Privacy Lawsuit Against IU Health Voluntarily Dismissed

Sep 22, 2024

The lawsuit filed by Indiana Attorney General Todd Rokita against IU Health and IU Health Associates, related to violations of the Indiana Deceptive Consumer Sales Act and the Health Insurance Portability and Accountability Act (HIPAA), has been dismissed. The case revolved around the disclosure of protected health information (PHI) related to a 10-year-old rape victim by IU Health OB-GYN Dr. Caitlin Bernard. Dr. Bernard had provided an abortion to the young patient, who had traveled to Indiana due to abortion restrictions in her home state. Since then, Indiana has further tightened its abortion laws, making abortion illegal except in a few cases.

The lawsuit was triggered by Dr. Bernard’s comments to an IndyStar reporter about the abortion case. Although she did not reveal the patient’s name, she mentioned the girl’s age, gender, and home state. IU Health conducted an internal investigation and found no HIPAA violation, as Dr. Bernard did not disclose identifying information directly. However, the Indiana Medical Board concluded that enough details were shared to potentially identify the child, leading to a $3,000 fine for Dr. Bernard, although no further penalties were imposed.

AG Rokita filed the lawsuit on September 15, 2023, in the U.S. District Court for the Southern District of Indiana. The lawsuit had seven counts, including IU Health’s failure:

  • to implement proper administrative, physical, and technical safeguards to protect health information, as required by HIPAA
  • to document disclosures of PHI
  • to impose sanctions for violations
  • to train employees sufficiently on privacy protection
  • to notify patients of a breach as required by HIPAA Breach Notification Laws
  • to mitigate harm, in violation of Indiana’s Deceptive Consumer Sales Act and HIPAA

The lawsuit sought damages, attorney’s fees, legal fees, and a permanent injunction to prevent future violations.

Initially, IU Health declined to work with the Attorney General’s Office and requested a dismissal of the case. In June 2024, a District Court judge sided with IU Health and dismissed the case, stating that the state’s claims about HIPAA violations, such as the inability of IU Health to provide proper HIPAA training to employees, were unsupported. Despite this, AG Rokita submitted an amended complaint, and through investigation, the state acquired evidence that IU Health had since addressed the issues mentioned in the lawsuit.

IU Health provided documentation showing that they had updated their training procedures and reminded employees about the importance of patient confidentiality. Employees were instructed not to discuss patient details in public spaces or with the media unless proper authorizations were obtained from IU Health Corporate Communications or Public Relations. The updated training covered scenarios where patient identities might be inferred from shared information, even if the patient’s name wasn’t disclosed.

In light of this new information, the Attorney General was satisfied that IU Health had taken necessary corrective actions, such as improving workforce training and reinforcing policies on media communication. Consequently, the lawsuit was voluntarily dismissed without prejudice, meaning it could potentially be refiled if necessary. AG Rokita acknowledged that the steps taken by IU Health were in line with the state’s expectations.

While IU Health expressed satisfaction with the resolution, they maintained that they have always upheld HIPAA compliance policies and have continuously trained their staff on privacy rules. The health system emphasized its commitment to patient confidentiality and HIPAA regulations. AG Rokita’s office indicated that the necessary measures had finally been taken to protect patients and healthcare workers.

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations.
