Indiana’s attorney general has sued the state’s largest hospital system, claiming it violated patient privacy laws when a doctor publicly shared the story of an Ohio girl who traveled to Indiana for an abortion.

The lawsuit, filed Friday in Indianapolis federal court, marked Attorney General Todd Rokita’s latest attempt to seek disciplinary legal action against Dr. Caitlin Bernard. The doctor’s account of a 10-year-old rape victim traveling to Indiana to receive abortion drugs became a flashpoint in the abortion debate days after the U.S. Supreme Court overturned Roe v. Wade last summer.

Rokita, a Republican, is stridently anti-abortion and Indiana was the first state to approve abortion restrictions after the court’s decision. The near-total abortion ban recently took effect after legal battles.

“Neither the 10-year-old nor her mother gave the doctor authorization to speak to the media about their case,” the lawsuit stated. “Rather than protecting the patient, the hospital chose to protect the doctor, and itself.”

The lawsuit named Indiana University Health and IU Healthcare Associates. It alleged the hospital system violated HIPAA, the federal Health Insurance Portability and Accountability Act, and a state law for not protecting the patient’s information.

Indiana’s medical licensing board reprimanded Bernard in May, saying she didn’t abide by privacy laws by talking publicly about the girl’s treatment. It was far short of the medical license suspension that Rokita’s office sought.

Still, the board’s decision received widespread criticism from medical groups and others who called it a move to intimidate doctors.

Hospital system officials have argued that Bernard didn’t violate privacy laws.

“We continue to be disappointed the Indiana Attorney General’s office persists in putting the state’s limited resources toward this matter,” IU Health said in a statement. “We will respond directly to the AG’s office on the filing.”

In July, a 28-year-old man was sentenced to life in prison for the child’s rape.

  • @jeffwOP
    link
    51 year ago

    First of all, many federal statutes authorize state-level enforcement.

    Second, information can be personally identifiable without giving away specific information like a name.

        • Flying Squid
          link
          131 year ago

          ROKITA identified the girl. HE failed the girl’s privacy. And he has received NO blowback for it.

          Dr. Bernard did not name her patient.

        • fmstrat
          link
          fedilink
          English
          01 year ago

          Age. Its like if a rare disease enters the hospital, you have to deidentify all data because if there’s only one person with say, a rare infection, and only one person who received a treating medication, there can be a correlation. Her problem will be the identification of age, which would likely allow others working at the institution who should not have access to identify the patient. My guess is she still has a good case, but it’s not open and shut. You’d be surprised how many clinicians say they understand privacy laws and then send an email with PHI the next day.

          • @Zron
            link
            71 year ago

            A patient’s age is not identifiable information.

            In your scenario, where a person of a specific age entered the medical system for a rare disease and received a rare medication, does not identify the patient.

            The only people who would know that, let’s say a 10 year old had received antibiotics to treat Bubonic plague, would be the child’s medical providers themselves, and they would be aware of far more information then just the patient’s age.

            Protected health information has a specific meaning, it has to contain information about patient health/treatment, and contain information that can be used to identify a patient. Someone’s age alone is not an identifier. How many ten year old girls are in driving distance of that hospital?

            That’s why case studies are written the way they are. John Doe, age 17, presented to hospital with symptoms of… etc etc, is not identifiable information.

            • fmstrat
              link
              fedilink
              English
              3
              edit-2
              1 year ago

              I’ve worked deidentifying data in Healthcare so my experience is Safe Harbor is not the end all be all (in my industry anyway). You have to remove outliers of less than a certain threshold, even if it’s based on one data point (abortion plus age (year only but outlier) plus which hospital). This applied to deidentifying for private and government sectors. Glad to hear she likely had representation prior (from the other response).

              In your example, John Doe was one of many without outlier, unless they were risking it (if they gave the hospital).

            • fmstrat
              link
              fedilink
              English
              21 year ago

              Thanks for the additional context from Indiana specifically. I’ve worked deidentifying data in Healthcare so my experience is Safe Harbor is not the end all be all (in my industry anyway). You have to remove outliers of less than a certain threshold, even if it’s based on one data point (abortion plus age (year only but outlier) plus which hospital). This applied to deidentifying for private and government sectors. Glad to hear she likely had representation prior.