Indiana attorney general sues hospital system over privacy of Ohio girl who traveled for abortion

jeffw@lemmy.world to politics @lemmy.world – 306 points – Indiana attorney general sues hospital system over privacy of Ohio girl who traveled for abortion
apnews.com

Indiana’s attorney general has sued the state’s largest hospital system, claiming it violated patient privacy laws when a doctor publicly shared the story of an Ohio girl who traveled to Indiana for an abortion.

The lawsuit, filed Friday in Indianapolis federal court, marked Attorney General Todd Rokita’s latest attempt to seek disciplinary legal action against Dr. Caitlin Bernard. The doctor’s account of a 10-year-old rape victim traveling to Indiana to receive abortion drugs became a flashpoint in the abortion debate days after the U.S. Supreme Court overturned Roe v. Wade last summer.

Rokita, a Republican, is stridently anti-abortion and Indiana was the first state to approve abortion restrictions after the court’s decision. The near-total abortion ban recently took effect after legal battles.

“Neither the 10-year-old nor her mother gave the doctor authorization to speak to the media about their case,” the lawsuit stated. “Rather than protecting the patient, the hospital chose to protect the doctor, and itself.”

The lawsuit named Indiana University Health and IU Healthcare Associates. It alleged the hospital system violated HIPAA, the federal Health Insurance Portability and Accountability Act, and a state law for not protecting the patient’s information.

Indiana’s medical licensing board reprimanded Bernard in May, saying she didn’t abide by privacy laws by talking publicly about the girl’s treatment. It was far short of the medical license suspension that Rokita’s office sought.

Still, the board’s decision received widespread criticism from medical groups and others who called it a move to intimidate doctors.

Hospital system officials have argued that Bernard didn’t violate privacy laws.

“We continue to be disappointed the Indiana Attorney General’s office persists in putting the state’s limited resources toward this matter,” IU Health said in a statement. “We will respond directly to the AG’s office on the filing.”

In July, a 28-year-old man was sentenced to life in prison for the child’s rape.

29

You are viewing a single comment
View all comments

If it isn't personally identifiable, it doesn't violate HIPPA. Also a state AG trying to enforce federal law is truly hilarious.

First of all, many federal statutes authorize state-level enforcement.

Second, information can be personally identifiable without giving away specific information like a name.

Was this rape/abortion ban victim identified specifically by the information the doctor shared?

deleted by creator

ROKITA identified the girl. HE failed the girl's privacy. And he has received NO blowback for it.

Dr. Bernard did not name her patient.

Age. Its like if a rare disease enters the hospital, you have to deidentify all data because if there's only one person with say, a rare infection, and only one person who received a treating medication, there can be a correlation. Her problem will be the identification of age, which would likely allow others working at the institution who should not have access to identify the patient. My guess is she still has a good case, but it's not open and shut. You'd be surprised how many clinicians say they understand privacy laws and then send an email with PHI the next day.

A patient’s age is not identifiable information.

In your scenario, where a person of a specific age entered the medical system for a rare disease and received a rare medication, does not identify the patient.

The only people who would know that, let’s say a 10 year old had received antibiotics to treat Bubonic plague, would be the child’s medical providers themselves, and they would be aware of far more information then just the patient’s age.

Protected health information has a specific meaning, it has to contain information about patient health/treatment, and contain information that can be used to identify a patient. Someone’s age alone is not an identifier. How many ten year old girls are in driving distance of that hospital?

That’s why case studies are written the way they are. John Doe, age 17, presented to hospital with symptoms of… etc etc, is not identifiable information.

I've worked deidentifying data in Healthcare so my experience is Safe Harbor is not the end all be all (in my industry anyway). You have to remove outliers of less than a certain threshold, even if it's based on one data point (abortion plus age (year only but outlier) plus which hospital). This applied to deidentifying for private and government sectors. Glad to hear she likely had representation prior (from the other response).

In your example, John Doe was one of many without outlier, unless they were risking it (if they gave the hospital).

deleted by creator

Thanks for the additional context from Indiana specifically. I've worked deidentifying data in Healthcare so my experience is Safe Harbor is not the end all be all (in my industry anyway). You have to remove outliers of less than a certain threshold, even if it's based on one data point (abortion plus age (year only but outlier) plus which hospital). This applied to deidentifying for private and government sectors. Glad to hear she likely had representation prior.