When police officers arrived at UPMC McKeesport to investigate a report of an assault on a staff member by a patient early Saturday, they said they found Jamie Devon Green naked in a nearby parking lot, yelling that he was Jesus Christ.
But even with the patient being implicated in the savage beating of employee Colleen Heinric, an administrator on duty refused to give police any information about the man -- including his name -- citing the Health Insurance Portability and Accountability Act.
Ms. Heinric, however, divulged his name.
HIPAA, as the law is more commonly known, outlines when health care providers are allowed to disclose patient information and to whom. An expert on the federal privacy law said that the scenario fell under a HIPAA exception, meaning he believes the hospital was permitted -- but not required -- to identify the man.
"The hospital, it appears to me, is misinterpreting HIPAA," said Abner Weintraub, the president of a training and consulting firm called the HIPAA Group.
UPMC spokeswoman Susan Manko would not comment on the incident because she said that, too, would be a violation of HIPAA and because it was a "law enforcement matter."
"We always cooperate with law enforcement," she said.
In a criminal complaint, police said that when they arrived on scene at around 4 a.m. Saturday, they found the Ms. Heinric badly beaten, with a black-and-blue bump on the side of her head and a bloodied mouth. She complained to police of pain in her hips and was having trouble standing.
Ms. Heinric told police that she spotted Mr. Green near a secure exit on the fifth floor of the Crawford Building. He told her, "Come here, I need to show you something."
When she turned and walked away, Mr. Green came up behind her, knocked her to her knees and put her in a choke hold. He punched her several times before pushing her to the floor, shaking her keys from her pocket.
Mr. Green grabbed the keys and ran out the door.
Another employee, Kimberly Cheek, told police she heard Ms. Heinric screaming and ran over to see Mr. Green attacking her.
Mr. Green took off, setting off a fire alarm before leaving.
They found Mr. Green outside.
After Ms. Heinric identified her attacker, police used JNET, the state's criminal justice database, to confirm his identity and filed charges of aggravated assault, simple assault and harassment against him.
The warrant was signed Wednesday morning, though it was unclear whether the 21-year-old Braddock man had been taken into police custody.
Mr. Weintraub said health care facilities often generate policies to comply with HIPAA that are far more restrictive than the federal health care law.
Sometimes, he said, those policies can be so broad that they conflict with other state or federal laws, or even HIPAA itself. He said he has seen facilities, for example, use HIPAA in their refusal to give their own patients their medical records.
"Based on my experience, the majority have policies that do go beyond what the law requires," he said. "They do err on the side of restrictiveness, of not disclosing, because the perception is that it's simpler just to keep the information close to the vest ... rather than opening up the potential for a lawsuit of wrongful disclosure."
But in this case, there are several exceptions articulated under HIPAA that would have permitted the release of the man's name.
Health care facilities are permitted to disclose certain information when police are looking for a fugitive or the perpetrator of a crime.
There are other exceptions that would have been triggered because the crime was committed on the premises of the hospital.
In Mr. Weintraub's view, the scenario fell plainly within those exceptions.
The hospital is "not applying the law accurately," he said.
Moriah Balingit: firstname.lastname@example.org or 412-263-2533.