Attorney General Rokita has filed a lawsuit against IU Health and IU Healthcare Associates.
This lawsuit was filed on behalf of the people of Indiana against IU Health and IU Healthcare Associates for their failure to properly report, review, and enforce HIPAA and Indiana law violations.
The issue was first brought to the attention of the office of the Attorney General in 2022 when a 10-year-old rape and abuse victim and her mother went to an IU hospital for an abortion.
After the abortion, while the mother and daughter were still at the hospital for recovery and observation, a front-page news story in the Indianapolis Star was published describing the 10-year-old’s case in great detail. This article went public after a doctor spoke to a reporter at a political rally. Neither the girl nor her mother gave the doctor authorization to speak to the media about their case.
On July 15th, 2022, hospital administrators emailed statements to multiple media outlets informing them they had conducted a review and “found the doctor in compliance with privacy laws.”
On May 25th, 2023, the Indiana Medical Licensing Board conducted a hearing and determined the doctor violated HIPAA by improperly disclosing patient information, improperly de-identifying patient information, and violating the Indiana patient confidentiality rule by failing to get patient permission prior to disclosing any information. The following day, IU Health issued a public statement disagreeing with the Medical Licensing Board’s determination.
Subsequent to the Medical License Board hearing, the office of the Attorney General discovered numerous instances where IU Health has sanctioned non-physician employees with termination for far less egregious patient privacy violations but has failed to implement or enforce similar privacy policies or sanctions for its physicians.
The Attorney General’s office lawsuit consists of seven counts against IU Health including failure to implement or follow administrative, technical, and physical safeguards to protect the privacy of protected information; failure to document disclosures of personal health information; failure to implement or apply and document sanctions; failure to appropriately train its workforce; failure to notify patients of breach; failure to mitigate harm; and violations of Indiana’s Deceptive Consumer Sales Act.