Imagine a child with a life-threatening illness is spirited out of a hospital, putting her at risk of death if she doesn’t get medical attention.
But the public, who might be able to spot the child and help her can’t be told who she is, beyond a first name and age because it would break a privacy law.
That scenario didn’t come from the inner recesses of Franz Kafka or Joseph Heller’s imaginations. It actually played out this week in Arizona.
An 11-year-old girl was being treated for leukemia in a Phoenix hospital. The girl already lost an arm to infection and had a catheter in her chest to deliver medication. The girl’s mother unhooked the medical lines and took her daughter out of the hospital with the open catheter, putting the girl at risk for fatal infections.
But initially, the girl was only identified as Emily, as officials said federal health privacy laws did not allow them to discuss her situation in greater detail.
The law in question is the Health Insurance Portability and Accountability Act (HIPAA). The law’s goal was to protect people’s medical information from prying eyes while making it easy for doctors to access it. Most of you encounter HIPAA when you go to the pharmacy and have to stand 10 feet back from the window until it’s your turn, lest you overhear the pharmacist telling a customer how to use medication for an illness.
But the law can also make getting important information difficult from those who either see HIPAA as an excuse to hold back information or are gunshy about the law’s penalties for unauthorized release. HIPAA violations can be punished by up to 10 years in prison and fines ranging between $50,000 and $1.5 million.
Emily’s story is a classic example of this problem. If she had been taken from a school or her home, her full name, age and the clothes she was last seen wearing would be flashing on every billboard in the state and popping up on cellphone screens everywhere.
Eventually, the police released her last name — Bracamontes — and the names of her parents. But the information could have come out sooner without violating HIPAA.
Paul Murphy, Utah’s Amber Alert Coordinator, said HIPAA does allow hospitals to release information to police when someone’s life is at risk, at which point it is no longer private and can be sent out to the public.
This is not the first time someone has used HIPAA to hold back information.
Several years ago, a Provo Municipal Councilwoman was taken out of a closed-door meeting by ambulance. However, the fire department refused to give out any information, citing HIPAA.
More recently, when The Salt Lake Tribune was before the State’s Record Committee seeking crime statistics from the Utah Transit Authority, a UTA employee said that the reports would have to be heavily redacted because they could contain “HIPAA information.”
HIPAA only applies to health-care providers, and the law does not include fire departments or police departments on that list. Nor should it be used to hide information about what happened to an elected official, crime statistics or information that could help find a girl whose life is in danger.