Providers’ performance data is used across an increasing number of areas by CMS, regulators and accreditation bodies, payers, and healthcare facilities themselves for initiatives like:
- Shared savings programs
- Merit-based incentives
- Peer review and external peer review
- Inclusion on government and commercial or private insurance panels
In the age of data breaches, it’s important for medical credentialing and privileging professionals to understand where the confidentiality lines are drawn.
Performance data tracking
The enhanced efforts we experience today to track all kinds of practitioner performance data are rooted in public demand for transparency of healthcare services and in outcomes improvement measures. Both equip payers and consumers to make better-informed quality decisions.
To monitor compliance efforts and educate practitioners about how their practices measure up to identified standards, healthcare organizations have adopted off-the-shelf software solutions and other tracking methods that generate individualized and aggregate practitioner profiling data. For example, some programs look at major diagnoses (e.g., heart failure) or events and then evaluate a practitioner’s performance. They might examine factors such as length of stay, average cost, mortality, readmissions, or drugs used.
Individual results are compared with those of peers to determine whether the practitioner is performing on par with the peer group or is an outlier in one or more categories. The goal of the profiling exercise, especially as applied to outliers, is to improve outcomes and modify practices where warranted. In the case of payers, it helps inform them about under-performers.
Balancing data protection with the duty to protect patients
Hidden in the above-described efforts to improve healthcare quality and safety and decrease costs is risk. Hospitals and practitioners are generating increasing amounts of sensitive information about practitioners that a plaintiff could potentially use against the healthcare organization and/or its medical staff practitioners in a negligent credentialing claim.
How? It’s established law that hospitals have a duty to patients to ensure that practitioners are currently competent to exercise the clinical privileges a hospital grants to them. If a hospital grants privileges to an unqualified practitioner—or if the hospital knew (or should have known) the practitioner was not qualified based on internal or external studies, reports, or peer review analyses but took no action to limit or remove the privileges in question—the hospital may be found negligent.
10 steps to protect sensitive information
There are ways for hospitals and medical staffs to improve how they develop and gather performance data and quality assurance information. But that’s not all. They must also maintain the confidentiality of the data to the extent possible. The following practical steps can help protect against the discovery of sensitive information that could be used against them in a malpractice suit or other action.
1. List relevant reports, studies, forms, analyses, profiling data, etc., that a hospital uses in carrying out its quality assurance, peer review, risk management, credentialing, and similar functions.
2. Identify reports and information that, if accessible to a patient or plaintiff’s attorney, could be used to support a malpractice or corporate negligence claim.
3. Identify all applicable state and federal confidentiality statutes, such as peer review, physician-patient, medical record, HIPAA, attorney-client, business record, and others that arguably apply to this data set.
4. For each item on the list from step 1, determine the scope of protections afforded under the statutes and applicable case law, and/or the steps needed to at least assert a confidentiality argument, in order to make an objective assessment about what data are likely to be protected and what may or will be discoverable.
5. Identify documents, or portions of documents, that remain after completing steps 1–4, and determine the level of sensitivity of the remaining information.
6. If sensitive information remains, consider whether it can be moved to, consolidated with, or reauthorized by a peer review committee (or determine what other steps can be taken) to maximize protection under the applicable statutes.
7. Determine whether the remaining sensitive information can be de-identified or aggregated without minimizing its effectiveness.
8. Adopt bylaws, policies, and procedures that use statutory buzzwords (e.g., “This report is privileged and confidential under the ________ Act because it has been authorized for development and use by the ____ Committee for the purpose of reducing morbidity and mortality and to improve patient care”). This action may be self-serving, but courts have held that not making this internal designation suggests that the hospital did not consider the document confidential.
9. Always consult with legal counsel in developing a plan—or at minimum meet with counsel regarding the final review of the plan.
10. Update the plan as forms and the law change.