A Question of Privilege: Protecting Data in a Clinically Integrated Network

In this emerging era of healthcare reimbursement based on value, many providers are considering different ways to provide services to patients.  The old fee-for-service model, which often awarded providers based on volume, is being replaced with a model that incentivizes providers to provide quality care at reduced costs.

In order to position themselves for value-based reimbursement, many providers have banded together to form clinically integrated networks (CINs) to coordinate and standardize patient care across various service lines.

Whatever term given to these networks (e.g. CINs, accountable care organizations, accountable care networks etc.), the goal of these entities is to enable a diverse array of independent providers to provide high quality, value-based care.

Many CINs have entered into “shared savings” contracts with payors, under which a CIN’s provider-members have the monetary incentive to meet certain quality-based metrics.

In order for these networks to be truly “clinically integrated,” it is critical that provider-members transmit data to the CIN related to their treatment of patients.

For example, in order to ensure the proper care of patients, primary care providers may be required to provide the CIN with the blood pressure levels of patients who are managing high blood pressure.

To incentivize high quality care, the providers whose patients have blood pressure levels consistently within an acceptable range will receive a larger payout of any “shared savings” money than providers whose patients consistently have higher levels.

Without the receipt of detailed treatment data from providers, CINs would not be able to effectively set quality-based metrics, recommend best practices, and incentivize value-based care.

But there is an important question that CINs should consider: Is the data submitted by a CIN’s provider-members privileged and protected from discovery in a lawsuit?

The Peer Review Privilege

The importance of protecting sensitive information related to a healthcare provider’s services is not a new concept.

Many states throughout the country have recognized the “quality improvement” or “peer review” privilege, which protects certain documents and information that are created during the course of a quality assurance review of a provider’s treatment of patients.

The privilege is a critical mechanism to ensure that peer reviewers engage in frank and open discussion of a provider’s practice without the threat of having all of their discussions obtained by a patient or the patient’s attorney.

For example, let’s assume that a peer review committee of a hospital is reviewing the competence of an OB/GYN physician whose patient had complications during childbirth.  The patient has provided her notice of intent to sue the hospital and the physician for malpractice.

In order to ensure that physician-error did not contribute to the bad result, the hospital’s peer-reviewers closely scrutinize the physician’s performance, and also the performance of the hospital’s support staff.  Their objective is to find any deficiencies that can be corrected for future cases.

Without the peer review privilege, the hospital could be forced to release the peer reviewers’ frank discussions related to the providers’ and hospital’s potential culpability to the patient’s malpractice attorney.  These self-critical discussions and documents could be a goldmine for the patient’s case against the hospital.

Clearly, the peer review privilege is essential for a healthcare provider’s risk management.

Peer Review Privilege and Clinically Integrated Networks

Providers and CINs commonly assume that the peer review privilege applies to any data transmitted between the CIN and the CIN’s provider-members.

But this might not be an accurate assumption.

In reality, the peer review privilege in many states is very narrow and only applies if the provider has met strict requirements.

For example, the Washington State peer review privilege solely applies to information created specifically for, and collected and maintained by a regularly constituted “coordinated quality improvement committee.”

The privilege is waived if any of the information or documents are disclosed to anyone outside of the committee.  One key exception is that a coordinated quality improvement committee of one entity may share information with a coordinated quality improvement committee of another entity.

The primary issue for CINs is that Washington State law only allows certain entities, such as hospitals, medical facilities, provider groups of five or more providers, and health carriers, to form a coordinated quality improvement committee.  WAC 246-50-005.

The rules do not explicitly permit a clinically integrated network or accountable care organization that is a separate legal entity from a medical facility or hospital to form a coordinated quality improvement committee.

Therefore, under Washington State law, there is a risk that provider data shared with a CIN will be unprotected from discovery in a lawsuit.

A Possible Alternative: The Patient Safety and Quality Improvement Act

It may come to a surprise to many CINs and providers that data shared between a CIN and a provider could be subject to discovery in a legal proceeding.  However, unless a state law allows a CIN to take advantage of the peer review privilege, quality data received by a CIN is potentially at risk.

One alternative that CINs should consider is the privilege set forth in the federal Patient Safety and Quality Improvement Act (PSQIA).

The PSQIA is federal law enacted in 2005 that created a broad privilege for “patient safety work product,” which a provider may disclose to a “patient safety organization.” These terms are defined as follows:

• Patient Safety Organization (PSO): A private or public entity (or component of such entity) that is listed as a PSO by the Secretary of Health and Human Services.
• Patient Safety Work Product (PSWP): Includes any data, reports, records, memoranda, analyses, or written or oral statements which could improve patient safety, health care quality, or health care outcomes; and
  • Which are assembled or developed by a provider for reporting to a PSO and are reported to a PSO; or
  • Are developed by a PSO for the conduct of patient safety activities; or
  • Which identify or constitute a provider’s deliberations, analyses, or reporting related to information disclosed to a PSO.  A provider’s procedures for collecting and reporting information to a PSO are known as the provider’s “patient safety evaluation system” (PSES).

Importantly, PSWP does not include the original medical record of the patient or other information that is collected or maintained separately from the provider’s collection and reporting to the PSO.

Therefore, if a CIN were to create a PSO, quality information shared between a CIN and its provider-members could be protected from discovery in a lawsuit.  Even better, the PSQIA privilege is never waived – even if the information or documents are subsequently improperly disclosed by the PSO.

In comparison to the Washington State peer review privilege, the privilege under the PSQIA appears to be broader and more appropriate for the activities of a CIN.

Creating a PSO for a Clinically Integrated Network

Although the privilege protections of the PSQIA should interest CINs and their participating members, it is important to review the major steps needed for the proper creation of a PSO.

1. Eligibility: The first step is to confirm that the CIN is eligible to create a PSO.  Under the rules, any private or public entity can create a PSO, so long as the entity is not listed as “excluded” by the PSQIA. The list of excluded entities includes:
   • Health insurers;
   • Regulatory agencies;
   • Accreditation and licensure entities; and
   • Entities that administer a federal, state, local, or tribal patient safety reporting system to which health care providers are required to report.

If one of these types of agencies has an ownership interest in the CIN, it is critical that the CIN’s governing documents make clear that such entities do not exercise any control over the operation of the PSO.

2. Separate Legal Entity: In order to ensure compliance with the PSQIA, and insulate liabilities, the CIN should considering forming the PSO under a separate legal entity (e.g. limited liability company). The primary mission of the separate PSO entity must be the improvement of patient safety and the quality of health care delivery. Under the PSQIA rules, the PSO would be a “component” of the CIN.
3. Workforce: The PSO must be staffed by a qualified “workforce,” which must include employed or contracted licensed healthcare providers. The CIN can share staff with the PSO, but such staff members should sign confidentiality agreements stating that they will not improperly disclose PSWP to the CIN.
4. Policies: The PSO must create policies and procedures to meet the eight patient safety criteria in the PSO:
   • Efforts to improve patient safety and the quality of health care delivery;
   • The collection and analysis of PSWP;
   • The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;
   • The utilization of PSWP for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;
   • The maintenance of procedures to preserve confidentiality with respect to PSWP;
   • The provision of appropriate security measures with respect to PSWP;
   • The utilization of qualified staff; and
   • Activities related to the operation of a PSES and to the provision of feedback to participants in a PSES.

5. Participation Agreement: The PSO should enter into a template Participation Agreement with the CIN’s provider-members. Among other requirements, the Agreement should specify a standardized manner for the providers’ transmission of data to the PSO. The PSO and the CIN’s provider-members should also enter into a HIPAA Business Associate Agreement.

6. Patient Safety Evaluation System: Each provider entity should set up its own policies and procedures for reporting PSWP to the PSO. This reporting structure will be each provider’s “patient safety evaluation system.”

7. Consent for Disclosure to the CIN: The PSQIA permits a PSO to disclose PSWP back to a participating provider for “patient safety activities.”  However, due to the fact that a CIN is not a “provider” of healthcare services, it is not able to contract with the PSO and receive PSWP. This could be a problem if the CIN needs access to identifiable PSWP in order to develop quality metrics, create best practices for the members, or distribute any shared savings money.  In order to ensure that the CIN is able to receive PSWP from the PSO, each CIN provider-member should sign a consent that permits the PSO to disclose PSWP to the CIN for the purposes of clinical and financial integration.

8. Apply for Certification: In order to officially become a PSO, the PSO entity should apply for certification from the Agency for Health Research and Quality (https://pso.ahrq.gov/forms/initial/). After approval, the PSO will be listed for a period of three years. The PSO must renew its listing after the three year period.

Please note that this is not an exhaustive list of requirements for PSOs, but it does contain many of the major steps that should be considered in forming a PSO.

By going through the process of forming a PSO, a CIN may have a better chance of protecting sensitive quality data than relying on state peer review privilege laws.

For more information on the peer review privilege, clinically integrated networks, and patient safety organizations please contact Casey Moriarty.