Written from press release and court documents
Indianapolis, Indiana – September 16, 2023
Indiana University Health, Inc. (IUH) and Indiana University Healthcare Associates, Inc. are facing a lawsuit over alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) stemming from the disclosure of sensitive patient information.
The State of Indiana, represented by Attorney General Todd Rokita, has filed a complaint for injunctive relief, statutory damages, attorneys’ fees, and costs in the United States District Court, Southern District of Indiana, Indianapolis Division.
The lawsuit centers around a case involving a ten-year-old rape victim from Ohio who sought medical care at an IUH-operated hospital in June 2022. The victim and her mother had checked into the hospital to terminate the pregnancy resulting from the assault.
The State alleges that neither the victim nor her mother had given authorization for the doctor to speak to the media, including the Indianapolis Star, about their case. Instead of safeguarding the patient’s privacy, the hospital, according to the Rokita, prioritized the doctor’s interests and its own reputation. However, Indiana University Health, issued a statement claiming that they had reviewed the matter and found the doctor in compliance with privacy laws.
Editors’s Note: News reports also recently named the person accused of raping the 10-year-old girl:
https://www.cbsnews.com/news/gerson-fuentes-guilty-sentenced-life-rape-10-year-old-girl-abortion/
“The girl was 9 years old when she was assaulted by Fuentes. Columbus police learned about the girl’s pregnancy through a referral to the Franklin County Children Services that was made by her mother. Shortly after her 10th birthday, the girl traveled to Indiana to get an abortion. Prosecutors said DNA testing of the aborted fetus confirmed Fuentes was the father,” according to CBS.
However, a subsequent hearing by the Indiana Medical Licensing Board found that the doctor had violated HIPAA rules by improperly disclosing patient information and violating Indiana patient confidentiality rules. Despite this finding, IUH publicly disagreed with the Board’s determination.
The lawsuit further claims that IUH’s inconsistent application of its privacy policies among its workforce of 36,000 employees has created confusion about what conduct is permitted under HIPAA privacy laws and the Indiana Patient Confidentiality rule. These inconsistencies, the State contends, pose a threat to the privacy of Indiana patients.
Dr. Caitlin Bernard, the physician involved in the case, is alleged to have disclosed sensitive patient information during a public rally, which she helped organize, on the IU School of Medicine campus. The disclosure was overheard by a reporter from the Indianapolis Star, who subsequently published the story. Dr. Bernard’s actions led to extensive media coverage and public discussions on abortion laws.
The State argues that IUH’s response to this situation has undermined patient privacy and sends a message to its employees that disclosing patient information to the media is permissible under HIPAA, creating confusion and potential risks to patient privacy.
The lawsuit seeks injunctive relief, damages, attorneys’ fees, and costs, alleging violations of HIPAA by IUH and its failure to uphold patient privacy standards. The case, filed under Case No. 1:23-cv-1665, is now awaiting further proceedings in the United States District Court for the Southern District of Indiana, Indianapolis Division.
