The lawsuit against IU Health and IU Health Associates filed by Attorney General Todd Rokita of Indiana related to violations of the Indiana Deceptive Consumer Sales Act and the Health Insurance Portability and Accountability Act (HIPAA) has been dismissed. The case revolved around the disclosure of protected health information (PHI) related to a 10-year-old rape victim by IU Health OB-Gyne Dr. Caitlin Bernard. Dr. Bernard had provided an abortion to the young patient, who had traveled to Indiana due to abortion restrictions in her home state. Since then, Indiana has further tightened its abortion laws, making them illegal except in a few cases.
The lawsuit was triggered by Dr. Bernard’s comments to an IndyStar reporter about the abortion case. Although she did not reveal the patient’s name, she mentioned the girl’s age, gender, and home state. IU Health conducted an internal investigation and found no HIPAA violation, as Dr. Bernard did not disclose identifying information directly. However, the Indiana Medical Board concluded that enough details were shared to potentially identify the child, leading to a $3,000 fine for Dr. Bernard, although no further penalties were imposed.
AG Rokita filed the lawsuit on September 15, 2023, in the U.S. District Court for the Southern District of Indiana. The lawsuit had seven counts including IU Health’s failure
- to implement proper administrative, physical, and technical, safeguards to protect health information, as required by HIPAA
- to document disclosures of PHI
- to impose sanctions for violations
- to train employees sufficiently on privacy protection
- to notify patients of a breach as required by HIPAA Breach Notification Laws
- to mitigate harm violating Indiana’s Deceptive Consumer Sales Act and HIPAA
The lawsuit is seeking damages, attorney’s fees, legal fees, and a permanent injunction to prevent future violations.
Initially, IU Health declined to work with the Attorney General’s Office and requested a dismissal of the case. In June 2024, a District Court judge sided with IU Health and dismissed the case, stating that the state’s claims about HIPAA violations, such as the inability of IU Health to provide proper HIPAA training to employees, were unsupported. Despite this, AG Rokita submitted an amended complaint, and through investigation, the state acquired evidence that IU Health had since addressed the issues mentioned in the lawsuit.
IU Health provided documentation showing that they had updated their training procedures and reminded employees about the importance of patient confidentiality. Employees were instructed not to discuss patient details in public spaces or with the media unless proper authorizations were obtained from IU Health Corporate Communications or Public Relations. The updated training covered scenarios where patient identities might be inferred from shared information, even if the patient’s name wasn’t disclosed.
In light of this new information, the Attorney General was satisfied that IU Health had taken necessary corrective actions, such as improving workforce training and reinforcing policies on media communication. Consequently, the lawsuit was voluntarily dismissed without prejudice, meaning it could potentially be refiled if necessary. AG Rokita acknowledged that the steps taken by IU Health were in line with the state’s expectations.
While IU Health expressed satisfaction with the resolution, they maintained that they have always upheld HIPAA compliance policies and have continuously trained their staff on privacy rules. The health system emphasized its commitment to patient confidentiality and HIPAA regulations. AG Rokita’s office indicated that the necessary measures had finally been taken to protect patients and healthcare workers.