Indiana’s attorney general has sued the state’s largest hospital system, claiming it violated patient privacy laws when a doctor publicly shared the story of an Ohio girl who traveled to Indiana for an abortion.
The lawsuit, filed Friday in Indianapolis federal court, marked Attorney General Todd Rokita’s latest attempt to seek disciplinary legal action against Dr. Caitlin Bernard. The doctor’s account of a 10-year-old rape victim traveling to Indiana to receive abortion drugs became a flashpoint in the abortion debate days after the U.S. Supreme Court overturned Roe v. Wade last summer.
Rokita, a Republican, is stridently anti-abortion and Indiana was the first state to approve abortion restrictions after the court’s decision. The near-total abortion ban recently took effect after legal battles.
“Neither the 10-year-old nor her mother gave the doctor authorization to speak to the media about their case,” the lawsuit stated. “Rather than protecting the patient, the hospital chose to protect the doctor, and itself.”
The lawsuit named Indiana University Health and IU Healthcare Associates. It alleged the hospital system violated HIPAA, the federal Health Insurance Portability and Accountability Act, and a state law for not protecting the patient’s information.
Indiana’s medical licensing board reprimanded Bernard in May, saying she didn’t abide by privacy laws by talking publicly about the girl’s treatment. It was far short of the medical license suspension that Rokita’s office sought.
Still, the board’s decision received widespread criticism from medical groups and others who called it a move to intimidate doctors.
Hospital system officials have argued that Bernard didn’t violate privacy laws.
“We continue to be disappointed the Indiana Attorney General’s office persists in putting the state’s limited resources toward this matter,” IU Health said in a statement. “We will respond directly to the AG’s office on the filing.”
In July, a 28-year-old man was sentenced to life in prison for the child’s rape.
Sounds like this scum is trying to hide the misery his party’s policies have caused.
That is exactly what it is. Republicans prefer policies based on how they think reality ought to be, rather than how it is, and actively do not want to talk about the misery they cause by doing that, because it shatters the illusion.
Removed by mod
What’s nuts is how they can’t see the writing on the wall. Being anti abortion is so unpopular that a liberal judge won a race by +10% in a swing state. These people have completely lost touch with reality.
There’s a reason why red states have been trying to disallow referendums or change rules. Even deep red states vote to keep abortion legal when there’s a referendum.
This one’s already done. He’s trying to send a message for the next one.
Rokita is trying to get into headlines in order to parley that into winning the Republican nomination for governor (which because of Indiana’s political leanings, the GOP nominee will likely win). He is just trying to do stupid shit constantly to drum up outrage in order to make sure HIS name is more well known to more republican voters in the primary than his opponents.
He is literally using a raped 10 year old girl for career advancement, most vilest shit ever. Like not even fucking kidding you cannot make this shit up.
If it isn’t personally identifiable, it doesn’t violate HIPPA. Also a state AG trying to enforce federal law is truly hilarious.
It’s not a well known fact, but while HIPAA is administered by DHHS, complaints are pursued via each state’s Attorneys General. If you put in a HIPAA complaint to DHHS and they don’t feel like following it up on your behalf, you will be referred to the state’s AG yourself, and the state’s AG can pursue prosecution or drop it at their discretion.
I know this is hard to believe, and it doesn’t change the fact that Todd Rokita is a self-serving sumremoved completely content to twist the life devastating multi-part trauma of a preteen to his own ends, but legally, yes, it’s his job to pursue HIPAA complaints in Indiana.
So what I really want to know now is whether this amoral shitstain of an AG got an actual complaint from the DHHS or the child’s parents/guardians in the state of Indiana (they reside in Ohio), or he just made one up himself to be able to further pursue prosecution of the one person in Indiana who actually demonstrated real concern for the girl’s wellbeing and acted in her best interests instead of their own.
He just made one up himself. That’s the sort of thing he does.
First of all, many federal statutes authorize state-level enforcement.
Second, information can be personally identifiable without giving away specific information like a name.
Was this rape/abortion ban victim identified specifically by the information the doctor shared?
That’s the question the court will have to answer now. But it looks pretty good for the doctor. PII is actually very tightly defined in law, and since everything the good doctor said was recorded by reporters, it should be easy to determine that she did not.
If I recall correctly, Rokita brought this up at the time in the press, accusing the doctor of failing the girl’s privacy, but I never read anything that could pin it on her: she was quite careful in what she said. Someone has now filed a HIPAA complaint (maybe Rokita himself, who knows) so now it’s his job to factually prove his accusation in court and not just slander the doctor in the press, finally.
ROKITA identified the girl. HE failed the girl’s privacy. And he has received NO blowback for it.
Dr. Bernard did not name her patient.
Yes, if I recall correctly it was never the doctor but Rokita’s office who identified the child and then accused the doctor of doing so, but I didn’t feel like looking up the links. It might have been that his office slipped it to an outside group who then slipped it to the press.
Either way, there is an excess of neither humanity nor morals among that crowd.
For myself I do not think Dr. Bernard will be found guilty in a regular courtroom; I think the law and her actions are quite clear. But now that we have “activist judges” making decisions all the way up to the SC who fucking knows . . .
Age. Its like if a rare disease enters the hospital, you have to deidentify all data because if there’s only one person with say, a rare infection, and only one person who received a treating medication, there can be a correlation. Her problem will be the identification of age, which would likely allow others working at the institution who should not have access to identify the patient. My guess is she still has a good case, but it’s not open and shut. You’d be surprised how many clinicians say they understand privacy laws and then send an email with PHI the next day.
A patient’s age is not identifiable information.
In your scenario, where a person of a specific age entered the medical system for a rare disease and received a rare medication, does not identify the patient.
The only people who would know that, let’s say a 10 year old had received antibiotics to treat Bubonic plague, would be the child’s medical providers themselves, and they would be aware of far more information then just the patient’s age.
Protected health information has a specific meaning, it has to contain information about patient health/treatment, and contain information that can be used to identify a patient. Someone’s age alone is not an identifier. How many ten year old girls are in driving distance of that hospital?
That’s why case studies are written the way they are. John Doe, age 17, presented to hospital with symptoms of… etc etc, is not identifiable information.
I’ve worked deidentifying data in Healthcare so my experience is Safe Harbor is not the end all be all (in my industry anyway). You have to remove outliers of less than a certain threshold, even if it’s based on one data point (abortion plus age (year only but outlier) plus which hospital). This applied to deidentifying for private and government sectors. Glad to hear she likely had representation prior (from the other response).
In your example, John Doe was one of many without outlier, unless they were risking it (if they gave the hospital).
Just for reference:
This covers what is specifically defined as personal health information under HIPAA.
None of it is guesswork or subjective. The good doctor either violated the clearly defined law, or did not. A vague correlation does not by itself fall afoul of HIPAA guidance, and age in years only, without a specific birthdate, is specifically excluded. From the first link:
The following are considered identifiers under the HIPAA safe harbor rule:
( C ) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death;
Other exceptions and circumstances are spelled out more clearly in the second link.
You’d be surprised how many clinicians say they understand privacy laws and then send an email with PHI the next day.
I don’t doubt it. But it’s pretty clear Dr. Bernard is not among them. At the very least she already had legal representation before she wrote her op-ed for WaPo and went on the record for other publications, and took legal advice on doing so, having already been widely accused of both not identifying the child so that no one could substantiate the doctor’s claim, AND then of identifying the child, breaking privacy laws.
But in both directions, all along Dr. Bernard has been found to be in compliance with applicable privacy laws. This particular link is worth a closer look, because the reporter that wrote it teamed up with a medical malpractice attorney to find what they could find on Dr. Bernard, and came up empty handed – especially on any privacy violations related to the case Todd Rokita’s office is now pursuing against her. Also from that article:
Indiana University Health sent this statement,
“As part of IU Health’s commitment to patient privacy and compliance with privacy laws, IU Health routinely initiates reviews, including the matters in the news concerning Dr. Caitlin Bernard. Pursuant to its policy, IU Health conducted an investigation with the full cooperation of Dr. Bernard and other IU Health team members. IU Health’s investigation found Dr. Bernard in compliance with privacy laws.”
Keep in mind that Indiana also has its own laws, which do not require a specific HIPAA violation to transgress. If this rabidly right wing AG could have gotten her on a vague correlation, as you say, or the mere age of the child, she’d have been indicted or at least censured by Indiana’s medical licensing board long before now.
Thanks for the additional context from Indiana specifically. I’ve worked deidentifying data in Healthcare so my experience is Safe Harbor is not the end all be all (in my industry anyway). You have to remove outliers of less than a certain threshold, even if it’s based on one data point (abortion plus age (year only but outlier) plus which hospital). This applied to deidentifying for private and government sectors. Glad to hear she likely had representation prior.
Yes, the part you work with is (I think) just after the bit I quoted from Section C, about aggregating ages and such. Thank you for clarifying your role, because it was clear you knew more about it than most of us laypeople (I screwed up and called it PII instead of PHI in my first post, for example).
Dr. Barnard definitely already had representation by the time of the WaPo op-ed because it had been going on for over a month by then, during which time Todd Rokita had already been making accusations and legal threats as AG while attempting to try her in the press. While Dr. Bernard did not name her attorney in the WaPo op-ed, other articles from around that same time period do, which is a relief.
BTW, I don’t know if you’ve seen the latest, but now Todd Rokita has gotten a slap from the Indiana Supreme Court Disciplinary Commission for the way he announced the lawsuit this post was about, lol:
The lawsuit is not even the most recent volley in the back-and-forth. Rokita violated professional conduct rules in speaking about this case, according to a ruling Monday from the Indiana Supreme Court Disciplinary Commission, days after the lawsuit was filed.
It literally never stops with this fool. Here’s a gift link to the newest WaPo article if you’re interested:
This article also contains information contrary to what I previously posted: Dr. Bernard WAS fined for a HIPAA violation in this same case.
Remember everyone:
Todd Rokita is mad that a 10 year old rape victim who was pregnant could get an abortion in his state because she couldn’t get one in her own.
Yep. He’s not trying to protect a little girl in a bad situation. He’s trying to punish her doctor for treating her.
Rokita is so fucking obsessed. And he doesn’t give a shit about Indiana.
I have to live in this fucking state, so I’ve been aware of his base-pandering bullshit for a long time. It’s literally all he does.
It’s like these people watched or read Handmaid’s Tale and thought it was worthy of implementing…
Conservatives being mad again that 10 year old girls can’t be forced to give birth to the babies of rapists. You heard that right
This is the best summary I could come up with:
The lawsuit, filed Friday in Indianapolis federal court, marked Attorney General Todd Rokita’s latest attempt to seek disciplinary legal action against Dr. Caitlin Bernard.
Rokita, a Republican, is stridently anti-abortion and Indiana was the first state to approve abortion restrictions after the court’s decision.
It alleged the hospital system violated HIPAA, the federal Health Insurance Portability and Accountability Act, and a state law for not protecting the patient’s information.
Indiana’s medical licensing board reprimanded Bernard in May, saying she didn’t abide by privacy laws by talking publicly about the girl’s treatment.
Still, the board’s decision received widespread criticism from medical groups and others who called it a move to intimidate doctors.
“We continue to be disappointed the Indiana Attorney General’s office persists in putting the state’s limited resources toward this matter,” IU Health said in a statement.
The original article contains 313 words, the summary contains 137 words. Saved 56%. I’m a bot and I’m open source!
No standing. Case will tossed.
Thank you for this article. I remember hearing the argument that she couldn’t have been raped because there were no charges. I’m glad the guy was caught and sentenced to life.
