News Release

INDIANAPOLIS — Attorney General Todd Rokita’s office secured another win for medical privacy, ensuring through court-directed discovery that IU Health has proper privacy controls and training in place to protect Hoosier patients’ private health information.

Attorney General Todd Rokita

IU Health management initially denied allegations that Dr. Caitlin Bernard violated a patient’s privacy at a political rally.

IU Health officials even continued those denials after that same doctor’s peers serving on the Indiana Medical Licensing Board found that she did violate privacy laws. This repeated refusal by IU Health to even acknowledge a violation of patient privacy prompted the Office of Attorney General to probe whether and how IU Health was conducting patient privacy training in light of its mishandling of the Bernard matter.

When IU Health officials refused to answer questions, the Office of the Attorney General had no choice but to file a lawsuit to require their cooperation and answers.

“This is a win for patients, but also for the group’s 36,000 health care providers who can now trust they’ve received accurate training that is consistent with HIPAA privacy laws and Indiana patient confidentiality rules,” Attorney General Rokita said. “One of my office’s main priorities is to protect patient privacy because when it’s not, we no longer have reliable, honest healthcare.”

The Sept. 15, 2023, lawsuit was filed on behalf of the people of Indiana against IU Health and IU Healthcare Associates for their failure to properly report, review and enforce HIPAA and Indiana law violations. Attorney General Rokita and his team verified through discovery in this case that IU Health has now taken necessary actions to better train employees to help protect the medical privacy of Indiana residents.

Through this lawsuit, Attorney General Rokita’s office confirmed IU Health has undertaken the following actions:

• Trained employees to specifically avoid talking about patients in public areas;
• Informed its employees they are required to notify public relations staff prior to any communication so that management can verify patient authorization; and
• Conducted employee training on what constitutes Protected Health Information.

On June 30, 2022, Dr. Caitlin Bernard spoke with an Indy Star reporter at a political rally about her 10-year-old patient. IU Health later issued a media statement on July 13, 2022, that said Dr. Bernard had not violated privacy laws. After hearing over a dozen hours of testimony, the Indiana Medical Licensing Board, which is comprised of doctors, voted 5-1 that Dr. Bernard violated HIPPA. IU Health issued another statement on May 26, 2023, claiming it disagreed with the board’s decision and believed Dr. Bernard had not violated any privacy laws.

“IU Health rejected the best interest of patients and taxpayers alike when they set the tone by initially refusing to cooperate with our office,” Attorney General Rokita said. “We are pleased the information this office sought over two years ago has finally been provided and the necessary steps have been taken to accurately and consistently train their workforce to protect patients and their health care workers”.

Though voluntarily dismissing it without prejudice, Attorney General Rokita said they could always refile at a later date if necessary. As a government regulator responsible for HIPAA compliance, the State anticipates and expects hospitals and covered entities to continue significant and continual training to physicians and staff that addresses the importance of patient and data privacy.

The voluntary dismissal is here.