Indiana Attorney General Todd Rokita has filed a lawsuit against Indiana University Health, alleging it failed to report, review and enforce privacy standards in connection with OB-GYN Dr. Caitlin Bernard talking publicly about an abortion she performed on a 10-year-old.
The lawsuit was filed Friday in the Indiana Southern District Court.
The case follows Rokita’s partial win in an action against Bernard. The state Medical Licensing Board reprimanded and fined the doctor but declined to suspend her medical license.
Now, Rokita is focusing on Bernard’s employer, IU Health, arguing in the 28-page complaint that the health system opted to protect Bernard and itself rather than the patient.
IU Health has said Bernard didn’t violate HIPAA privacy laws.
By contradicting the licensing board’s determination, the complaint says IU Health has created confusion about what is permitted under HIPAA privacy laws and state patient confidentiality rules.
“The inconsistencies and confusion threaten the privacy of its Indiana patients,” the lawsuit says.
The complaint alleges that because of Bernard’s disclosure of the abortion to the Indianapolis Star, the 10-year-old was designated as a “high profile patient” by a privacy investigator, who placed an alert on the patient’s electronic medical record.
But IU Health didn’t have a policy in place that required it to determine whether its privacy policies were violated, the lawsuit says, going on to allege the same for HIPAA and state confidentiality requirements.
IU Health also incorrectly concluded at the end of its risk assessment that Bernard’s disclosure to an unauthorized person didn’t constitute the type of breach that would require notification, the complaint says.
The complaint lists seven counts against IU Health: failure to implement or, in the alternative, failure to follow administrative, technical and physical safeguards to protect the privacy of protected information; failure to document disclosures of personal health information; failure to implement or, in the alternative, apply and document sanctions; failure to appropriately train its workforce; failure to notify patient of breach; failure to mitigate harm; and violations of Indiana Deceptive Consumer Sales Act.
The Attorney General’s Office said it has discovered instances where IU Health has sanctioned non-physician employees with termination for “far less egregious patient privacy violations” while failing to enforce similar policies or sanctions for its physicians.
“Doctors and all health care professionals should be able to rely on their employers and patients should be able to trust their doctors,” Rokita said in a statement. “When a hospital or other healthcare provider makes your private medical information public, that trust is decimated. As a result, the quality, delivery, and sustainability of our healthcare is significantly weakened.”
Indiana Lawyer has reached out to IU Health for comment.
The lawsuit restarts a legal battle related to Bernard that briefly came to an end after the licensing board’s decision.
Bernard and the Attorney General’s Office each had an opportunity to appeal the decision, but both declined.
In a statement announcing that decision, Bernard said she saw Rokita’s action against her as “just a small part” of the post-Roe v. Wade landscape.
Bernard continues to practice medicine.