U.S. flag

An official website of the United States government

NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.

Gliklich RE, Dreyer NA, Leavy MB, editors. Registries for Evaluating Patient Outcomes: A User's Guide [Internet]. 3rd edition. Rockville (MD): Agency for Healthcare Research and Quality (US); 2014 Apr.

Cover of Registries for Evaluating Patient Outcomes

Registries for Evaluating Patient Outcomes: A User's Guide [Internet]. 3rd edition.

Show details

9Protecting Data: Confidentiality and Legal Concerns of Providers, Manufacturers, and Health Plans

1. Background

As the cost of care delivered in the United States continues to grow at an unsustainable rate without parallel improvements in the quality of care,1-8 health care policy experts and lawmakers are paying increasing attention to initiatives that measure and publicly report information about the performance of physicians, hospitals, and other health care providers and about the services and procedures they are delivering. They believe this is an important step toward improving health care quality and controlling costs. For example, advancing quality improvement through greater access to and use of health information is a specific goal of the Patient Protection and Affordable Care Act,9 which includes a number of provisions to incentivize quality measurement, improvement, and reporting and to enable more informed decisionmaking by consumers and other stakeholders.

Critical to the success of these initiatives is the availability and accessibility of relevant administrative and clinical data. Data registries (or repositories) are often used to collect, process, maintain, and release relevant data for these purposes. For example, many professional associations and societies organized around provider specialties or specific diseases and conditions administer their own registries. Typically, these registries are used for a variety of patient safety and quality improvement activities, including: matching patients with researchers, tracking the course of patients' care, tracking and identifying trends in medical errors or other patient safety issues, and tracking outcomes related to specific diseases or conditions or the effectiveness of specific treatments used to treat them. For example, the American College of Chest Physicians (ACCP) directs the ACCP Quality Improvement Registry, Evaluation and Education, or AQuIRE, which is intended to “assist the chest physician with meeting increasing demands placed upon them by the public, credentialing bodies, regulatory agencies, payers, and the institutions in which they practice.”10 Likewise, the American Orthopaedic Association spearheads the Own the Bone registry, designed to better coordinate patient care among a patient's providers, close the gaps associated with physician treatment recommendations, and alter patient and physician behaviors to reduce future incidence of bone fractures due to osteoporosis.11 Quality improvement and clinical research registries are also organized by the American College of Rheumatology,12 the American College of Radiology,13 the Society for Thoracic Surgeons,14 and the National Cardiovascular Data Registry.15 Other registries, such as the American Joint Replacement Registry, are endorsed by surgeons but use a multi-stakeholder funding and sponsorship model. Manufacturers and health plans also often contribute data to or sponsor registries for quality improvement and clinical research, including identifying care delivery trends and determining whether or not a particular service, procedure, medical device, or pharmaceutical achieves the desired effect.

Administrative and clinical information submitted by or about providers, medical device and pharmaceutical manufacturers, and health plans and included in registries for research, quality measurement and improvement activities, and patient safety initiatives often includes sensitive patient, provider, and/or manufacturer or health plan–identifiable information. Release of this information in an identifiable or even nonidentifiable manner may compromise the privacy of individual patients and providers and compromise sensitive financial, commercial, or proprietary manufacturer or health plan (e.g., benefit design, reimbursement) information. As more and more registries are developed and used for a variety of research (including comparative effectiveness research), quality improvement, and patient safety programs, more and more information about patient safety, quality of patient care, performance, and other details about providers, medical devices, pharmaceuticals, and health plans becomes available. This information is incredibly useful because it helps providers better understand and improve the care they are delivering, helps manufacturers refine and improve the devices and pharmaceuticals they are developing, and helps patients make more informed choices about their providers and treatment options. However, this information is also desirable for use in litigation or other judicial or administrative proceedings to demonstrate that a certain level of care was adhered to or not, or that a certain device or pharmaceutical works in a particular way.

Considerable attention has been directed towards ensuring the privacy and confidentiality of individually identifiable patient health information maintained in registries, particularly in regards to the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.16 As such, the privacy and confidentiality of individually identifiable patient health information is well established and recognized by Federal and State agencies, courts of law, and others. (See Chapter 7.)

Significantly less attention has been directed towards the privacy and potentially proprietary nature of information about providers, medical device and pharmaceutical manufacturers, and health plans. Often providers, manufacturers, and health plans are the best source of information about the care they deliver and/or their products to support the effectiveness of a registry, whether it is used for research, quality improvement, patient safety initiatives, or other related activities. Even when they do not directly give a registry information about the care they deliver and/or their products, they may be included in information provided by other sources. (For example, a provider may submit information about Company Y's medical device related to a procedure performed on a patient.) Numerous policymakers and researchers have noted the “chilling effect” that the lack of protection for the information provided may have on the willingness of providers, manufacturers, and health plans to provide (or be included as a direct or indirect subject of) relevant information to support research, quality improvement, and patient safety initiatives conducted through registries. For example, commentary in the 2006 Journal of the American Medical Association reported that “wariness about liability exposure in the medical community may stymie public and private efforts.”17

The 1999 Institute of Medicine report, To Err is Human, explicitly identified this “wariness” as a significant issue that hampers voluntary reporting and collaborative efforts, including the free exchange of information, to identify medical errors and prevent their repetition. To address this issue, the report recommended that Congress pass “legislation to extend peer review protections to data related to patient safety and quality improvement that are collected and analyzed by health care organizations for internal use or shared with others solely for purposes of improving safety and quality.”18 To date, however, no comprehensive Federal legislation has been passed. Thus, providers, manufacturers, and health plans must look to a variety of Federal and State laws that may offer protection from disclosure of information pursuant to a discovery request or other judicial or administrative proceedings.

2. Relevant Laws and Regulations: Variety of Sources, But Limited Protection

While no general Federal statutory privilege exists to protect information held in a registry submitted by or relating to providers, manufacturers, or health plans, a number of Federal laws may provide protection from discovery or disclosure in judicial or administrative proceedings. In addition, most States have specific peer review or quality assurance laws that may provide additional protection as well, but again in limited circumstances. This chapter will primarily focus on available Federal evidentiary protections, but will also address State-specific protections. It concludes with an overview of mechanisms that may be used to protect information included in a registry during judicial or administrative proceedings. While registries may collect information from both within the United States and internationally, treatment of registries by international laws is outside the scope of this chapter.

2.1. Federal Laws

2.1.1. AHRQ's Confidentiality Statute

All identifiable research data obtained by the Agency for Health Research and Quality (AHRQ) is protected by the agency's confidentiality statute.19 The statute requires that data collected by AHRQ-sponsored entities that identify individuals or establishments be used only for the purposes for which the data are supplied. Any effort to determine the identity of a person in an AHRQ database, or to use the information for any purpose other than for research, analysis, and aggregate statistical reporting, violates the AHRQ confidentiality statute. Recipients of a data set are also prohibited from releasing, disclosing, publishing, or presenting any individually identifying information. Specifically, the statute provides:

No information, if an establishment or person supplying the information or described in it is identifiable, obtained in the course of activities undertaken or supported under this subchapter may be used for any purpose other than the purpose for which it was supplied unless such establishment or person has consented (as determined under regulations of the Director) to its use for such other purpose. Such information may not be published or released in other form if the person who supplied the information or who is described in it is identifiable unless such person has consented (as determined under regulations of the Director) to its publication or release in other form.19

Concerns have been raised that this protection may be vulnerable if the information is disclosed to an outside entity such as a registry. However, AHRQ has interpreted this provision to protect all AHRQ-funded research from discovery requests, including discovery requests in the course of litigation. A memorandum from senior AHRQ attorney Susan Merewitz noted that “if individuals inside a health care institution are gathering identifiable medical error information as part of AHRQ-supported grant or contract research, and it is conveyed outside the institution (e.g., for analysis in an AHRQ-supported central databank), even if the reporters lost their protection against being subpoenaed to testify under State law, the Federal statute would cover and protect the identifiable information they acquired pursuant to AHRQ's statutory research authority.”20 While this memorandum is not binding on any court of law and has yet to be introduced in a legal challenge, it clearly establishes AHRQ's protective position as it relates to any information collected under the auspices of an AHRQ-supported project. Registries participating in AHRQ-sponsored activities would certainly be able to avail themselves of this protection and, given Merewitz's comments, this protection may even extend to non-AHRQ activities in which an AHRQ-sponsored entity holds the data as a repository or intermediary.

Importantly, this protection is limited to AHRQ-sponsored registries. Therefore, registries maintained by professional associations or other organizations that are not sponsored by or otherwise participating in an AHRQ-sponsored project would not benefit from the protections the AHRQ confidentiality statute affords.

2.1.2. HHS Certificate of Confidentiality

The U.S. Department of Health and Human Services (HHS) may issue a “Certificate of Confidentiality” for any research project that collects personally identifiable, sensitive information and has been approved by an institutional review board. A Certificate protects an investigator, and others who have access to research records, from being required to disclose identifying information on research participants in any Federal or State judicial, administrative, or legislative proceeding. The Certificate may be used for biomedical, behavioral, clinical, or other types of research.

In the research arena, the National Institutes of Health (NIH) is the most common source for Certificates of Confidentiality. The NIH considers research to be sensitive if disclosing the information could have adverse consequences for subjects or damage their financial standing, employability, insurability, or reputation. According to NIH, examples of studies that may be considered sensitive include those collecting genetic information; information on subjects' psychological well-being; information on sexually transmitted diseases or on subjects' sexual attitudes, preferences or practices; and information on substance abuse or other illegal conduct; as well as studies where subjects may be involved in litigation related to exposures under study (i.e., breast implants, environmental or occupational exposures).21

The specific statutory language provides that:

The Secretary [of the U.S. Department of Health and Human Services] may authorize persons engaged in biomedical, behavioral, clinical, or other research (including research on mental health, including research on the use and effect of alcohol and other psychoactive drugs) to protect the privacy of individuals who are the subject of such research by withholding from all persons not connected with the conduct of such research the names or other identifying characteristics of such individuals. Persons so authorized to protect the privacy of such individuals may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify such individuals.22

The application of Certificates of Confidentiality to registries has four inherent shortcomings.23 First, the protections apply only to the identity of research subjects, or to data that would allow the possible identification of such individuals. Thus, de-identified patient safety data is still potentially discoverable. Second, there are questions as to whether a Certificate applies to patients who presumably have not consented to becoming research subjects. Third, individual patients may be able to waive the Certificate protections as to their own information, which they presumably would do if they were plaintiffs in a malpractice lawsuit. Fourth, the protections apply only to research information for which a Certificate of Confidentiality has been applied for and has been granted. Therefore, the protections afforded by a Certificate of Confidentiality are limited and do not provide meaningful opportunities for registries that are not engaged in research and that have not applied for and been granted a Certificate.

2.1.3. The Patient Safety and Quality Improvement Act of 2005

The Patient Safety and Quality Improvement Act of 2005 (PSQIA)24 creates a Federal privilege from discovery in connection with Federal or State judicial or administrative proceedings for certain information identified as patient safety work product. To claim the privilege, providers must create the patient safety work product by collecting event information and reporting it to a formally recognized patient safety organization (PSO) for aggregation and analysis. The term “patient safety work product” encompasses any data, reports, records, memoranda, analyses, or written or oral statements that meet one of two criteria: (1) the materials “could improve patient safety, health care quality, or health care outcomes” and are gathered by a provider to be reported and are reported to a PSO or are developed by a PSO to conduct patient safety activities; or (2) the materials “identify or constitute the deliberations or analysis of, or fact of reporting to, a patient safety evaluation system.”

Materials not gathered to be reported to the PSO and not actually transmitted to a PSO would not qualify for a privilege. The privilege specifically does not apply to medical records, billing and discharge information, or other records kept outside of a patient safety evaluation system. Furthermore, providers must comply with any State laws that require reporting of patient safety information and may not use PSO activities to shield them from reporting. Thus, if a patient safety investigation references medical records, the records themselves do not become part of the work product eligible for protection.

Documents created, maintained, or developed separately from a patient safety evaluation system are excluded from the definition of patient safety work product. Thus, individual patient medical records, billing and discharge information, and any original patient or provider records are not considered work product and are thus not privileged. In addition, information collected to comply with external reporting requirements is not work product.

The preamble to the final regulations (44 FR 70,732) implementing the confidentiality protections of the PSQIA identifies several examples of information that must be reported and that does not merit protection as work product. These examples of required reportinginclude State incident reporting, adverse drug event information reporting, records for compliance with health oversight agency requirements, reporting physician disciplinary actions to the National Practitioner Data Bank, and disclosures required under Medicare's conditions of participation. Thus, a significant amount of data remains outside the patient safety work product definition. This includes registry data that is not maintained by a PSO and used for specific patient safety activities or is not identifiable. Therefore, the PSO statute and regulations provide no protection for registries acting outside the protected scope of the PSO arena.

2.1.4. Quality Improvement Organization Statute and Regulations

Quality Improvement Organizations (QIOs) are responsible for improving the effectiveness, efficiency, economy, and quality of services delivered to Medicare beneficiaries. The Centers for Medicare & Medicaid Services (CMS) contracts with one private, generally not-for-profit organization in every State, as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, to serve as that jurisdiction's QIO. QIO employees, consisting primarily of doctors and other health care professionals, are instructed to review medical care and assist beneficiaries with quality of care issues and complaints, as well as to implement improvements to the quality of providers' care.

The QIO statute states that any data or information acquired by a QIO in its course of duties must be kept confidential and may not be disclosed to any person, except as the information assists Federal and State agencies responsible for investigating fraud, abuse, and risks to the public health, or assists appropriate State agencies and national accreditation bodies responsible for licensing or certifying providers or practitioners.25

Furthermore, the statute explicitly states that “no patient record in the possession of” a QIO may be subject to subpoena or discovery proceedings in a civil action.26 Additionally, no document or other information produced by a QIO in connection with its deliberations may be subject to subpoena or discovery in any administrative or civil proceeding. However, a QIO is required to provide, upon the request of a practitioner or other person adversely affected by such deliberations, a summary of the QIO's findings and conclusions.

Additionally, QIO regulations state that quality review study information with a patient identifier is not subject to subpoena or discovery in a civil action, including administrative, judicial, or arbitration proceedings.27 This restriction, however, does not apply to HHS administrative subpoenas issued in the course of an audit or investigation of HHS programs, in the course of administrative hearings held under the Social Security Act, or to disclosures to the U.S. Government Accountability Office as necessary to carry out its statutory responsibilities.

Similar to the PSQIA, the QIO statute and regulations provide protection only to information that has been collected by a QIO under contract with CMS to perform specific statutory functions. To the extent a QIO is the owner and operator of a registry used to perform required functions, the information included in the registry would be protected. However, this does not apply to the vast majority of registries currently in existence today.

2.1.5. HIPAA Privacy Rule

The HIPAA Privacy Rule protects the privacy of individually identifiable health information.28 The Privacy Rule applies to “covered entities,” which include health plans, health care clearinghouses, and health care providers who conduct certain electronic health care transactions. Some of the Privacy Rule's provisions also apply to business associates of covered entities (e.g., contractors performing specific functions on their behalf).29 The purpose of the Rule is to protect “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. “Individually identifiable health information” is information, including demographic data, that relates to an individual's (1) past, present, or future physical or mental health condition; (2) receipt of health care; or (3) past, present, or future payment for health care. The information also must either directly identify the individual or be able to reasonably lead to identification of the individual. Common identifiers include an individual's name, address, birth date, and Social Security number.29 The Privacy Rule refers to this information as “protected health information” (PHI).

The Privacy Rule permits the disclosure of PHI in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal.30 Absent a court order, a covered entity also may respond to a subpoena or discovery request from a party to the proceeding if the covered entity obtains either: (1) satisfactory assurances that reasonable efforts have been made to give the individual whose information has been requested notice of the request; or (2) satisfactory assurances that the party seeking such information has made reasonable efforts to secure a qualified protective order that will guard the confidentiality of the information.

In meeting the first test, a covered entity is considered to have received satisfactory assurances from the party seeking the information if the covered entity receives a written statement and documentation that the party has made a good-faith effort (such as by sending a notice to the individual's last known address) to provide written notice to the individual whose information is the subject of the request, that the written notice included sufficient information about the proceeding to permit the individual to raise an objection, and that the time for the individual to raise objections to the court or administrative tribunal has elapsed and no objections were filed, or any objections the individual filed have been resolved.

A “qualified protective order” means an order of a court or of an administrative tribunal or a stipulation that: (1) prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which the records are requested; and (2) requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding. Satisfactory assurances of reasonable efforts to secure a qualified protective order are a statement and documentation that the parties to the dispute have agreed to a protective order and that it has been submitted to the court or administrative tribunal with jurisdiction, or that the party seeking the protected health information has requested a qualified protective order from such court or tribunal.

Importantly, the protections of the HIPAA Privacy Rule will apply only if a registry is considered a covered entity or the business associate of a covered entity. A registry may be considered a covered entity if the registry is maintained and administered by a HIPAA-covered health care provider. More commonly, the registry will be acting as the business associate of a covered entity (e.g., collecting and processing PHI on behalf of provider(s) and/or health plan(s)). Even if the registry is considered a covered entity or business associate, the HIPAA requirements that apply to disclosures pursuant to a court order, subpoena, or discovery request only apply to PHI. To the extent the requested information does not include PHI (e.g., the information is considered to be de-identified according to the requirements of the Privacy Rule and thus does not contain identifiable health information about individuals), HIPAA does not protect information about providers, manufacturers, or any other entities. Therefore, in the case of providers, manufacturers, and health plans seeking protection for information specific to them or their products but not part of PHI, HIPAA does not shield them from discovery requests in litigation or any other court proceedings.

2.1.6. Privacy Act of 1974

The Privacy Act of 197431 protects information about individuals, such as patients and providers, held or collected by the Federal Government that can be retrieved by personal identifiers such as name, Social Security number, or other identifying number or symbol. The Privacy Act authorizes a Federal agency to release individually identifiable information to identified persons or to their designees with written consent or pursuant to 1 of 12 exemptions for disclosure. These exemptions include disclosure to Federal agency employees, the Census Bureau, the National Archives and Records Administration, other government entities for civil and criminal law enforcement purposes, the Comptroller General, Congress or its committees, and a consumer reporting agency.32 Additional exemptions include disclosures for statistical research, disclosures required by Freedom of Information Act, disclosures in response to emergency circumstances, and importantly for purposes of this chapter, disclosures pursuant to a court order.

Unless the Federal Government maintains the registry, the Privacy Act of 1974 offers no protection from discovery for litigation or related court proceedings. Furthermore, even if the Federal Government maintains the registry, the Privacy Act specifically allows for the release of identifiable information about individuals without their written consent pursuant to a court order. This could include information not only about individual patients, but also individual providers (e.g., individual practitioners).

2.1.7. Freedom of Information Act

Enacted by Congress in 1966, and expanded in 1996 to cover electronic records,33 the U.S. Freedom of Information Act (FOIA)34 generally provides that any person has the right to obtain access to information contained in the records of Federal agencies, unless FOIA specifically protects the information from disclosure. With a goal of ensuring an informed citizenry, capable of holding the government accountable, FOIA effectively establishes a statutory right of public access to executive branch information, requiring that virtually every record held by a Federal agency be provided to individuals upon request.35 Information that is subject to FOIA is likely to be disclosable pursuant to a discovery request or other court proceeding. However, FOIA does have limited exemptions and exclusions to the broad disclosure requirements. The most relevant exemptions for purposes of protection of registry information—in order of their importance—are Exemptions 4, 6, and 3.

Exemption 4 protects “trade secrets and commercial or financial information obtained from a person and privileged or confidential.”36 Importantly, however, it is not a mandatory bar to disclosure, but rather limits an agency's obligation to disclose specified information. “Trade secrets” are defined as commercially valuable plans or formulas for producing trade commodities to which has been invested substantial effort or innovation.37 In the case of registries that contain information supplied by or about providers, medical device or pharmaceutical manufacturers, and health plans, it is likely that only the pharmaceutical and medical device manufacturers and health plans would have information that could be considered “trade secrets.” Furthermore, information that manufacturers contribute to a registry is more likely to be considered “commercial” or “financial.” For example, in Public Citizen Health Research Group v. Food & Drug Administration,38 the court found that “because documentation of the health and safety experience of their products will be instrumental in gaining market approval for their products it seems clear that the manufacturers … have a commercial interest in the requested information.”39

Exemption 6 states that Federal agencies can withhold from disclosure information about individuals in “personnel and medical files and similar files” when the disclosure of such information “would constitute a clearly unwarranted invasion of personal privacy.”40 In order to warrant protection under Exemption 6, the information at issue must first meet the threshold requirement of falling into one of three categories—personnel files, medical files, and similar files. The Supreme Court found that Congress intended these categories to be interpreted broadly and to protect information that “applies to a particular individual.”41 Once it has been established that the information meets this threshold, the focus shifts to whether the disclosure of such information would be an unwarranted invasion of privacy. This requires balancing the public's right to disclosure of the information against the individual's right to privacy. After determining that a protectable privacy interest exists, the public's interest in disclosure of the information will be weighed against the individual's privacy interest in not disclosing the information.

The landmark Supreme Court decision in United States Department of Justice v. Reporters Committee for Freedom of the Press42 governs how privacy interests under Exemption 6 are determined and balanced with public interest in the information. First, the Court clarified that a substantial privacy interest may exist in information that has already been released to the public at some point. Second, the Court held that the identity of the individual or party requesting the information may not be taken into consideration when determining if information should be released and “has no bearing on the merits of his or her FOIA request.”43 When considering the public interest in disclosing the information, the Court ruled that the determination should be based on the nature of the requested information and its relationship to the public interest generally, and not solely the purpose for which the request is made. Finally, the Court narrowed the scope of the public interest to the kind of interest to information that will “shed light on an agency's performance of its statutory duties.”44

It is important to note, however, that Exemption 6 protects only information that identifies the individual in question. Thus, while patient records included in a registry are likely to be protected, if identifying information is removed, the information is no longer protected under Exemption 6. The most common types of information protected under Exemption 6 are age, home address, Social Security number, medical information about individuals participating in clinical research trials, claims files, and other personal information held by CMS.45

Exemption 3 protects information if it is “specifically exempted from disclosure by statute, provided that such statute (A) requires that the matters be withheld from the public in such a manner as to leave no discretion on the issue, or (B) establishes particular criteria for withholding or refers to particular types of matters to be withheld.”46 An example of a statute that may prevent disclosure or discovery of information contained in a registry under FOIA Exemption 3 would be the Patient Safety Quality Improvement Act of 2005 (discussed above), if the information met the PSQIA requirements.

2.1.8. Federal Trade Secrets Act

The Federal Trade Secrets Act47 imposes fines or imprisonment on any Federal employee who discloses any information that relates to trade secrets, processes, operations, style of work, or apparatus, or to the identity, confidential statistical data, amount or source of any income, profits, losses or expenditures of any person or corporation. The Act applies only to public disclosures, and does not reach internal agency use of the data.

There is no private right of action under the statute; however, the Administrative Procedure Act may create a right of action to prevent a violation of the Trade Secrets Act or review a decision to disclose information.48 Similar to Exemption 4 under FOIA, the Federal Trade Secrets Act may protect proprietary information, however, only to the extent that is held by the Federal Government and disclosed publicly (e.g., the Act may not reach information disclosed pursuant to a protection order as part of a discovery proceeding).

2.1.9. Federal Rules of Evidence and Civil Procedure

Federal legal rules of evidence and civil procedure may place limits on what information may be discoverable or otherwise used in a court proceeding. For example, Rule 401 of the Federal Rules of Evidence defines “relevant evidence” as evidence having any tendency to make the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the evidence.”49 Rule 403 narrows the scope of Rule 401 stating “although relevant, evidence may be excluded if its probative value is substantially outweighed by the danger of unfair prejudice, confusion of the issues, or misleading the jury…”50 Often of the most relevance to information contained in registries is the prohibition in Rule 404 against “evidence of other … acts … to prove the character of a person in order to show action in conformity therewith.”51 This may apply in instances where information is sought from a registry to show evidence of similar medical outcomes.

Turning to Civil Procedure, Rule 26(b)(2)(C)(iii) of the Federal Rules of Civil Procedure provides that a court may limit discovery if “the burden or expense of the proposed discovery outweighs its likely benefit, considering … the importance of the discovery in resolving the issues.”52 Rule 26(c) also allows parties from whom discovery is sought to move for a protective order.53 Rule 45(c) protects individuals from unduly burdensome or expensive subpoenas. Specifically, 45(c) states, “a party or attorney responsible for issuing and serving a subpoena must take reasonable steps to avoid imposing undue burden or expense on a person subject to the subpoena. The issuing court must enforce this duty and impose an appropriate sanction—which may include lost earnings and reasonable attorney's fees—on a party or attorney who fails to comply.”54 It is left to the discretion of the court in each case to determine whether the facts and circumstances merit quashing a specific subpoena.

While these Federal rules of evidence and civil procedure may offer protection against discovery of registry information in certain situations, their application is left entirely to the discretion of the particular court in which the case is heard. Thus, the case law is mixed, with some courts allowing discovery and others not, depending on their application of a balancing test of the need for confidentiality versus hardship to the party seeking discovery. For example, in Andrews v. Eli Lilly & Co., Inc., E.R. Squibb & Sons and Rexall Drug Company,55 Squibb sought production of data from a University of Chicago registry that included information about a disease related to a products liability action against Squibb. The University of Chicago claimed that the contents of the registry were privileged and confidential. In balancing the privacy interests of the registry against the need for the information, the court stated, “the balance … tips in favor” of the registry.56 “Squibb's need for the information is speculative and uncertain. Its essentially private interest in defending itself is outweighed by the compelling social interest in preventing harm to the Registry and the vital work it conducts.”56 The court, however, did allow discovery of information contained in the registry related to the plaintiffs. Squibb appealed, and in Deitchman v. E.R. Squibb & Sons,57 the appellate court noted that the privilege was not “absolute” and remanded the case back to the lower court to determine the best way to provide information from the registry while preserving confidentiality.58 In a secondhand-smoke case, Wolpin v. Phillip Morris, Inc.,59 the court ordered disclosure of data from a statewide tumor registry from a study by the University of South California and California Department of Health, despite objections that the data was protected by State and Federal privacy laws. The court held that the need for the information in the lawsuit outweighed the confidentiality interest, but did require patient names to be removed prior to release.

2.1.10. Patient Protection and Affordable Care Act: Release of Medicare Claims Data for Provider Performance Measurement and Reporting

Section 10332 of the Affordable Care Act requires the Secretary to make Medicare claims data available to qualified entities for the evaluation of provider performance on measures of quality, efficiency, effectiveness, and resource use.60 The data are standardized extracts of claims data under Medicare Parts A, B, and D, for items and services furnished for one or more specified geographic areas and time periods requested by a qualified entity. The qualified entities will be required to pay a fee to obtain the data and must submit to the Secretary of HHS a description of the methodologies that will be used to evaluate the performance of providers and suppliers.

All subsequent reports a qualifying entity publishes must include an understandable description of the measures, risk adjustment methods, physician attribution methods, other applicable methods, data specifications and limitations, and the sponsors, so that consumers, providers of services and suppliers, health plans, researchers, and other stakeholders can assess such reports. In addition, the reports must be made available to any provider or supplier identified in the report, with an opportunity to appeal and correct any errors. Finally, the reports may include information on a provider or supplier only in an aggregate form as the Secretary determines appropriate.

The Secretary may not make claims data available to a qualified entity unless the entity agrees to release the information on the evaluation of performance of providers of services and suppliers. Section 10332 requires that data released to a qualified entity shall not be subject to discovery or admission as evidence in judicial or administrative proceedings without consent of the applicable provider or supplier.61

While limited in application to Medicare claims data provided to qualified entities, this provision is a significant recognition by Congress of concerns related to the “chilling effect” the fear of disclosure has on provider, supplier (including manufacturer), and health plan participation in quality measurement, improvement, and reporting programs. By shielding this information from discovery or admission as evidence without consent, Congress has explicitly protected and incentivized the activities of qualified entities, including the development of registries to support their performance measurement and reporting efforts.

2.2. State Laws

2.2.1. State Surveillance Laws

To encourage practitioner participation in State surveillance registries, many States have passed legislation providing immunity from civil and criminal penalties that may arise in conjunction with such reports. Most States protect providers from any liability that may result from a disease report unless the provider acted with some level of negligence or malicious intent.62 Fewer States provide complete immunity for reporting disease cases to a registry, with no distinction made for negligent or intentionally malicious reports.63 Additionally, other States provide immunity only for certain causes of action related to the information reported, or protect from civil liability only.64 However, case law implicating such State harbors is sparse, with most cases affording immunity for health care professionals who report sexually transmitted diseases discovered in minors in potential child abuse cases.65

2.2.2. State Peer Review and Quality Assurance Laws

Presently, all 50 States have enacted statutes to protect the confidentiality of the peer review process. Most statutes offer a blanket protection for all accounts, records, and conclusions of the review process from being introduced into evidence during any court proceeding.66 Without such protection, providers and hospitals may be less inclined to truthfully monitor their peers, evaluate the quality of care that is provided to patients, or adequately prevent or correct for adverse events.

A few States also have passed legislation specifically protecting information collected for quality improvement and other related purposes. These “safe harbor” laws protect a broader set of information beyond the traditional peer review process, including collection by organizations outside the scope of an internal peer review board or committee. For example, in Minnesota, information relating to patient care a nonprofit organization collects for purposes of “evaluating and improving the quality of health care” or “reviewing the safety, quality or cost of health care services” provided to health plan enrollees “shall not be disclosed to anyone … and shall not be subject to subpoena or discovery.”67 The Virginia Patient Safety Act protects the collection of patient safety data by “statewide or local associations” representing licensed health care providers. It treats the information collected as “privileged communications which may not be disclosed or obtained by legal discovery proceedings unless a circuit court, after a hearing and for good cause arising from extraordinary circumstances being shown, orders the disclosure of such proceedings, minutes, records, reports, or communications.”68 Similarly, the Illinois Medical Studies Act protects all information “used in the course of internal quality control or of medical study for the purpose of reducing morbidity or mortality, or for improving patient care or increasing organ and tissue donation.” Such information is “privileged, strictly confidential, and shall be used only for medical research, increasing organ and tissue donation, [or] the evaluation and improvement of quality care.”69 It is not “admissible as evidence, nor discoverable in any action of any kind in any court or before any tribunal, board, agency or person.”69

However, it is important to note that the peer review privilege and other State-based protections are often not recognized in Federal cases outside the jurisdiction of State law. Federal courts have been resistant to the establishment of a Federal peer review or other privilege, and often subordinate the State peer review privileges in favor of other interests. For instance, the 11th Circuit Court of Appeals recently declined to recognize such a privilege during a Federal civil rights discrimination case, ordering the discovery of peer review documents.70 Similar outcomes have been reached in many other Federal courts, including cases deciding Federal antitrust71 and wrongful termination claims.72

2.3. Practical Considerations

As described above, Federal and State law currently do not provide any consistent or comprehensive protection from disclosure, pursuant to discovery or other judicial or administrative proceedings, of information submitted to registries by (or related to) providers, medical device or pharmaceutical manufacturers, or health plans. This leaves registries that are operating outside of the government-sponsored programs described above, their participants and subjects, vulnerable to discovery requests ranging from preliminary fact-finding requests to court orders. As the Institute of Medicine noted, this can have a “chilling effect” on willingness of providers to participate. The same is also true for manufacturers and health plans that similarly may be both a source of information as well as the subject of information included in a registry. Beyond concern for the privacy and confidentiality of the information, the costs and burden associated with discovery or other requests can be substantial, as the litigation process often takes months or years to unfold. These costs may include not only costs related to challenging the request, but also data production, including costs for redaction (particularly where patient identifiable information is involved), and the costs of legal representation.

Registries and their participants can take several steps to reduce their vulnerability to disclosure requests. As described above, several Federal programs protect information collected for specific patient safety and quality improvement purposes. (See Case Example 18.) If registries qualify for or are funded through these programs, the information collected and maintained would automatically be entitled to protection from discovery or other judicial or administrative proceedings. While not always possible or practical given their goals or priorities, registries should consider whether participation in any of these programs would be appropriate.

To the extent participation in one of these Federal programs is not possible, registries and their participants should consider forming in a State that provides broader protection, beyond the peer review process, for information collected (e.g., Virginia, Minnesota, or Illinois). Furthermore, registries and their participants should clearly articulate their roles and responsibilities, including how discovery or other requests will be handled. Registries should develop specific policies and procedures to guide their response to such requests and should ensure that all participants are familiar with the policies and procedures. (See Case Examples 17 and 19.) For example, registries might stipulate that they will direct all disclosure requests to the original source of the information where possible. Where information held within a registry has been aggregated and analyzed such that it is significantly modified from its original state, the registry will notify the original data sources prior to compliance with any discovery request and give them the opportunity to object.

In the event a registry is compelled to release information pursuant to a court order or other judicial or administrative order, registries may request that certain information be redacted or a protective order issued. A court protective order can stipulate who can see the information, who has access to the information, and how the data should be returned or destroyed. Similarly, a registry may request that the court “seal” information so that it is not made public. These types of actions have historically been used to protect patient-identifiable information held in registries; however, they may be similarly applied to confidential or proprietary information related to providers, manufacturers, or health plans.

3. Summary

As more attention is focused on the development and implementation of quality improvement activities, including those tied to new payment models, availability and accessibility of underlying clinical and administrative data that registries can provide to support these efforts will be increasingly important. This emphasis will be further strengthened as the new Patient-Centered Outcomes Research Institute, which is authorized to support efforts to generate comparative effectiveness research, begins its work. Given this heightened interest in registries as data sources, the issue of protection of registry data from disclosure pursuant to a discovery request or other judicial or administrative proceedings will be increasingly important. Registry sponsors may be able to address concerns from potential participants about data protection by considering these issues during the registry development stage. In particular, providers, manufacturers, and health plans that are developing registries or considering participation in registries should look to the Federal and State laws described here that may offer protection and should consider the practical steps outlined above to reduce their vulnerability to disclosure requests.

Case Examples for Chapter 9

Case Example 17Handling discovery requests for registry data

DescriptionThe ICD Registry captures the characteristics, treatments, and outcomes of patients receiving implantable cardioverter defibrillators (ICDs). Participation in the registry is required by a coverage decision of the Centers for Medicare & Medicaid Services (CMS). In addition to CMS reporting, participating hospitals may use their data to monitor and improve the outcomes and management of ICD patients through implementation of evidence-based clinical guidelines.
SponsorAmerican College of Cardiology Foundation (ACCF)
Year Started2005
Year EndedOngoing
No. of SitesOver 1,600 laboratories
No. of PatientsOver 800,000 procedures


Before its launch, the ICD Registry received significant attention from the public and researchers because of the CMS coverage decision. The registry sponsors anticipated that the registry would generate interest from outside entities seeking to discover registry data, particularly those investigating potential fraud (e.g., the Office of the Inspector General), those desiring to use registry data in malpractice lawsuits (e.g., litigation attorneys), and those seeking to corroborate information published in the peer-reviewed literature (e.g., media representatives). Driven by these concerns, the sponsor and registry staff sought to address this anticipated issue proactively.

Proposed Solution

Registry staff implemented procedures to assist all parties involved in handling a discovery request. In coordination with general counsel and outside counsel, internal policies were drafted and provisions were written into contracts with participating sites that explained the way registry staff would handle discovery requests, the process of responding to a discovery request from an attorney, the process of cooperating with the Office of Inspector General during an audit or investigation, and best practices for protecting registry data from discovery. This language prepared sites for these procedures should they ever occur, made them aware of their options in these situations (i.e., cooperate with or dispute the request), and clarified the level of protection that the registry offered for their data.

Standard operating procedures were implemented to train staff to recognize a discovery request and subpoena and to describe the actions that should be taken to appropriately triage and respond to discovery requests for registry data (e.g., that site support staff direct such requests to the registry compliance office). More in-depth staff training was provided, including role-play scenarios in which staff tested their skills and confidence through simulated discovery requests.


Since 2005, the registry has received five different requests for registry data, from sources as varied as attorneys, the Office of the Inspector General, and members of the press. The requests are managed in a consistent, documented way, regardless of whether the registry first receives these requests via site support staff or other venues. The registry maintains a relationship with the ACCF general counsel so that questions about future requests can be promptly resolved.

Key Point

Registries can take proactive steps to manage discovery requests for their data. Appropriate steps may include confidentiality provisions in contracts with sites and targeted training for all levels of registry staff.

Case Example 18Meeting the confidentiality and quality improvement needs of providers through a patient safety organization

DescriptionThe Pediatric Peri-Operative Cardiac Arrest (POCA) Registry investigated the incidence, causes, and outcomes of cardiac arrest among children undergoing anesthesia. The Wake Up Safe (WuS) Initiative is a quality improvement initiative and registered patient safety organization (PSO) that aims to improve processes of care and outcomes for children undergoing anesthesia.
SponsorPOCA: American Society of Anesthesiologists and the University of Washington; WuS: Society for Pediatric Anesthesia
Year Started1994 (POCA) and 2008 (WuS)
Year Ended2005 (POCA) and ongoing (WuS)
No. of Sites58–79 (POCA) and 18 (WuS)
No. of Patients374 events from >3.5 million anesthetics (POCA) and 518,000 anesthetic records (WuS)


Children undergoing anesthesia have an increased risk of cardiac arrest compared with adults. Although factors associated with this increased risk had been identified, the causes of these arrests and their outcomes were not well understood. The American Society of Anesthesiologists and the University of Washington formed the POCA Registry in 1994 to collect detailed case reports of cardiac arrests during anesthesia in pediatric patients. Institutions submitted these case reports anonymously to protect the participating institutions and the registry from legal risks of disclosure.

In 2000, the registry analyzed the first 4 years of data (1994–1997) and found that the incidence of anesthesia-related cardiac arrest was 1.4 per 10,000 anesthetics, with a mortality rate of 26 percent. The most common causes were medication related and cardiovascular, with cardiovascular depression from halothane (a commonly used anesthetic in children) accounting for two-thirds of medication-related cardiac arrests. This suggested a target for preventive strategies, including avoidance of halothane when a new agent (sevoflurane) was available. In 2007, the registry published an update on its findings, comparing cardiac arrests from 1998 through 2004 with the cardiac arrests in the initial report. This report found fewer medication-related cardiac arrests (associated with a decline in use of halothane) and more arrests with undetermined causes.

Despite these promising findings, the pediatric anesthesiology community sought a more comprehensive approach to quality care improvement. The registry collected only data on pediatric cardiac arrest, and not on any other outcomes, processes, or quality of care indicators. In addition, because data was submitted anonymously to the registry, benchmarking at the institution level was not possible. There were also concerns about the protection of registry data. The registry was housed in the State of Washington, which had legal protections in place to protect quality improvement data from legal discovery. However, not all States had these same protections in place.

Proposed Solution

In 2005, the POCA Steering Committee decided to halt case collection, as compliance with reporting had declined. While the registry had contributed much to understanding of anesthesia-related cardiac arrest in children, it was felt that further data collection using the same methodology was unlikely to produce additional insights.

In 2007, the Society for Pediatric Anesthesia (SPA) began garnering support to form the Wake Up Safe Initiative, a new quality improvement initiative for pediatric anesthesiology. As institutions joined, they signed participation agreements with the SPA that were intended to address intellectual property issues, but evolved as each hospital had its own concerns about privacy, protection, and anonymity in reporting. By 2008, 10 institutions had signed on to participate in the initiative. The same year, the Patient Safety and Quality Improvement Act of 2005 came into effect, which provides Federal legal protections to information reported by providers to a patient safety organization (PSO). WuS applied for and was granted PSO status in 2008.


The WuS initiative captures a broad range of outcomes, and individual institutions are not identifiable. Anesthetic records for pediatric patients are extracted from the administrative billing systems of member hospitals and provided to the registry on a quarterly basis. This information provides background data on which to base incidence calculations. Individual event case reports are provided to the registry on an ad hoc basis, as they occur. To date, 18 member hospitals have contributed 518,000 anesthetic records and 450 event case reports to the registry.

As a PSO, the registry provides more complete protections for the providers contributing data. These include limits on the use of registry data in civil, administrative, and some criminal proceedings, and provisions for monetary penalties for violations of confidentiality or privilege protections.

Key Point

Registries, particularly those that collect sensitive information on provider performance, should consider taking advantage of the legal protections that are available to patient registries. Official designation as a patient safety organization (PSO) offers broader Federal protections that individual States may not be able to offer. This may provide an incentive for participation, especially for registries that collect sensitive information on performance or quality of care.

For More Information


Morray JP, Geiduschek JM, Ramamoorthy C, et al. Anesthesia-related cardiac arrest in children: initial findings of the Pediatric Perioperative Cardiac Arrest (POCA) Registry. Anesthesiology. 2000 Jul;93(1):6–14. [PubMed: 10861140].

Posner KL, Geiduschek J, Haberkern CM, et al. Unexpected cardiac arrest among children during surgery, a North American registry to elucidate the incidence and causes of anesthesia related cardiac arrest. Qual Saf Health Care. 2002 Sep;11(3):252–7. [PubMed: 12486990].

Bhananker SM, Ramammoorthy C, Geiduschek JM, et al. Anesthesia-related cardiac arrest in children: update from the Pediatric Perioperative Cardiac Arrest Registry. Anesth Analg. 2007 Aug;105(2):344–50. [PubMed: 17646488].

Ramamoorthy C, Haberkern CM, Bhananker SM, et al. Anesthesia-related cardiac arrest in children with heart disease: data from the Pediatric Perioperative Cardiac Arrest (POCA) registry. Anesth Analg. 2010 May 1;110(5):1376–82. [PubMed: 20103543].

Case Example 19Protections available to registry data from institutional review boards and academic institutions

DescriptionThe Postoperative Visual Loss (POVL) Registry consists of anonymous case reports of blindness after non-ophthalmologic surgery. Its goal is to identify patient and clinical factors associated with this complication.
SponsorAmerican Society of Anesthesiologists
Year Started1999
Year EndedOngoing
No. of SitesNot applicable
No. of Patients191


Blindness after non-eye surgery is a rare but devastating complication. Blindness due to ischemic optic neuropathy after spine surgery appeared to be increasing in the 1990s, and its causation was unknown. Its rarity created difficulty in studying causative factors.

Proposed Solution

A registry was created to collect detailed case reports of blindness after non-ophthalmologic surgery, and included data pertinent to all known theories of causation of postoperative visual loss. Due to the potential for malpractice litigation when postoperative blindness occurs, case reports were submitted without patient, provider, or institutional identifiers. It was hoped that anonymity of case reports would protect the registry from legal discovery and encourage case report submission by health care providers. The registry was housed at the University of Washington, and its institutional review board (IRB) approved these confidentiality procedures.


In spite of these procedures to protect confidentiality of case reports, plaintiff attorneys submitted numerous requests for release of registry data. Following university policy, all requests were referred to the office of public information. All such public information requests were denied based on the institutional review board–approved confidentiality procedures.

One public information request for registry data was appealed through the court system. A registry investigator was serving as a defense expert in a malpractice lawsuit, basing her testimony on published registry results. The plaintiff requested raw registry data. When the university denied this request, the plaintiff sought to strike the investigator's testimony because she would not produce the raw registry data underlying the publication that formed the basis of her testimony. The trial court determined that the raw registry data was discoverable because the defense expert considered such data in forming her opinion. The university supported an appeal to the State Supreme Court in order to support institutional protections of research data. The State Supreme Court ruled that the author could testify based on the published results and that release of the underlying data was not required.

Key Point

It is critical to consider protection of sensitive registry data from legal discovery. When developing and implementing registries, consider protections that may be available through IRB study approval and academic institutions. Seek guidance from IRBs or university counsel, as needed.

For More Information


Lee LA, Roth S, Posner KL, et al. The American Society of Anesthesiologists Postoperative Visual Loss Registry: Analysis of 93 spine surgery cases with postoperative visual loss. Anesthesiology. 2006;105:652–9. [PubMed: 17006060]

The Postoperative Visual Loss Study Group. Risk factors associated with ischemic optic neuropathy after spinal fusion surgery. Anesthesiology. 2012;116:15–24. [PubMed: 22185873].

References for Chapter 9

Fisher E, Goodman D, Skinner J, et al. Health Care Spending, Quality and Outcomes: More Isn't Always Better. Dartmouth Atlas Project Topics Brief. 2009 February 27 [August 15, 2012]; http://www​.dartmouthatlas​.org/downloads/reports​/Spending_Brief_022709.pdf.
Fisher ES, Wennberg DE, Stukel TA, et al. The implications of regional variations in Medicare spending. Part 1: the content, quality, and accessibility of care. Ann Intern Med. 2003 Feb 18;138(4):273–87. [PubMed: 12585825]
Fisher ES, Wennberg DE, Stukel TA, et al. The implications of regional variations in Medicare spending. Part 2: health outcomes and satisfaction with care. Ann Intern Med. 2003 Feb 18;138(4):288–98. [PubMed: 12585826]
McGlynn EA, Asch SM, Adams J, et al. The quality of health care delivered to adults in the United States. N Engl J Med. 2003 Jun 26;348(26):2635–45. [PubMed: 12826639]
Wennberg JE, Fisher ES, Skinner JS. Geography and the debate over Medicare reform. Health Aff (Millwood). 2002 Jul-Dec;(Suppl Web Exclusives):W96–114. [PubMed: 12703563]
Wennberg JE, Cooper MM, Bubolz TA, et al. The Dartmouth Atlas of Health Care in the United States. American Hospital Publishing, Inc.; 1996. [August 15, 2012]. http://www​.dartmouthatlas​.org/downloads/atlases/96Atlas.pdf.
Wennberg JE, Brownlee S, Fischer ES, et al. An Agenda for Change: Improving Quality and Curbing Health Care Spending: Opportunities for the Congress and the Obama Administration. The Dartmouth Institute for Health Policy & Clinical Practice; Dec, 2008. [August 15, 2012]. http://www​.dartmouthatlas​.org/downloads/reports​/agenda_for_change.pdf.
de Brantes F, Rosenthal MB, Painter M. Building a bridge from fragmentation to accountability--the Prometheus Payment model. N Engl J Med. 2009 Sep 10;361(11):1033–6. [PubMed: 19692682]
Patient Protection and Affordable Care Act of 2010, Public Law No. 111-148.
American Orthopaedic Association. [August 15, 2012]. http://www​.ownthebone.org/
American College of Rheumatology. ACR Rheumatology Clinical Registry. [August 7, 2013]. http://www​.rheumatology​.org/Practice/Clinical​/Rcr/Rheumatology​_Clinical_Registry/
American College of Radiology. National Radiology Data Registry. [August 7, 2013]. http://www​.acr.org/Quality-Safety​/National-Radiology-Data-Registry.
Society for Thoracic Surgeons National Database. [August 15, 2012]. http://www​.sts.org/national-database.
National Cardiovascular Data Registry. [August 7, 2013]. https://www​.ncdr.com/webncdr/
45 CFR pts. 160, 164 (2010).
Kesselheim AS, Ferris TG, Studdert DM. Will physician-level measures of clinical performance be used in medical malpractice litigation? JAMA. 2006 Apr 19;295(15):1831–4. [PubMed: 16622145]
Kohn LT, Corrigan JM, Donaldson MS, editors. To Err is Human: Building a Safer Health System. Washington, D.C.: National Academies Press; 1999. [PubMed: 25077248]
42 U.S.C. § 299c-3(c).
Memorandum from Susan Merewitz, Senior Attorney, AHRQ, on Statutory Confidentiality Protection of Research Data, to Nancy Foster, Coordinator for Quality Activities, AHRQ. Apr 16, 2001. [August 15, 2012]. http://www​.ahrq.gov/fund/datamemo.htm.
National Institutes of Health. Certificates of Confidentiality: Background Information. [August 15, 2012]. See. http://grants​.nih.gov​/grants/policy/coc/background.htm.
42 U.S.C. § 241(d).
Rothman K, Greenland S, Poole C, et al. Causation and Causal Inference. In: Rothman K, Greenland S, Lash TL, editors. Modern Epidemiology. 3rd ed. Philadelphia: Lippincott Williams & Wilkins; 2008. pp. 5–31.
42 U.S.C. §§ 299b-21-26.
42 U.S.C. § 1320c-9(b).
42 U.S.C. § 1320c-9(d).
42 CFR § 480.140.
Health Insurance Portability and Accountability Act of 1996, Public Law No.104-191, 110 Stat. 139 (1996) (codified as amended in scattered sections of 42 U.S.C.). HIPAA Privacy Rule Regulations codified at 45 CFR pts. 160 & 164 (2010).
45 CFR § 160.103 (2010).
45 CFR § 164.512(e).
Privacy Act of 1974, Public Law No.93-579, § 3, 88 Stat. 1896, 1896 (codified as amended at 5 U.S.C. § 552a (2006)).
Id. at 5 U.S.C. § 552a(b).
Electronic Freedom of Information Amendment Acts of 1996, Public Law No. 104-231, 110 Stat. 3048 (1996) (codified as amended at 5 U.S.C. § 552).
Freedom of Information Act, 5 U.S.C. § 552 (2006), amended by OPEN Government Act of 2007, Public Law No. 117-175.
U.S. Department of Justice. Freedom of Information Act Guide. 2004. [August 15, 2012]. http://www​.justice.gov/oip/introduc​.htm#N_2_.
5 U.S.C. § 552(b)(4).
45 CFR § 5.65(a).
Pub Citizen Health Research Group v. Food & Drug Admin., 704 F.2d 1280 (D.C. Cir. 1983).
704 F.2d at 1290.
5 U.S.C. § 552(b)(6).
See U.S. Dept of State v. Washington Post Co., 456 U.S. 595, 602 (1982).
U.S. Dept of Justice v. Reporters Comm. for Freedom of the Press, 489 U.S. 749 (1989).
489 U.S. at 771.
489 U.S. at 773.
45 CFR § 5.67(c).
5 U.S.C. § 552(b)(3).
18 U.S.C. § 1905.
76 C.J.S. Records §111 (2011).
Fed. R. Evid. 401.
Fed. R. Evid. 403.
Fed. R. Evid. 404(b).
Fed. R. Civ. P. 26(b)(2)(C)(iii).
Fed. R. Civ. P. 26(c).
Fed. R. Civ. P. 45(c).
Andrews v. Eli Lily & Co., Inc., 97 F.R.D. 494 (1983).
97 F.R.D. at 502.
Deitchman v. E.R. Squibb & Sons, Inc., 740 F.2d 556 (7th Cir. 1984).
740 F.2d at 561.
Wolpin v. Phillip Morris, Inc., 189 F.RD. 418 (C.D. Cal. 1999).
Patient Protection and Affordable Care Act, Public Law 111-148, § 10332 (2010).
Patient Protection and Affordable Care Act, Public Law 111-148, §10332(e)(4)(D) (2010).
See, e.g. Va. Code Ann. §32.1-38 (2011) (immunity from civil liability or criminal penalty unless such person acted with “gross negligence or malicious intent”); Ariz. Rev. Stat. Ann. §36-666 (2010) (immunity from civil or criminal liability if the provider acted in “good faith and without malice”); Iowa Code §139A.3 (2010) (immunity from any liability, civil or criminal, for any person “acting reasonably and in good faith” while reporting); Kan. Stat. Ann. §65-118 (2010) (immunity from any liability, civil or criminal, if provider reported “in good faith and without malice”).
See, e.g. N.C. Gen Stat. §130A-142 (2010) (a provider who reports “shall be immune from any civil or criminal liability that might otherwise be incurred or imposed as a result of making that report”).
See, e.g. Neb. Rev. Stat. §71-503.01 (2010) (immunity for providers from suits for slander, libel, or breach of privileged communication); Nev. Rev. Stat. §629.069 (2010) (immunity for providers from civil liability only).
See, e.g. KB v. Mills, 639 N.W.2d 261 (Mich. Ct. App. 2002); State v. Superior Court, 930 P.2d 488 (Ariz. Ct. App. 1997); Alicia T. v. Cnty of L.A., 222 Cal App. 3d 869 (Cal. Ct. App. 1990); Criswell v. Brentwood Hospital, 551 N.E.2d 1315 (Ohio Ct. App. 1989).
See e.g. Idaho Code § 39-1392 (2011) (“all peer review records shall be confidential and privileged, and shall not be directly or indirectly subject to subpoena or discovery proceedings or be admitted as evidence, nor shall testimony relating thereto be admitted in evidence, or in any action of any kind in any court or before any administrative body, agency or person for any purpose whatsoever”); Ohio Rev. Code Ann. § 2305.252 (2011) (“proceedings and records within the scope of a peer review committee of a health care entity shall be held in confidence and shall not be subject to discovery or introduction in evidence in any civil action against a health care entity or health care provider…).
Minn. Code § 154.61 (a, g), § 145.64 (2010).
Va. Code Ann. § 8.01-581.17 (2011).
735 Ill. Comp. Stat. 5/8-2101 (2010).
Adkins v. Christie, 488 F.3d 1324 (11th Cir. 2007). [PubMed: 23638498]
Marshall v. Spectrum Medical Group, 198 F.R.D. 1 (D. Me. 2000).
Price v. Howard County Gen. Hosps., 950 F. Supp. 141 (D. Md. 1996).


  • PubReader
  • Print View
  • Cite this Page

Related information

Recent Activity

Your browsing activity is empty.

Activity recording is turned off.

Turn recording back on

See more...