Todd Rokita and Caitlin Bernard
Indiana Attorney General Todd Rokita filed a federal lawsuit Friday against IU Health, claiming the state’s largest hospital system did not properly enforce state and federal privacy laws in connection to abortion care provided by Dr. Caitlin Bernard for a 10-year-old rape victim last summer.
The Republican office holder filed the legal challenge in the U.S. District Court for the Southern District of Indiana. His lawsuit seeks to prohibit further privacy violations and require IU Health to implement and follow an appropriate sanctions policy.
Bernard was disciplined by the Indiana Medical Licensing Bound earlier this year for violating patient privacy laws.
“We will continue to uphold and protect Hoosier patients’ medical privacy,” Rokita said in a statement. “Trust is the foundation of the patient-doctor relationship. Without trust, we don’t have reliable, honest healthcare.”
The lawsuit consists of seven counts:
- Failure to implement or follow administrative, technical, and physical safeguards to protect the privacy of protected information
- Failure to document disclosures of personal health information
- Failure to implement, apply or document sanctions
- Failure to appropriately train its workforce
- Failure to notify patients of breach
- Failure to mitigate harm
- Violations of Indiana’s Deceptive Consumer Sales Act
IU Health did not immediately reply to the Indiana Capital Chronicle’s request for comment. Legal counsel for Bernard were also not immediately available Friday afternoon.
“Doctors and all health care professionals should be able to rely on their employers and patients should be able to trust their doctors,” Rokita continued in his statement. “When a hospital or other healthcare provider makes your private medical information public, that trust is decimated. As a result, the quality, delivery, and sustainability of our healthcare is significantly weakened.”
Ongoing legal saga
The legal saga surrounding the doctor stems from a medication abortion she oversaw in July 2022 for a 10-year-old girl from Ohio. A complaint against the doctor was filed by Indiana Attorney General Todd Rokita in November.
The case garnered nationwide attention and has drawn fear from health care practitioners and advocates who say it could have a chilling effect for abortion care providers.
The state sought a suspension of Bernard’s medical license. Rokita maintained that Bernard “failed to immediately report the abuse and rape of a child to Indiana authorities” after performing the girl’s abortion. His office also argued that Bernard “failed to uphold legal and Hippocratic responsibilities” by “exploiting a child’s traumatic medical story to the press for her own interests.”
In May, the board determined Bernard had violated state and federal patient privacy laws when she publicly discussed the 10-year-old rape victim’s case but upheld her actions in terms of reporting.
Ultimately, the doctor was given a reprimand and fined $3,000. The board declined to take action affecting Bernard’s ability to practice, though. Before the decision, she had never been disciplined by the licensing board.
Neither Bernard nor Rokita’s office appealed the ruling.
Even so, a day after the board’s decision, IU Health issued a public statement, disagreeing with the determination and maintaining Bernard did not violate privacy laws.
“We do not agree with the board’s decision regarding patient privacy regulations and stand by the HIPAA risk assessment,” the hospital system said. “We believe Dr. Bernard was compliant with privacy laws.”
Hospital administrators previously said a review of Bernard’s conduct “found the doctor in compliance with privacy laws.”
Rokita disagrees
But the attorney general’s office said IU Health “chose to protect the doctor, and itself,” rather than the 10-year-old patient.
Now, Rokita contends IU Health’s disagreement with the Medical Licensing Board’s finding “has caused confusion among its 36,000-member workforce” about what is permitted under federal and state privacy laws, which has since created “an environment that threatens the privacy of its Indiana patients.”
He also maintained the hospital has disciplined others “for far less egregious patient privacy violations.”
Rokita pointed to “numerous instances” in which IU Health has sanctioned non-physician employees with termination for less serious patient privacy violations, but did not provide specific examples. He said the hospital has “failed to implement or enforce similar privacy policies or sanctions for its physicians,” however.
Rokita’s office additionally argues the 10-year-old’s treatment “was a very private and sensitive matter,” and emphasizes that neither the girl nor her mother gave the doctor explicit authorization to speak publicly about their case.
In the lawsuit, Rokita asked a judge to require IU Health to implement or update its “administrative, technical and physical safeguards to protect patients’ protected health information,” and prohibit the hospital from “ratifying the HIPAA violations of its workforce” and disclosing patients’ protected health information without written patient authorization, including to the media.
While the girl’s rapist was identified by reporters through court records, her name has never been made public.
By Casey Smith – The Indiana Capital Chronicle is an independent, not-for-profit news organization that covers state government, policy and elections.
