most recent lawsuit from Todd Rokita claims that IU Health did not properly investigate the incident. The lawsuit also alleges that by publicly disagreeing with the Medical Licensing Board's ruling, the hospital is inconsistent with its privacy policies, creating confusion that could further harm patient privacy.
The lawsuit claims that Dr. Bernard should have obtained a HIPAA-compliant authorization signed by the patient or the patient's guardian before discussing the case publicly.
The lawsuit further claims there were several direct consequences of Dr. Bernard's disclosure, including President Biden discussing the incident in a speech and increased media attention on the criminal proceedings against the victim's alleged rapist.
What they're saying
In the lawsuit, the plaintiff claimed that IU Health falsely stated that Dr. Bernard complied with privacy policies. The lawsuit states, "By ratifying Dr. Bernard's conduct, IUH demonstrated to its workforce that discussing a patient's health matter with a reporter was permitted under HIPAA, thereby jeopardizing the privacy of all IUH patients."
IUH sent a statement to the Indiana Daily Student: "At IU Health, we hold ourselves accountable every day for providing quality healthcare and securing privacy for our patients. We continue to be disappointed the Indiana Attorney General's office persists in putting the state's limited resources toward this matter. We will respond directly to the AG's office on the filing."
The big picture
While the case unfolds, it joins a larger conversation on how organizations will protect patient privacy in the face of stricter abortion regulations.
As healthcare organizations, specifically those involved in reproductive healthcare, adjust to legal changes, they must keep patient privacy at the forefront of every decision.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
