Officers contacted area hospitals to see whether Dill was a patient, and Salem Hospital officials wouldn't say, citing the Health Insurance Portability and Accountability Act, known as HIPAA, the Statesman Journal reported (http://stjr.nl/10gRVFZ).
An anonymous tipster eventually told police that Dill was in Salem Hospital, and Dill has since been transferred to an adult care facility, the newspaper reported.
"It gets complex under HIPAA," Glyzewski said. "But if it's law enforcement, that opens up other avenues. If we are contacted by law enforcement, we are allowed to say the person is here.
"On the flip side, if we see a report that someone is missing, we would proactively contact law enforcement."
Glyzewski declined to say whether that policy was followed in Dill's case. But he noted the hospital is reviewing, "moment by moment," the sequence of events that led to the officials' decision not to inform the police of the man's presence.
Police say the case illustrates a difficulty officers can encounter when somebody goes missing.
"It's a cumbersome law," Salem Police Lt. Steve Birr said. "... One of the difficult things is that we have people with mental illnesses, and they could end up in a mental health facility, and you would never know it, and they would never tell you."
Friends called police Monday after noticing Dill wasn't at their apartment complex. Police were not worried about Dill's mental health, but because he is diabetic they were concerned about the possibility that he experienced a medical emergency.
Hospital spokeswoman Sherryll Hoar told the Journal she couldn't speak about the specifics of Dill's case, but she said the hospital's HIPAA compliance officer is willing to talk with police about "whether we should have released that information or not."
Birr doesn't think the hospital was being adversarial, but he said knowing Dill was a patient would have saved taxpayer dollars and spared Dill's friends anxiety. The search's costs weren't immediately known.
Congress passed HIPAA in 1996, and its privacy rules were implemented in 2003. Health care providers such as hospitals can release limited information to police, but only in certain circumstances, such as when doctors suspect child abuse or a person is the subject of a criminal investigation. Civil fines can reach $25,000, and criminal fines $250,000.