IU Health Faces Privacy Lawsuit for HIPAA Violations

Indiana Attorney General Todd Rokita has filed a privacy lawsuit against IU Health and its Associates for alleged violations of the Indiana Deceptive Consumer Sales Act and the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA violations resulted from the inability to protect the protected health information (PHI) of a child. The lawsuit originated from remarks given to the press by Dr. Caitlin Bernard, an obstetrician-gynecologist at IU Health, regarding the abortion she performed on a 10-year-old patient who was a rape victim. and could not legally have an abortion in her home state. The child had to travel to Indiana for the procedure because abortion was not legally available in her home state. Indiana’s update of its law made abortion illegal except in limited circumstances.

IU Health investigated Dr. Bernard’s disclosure and concluded that there was no violation of HIPAA Rules. Dr. Bernard had spoken to an IndyStar reporter, discussing only the patient’s age, gender, and home state, without revealing her name. However, the Indiana Medical Board found that enough information had been disclosed to potentially identify the girl. Dr. Bernard was issued a $3,000 fine for the violation although no other penalties were given.

Attorney General Rokita filed a lawsuit against IU Health on September 15, 2023, in the U.S. District Court for the Southern District of Indiana. The lawsuit with 7 counts accused the defendants of failing to use or adhere to the physical, administrative, and technical safeguards to protect patient privacy, neglecting to record disclosures of personal health data, failing to implement and document sanctions, inadequately training its employees, not informing patients about a breach, and failing to mitigate harm. These failures were clear violations of Indiana’s Deceptive Consumer Sales Act and HIPAA. The lawsuit wanted damages, legal fees, attorney’s service fees, and a permanent injunction so the defendants won’t commit more HIPAA violations.

IU Health at first declined to work with the Office of the Attorney General and moved to have a dismissal of the case. In June 2024, a District Court judge approved the dismissal, deciding that the state’s allegations like IU Health’s inability to give proper HIPAA training to its employees lack factual evidence. After one month, AG Rokita filed a modified complaint. In the process of discovery, the state acquired records from IU Health proving that the insufficiencies pointed out in the original and modified complaints were resolved since the IndyStar story was publicized.

The state was pleased that IU Health still trains its employees not to discuss patients’ cases in public places. It also instructed employees that when they are approached by reporters, they must inform IU Health Corporate Communications and Public Relations before giving any response so management could confirm that the needed patient authorizations were acquired.

The training provided by IU Health includes scenarios where a patient is not named but other information is disclosed that would allow that patient to be identified, and training material was provided to the state which confirms that employees are told that they should never discuss patient’s health information with the media unless authorization has been obtained in advance from IU Health Corporate Communications. Since the lawsuit was voluntarily dismissed without prejudice, the lawsuit could be refiled by AG Rokita.

The training offered by IU Health consists of situations where the patient is unnamed, yet other information is disclosed that can still lead to the identification of the patient. The state acquired training resources that ensure employees are directed to never talk about a patient’s health data with the press except if there is consent from the IU Health Corporate Communications. Considering that the lawsuit was voluntarily dropped with no prejudice, AG Rokita can refile the lawsuit.

AG Rokita commends IU Health for the information provided and for taking the required steps to accurately and regularly equip their employees to safeguard patients and their healthcare employees. This suggests that IU Health took corrective actions as prompted by Dr. Bernard’s media comments. According to IU Health, it has complied with HIPAA guidelines and has offered HIPAA training to its employees for several years.

About Christine Garcia 1201 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA