The Indiana University Health physician who performed an abortion on a 10-year-old child who was raped did not violate privacy laws when she shared the anecdote with a news outlet, university officials said Friday.
The claim: Earlier this week, Indiana Attorney General Todd Rokita questioned whether Dr. Caitlin Bernard, an obstetrician-gynecologist, had broken any HIPAA laws. He did not provide evidence.
What Indiana University Health says: “IU Health conducted an investigation with the full cooperation of Dr. Bernard and other IU Health team members. IU Health’s investigation found Dr. Bernard in compliance with privacy laws,” officials said in an email. They also said that the university “routinely initiate reviews” on privacy and compliance.
What to know about this case: Earlier this month, the Indianapolis Star, part of the USA TODAY Network, published a story about a 10-year-old child from Ohio who was raped and traveled to Indiana to get an abortion. The account became a talking point for abortion rights supporters, including President Joe Biden, and some opponents and news outlets criticized the story as unproven. A man was arrested and charged this week with the rape.
What does HIPAA say?
The Health Insurance Portability and Accountability Act passed in 1996 aims to protects the privacy of patient information.
Experts in HIPAA compliance say the law exists to prevent the release of identifiable information. Bernard provided the IndyStar only with the age of the girl and the state of her residence.
The question then becomes what the threshold is for identifiable information, said John Howard, director of the HIPAA Privacy Program at the University of Arizona, speaking in general terms about the law and not this specific instance.
“Often the trick here is determining when health information will still be considered identifiable,” Howard said in an email. “A good rule of thumb is if the information can reasonably be linked back to an individual, and the past, present or future provision of health care to that individual, it is identifiable.”
Although the law enumerates different potential identifiers that must be removed, such as name, date of birth and address, there’s a final “catch all” category that includes any unique identifier, he added. This category requires providers to ensure that the information can not be reasonably linked back to the patient.
Can HIPAA protect you from anti-abortion laws? What to know about medical privacy rights.
HIPAA was enacted 25 years ago. Today it’s wrongly being used to justify keeping COVID status secret.
Bernard also reported the procedure, despite claims
Rokita, the Indiana attorney general, has also called into question whether Bernard had properly reported the disturbing case, saying she had “a history of failing to report” in his roughly two-minute appearance on “Jesse Watters Primetime” on Fox News.
Rokita did not provide any evidence to back up his claims. Despite the newly disclosed form, Rokita said Thursday he plans to forge ahead with his investigation.
“As we stated, we are gathering evidence from multiple sources and agencies related to these allegations,” he said in an emailed statement. “Our legal review of it remains open.”
State court data shows no criminal charges have been filed against Bernard. The Marion County Prosecutor’s Office said it had not received any allegations that she failed to report the case of the 10-year-old.
But a pregnancy termination report released Thursday showed Bernard filed with the Indiana Department of Health and Department of Child Services in accordance with state laws, confirming the information that the doctor provided.
The records, obtained by the IndyStar through a public records request, show that Bernard reported the abortion before the state’s reporting deadline and that she disclosed the child had suffered abuse.
Contributing: Lizzie Kane, Kaitlin Lange and Johnny Magdaleno, The Indianapolis Star. Contact Shari Rudavsky on Twitter: @srudavsky.