Privacy law gets mixed reviews in Utah

When Pam died last year, the stress on her family was compounded by a federal law designed to protect patients. They were unable to figure out which hospital she'd been flown to after she collapsed on a family outing, and when they frantically called hospitals, no one would say whether she was a patient for fear of violating the patient privacy provisions of HIPAA — the Health Insurance Portability and Accountability Act.

Two years after its beginning, HIPAA is getting mixed reviews.

The problem with HIPAA, say the experts who use it on a daily basis, is it creates confusion about patient privacy. Then it tosses in stiff financial penalties and possible jail or prison terms as a punishment for anyone who blows it. And everyone applies it a little differently. Especially early on in HIPAA's enforcement, which began in spring 2003, everyone erred heavily on the side of caution.

Some hospitals are now re-evaluating how they interpret the law.

"I think it's really come a long way. People are starting to understand there are both good aspects and challenges." says Stephanie Argoitia, manager of University Hospital's privacy office.

Opt in/opt out

Patient privacy, just one aspect of HIPAA, has garnered the most public attention because that's where change is most visible. Before HIPAA, you could call the hospital and find out about your neighbor's condition.

Now, information about a patient's condition and location may not be released to anyone unless the patient "opts in."

Most hospitals consider a patient opted-in unless he asks to opt out — with the exception of patients like Pam, too ill to indicate preference. In most cases, her family would then have been asked to make the decision for her, but they weren't there so the hospital opted her out. When her husband and adult daughter tried to find her, a staffer with no way to verify their identity over the phone refused to release any information.

They did find her after raising a ruckus, but they felt they'd been robbed of precious time, their grief and anxiety compounded. Pam died a couple of days later.

Argoitia and others say that's an extreme and rare example of an unintended HIPAA consequence. Now, they say, it's more likely that a facility's privacy officer would be called and a way found to reunite the family and patient quickly.

Still, "nothing that happens in a hospital any more is a matter of public record," notes Bonnie Midget, Primary Children's Medical Center spokeswoman.