Attorney General Todd Rokita’s office has secured a win for medical privacy, ensuring through court-directed discovery that IU Health has implemented proper privacy controls and training to protect Hoosier patients’ private health information.
IU Health management initially denied allegations that Dr. Caitlin Bernard violated a patient's privacy at a political rally. These denials persisted even after the Indiana Medical Licensing Board found that she did violate privacy laws. This refusal prompted the Office of Attorney General to investigate how IU Health was conducting patient privacy training.
When IU Health officials refused to answer questions, the Office of the Attorney General filed a lawsuit to compel their cooperation.
“This is a win for patients, but also for the group's 36,000 health care providers who can now trust they've received accurate training that is consistent with HIPAA privacy laws and Indiana patient confidentiality rules,” Attorney General Rokita said. “One of my office’s main priorities is to protect patient privacy because when it’s not, we no longer have reliable, honest healthcare."
The lawsuit, filed on Sept. 15, 2023, was against IU Health and IU Healthcare Associates for failing to properly report, review, and enforce HIPAA and Indiana law violations. Through discovery in this case, Attorney General Rokita's team verified that IU Health has taken necessary actions to better train employees in protecting medical privacy.
Dr. Caitlin Bernard spoke with an Indy Star reporter at a political rally about her 10-year-old patient on June 30, 2022. Despite IU Health issuing statements on July 13, 2022, and May 26, 2023, claiming no violation occurred, the Indiana Medical Licensing Board voted that Dr. Bernard had indeed violated HIPAA.
“IU Health rejected the best interest of patients and taxpayers alike when they set the tone by initially refusing to cooperate with our office,” Attorney General Rokita said. “We are pleased the information this office sought over two years ago has finally been provided and the necessary steps have been taken to accurately and consistently train their workforce to protect patients and their health care workers.”
Though voluntarily dismissing it without prejudice, Attorney General Rokita indicated they could refile if necessary. The State expects hospitals and covered entities to continue significant training addressing patient and data privacy.
###