The Institute of Medicine report, To Err Is Human, recommended that collaborative networks of health care organizations should exchange information regarding medical errors to prevent the same errors from being repeated. Another recommendation, that Congress enact legislation protecting such exchanged information from legal discovery, has not occurred. Even if such legislation does pass, it may conflict with existing federal discovery requirements. Nevertheless, existing state and federal law may offer some protection. The most promising source of existing protection for all members of patient safety collaboratives is 42 U.S.C. §299c-3(c), which extends protection to data collection sponsored by the Agency for Healthcare Research and Quality (AHRQ). The Department of Health and Human Services’ confidentiality certificates and state peer review protection laws may offer little if any protection. However, with AHRQ sponsorship and the proper structure, health care organizations may be able to safely exchange information with one another without fear of liability or disclosure of sensitive information.

The 2000 publication of the Institute of Medicine (IOM) report, To Err Is Human,1  caused substantial public concern about medical error. The report estimated that potentially preventable adverse events attributable to medical errors during hospitalization caused between 44,000 and 98,000 deaths at a total cost of $17 billion to $29 billion annually. The report recommended, among other things, the development of voluntary reporting and collaborative efforts among health care organizations to prevent the same errors from being repeated in different organizations. Regional safety consortia are one such type of collaborative effort, formed between member health care institutions in a given locality for the purpose of exchanging information regarding practices, devices, techniques, systems and policies that may either reduce or contribute to adverse patient outcomes. By definition, these consortia are interorganizational in nature. In addition to learning from each other’s experience with medical errors, other advantages of regional safety consortia may include pooling data to increase the power of any collaborative study and to discern worrisome safety trends; collecting a broad and more easily generalizable database of cases from which to draw inferences regarding patient care quality; and comparing across different practices and systems, thereby more rapidly identifying care process and devices that improve or endanger safety.

One potential problem with such consortia, also recognized in the IOM report, was that free exchange of information between institutions may render such information vulnerable to discovery by plaintiffs, either by implied waiver of any peer review privilege that might exist, or by allowing discovery of such information from recipient member organizations of the safety consortium. The IOM report recommended that to remedy this problem, comprehensive federal legislation should be passed to protect data that are shared with other health care organizations for the purpose of improving safety and quality. While several bills have been reported out of committee in both the House and Senate, no comprehensive federal legislation has yet passed. The IOM report intimated that even given the lack of statutory protection, state law (more specifically, state peer review protection) might also protect the exchange of patient safety data shared between unaffiliated institutions.1 

This article will examine existing federal law and regulations to see if any federal evidentiary protection currently exists for patient safety data submitted to regional health consortia. It also will examine any potential evidentiary problems that might arise in cases scheduled in federal court. Using California as an example, this article will also review issues related to peer review protection, in the context of patient safety data shared with outside institutions. We conclude even in the absence of beneficial federal legislation, there may be a limited ability to share safety information in regional consortia. However, each potential consortium must conduct a careful analysis of its structure and approach, considering (at a minimum) federal statutory protection, its specific state peer review/quality assurance laws and the relationship between state and federal law.

Federal Protection

42 U.S.C. §299c-3(c)

Perhaps the most promising source of existing federal protection for safety information exchanged across institutional boundaries lies in 42 U.S.C. §299c-3(c), which specifies that information collected in the course of activities sponsored or supported by the Agency for Healthcare Research and Quality (AHRQ) may not be used for any purpose other than the purpose for which it was supplied. Although the data collected by AHRQ-sponsored entities are clearly protected under 42 U.S.C. §299c-3(c), it is uncertain whether that protection extends to data collected in the course of AHRQ-sponsored activities, but which are later disseminated to other organizations, i.e., other members of a regional health care safety consortium for non-AHRQ-sponsored safety activities. Susan Green Merewitz, senior attorney for AHRQ, relying on Farnsworth v. Proctor & Gamble, has argued that due to the public policy favoring protection of data collected for safety purposes,

If individuals inside a health care institution are gathering identifiable medical error information as part of AHRQ-supported grant or contract research, and it is conveyed outside the institution, e.g., for analysis in an AHRQ-supported central databank, even if the reporters lost their protection against being subpoenaed to testify under state law, the federal statute would cover and protect the identifiable information they acquired pursuant to AHRQ’s statutory research authority.2 

However, the Merewitz memorandum, while given great weight, is not binding on any court likely to hear the matter at the state level and refers only to a scenario where an AHRQ-sponsored entity collects the data, and in turn disseminates such data to non-AHRQ-sponsored entities. AHRQ protection may be attenuated if non-AHRQ-sponsored entities collect patient safety data and the AHRQ-sponsored entity acts only as a repository or an intermediary that then disseminates such data to other non-AHRQ entities. Protection under this statute also requires at least one member of a safety consortium, preferably the member collecting the data, be AHRQ-sponsored. Notably, federal grantees often have some discretion to alter the nature and scope of funded projects beyond that outlined in their original funded proposal. It may be reasonable to postulate such expansion to include additional safety initiatives and institutional participants would have similar protection.

42 U.S.C. §241(d)/DHHS certificates of confidentiality

Another possible source of legal protection for patient safety information exchanged among health care organizations lies in 42 U.S.C. §241(d), which states the Secretary of Health and Human Services may authorize persons engaging in research to protect the identity of research subjects by withholding from all persons not connected with such research the names and other identifying characteristics of such individuals.3  Persons so authorized may not be compelled in any legal proceeding to disclose identifying information of such individuals. By its terms, however, the protections mentioned above only apply to the identity of research subjects, or to data that would allow possible identification of such individuals. It seems then, that patient safety data that are de-identified per (for example) the medical privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) would still be potentially ascertainable, although the utility of such data may be limited. The question also arises as to whether this provision of law applies to patients who have presumably not consented to becoming patient safety research subjects. Additionally, since the purpose of this law is to protect patients’ privacy, patients may be able to waive the protections of 42 U.S.C. §241(d) as to their own information, which they presumably would do if they were plaintiffs in a malpractice lawsuit.3  The protections of 42 U.S.C. §241(d) also necessitate an application to the National Institutes of Health (NIH), a division of the Department of Health and Human Services (DHHS), for a “Certificate of Confidentiality.” While readily obtainable, such a certificate may generate a false sense of security, as cases interpreting §241(d) are few in number and the validity of the statute has never actually faced challenge.4  Furthermore, none of the questions mentioned above has yet been answered by any binding authority.

Conflict of 42 U.S.C. §§241(d) and 299c-3(c) with FRCP 26(a)

No court has yet had occasion to interpret §§241(d) and 299c-3(c) in light of existing federal law. In addition to the various legal challenges that either statute may face, both may conflict with existing federal discovery requirements. Per the Federal Rules of Civil Procedure (FRCP), a defendant is required to disclose all information he or she may use to support his or her defense, as well as the locations and custodians of such information.4  An argument could be made that a defendant could be required to disclose protected information if that defendant reviewed protected information in support of his or her defense.

However, §241(d) states that persons “so authorized may not be compelled in any federal, state or local civil, criminal, administrative, legislative or other proceedings to identify such individuals.” Section 299c-3(c) states that identifiable information may not “be used for any other purpose than for which it was supplied.” Thus, federal law in this area appears contradictory, a conflict that no court has yet resolved. While FRCP Rule 26(d) states that privileged materials are not discoverable, FRCP Rule 26(b)(5) states that to assert a privilege in federal court, one must describe the nature of the privileged material sufficiently to allow a fact finder to assess its applicability.4  However, in these circumstances, even materials not admissible in court may still be subject to discovery as long as they are “reasonably calculated” to lead to admissible materials. This could include any information relevant to a patient injury, including patient safety information and the location of that information, such as the specific consortium members who hold the data and have provided the reports. Hence, under general discovery rules, protection of safety information may be limited due to the low threshold required for access to consortium information.

State Law Protections

California peer review/quality assurance privilege

Peer review is defined as “[t]he concurrent or retrospective review by practicing physicians or other health professionals of the quality and efficiency of patient care practices or services ordered or performed by other physicians or other health professionals.”5  In all states, the peer review privilege protects the proceedings and records of peer review committees from civil discovery or subpoena in actions where staff privileges are not at issue. The issue of peer review privilege arises in the context of exchanging patient safety data among health care organizations in one of two ways. The first issue (also discussed in the Merewitz memorandum) is whether exchanging patient safety data would constitute an implied waiver of any existing peer review protection to which the reporting health care provider might be entitled.2  The second is whether the peer review privilege is interinstitutional, i.e., whether it applies to consortia composed of health care institutions engaging in peer review-like activities, but on a multi-institutional basis.

No waiver of peer review in California

In California, the law may allow implied waiver of evidentiary privileges by third party disclosure. However, a review of the medical peer review cases under Evidence Code §1157 appears to indicate that peer review is considered “an immunity,” rather than a “privilege,” and hence is not subject to waiver in specified circumstances.6  For example, beginning in 1974 with Matchett v. Superior Ct.,7  it was held that “§1157 establishes an immunity from discovery rather than an evidentiary privilege.” While the court in Matchett made no mention of waiver, this distinction became important in subsequent cases. In Newhall v. Superior Ct.,8  the court specifically addressed the issue of “whether or not a hospital waives the immunity from discovery provided in Evidence Code §1157… by filing a transcript of its staff committee hearing in an unrelated administrative mandamus proceeding ....” The plaintiff contended that by voluntarily filing a copy of the staff committee transcript in the administrative action, the hospital had waived any privilege provided by California Evidence Code §1157. The court found that there was no waiver of §1157 and stated that “to hold otherwise would render hollow immunity provided in section 1157 and subvert the underlying public policy of section 1157….” The court, however, held that the hospital must assert the protection in “timely and in proper form.” So while holding that §1157 was not waived in this case, the court also established at least some constraints on peer review protection, including timeliness and form.

The next California case to address the issue of waiver was West Covina v. Superior Ct.9  Here, the appellate court specifically referred to the principles of waiver in its analysis, stating that “[t]he idea that an individual may ‘waive the [peer review] privilege’ is incongruous to the provisions and purpose of the statute.” On appeal to the California Supreme Court, however, the majority reversed, holding instead that §1157 was inapplicable to voluntary testimony, thereby avoiding any further waiver analysis.10  The dissent in the California Supreme Court opinion reiterated the language of Matchett, stating that §1157 “creates for the protected material an absolute immunity from discovery ….”

In the fourth case to address the issue of waiver, University of Southern California v. Superior Ct.,11  the plaintiff, a surgical resident alleging wrongful termination, sought to compel production of records of her evaluation along with evaluations of other residents, terminated or otherwise. When the defendant only produced records pertaining to the plaintiff, the plaintiff contended that “by producing records relating to her personally, USC waived the discovery exemption in section 1157.” The court responded by again distinguishing between evidentiary privileges and immunities, stating while “some decisions use the word ‘privilege’ to describe the exemption from discovery set forth in section 1157.” The court responded by again distinguishing between evidentiary privileges and immunities, stating that while “some decisions use the word ‘privilege’ to describe the exemption from discovery set forth in section 1157… ‘[p]rivileges’ are covered by Division 8 of the Evidence Code, which contains familiar section 912 regarding waiver of privilege. Section 1157, by contrast, is contained in Division 9….” The court went on to state that any waiver analysis was inapplicable since “[s]ection 1157 clearly does not create a privilege,”12  thereby implying that immunities were not waivable. The court, however, did not go so far as to state that §1157 immunity could never be explicitly waived, instead stating that assuming a waiver doctrine of some kind did apply, waiver would necessarily have to involve all those protected by §1157, including the committee members, physician reviewers and other resident surgical trainees who were reviewed.

More recently, the California Supreme Court again addressed this question in Fox v. Kramer.13  In Fox, the plaintiff attempted to subpoena the expert testimony of an investigator for the California Department of Health Services (DHS), where that investigator had relied substantially on hospital peer review committee records in forming his opinions. When the hospital objected, citing §1157, the plaintiff claimed that the protections of §1157 were waived once the hospital turned over its committee records to the DHS or, in the alternative, when a redacted form of the report was given to the plaintiff by the DHS. The court ruled in favor of the defendants, finding that “[t]he fact of DHS review did not constitute a general waiver by the hospital of discovery immunity under Evidence Code section 1157, subdivision (a): the hospital peer review committee records did not lose their immunity from discovery simply because they were reviewed in the course of an administrative investigation.”

Thus, according to Fox, Newhall and University of Southern California, and supported by the dissent in West Covina, the protection provided by §1157 is an immunity, which is not waived by disclosure to outside parties. It is important to note, however, that in all the cases that specifically addressed this issue, the disclosure was made in furtherance of some sort of secondary litigation. In Newhall, the disclosure took place pursuant to an unrelated administrative mandamus proceeding. In University of Southern California, the disclosure took place during the defense of a wrongful termination action. And in Fox, the disclosure took place when the hospital was compelled to turn over its committee records to the Department of Health Services.

All of these disclosures, which were later held not to constitute waivers, were necessary to defend against another action — civil, quasi-criminal or administrative. The question then arises as to whether a court would find voluntary disclosure by a peer review committee to a regional patient safety consortium with no other litigation pending to be similar to these cases. While the issue has never been specifically addressed by a court of competent jurisdiction, at a minimum for the immunity to possibly apply, the assertion of immunity must be timely and in proper form, there must be no federal jurisdiction, and explicit waiver by all those protected by §1157 — including committee members, physician reviewers and physicians reviewed — must not have occurred.

In California, the peer review privilege does not apply across institutional boundaries

Although the IOM report optimistically characterized the peer review privilege in California as “the most promising existing source of legal protection”1  for protecting interinstitutional exchange of patient safety data, even the broad protection of California’s peer review statute does not protect the interinstitutional exchange of patient safety information. Section 1157 covers only the proceedings and records of peer review committees composed of the medical staff within an institution. Even in the broadest of §1157 interpretations in California, courts have never read the phrase “proceedings and records” expansively enough to include proceedings and records of a committee existing outside the aegis of a single health care institution, such as a regional patient safety consortium. Similarly, “proceedings and records” and “medical staff” encompassed by §1157 have never been held to cross organizational lines. Rather, “medical staff” has consistently been associated with an individual health care organization, either as employees or physicians with staff privileges. Additionally, in a large state like California, the interpretation of these terms may actually be different between appellate courts. (For example, some California appellate courts have tended toward narrowing the meaning of the definition of “proceedings and records,” while others have maintained a broader interpretation.) In the case of a regional patient safety consortium, the majority of members would likely have no official association with more than one health care organization within the consortium. Hence, it is unlikely even a deferential court would find the legislature intended the “proceedings and records” of a “medical staff,” both of which exist outside the aegis of a single health care organization, would be covered by §1157.

The peer review privilege may not apply in federal court

Even if peer review privilege was found to apply to a regional patient safety consortium, a potential litigant may be able to “end run” any protection provided by such a statute by obtaining federal jurisdiction, a system which does not necessarily recognize state law evidentiary privileges.14  federal jurisdiction requires either a federal question (i.e., a conflict arising under federal law), differences (i.e., “diversity”) of state citizenship among litigants, the United States as a party to the action, an action between two or more states or a case governed by admiralty or maritime law.15  The Federal Rules of Evidence provide that the question of whether a federal court shall adopt an evidentiary privilege

shall be governed by the principles of the common law as they may be interpreted by the courts of the United States in the light of reason and experience. However, in civil actions and proceedings, with respect to an element of a claim or defense as to which state law supplies the rule of decision, the privilege … shall be determined in accordance with state law.16 

Hence, in federal actions based on diversity of the litigants’ residence, state law applies, including any protection provided by state peer review statutes. But if the claim involves at least one federal issue or if the litigant sued a federal institution, the federal law and its limited recognition of the peer review privilege could apply.

Federal courts are split as to whether peer review privilege is recognizable under federal law, depending on the underlying claims and laws at issue.17  The U.S. Supreme Court has not yet addressed whether any medical peer review privilege exists under federal common law.18  This means even if a malpractice claim was filed in a state that had found state peer review privilege does apply to interinstitutional activities, the privilege might be defeated if the action was successfully removed to a federal court in a jurisdiction that does not recognize the peer review privilege. Even if the particular federal court did recognize peer review privilege as existing in federal common law, there is no guarantee it would interpret such privilege as applying to interinstitutional activities in the same manner as in the state where the action took place.19 

Given the review above, even in the absence of some additional form of federal legislative protection, there is some potential to allow a regional patient safety consortium to exchange information without fear of discovery, as long as certain precautions are undertaken.

AHRQ sponsorship or support is highly desirable

Because 42 U.S.C. §299c-3(c) is the strongest potential source of protection for exchanged information, it should be the foundation for any information exchange paradigm. Therefore, if no member of the consortium has AHRQ sponsorship, it should be sought. Thus, AHRQ should be encouraged to foster the formation of such patient safety consortia through flexible grant or contract mechanisms, even if they can be supported with only limited levels of funding. Once AHRQ sponsorship is obtained, the AHRQ-sponsored entity should act as the central repository of information for the consortium. Only fully de-identified data should be transmitted by members to the AHRQ-sponsored entity. The data should then be stripped of all indications of organizational affiliation before retransmittal to other members. This method of information management conforms to provisions of §299c-3(c), which clearly protects data collection on behalf of an AHRQ-sponsored entity.

Review specific state laws to determine if state peer review protections apply

Providers interested in creating safety consortia should assess their specific state laws to determine if, and to what extent, the peer review/quality assurance privilege applies, and under what conditions. Pay attention to what forms of information must be placed, the committees and other entities that will see the data and the circumstances where such privilege appears to be lost. This review should also assess under what circumstances the peer review/quality assurance privilege may be weakened in conflicts brought in federal court.

Other issues to consider

The creation of a regional consortium of unaffiliated health care institutions has the potential for advancing patient safety communitywide through the sharing of knowledge, joint learning and collaborative initiatives. However, in the creation of such a consortium, the potential member organizations need to consider a number of other factors besides concerns about waiver of protection from discoverability, as discussed above. Other issues requiring evaluation include patient privacy issues (e.g., HIPAA), the legal and organizational structure of the consortium, membership issues, confidentiality and indemnification and the need for human subjects review. In the interest of brevity and focus, we cannot address these issues here. However, sample questions with which the consortium members must struggle might include:

  • What kinds of data do we feel comfortable sharing — from highest (actual patient adverse events) to lowest (structure of quality assurance and safety initiatives) risk?

  • Can the consortium’s activities be more clearly and closely associated with individual member’s medical staff peer review processes?

  • What kind of legal structure can best protect members from inadvertent disclosure by the consortium or by other members?

  • In the event of a lawsuit, would there be joint liability and, if so, how might individual members be shielded from excessive or inappropriate liability?

  • Should the consortium be a separate corporation, a partnership, an unincorporated association or some other formal or informal structure?

Despite recommendations from the Institute of Medicine for legislators to establish federal evidentiary protection allowing health care organizations to safely and securely exchange information relating to patient safety, no such federal laws have yet been passed. The lack of nationwide protection, however, may not preclude health care organizations from exchanging at least some types of patient safety information, since protection may be possible under existing federal and state law. However, before forming a patient safety consortium and undertaking such data sharing, member institutions need to engage their general counsels, patient safety officers, risk managers and senior executives to evaluate and assess the risks and benefits of such participation in light of the particular local legal and other conditions in which they must operate.

This project was supported by a grant from the Agency for Healthcare Research and Quality (P20-HS11750).

To err is human: building a safer health system. A report of the Committee on Quality of Health Care in America, Institute of Medicine
Washington, DC
National Academy Press
senior attorney for AHRQ.
Statutory confidentiality protection of research data. Memorandum of 2001 April 16
42 U.S.C. §241(d) (2004); Protection of Identity-Research Subjects, 42 Code of Federal Regulations §2a.1–8 (2004).
People v. Still 364 N.Y.S.2d 125 (1975), affirmed in part, modified in part 369 N.Y.S.2d 759 (1975); Wolpin v. Morris 189 F.R.D. 418, 425 (C.D. Cal. 1999).
Federal rules of civil procedure. Rule 26 (St. Paul, MN: West Pub. 2001).
The facts on file dictionary of health care management
N.Y., N.Y
Facts on File Publications
California Evidence Code §§1157, 912 (2003).
Matchett v. Superior Ct. 40 Cal.App.3d 623 (1974).
Newhall v. Superior Ct. 81 Cal.App.3d 626 (1978).
West Covina v. Superior Ct. 165 Cal.App.3d 794 (1985) (superseded by grant of review).
West Covina v. Superior Ct., 41 Cal.3d 846 (1986).
University of Southern California v. Superior Ct. 45 Cal.App.4th 1283 (1996).
Fox v. Kramer 22 Cal.4th 531 (2000).
Risk of reporting sentinel events
Health Aff
Civil procedures §2.2, at 13 (3rd ed. 1999).
Federal rules of evidence. Rule 501 (St. Paul, MN: West. Pub. 2001).
Weinstein’s Federal evidence. §501.04[3], n. 11–12. Joseph M. McLaughlin, editor. 2d ed.; 2003. Moore J, et al., Moore’s Federal practice. §26.48[2] fn 13. 3rd ed.; 2001.
Virmani v. Norvant Health Inc. 259 F.3d 284, 287 (4th Cir. 2001).
Whitman v. U.S. 108 F.R.D. 5, 6–8 (D.N.H. 1985), and New Hampshire v. Soucy 139 N.H. 349 (1995).