NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.

Institute of Medicine (US) Committee on Quality of Health Care in America; Kohn LT, Corrigan JM, Donaldson MS, editors. To Err is Human: Building a Safer Health System. Washington (DC): National Academies Press (US); 2000.

Cover of To Err is Human

To Err is Human: Building a Safer Health System.

Show details

6Protecting Voluntary Reporting Systems from Legal Discovery

Although all industries face concerns about liability, the organization of health care creates a different set of circumstances compared to other industries. In health care, physicians primarily determine the amount and content of care rendered. A hospital or clinic often produces the care directed by the physician. The consumer, purchaser, and health plan share in decisions to determine whether and how treatment decisions directed by the physician are paid, which influences access to care. Although some of these decisions could be under one umbrella, they are often dispersed across different and unrelated entities. Compared to other industries, there is no single responsible entity in health care that is held accountable for an episode of care. The physician, in particular, has a significant responsibility for the well-being of his or her patients and the decisions made concerning their care. This distinctive arrangement in organization and decision making in health care creates a unique set of liability issues and challenges in creating an environment conducive to recognizing and learning from errors.

The potential for litigation may sometimes significantly influence the behavior of physicians and other health care providers. Often the interests of the various participants in furnishing an episode of care are not aligned and may be antagonistic to each other. In this environment, physicians and other providers can be cautious about providing information that may be subsequently used against them. Thus, the prominence of litigation can be a substantial deterrent to the development and maintenance of the reporting systems discussed in this report.

Chapter 5 lays out a strategy to encourage greater recognition and analysis of errors and improvements in patient safety through a mandatory reporting system for errors that result in serious harm, and voluntary participation in error reporting systems that focus on "near misses" or errors resulting in lesser harm. The issue of whether data submitted to reporting systems should be protected from disclosure, particularly in litigation, arose early in the committee discussions. Members of the committee had different views. Some believed all information should be protected because access to the information by outsiders created concerns with potential litigation and interfered with disclosure of errors and taking actions to improve safety. Others believed that information should be disclosed because the public has a right to know. Liability is part of the system of accountability and serves a legitimate role in holding people responsible for their actions.

The recommendations contained in Chapter 5 and in this chapter reflect the committee's recognition of the legitimacy of the alternative views. The committee believes that errors that are identified through a mandatory reporting system and are part of a public system of accountability should not be protected from discovery. Other events that are reported inside health care organizations or to voluntary systems should be protected because they often focus on lesser injuries or non-injurious events that have the potential to cause serious harm to patients, but have not produced a serious adverse event that requires reporting to the mandatory system. Protecting such information encourages disclosure of problems and a proactive approach to correcting problems before serious harm occurs.

Although information about serious injuries and deaths due to errors should not be protected from discovery, it is important that information released to the public is accurate. As described in Chapter 5, mandatory reporting systems receive reports on adverse events, which are then investigated to determine whether an error occurred. The mere filing of a report should not, by itself, trigger release of information. Rather, information should be released after an investigation has been completed so the information that is released is accurate. This chapter focuses primarily on protecting information reported to voluntary systems, although aspects may also apply to protecting data submitted to mandatory systems until the information is ready for public release.

The committee believes that a different approach to promoting the collection, sharing, and analysis of such data (not considered in this chapter) would be to change the legal environment in which health care organizations and providers operate. Exclusive enterprise liability, shifting liability for medical injuries from individual practitioners to responsible organizations, has been suggested to possess several advantages over the current liability system. 1 , 2 , 3 One of these is to remove the fear of personal liability from individual health care workers, eliminating this incentive to hide errors. Another proposed reform, no-fault compensation for medical injuries, might promote reporting by eliminating the adversarial inquiry into fault and blame that characterizes the current liability system. 4 Workplace injuries to employees are handled within an example of such a no-fault, enterprise-liability system. 5

Together, enterprise liability and no-fault compensation might produce a legal environment more conducive to reporting and analysis, without the elaborate legal and practical strategies needed to protect data under the current liability system. An analysis of enterprise liability and no-fault compensation systems is beyond the scope of the Quality of Health Care in America project, but the committee believes that the issue merits further analysis.

This chapter examines legal precedents and practical experiences bearing on how and to what extent information can be protected in error reporting systems when it leaves the health care organization that generated it. Legal protections like state peer review shields and laws created to protect a specific reporting system have much promise. Many current state peer review statutes, however, may not protect data about errors shared in collaborative networks, especially across state lines, or reported to voluntary reporting systems (e.g., independent data banks). A combination of practical and legal safeguards may be the best approach to protect the data in voluntary reporting systems from discoverability. The practical safeguards of anonymous reporting and de-identification (removal of identifying information after receipt of the report) can confer some, but not complete, protection. Statutory protection could add three benefits to some level of de-identification: (1) it could provide an added measure of security for the data; (2) it could protect from subpoena identifiable reporters and recipients of the reports; and (3) it could permit the reporting system to obtain and retain information that might identify the reports and reporters.


RECOMMENDATION 6.1 Congress should pass legislation to extend peer review protections to data related to patient safety and quality improvement that are collected and analyzed by health care organizations for internal use or shared with others solely for purposes of improving safety and quality.

Existing law often shields data about errors within an institution, but this protection may be lost when the data are transmitted elsewhere, for example, to other institutions collaborating in an error reduction initiative or to a voluntary reporting system. Unless such data are assured protection, people will be reluctant to discuss them and opportunities to improve will be lost. A more conducive legal environment is needed to encourage health care professionals and organizations to identify, analyze, and prevent errors without increasing the threat of litigation and without compromising patients' legal rights. Information about errors which have resulted in serious harm or death to patients and which are subject to mandatory reporting should not be protected.


The systematic reporting and tracking of safety problems is an important approach to quality improvement. There are many ways to gather, maintain, and use safety-related data. Systems can vary considerably according to their key characteristics (e.g., type of events reported, who reports, voluntary or mandatory submission, location and maintenance of a data bank), which also affect the likelihood of vulnerability to discovery in legal process.

All such systems face two bedrock issues: (1) how to motivate health care practitioners and others to submit information, and (2) how to maintain reported data in a systematic way that is useful to practitioners. A central concern for both is the extent to which confidentiality of information should be maintained given a litigious society. Access to detailed information compiled by peer reviewers, risk managers, or others could greatly help a plaintiff's lawyer to build and prove a case. This in turn creates a strong disincentive to collect and report such information.

Plaintiffs' interest in and uses of information on errors depend on the level of identification of the data. A fully identified report will always be of interest to the plaintiff involved in the case reported. But even if the data are identified or aggregated by institution or physician, but not by patient, they may still be useful in claims against the institution for negligent supervision or credentialing—causes of action that are well known to the plaintiff's bar. Data from which all personal and organizational identifiers have been removed could still be used to prove some elements of certain types of cases, such as causation (e.g., injuries similar to the plaintiff's were caused by the same mechanism or problem; there was reason for the defendant to know of problems with a certain process or device). The latter use is probably not common today, possibly in part because of the scarcity of such data. The more that liability moves from individual focus to a focus on organizations, the more useful general information may become.

Plaintiffs can seek information from three components of a reporting system: (1) the original reporter; (2) the personnel who receive, investigate, or analyze the reports; and (3) the data per se as they reside in the data bank. The way in which plaintiffs can gain access to these targets is described in the next section. Two avenues are available to protect each of these targets: laws that prevent discovery and practical methods that render the reporter unfindable or the data unuseful to the plaintiff. These protections may apply differently to the three possible targets of discovery. They are described in more detail, along with the experience that reporting systems have had with them. The purpose of the analysis is to illuminate the legal policy and design choices facing those who want to protect data collection, sharing, and analysis of information on adverse events and errors.

The committee notes that protecting data in a reporting system as recommended in this chapter does not mean that the plaintiff in a lawsuit could not try to obtain such information through other avenues if it is important in securing redress for harm; it just means that the plaintiff would not be assisted by the presence of a reporting system designed specifically for other purposes beneficial to society.

The Basic Law of Evidence and Discoverability of Error-Related Information

Demands for information on errors can come from any of the plaintiffs in medical malpractice lawsuits, which are almost always based on state law. * Whether and when plaintiffs can obtain access to such data or have such information admitted as evidence at trial depend on the general rules of evidence and civil procedure, as applied by a state judge under particular circumstances. Rules vary by state, but most are similar to the federal rules described below. State differences are mentioned when relevant.

Trial Admissibility and the Rule of Relevance

The basic legal principle governing whether information can be used by a plaintiff in a civil trial is the rule of relevance. The formal threshold of relevance is quite low: whether the evidence would have "any tendency" to make any element of the cause of action (mainly, existence of negligence, causation of harm, presence of damages) more or less likely. 6 Moreover, trial judges are accorded broad discretion in judging whether an item of evidence is relevant, 7 and they make such determinations on a case-by-case basis. 8 In practice, then, a piece of evidence is relevant to a particular case if the judge says it is, unless there is no arguable basis for its relevance.

All relevant evidence is admissible at trial unless there is a specific exception or reason for it to be inadmissible, 9 such as the evidentiary privileges discussed below. The attorney-client privilege, for example, can prevent certain clearly relevant statements by the client from being introduced at trial.

Information on errors could be relevant to a malpractice lawsuit in three ways. First, if the data are reported about the particular case in dispute, so that the report and the litigation are about the identical circumstances, every piece of information would undoubtedly be relevant. This use of data would apply only to databases with identified data about errors that produce injury; the specific identification is what makes the information relevant, and the data would help establish liability in the lawsuit. The information could show negligence, causation (i.e., relation of the injury to the medical care that prompted the report), and possible damages.

Second, information about similar occurrences to the case in dispute is relevant to lawsuits that allege not merely one negligent occurrence, but negligence in a practitioners' engaging in a certain activity at all. It may be argued that an individual doctor's record makes it negligent to fail to refer a patient to a better-qualified practitioner. Similarly, a suit may allege negligent oversight in credentialing or supervision by the institution, medical group or health plan within which the doctor practices. In such a lawsuit, the plaintiff would argue that the occurrence of similar problems before the case in dispute should have or did put the defendant on notice of a pattern of problems that should have been corrected before the plaintiff's injury occurred. The previous occurrences would have to be similar in salient aspects to the data sought from the bank, for example, a particular sort of complex surgery. This use of prior similar-occurrence data would require data identified at least by institution, because the notice has to be shown with respect to a particular defendant. In one case, for example, a plaintiff who was injured by implantation of a pacemaker was allowed access to records of other instances of pacemaker implantation to help make a case for negligent supervision of the physicians by the hospital. 10

Third, data on similar occurrences might also be relevant in more limited ways—to help some lawsuits prove certain aspects of their cases. If, for example, there is a dispute about whether a particular instrumentality could have caused the injury ("causation"), evidence that it caused similar injuries in other instances could be relevant. Other points that could be proven with similar-occurrence data include the defendant's ability to correct a known defect (e.g., a systems weakness or device problem), the lack of safety for intended uses, and the standard of care. Using similar occurrences in this manner would not require identified data, and the similar instances could have come before or after the event that is the subject of the lawsuit.

A recent Florida case combined the notice and causation purposes of similar-occurrence evidence. An obese patient alleged that the defendant obstetrician injured her child by delivering her on a standard bed, rather than a drop-down bed. The court held that the records of other obese patients the doctor had delivered were relevant and discoverable. If other infants suffered similar injuries when a standard bed was used, this should have afforded the obstetrician notice that this method was deficient. Conversely, if no such injuries occurred when drop-down beds were used, this might be relevant for causation. In this instance, the other patients' names were removed from the records. 11 A similar rationale could easily apply to a collection of data on errors.

Pretrial Discoverability

The potential for discovery is even greater than indicated by the preceding section on trial admissibility. The requirement of relevance applies to whether a piece of evidence can be admitted into the record at trial. A pretrial process called "discovery" can extend a plaintiff's reach even further by allowing the plaintiff access to information that would not be admissible at the trial, but could lead to admissible evidence at the subsequent trial. Discovery is the process by which each party can obtain evidence in the possession of the other party and nonparties. It typically consists of requests for copies of documents and questions asked under oath of the other party (called interrogatories if written and depositions if oral). It may also extend to the production of physical objects or even the plaintiff's person for a medical examination. Persons or organizations that are not parties in a lawsuit can also be compelled to provide verbal, documentary, or physical evidence.

Relevance for discovery purposes is broadly and liberally construed. If there is a doubt about relevance, judges will generally permit discovery. 12 The information asked for need not be admissible at trial, as long as it reasonably might lead to the discovery of admissible evidence. 13 Therefore, a report of a medical error need not itself be admissible to be discoverable. The report could point the plaintiff toward relevant facts needed to prove the case. The report could inform the plaintiff, for example, of theories or conclusions about what contributed to the occurrence of the error. This knowledge could help direct the plaintiff's search for admissible evidence, for example, by suggesting the existence or importance of pertinent documents, witnesses, and questions that the plaintiff would not have otherwise considered.


Discovery can be obtained from nonparties as well as parties to the action. Nonparties include any person or organization that is not named in the lawsuit as being allegedly liable for the injury. They could include external data banks, quality consultants, accrediting bodies such as JCAHO, and other persons or organizations that have information on errors. Subject to the judge's approval, the party seeking discovery simply issues a subpoena to the nonparty for the information. 14 The same methods of discovery generally apply to nonparties as to parties, except that interrogatories (a set of written questions) normally cannot be used with nonparties. With regard to the scope of discovery, the major difference for nonparties is that, if compliance with the subpoena Would impose a burden on the nonparty, the court may impose a higher standard of relevance on the request for discovery. Judges may also be more apt to limit the scope or duration of a party's probing of a nonparty's information.

Judges are given substantial discretion over discovery from nonparties as well as discovery from parties to the lawsuit. Thus, the person or entity that reported or shared the error information, independent investigators, organizations that maintain information on errors, and those who work for such organizations could be subject to subpoenas, as long as compliance with the subpoena would not impose an undue burden. Even a data bank that maintains information with no personal or organizational identifiers would not protect a reporter to the data bank from being compelled to testify under oath about his or her recollections of the case, if the reporter could be identified by the plaintiff. The ease of identifying the reporter in practice is variable. It could be straightforward, for example, if a single physician was responsible for all quality assurance reviews in a medical group. Similarly, those who receive, de-identify, investigate, and analyze reports could be compelled to testify if they could be identified with sufficient particularity to be served with a subpoena.

Legal Protections against Discovery of Information about Errors

Three main types of legal protections can block the discovery of data on errors. These include (1) general rules of evidence (not restricted to the medical context), (2) the medical peer review privilege, and (3) special statutory privileges enacted for particular reporting systems. This section discusses each of the protections in turn, along with their limitations.

General Rules of Evidence

Three general rules of evidence could potentially protect error information from disclosure—the remedial action privilege, the attorney-client privilege, and the work product doctrine. Each has some applicability to reporting systems, but each also has significant limits.

Remedial Action

By a long-standing rule of evidence, a showing that remedial action has been taken after an injury cannot be admitted as proof that the injury resulted from negligence or a defective product. One rationale for this rule is to encourage defendants and potential defendants to improve safety, without having to worry that doing so might be taken as an admission of prior substandard practice. The other rationale for the rule is that remedial measures are not necessarily relevant to negligence: that is, one can seek to prevent nonnegligent as well as negligent injuries. All states but one have adopted this rule. 15

Some states have extended this rule to include self-evaluative reports or other postinjury analyses and reports. This might include evaluative reports on health care errors. The policy rationale for the rule would argue for this extension; without it, defendants might be unwilling to undertake the analyses needed to devise remedial measures. A California court, for example, recently held that the rule protected the records of peer review committees from discovery, independently from California's peer review statute, which also applied. 16

However, other states have ruled the opposite way or have not yet reached the question of whether evaluative reports are protected. 17 Even in states that have extended the remedial measures rule to evaluative reports, protecting the reports outside of the institution involved in the lawsuit would require yet another extension of the rule. Another problem is that even if the reports are protected from being used by a plaintiff to prove the main elements of the cause of action (such as negligence), they could still be admissible for other purposes. A plaintiff could use them, for example, to impeach a witness (i.e., contradict a witness' testimony), prove causation, or prove the feasibility of taking preventive measures. 18

Furthermore, the discovery privilege applies to critical evaluation (analysis, opinions, and conclusions) but not to facts of the event, so plaintiffs can still obtain factual information contained in the reports to support their case (e.g., what happened, who was there, what was said, whether the equipment was functioning normally). 19

Attorney-Client Privilege

Communications with one's attorney are privileged from discovery. The purpose of the privilege is to encourage free communication between clients and lawyers so that clients may have the full benefit of legal advice. The privilege is nearly absolute, in that an opposing party can almost never argue that it should not be applied in particular circumstances. * It can be waived, however, by the client to whom it belongs; the attorney has a permanent obligation to the client and can never waive the privilege.

Attorney-client privilege will rarely if ever be useful in protecting reports sent to an external entity. Typically, the client is the medical institution, which generally includes only senior management for purposes of this privilege. A report from a floor or charge nurse, for example, may not qualify. The most important problem, however, is that even if a document is originally covered by the attorney-client privilege, once it is sent to any nonparty, including external data banks or independent collaborating institutions, it loses the protection of the privilege. In other words, sending a report to one's attorney does not immunize it from discovery if it is also used for other purposes.

Attorney Work Product Doctrine

This rule protects materials that are created by or on behalf of a lawyer in preparation for litigation. The purpose is to protect the thoughts and plans of the lawyer, and the privilege can be waived only by the lawyer. Some states do not apply this doctrine to protect reports on errors, not even those kept internal to an organization, such as incident reports. 20 These states view the reports as being generated in the ordinary course of business. In addition, the protection afforded by the work product doctrine is not absolute; it can be overcome if the other party has need of the materials and would be unable without hardship to obtain the equivalent information. 21 In this situation, the facts of the event can be discovered, but the thoughts, opinions, and plans of the lawyer remain protected (i.e., may be removed before the materials are produced in discovery).

Peer Review Privilege

The peer review privilege is the most promising existing source of legal protection for data on errors. This privilege is statutory and is specific to medical peer review within specified settings and meeting specified standards. Every state, except one, statutorily protect from discovery various records and deliberations of peer review committees.* 22 , 23 The quality improvement purpose of peer review is consistent with the purpose of reporting systems; the statutes' value in protecting reporting, however, depends on fitting the reporting system to the specifics of each protective statute.

These statutes vary considerably in their reach and strength. Overall, this makes them a problematic source of legal protection for data on errors. Some protect only documents generated by the peer review committee, whereas others protect information provided to them. In addition, the treatment of incident reports within an institution, such as a hospital, varies by state. Some statutes have specific requirements for the composition of qualifying peer review committees (e.g., that physicians constitute a majority of the members). In some states, a hospital committee must be under the aegis of the medical staff, not the administrative staff. 24

Some states restrict the privilege to in-hospital committees or committees of professional societies. Many statutes may not cover collaborations among institutions, even if all are within an integrated delivery system. The California statute is one of the broadest and might apply to collaborative reporting systems and external data banks. California defines a peer review body as including "a medical or professional staff of any licensed health care facility, a nonprofit medical professional society, or a committee whose function is to review the quality of professional care provided by the members or employees of the entity to which the committee belongs." 25 No statute expressly covers systems or collaborations that cross state lines.

States can develop statutes to accommodate reporting systems, such as in Oklahoma. In that state the law protects any information, including interviews, reports, statements, memoranda, or other data, that is provided "for use in the course of studies for the purpose of reducing morbidity or mortality." The recipients may use such information "only for the purpose of advancing medical research or medical education in the interest of reducing morbidity or mortality." The findings and conclusions resulting from these studies are also protected. The Oklahoma Supreme Court has upheld the protection under this statute for records generated by a hospital infectious disease committee that reviewed every case involving infection in order to improve infection control. 26 It would appear possible to devise reporting systems that would meet the requirements of this statute.

Even when peer review information qualifies for the privilege, it may nonetheless be discoverable under some circumstances. The information may not be protected in allegations of negligent supervision or credentialing by an institution, because the performance of the peer review process is what is at issue in such claims. Some state medical licensing boards have gained access to peer review information for disciplinary purposes. 27 Some state courts employ a balancing test to determine whether a plaintiff should have access to facts contained in peer review documents (though not opinions or conclusions), balancing how crucial this is to the plaintiff (e.g., not available in any other way) against how much trouble and expense it imposes on the defendant. * Moreover, state or federal law enforcement authorities may be able to discover the information for use in criminal proceedings, although instances of criminal prosecution for medical errors are exceptionally rare. Many states' statutes prevent a plaintiff from compelling a member of the peer review committee to testify, but one might testify voluntarily. 28 To close this loophole, hospitals can adopt bylaws prohibiting staff members from disclosing any information obtained through the peer review committee.

There is federal protection for the practice of peer review under the Health Care Quality Improvement Act of 1986 (42 U.S.C. Image img00002.jpg Image img00002.jpg11101 et seq.). This statute establishes peer review immunity from damage suits when the participants act in good faith in any peer review process that meets the act's standards for structure and fair process. Peer review is defined quite broadly, and protected participants include everyone involved in the process, from investigators to witnesses to medical peers.

Statutory Protections Specific to Particular Reporting Systems

Some statutes have been crafted to protect specific reporting systems. Examples of these follow, along with some indications of their success in practice. All provide limited precedent for protecting data.

National Practitioner Data Bank (NPDB)

The federal Health Care Quality Improvement Act of 1986 (42 U.S.C. Image img00002.jpg Image img00002.jpg 511101 et seq.) requires all malpractice insurers and self-insurers to report claims paid on behalf of named practitioners to the NPDB maintained by the Health Resources and Services Administration (HRSA). Decisions affecting clinical privileges of physicians and dentists must be reported by hospitals, state boards or professional associations; hospitals and other entities may voluntarily submit reports on other practitioners. Practitioners are also allowed limited space in the data bank to comment on the information reported (often asserting that the payment was made solely for tactical legal reasons, not in recognition of medical failures). The reporting obligation is limited to specified formal determinations about consequential errors in medicine (claims settled, discipline meted out) and does not extend to simple observation of medical errors "in the field."

With regard to confidentiality, the act allows only designated authorized users to obtain information from the data bank, mainly hospitals and other health care organizations that credential practitioners. Regulations call for authorized users to use data only for credentialing or peer review and to keep data only within departments doing such authorized activities. The NPDB may not give information on any practitioner to any malpractice insurer, defense attorney, or member of the general public, although plaintiffs' attorneys may query the bank under very limited circumstances. Strong monetary penalties exist for unauthorized disclosures from the NPDB. Bills have often been filed in the Congress to "open up" the bank for public access, but these have always been opposed by federal authorities and have never been close to enactment. There is nonetheless substantial concern among practitioners that legislative change will eventually succeed.

Completeness of reporting is difficult to assess. Some physicians are said to avoid being reported to the data bank by settling lawsuits in the name of a corporate defendant and being dropped individually from the lawsuit. Insurers and corporate defendants, in turn, are said to report increased difficulty in settling claims because of the resistance of practitioners to being reported. HRSA sources interviewed said that they believe reporting is good, and said that occasional complaints referred to them almost always turn out to have been reported. HRSA interviewees said that there have been no known leaks from HRSA or from any contractor that has maintained the database. Complaints about leaks have been too general and non-specific to investigate.

The claims data in the data bank are effectively "protected" from discovery in a lawsuit involving the injury-producing error that was reported because the applicable lawsuit must already be over. Claim closure is what generates the duty to report, including information from the settlement. Plaintiffs might be interested in the data as similar-occurrence information, but no civil lawsuit subpoenas have been issued to the data bank; the protecting federal law preempts any attempts to obtain data for a state lawsuit. The NPDB does not face the problem of having to protect any investigators of reports, because it conducts no independent investigation, being prohibited by law from modifying information submitted in reports. Those who generate reports do face inquiries, however; when a physician is under review for privileges at a hospital, for example, the institution will routinely ask liability insurers and doctors about their reported history of malpractice and discipline, and no confidentiality applies.

Quality Improvement Organizations (QIOs)

Also known as peer review organizations (PROs), these entities monitor the utilization and quality of care for Medicare beneficiaries, including quality improvement projects, mandatory case review and oversight of program integrity (see Chapter 7). One responsibility involves the investigation and evaluation of instances of possibly substandard care provided to fee-for-service Medicare beneficiaries. Case review information with patient identifiers is not subject to subpoena in a civil action (42 CFR Section 476.140).

Veterans Health Administration System

The Veterans Health Administration (VHA) is planning to implement a voluntary, non-punitive reporting system on a pilot basis. This system is being designed after the aviation model (see Chapter 5) for eventual use throughout the VHA delivery system. A specific federal statute confers confidentiality for quality assurance within the VHA. The VHA's general counsel has not formally issued an opinion on whether the new reporting system will be protected by this statute, but VHA officials believe it will be. Because the system is not yet operational, there has been no opportunity for the statute's application to the reporting system to be challenged (the federal Tort Claims Act waives governmental immunity for the VHA, so it generally can be sued for medical malpractice).

Food and Drug Administration

Via its MedWatch system, the FDA receives reports from practitioners and manufacturers of serious adverse events and product problems related to medications and devices within its regulatory authority. Strict confidentiality rules apply to the identities of both reporters and patients; governing laws include the federal Privacy Act and the Freedom of Information Act. Agency regulations since 1995 have protected against disclosure of voluntary reports held by pharmaceutical, biological, and medical device manufacturers, by preempting state discovery laws.

New York Patient Occurrence Reporting and Tracking System

New York operates a leading example of a type of state regulatory system that collects reports of various types of adverse events. Access to individual reports is protected by statute. This statutory shield was challenged and was upheld by the courts, according to interviewees. Reports from hospitals are also protected by the statute protecting internal investigative reports and incident reports. If the department conducts an investigation of a specific event (prompted by a report or by a patient's complaint) official action is taken by the state (e.g., a statement of deficiencies), and the public and the patient have access to these findings. Accordingly, reporters can expect information reported to become public.

Practical Protections against the Discovery of Data on Errors

Two practical methods have been used to try to assure those who report errors that their reports will not be used in civil lawsuits against them or their colleagues. The first is simply to promise confidentiality by operational practice, but without full legal support in case of subpoena. Some organizations have tried to abide by a promise not to disclose the reporter's identity, and so far, have apparently been successful. However they appear to be vulnerable to subpoena.

The second practical protection is to obtain and maintain the data in a manner that prevents identification of the reporter or the specific event, even if a plaintiff obtains access to the report. This can be done with anonymous reporting (in which case the data recipient never receives any identified information to begin with) and by de-identification of reported data (in which case the identity of the reporter is removed after receipt of the report, often after a short lag to permit clarification or additional information to be obtained from the reporter). This section relates experience with these methods.

Confidentiality by Promise and Practice

A promise of confidentiality is sometimes the only option available to private organizations today. Two organizational examples are described below. Operational practice to maintain confidentiality can also be important within organizations that have dual roles—quality improvement and enforcement—so that the information on errors is sequestered behind an internal curtain of confidentiality and made available only to those who need access to it for purposes of analysis and prevention. Even such a "firewall" may not have credibility for reporters. The Aviation Safety Reporting System, for example, was not fully trusted by reporters until it was moved from within the Federal Aviation Administration (FAA) to a separate agency, the National Aeronautics and Space Administration (NASA).

JCAHO's sentinel event system is a notable example of confidentiality based on promise and practice. When first proposed in 1996, the policy caused controversy among hospitals fearful of disclosure to JCAHO. JCAHO has since changed its policy to permit hospitals to disclose details through on-site inspection by JCAHO investigators so that information stayed inside the institution and was not reported externally to JCAHO. One legal fear is that disclosure of internal quality data to outside reviewers not under a peer review statute will lead to discovery from JCAHO in lawsuits; indeed, many fear that disclosure to JCAHO would invalidate even the nondiscoverability protections each hospital enjoys for its own data under its state peer review statute. * A practical fear is that involving numerous outsiders will increase the potential for security breaches. JCAHO is seeking federal statutory protection as a definitive solution to the problem.

The Medical Error Reporting (MER) System also relies on a promise of confidentiality. It receives identified reports of medication errors, almost exclusively from practitioners. The reporter is given the option of not being identified to the sponsoring organizations (see Chapter 5), FDA, and the relevant pharmaceutical company, but the reporter's identity is maintained within the MER data system. Sometimes, anonymous reports are received. Lawyers have requested and been given copies of general reports on a particular problem, but not specific case reports. The data bank has never been subpoenaed, but the director considers this to be a significant risk that likely contributes to substantial under reporting.

Anonymous Reporting

The intent of anonymous reporting is to ensure that the reporter cannot be identified from the report. The information, therefore, can be used primarily as unidentified similar-occurrence data to prove particular aspects of a case, such as causation. The potential for this kind of generalized legal risk may not significantly deter reporting.

The use of anonymous reporting can reduce the effectiveness of the reporting system. On a practical level, a loss of information can occur because the data system is restricted to receive only the information transmitted initially by the reporter. The recipient cannot go back to the reporter to get clarification and additional information.

At a more fundamental level, some detailed information can be lost to the system because it might tend to identify the specific event or the reporter. This is especially true for injury-producing errors, because of the greater knowledge of the error possessed by a plaintiff compared with persons not involved in the event being reported. Plaintiffs know detailed information about their own cases that could enable each to identify with some certainty even an anonymous report or reporter about the specific injury being litigated. This information could include the dates of the event and the injury, nature and severity of the injury, type of facility, types of practitioners, and type and location of error. The names and types of specific equipment and drugs involved in the error, if any, also could help make the report identifiable to a plaintiff. As a result, information that is important to meet the needs of the reporting and analysis system might have to be omitted because it would serve to make the report identifiable to a plaintiff.

One example of an anonymous reporting system, is MedMARx. Hospitals submit reports on medication errors to MedMARx over the Internet, identified by a random number known only to the submitting hospital. This preserves anonymity, but allows the hospital to compare its experience to similar institutions. Because information is collected in a standardized format, the need to go back to the reporter for additional information is minimized. The usefulness of data for comparisons is enhanced by including "demographic" information on reporting hospitals (e.g., size, teaching status, location of error within hospital), but within categories sufficiently large to frustrate any attempt to identify reporters.


Two programs de-identify data as a practical protection against discovery. The Medical Event Reporting System for Transfusion Medicine (MERS-TM) is a private collaboration between blood centers and hospital transfusion services in Texas. Reports are generated within the protected quality assurance structures at each institution, but the Texas peer review statute may not apply to the data bank itself. Only near-miss data have been included to date, but the operators of the data bank are nonetheless extremely concerned about the possibility of receiving a subpoena. De-identification is the primary protection, but it causes them to lose information they would like to have about the reporting institution, such as the type of center, size, and location.

In the Aviation Safety Reporting System (ASRS), the reporter's name and contact information are retained temporarily in case additional information is needed. De-identification usually occurs within 72 hours of the initial receipt of the report. There has been no breach of identity of the reporter in more than 20 years of operation.


Litigators have strong incentives and powerful legal tools to obtain information about errors to assist them in lawsuits for medical injuries. Many reporting systems contain information that would be useful to plaintiffs. The more that the content of a particular reporting system resembles the claims files of a medical liability insurer, the more attractive a target reporting system is for the plaintiffs. For example, a reporting system that focuses only on identified injury-causing errors from a small number of institutions is more attractive to plaintiffs than one that collects large numbers of nonidentified near misses from many different types of reporters in different states.

Fear of legal discoverability or involvement in the legal process is believed to contribute to underreporting of errors. Collaborative quality improvement efforts may be inhibited by the loss of statutory peer review protection that may occur when data are shared across institutions. Some form of protection appears necessary for each of the three components of an error reporting system: (1) the original reporters; (2) the various recipients of the information (including processors, investigators, de-identifiers, and analyzers); and (3) the reported information itself. Information voluntarily shared should be done with appropriate safeguards for patient confidentiality.

Legal protections are the only possible way to protect identified reporters, report recipients, and reports from discovery but legal protections are not without problems. Specific statutory protection for a particular reporting system may be the most desirable form of protection, but this may not be a realistic option for many systems. Some states' peer review statutes could be used by some types of reporting systems—for example in California and Oklahoma—but the assurance of protection is not ironclad. Other states' statutes would need revision to accommodate external data banks and collaborative efforts. This would require careful drafting that could survive state-by-state political processes, with careful attention to the scope of the protection, definitions of authorized users and uses, potential loopholes, and the like.

A more promising alternative, proposed recently by the Medicare Payment Advisory Commission (1999), is for Congress to enact protective federal legislation. 29 Such legislation could be enacted immediately and would not rely on actions to be taken by 50 different states.

Practical methods can be very useful in protecting nonidentified reporters, recipients, and reported data, but they also have some weaknesses, so reporters may not fully trust them. The level of protection of practical methods differs somewhat for the three components of reporting systems. Reporters could be protected from subpoena if all potentially identifying information is absent from the report, but anonymous reporting and de-identification may not be effective if the likely reporter can be identified readily by the plaintiff independent of the reports. This may occur, for example, when only one person is the logical or mandated reporter for an organization or department within the organization.

Similarly, recipients of reports (processors, investigators, etc.) might become identifiable to a plaintiff. A recipient who handles large numbers of reports may not remember details about any specific report. However, if an investigator spent some time on-site looking into a particular event, as might a JCAHO investigator examining a hospital's root cause analysis of a particular sentinel event, practical methods of protection would likely fail.

Any reported data of an injury-causing error can be protected from use in a lawsuit involving that specific reported injury by practical methods (anonymous reporting or de-identification). In nonidentified form, the report might still be useful to plaintiffs in other cases as a similar occurrence, but whether this type of use would deter reporting is an empirical question that might vary with the reporting system and might change over time. In addition, anonymous reporting and de-identified reporting both cause reports to lose some information. The information loss would likely be greatest for reports of injury-producing errors, which an informed plaintiff might seek.

Legal protections may help patch up the weaknesses of practical methods of protection. Depending on the nature of the reporting system (geographic catchment, type of reporters, number and type of events reported), legal protection may be a necessary supplement to practical protections for possibly identifiable reporters, recipients, and reports. Supplementary legal protection also could ameliorate the loss of data that might otherwise occur to preserve nonidentifiability. If legal use of similar-occurrence data does in fact deter reporting, then legal protection may be desirable to prevent even this type of use. The strongest legal protections would cover the entire chain of custody of the information, from its initial generation to its ultimate use. This strong form of protection is used, for example, in the Health Care Quality Improvement Act's protection for the peer review process.

The committee concludes that some combination of legal and practical protections would be best. Each alone is imperfect, but they are mutually reinforcing and together can provide the strongest assurance of confidentiality.


Steves, Myron F. A Proposal to Improve the Cost to Benefit Relationships in the Medical Professional Liability Insurance System. Duke Law Journal. 16:1305–1333,1975.
Abraham, Kenneth S. and Weiler, Paul C. Enterprise Medical Liability and the Evolution of the American Health Care System. Harv L Rev. 108:381,1994.
Sage, William M.; Hastings, K. E.; Berenson, Robert A. Enterprise Liability for Medical Malpractice and Health Care Quality Improvement. Am J Law Med. 20:1–28,1994. [PubMed: 7801972]
Bovbjerg, Randall R. and Sloan, Frank A. A No Fault for Medical Injury: Theory and Evidence. University of Cincinnati Law Review. 67:53–123,1998.
Many lessons from Workers' Compensation and one limited medical no-fault approach are set out in Bovbjerg and Sloan, 1998.
Federal Rule of Evidence 401: ''Relevant evidence means evidence having any tendency to make the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the evidence.".
Weinstein's Federal Evidence 2nd ed., 1998, Vol. 2 , Section 401.03.
Weinstein's Federal Evidence, 2nd ed., 1998, Vol. 2 , Section 401.07.
Federal Rule of Evidence 402.
Ziegler v. Superior Court of County of Pima (1982, app) 134 Ariz. 390, 656 P2d 1251. In this case, the names of the patients were removed to protect their privacy.
Amente v. Newman 653 So 2d 1030, 20 FLW S172 (1995, Fla).
Moore, James W.; Vestal, Allan D.; and Kurland, Phillip B. Moore's Manual: Federal Practice and Procedure. 2(15):03 [2] [a] , 1998.
"The information sought need not be admissible at the trial if the information sought appears reasonably calculated to lead to the discovery of admissible evidence." Federal Rule of Civil Procedure 26(b).
Federal Rule of Civil Procedure 45.
Rhode Island Rule of Evidence 407.
Fox v. Kramer (Calif. 6th App. Dist. 1999) 1999. Daily Journal D.A.R. 1772.
Leonard, David R., New Wigmore's Treatise on Evidence: Selected Rules of Limited Admissibility, Ch. 2, 1999. Suppl., Section 2:46–1.
Federal Rule of Evidence 407.
Leonard, David R., New Wigmore's Treatise on Evidence: Selected Rules of Limited Admissibility, Ch. 2, Supp., Section 2:46–51,1999.
State ex rel. United Hospital Center, Inc. v. Bedell (W. Va. 1997) 484 SE2d 199; Columbia/HCA Healthcare Corporation v. Eighth Judicial District Court, (Nev. 1997) 936 P2d 844.
Columbia/HCA Healthcare Corporation v. Eighth Judicial District Court, (Nev. 1997) 936 P2d 844.
Brennan, Elise D. Peer Review Confidentiality. American Health Lawyers Association Annual Meeting, 1998.
Mills, D. H. Medical Peer Review: The Need to Organize a Protective Approach. Health Matrix. 1 (1):67–76,1991. [PubMed: 10121880]
Mills, 1991.
California Business and Professions Code Section 805.
City of Edmond v. Parr, 1978 OK 70, 578 P.2d 56 (Okla. 1978).
Arnett v. Dal Cielo, 42 Cal. Rptr. 2d 712 (1995); Arizona Occupations Code Section 32-1451.01(E).
West Covina Hospital v. Superior Court, 41 Cal. 3d 846, 718 P. 2d. 119 (1986).
See Medicare Payment Advisory Commission (1999), recommendation 3C, at p. 36.


  • ASRS (Aviation Safety Reporting System). 1999. Program Overview. http://olias​ , html accessed 28 July 1999.
  • Berwick, Donald. M. Continuous Improvement as an Ideal in Health Care. N Engl J Med. 320:53–56,1989. [PubMed: 2909878]
  • Bodenheimer, Thomas. The American Health Care System—The Movement for Improved Quality in Health Care. N Engl J Med. 340(6):488–492,1999. [PubMed: 9971876]
  • Brown, Lowell C. and Meinhardt, Robyn. Peer Review Confidentiality: Those Old Protections Just Ain't What They Used to Be. Whittier Law Review. 18:99–104,1996.
  • Bovbjerg, Randall R. and Sloan, Frank A. No Fault for Medical Injury: Theory and Evidence. University of Cincinnati Law Review. 67:53–123,1998.
  • Friend, Gail N., et al. The New Rules of Show and Tell: Identifying and Protecting the Peer Review and Medical Committee Privileges. Baylor Law Review. 49:607–656,1997.
  • Joint Commission on the Accreditation of Healthcare Organizations. Sentinel Event Policy and Procedures, 1998. http://wwwa​​/ns-search/sentinel/se_poly​.htm?NS-search-set=​/36c06/aaaa17864c065ea&NS-doc-offset​=0& accessed February 9, 1999.
  • Kutrow, Bradley. Accident Reports Take on New Status with North Carolina Court Ruling. The Business Journal of Charlotte , June 1, 1998. http://www​​/charlotte/stories/060198/smallb4.html accessed January 19, 1999.
  • Leape, Lucian. Error in Medicine. JAMA . 272:1851–1857,1994. [PubMed: 7503827]
  • Leape, Lucian L.; Woods, David D.; Hatlie, Martin J., et al. Promoting patient safety by preventing medical error, JAMA . 280:1444–1447,1998. [PubMed: 9801008]
  • Liang, Bryan A. Error in Medicine: Legal Impediments to U.S. Reform. J Health Polit Policy Law. 24:27–58,1999. [PubMed: 10342254]
  • Medicare Payment Advisory Commission. Report to the Congress: Selected Medicare Issues. Washington, DC: MedPAC, June, 1999.
  • National Patient Safety Foundation. Diverse Groups Come Together to Improve Health care Safety Through the National Patient Safety Foundation. Press Release August 29, 1997 <http://www​.ama-assn​.org/med-sci/npsf/pr897​.htm>.
  • Pape, Julie Barker. Physician Data Banks: The Public's Right to Know Versus the Physician's Right to Privacy. Fordham Law Review. 66:975–1028,1997. [PubMed: 10182429]
  • Smarr, Lawrence E. A Comparative Assessment of the PIAA Data Sharing Project and the National Practitioner Data Bank: Policy, Purpose, and Application. Law and Cont Prob. 60(1):59–79,1997.
  • Weiler, Paul C.; Newhouse, Joseph P.; and Hiatt, Howard H. Proposal for Medical Liability Reform. JAMA . 267:2355–2358,1992. [PubMed: 1564776]



Error data may be sought in other types of cases as well, such as antitrust or libel claims by physicians against medical organizations. Further, regulators may seek data on injuries, either under their general authority (notably, state licensing boards that can discipline practitioners) or under specific statutory schemes of regulation that mandate reporting and investigation of consequential errors (discussed below).


There are limited exceptions not relevant here, such as the duty of a lawyer as an officer of the court to report a client's plans to engage in future criminal activity.


New Jersey is the exception, according to a 50-state survey of peer review statutes that was undertaken in part to understand how JCAHO's proposed ''sentinel event" reporting would fare under the statutes.


An unknown but key issue is the extent to which general harm to incentives to generate data would enter into a court's balancing.


The 50-state survey on peer review noted above was undertaken as part of the reaction against the initial JCAHO proposal for mandatory reporting of identified information.

Copyright 2000 by the National Academy of Sciences. All rights reserved.
Bookshelf ID: NBK225185


  • PubReader
  • Print View
  • Cite this Page
  • PDF version of this title (2.0M)

Related information

Recent Activity

Your browsing activity is empty.

Activity recording is turned off.

Turn recording back on

See more...