Professional Documents
Culture Documents
Erm-Health Care PDF
Erm-Health Care PDF
Erm-Health Care PDF
Copyright 2009 by
AMERICAN HEALTH LAWYERS ASSOCIATION
1025 Connecticut Avenue, NW, Suite 600
Washington, DC 20036-5405
Web site: www.healthlawyers.org
E-Mail: info@healthlawyers.org
All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form,
or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express,
written permission of the publisher.
Printed in the United States of America
ISBN: 978-1-4224-6085-6
978-1-4224-6084-9 (Members)
This publication is designed to provide accurate and authoritative information with respect to the subject matter covered.
It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services.
If legal advice or other expert assistance is required, the services of a competent professional person should be sought.
from a declaration of the American Bar Association
Preface
Healthcare entities face risk in all facets of their organizations, from changes in patient demographics, to use of complex, constantly changing technology, and increased regulatory mandates. It is
critical that they identify and address potential risk, and equally important for these organizations to
have a game plan that crosses all departmental barriers. The benefit to having a comprehensive risk
management process and plan that encompasses the entire enterprise becomes more important every
day. Indeed, Standard & Poors, a major credit rating agency, announced in 2008 that it would add an
enterprise risk management (ERM) review for nonfinancial companies to further enhance its rating
process.
Health Lawyers wants to express its tremendous gratitude to all of the authors of the Enterprise
Risk Management Handbook for Healthcare Entities. This new publication addresses the need for and
implementation of a proper risk management system that will address and assess the myriad areas of
importance in the healthcare setting.
The coverage begins with an overview of ERM and its evolution. The impetus for many organizations to adopt ERM was the passage of the Sarbanes-Oxley Act of 2002, the legislative response to
scandals involving accounting and compliance in the private sector. While nonprofit healthcare entities were not the focus of the legislation, many began to voluntarily comply with the principles and
financial controls incorporated in the legislation. A renewed focus on the responsibilities of boards of
directors to identify and manage organizational risks increased the impetus to embrace ERM.
The authors provide guidance on how to structure an ERM system, as well as insight on risk
financing methods. They delineate how to manage risk in various settings, including contract management, claims management, environmental compliance, human research, peer review and credentialing,
due diligence in business transactions, consent to treatment and numerous others. Finally, coverage
includes insight on the impact that the implementation of electronic health record (EHR) systems,
combined with the advent of e-discovery rules, will have on traditional documentation issues.
Health Lawyers commends Enterprise Risk Management Handbook for Healthcare Entities to all
healthcare attorneys and others in the healthcare field that need to understand the assessment of and
planning for risk management in the healthcare setting. We anticipate that it will prove to be a useful guide for healthcare entities and their counsel in understanding this critical area of the healthcare
environment and the law as it continues to evolve.
iv
Acknowledgments
The Editor-in-Chief would like to thank Peter L. Leibold, the American Health Lawyers Association (AHLA) Executive Vice President/Chief Executive Officer, for his support of the Enterprise Risk
Management (ERM) Affinity Group, as well as John Washlick and Brian Gradle, who as Chairs of
AHLAs Hospital and Health Systems Practice Group lent their unwavering encouragement to the ERM
Affinity Group and this effort. Thanks to Trinita Robinson, AHLAs Vice President of Practice Groups,
for always being there for the Affinity Group and serving as the link throughout this process.
I also want to offer my tremendous gratitude to our reviewers, who improved this publication by
taking the time to read the chapters and offer insightful guidance and comments to the authors. They
were Roberta Carroll, Connie Crawford, Sheila Hagg-Rickert, Mary Marta, Erin Muellenberg, Peggy
Nakamura, Kathy Wire, and Leigh Collier. My thanks also to Alice Kush for her early involvement in
the project. And finally, I would also like to thank Cynthia Conner, AHLAs Vice President of Professional Resources, and Will Harvey, AHLAs Director of Business Development and Publishing, for
their constancy, expertise, and willingness to do what was necessary to make this publication a reality.
Ellen L. Barton
Editor in Chief
vi
Contributing Authors
Introduction
Roberta Carroll, RN, ARM, CPCU, MBA,
CPHRM, CPHQ, LHRM, HEM, DFASHRM
Senior Vice President, Aon Healthcare
Sheila Hagg-Rickert, JD, MHA, MBA,
DFASHRM, CPHRM, CPCU
Senior System Director of Risk Management,
CHRISTUS Health
Human Capital
Deborah Martin Norcross, Esq.
MartinNorcross LLC
Financial
Legal/Regulatory
Hazard
Sheila Hagg-Rickert, JD, MHA, MBA,
DFASHRM, CPHRM, CPCU
Senior System Director of Risk Management,
CHRISTUS Health
Gisele Norris, DrPH
National Directory, Aon Healthcare Alternative
Risk Transfer Practice
Amy Norris, Esq.
Associate General Counsel, Clif Bar & Company
Operational
Fay A. Rozovsky, MPH, DFASHRM, Esq.
President, The Rozovsky Group, Inc.
Mark A. Kadzielski, Esq.
Fulbright & Jaworski, LLP
Yvonne K. Puig, Esq.
Mark Faccenda, Esq.
Fulbright & Jaworski LLP
Emily Rhinehart, RN, MPH, CIC, CPHQ
AIU Holdings, Inc.
vii
Jeffery Layne
Christopher N. Kanagawa
India K. Brim
Fulbright & Jaworski LLP
Strategic
Technology
Joshua I. Rozovsky
The Rozovsky Group, Inc./RMS
viii
Ellen Barron
Ellen Barron has more than 25 years experience in Marketing, Communications, Strategy and related
disciplines. She has provided leadership to these functions in community hospitals, academic medical centers and large, multi-site health systems. Ellen has served on the boards of both a national
marketing professionals association, as well as a multi-state health system. She has acted as an expert
facilitator for health- and insurance-related organizations; presented at numerous national and regional
meetings; and published more than 30 articles. She is an independent consultant with her own firm,
Profit Management Group, in West Chester, PA.
India K. Brim
India K. Brim is a Healthcare associate in the Washington, D.C. office of Fulbright & Jaworski,
L.L.P. As an associate, she focuses her practice on healthcare issues including regulatory compliance,
fraud and abuse, hospital and laboratory certification, and Medicare/Medicaid reimbursement matters. Ms. Brim also has experience in handling government investigations and healthcare litigation.
Ms. Brim received her BA from Spelman College, magna cum laude, in 2003 and her JD from Duke
University in 2006. She is admitted to practice law in Maryland and the District of Columbia.
Roberta L. Carroll
Roberta L. Carroll, RN, ARM, CPCU, MBA, CPHRM, CPHQ, LHRM, HEM, DFASHRM, is a Senior
Vice President of Aon Healthcare, based in Tampa, Florida. Ms. Carroll is also a faculty member for
the ASHRM-sponsored Barton certificate program Essentials module, is a member of ASHRM and
served on its board for six years, serving as President in 1995-1996. Ms. Carroll received a Bachelor
of Science degree in Health Services Administration and a certificate in Emergency Medical Services
Systems Administration from Florida International University and a Master of Business degree from
Nova Southeastern University. She is a well-known author, speaker, and teacher in the areas of: alternate risk financing, risk mitigation strategies and solutions, claims administration, early intervention
programs, enterprise risk management (ERM), strategic planning, and reengineering. Her activities
are on a local, state, and national level and her professional and committee activities are numerous.
She is a member of the American Health Lawyers Association and its Risk Management Affinity
Group of the Hospitals and Health Systems Practice Group.
Richard L. Clarke
Richard L. Clarke, DHA, FHFMA, is President and Chief Executive Officer of the Healthcare Financial Management Association (HFMA), Westchester, Illinois, a professional membership association
with more than 34,000 members in 70 chapters who share an interest in the financial management
of the delivery of healthcare services. Richard attained Fellowship (FHFMA) in HFMA in 1983. He
served as President of the Colorado chapter of HFMA, served on its National Matrix, and was a member of HFMAs Principles and Practices Board. He holds a bachelors degree in Industrial Distribution
from Bradley University, Peoria, Illinois (1970), a masters degree in Business Administration in manEnterprise Risk Management for Healthcare Facilities, First Edition
ix
agement/finance from the University of Miami, Coral Gables, Florida (1972), and a Doctor of Health
Administration (DHA) degree from the Medical University of South Carolina, Charleston, SC (2005).
Dr. Clarke has also written numerous articles and publications on healthcare finance.
Joseph V. Conroy, IV
Joseph V. Conroy, IV, is an associate in the law firm of Eckert Seamans Cherin & Mellot, LLC, in their
Philadelphia office. He focuses his practice on professional liability as well as general liability law. His
practice areas include litigation, and product liability. Joe received his JD from Villanova University
School of Law in 2007, and his BS from Villanova University in 2004.
John R. Evancho
As Senior Vice President and Chief Compliance Officer, John is accountable for the development and
direction of compliance, privacy and risk management programs for OSF HealthCare, an integrated
health system based in Peoria, Illinois. John began working at OSF as Vice President of Operations
for OSF HealthPlans. Prior to joining OSF, John served in various executive capacities in both Compliance and Operations for several national health insurance companies. John earned his JD from
Harvard Law School, his MTS from Harvard Divinity School, a BA from the University of Louvain in
Belgium and a BA from Duquesne University in Pittsburgh.
Mark Faccenda
Mark Faccenda is an Associate in Fulbright & Jaworski L.L.P.s Washington, D.C. office. As part of the
firms Health Care Practice Group, Mark has represented healthcare industry clients on regulatory and
transactional matters. Representative clients include pharmaceutical manufacturers, academic medical
centers, health systems, physician groups, physician/hospital joint ventures, long term care facilities
and durable medical equipment suppliers. Mark received his JD and MHA, Health Administration,
from the University of Pittsburgh in 2005, and his BS in Biology, from Pennsylvania State University
in 1995. Mark is admitted to practice law in Pennsylvania. He is a member of the American Health
Lawyers Association.
Amanda J. Flanagan
Amanda Flanagan is an associate with Sheehy, Ware & Pappas, P.C. Her practice is focused on personal injury, wrongful death, and premises liability. She also defends employment claims. Amanda
received her JD from South Texas College of Law (2003) and her BA from the University of Texas at
Austin (1999).
Phyllis F. Granade
Phyllis F. Granade is a Partner in the Atlanta office of Adorno & Yoss. She began her legal career
as a legal consultant to the Medical College of Georgia Telemedicine Center. Phyllis legal practice
includes assisting clients with privacy and security compliance issues, particularly the HIPAA privacy
and security regulations. She frequently defends clients during privacy and security investigations
brought by the U.S. Department of Health and Human Services (DHHS) Office for Civil Rights
(OCR) and the Centers for Medicare and Medicaid Services (CMS), respectively. She received her JD
from the University of South Carolina School of Law, and her AB, cum laude, from the University of
Georgia in 1991. She is a member of the American Health Lawyers Association, and is a Vice Chair of
its Health Information Technology Practice Group.
Steven O. Grubbs
Steven O. Grubbs is a Shareholder with the Houston, Texas firm Sheehy, Ware, and Pappas, P.C. Mr.
Grubbs is a member of the firms labor and employment, commercial litigation, and general litigation
sections. He has considerable first-chair trial experience in State and Federal Court, and has handled
arbitrated matters concerning employment law issues. He has prepared briefing and conducted oral
arguments before several Texas Courts of Appeals and to the Texas Supreme Court. He received his JD
from South Texas College of Law in 1996, and his BBA from University of Texas at Austin in 1992.
Mr. Grubbs is admitted to practice law in Texas. He is a member of the American Health Lawyers
Association.
Sheila Hagg-Rickert
Sheila Hagg-Rickert serves as Senior System Director of Risk Management for CHRISTUS Health
based in Houston. In this capacity, she is responsible for oversight of CHRISTUS loss prevention,
claims management and risk financing programs. Sheila holds a JD from the University of Iowa and
Masters of Business Administration and Masters of Healthcare Administration degrees from Georgia
State University. She has earned Chartered Property and Casualty Underwriter (CPCU) and Certified
Professional in Healthcare Risk Management (CPHRM) designations and is a Distinguished Fellow
of the American Society of Healthcare Risk Management. She also served on the ASHRM board. She
is a member of the American Health Lawyers Association.
Daniel G. Hale
Daniel G. Hale serves as General Counsel of Trinity Health and leads the office of Community Benefit
and Public Affairs in fulfillment of Trinity Healths Mission to improve the health of the communities it serves. Under his leadership, community benefit activities are advancing to serve more people,
improve and expand access to equitable care, integrate care for chronic conditions, and influence
state and federal healthcare policies. Prior to joining Trinity Health, Dan was General Counsel of
Franciscan Health System, a Partner in Drinker Biddle & Reath in Philadelphia, PA and in Baker &
Hostetler in Columbus, OH. Dan is Chair of the Catholic Health Associations Health Reform InitiaEnterprise Risk Management for Healthcare Facilities, First Edition
xi
tive committee, dedicated to promoting universal health coverage. Dan is currently on the Audit &
Corporate Responsibility Committee of Catholic Healthcare Partners and on the Board of Trustees of
the Michigan Public Health Institute. Dan earned his law degree from Capital University Law School,
graduating cum laude, and his AB degree in English from Kenyon College. He is a member of the
American Health Lawyers Association.
Peter J. Hoffman
Peter J. Hoffman, Esq. is a Member of the Philadelphia office of Eckert Seamans Cherin & Mellott,
LLC, a large general practice law firm headquartered in Pittsburgh, Pennsylvania. He received his
BA from Washington and Jefferson College, his MA from State University of New York Graduate
School of Public Affairs, and his JD, cum laude, from Temple University School of Law where he
was the Executive Editor of the Law Review. Mr. Hoffman was a member of the Pennsylvania Select
Committee on Medical Malpractice from 1984 to 1986. He was a member of Governor Rendells
Medical Malpractice Task Force, and is currently Counsel to the Commonwealth of Pennsylvania
Patient Safety Authority. He is a Past President of the Pennsylvania Defense Institute. He was the
recipient of the Defense Research Institute Exceptional Performance Citation in 1989 and the Fred H.
Sievert Award in 1989. Mr. Hoffman was a co-author of the book Laws and Regulations Affecting
Medical Practice. He was the Chairman of Hearing Committee 1.15, Supreme Court of Pennsylvania
Disciplinary Board from 1993 to 1998, and served on the faculty for the Temple University School
of Law, Masters of Laws in Trial Advocacy and Academy of Advocacy. He has been listed as a top
attorney in Philadelphia Magazine each time the article appears, and has been listed in Best Lawyers
in America since 1995. He was listed as one of the top 100 lawyers in Pennsylvania in Pennsylvania
Super Lawyers 2004, 2005, 2007, and 2008. Mr. Hoffman was a member of the Temple Inns of Court.
He is a member of ASHRM, a Fellow of the International Academy of Trial Lawyers and Fellow of the
American College of Trial Lawyers, as well as the American Board of Trial Advocates.
Mark A. Kadzielski
Mark A. Kadzielski is the partner in charge of the West Coast Health Law practice at Fulbright &
Jaworski, L.L.P. His practice focuses on the representation of hospitals, medical staffs, managed care
enterprises, and institutional and individual healthcare providers throughout the United States in a
broad spectrum of matters, including government regulatory investigations, contracting issues, credentialing, licensing, medical staff bylaws, Joint Commission accreditation and Medicare certification.
Mr. Kadzielski is a member of the California Bar, the American Health Lawyers Association and the
California Society for Healthcare Attorneys. Since 1991, on the basis of peer evaluations, he has been
selected for the Healthcare Law Section of The Best Lawyers in America. In 2004, 2005, 2006, 2007,
2008, and 2009 he was selected by his peers as a Southern California Super Lawyer in Health Law.
In 2005, he was named to the American Health Lawyers Associations inaugural class of Fellows,
one of only four attorneys in California and forty attorneys nationwide to receive this honor. Also
in 2005, 2006, 2007, and 2008 he was selected as one of the top ten leading Healthcare Lawyers in
California by Chambers USA as a result of extensive interviews with clients and peers. Mr. Kadzielski
xii
has authored numerous books, articles, and chapters in healthcare publications. He is a nationwide
speaker on a wide range of health-related subjects. Mr. Kadzielski is a 1976 graduate of the University
of Pennsylvania Law School.
Christopher Nathan Kanagawa
Christopher Nathan Kanagawa is Senior Counsel with Fulbright & Jaworski L.L.P. and practices in
the healthcare, e-business and corporate areas. His healthcare legal experience includes counseling
both e-health and general healthcare clients. Christophers e-business experience includes advising
numerous clients, including healthcare systems and start-up Internet e-health companies, on corporate,
contracting and regulatory issues. Christopher also regularly advises traditional healthcare clients,
including healthcare systems and national health care providers and suppliers. Mr. Kanagawa received
his JD in 1998 from the University of Tulsa-College of Law and his BA in 1991 from the University of
Tulsa. Christopher is admitted to practice law in Missouri and Illinois. He is a member of the American
Health Lawyers Association.
Maria D. Lain
Maria D. Lain has over 30 years of healthcare experience with a focus on business solutions to achieve
profitability by integrating operations effectiveness, resource management, employee ownership and
accountability, and customer satisfaction. Within her job functions she has worked with organizations
to generate concepts and approaches that align culture, strategy and vision to achieve tangible change,
growth and income. Ms. Lain is currently the Service Line Director for Womens Health and Oncology
at The Chester County Hospital, West Chester, PA. She holds an MBA from Duke University, Raleigh,
North Carolina.
Marilyn Lamar
Marilyn Lamar is an attorney with more than twenty years of experience in corporate and information
technology law, including electronic health records (EHR) and HIPAA privacy and security issues.
Her practice includes a broad range of outsourcing, licensing, and other technology transactions on
behalf of hospitals, health plans, physicians, group purchasing organizations and technology companies. Before joining Liss & Lamar, P.C., Marilyn was a capital partner at McDermott Will & Emery
LLP where she chaired the Health Law Departments Information Technology practice group and cochaired its HIPAA practice group. She also chaired the Health Information and Technology Practice
Group of the American Health Lawyers Association (AHLA) from 2002 to 2005 and serves on its
Quality Council. Marilyn is also a member of the Healthcare Information and Management Systems
Society (HIMSS), serving on the Ambulatory IS Steering Committee, the Payer Roundtable and the
Legal Aspects of the Enterprise Task Force. After graduating from the University of Chicago Law
School, Marilyn served as a law clerk for the Honorable Richard D. Cudahy, United States Court of
Appeals for the Seventh Circuit. She is a frequent author and speaker on EHRs, evolving liability
issues involving information technology, HIPAA privacy and security and outsourcing.
Enterprise Risk Management for Healthcare Facilities, First Edition
xiii
Eileen Lampe
Eileen Lampe is a Member of the firm Eckert Seamans Cherin & Mellott, LLC in Philadelphia, PA.
She has tried numerous high exposure cases to verdict, and also serves as a mediator for healthcare
disputes. She also has experience in the premises liability, nursing home liability, and healthcare and
risk management practice areas. In addition, Ms. Lampe is often asked to be a mediator. Ms. Lampe
received her JD in 1986 from the University of Richmond T.C. Williams School of Law, and her BA
in 1981 from Franklin and Marshall College. She is admitted to practice law in Pennsylvania and
New Jersey.
R. Jeffrey Layne
R. Jeffrey Layne is a Partner in the Austin, TX office of Fulbright & Jaworski L.L.P. His practice
focuses on federal and state regulatory, administrative, and litigation-related health law matters,
including Medicare and Medicaid fraud and abuse and research compliance issues. His health-related
litigation experience includes criminal, False Claims Act and administrative litigation related to a
wide variety of Medicare and Medicaid fraud and abuse, reimbursement, and compliance issues. Jeff
represents clients from across the spectrum of the healthcare industry, including hospital systems,
university health systems, pharmaceutical and medical device manufacturers and distributors, pharmacies, suppliers, and managed care organizations. Mr. Layne received his MPH in 1998 from Harvard
University, his JD in 1994 from Duke University Law School and his BBA, magna cum laude, in 1990
from Texas Christian University. Jeff is admitted to practice law in Texas and the District of Columbia.
He is a member of the American Health Lawyers Association.
Mary OToole Mahoney
Mary OToole Mahoney is Associate General Counsel at Tufts Associated Health Plans, Inc., a managed care organization in Watertown, Massachusetts. She joined Tufts Health Plan in 1995. Mary
is responsible for providing legal guidance to the companys board of directors and management
on corporate governance and transactions, financial, tax, and accounting matters. She also serves as
primary counsel on executive and employee benefits and compensation, and intellectual property.
Mary has served as counsel to numerous areas of the company over the years, including general risk
management, clinical services, all areas of contracting, technology and e-business. In addition, Mary
has been counsel on a variety of transactional matters for the plan. Mary received her BS in Nursing
and Philosophy from the University of Scranton in 1986 where she was a graduate of the Special
Jesuit Liberal Arts Honors Program, and her JD from the University of San Francisco in 1991. She is a
member of the Board of Directors of A Place to Turn, an emergency food pantry serving the metrowest
area of Boston.
xiv
Elizabeth M. Mills
Elizabeth M. Mills is Senior Counsel in the Chicago office of Proskauer Rose LLP. As a member
of the Firms Health Department, she concentrates her practice on nonprofit organizations and their
tax exemption concerns as well as healthcare organizations and hospital-physician transactions. She
works with hospitals and other institutional healthcare providers, health maintenance organizations,
and academic medical centers, as well as other public charities, private foundations and charitable
giving vehicles. Elizabeths practice with tax-exempt organizations includes addressing tax exemption
compliance issues such as intermediate sanctions and use of tax-exempt bond-financed property, representing organizations being audited by the IRS, and assisting organizations in obtaining tax exemption
from the IRS. Ms. Mills received her JD, cum laude, in 1984 from the Northwestern University School
of Law, her MS in 1978 from the Harvard School of Public Health, her MA in 1975 from Stanford
University, and her BA in 1973 from the University of Kansas. She is admitted to practice law in Illinois. She is a member of the American Health Lawyers Association, and serves as a Vice Chair of its
Tax and Finance Practice Group.
Peggy Nakamura
Peggy Nakamura, RN, MBA, JD, DFASHRM, CPHRM is Assistant Vice President, Chief Risk Officer, and Associate Counsel for Adventist Health. In this role, she oversees a comprehensive Risk
Management Department, including self-administered/self-insured programs in workers compensation, professional, general and managed care liability. She was awarded the Distinguished Service
Award from the American Society of Healthcare Risk Management in 2008, and is a past President of
ASHRM. Ms. Nakamura holds an associate degree in Nursing from Sacramento City College, Sacramento, California, and a bachelors degree in Biological Sciences from the University of California,
Davis. In addition she has an MBA from Golden Gate University in San Francisco, California, and
a Juris Doctor from McGeorge School of Law also located in Sacramento. Ms. Nakamura is faculty
for the California Hospital Associations Consent Law, Consent Basics, and EMTALA seminars. She
also is faculty for ASHRMs Barton Certification Program in the Advanced Forum module. She is a
member of the American Health Lawyers Association, and currently serves as Chair of its Risk Management Affinity Group of the Hospitals and Health Systems Practice Group.
Nicola Nelson
Nicola Nelson is an associate at the Rockford, Illinois office of Hinshaw & Culbertson LLP, where
her practice is focused primarily in environmental law. She advises and represents municipalities,
organizations, and business entities with respect to environmental permitting and compliance, as well
as enforcement actions. Prior to coming to Hinshaw & Culbertson, Ms. Nelson clerked as a judicial
extern to the Honorable Anne M. Burke of the Illinois Supreme Court. She also previously clerked as
a judicial extern to the Honorable Amy J. St. Eve, United States District Court, Northern District of
Illinois. Ms. Nelson graduated first in her law school class and was class valedictorian.
xv
in representation of hospitals in emergency guardian and treatment order cases. Ms. Plump received
her JD from Fordham University School of Law, her MA in Education from LaSalle University, and
her BA, cum laude, from Bucknell University. She is admitted to practice law in the United States
District Court.
Nancy T. Poblenz
Nancy T. Poblenz, RN, BSN, DDS, JD, CPHRM serves as Litigation and Loss Prevention Director
for CHRISTUS Health, based in Houston Texas. In this capacity, she is responsible for the claims
investigation and litigation management of all matters involving the healthcare system, including
professional, general, employment, business, class action and other litigation against any CHRISTUS
Health facilities. She also coordinates the corporate response to all government and regulatory
investigations. As corporate Loss Prevention Director she is responsible for leading all corporate loss
prevention initiatives. She serves on various committees, including the corporate Quality Committee
and Clinical Policy Team, and is active on the CHRISTUS St. John Hospital Ethics Committee. Nancy
is a graduate of the University of Texas at Arlington, Baylor College of Dentistry and University of
Houston Law Centre. She is a member of the College of the State Bar of Texas and has previously been
in the private practice of personal injury, medical malpractice, and employment related litigation. Her
medical and nursing experience includes work in hospitals, clinics and long term care facilities. She is
a member of the American Health Lawyers Association.
Richard S. Porter
Richard S. Porter is a Partner with the firm Hinshaw & Culbertson LLP. He represents municipalities
and business enterprises in environmental law and litigation, and in general commercial and insurance
defense litigation. Mr. Porters environmental practice includes experience with CERCLA, NEPA,
RCRA, Clean Air Act, Clean Water Acts, Phase I and II reports, TACO program, Brownfields programs, NPDES permitting, environmental impact studies, Superfund litigation, underground storage
tanks, toxic tort actions, indoor air quality, asbestos abatement and solid waste management. Mr. Porter received his JD, cum laude, from the Southern Illinois University College of Law in 1992, and his
BS from the Illinois State University in 1988. He is admitted to practice law in Illinois.
Yvonne Karen Puig
Yvonne Karen Puig is a Partner at Fulbright & Jaworski L.L.P. Ms. Puig practices exclusively in the
healthcare area and represents hospitals, HMOs, medical schools and other institutional healthcare
providers. She has extensive experience in a variety of health law regulatory matters, including, but
not limited to: EMTALA, credentialing, due process hearings, and JCAHO accreditation and compliance. Her trial experience includes complex litigation, such as representation of hospital systems,
manufacturers and sellers of medical devices, and commercial litigation involving the health industry.
Additionally, she has experience reviewing business arrangements among managed care providers
and other statutory and regulatory compliance. Yvonne is also an author who has published numerous
Enterprise Risk Management for Healthcare Facilities, First Edition
xvii
articles on a variety of healthcare topics and liability updates. She received her JD in 1978 from The
University of Texas School of Law and her BA in 1975 from the University of Texas. Yvonne is admitted to practice law in Texas. She is a member of the American Health Lawyers Association.
Steven M. Puiszis
Steven M. Puiszis is a Partner in the Chicago office of Hinshaw & Culbertson LLP, and is a member
of their Business Litigation Practice Group, as well as its Electronic Discovery Response Team. He is
a well-known and highly experienced trial attorney and mediator with a wide-ranging litigation and
trial practice in state and federal court, who stopped counting after having taken more than 40 civil
and criminal jury trials to verdict. He is one of the few attorneys nationally who has ever successfully
defended through trial a federal class-action lawsuit. Mr. Puiszis received his JD in 1979 from Loyola
University Chicago School of Law, and his BS in 1976 from DePaul University. He is admitted to
practice law in Illinois. He is a member of the American Health Lawyers Association.
Emily Rhinehart
Emily Rhinehart, RN, MPH, CIC, CPHQ, is a Vice President at AIG Consultants, Inc., and has over
25 years of diverse healthcare experience. As a consultant and manager, she has developed and provided
a wide variety of products and services for the healthcare market including risk and quality management, performance measurement programs, patient safety programs, and infection control programs for
organizations in all healthcare segments. Ms. Rhinehart holds a Bachelor of Science in Nursing degree
and a Masters in Public Health with a concentration in Epidemiology. She is certified in healthcare
quality (CPHQ) and infection control (CIC). She entered the healthcare quality and risk management
arena after 15 years of outstanding success as a national and international leader in hospital infection
control and epidemiology. She has provided consultation in quality management and infection control
to healthcare organizations and industry in the US, Asia, Europe, Central and South America.
Nestor J. Rivera
Nestor J. Rivera is an Associate at the Atlanta, GA office of Carlton Fields PA. Mr. Rivera is a member
of the Firms Health Care Practice Group. His practice includes representation of healthcare providers
of all sizes in both operations/regulatory and litigation matters. He has advised clients on healthcare operations and regulatory matters, including: HIPAA and related federal and state privacy laws,
healthcare provider reimbursement and insurance coverage, guardianship, contract negotiation and
implementation, debt collection and credit reporting requirements, and other issues encountered by
healthcare providers on a daily basis. Mr. Riveras litigation experience includes representation of
healthcare providers of all sizes in breach of contract, tortious interference, payment of billed charges,
and other business claims. Mr. Rivera received his JD in 2000 from Emory University School of Law
and his BBA in 1997 from the University of Miami. He is admitted to practice law in Georgia and
Florida. He is a member of the American Health Lawyers Association.
xviii
Ila S. Rothschild
Ila S. Rothschild, MA, JD, is Special Counsel with the Office of General Counsel at The Joint Commission. As Special Counsel, Ila has advised The Joint Commission on a number of issues, among
them: credentialing/privileging; peer review and confidentiality; conflict management; risk management; disruptive behavior; telemedicine; leadership accountability; ethics; patients rights; patient
safety, and overall interpretation of accreditation standards. She has also co-authored briefs to the
Kentucky Supreme Court and the U.S. Supreme Court on issues relating to confidentiality of peer
review. Ila taught legal and ethical issues in healthcare as a lecturer-in-law at the University of Chicago Law School. A staunch advocate for patients rights, Ila has co-authored amicus curiae briefs
on end-of-life issues to the U.S. Supreme Court and the Supreme Court of California. Ila received
her bachelors degree with honors from the University of Wisconsin; her masters degree from the
University of Chicago; and her Juris Doctor from Chicago-Kent College of Law. She is licensed in
Illinois and California and is a member of the bar of the U.S. Supreme Court. She is a member of the
American Health Lawyers Association.
Fay A. Rozovsky
Fay A. Rozovsky, JD, MPH, DFASHRM, is President of The Rozovsky Group, Inc. An experienced
healthcare risk management consultant and attorney, Ms. Rozovsky works with clients along the
continuum of care, providing healthcare professionals, organizations and leadership with practical
risk management and patient safety solutions. She is a Distinguished Fellow of ASHRM, and a past
President of the Society. Ms. Rozovsky has lectured extensively and authored or co-authored over five
hundred articles and several books. A summa cum laude graduate of Providence College, Ms. Rozovsky
received her JD from Boston College Law School and an MPH from the Harvard School of Public
Health. She is an Affiliate Associate Professor in the Department of Legal Medicine at the Virginia
Commonwealth University School of Medicine. Ms. Rozovsky is admitted to the practice of law in
Florida and Massachusetts. She is a member of the American Health Lawyers Association.
Mary S. Schaefer
Mary S. Schaefer, RN, M.Ed, ARM, JD, is Corporate Director of Risk Management of Covenant Health
Systems. In her current role, Ms. Schaefer provides oversight and direction over a system-wide risk
management program, insurance operations, and Captive medical malpractice claims management.
She currently serves as a member of Covenants Quality Board Committee and Preferred Professional
Insurance Companys Claims/Risk Advisory Council. She currently chairs Covenants Risk Management, Insurance and HIPAA Committees. Ms. Schaefer received a Juris Doctor from the New England
School of Law and is admitted to the Massachusetts Bar. She also earned a Master of Education from
Boston University, a Bachelor of Science in the nursing program, cum laude, from Central Connecticut
State University. She also earned an Associate Degree in Risk Management from the Insurance Institute of America. She is a member of the American Health Lawyers Association, and an active member
of its Risk Management Affinity Group of the Hospitals and Health Systems Practice Group.
xix
xx
Contents
Preface.......................................................................................................................... iv
Acknowledgments ....................................................................................................... v
About the Editor ......................................................................................................... vi
Contributing Authors................................................................................................ vii
Part IIntroduction
Chapter 1Enterprise Risk ManagementWhats It All About? .................................................3
1.1
Setting the StageManaging Risks ......................................................3
1.2
What Has Changed? ...............................................................................4
1.3
Risk Management as a Decision Making Process .................................4
1.4
Enterprise Risk Management (ERM).....................................................4
1.6
Risk Relationships ...............................................................................12
1.7
Risk Correlation ...................................................................................12
1.8
Responsibility for Enterprise Risk Management .................................13
1.9
Organizational Risk Appetite ...............................................................14
1.10
Risk Identification and Analysis ..........................................................15
1.11
Strategy Setting and Solution Identification ........................................18
1.12
Implementation ObstaclesMonitoring, Evaluating and
Changing the Program .........................................................................18
1.13
Benefits of ERM ..................................................................................20
1.14
ERM Success Factors ..........................................................................21
1.15
The Future Risk Management Professional .........................................22
1.16
Conclusion ...........................................................................................22
Table 1.1Reasons for Change ..........................................................23
Exhibit 1.1Values Doctrine ..............................................................24
Exhibit 1.2Risk Appetite/Risk Tolerance .........................................25
Table 1.2Qualitative Measure of Risk Frequency............................25
Table 1.3Measure of Time to Impact ...............................................26
Table 1.4Measure of Risk Severity ..................................................26
Table 1.5Fetal Hypoxia ....................................................................27
Exhibit 1.3Sample Risk Map ...........................................................28
Chapter 2Structuring an Enterprise Risk Management Program .............................................29
2.1
Introduction ..........................................................................................29
2.2
Laying the Groundwork .......................................................................29
2.3
Designing and Conducting the Initial ERM Risk
Identification Interviews and Survey Process ......................................32
2.4
Addressing Identified ERM Risks .......................................................35
2.5
Integrating ERM into the Corporate Culture .......................................37
2.6
Conclusion ...........................................................................................38
Appendix ..............................................................................................39
xxi
xxii
xxiii
xxv
xxvi
xxvii
xxix
Part I
Introduction
Principle #6: A charitable organizations board should ensure that the organization has adequate plans to protect its assets. This Principle indirectly endorses the
concept of enterprise risk management as a proper topic for formal board attention.
It concludes that boards are responsible for understanding the major risks to which the
organization is exposed, reviewing those risks on a periodic basis, and ensuring that
systems are in place to effectively manage those risks. Many nonprofit hospitals and
health systems have long maintained components of such a strategy (e.g., corporate
compliance plans, insurance covering key assets, quality of care oversight, technology
backup, asset insurance, and indemnification and insurance protection for officers and
directors). By this principle, however, the Panel describes additional components of
enterprise risk management and encourages boards to evaluate risk mechanisms from
a more global perspective.
From Principles for Good Governance and Ethical Practice: A Guide for Charities and
Foundations at http://www.nonprofitpanel.com/selfreg/Principles_Guide.pdf.
1
Enterprise Risk Management
WhatsItAllAbout?
Roberta Carroll, RN, ARM, CPCU, MBA, CPHRM, CPHQ, LHRM, HEM, DFASHRM
Senior Vice President, Aon Healthcare
1.1
The medical professional liability crisis of the 70s and 80s was the impetus for development of
most risk management programs. Initially, the emphasis was on insurable risk and facility hazards
with a financial and claims focus gradually moving toward responding to clinical risks. The movement
toward clinical risks was a reactive strategy to improve patient safety, albeit not necessarily said in
such terms. The risk management professionals thought their efforts to avoid, prevent, and manage
clinical risk would preserve the financial assets of the organization through the delivery of safe patient
care. Somewhere along the way, this message was lost.
The identification and management of organizational risks heretofore has been fragmented into
silos of responsibilities and accountabilities across the organization with no clear coordination, facilitation, or communication. For the most part, risks have been managed as if they were in standalone,
disparate business units with no oversight or relationship with other units.
Healthcare risk management programs started in the acute care hospital setting and have expanded
over time to other healthcare settings outside the conventional hospital borders. Common to most
healthcare risk management programs have been the development and implementation of early warning systems to identify organizational risks. The most familiar of all early warning systems is the
incident report. The incident report has been a reactive or retrospective internal source of information widely supported by nursing practitioners as a reporting tool for adverse events or happenings not
consistent with normal operations. However, even this cornerstone of healthcare risk management has
no common taxonomy, offering no standardization from one organization to the next. The majority of
states have adverse event reporting requirements: one is voluntary (Oregon), while others are mandatory. The data collected varies from state to state, and little to no strategies and solutions to mitigate
risk are offered. Without a common taxonomy or standardization of data sets among the reporting
systems, the wealth of information currently being amassed by individual state reporting systems has
no means by which trends can be identified, common themes recognized, lessons shared, or mitigation
strategies implemented. Current efforts by the World Health Organization (WHO), The Joint ComEnterprise Risk Management for Healthcare Entities, First Edition
The healthcare delivery system in the 21st century has changed dramatically from the not-too-distant past. Many of these changes have clearly placed the spotlight on healthcare as a setting of evolving
risks. See Table 1.1 for a listing of reasons why healthcare changed. This chapter will not discuss these
changes; however, it is important to remember that changeregardless of how well intended or necessaryis not without risk. Healthcare organizations need to identify and manage all its risks, not just
those with which they are familiar or comfortable, have previously identified, or can easily quantify.
The focus of risk management has changed, expanding to identify and assess risk proactively in
tandem with other risks, involving the highest levels of the organization (Board and C-Suite3) requiring the collaborative effort of all employees. No longer can healthcare risk management simply react
to clinical risks and hope that patient safety is achieved; efforts must focus on risks that affect the
entire organization and not just one aspect of operations.
1.3
Risk management as a management decision making process, espoused by George Head from
the Insurance Institute of America (IIA), has been around since the early 1970s. The risk management
process includes the following steps: (1) identifying risk and analyzing an organizations exposure to
loss; (2) examining alternate risk techniques; (3) selecting the best technique(s); (4) implementing the
technique(s) chosen; and (5) monitoring and making changes as necessary. This 5-step process has
been embraced by healthcare risk management professionals since those early days as well. It is within
this context that enterprise risk management will be discussed.
1.4
The following section will address the background of enterprise risk management, offer a definition in the context of healthcare, and identify activities that support ERM.
1.41
ERM Background
There has been much conversation on the topic of enterprise risk management in the past five
years but little progress in healthcare. ERM was first initiated within the financial sector which includes
banks, investment companies, brokerage houses, and insurers. Consequently, comprehensive systems,
processes, metrics, models, and best practices are well developed in this business sector. Couple those
with stringent regulations and government oversight, and you have a business sector that is more
sophisticated and mature in terms of ERM than healthcare. So, how is the dramatic decline in public
confidence and escalating home foreclosures created by the recent mortgage debacle explained? How
are the Wall Street investment firms scandals with investors losing billions justified? Understanding
that no organization or business sector is immune from catastrophic loss is a start.
Scandals involving accounting compliance and corporate governance such as those seen with
Enron, WorldCom, and Tyco prompted the passage of the Sarbanes-Oxley Act of 2002 (SOX). This
was the impetus for many organizations to implement enterprise risk management programs. The
requirements of SOX are focused primarily on publicly traded, for-profit companies; however, many
not-for-profit healthcare organizations are voluntarily complying with the principles and financial controls embedded within SOX. Additionally, SOX heightened the awareness of boards of directors as to
their responsibility for identifying and managing organizational risks and called the question of ERM
programs to the forefront.
The Treadway Commissions Committee of Sponsoring Organizations (COSO)4 in 2004 issued
the Enterprise Risk ManagementIntegrated Framework. This publication offered an ERM framework
and provided a set of best practices for organizations to use when implementing ERM programs.
This report was an expansion on the work companies were already doing to comply with SOX and
offered guidance for creating an organization-wide risk management.
Furthering support for ERM programs, beginning in 2007 financial companies will be asked a
series of questions about risk management in their evaluation by Standard & Poors (S&P), the debt
rating agency. The results of their evaluation are just one of many factors used to determine a companys debt rating. This evaluation, in part, determines the interest rate lenders charge for loans or bonds.
On May 7, 2008, Standard & Poors announced that the agency will enhance its global rating process
for non-financial companies to include a review of their ERM programs. S&P will begin to hold ERM
discussions with rated companies in the third quarter of 2008 and will begin to include commentary in
S&P reports in the fourth quarter. It is unlikely that the formal scoring of companies ERM capabilities will go into effect much before 2009 because a sufficient number of reviews to permit reliable
benchmarking needs to be conducted and evaluation criteria needs to be published.5 The impact that
S&P will have on rated healthcare organizations is still to be determined, but most likely will not be
an immediate priority.
4
COSO is the Committee of Sponsoring Organizations of the Treadway Commission. A voluntary council with members
from five accounting organizations, COSO represents a cooperative effort between the American Institute of Certified Public Accountants, American Accounting Association, the Financial Executives Institute, the Institute of Internal Auditors,
and the Institute of Management Accountants. For more information, go to http://www.coso.org.
5
Enterprise Risk Management: S&P Enhancement White Paper, Executive Summary. p. 2 May 2008, Aon Global.
ERM Defined
Creating a common language and accepted definition of terms is important when discussing enterprise risk management. Enterprise risk management means different things to different people. It is a
discipline, a practice, and a process. The following working definitions are offered:
Enterprise risk management is a discipline that engages professionals in the practice of
identifying, managing, controlling, and monitoring all risks to the organization.
And
Enterprise risk management can best be described as an ongoing business decision making
process instituted and supported by the healthcare organizations board of directors, executive
administration and medical staff leadership. ERM recognizes the synergistic effect of risks
across the continuum of care, and has as its goals to assist the organization reduce uncertainty
and process variability, promote patient safety and maximize the return on investment (ROI)
through asset preservation, and the recognition of actionable risk opportunities.
In Enterprise Risk ManagementIntegrated Framework,6 issued by COSO in 2004, enterprise
risk management is defined as a process, effected by an entitys board of directors, management
and other personnel, applied in strategy setting and across the enterprise, designed to identify potential
events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.
As discussed earlier, even though healthcare organizations have not made tremendous inroads
into ERM, it does not mean that they have not been managing risk. The difference between the previous methods of identifying and managing risks and ERM is the recognition of gain as a possible
outcome of risks, the identification of risks proactively as opposed to reactively and understanding
the synergistic relationship among and between risks. Risks do not exist in isolation and can best be
understood in terms of importance or contribution to a portfolio of risks. Risks cross organizational
structures and relationships and should be managed initially in a comprehensive manner from the
top-down. Over time, through education and practice, ERM will permeate the entire organization and
empower all employees to identify risks and recommend mitigation strategies. ERM becomes vertical
and horizontal and becomes a top-down as well as an upward process.
Available at http://www.erm.coso.org/Coso/coserm.nsf/vwWebResources/PDF_Manuscript/$file/COSO_Manuscript.pdf.
1.5.3
ERM Activities
ERM is a series of interrelated activities that are broad in scope and reflect an organizational-wide,
ongoing commitment. Failure to recognize the synergistic effect of risks across the full continuum of
healthcare settings jeopardizes the implementation of long-term risk mitigation strategies and increases
costs through inefficient deployment of resources. To be most effective, it should be part of strategic
planning for the organization and a proactive as well as reactive process.
When developing an organizational-wide ERM program, consideration must be given to differences in the setting or locale (acute care hospital, skilled nursing facility, physician office practice),
organizational structure (for profit, not-for-profit, governmental), business approach and strategy
(community based, faith-based, academic/teaching, integrated network), stakeholders and customers,
and systems and processes, as no organization is exactly alike and many organizations have disparate
parts. The challenge in developing an ERM program is consistency in process: getting everyone on the
same page, so to speak, at the same time and with the same focus.
1.5.4
Risk Domains
Regardless of the setting or locale, it is common practice to refer to domains or areas of risks
when discussing ERM. The following are typical areas or domains of risks under ERM with a common
description for each and examples. They can contract and expand depending upon the ERM definition,
organizational preference, settings, and uses.
1. OperationalRisks related to the business operation that result from inadequate or failed internal processes, people, or systems. The business of healthcare is patient/resident related with an
emphasis on the delivery of clinical care that is safe, timely, effective, efficient, and patientcentered. Examples of healthcare operational risk areas include but are not limited to:
Documentation
Quality Initiatives
99 Pay for Performance (P4P)
99 Variability in care and quality outcomes
Adverse event management
99 The use of disclosure and apology
99 Transparency
Chain of command
Medical professional liability
National Quality Forums list of 28 Never Events
Patient falls
Medication errors
National Patient Safety Goals (NPSGs).
10
ERM Framework
Risks can keep an organization from achieving its mission and strategy objectives. Risk management professionals can make a meaningful contribution by partaking in the strategic planning process
and should become partners with those responsible for strategy setting. All healthcare operations have
some level of risk. The risk management professional can assist the organization in considering risks
associated with new programs both clinical and non-clinical, going green, expansion into new markets such as those seen with medical tourism, mergers, acquisitions and divestitures, and the purchase
and implementation of technological advances, to name a few. Emerging risks can occur in any area
(financial, human resources, technological, legal and regulatory, etc.) and should be thoroughly evaluated to determine the impact to the organization. It may be necessary to engage the expertise of others
if the risk manager does not have the requisite skills necessary to evaluate those risks thoroughly. An
annual assessment of risks to the organization can lay the foundation for the development and review
of the strategic plan. Developing a comprehensive ERM framework will also support the yearly budgeting process mapped to risk initiatives.
It is also important to understand that the practice of risk management is not the practice of law,
medicine, nursing, accounting, actuarial science, or insurance. It is a management discipline supported
by a business decision-making process that utilizes the expertise of many professionals. While having
a clinical, legal, or other professional background may be helpful as a practicing risk management
professional, keep in mind that risk management decisions, recommendations, and opinions are based
on sound business practices and are not to be confused with rendering a legal opinion or a medical
recommendation.
11
Risk Relationships
Risks are uncertain events or conditions. Pure risk implies that there is no possibility of a gain.
Either a loss is realized or the status quo is maintained. There is another type of risk that ERM recognizes called speculative risk where there is the possibility of gain/profit or loss. The best example of
speculative risk is gambling. Not considering for a moment the odds of a particular outcome, in speculative risk the possibilities include winning or losing. In healthcare, many risks can be considered
speculative because of the possibility that, if managed appropriately, they can benefit an organization.
Benefits to the organization can include giving the organization a competitive edge, receiving additional dollars under P4P metrics, attracting a higher caliber of professionals to their staff, maintaining
or increasing market-share, and the like.
1.7
Risk Correlation
The synergistic effects of risks can impact more than one area or domain simultaneously. All risks
should be evaluated in concert with other risks. Risks may be positively or negatively correlated with
other risks. In risks that are positively correlated, as the probability of one risk increases so does that
of an associated risk. Employee dissatisfaction, diminished morale, and a negatively perceived work
environment often contribute to increased risks in the human capital domain. The human resource
department responding to these risks and the workforces desire for flexible hours and decreased number of work days implemented twelve hour work shifts. Oftentimes what was anticipated to be a
12-hour shift turns out to be greater than 12.5 hours. The risk associated with these longer shifts
increases the risks of fatigue, falling asleep, and an increase in medical professional liability. Studies
have shown that making an error almost doubled when nurses worked 12.5 or more consecutive hours,
and the majority of those errors were medication errors.7
In negatively correlated risks, the probability or impact of increasing one risk decreases that of
an associated risk. As an example of a negatively correlated risk, consider the organization that wants
to decrease the number of days patients are on ventilators in the intensive care unit; certainly a worthwhile goal. If the organization only strives to decrease the length of time patients are on ventilators,
they may not account for the number of re-intubation in the same unit during the same period of time.
The number of patient days on ventilator may decrease but the rate/number of re-intubations may
increase giving a false picture of positive outcomes. Risks need to be identified and managed together
to receive maximum benefit. Looking at risk in a silo may not account for the unrecognized trickledown or synergistic effect.
Utilizing an ERM framework will support the organizations ability to evaluate processes and
outcomes in tandem while understanding the cascading effect of risks or how independent intervening
events can come together at just the right time to create risks that affect the delivery of care. James
Reason best described this theory when explaining his Swiss Cheese theory of accident causation.
Reason explains that accident causation is akin to lining up small failures or fractures in organizational
systems and processes much like the holes in Swiss cheese. No one failure would cause the error, but
Scott L.D., Rogers A.E., Hwang W.T., and Zhang Y., Effects of Critical Care Nurses Work Hours on Vigilance and
Patients Safety, American Journal of Critical Care, January 2006, Volume 15, No. 1.
12
Because ERM takes a broad, high-level view of risks, it requires the commitment of strategically
placed professionals throughout an organization, including those in the C-Suite. All successful ERM
programs have this high level of organizational commitment. The responsibility for ERM however,
ultimately resides with the board of directors. This dictates that the board understands the principles
and practices of ERM, is conversant in how those practices and principles differ from traditional risk
management programs, supports an environment that embraces change, and sets strategy to support
ERM activities. Legal counsel can be particularly helpful in educating the board as to their risks
responsibilities and preparing them for ERM adoption. Other board responsibilities include:
creating and endorsing a Values Doctrine espousing the ERM process (see Exhibit 1.1);
reviewing identified organizational risks in concert with other risks;
approving risk ranking/scoring;
reviewing and approving initiatives and prioritization; and
reviewing status reports routinely (monthly/quarterly) until resolution.
The boards role in ERM is ongoing and continuous. Once solutions are implemented, they need
to be periodically assessed to ensure that the solution identified and implemented is still working
and fits the risk. Risks can and do change over time. What works today may not work tomorrow. In
addition, new risk will be identified and new solutions developed. ERM is a process, not a one-time
function; it is a series of related on-going activities. Understanding the answers to the following key
risk questions will assist the board in understanding ERM:
Enterprise Risk Management for Healthcare Entities, First Edition
13
Risk appetite is the amount of risk an organization is willing to assume for a return it hopes to
achieve. ERM assists an organization in selecting a strategy that is consistent with risk tolerance parameters. The concept of risk appetite is important for the board of directors to understand. Is the organization
risk adverse and insures all risks from the first dollar of loss, or are they risk takers with sophisticated
programs of self-insurance and other forms of alternative risk financing? Remember the more risks taken
the greater the responsibility for managing risks. See Exhibit 1.2, Risk Appetite/Risk Tolerance.
1.9.1
Earlier in this chapter when discussing speculative risk, it was identified that risks can have a positive outcome or gain. There are two significant questions to ask when discussing risk as a competitive
advantage. They are:
Is the risk more dangerous to our competitors?
Can we manage the risk better than our competitors?
The answers to these questions will help an organization take the lead among their competition.
Competitive advantage in the marketplace often discusses earnings per share or some other financial
metric. In healthcare, competitive advantage often has quality of care outcomes and decreased variability at its core.
1.9.2
14
The identification and analysis of risk is managements attempt to determine what risks can impact
strategy and the achievement of organizational goals. Both formal and informal methods are used to
identify organizational risk. Risk can be internal within an organization or external to it. Risks can
be identified retrospectively, concurrently, pre-interventional, and prospectively. The incident report,
the longest in-use risk identification tool (albeit not necessarily the best method to identify significant
risks) can be both a retrospective and concurrent method by which risks are identified depending on
the timeliness of the report. The use of occurrence reporting in high-risk areas (for example, every
delivery where a baby is born with an Apgar score of 5 at five minutes is reviewed or when a patient
returns to the emergency department within 48 hours after discharge) are forms of concurrent risk
identification used in clinical settings. The review of discharged patient medical records using a set
of predetermined screens is a form of retrospective risk identification. The Institute for Healthcare
Improvements (IHI) Global Trigger Tool for Measuring Adverse Events8 is another method for retrospective risk identification. Current efforts to minimize wrong-site, wrong person, wrong body-part
surgery through the use of a universal time-out is a type of pre-intervention risk identification. The
study of filed claims and lawsuits to determine trends that could likely form the basis for future claims
and failure mode and effects analysis (FMEA) are examples of prospectively identifying risks. Risks
can be identified on an organizational-wide basis or can be department/unit specific.
Available at http://www.ihi.org/IHI/Topics/PatientSafety/SafetyGeneral/Tools/IHIGlobalTriggerToolforMeasuringAEs.htm.
15
Once all organizational risks have been identified, analyzed, and placed in the risk register, thenext
steps are to:
Understand and attempt to quantify the potential magnitude or materiality of each identified
risk.
Consider the positive and negative consequences of events underlying identified risks across
an organization.
Incorporate at least two dimensions of risk: likelihood and severity.
Recognize that there may be a range of possible results associated with an event.
1.10.1.1
There are many tools to assist in the evaluation and assessment of identified organizational risk.
A few of them include: failure mode and effects analysis (FMEA), vulnerability analysis, quantitative
risk modeling, cost benefit analysis, risk scoring, risk maps/heat maps, financial analysis (simulation,
modeling), and a review of adverse outcomes data. How to determine a risks score and display it
graphically will be discussed as an example of risk assessment tools.
16
1.10.1.1.1
Risk Scoring
Once an exhaustive list of risks is assembled, it is helpful to evaluate the importance of one risk
over another. This methodology may be largely intuitive but in most cases takes into account probability, time to impact/discovery, and severity. A sample formula is displayed below. By developing a
score/rank for each risk, a priority order for each score can be displayed. The graphic display of these
results is called a risk map or heat map. See Exhibit 1.3, Sample Risk Map. The descriptor and detail
can change to fit organizational risk appetite or tolerance levels. For example, in the formula shown,
alevel 1 risk considered to be minor has a financial value less than $50,000. Some organizations may
find that range to be higher than their tolerance for risk and might change the range for minor risk to a
value at or below $5,000 while other organizations may find the level too low and raise the tolerance
to a value above $5,000,000. The value and ranges within the measure of risk frequency (probability),
(see Table 1.2, Qualitative Measure of Risk Frequency), measure of time to impact (see Table 1.3,
Measure of Time to Impact), and the measure of risk severity (see Table 1.4, Measure of Risk Severity) can all be changed to meet organizational preferences, appetite and tolerance. What is considered
to be of significance to one organization may be insignificant to another. These tables are offered only
as examples and should be reviewed by each organization for relevance and appropriateness. Once
a determination has been reached on how risks are to be scored, the scoring/ranking methodology
should not be changed without good cause. Consistency in how risks are evaluated is important.
Sample Formula
(Probability + Time to Impact) x Severity = Risk Score
(1- 5 + 1- 3) X 1- 5 = Risk Score
The highest score in the formula with this sample scoring is 40. The example offered in Table
1.5 is offered to highlight that even significant events can have lower scores due to a lower frequency
or number of events that occur during a given period. Keep in mind that events that score higher or
closer to a score of 40 most likely would have already been identified with solutions and strategies
implemented to reduce their frequency if not preventing them for occurring all together.
1.10.1.1.2
Risk Mapping
Risk mapping graphically depicts an organizations risks, displaying the relationship between
frequency and severity. It requires a team approach to identify and rank each identified risk. See
Exhibit1.3 for a Sample Risk Map. Prioritized risks are useful for:
data collection;
identifing risk mitigation strategies;
allocating capital and limited resources;
exploiting a competitive edge; and
improving knowledge of exposure and facilitates risk control techniques.
Once all risks are identified, evaluated and measured, the organization can develop prioritized,
organizational-wide solutions and strategies for dealing with those risks.
Enterprise Risk Management for Healthcare Entities, First Edition
17
In determining the strategies and solutions that may be appropriate to implement, risk projects are
identified and evaluated by:
Low-hanging fruitwhich risks are clearly identified and a solution readily available.
These risks are considered quick fixes and may not drain valuable resources. Keep in mind,
however, the possibly for negatively or positively correlated risk discussed earlier.
Resource allocation and availabilityHow will the solution or strategy suggested impact the
following:
99 Human capitalDoes you organization have the personnel available to initiate, manage,
and monitor a new project?
99 Financial/costDoes the risk resolution or mitigation strategy meet the organizations
risk appetite? Does the budget address these projects?
99 Time to completionWill the time to complete the project and monitor its progress take
so much time that the risk will have already changed, making the solution obsolete?
99 Expertise neededAre there available resources in-house, or will outside expertise
and consultation be necessary? If not, are there dollars in the budget to hire the needed
expertise?
99 Internal or externalDoes the project require the use of external resources (systems,
products, people, hardware)? If so, has the organization done a cost benefit analysis on
use of the resource?
99 Frequency and severity of riskHas the organization identified which risks to address
first? Is this by frequency, severity, time to impact, availability of resources, or some
other metric? Can the organization support its prioritization of risk projects?
Projects identified by individual, committee, department
99 What methodology will be used to identify, analyze, and assess and prioritize risks
throughout the organization? Will surveys and questionnaires supplemented by interviews with key staff be conducted? How will the organization receive the input from
frontline employees? Is there a forum to solicit ideas and suggestions? Will a person or
committee take charge to review all risk and assess their organizational impacts?
1.12
The ultimate success of an ERM program is like the success of any other cultural change within
the organizationonce implemented, it requires monitoring and reinforcement. Risks to the organization changes over time as new risks emerge and older, more well-known risks are appropriately
mitigated or eliminated. Strategies and solutions implemented to address identified risks need periodic
monitoring to ensure that the intended outcome is still being achieved. An even more basic question
is, does the risk still exists? With the continued limitation on scarce resources (time, money, and
people), monitoring the ERM program becomes a critical component of any ERM program. Ongoing
18
19
Benefits of ERM
The ERM process allows the organization to take a more strategic perspective of risk from the
top-down. This view should result in the following benefits:
development of strategies and solutions that support the organizations mission, vision, values doctrine and stakeholder value;
anticipation (better) of the unexpected;
treatment of risks that is more efficient and effective;
comprehension of organization-wide cost;
establishment of methodology for assessing future risks;
ABC News, December 9, 2008, Fannie, Freddie Ignored Risky Loan Warnings, by Huma Khan. Their own risk
managers raised warning after warning about the dangers of investing heavily in the subprime and alternative mortgage
market. But these warnings were ignored by the two chief executives, said Henry Waxman, Chair of the House Oversight
and Government Reform Committee.
20
The following are considered success factors when implementing an ERM program:
Leadership support and a positive culture
Broad-based employee involvement
Consistency
99 in assessment
99 in scoring measurement
Quantifying and benchmarking results
Decreased variability through evidence-based practice (EBP)
Monitoring and evaluation
99 Internal
99 External.
21
The evolution of enterprise risk management is redefining the scope of practice for the professional charged with risk management responsibilities. Risk management professionals need to be
facilitators of change, action seekers, and well-networked within their own organizations and externally, enabling them to call upon outside experts when necessary. Changing risk management into
organizational-wide strategies to address ERM is not for the weak at heart. Increased responsibilities
require enhanced skills. The Risk and Insurance Management Society (RIMS), in their white paper
entitled The 2008 Financial Crisis: A Wake-up Call for Enterprise Risk Management, identifies skills
for the successful enterprise risk manager.10 RIMS divides the necessary skills sets into conceptual
skills, core competency skills, business skills and technical skills. Conceptual skills include: planning, organizing, decision making, management process, ethical judgment, organizational architect,
and strategic thinking. Core competency skills are separated into interpersonal skills and personal
skills and include leadership, negotiations, innovation, communication, and being motivated. Business
skills, as one would expect, include legal, accounting, compliance, human resources, finance, marketing, safety, and security to name just a few. Project management, the risk management process, risk
financing and knowledge of insurance, enterprise risk management information systems, risk control,
and claims management are all technical skills necessary for todays enterprise risk manager. The
enterprise risk management professionals are well-networked ringleaders, orchestrators, and facilitators of change.
1.16
Conclusion
By understanding the concepts of enterprise risk management and advocating its practices, principles, and processes, legal counsel adds value to the board of directors and executive leadership as
knowledgeable members of the ERM team. With this understanding, legal counsel will be better positioned to offer sage counsel in an area not yet fully understood by boards and executive leadership at
most healthcare organizations. A thorough understanding of ERM will assist in identifying and minimizing risks, helping to create a competitive advantage, decreasing costs, managing staff and patient
expectations, minimizing waste, and supporting the delivery of patient care in a safe environment.
Although healthcare organizations have not yet made tremendous inroads into ERM, that does
not mean that they have not been managing risk. It just means that there continues to be a tremendous
opportunity to make a meaningful difference. There is still much to do!
The 2008 Financial Crisis: A Wake-up Call for Enterprise Risk Management, Bill Coffin, Editor. RIMS 2009.
10
22
Patients
Families
Medical staff
Board of directors
Executive leadership
Professional caregivers
Community
3. Increased use of the internet as a source for health knowledge and exchange
4. Movement to a paperless environment and the promotion of electronic medical/health records
5. Continuous need for and access to outcomes data
6. Local, regional, and national competition
7. Increased financial oversight and scrutiny
8. Emphasis on patient-centered care and transparency
9. Changing lines of authority
99 Staff empowerment
10. Variability in clinical care
99 Hesitancy to follow evidence-based practice
11. Increase in regulatory requirements, standards, regulations and standards
99 Standard & Poors to evaluate rated agencies on ERM progress
99 Sarbanes-Oxley Act of 2002 requirements trickle over into healthcare
99 CMS IPPS changes related to hospital-acquired conditions
12. Promotion of disclosure and apology programs
13. Reliance on complex, changing technology
14. Reduced reimbursement
15. Advances in medicine
23
Values Doctrine
Values Doctrine
Enterprise Risk Management
Quality patient care is at the center of all we do and core to our business objectives.
Creating a culture that supports a safe environment for all is paramount to the Organizations
mission and objectives. This includes not only our patients and their families but our employees, board members, volunteers, and medical staff.
We promote an enterprise-wide early warning system and framework for the comprehensive
identification and resolution of all organizational risk.
We adhere to an early intervention program that supports prompt investigation, open and
honest communication, transparency, disclosure, and apology and compensation (when
appropriate) to injured patients that is fair and equitable.
Employee empowerment and service recovery are principles with which all employees are
trained and participation is encouraged.
In promotion of our organization as a learning environment, we will share with all stakeholders the lessons learned from patient safety and risk-related issues.
To safeguard the delivery of patient-centered care we will strive for patient/family participation in strategy setting and membership on functional teams designed to identify and mitigate
the potential for loss.
Understanding that risks can cross all aspects of the organization, we will endeavor to identify and assess all risks in a manner that is both strategic and timely in order to preserve
resources, maintain fiscal integrity, support the workforce, and create an environment that
promotes transparency.
This Values Doctrine is endorsed by the organizations board of directors, executive leadership,
and medical staff and is supported by all employees and volunteers.
24
Exhibit 1.2
Table 1.2
Level
Descriptor
Extremely rare
Rare
Periodic
Recurrent
Occurs frequently
25
Level
Descriptor
Warning occurs over a long period of time (months or years) providing opportunity
to adjust or react
Warning occurs over a shorter period of time (days or weeks) providing some opportunity to adjust or react
Table 1.4
Level
Descriptor
Minor
Moderate
$50,001$500,000
Major
$500,001$1,000,000
Severe
$1,000,001$5,000,000
Catastrophic
Over $5,000,000
26
Table 1.5
Risk
Fetal
hypoxic
event
Fetal Hypoxia
Cause
(Risk Factor)
Impact
Lifetime injury or
Failure to
death
recognize
fetal distress Medical malpractice
loss
Failure to
Increased insurance
interpret fetal rates
monitoring
Loss of reputation
Inability
Increased scrutiny by
to perform
JCAHO, State
emergency
Difficulty attracting
c-section
staff
Internal Controls
Education
Use of technology to facilitate
recognition of
fetal distress
New policies
ensuring emergency c-section
readiness
PR advertising
new measures
Recommended
Actions
Score
Biannual fetal
monitor training
Identify/
Purchase new
technology
22.5
Float
obstetricians
Host Mothersto-Be Event
27
28
2
Structuring an Enterprise Risk Management
Program
Sheila Hagg-Rickert, JD, MHA, MBA, DFASHRM, CPHRM, CPCU
Senior System Director of Risk Management, CHRISTUS Health
2.1
Introduction
Healthcare organizations come to the realization that they need to explore an enterprise risk
management (ERM) program from a variety of different directions. It sometimes starts with a senior
corporate officer or the organizations risk management professional learning about ERM in a seminar,
an article, or through conversations with a peer. At times a member of the governing board with ERM
experience in another industry questions whether such an approach might be applicable in a healthcare setting. Other times leaders simply become increasingly aware that traditional risk management
processes and activities, no matter how successful, fail to capture a significant and growing portion of
the most serious risks facing the organization.
However a healthcare organization comes to appreciate its need for an ERM initiative, it is important that the organization identify the right people, devote sufficient resources, and allow enough time
to appropriately structure the ERM process. It is equally important that the governing board and senior
leadership team of the organization be prepared to confront the fundamental cultural and operational
assumptions that such a process is likely to reveal and embrace the broad-based organizational changes
that a successful ERM process will likely entail.
2.2
Prior to embarking on a large-scale exploration of ERM, the senior leaders and governing board
of a healthcare organization need to identify the goals for the process. While it is neither possible
nor appropriate to be overly prescriptive at the outset, it is helpful to reach consensus on a few key
questions:
Who will lead and champion the ERM process?
Does the identified team have sufficient time and expertise to assume such a role? If not, can
other work responsibilities be modified and additional educational resources provided?
29
While the decision to embark upon an ERM project typically rests with an organizations senior
management team and governing board, responsibility for day-to-day exploration of the issues and
design of the initial ERM project is usually vested in an ERM working group. The working group
should be capable and willing to develop an in-depth understanding of ERM theory and processes and
to frame the issues in developing the initial ERM risk assessment survey. The working group should
also be prepared to assist with designing and launching a comprehensive ERM implementation process for the organization and making recommendations for required organizational restructuring and
resource reallocation.
While the organizations risk management professional is often a key member of the working
group, it is advisable to include other disciplines in order to assure the appropriate breadth of perspective for a successful launch. Internal audit, with its broad focus of organization-wide standards and
compliance, and strategic planning, with its global and futuristic orientation, frequently make good
partners with traditional risk management in forming the working group. Legal, corporate compliance,
and clinical operations representatives may also be good candidates for inclusion, depending on the
organizational structure of the healthcare entity.
Regardless of who is named to the working group, the team should typically include no more than
four to six members. Even in a large and complex healthcare organization, it is important that the team
be small enough to meet frequently in the face of competing schedules and to reach consensus easily.
The team must be nimble enough to adjust quickly to changes in focus and orientation that may occur
in the course of the project.
30
One of the first tasks facing the designated ERM working group is to design the framework for
exploring and implementing the organizations ERM process. Such a design process typically begins
with developing a methodology for identifying and prioritizing the various risks that may potentially
impact the organization. While the working group could review the relevant literature to find a standardized list of risks impacting healthcare organizations or could seek the assistance of a consultant in
developing such a list, it is preferable to develop it internally. Developing an organization-specific listing of critical risks not only allows the working group to capture risks unique to a given organization,
it allows the entitys management team to begin thinking about risk from a fundamentally different
perspective. The work done in identifying, defining, categorizing, and prioritizing specific risks is a
valuable part of the overall ERM education process and assists members of the management team in
internalizing the differences between ERM and a more traditional risk management orientation.
The preferred approach for identifying risks potentially impacting a healthcare organization is
for the working group to conduct interviews of small groups of managers and other leaders to determine risks in their respective areas along with current mitigants. The information gathered from the
interviews can then be synthesized into a survey document in which various risks identified can be
analyzed as to their likelihood (anticipated frequency or probability of occurring within a given time
frame) and impact (anticipated severity in terms of potential to prevent the organization from reaching
its desired objectives). Additionally, identified risks can be considered in terms of the adequacy of current risk mitigation effortssome risks that could be potentially disastrous to the organization without
the application of appropriate risk treatment or risk financing strategies may be perceived as much less
onerous if they are subject to adequate mitigation efforts. The risk remaining after the risk mitigation
efforts are applied may be characterized as residual risk.
31
The best way to develop a listing of risks facing an organization is to ask the people who know
it bestits managers and leaders. As an initial step in the ERM assessment effort, the working group
should conduct interviews with groups of organizational leaders to elicit their views on risk. It is desirable that groups be kept small, no more than 10 to 12 people, and that one to two hours be allowed
for each interview. For multi-facility healthcare organizations, leaders at both the corporate system
level and the local facility level should be included, as their views regarding important risks may well
differ.
In setting the stage for the discussion of risks, the working group may pose a question such as,
What risks facing ABC Health Care keep you up at night? The working group should also emphasize
that risks to be considered should not be limited to things traditionally handled by the organizations
risk management department, such as medical professional liability claims or catastrophic property
losses (although such risks need not be excluded), and should include any risk to the organization
capable of seriously impairing its ability to meet its stated objectives.
In framing the discussion of risk, it is sometimes helpful to discuss three discrete types of risks
that might be considered by the interviewees:
1. Event Risks: Risks associated with specific events such as a flood or hurricane, a pandemic
disease outbreak, or a terrorist attack. Such risks most closely parallel risks addressed through
traditional risk management programs.
2. Process Risks: Risks associated with the organizations failure to design and implement
appropriate business, clinical, or other processes or to effectively monitor and correct deviations from established processes. The concept of process risk is less tangible than event risk
and may be less apparent to individuals without prior experience with ERM. Process risks
might include failure to retain and recruit sufficient numbers of qualified staff or failure to
collect a sufficient proportion of patient care revenues.
32
33
One of the greatest challenges in implementing an ERM program is preventing the process from
dead-ending with the risk assessment. Healthcare organizations, like their counterparts in other industries, seem to suffer from a natural tendency to consider the interviews, risk assessment survey, results
analysis, and resulting risk prioritization as an end in themselves. In fact, these activities are but the
beginning of the ERM process.
Once survey results are tabulated and risks ranked and displayed, the working group should report
its findings back to the ERM oversight committee. The Committee then needs to determine the specific
risks on which to aim its initial focus. For most organizations, it is recommended that no more than
three to 10 risks are tackled at the outset. Typically the risks identified through the survey assessment
process are global in nature and pervasive in scope and require the effort of a multi-disciplinary team
of experts both within and external to the organization to address. Attempting to adequately explore
and manage too many risks during the implementation phase of the ERM process is a sure recipe for
disaster. It is better to deal effectively with a handful of risks than to superficially consider a larger
number.
Enterprise Risk Management for Healthcare Entities, First Edition
35
36
Moving beyond the risk identification and assessment process and fully integrating ERM into
the organizations culture is a challenging endeavor for most healthcare organizations. To be fully
operationalized, ERM must become a core process, reflected in strategic planning, budgeting, and performance measurement and improvement activities, and embraced by every level of the organization.
The governing body of the organization, as well as it senior management team and other leaders, need
to set risk-adjusted goals and objectives and consider risks holistically across the enterprise. Such a
view of risk avoids a reactive, siloed focus on the mitigation of individual risks and allows for intelligent risk taking utilizing risk-based decision support and performance measurement tools.
The ERM implementation process typically involves an analysis of the organizations risk tolerance. Healthcare entities vary in their ability to withstand the potentially adverse consequences of risk
based on their competitive and cash positions, revenue stream, access to credit and degree of financial
and operational predictability. Organizations in highly volatile markets and those operating under
severe financial pressures tend, out of necessity, to be more risk averse then their peers; however, even
similarly situated organizations may view risk differently and have very different risk appetites.
While defining an organizations risk tolerance precisely may be difficult, a few relatively simple
techniques can be employed to aid in the analysis. Just as entities typically conduct a cost-benefit
analysis of proposed projects to determine which of several competing projects to pursue, organizations can think in terms of a risk-reward analysis to consider proposals from an ERM perspective.
Those endeavors that offer the greatest probable reward for the least residual risk, given the costs and
anticipated effectiveness of available risk mitigation options, should be pursued. Just as organizations
typically look for a specified internal rate of return for their business initiatives, managers can come to
appreciate that projects must be able to demonstrate a specific risk/reward gap in order to be pursued.
Healthcare organizations should also approach their strategic planning and budgeting functions
from an ERM perspective. Rather than setting goals and objectives and budgetary targets as absolutes,
it is helpful to think of them within an ERM framework. What is the likelihood that the organization
will meet this specific goal or budgetary target? Is there a possibility that the organization will exceed
it, and if so, by how much? What is the probability that the organization will fail to meet it? What are
the risks that are driving those probabilities? Can those risks be mitigated (if negative) or enhanced (if
positive)? What are the costs (financial and otherwise) in pursuing such mitigation or enhancement,
and how likely are these activities to be effective? When considering risk treatment strategies, it is
important to bear in mind the law of diminishing marginal returns: while quick fixes and relatively
obvious risk mitigation or enhancement efforts may yield large returns, the closer one gets to completely eliminating or optimizing a risk, the higher the incremental costs tend to be in proportion to the
incremental benefits, so that completely eliminating or optimizing risk is not feasible.
Enterprise Risk Management for Healthcare Entities, First Edition
37
Conclusion
Enterprise risk management for healthcare organizations is still a discipline in its infancy. While
much work remains to be done, healthcare entities that begin by assembling the right initial team,
developing a thoughtful process of risk identification and assessment, and devising an implementation
strategy that focuses on integrating ERM into the corporate culture of the organization over the longterm will be rewarded with a better understanding of the inter-relationships among the risks they face
and be better equipped to anticipate and manage those risks effectively.
Risky Business: Employing Enterprise Risk Management to Sustain Growth, Mitigate Threats and Maximize Shareholder Value, APQC, 2007.
5
38
Appendix
1.
Political/Legislative
Changing regulations and rates/standards for reimbursement by government payors threaten the
organizations ability to maintain operations.
2.
Regulatory Compliance
Noncompliance with laws, regulations, and accreditation standards results in lower quality, lost
revenues, unnecessary delays, adverse publicity, penalties, and fines.
3.
Competitor
Actions of competitors (e.g. new product and service introductions, predatory pricing and competitor mergers) or new entrants to the market handicap the organizations activities, competitive
advantage or even its ability to survive.
4.
Catastrophic Loss
A major disaster or pandemic directly or indirectly impedes the organizations ability to sustain
operations, provide essential products and services, or recover operating costs.
5.
Catholic Identity
Compliance with ethical and religious directives challenges the organizations ability to enter and
remain in profitable markets or to deliver state-of-the-art and full-range clinical services demanded by
customers.
6.
Not-For-Profit Status
Failure to identify and accumulate relevant information and maintain appropriate operations
regarding the organizations not-for-profit status results in noncompliance with tax regulations and the
loss of not-for-profit status.
7.
Leadership
The organizations people are not being effectively led, which results in a lack of clarity, direction,
motivation to perform, management credibility, and trust throughout the organization.
8.
Organizational Structure
The organizations corporate and/or legal structure impedes its capacity to change, develop relevant business plans, or implement long-term strategies.
39
System Value
System functions fail to align or fail to appropriately support regional operations and create additional burdens on the regions without adequate accountability or the addition of value.
10.
Business Planning
Lack of a systematic and cohesive business planning process or failure to establish and execute
clear operating strategic priorities impacts the organizations ability to focus and formulate realistic
and relevant business strategies.
11.
An inability to determine and implement accurate performance measures consistent with established business strategies threatens the organizations ability to achieve its long-term objectives.
12.
Alignment
Misalignment of objectives, goals and strategies throughout individual operational units threatens
the organizations capacity to achieve its overall objectives, maintain core operations and execute
strategy.
13.
Physician Alignment
Failure to effectively integrate physicians with the organizations business and mission needs
results in quality deficiency, inadequate patient volumes, duplicative services and loss of profitable
service lines.
14.
Patient-Centered Approach
Strategy
The organization develops strategies geared towards desired revenues or short-term goals rather
than indicated costs or long-term objectives resulting in failure to meet operating income needed to
sustain long-term business operations.
16.
International Operations
Failure to appreciate cultural, market, political and regulatory risks results in underperformance
or loss of investment.
40
17.
Change Readiness
The organization is not open to or does not implement critical processes or product and service
improvements quickly enough to keep pace with changes in the marketplace or to achieve anticipated
savings or productivity gains. It holds on too long to failing operations and strategies. The desire for
unanimity impedes the organizations ability to act.
18.
Authority/Accountability
Unclear roles and levels of authority result in a lack of coordination between parties, duplication
of efforts, unexpected outcomes, performance gaps or the assumption of unacceptable compliance/
business risks. Failure to hold associates accountable leads to poor results.
19.
Associate Competence
Lack of knowledge, training and development activities preclude associates from effectively
discharging their current operating responsibilities, as well as preclude creating a workforce that is
flexible and prepared for future challenges in implementing the organizations long-term strategies.
21.
Management Development
Lack of cross-training, mentoring, orientation, flexible recruiting and retention strategies as well
as succession planning for key positions results in a lack of leadership, technical skills, and ability to
provide our customers with the organizations products and services.
22.
Resource Availability
Unavailability of essential, qualified associates impedes the organizations capacity to grow, execute strategy and generate future financial returns.
23.
Unionization
Failure to deal effectively with union efforts results in organizational discord, operational impairment, and resource misalignment.
41
Lack of functional integrity in the information system infrastructure and application systems
results in unauthorized access to data, incomplete, inaccurate, or non-timely delivery of information
and processing of transactions.
25.
Ineffective and inflexible technology infrastructure impairs the organizations ability to effectively and efficiently support the current and future information and operational/compliance needs of
the organization.
26.
Inability to access important information when needed impedes the continuity of the organizations critical operations and processes.
27.
Failure to accumulate relevant and reliable external and internal information to prepare accurate
and complete financial statements and related disclosures affects stakeholders (including lenders and
regulators) ability to assess the organizations financial status and leads to surprise adjustments to
financial results.
28.
Investment Portfolio
Collections
Failure to collect payments as due from patients, vendors, or other third parties exposes the organization to excessive write-offs and collection costs. Inability to either obtain cash on a timely basis
or convert non-cash assets to cash when needed precludes the organization from paying or meeting its
current obligations.
30.
Transaction Processing
Inadequate processes for billing, collecting, paying, recording, reconciling, and monitoring transactions in financial systems results in inaccurate and/or noncompliant collections, transactions and
data for preparing internal management and external financial and operational reports.
42
31.
Clinical Quality
Quality failures, reflected through patient outcomes and satisfaction, significantly affect the organizations reputation, efficiency, compliance and accreditation status, future sales, market share and
reimbursement.
32.
Inadequate development and implementation of products and services impedes the organizations
ability to meet or exceed customers needs and wants. Difficulty in developing and integrating new
clinical technologies leads to inefficient, noncompliant operations, inaccurate information and loss of
competitive advantage.
33.
Cost Control
Failure to identify and implement a flexible cost structure at the System and regional levels that is
responsive to market conditions results in an inadequate operating margin.
34.
Contract Management
The organization defers plant and equipment maintenance and replacement to meet other strategic
and operating goals which results in unsafe and unattractive facilities.
Source: CHRISTUS Health, 2008.
43
Part II
Financial Issues
3
Insurance and Risk FinancingThe Basics
Ellen L. Barton, JD, CPCU
Principal, ERM Strategies, LLC
3.1
Introduction
Most healthcare lawyers develop their expertise in insurance and risk financing through
onthejob training. This may occur because of any number of circumstances including when in-house
counsel assumes responsibility for risk management or when the chief financial officer asks them to
review an insurance policy. With outside counsel, this may occur when a client asks them (as part of
merger negotiations) to review the parties insurance program for adequacy. Regardless of the situation, it will serve healthcare lawyers well to develop a working knowledge of basic insurance and risk
financing concepts in order to enhance their understanding of enterprise risk management and their
ability to provide advice and counsel on such matters.
3.1.1
Risk Financing
It is probably most appropriate to provide an overview of risk financing in the context of the risk
management process. The risk management process has five steps:
1. Identify and analyze loss exposures.
2. Examine alternative risk management techniques for treating the loss exposures:
a. Risk Control
Risk Avoidance to avoid the risk
Loss Prevention when dealing with frequency
Loss Reduction when dealing with severity
b. Risk Finance
Retention
i.
ActiveNon-insurance, self-insured
InsurerCommercial Carrier
47
Retention
Retention may involve the current expensing of losses, i.e., paying for losses out of available cash
as they occur. For example, hospitals often chose to retain losses such as lost eyeglasses or dentures.
Retention may also involve either funded or unfunded loss reserves. Unfunded or funded loss reserves
involve an accounting entry that shows a potential liability for a loss; or an organization can set aside
funds for expected losses, known as ear marked funds. Thus, in the example involving lost eyeglasses
or dentures, a hospital may chose to put aside a set amount of funds for such losses based on previous
experience or simply decide to pay such losses out of current operating funds.
For large retained losses, an organization might find itself borrowing funds to cover uninsured
losses. Borrowing to pay losses might result in a reduction in the organizations line of credit or ability
to borrow for other purposes; and, in time, will require earnings to repay the loan. More formalized
methods of self-insurance may involve a trust fund or captive insurance company, which are used
to finance specified types of losses. A trust fund is simply a bank account (generally) for the organizations own risksadministered by a formalized agreement or statement of coverage. A captive
insurance company is an owned or affiliated corporation established to insure the risks of the parent
corporation or its members. Captives can also be organized to assume the risk of outside parties.
3.1.3
Transfer
There are two basic risk transfer techniques: first, a contract providing indemnification or hold
harmless obligations; second, an insurance policy. Contracts for services may provide that the person
providing the service will hold the organization harmless from liability resulting from the service
providers actions or agree to indemnify the organization from such liability. Insurance, on the
other hand, is defined as a contractual relationship that exists when one party (the insurer), for a
consideration (the premium), agrees to reimburse another party (the insured) for a loss to a specified
48
49
Principles of Insurance
An insurance policy is a legal contract. In order for a contract to exist, four elements must be present: offer and acceptance (an agreement); consideration (money/premium); competent parties; and a
legal purpose.
3.2.1
Key Concepts
50
Elements of Insurability
1. Pure risk: A category of risk in which loss or maintenance of the status quo are the only
possible outcomes; there is no beneficial result or possibility of a gain. Pure risk is related to
events that are beyond the risk-takers control. Speculative risks, on the other hand, allow for
the possibility of a gain, a loss, or the maintenance of the status quo. An example is gambling.
The gambler has an opportunity (or chance) to win, lose, or draw (break even). For a risk to
be insurable it must be accidental, fortuitous. Therefore, only pure risks are insured through
conventional insurance markets.
2. Insurable interest: The insured must have an ownership interest in or control of the property
at the time of the loss.
3. Definable loss: A definable loss is one in which there is the ability to determine the time and
amount of the loss.
4. Unexpected loss: A loss that is accidental and fortuitous (in the sense of occurring by chance,
not in the sense of luck).
3.3
Insurance CompanyTypes
There are two major types of insurance companies: private and governmental. Private insurance
companies are those owned and operated by private citizens that issue most coverage types, but they
exclude risks that are considered uninsurable such as unemployment, flood, etc. Government-owned
and operated insurance companies generally write coverage that is not underwritten by the private
sector such as unemployment, flood, etc. In addition, government-owned and operated insurance
companies compete with private insurers in limited lines such as workers compensation in monopolistic states. Private insurance companies can take one of several forms: stock companies, mutual
companies, or fraternal or benevolent societies. Stock companies are simply those that are owned
by stockholders. Mutual companies are owned by policyholders and share their profits in the form
of dividends to policyholders. Fraternal or benevolent societies provide formal insurance plans for
life and health insurance products for their members and are exempt from federal and state taxes and
certain laws. Reciprocals are unincorporated associations whose members (subscribers) insure one
another. An attorney-in-fact manages such organizations. Finally, Lloyds is a group of individuals who
share in the making of insurance contracts. Individuals directly accept risks for personal profit or loss.
Enterprise Risk Management for Healthcare Entities, First Edition
51
Insurance companies are generally considered to be approved or non-approved. Approved companies are licensed to conduct insurance business in a particular state. The companies are then considered
admitted and must file rating schedules and coverage plans with the state department of insurance.
Admitted carriers also participate in the states guaranty fund. State guaranty funds protect insureds
(albeit limited in financial payments) in case the insurer becomes insolvent or is unable to meet its
financial obligations. Non-admitted carriers are generally referred to as surplus lines carriers. Surplus
lines carriers may legally operate within a state and are typically used for hard-to-place risks. Surplus
lines carriers do not participate in state guaranty funds. Such companies also have great flexibility in
their rating schedules and coverage forms and do not have to file them with the state department of
insurance.
3.3.3
As mentioned previously, it is important that the insurance company providing coverage for an
institutions risks be financially stable. There are a number of companies that monitor the financial stability of the insurance industry and regularly publish reports. They are: A.M. Best Company, Standard
& Poors, Moodys, security committees of major brokerage companies, state insurance departments,
National Association of Insurance Commissioners (NAIC)which has no regulatory authority but
promulgates uniform standards for insurance company operations and financial operating ratiosand
Insurance Service Organization (ISO). Monitoring the ratings of an institutions insurance companies
should be done on an annual basis or more often if an insurer financial stability is called into question
or the ratings have been downgraded by one of the major rating agencies. Insurers are rated both on
their stability and their size; generally the larger the company, the more capacity it has, enabling it to
write larger risks. An unstable company, however large, is a risky proposition.
52
3.3.4
Certificates of Insurance
It is often necessary to provide proof of insurance to outside third parties. This is done through
a mechanism called a certificate of insurance. Insurers (or their authorized delegates) issue them on
behalf of and at the request of their insured. Programs of self-insurance will often issue a memorandum of coverage letter as proof of coverage when so requested.
3.4
The insurance transaction involves a number of steps in a process that can take anywhere
from several days to several months and includes: the selection of a broker and/or consultant, the
application/submission for insurance, selection of prospective insurance carriers, the underwriting
transaction, the evaluation of insurance proposals, the execution of the insurance contract, and finally,
planning for the next renewal.
3.4.1
The broker/consultant assists and advises throughout the entire process. Your broker should have
a special knowledge of you and your facility, the healthcare industry, the marketplace and insurance in
general. In addition, the broker should have the resources to deal with all or most aspects of your insurance program, and a service philosophy that is based on integrity, forming a partnership based on solid
information. Organizations, while not required, can utilize the services of an insurance consultant to
perform some of the typical broker services such as, assistance with coverage specifications, coverage
comparison, placement evaluation. They can also draft request for proposals (RFPs) and assist with
broker selection.
3.4.2
The application for insurance contains required information regarding the insured, its operations,
and the risk that is being underwritten. In addition, the submission will outline the requested program structures, various options and coverage specifications. Other required information includes a
historical perspective of the organizations insurance programs, an organizational chart, a summary
of exposures (generally for the preceding 10 years), loss experience (for 10 years) with analyses, the
last three years financial statements, a description of the applicants risk management program, and a
description of the claims management program with particular emphasis on reserving practices. The
application and attachments provide an opportunity for the prospective insured to tell its story in a way
that provides a level of comfort to the prospective insurance company. Several prospective insurance
companies are rewarding insureds with up-front premium discounts for implementing proactive risk
management/patient safety initiatives. When telling its story, the prospective insured is well served to
emphasize those initiatives as such programs could translate into premium savings as well as making
the risk more acceptable to underwrite.
53
There are numerous criteria that could be used to select a group of carriers to bid on the prospective
risk: (1) the portfolio of insurance products (that is, the coverages available); (2) the financial strength
of the company; (3) the companys claims paying philosophy; (4) the companys risk management and
loss control services; (5) the companys longevity in the marketplace; (6) the companys reputation;
(7) the quality of the companys policy administration services; (8) the companys flexibility to meet
current and future needs; (9) the companys management stability; and (10) the companys admitted/
surplus lines status by state. It may be unrealistic to expect to find a single insurer who can provide all
lines of insurance desired as carriers tend to specialize in certain lines.
3.4.4
Underwriting is the process by which the insurability of the risk is determined, at what amount of
coverage, and for what price. The goal of underwriting is to allow the insurance company to provide
its products and services at a profit to the insurer. The underwriting process involves selecting risks
that are consistent with the companys line of business, assuring that the risks can be spread, avoiding
adverse selection, and designing a premium structure that will yield underwriting profits. Underwriting also involves classifying risks and pricing them appropriately as well as designing products with
coverage terms and conditions that include selected limits and retentions.
3.4.5
The first question to be asked in evaluating insurance proposals is whether the proposal addresses
the risks? Does the proposal meet your objectives regarding price and coverage? It is helpful to compare (in an easy-to-read chart format) the current in-place program with options from proposed carriers
in terms of the following items: limits, coverage, exposures, losses, exclusions, service experience and
personnel, financial rating of the carriers, overall cost and financial security requirements, and conditions required by the insurer. Other considerations by which insurance proposals should be evaluated
include: the context of the market conditions, minimum requirements of regulatory authorities, bond
covenants, contracts, etc. Finally, you need to ask if the proposal will accommodate your long-term
risk financing goals.
3.4.6
When an order for insurance coverage is placed, the insurance company or authorized agent will
issue a binder which outlines key terms of the coverage, provides evidence of insurance, and is limited
in time. The binder obligates (binds) the insurer to the terms described in the binder. The insurance
company will then issue a policy with all the specific coverage information included and will issue
certificates of insurance to appropriate parties as instructed by the insured. Concurrent with placing
coverage, the insured and insurer will determine the process and procedures for identifying, notifying the carrier and managing claims, risk management services to be delivered, and identifying any
insurance changes particularly where coverage is diminished or eliminated. Finally, the risk manager
needs to communicate the new insurance coverage details to the institution and all interested parties.
54
The best time to plan for the next renewal is when you finish the current renewal. This is the time
when issues and concerns are uppermost in mind. In addition, planning should include monitoring
the current insurance program and underwriting markets for continued financial stability, evaluating
service providers (such as brokers, third party administrators managing claims, and defense counsel),
maintaining a log of risk management improvements, internal and external benchmarking, and tracking changes in the risk profile.
3.5
Occurrence coverage provides coverage for a claim that occurred during the policy period regardless of when the claim is reported to the insurance company. Claims-made coverage provides coverage
for a claim that occurred after the inception or retroactive coverage date of the policy and is reported
to the insurance company while the policy or any replacement policy is still in effect. The retroactive
date defines the beginning of the coverage period for the claims-made policy. This date is retained
on an indefinite basis if the insured remains with the same carrier. The retroactive date will usually
predate the effective date on the policy in order to provide seamless coverage and mitigate any coverage gaps. If an insured changes claims-made carriers, the original retroactive date can be maintained
or an extended reporting endorsement can be purchased from the exiting carrier, in which case a new
retroactive date is then established with the new insurance carrier. The extended reporting endorsement may be referred to as the discovery provision, as tail coverage, or as an extended reporting period
(ERP). This endorsement is attached to the exiting policy and extends the reporting period past the
expiration of the policy. It covers events that occurred while claims-made coverage was in place and
that would have been covered had the old policy been continued. In making a decision to purchase
coverage for an extended reporting period, the following issues should be considered: (1) the availability of such coverage; (2) the length of the reporting period; (3) cost of tail; and (4) cost and provisions
for reinstatement.
Most medical professional and general liability policies are claims-made; however, some self-insurance trusts and captive insurance companies provide occurrence-based coverage. Thus, understanding
the implications of each of these types of coverages is important.
3.6
The policy limit represents the maximum amount the insurer will pay for losses. The per claim
limit applies to a specific loss. The aggregate limit applies to all losses within a policy term (usually
a year). Therefore, policy limits of $1 million/$3 million mean the insurer will pay a maximum of
$1million for any one claim, and a maximum of $3 million for all claims, of whatever size (up to
$1 million), taken together. There are also primary limits and excess limits, which simply refer to
Enterprise Risk Management for Healthcare Entities, First Edition
55
A deductible is defined as that portion of an otherwise insured loss that is borne by the insured. A
retention, on the other hand, is defined as that portion of a loss assumed by the insured, in the form of
self insurance. To illustrate the difference, consider a deductible policy with a $1 million policy limit
and a $100,000 per claim deductible. If a $1 million claim occurs, the insurance carrier is responsible
for paying the full amount of the claim and recovering the deductible from the insured. Thus, the
total amount of insurance available is $900,000. Coverage through a self-insured retention (SIR) is
in addition to the coverage limit purchased. SIRs are popular with insureds because of the ability of
the insured to manage the claim within that layer of coverage. Purchased insurance is excess of the
SIR and increases the amount of coverage available to pay a covered claim. If the insured purchases a
$1million policy and has a $100,000 SIR, the coverage available for a covered loss is $1.1 million.
3.6.2
It is important to understand whether expense costs (i.e., defense counsel, expert witness fees,
etc.) are considered within the limit (also known as cost inclusive) or outside the limit (also known as
cost exclusive) and how they will affect premium costs as well as funding requirements. When expense
costs are within the limit of liability, coverage limits will erode faster and excess or umbrella policies
will drop down and respond quicker. It is not hard to understand why policies written with expense cost
included within the limit will be cheaper on a primary basis but more expensive on an excess basis.
Consider for a moment a birth injury case, one of the most expensive claims to defend: under policies
where expense costs are within the policy limit, coverage could be exhausted through the payment of
56
Insurance companies determine premiums based on several rating schemes. Two of the more
common procedures are manual rating and loss (or experience) rating. In manual rating, an insurance
company uses the premium rate specified in an insurers or rating bureaus manual for a particular line
of insurance. Loss rating is a method of adjusting the premium for an insured based on the insureds
own loss experience compared to the loss experience of insureds facing the same exposure. Most captive insurance companies use loss rating.
3.7
The main sections of an insurance policy can be described by the acronym DDICEE and are as
follows:
1. The Declarations Page, also called the dec page, specifies the type of policy and coverage,
the policy number and policy forms, the policy period, the name and address of the insured,
the broker or agent, the limits and deductibles/retentions, the effective/retroactive dates of
coverage, the type of business, the policy premium, and a listing of the endorsements or
extensions of coverage.
2. Definitions define specific terms in the policy that are usually bolded to signify that they have
specialized meanings. The definitions section of the policy is designed to clarify coverage
Enterprise Risk Management for Healthcare Entities, First Edition
57
MMSEA adds new reporting requirements for group health plan arrangements (GHP) and for liability insurance (including self-insurance), no-fault insurance, and workers compensation laws or plans to report the identity of a Medicare
beneficiary whose illness, injury, incident, or accident was at issue as well as such other information specified by the Secretary to enable an appropriate determination concerning coordination of benefits, including any applicable recovery claim.
See 42 U.S.C. 1395y(b)(7) and (8). A specific website has been created by HHS/CMS for mandatory insurer reporting
and can be accessed at http://www.cms.hhs.gov/MandatoryInsRep/01_Overview.asp#TopOfPage.
2
58
3.8
An insurance policy will describe in detail the specific risks that are covered. Below is a nonexhaustive list of the many different types of insurance coverage that healthcare institutions might
consider depending on their various exposures.
3.8.1
Non-owned aircraft liability insurance provides coverage for bodily injury and property damage
caused by an accident involving a non-owned helicopter using the helipad or an accident involving
non-owned aircraft for which the insured is responsible. Losses from aircraft accidents are excluded
from normal general liability and property insurance, so this coverage is needed if, for example, the
insured operates a helipad.
3.8.2
Boiler and machinery insurance provides protection for explosion of boilers and other pressure
vessels and accidental damage to equipment. It also covers resulting damage to other property, including property in the care of the insured, for which the insured is liable. Boiler and machinery insurance
may be included in blanket property insurance.
3.8.3
Commercial automobile insurance protects against loss arising out of the ownership, maintenance, and use of automobiles and their equipment including those that are owned, hired, or borrowed,
and those that are not owned but for which the insured has responsibility, such as the personal car of
an employee used to run a company errand. In this last instance, the liability coverage provided for
these vehicles is excess over the coverage the vehicle owner may have. The excess coverage does not
apply to the employee individually unless the coverage is endorsed to cover employees as additional
insureds. Automobile liability is usually written on a combined bodily injury and property damage
limit. Automobile physical damage is written on an actual cash value basis for comprehensive loss
(fire, theft, windstorm, hail) and collision. Collision is always written subject to a deductible. There
are special automobile exposures in healthcare given the following: personal use of company cars
(permission for such use can be granted); employees as additional insureds (remember, the employees
policy will respond first); and personal use of non-owned automobiles (for which one should have
drive other car coverage and personal umbrella coverage). Note, too, that coverage does not apply
to physical damage to employees automobiles, even if they are used in business. Garage insurance,
not automobile insurance, applies to losses to vehicles in employer-operated garages and parking lots.
Additional exposures involve ambulances used for emergency transport and other patient transport as
well as auxiliary and volunteer exposures.
59
Commercial general liability protects against financial loss resulting from bodily injury and property damage from the insureds liability to third parties arising out of the premises the insured owns
or occupies, operations, products, and completed operations, advertising, personal injury liability, and
liability the insured assumes under contract, subject to the exclusions of the policy. The coverage is
usually rated based on square footage and/or receipts. The most common general liability exposures
include liability arising out of contracts, visitors, product liability, libel, slander, false imprisonment,
defamation of character, and sexual abuse by non-professional employees. Because of potential coverage gaps, it is recommended that general liability insurance be purchased from the same insurer that
provides the organizations professional liability. The biggest reason for this is that most commercial
general liability policies will exclude coverage for bodily injury for any person who is in the insureds
building or on the insureds premises for the purpose of receiving any type of medical evaluation, care,
or treatment. Thus, coverage for such injury to patients needs to be covered under a medical professional liability insurance policy. Having one company provide both coverages eliminates the potential
for disputes.
3.8.5
D&O insurance protects directors, trustees, officers, and other key executives as identified in
the policy from personal liability for wrongful acts (misstatements, misleading statements, acts,
omissions, neglect, or breach of duty) and insures that the organization is covered for its obligation to
indemnify its officers, directors, trustees, and key executives. Under this coverage, the insurer shall
pay on behalf of the Company all losses for which the company grants indemnification to the insured
persons and which the insured persons have become legally obligated to pay on account of any claim
for a wrongful act. There are three coverage parts: Insuring Agreement A provides individual coverage
to the director (trustee), officer or key executive when the corporation (e.g., a hospital) cannot provide
indemnification. Insuring Agreement B provides corporate reimbursement when directors, trustee,
officers, and key executives can be indemnified. Insuring Agreement C, if purchased, provides entity
coverage for loss from covered wrongful acts that it is legally responsible to pay. Healthcare exposures
include committee membership (peer reviewloss or denial of privileges) compliance issues, antitrust,
wrongful termination (including committee decisions and routine personnel activities), sex and age
discrimination (failure to supervise employees accused of misconduct), diligence (alleged waste or
neglect of assets, failure to manage), breach of loyalty (conflict of interest), and contractual issues with
outside stakeholders.
3.8.6
60
3.8.7
Fiduciary Liability
Fiduciary liability insurance covers breach of fiduciary responsibility under common law or ERISA
for directors and administrators of an organizations pension plan and health & welfare funds.
3.8.8
Fidelity Coverage
Fidelity insurance, also referred to as commercial crime coverage, provides coverage for several
different types of crimes: (1) dishonesty of employees; (2) forgery or alteration; (3) theft of money
and securities; (4) funds transfer fraud coverage; and (5) computer fraud. Coverage can be endorsed to
cover other risks as well such as kidnapping, ransom, and extortion coverage. One way to remember the
major coverages is to remember the 3 Ds representing dishonesty, disappearance, and destruction.
3.8.9
A general liability policy covers loss to third parties resulting from premises exposure of parking areas but excludes losses to property in your care, custody, and control. A garagekeepers legal
liability policy provides coverage for physical damage to automobiles in your care, custody, and control for which you are legally liable. Valet services can result in automobile physical damage exposures
not covered in any other form of coverage.
3.8.10
Helipad premises liability covers bodily injury and physical damage arising out of the use, ownership, or operation of a helipad including slips and falls that occur during the loading and unloading of
patients and bodily injury of bystanders and property damage to others. A separate policy is needed for
this coverage since it is explicitly excluded under the commercial general liability policy. This coverage can be combined with non-owned aircraft coverage.
3.8.11
Managed care delivery mechanisms take a variety of forms: preferred provider organizations
(PPO) plans that contract with providers for discounted fees or for payments based on a fee schedule; health maintenance organizations (HMO) group practices, staff models, or independent networks
that provide comprehensive care for a fixed price paid in advance of rendering services; independent
practice associations (IPA) organizations that contract with a managed care plan to deliver services in
return for a single capitation rate. The IPA in turn contracts with the individual providers to provide
the services either on a capitation basis or on a fee-for-service basis. A physician-hospital organization (PHO) is a legal or informal organization that bonds hospitals and their attending medical staff.
Frequently, such organizations are developed for the purpose of contracting with managed care plans.
Point of service plans (POS) or open ended HMOs (OEHMO) are managed care programs that allow
the patient to select a point of service between full benefits within a network or reduced benefits for
care outside the network. A primary care physician is used to facilitate services. Moreover, finally,
there are provider sponsored organizations (PSOs) which operate the PHO. Delivering care in this
manner brings some unique exposures (in addition to direct professional liability) that include: vicariEnterprise Risk Management for Healthcare Entities, First Edition
61
Medical professional liability insurance provides coverage for claims arising from providing
or failing to provide professional medical services. Professional medical services means any act or
omission in furnishing of healthcare services by or at the direction of a licensed professional, including furnishing food, medications, or appliances, the postmortem handling of bodies, or service by
any persons as members of a formal accreditation review board. While medical professional liability
policies vary greatly from carrier to carrier, most provide coverage for the following individuals and
entities: the corporate entity (including its auxiliary), board of directors or trustees, members of committees, employees, students, volunteer workers, member of religious organizations, and others at the
request of the insured, i.e., certain physicians, dentists, etc. Most medical professional liability policies
also contain specific exclusions: absolute or total pollution (typically excludes coverage in cases of
bodily injury that would not have occurred in whole or part but for the actual, alleged or threatened
discharge, dispersal, seepage, migration, release, or escape of pollutants at any time, physical and
sexual abuse, intentional/criminal acts, fines and penalties, occupational disease or injury, impaired
physicians, asbestos removal, punitive damages, and the loading and unloading of vehicles or aircraft.
In comparing one medical professional liability policy to another, the following issues should be
addressed: coverage type, named insured provision, retroactive dates, limits, defense costs, the claims
trigger, employee/physician coverage, extended discovery provisions (tail coverage), claims reporting
provisions, other insurance clauses, exclusions, and the coverage territory.
In reviewing physicians professional liability insurance, consider some key issues such as: coverage for ancillary exposures, death, disability, and retirement provisions, entity coverage, consent
to settle provisions, changes in specialty provisions, occurrence vs. claims-made coverage, and the
slotting of positions (mainly for group programs, employed physicians or residency programs where
rotation is frequent and the group of insured is large).
62
3.8.13
Property Coverage
Time element coverage is probably the most misunderstood coverage, and time element losses are
certainly the hardest claims to negotiate. Business interruption and extra expense coverage replace lost
earnings in an amount needed to cover an organizations continuing expenses and lost profits, where
the lost earnings arise from a covered event such as a fire or natural disaster. Continuing expenses
include: debt service, payroll for key personnel, insurance, contractual obligations, advertising, and
publicity. Business interruption insurance also may apply to managed care contracts.
3.8.15
Workers Compensation
63
Self Insurance
Self insurance is a risk management technique in which a calculated amount of money is set aside
to compensate for a potential future loss. If self insurance is approached seriously, money is set aside
using actuarial information and the law of large numbers so that the monies set aside (similar to an
insurance premium) are enough to cover the future uncertain loss. It is the funding of potential losses
that distinguishes being self insured from being uninsured.
Self insurance is possible for any risk that is predictable and measurable enough in the aggregate
to be able to estimate the amount that needs to be set aside to pay for future uncertain losses. For a risk
to be insurable, it must represent a future, uncertain event over which the insured has no control. In
addition, it must be possible to rate or price the risk. If the insurable event is one in a large number
of similar risks, the aggregate risk can be estimated according to the law of large numbers and the
probability of that event occurring in the future so that it can be quantified. Normally, catastrophic
risks such as earthquakes are not self insured as they are highly unpredictable and high in loss-value.
However, if the commercial market does not provide appropriate coverage at reasonable cost, it is not
uncommon for an organization to self insure a part of the risk.
The concept of self insurance is that by retaining certain risks and paying the resulting claims or
losses from designated funds, the overall process is cheaper than buying commercial insurance.
3.9.1
Underlying Principles
3.9.2
Methods of Implementation
65
Commentary
An organization that has adopted an enterprise risk management focus must first identify
its loss exposures and then treat such exposures through control, finance, and/or transfer.
Using an exposure analysis tool allows a thorough review of possible exposures. Healthcare
entities face very few risks that risk management (risk finance, loss prevention, and claims
management) cannot control. Thorough risk analysis is necessary: understanding plant and
equipment, operations, human resources, and business relationships is critical.
Healthcare lawyers need to understand the risk tolerance of an organization. It is this, sometimes intangible, aspect of an organization that will determine in large part how risk is treated.
An organization that has a well-informed governance structure, solid senior management,
and skilled risk management expertise (whether internal or external) will be far more likely to
use alternative risk financing mechanisms than an organization that is lacking in one or more
of these critical components.
Insurance agents, brokers, consultants, actuaries, investment managers, captive managers, and others can provide a needed measure of external expertise. However, the selection
process is critical. It is important to obtain background information on the experience and
expertise of such external resources, compare and contrast their strengths and weaknesses,
and obtain references.
Since significant healthcare exposures such as medical professional liability are more likely
subject to claims-made coverage, it is critical to understand retroactive dates and the nuances
of tail coverage under an extended reporting endorsement. It is also important to understand
the limits of coverage and how deductibles and/or retentions serve to increase or decrease
limits. Likewise, whether defense costs are inside or outside the limit can have a significant
impact on the dollars available to pay claims and premium costs.
The interpretation of an insurance policy is dependent upon careful reading and understanding of its essential partsthe declarations, the insuring agreement, the exclusions, the
conditions, the definitions, and the endorsements, and how they interact. Of particular significance are the definitions of the insured or named insured, additional insured, and additional
named insured.
There is a commercial insurance policy for almost every exposure. Captive insurance companies, whether single-owner or group-owned, issue policies of coverage similar to commercial
policies. Understanding the scope of coverage as well as the significant exclusions can aid
in evaluating an organizations risk financing program. Likewise, if a self-insurance trust is
used, the trust document contains important coverage information.
66
Conclusion
When all is said and done, from an enterprise risk management perspective, it is most important
to evaluate the effectiveness of the risk-financing program selected. This can be done internally or
externally. That is, an organization can establish its own benchmarks and track them over time, i.e.,
losses per occupied bed or admissions or losses per $100 of payroll. Alternatively, an organization
can use external cost of risk surveys, specific studies, or research papers. Whatever measure is used,
the point is that evaluation is a necessary component of a comprehensive enterprise risk management
programs risk-financing component.
67
68
Exhibit 1
Issue
Structure and Reporting
Requirements
Captives
Separate corporate entity
Comply with reporting requirements
of IRS, domicile regulations, etc.
Can accommodate directly or
through a fronting arrangement
Lines of Coverage
For-Profit Subsidiaries
Can accommodate
Reinsurance Markets
Investments
Repatriation of Funds to
Parent
Risk Management Program
Flexibility to Accommodate
Changing Health Care
Environment
Use of Surplus
Ease of Development and
Implementation
Trusts
Simply a funding mechanism operated by a Trustee
Minimal reporting, if any
Typically cannot accommodate this business, as it
would be subject to state
insurance regulations
Very limited as subject to
state regulations
Inclusion could jeopardize
tax-exempt status
Cannot access directly
More restrictive
More difficult
Perceived as formalized
and structured, but to a
lesser degree
Limited
Less flexible
Less complex and considered easy to develop,
implement, and manage
69
Issue
Capitalization
Mandatory Surplus
Requirements
Start-up Costs
Captive Management/
Trustee Fees
Domicile Fees and Taxes
Federal Income Taxes
Excise Taxes
Letter of Credit
Travel and Domicile
Legal Fees
Actuarial and Audits
70
Captives
Required
Yes
Trusts
Typically not required
Generally none
Yes
Yes
Yes
Yes
Yes
Yes, but can be exempt for not-for-profits
Yes, but can be exempt
Tied to capitalization and/or required
for fronting arrangements
Yes
Yes
Yes
None
Typically none
None
None
Generally not applicable
Yes
Yes
4
Claims Management: A Tool for Enterprise
RiskManagement
Mary S. Schaefer, RN, M.Ed, ARM, JD
Corporate Director of Risk Management, Covenant Health Systems, Inc.
4.1
Introduction
Most health lawyers are familiar with the basics of claims management but may not understand
how a cutting-edge claims management program can support an organizations movement to enterprise
risk management. Each element of effective claims management protects a healthcare organizations
reputation and financial assets. Further, while the majority of claims impacting a healthcare organization arise from medical professional and general liability, the claim management program described
below is applicable to all disputes arising from the enterprises activities.
4.1.1
A robust mechanism to report and review all potential disputes or events is a key component of
any ERM program. One subset of these events is potentially compensable eventsevents involving a
serious patient injury that may generate a claim for monetary damages. Other reportable events may
include those that dont cause serious injury, but which carry significant reputation or regulatory significance such as discharging an infant for a short time to the wrong family. Timely reporting of these
Enterprise Risk Management for Healthcare Entities, First Edition
71
Most risk management programs have reporting mechanisms in place, including computerized
event reporting, which allow the institutional risk manager to review and evaluate all patient-care
related events reported by staff. Larger health systems may also employ a corporate director of risk
management who is responsible for overseeing the entire risk management program. In that case, the
hospital risk manager will also submit a notice of significant events to the corporate office. Organizations should also determine who can receive reports of other claims or disputes, such as a medical staff
or contracting issue, and manage those. Leaving dispute management to individual departments can
create risk due to their failure to manage the conflict effectively.
Criteria for reporting events should be clear and disseminated to all healthcare providers and staff.
In developing the criteria, the institution should consider all relevant outside reporting programs, such
as those based on the National Quality Forums Serious Reportable Events (Never Events).2 Other
redflag warnings of an impending claim should be included in the reporting system:
1. Any threats of legal action by a patient or family member and any request for medical records
by an attorney.
2. Quality Improvement data collected within an organization from generic screening criteria
and other medical staff sources.
3. Complaints to the billing office about medical care.
4. Complaints voiced to volunteer services or patient advocates.
5. Escalating tension in physician relationships.
6. Product failures.
4.2.2
Peer review and quality improvement programs can identify reportable events and reduce many
risks for healthcare organizations, but they also generate data and documents that plaintiffs, the press
or regulators can use to the detriment of the entity. Because peer review and quality improvement protection of documents varies by state, incident or adverse event reports need to be maintained according
to the governing state protective statutes. Some statutes extend protection to information and records
For brevitys sake, this chapter will refer to claims but may also encompass the management of adverse publicity
or regulatory concerns. Many of the suggestions could also apply to conflicts in which the healthcare organization is the
aggrieved party, such as contract disputes or construction cases.
2
National Quality Forum, Serious Reportable Events in Healthcare 2006 Update, A Consensus Report, 2007.
1
72
Whenever a significant risk event occurs, documentation is critical. It often forms the centerpiece
for litigation and for dealing with regulatory concerns. The organization must educate all staff to
record only objective and factual accounts as soon as possible after the event. Documentation prepared
outside of the time immediately after events take place may appear self-serving and may actually compromise the healthcare organization. Reports should include only pertinent facts about the event. Staff
should reserve opinions about events or actions for protected conversations and records, such as an
attorney investigation or quality assurance meeting. For example, a nurse who records in an incident
report or in the medical record that the patient fell because of a delay in answering a call light could
harm the defense of the resulting claim. Her conclusion about the cause is an opinion which may not
be reflective of what had actually occurred. For example, a quality follow-up investigation reveals that
the patient contributed to his own fall by refusing to use the call light as instructed.
Business records such as medical records should never refer to a confidential investigation or
document. Such references disclose the existence of confidential information and they arguably
Lucinda Glinn, Navigating Provider Protections for Quality of Care ReportsFrom Peer Review Statutes to Common
Law Privileges, Hospitals and Health Systems Practice Group 9, AHLA, Spring 2007, at 16.
4
Mary Frances Grabowski and Paul Sanders, Shielding Documents From Prying Eyes, at 45, AHLA, Long Term Care
and The Law, February 23, 2005, Coronado, CA.
5
Id.
3
73
Medical device injuries can be caused by simple devices such as defective syringes or heating pads
as well as by complex equipment, including pace-makers, surgical tools, or kidney dialysis machines.
Recently, medical devices have also generated interest due to potential fraud in efforts to market them.
Other risk issues arise surround recalls by the manufacturer.
Whenever an equipment or device-related injury occurs (including property or financial losses,
for example, if an autoclave explodes), the item, its packaging, and all related disposables should be
preserved for safe keeping. The equipment should not be returned to the manufacturer. The unaltered
equipment must be independently evaluated with guidance by counsel. If the manufacturer insists on
inspecting the equipment, counsel should be involved in designing that process, and the device should
not leave the custody of the healthcare organization. If a device causes death or serious injury, the
federal Safe Medical Devices Act of 19906 requires that hospitals and nursing homes report file reports
with the Food and Drug Administration and/or the device manufacturer, if known.
4.2.5
A general liability incident involves accidents, injuries, property loss, or damage that occur on
an entitys property or as a result of the general negligence of its agents or employees elsewhere.
Examples include visitor falls, theft of patient personal property, or property damage to third parties. One must carefully distinguish general liability events from professional liability, as the legal
consequences often differ. Tort reform provisions or a different statute of limitations might apply to a
general liability claim, and a different insurance program may cover it. Sometimes they can be hard
to distinguish when an injury occurs in a healthcare setting. For example, a fall in a patient room is
generally considered a professional liability event if the patient falls, but general liability if a visitor is
injured. Automobile claims, in which an employee causes an accident, are a subset of general liability
that often has a third set of insurance considerations.7
Like any injury, general liability situations require prompt and thorough investigation, including
a physical inspection of the area and interviews of the victim and any witnesses. Staff completing an
incident report should be instructed to include information on whether warning signs were posted
(e.g., if the floor was wet or waxed prior to a fall.) Photographs should be taken, if relevant, before any
repairs are completed. Obtain the names, addresses, and phone numbers of any witnesses.
PL 101-629, Safe Medical Devices Act of 1990. Some events, primarily those causing death, must be reported to the
FDA; others only to the manufacturer.
7
Chapter 3 contains a more detailed discussion of insurance issues.
6
74
4.2.6
Directors and officers exercise governance functions within a healthcare entity, including oversight of institutional policies, implementation of entity strategies, and obedience to the organizations
mission. In that role, directors and officers (and sometimes the healthcare entity itself) may be liable
for violations of law or injuries arising from employment decisions, medical staff credentialing and
privileging processes, and corporate financial transactions. Relevant statutes and regulations include
anti-discrimination laws, the Stark laws, anti-kickback laws, the False Claims Act, and other antitrust
provisions.8 Strong risk management programs in those substantive areas will reduce the risk of claims
against the directors and officers. Other departments such as Internal Audit and Human Resources may
also be involved in those loss prevention efforts.
4.3
Whatever the basis for a dispute (general liability, professional medical liability, employment
practices, anti-trust, contract), a claim should be handled as a claim. Claim investigations should not
be confused with a hospitals internal quality or compliance review, but should be conducted separately. Early event investigations are critical to claims management in order to capture the statements
of all-important witnesses and to identify and protect relevant documents. As memories fade with
time, salient details about an event or claim can be lost, and this can affect the future defense of a case.
The earlier an investigation is launched into a potential claim, the less likely key evidence such as
x-rays, medical equipment, medical records, or business documents will get lost or thrown away.
An early investigation also allows the healthcare organization to understand any underlying contractual or process problems that led to the claim or dispute and to address those issues at the earliest
possible time.
Employees who are involved in an adverse event or claim should be advised not to discuss any
details of the case with colleagues or other treating clinicians. Such casual conversations could be
subject to discovery or used as evidence. Discussions about an event or claim should only take place
within the institutional peer review process or with assigned claim staff and defense counsel. Business
disputes, including medical staff issues, also deserve extreme caution regarding communication and
documentation processes.
Cooperation of the organizations employees with the assigned claim representative, defense
counsel or other designated agent, and assistance in the internal investigation of the adverse incidents
is critical. The risk manager or involved department manager can help to identify all involved personnel. The event file should include the current name, address, and telephone number of each person
with information or who is likely to be drawn into the matter by other parties. It is also useful to
include their department or work location, and to note whether the individual is full-time, part-time,
or contractual. All documentation regarding the investigation of a potential lawsuit is confidential and
privileged if handled by appropriate personnel under state law.
The American Health Lawyers Association has a number of resources available for further study of the substantive law
and loss prevention in these areas. Several of the chapters in this Handbook also address these issues in more detail.
75
Potential suits can first present through early reports of an event or a disagreement, or they may
first present as lawsuits. Since the lifespan of a case can extend over a period of three to four years,
healthcare institutions need an effective way to track and monitor all investigative reports, claim reports
from defense counsel, expert opinions, pleadings, and discovery in all open cases. Most claim professionals use a diary system to review recent developments and to track scheduled depositions, panel
hearings, and trial dates. Software systems can be very valuable in monitoring a number of cases.
4.4.1
A complete investigation should precede closing the file for any reported event, particularly if
the matter involves serious injury or presents the potential for significant loss or business disruption.
Without statements from all identified key witnesses and sequestration of key documents, it will be
much more difficult to defend the case later should the matter evolve into a claim or suit.
4.4.2
Matters that first arise as a claim or suit also require an immediate investigation but should also
trigger prompt consideration of the best way to manage the conflict. If prompt settlement seems wise,
then departments or entities that will suffer financial impact must contribute to the development of a
strategy, as the settlement will affect their budget, and their staff will likely have to support the ongoing lawsuit if one occurs. If prompt resolution seems unwise or unlikely, then the organization will
need to begin preparations for a lawsuit.
4.4.3
Lawsuit
Lawsuits generally bring long, expensive, and painful experiences for all involved. The risks from
a suit extend beyond the courtroom, and managing those risks requires activity well beyond counsels
office or the courtroom.
1. Guidance to Individuals Named in a Lawsuit: A lawsuit is a frightening and stressful experience for most people. An effective claims management program needs to provide handholding
and guidance for the hospital employees or physicians named as defendants in a lawsuit. The
claims professional and defense counsel should offer the following constructive guidance
during the initial process:
a. Early cooperation with the assigned legal team is essential. Named parties should be
instructed to seek or take advice from assigned defense counsel. The full legal team will
be comprised of the assigned claim professional or in-house manager, risk manager,
76
Some states mandate hearings by medical professional liability panels or tribunals to screen out
cases lacking in merit. Panel rules and structure vary by state, as do the results of an adverse finding
by the panel. Usually, these panels will weigh the credibility of evidence against the defendant healthEnterprise Risk Management for Healthcare Entities, First Edition
77
Because insurance models have changed dramatically over the past several years, defense counsel
must be able to adapt to the needs of very different clients. Litigation philosophies can vary significantly among healthcare systems and even among traditional professional liability insurance carriers.
Some healthcare organizations settle disputes more frequently and forego the expense of costly discovery and trial. Others take a more aggressive stance, preferring to take the majority of their cases
to trial. A one-size-fits-all mentality no longer applies to the needs of todays healthcare clients. It
behooves defense counsel, then, to understand the underlying values and beliefs of the healthcare
organizations they represent. And healthcare organizations need to select counsel with appropriate
aptitudes to support their preferences.
Professional liability carriers and healthcare systems have a pre-approved panel of defense counsel who are available to defend their insured physicians, hospitals, and employees. Generally, only
experienced attorneys who have built a solid track record as successful trial advocates are included in
these panels. Healthcare systems that include acute care and long-term care services need a cadre of
attorneys with expertise in both of these arenas. Defense counsel should work closely with the claims
professional, the hospital risk manager, and corporate risk management, if any, in managing the case.
Desirable criteria when selecting defense counsel include:
1. Attorneys who will try cases must be skillful and adept players in the courtroom.
2. In some cases, it might make more financial sense to recommend settlement when a case
turns, for example after the disappointing deposition of a named defendant.9 The ideal
defense counsel will identify cases that either bear undue risk or present good opportunities
for settlement early in the life of the case.10 Early resolution of cases not only saves the client
defense costs, but appropriate settlement recommendations instill trust and confidence in the
attorney.
3. As disclosure of unanticipated outcomes and early resolution become more widely accepted
on both sides of professional liability cases, healthcare organizations might consider assigning some cases to attorneys who focus their practice on early resolution. Sometimes the
personality and skill set required for non-litigated resolutions differs from the gladiator
approach that can serve trial counsel so well. An interesting conceptual model that reflects
this approach can be found in collaborative law. Most often practiced in family law settings,
this form of divided representation can also benefit clients in some personal injury situations.11 Generally, the parties agree to each engage a collaborative attorney, whose only goal
Id.
Id.
11
See www.collaborativelaw.com and www.twotracklawyers.com.
9
10
78
Obtaining Experts
Medical professional liability claims, construction claims, antitrust claims, and many other disputes require support from experts. They can lend technical support to counsel during the case, as
well. The experts must have access to all relevant information. Following the expert review, the claim
management team should meet with the expert to discuss the experts opinion and to assess whether
the expert would be a good candidate to testify at trial. Expert witnesses must be able to articulate
medical and technical concepts and standards clearly. They are often crucial to a determination about
whether or not to attempt early resolution of a dispute and, for that reason, all decision makers should
be involved in assessing the experts qualifications and input.
Because the outcome of a jury trial depends as much on the experts ability to connect with the
jury as it does on the actual facts, effective reserving will always consider the parties strength in this
area. Though often expensive, strong experts have an incredible impact on the ultimate value of a
case.
4.7
A claim reserve is an estimate of how much dispute will cost and represents money that is set aside
for the eventual possible payment of a claim and defense costs.13 If the healthcare organization is the
claimant, it must also account financially for the potential costs and recovery related to a case. A sound
reserving policy is critical to an effective claims management program. A claim management program
may establish reserves at any stage where an event seems likely to generate expenses or loss.
Robert Blasio, The Seven Best Practices of Highly Effective Medical Liability Defense Attorneys, www.westernlitigation.com/Litigation_Spotlight_6_06.asp.
13
Chapter 3 contains further discussion of risk financing alternatives which will affect the manner in which the reserves
impact the financial status of the organization.
12
79
Criteria for setting reserves for future substantive loss payments (settlements or jury awards) and
estimated claim expenses for any dispute may include:
type and severity of injury or loss;
expert opinions;
presence or absence of co-defendants and the amount of available insurance for all potential
defendants;
all parties attorneys skill and experience;
venue or jurisdiction;
usual philosophy and behavior of the judge;
specific statutes such as strict liability, caps on damages or multiple damage awards;
the parties actual economic losses; and
the parties appearance, credibility and presentation.
Robert Prahl, Setting Realistic Reserves-Projecting the Companys Future Obligations, http://www.aaisonline.com/
articles/RealisticResv.html.
15
Id.
16
Id.
17
Id.
14
80
Most organizations purchase excess and/or umbrella insurance policies to provide coverage in
high severity cases where the amount of loss exceeds the primary layer of insurance. These policies
also protect against a high aggregate total of losses. Excess coverage enables the insured to limit its
loss exposure over particular self-insured or primary insurance programs; umbrella coverage typically
provides coverage over a wider range of underlying programs. Both provide stability to an organizations financial position by protecting against volatility in losses.18
The insured has an obligation under the notice provisions of these policies to provide timely
notification of potential claims, asserted claims, and suits filed. To avoid a denial by the carrier, the
organization or claim manager must make sure the program satisfies all of its carriers reporting requirements. Generally, excess and umbrella carriers require timely notice of only high exposure events and
claims that could potentially reach the excess layer. In the professional liability context, this would
include serious obstetrical injuries, unexpected deaths, and severe neurological injuries. Coverage
triggered by aggregate losses may also require reporting on the total reserves and losses on all claims.
It is also important to apprise the excess carrier of all significant claim developments; some excess
carriers require defense counsel to copy them on all important correspondence and reports. The excess
carrier may conduct an onsite audit of the insureds processes to confirm that they generate adequate
investigations or proper reserves. In addition, the excess carrier may review the insureds loss control
plan and its ability to mitigate future losses.
4.8
Settlement of a claim or lawsuit is contingent on several factors. First, the decision should rest
on the principle of fairness to all parties. Disputes identified for settlement should always be resolved
as quickly as possible. The organization needs to balance the potential savings generated by a quick
settlement against the potential public impression that it fears publicity or litigation, a perception
that will encourage more claims. A strong program will consistently strive for fair settlements where
appropriate but avoid overpaying or last minute settlements, which can suggest a fear of litigation.
When insurers, either captive or commercial, refuse to settle cases in the face of a reasonable
demand, they risk liability for bad faith refusal to pay. Under many state statutes, a bad faith finding
will allow punitive damages or a statutory multiple of actual damages.
See Chapter 3 for further discussion of commercial risk financing opportunities for high-level exposure.
18
81
Once a party decides to settle a dispute, settlement may require only a simple negotiation process
between the parties and their counsel. But some cases may require the assistance of alternative dispute
resolution (ADR) processes. ADR has growing support as an alternative to jury trials for resolving
healthcare-oriented disputes. There are major benefits to both sides in using ADR. The proceedings are
private and confidential, ADR can reduce legal costs, and cases are often resolved more quickly. The
absence of a jury can also reduce the potential volatility of outcomes.
The most common forms of ADR include mediation and arbitration. Both utilize a neutral third
party, often retired judges and attorneys who receive special training. Any party to the dispute may
initiate an ADR process.
1. Mediation: In mediation, one or more selected neutrals will facilitate a negotiated settlement. Mediation allows the parties to disclose facts and discuss the case in a confidential and
safe environment. Often, mediation offers their first chance to discuss issues face-to-face.
Mediation does not result in a finding; if the parties are unable to agree on a resolution, the
claim or suit will continue.
2. Arbitration: Arbitration is an adjudication in which the parties select a trained individual
to decide their case in a private process.19 Arbitration works well in complex cases or where
the inflammatory nature of the case argues against a public trial. The parties in dispute voluntarily enter into a written contract to arbitrate. Although less formal than a trial, it results
in an enforceable final decision and is usually not subject to an appeal on the merits, only
for a failure of the arbitrator to follow the selected procedures. Parties to any agreement can
voluntarily require that resulting disputes will be resolved through arbitration. Benefits of this
approach include reduced legal costs, a speedier resolution to disputes, avoiding run-away
jury awards, and preserving the parties reputations by maintaining confidentiality.
Some healthcare providers and insurers encourage or require patients and clients to sign binding
arbitration clauses. This can raise a number of legal issues in different settings, especially if the facts
raise doubts about the voluntary nature of both parties agreement to arbitrate.20
4.8.2
1. Early Offers of Settlement: The early investigation and assessment of any dispute may lead
to consideration of prompt, early resolution. In professional liability situations, early offers
and settlements help manage defense costs but also provide resources to allow the injured
party to manage expenses, especially for serious injuries. The parties also benefit by avoiding adverse publicity. Evaluations of early offer programs in professional liability settings
have demonstrated benefits to the patients, who receive compensation earlier.21 Though most
Id. at 7.
Many of the decisions regarding arbitration clauses arise in health insurance and long-term care agreements. TheAmerican Health Lawyers Association has a number of resources on both of those issues.
21
Joni Hersch et al., Evaluation of Early Offer Reform of Medical Malpractice Claims: Final Report, U.S. Department
of Health and Human Services, June 2006.
19
20
82
Structured settlements involve the purchase of an annuity contract, bonds, or another secure
investment vehicle to provide periodic payments for the life of the subject (usually the
plaintiff) or for a designated period of time.22 If the parties use an annuity contract, then the
defendant buys a contract that pays benefits to the plaintiff or into a trust. If bonds or other
interest-bearing assets form the basis of the settlement, they are held in trust for the benefit of
the plaintiff. When a case involves a disputed life expectancy, as might occur with a severely
disabled child, the defendant can often purchase an annuity at a discount yet still provide
lifelong payments to provide for the plaintiffs needs.
4. Medicare and Medicaid LiensThe Governments Right to Recover: The Centers for
Medicare and Medicaid Services (CMS) added new reporting requirements under Section
111 of the Medicare, Medicaid, and SCHIP Extension Act of 2007. These reporting rules do
not eliminate any existing statutory provisions or regulations but are designed to ensure payment of all Medicare liens associated with medical payments in personal injury cases. CMS
now require the reporting of any settlements, judgments, awards or other payments made to
or on behalf of a Medicare Beneficiary by liability insurers, including self-insurance, no fault,
and workers compensation.
Under the Medicare Secondary Payer Act, the Centers for Medicare Services may recover an
amount equal to the Medicare payment for injuries involved in the claim.23 Medicare need not
notify parties of the potential lien.
Paul Scott, Economic Issues: Analysis and Cross-Exam About Economic Evaluation: Present Value of Future Payments, Structured Settlements, Periodic Payments, and Annuities, DRI Medical Liability and Healthcare Law Seminar,
March 16, Phoenix, AZ, at 152.
23
42 CFR 411.24(c); see also Glenn E Bradford and Melinda M. Ward, The Medicare Super Lien Revisited, Vol 56
J. MO Bar No.1, 2000, accessed at http://www.mobar.org/journal/2000/janfeb/bradford.htm.
22
83
Individuals eligible for Medicaid assign their rights to third party payments to the states
Medicaid agency.24 The U.S. Supreme Court has ruled that states cannot assert a lien that
exceeds the plaintiffs compensation for medical payments 25
Inadequate management of pre-trial discovery can generate its own risk for healthcare organizations. Incomplete or inaccurate information provided to litigation opponents often undermines the
most valid litigation strategies. The entity must provide appropriate resources for the review and production of information to the other side. By the same token, a party must diligently assess its own
position to avoid a very public and unnecessary embarrassment if its case goes badly. Several areas
deserve special discussion.
4.9.1
New federal rules have highlighted this issue by stating clearly that all electronically stored information is subject to the same rules as other documents and things. Chapter 28 of this handbook
contains an in-depth discussion of the risk management issues created by the electronic storage of
data.
4.9.2
Focus groups and mock trials can provide valuable information for the evaluation of a case. In a
focus group, participants hear a modified case presentation. A consultant then guides a group discussion, designed to expose the groups response to designated aspects of the case. Though focus group
participants differ from actual juries, they can provide an opportunity for attorneys to test potential
themes for the case, to learn how best to prepare witnesses, and to obtain critical feedback on exhibits
or graphics designed for used in court.27 Online focus groups are less expensive and require less time
to achieve results.
Centers for Medicare and Medicaid Services, Third Party Liability, www.cms.hhs.gov/ThirdPartyLiability.
Arkansas Department of Health and Human Services, et al. v Ahlborn, 126 S. Ct.1752, 2006.
26
U.S. Department of Health and Human Services, Health Resources and Services Administration, National Practitioner
Data Bank, http://bhpr.hrsa.gov/dqa/.
27
Linda Crawford, Focus Groups: What They Can Do for You and What They Cannot, DRI Medical Liability and Healthcare Law Seminar, March 16, Phoenix, AZ, at 43.
24
25
84
4.10.1
Jury consultants have observed that many jurors walk away from professional liability trials confused.28 Lengthy trials and complex testimony in any case (not just professional liability) can contribute
to a jurys lack of understanding. This confusion can affect the outcome of a trial. To counter this
problem, defense counsel should use visual aids such as charts, graphs, x-rays, and physical models
that help clarify the case.29 Recently, computer technology has created the chance to present stunning
visual aids to understanding. Though expensive, these aids can be very convincing and enable the jury
to understand the organizations point of view clearly.30
A partys communication style before a jury can have a critical impact on the outcome of a case.
Time and resources invested in preparing key witnesses will generate tremendous benefits.
Jurors emotional response to a case often drives jury awards. Juries with a high level of sympathy
to the plaintiff and high anger for the defendant are more likely to award higher compensatory and
punitive damages.31 Often, large healthcare organizations find themselves litigating against injured
patients, terminated employees, physicians arguing that their career is ruined, or ancillary medical
providers who claim they were forced out of business. In any of those settings, counsel for either side
must acknowledge the potential importance of juror empathy and anger.
4.10.2
High-Low Agreements
A high-low agreement is a binding contract executed prior to trial by the insurer or self-insured
defendant and the plaintiff. It locks in upper and lower payment limits, which apply regardless of a
jurys eventual findings. These agreements can limit the defendant or insurers exposure in cases with
potential for a high verdict or for a jury verdict that could exceed the insureds policy limits. Plaintiff
attorneys also gain by ensuring that their clients will obtain the low amount even if the jury finds for
the defense.
4.11
Commentary
From an enterprise risk management perspective, poor claim management practices and
decisions can have a damaging ripple effect across the entire healthcare organization. An
under-reserved high-severity case endangers the financial well being of an organization and
30
31
28
29
Linda S. Crawford, A Clear Look at Jury Confusion, Medical Malpractice Law and Strategy, October 1997, at 4.
Id.
Id.
Robert D. Minick and Dorothy K. Kagehiro, Anger Management in the Courtroom, 46, For the Defense, 13, 2004.
85
Conclusion
A full assessment of enterprise risks must include consideration of risks resulting from ineffective
claim practices that can be costly to an organization. Methodologies to evaluate and maximize the
effectiveness of a claims program should include internal assessments and external independent audits
to support needed improvement. Routine self-audits should review the effectiveness of counsel and the
outcomes of claim assessment and decision-making processes. Routine outside audits should evaluate
the performance of contracted third party claim administrators or in-house claims management, as
well as the adequacy of claim reserves. Most important, the organization must examine its own role
in losses and not blame juries, plaintiff attorneys or other outside parties or processes for a failure to
improve its claim results.
86
5
ContractsAn ERM Approach
Peggy Nakamura, RN, MBA, DFASHRM, CPHRM
Assistant Vice President, Chief Risk Officer, and Associate Counsel, Adventist Health
5.1
Introduction
Contract Review
To begin the process, an individual or department should be responsible for maintaining, and
revising as necessary, a current listing of all subsidiaries, affiliates, joint ventures or other legal partnerships into which the organization has entered. The listing should identify the correct legal names
and incorporation dates, as well as the existence of any dbas (doing business as) and their basic legal
structure. Utilizing this list as a part of the review process is critical when ascertaining that the correct
legal name is used in the contract.
Associated with this important element is the identification of the proper signatory to the contract.
An effective loss control technique is to implement an enterprise-wide policy specifying who, by position or title, has signing authority and the applicable category or type of contract. Attachment 1 is a
sample policy, Contract Review, Execution and File Maintenance, that can be used for this purpose. In
addition, healthcare organizations often have what is referred to as a Table of Authorities which lists
signature authority by dollar amount/type of contract/position.
Enterprise Risk Management for Healthcare Entities, First Edition
87
Given the myriad of departments and individuals involved in contract review, it is essential to
have an efficient system for managing the renewal and review process and categorizing the type of
contract being considered and the individuals involved. A comprehensive contract-file management
system, whether manual or software driven, can facilitate the process and assure senior management
the review is timely and comprehensive.
88
While all distinct provisions are arguably of major importance to contract performance, in the
ERM environment certain areas require special attention. In particular, insurance requirements, indemnification/hold harmless provisions, and any limitations of liability are potential areas of increased risk
to the organization and may be undetected unless proper loss control measures are implemented.
5.4.1
In the introductory clause of most contracts, the individuals and/or entities are identified. A common problem in boilerplate contracts is the failure to use the full name of the contracting individuals
or the legal name under which the entity is registered or incorporated in its home jurisdiction. Without
correction, this oversight can lead to significant problems in aligning insurance coverages and contract
requirements. The legal name and the covered entity/individual for insurance coverages must be the same
so as to avoid disputes in any subsequent claims or litigation involving the subject of the contract.
Enterprise Risk Management for Healthcare Entities, First Edition
89
Insurance Requirements
From the organizations perspective, contracts requiring the organization to procure various types of
insurance must be aligned with the risk transfer or risk financing vehicle utilized for any particular risk.
For instance, an organization may choose to have a self-insurance program for professional and
general liability risks but select a commercial insurance policy (risk transfer) for property losses or
directors and officers liability. Why does this distinction matter?
In contract insurance requirements, typical language requires the organization provide evidence
of an insurance policy with a rated or qualified insurance carrier in the state in which the contract will
be performed. A self-insured organization, regardless of funding the self-insurance vehicle, is not an
insurance company and is not governed by the states insurance regulations. Therefore, any references
to commercial insurance policies must be modified to reflect programs of self-insurance whenever
applicable so as to avoid a material breach of the contract terms. The contract must accurately reflect
the type of risk financing vehicle used by the contracting parties for each required line of coverage.
Depending on the scope and type of contract, the required coverages might include:
workers compensation;
automobile liability;
fidelity/crime;
property;
5.4.3
Indemnification/Hold Harmless
Indemnification provisions are among the most challenging to understand for nonlawyers, and yet
they can result in severe financial consequences if the reviewing party does not understand the indemnitors scope of responsibility and the reasonableness of the risk assumption. Indemnity provisions are
very prevalent in healthcare contracts and represent a contractural risk transfer worthy of attention.
Any manager or executive reviewing this method of risk transfer should have a basic understanding of
the legal framework underlying the indemnification provision and the liabilities assumed upon execution of the contract. Therefore, in-house counsel is well-advised to establish systems for additional
review of indemnification provisions before the contract is executed and when nonlawyers are a part
of the contract review process.
A few ERM-based considerations for in-house and outside counsel include:
90
Does the assumption of risk fit within the various commercial insurance or self-insurance
programs for the organization?
Does the commercial insurance policy or self-insurance document permit or allow liability
assumed by contract?
What is the risk appetite of the organization if coverage is not available or the limits of coverage are inadequate?
Enterprise Risk Management for Healthcare Entities, First Edition
Evidence of Insurance
As a practical matter, any contract imposing insurance requirements on the contracting parties
should also include a provision requiring the insured party to provide evidence that the insurance
(orself-insurance) coverage is in place. The required evidence might range from a simple certificate
of insurance to providing copies of the actual insurance policies (rarely done). Regardless, the policy
period, named insured party(ies), type of coverage, and policy limits should be apparent on the document and reviewed for compliance with contract insurance requirements.
5.4.5
Notice of Cancellation
In the event an insurer cancels the insurance policy during the term of the contract, a notice
of cancellation provision typically requires the insurer to provide advance notice of cancellation or
material change in coverage to the certificate holder (i.e., healthcare entity). The insurers providing
certificates of coverage must agree to this notification provision in advance, and it should be reflected
on the certificate document. An example of a Notice of Cancellation provision is:
All certificates of coverage shall provide for 30 days written notice to Healthcare Entity prior
to the cancellation or material change of any insurance referred to herein.
5.4.6
Limitation of Liability
A limitation of liability provision in healthcare is often found in architecture, construction, supplier, manufacturing, and software vendor contracts. Limiting the contracting partys ultimate liability
to a predetermined amount (often tied to contract price) essentially transfers the liability exposure
beyond that level to the organization.
From an ERM perspective, limitation of liability in lesser-value contracts can significantly impact
the risk assumption profile of the organization, often without detection. Particular attention should be
given whenever the limitation of liability provision affects errors and omissions, professional acts,
breach of contract, breach of security, personal injury, and property damage.
5.4.7
Waivers of Subrogation
Subrogation is the substitution of another person in the place of the original creditor, or party
entitled to the legal rights or claims. If the insured party has waived subrogation rights or released
the offending party prior to a loss (via contract) the insurers (or self-insurers) rights of subrogation
against the culpable party are eliminated.
91
Will the commercial insurer, or self-insurance program, permit a waiver of subrogation rights?
Who is responsible to contact the appropriate parties and retain the documentation?
If the contract includes insurance costs as a part of the contractor's pricing, is it prudent for
the organization to waive subrogation rights in situations involving the contractor's insurer?
5.5
There are a number of healthcare contracts that might not rise to the attention of legal counsel and
yet deserve thoughtful attention in an ERM environment.
5.5.1
Clinical Affiliations
Will the sponsoring educational institution provide coverage for the students/residents health
plan and professional liability? If not, does the student have personal health and professional
liability policies?
Which party (sponsoring educational institution or receiving organization) covers the workers compensation liability for the student/resident? If neither party covers this exposure, is
this clearly stated in the contract?
The structure and scope of student/resident supervision should be clearly specified. The receiving organization always retains administrative and clinical responsibility for any patient care
provided on its premises and regular staff cannot be replaced by students/residents.
Students/residents are to abide by the organizations policies and procedures, and may be
removed from the facility at the organizations discretion for any misconduct.
The contract should specify whether the sponsoring institution is responsible for completing
the background criminal screening required by state or federal law.
5.5.2
Independent Contractors
Temporary or independent contractors present unique challenges because they often work in single departments as a result of close working relationships with department managers. As a result, the
performance expectations might be captured in an informal document or less-than-complete contract.
Obviously, this business relationship can pose additional risk to the organization if contract review
principles and processes are not applied to the situation.
92
The organization should not assume responsibility for the contractors negligence, property
damage, personal injury, or compliance with laws, statutes, regulations, or accreditation
requirements as they affect the contract services.
Responsibility for the safe handling and disposal of hazardous materials or medical waste
rests with the organization or individual producing such materials, unless noted in the contract to the contrary.
Performance expectations must be clear, objective, and quantifiable. Vague or general statements should be avoided.
5.5.3
One of the most critical contract elements involves the responsibility of the agency to ensure
the competency and qualifications of the staff it sends to the organization. The agency, at a minimum, should perform initial licensure or certification verification, criminal background checks, and
an applicable competency evaluation. In addition, the agency should provide adequate health, workers
compensation, and professional liability coverage for its employees, and indemnify the organization
for their employees negligent acts.
5.5.4
Equipment Purchases
What warranties does the vendor supply, how are the warranties negated, and how does this
fit with the organizations insurance or self-insurance coverages?
Who, how, and where will the service and maintenance be provided?
Who in the organization can authorize equipment purchases and who monitors the purchase
and service or maintenance contracts?
5.6
Commentary
Most significant contracts for construction, capital asset acquisitions, or joint venture arrangements are authorized and approved by the organizations governing body and signed by the
CEO or CFO. However, in the interests of greater efficiency and organizational knowledge,
should other officers of the organization be authorized to sign contracts? Who can sign equipment purchasing or leasing, maintenance and repair, clinical affiliation, or supplemental
staffing contracts? An important distinction exists between those individuals in the organization who, by virtue of their role or job function, are best suited to review and/or negotiate key
terms and those who have signing authority on behalf of the organization. To be effective,
the contract review policy should be approved by the governing body and contain sufficient
detail so as to be successfully implemented throughout the enterprise.
93
Healthcare lawyers should incorporate ERM principles in the contract review process. For
instance, middle and upper management in all departments of the organization are involved
at some level with contracts: relationships, maintenance, monitoring, negotiations, or review.
Involving key individuals in the process and educating staff about contract terms is an opportunity for healthcare attorneys to add value and contribute to an organizations success.
Major risk exposures exist in what might appear to be small or insignificant contracts. From
an ERM standpoint, the logical approach is to involve multiple disciplines, departments,
and involved individuals as a contract review process is developed and implemented in the
organization.
5.7
Conclusion
Healthcare contracts come in many shapes and sizes, varying degrees of complexity, use of boilerplate language and unnecessary legalese. The ERM approach can assist with a thoughtful and careful
review of contract language by those individuals most involved in the subject matter which leads
to an enhanced identification of risk for the enterprise and a more appropriate assumption of risk. No
one attorney or executive can manage the myriad of contracts and contractual relationships without an
infrastructure in place. Utilizing ERM concepts in the contracting process is one positive approach to
creating such an infrastructure and minimizing the inadvertent assumption of risk.
References
Contractual Risk Transfer, Strategies for Contract Indemnity and Insurance Provisions, International Risk Management Institute, Inc., 2007.
Operations and Risk Management, Contract Review and Execution Policy CRE-1, AHLAs Guide to
Healthcare Legal Forms, Agreements, and Policies, First Edition, American Health Lawyers Association, 2008.
Attachments
Attachment 1Policy: Contract Review, Execution and File Maintenance
Attachment 2Contract Transmittal
Attachment 3Annual Evaluation of Service Provided by Contract
Attachment 4Contract Review Worksheet
Attachment 5Components of Contract Review
Attachment 6Contract Review and File Maintenance
Attachment 7Heath Care Contracts: Key Issues
94
95
96
From:
Date:
Contract Reviewer
Subject:
The contract named above has been reviewed and requires:
Yes
No
Officer Signature:
Further Negotiation:
Certificates of Insurance:
Other:
Based upon this contract review, the following managers/departments should receive specific contract
terms:
Manager:
Dept:
Manager:
Dept:
Manager:
Dept:
c: Contract File
Contract Review
Other
97
YES
NO
N/A
COMMENTS
98
REQUIRED ELEMENT/ISSUE
YES
NO
N/A
COMMENTS
If appropriate, contract service providers may participate in Entity-provided annual updates or education provided by
contract service will be reviewed by Infection Control Practitioner to assure that Entity standards are met.
** If appropriate, information to be reviewed by individual responsible for Entity education program to assure the Entity
standards are met and providers are given necessary education to perform their functions.
*** If appropriate, information to be provided by individual who is responsible for oversight of performance improvement activities.
Forward to:
Reviewers Signature:
Enterprise Risk Management for Healthcare Entities, First Edition
Date:
99
Date:
Contract:
Description:
Services to Be Provided:
Primary:
Secondary:
100
From:
To:
Termination/Notice:
Insurance Requirements:
Performance Description:
Outstanding Issues/Questions:
Enclosures:
Contract
Corporate RM Review
Legal Opinion
Correspondence
YES
NO
COMMENTS
101
ISSUE
YES
NO
COMMENTS
6. Does the contract require that the contracting party provide evidence of insurance or
a certificate of insurance for each insurance
required?
7. Does the contract require that the entity be
notified of material change or cancellation
of the contracting partys coverage?
8. Does the contract give the entity the right to
cancel the contract in the event of insufficient
or lack of appropriate insurance coverage as
required?
9. Does the contract specify that the insurance
requirement will outlive the term of the
contract?
10. Is there an appropriate indemnification/
hold harmless clause based on which party
has control or ownership of the liability
exposure?
INDEMNIFICATION/HOLD HARMLESS
1. Is the indemnification mutual?
2. Are the parties assuming liability for only
their own negligent acts?
PERFORMANCE OF THE PARTIES
1. Is there a full description of each partys
obligations and responsibilities?
2. Are the financial arrangements understandable and reasonable?
AMENDMENTS/EXHIBITS
1. Are all reference documents (amendments
or exhibits) attached?
GOVERNING LAW
1. Is the state in which the contract terms are
implemented or executed the governing law?
CONTRACT SIGNATORIES
1. Are the names, signatures, and titles of the
parties represented on the signature page?
102
Original to:
Duplicate to:
Business Associate
Construction
Consulting
Corporate Compliance
Equipment Maintenance
Equipment Purchase
Independent Contractor
Leases
Managed Care
Professional Services
Service Agreements
Student Affiliation
Supplemental Staffing
Transfer Agreements
103
Contract Type
Issue
Clinical Affiliations
Independent Contractors
expectations
clear
and
Contract Type
Equipment Purchases
Issue
Yes/No/
Comment
105
Contract Type
Supplemental Staffing
Agencies
Issue
Yes/No/
Comment
106
Financial Challenges
6
Financial Challenges
Richard L. Clarke, DHA, FHFMA
President and CEO, Healthcare Financial Management Association (HFMA)
6.1
Introduction
A fundamental tenet of effective enterprise risk management (ERM) is to provide value for an
organizations stakeholders (owners, investors, customers, employees, and communities) within an
uncertain and changing environment and to deal effectively with potential future events that create
that uncertainty. The importance of ERM was highlighted in May 2008 when one of the major credit
rating agencies announced that it would enhance its rating process for nonfinancial companies through
an ERM review.1
The aim of healthcare financial managers is to ensure resources are available that enable their
organizations to provide high-quality and safe healthcare services that are valued by their stakeholders
today and in the future. To provide this value, governing boards and management teams must understand the challenges and risks inherent in an uncertain and changing environment.
Financial management in this environment involves a strategic focus as healthcare organizations
experience increasing financial challenges. Examples of those more strategic functions include creating competitive strategy and helping link clinical and financial operations to improve volume, strategic
position, efficiency, payment, and clinical outcomes; a perfect fit with ERM processes.
In all of these activities, uncertainty and change are ever present. And with increasing uncertainty
and change, ERM becomes more vital. In the finance risk domain, issues include payment system
changes and compliance with Medicare/Medicaid regulations, diminished capital access because of
unstable credit markets and a weakening economy, revenue risks from the need to serve a growing
number of uninsured patients, andfor not-for-profit organizationscoping with ongoing challenges
to tax-exempt status.
Standard & Poors, Enterprise Risk Management: Standard & Poors To Apply Enterprise Risk Analysis to Corporate
Ratings, May 7, 2008.
107
Financial Challenges
The best way to understand the risks associated with healthcare finance is to review the key business challenges and drivers confronting healthcare organizations and to identify the risks inherent in
each.2 Those challenges can be grouped into four areas familiar to business management:
volume;
cost;
pricing/payment; and
capital.
6.2
Volume
For hospitals, inpatient admissions and outpatient visits have been growing slowlyat a rate of
less than 1% over the past five years. However, over that same time, the volume of nonhospital outpatient healthcare services has grown much more rapidly.
For example, while hospital inpatient surgery volume between 2001 and 2005 remained static,
total outpatient surgery volume (in hospital and nonhospital settings combined) grew 25%.3 Similarly, hospitals have been losing ground in the percentage of outpatient surgeries, with the percentage
performed in hospital-based facilities falling almost 10% compared with the percentage performed
in nonhospital facilities over the past five years.4 And although volumes for some primary care and
medical specialties have increased, payment rates have not kept pace with cost increases. In this case,
more volume does not increase profitability.
Many factors drive this shifting from inpatient to outpatient visits and from hospital to nonhospital venues. Poor economic conditions drive down elective and non-urgent services, population
changes impact volume, and competitive forces increasingly are a factor.
Competition is driven in part by a payment system that gives nonhospital providers a competitive
advantage in that they are able to focus on the most profitable services while hospitals face a higher
cost structure to support essential but unprofitable, mission-related services (such as burn units or
inpatient psychiatric units). The current payment system also attracts equity capital investors (including physicians) who see opportunities in the inequities of the current payment system. Competition is
particularly strong in services such as orthopedics and cardiology, and it is coming from physicians
and investor-owned companies, sometimes in partnership. Frequently, traditional hospitals are fighting
for market share with imaging centers, surgicenters, ambulatory care centers, urgent care centers
inshort, facilities without beds.
Healthcare finance leaders surveyed by the Healthcare Financial Management Association (HFMA)
cite physician integration as the most significant issue to affect hospital volume over the next several
2
The information about healthcare business challenges is adapted from HFMAs Healthcare Finance Outlook: 20082013,
Westchester, IL: Healthcare Financial Management Association, 2007.
3
Avalere Health analysis of Verispans Diagnostic Imaging Center Profiling Solution, 2004, and American Hospital
Association Annual Survey data for community hospitals, 19812004.
4
Verispans Diagnostic Imaging Center Profiling Solution, 2004.
108
Financial Challenges
years. A related issuethe movement toward nonhospital treatment facilities, such as retail settings
ranked as the second most significant factor that will influence hospital volume. (See Exhibit 1.)
To enhance their volume, hospitals and physicians are seeking integration opportunities to align
incentives, enhance market share, and develop stronger negotiating positions. In some settings, this
integration is relatively loose, using directorships, stipends, management contracts, gainsharing, and
leasing to link hospitals and physicians. In other settings, the integration is much tighter, using integrated delivery systems and various joint venture models.
Risk issues related to declining volume include coverage of fixed and overhead costs. That is,
as volume drops, the fixed cost per unit of service increases since there are fewer encounters over
which to spread fixed cost, such as depreciation, interest, and general overhead. Increasing volume
also carries risk. If the increased volume produces revenue per unit of service that does not cover the
increased variable or marginal cost per unit, then overall profitability declines. Finally, strategies to
impact volume (either up or down) carry a variety of risks. These range from community and government reaction to service elimination that reduces unprofitable volume to investment risks related to
strategies to increase volume.
6.3
Cost
The most significant components of cost are well known to healthcare finance executives: laborand
supplies. For most provider organizations, these costs represent anywhere from 50 to 80% of operating
costs. Labor costs are driven by factors such as nursing and other shortages, as well as rapidly rising
benefit costs. Supply costs are driven largely by the use of high-cost physician-preference items. When
looking at healthcare expenses in terms of inflation, the greatest increases for hospitals over the next
three years are likely to be seen in the areas of professional liability insurance, food, energy, equipment, and supplies.5
The dimension of the problem with rising costs can be seen from a finding by Moodys Investors
Service that in FY06 expense growth outpaced revenue growth for the first time in many years. That
gap narrowed in FY07, but expense growth remains an issue.
Healthcare finance leaders surveyed by HFMA found that the issue with the greatest influence on
hospital costs over the next three to five years is accelerating regulatory requirements. The factor listed
as second most significant was increases in cost of supplies and pharmaceuticals. (See Exhibit 2.)
To address cost issues, hospitals are working aggressively to enhance efficiency and productivity to ensure that human resources are used effectively. On the supply side, efforts focus on engaging
physicians in the process of purchasing supplies to help control use of expensive physician-preference
items. Other joint administration-clinician efforts focus on enhancing efficiency in clinical processes.
Cost issues represent an important challenge for healthcare organizations. Inappropriate costcutting efforts such as inadequate staffing, utilization of excessive temporary staffing or poorly trained
R-C Healthcare Management Hospital Inflation Data, 2nd Quarter, 2007, proprietary information from R-C Healthcare.
Used with permission.
5
109
Financial Challenges
staff, deferred maintenance and capital replacement, and inappropriate or inadequate supply levels
may increase risks related to care delivery. Overstaffing due to poor staffing management protocols,
inadequate capital planning, or poor supply-chain management also carries risks, including reduced
profitability and liquidity. The human capital risk domain is particularly affected by cost issues and
highlights the importance of involving human resources while making strategic decisions for the
organization.
6.4
Pricing/Payment
Healthcare payment and pricing systems are fraught with illogic and unfairness, creating problems for all healthcare stakeholders.
Nearly half of hospital payment derives from Medicare, Medicaid, and other government health
programs. And although these programs represent a smaller percentage of payment for most physicians, they are still significant. Due to federal and state budget constraints, government payment is
falling increasingly short of covering the costs of treating their beneficiaries. Indeed, Medicares future
is tenuous without a significant increase in government funding or a reduction in spending. Recent
estimates suggest that the trust fund for Medicare Part A could be insolvent as early as 2016.
According to healthcare finance leaders surveyed by HFMA, stagnant or declining Medicare and
Medicaid payment rates, guided by federal budget pressures, will be the most significant factor affecting healthcare payment and pricing over the next three to five years. (See Exhibit 3.)
Although providers continue to institute cost-control measures, they cannot make up the payment
shortfall. As such, the cost of these shortfalls is generally passed through to consumers. One estimate
shows private payors pay $1.22 for every dollar of hospital costs as a result of this cost-shift hydraulic, sometimes described as a hidden tax on healthcare purchasers.6
As healthcare costs continue to escalate faster than overall inflation, many employers are responding by eliminating employee health benefits or shifting more of the burden of payment to consumers
in the form of higher deductibles and copayments. These actions lead hospitals to face the additional
burden of uncompensated care associated with caring for uninsured and underinsured patients and, in
many cases, lead to further need to cost shift.
A particularly troublesome consequence of cost shifting is that, over time, hospital prices may
lose their relationship to rational benchmarks, such as cost, value, or market demand. Consumers are
the big losers in this situation, finding it virtually impossible to determine what their financial obligations will be for services, while hospital staff find it challenging to educate their communities about
the complex mechanisms that result in their pricing.
Many healthcare organizations are also grappling with rising levels of nonpayment for services
provided. These problems result in part from the trend toward reduced employee health benefits or
higher copayments and deductibles noted earlier, compounded by the economic effects of the recession
Allen Dobson, Joan DaVanzo, and Namrata Sen, The Cost-Shift Payment Hydraulic: Foundation, History, and Implications, Health Affairs 25, January/February 2006, 2233.
6
110
Financial Challenges
that began in 2007. Effective management of increasing bad debt levels requires a multi-disciplinary
effort within the organization, including patient financial service, case management, and risk management staff.
On the positive side, federal and commercial payors are making strides to link healthcare payment to actual achievement of quality processes and outcomes. And stakeholders are slowly coming
together to seek consensus on a better payment and pricing system.
As noted earlier, inadequate payment per unit of service is a key concern. And uncertainties
related to major payor sources such as Medicare and Medicaid increases both short-term operating
risks as well as longer-term strategic risks. Pricing concerns expressed by the public and policy makers
increase the risk of increased price regulation and hence reduced pricing flexibility. This increases the
uncertainty of producing the level of revenue per unit of service to cover increasing costs of providing
that unit of service.
6.5
Capital
Capital spending for healthcare organizations, especially hospitals, is driven by factors such as the
need to update or replace aging facilities, prepare for an aging population, and acquire new medical
technology. Hospitals have taken on significant amounts of debt to support increases in capital spending. Much of this capital investment is for replacement, modification, and in some cases, expansion of
facilities as well as investments in medical and business information technologies.
After years of relatively easy access, that situation is changing. Rising costs and payment challenges are eroding the margins for many healthcare organizations, and with that comes erosion of
credit quality. Exhibit 4 illustrates the growing gap between hospitals that are more creditworthy
and those that are less. In 1990, 5% of the credits rated by Moodys Investors Service were Aa rated,
65%were A rated, and 27% were Baa rated. By July 2007, the curve had attened, with 16% Aa rated,
44% A rated, and a larger 30% Baa rated. Late in 2008, several ratings agencies lowered their outlook
on both not-for-profit and for-profit hospital sectors to negative from stable and indicated that they
expect a rise in rating downgrades over 2009.
Experts predict that the cost of capital will go up in the next three to five years (see Exhibit 5)
because of concerns the rating agencies have over the medium term and the current turmoil in the
credit markets. This rising cost could well coincide with slowing growth in payment and volume for
healthcare organizations. The result could be a significant challenge to their profitability and ability to
finance their future endeavors. For example, financing of physician alignment strategies such as joint
ventures may prove significantly more difficult. Both hospitals and physician groups may need to
consider other compensation-based strategies to achieve alignment goals.
Profitable healthcare organizations will continue to have access to capital at relatively lower costs,
but they too are seeing the cost of capital increase. Unprofitable organizations will struggle even more
to keep up. The gap between the haves and have-nots can only accelerate as quality becomes more of
a differentiating strategy. Although the rising tide of the mid-2000s lifted most boats, that tide quickly
ebbed amid financial market turmoil and the economic downturn. While healthcare organizations at
Enterprise Risk Management for Healthcare Entities, First Edition
111
Financial Challenges
the top may continue to have access to capital, those in the middle tier may see their margins reduced,
and those at the bottom may see their margins drop to a negative level.
Capital finance issues such as capital demand (capital expenditures for facilities and equipment)
and capital access (cash from operations, equity, debt, contributions, grants) carry enormous risks.
Increased capital expenditures increase the fixed cost profile of an enterprise, which reduces flexibility
in times of uncertainty and requires new revenue streams to support increased cash flow demands.
Additionally, structuring of debt portfolios with both variable and fixed interest rate debt instruments carries credit market risks that are driven by national and global financial market dynamics.
Recent turmoil in the credit markets demonstrate how the risk profile of the enterprise can change
outside of managements control based on its debt structure. Too much variable debt increases volatility, but too little significantly increases the cost of capital.
Finally, capital issues also relate to the enterprises investment portfolios that are influenced by
many of the same market forces. Accounting and financial reporting requirements to mark investments
to market demonstrate the swings in asset values that can occur when financial markets rise and fall.
These accounting requirements also create a reporting risk as markets move up and down. Highly
variable debt portfolios and highly speculative investment portfolios can quickly change the financial
position of an enterprise.
6.6
112
Commentary
The organization must have a clear vision of its fiscal policies that is well known to all
stakeholders. Some organizations will struggle to survive and maintain market share, while
others will not only maintain sound operations but realize revenue growth. Knowing where
the organization is in this cycle is critical.
Financial risks must be comprehensively identified in the context of enterprise risk management in order for the organization to appropriately prioritize its goals and objectives.
While many risks are not amenable to traditional risk transfer arrangements such as the purchase of commercial insurance coverage, use of techniques such as risk avoidance or loss
control should be considered in the overall context of managing financial risk.
The ability for the organization to be fiscally prudent in todays economy requires clear strategic direction by an engaged board of directors and implementation tactics by competent
leadership.
The increased responsibility of the board of directors combined with heightened scrutiny
by regulators requires that board members, individually and collectively, be informed about
healthcare operations that may impact the financial performance of the organization and that
they are knowledgeable about current market and external financial trends. A thoughtful ERM
approach, considering the finance risk domain, can enhance the fiscal rewards and reduce the
risks to the organization.
Financial Challenges
6.7
Conclusion
Understanding the business drivers of volume, cost, pricing/payment, and capital is critical in
evaluating the risk profile of a healthcare organization. These drivers are directly associated with
key financial risks, including the ability to raise and maintain access to capital, contracting issues,
and risk-financing treatments such as insurance and self-insurance. The strategies that are developed
must operate within the mission, vision, and objectives of the enterprise. In addition, management
and governance must consider the events that may impact the organizations risk profile. Few risks
exist in isolation. Risks associated with areas such as operations, human capital, legal and regulatory,
and technology may ultimately become a financial risk to the organization. Effective enterprise risk
management is a critical adjunct to successful financial management.
113
Financial Challenges
Exhibit 3 Most Significant Factors Affecting Hospital Prices/Payment: 2008-2013
Source: Moodys Investors Service, Inc. and/or its affiliates. Reprinted with permission. All rights reserved.
114
Financial Challenges
115
Financial Stewardship
7
Financial Stewardship
Elizabeth M. Mills, Esq.
Senior Counsel, Proskauer Rose LLP
7.1
Introduction
In 2006, approximately 59% of the hospitals in the United States were operated by organizations
exempt from federal income tax because they are described in Section 501(c)(3) of the Internal Revenue
Code (Code). Of the remainder, 23% were operated by governmental units and 18% were operated by
for-profit entities.1 Nationally, in 2005 approximately 41,000 health-related organizations were Section
501(c)(3) tax-exempt organizations.2 This chapter is principally directed toward tax-exempt3 healthcare
organizations, although Section 7.5 on Use of Property Financed with Tax-Exempt Bonds and portions of Section 7.3 Tax Reporting and Payment Issues will be of interest to governmental entities,
and portions of Section 7.4 Corporate Oversight of Financial Affairs will be of interest to for-profit
healthcare organizations.
This chapter first explains the significance of maintaining tax exemption, the risks to tax exemption,
and how tax exemptions can be managed. The next section summarizes public reporting requirements
for tax-exempt healthcare organizations as well as employment tax issues and risks. Attention is then
focused on the current focus from many sources on governance as it relates to financial management
of the health organization. Finally, there is a brief summary of the risks when property financed by taxexempt bonds is not used in compliance with applicable requirements and how those requirements can
be met.
7.2
7.2.1
Tax exemption provides substantial financial and non-financial benefits to healthcare organizations. Primary benefits are:
The organization does not pay federal or, usually, state income tax on its net income, except
to the extent it is derived from activities that are unrelated to exempt purposes (such as pharmacy or equipment sales to non-patients).
American Hospital Association, Fast Facts on US Hospitals, http://www.aha.org/aha/resource-center/Statistics-andStudies/fast-facts.html. Excludes federal hospitals.
2
Blackwood, Wing, and Pollak, The Nonprofit Sector in Brief: Facts and Figures from the Nonprofit Almanac 2008,
accessible at http://nccsdataweb.urban.org/kbfiles/797/Almanac2008publicCharities.pdf.
3
When used in this chapter, tax-exempt organization or exempt organization means an organization described in
Section 501(c)(3) of the Code unless another section or another type of tax exemption is indicated.
1
117
Financial Stewardship
The organization is eligible to use the proceeds of tax-exempt bonds, thereby reducing financing expenses. See Section 7.5 on Use of Property Financed by Tax-Exempt Bonds.
The organization is eligible to receive charitable contributions that are deductible by donors.
Perhaps less today than in the past, the organization enjoys the halo effect associated with
charitable organizations.
Tax-exempt organizations must generally be recognized by the Internal Revenue Service (IRS) as
having that status, either through applying to the IRS for recognition of exemption or through inclusion in a group exemption ruling (such the group ruling issued to Catholic organizations).4 The IRS
may revoke an organizations tax exemption following an audit, which may be prompted in one or
more of the following ways:
a news report concerning the organization that piques the IRSs interest;
the IRSs selection criteria for auditing tax-exempt organizations (which may include assets,
income, type of activity, and other factors).
If the IRS revokes an organizations tax exemption, one immediate consequence can be that the
organizations tax-exempt bonds become taxable (that is, the interest on the bonds is no longer tax-free
to the holder). This is usually an event of default on the bonds, which may accelerate the organizations
debt and cause it to be immediately due and payable. Although a tax-exempt organization can challenge an IRS-proposed revocation of tax exemption both in administrative proceedings and in court,
a formal notice of proposed revocation is usually viewed as a material event that must be disclosed
to the markets. This disclosure can adversely affect the interest rate on the organizations outstanding
bonds if they are variable-rate or need to be remarketed, as well as adversely affecting public opinion.
Thus, revocation of tax exemption or even proposed revocation of tax exemption is usually not an
acceptable outcome for organizations using tax-exempt debt. The alternative, if the IRS has concerns
about whether the organization is operating consistent with tax exemption, is to conclude the audit
with a closing agreement between the IRS and the organization which lays out specific actions that the
organization will take and provides that the organization remains tax-exempt.
In addition, tax-exempt healthcare organizations are frequently eligible for exemption from property tax on their property and sales tax on their purchases. Property and sales tax exemptions are often
more important financially to healthcare organizations than exemption from tax on income; property
and sales taxes must be paid regardless of the organizations profitability, while income taxes need be
paid only if there is taxable income. Property and sales tax are governed by state and local law and
are not generally tied to federal income tax exemption. However, an organization that loses its federal
Organizations that are exempt from income tax under other subsections of the Code, such as Section 501(c)(4) social
welfare organizations or Section 501(c)(6) professional and trade associations, are not required by law to obtain recognition from the IRS of their tax-exempt status, although most do. Some types of 501(c)(3) organizations, such as churches
and very small organizations, are not required to obtain recognition of their status pursuant to Section 508 of the Code.
4
118
Financial Stewardship
income tax exemption is likely to be scrutinized by state and local taxing authorities for continued
compliance with property and sales tax exemption requirements, and an organization that does not
meet federal standards may not meet the (frequently) more stringent requirements for property or sales
tax exemption. For current issues in property tax exemption challenges, see Section 7.2.5 on Property
Tax Exemption below.
For these reasons, maintaining tax-exempt status is of utmost importance to exempt organizations. The next parts of this section summarize the requirements for maintaining tax exemption.
7.2.2
Tax-exempt organizations must be organized and operated for exempt (charitable, educational,
scientific, or religious) purposes.
Being organized for exempt purposes means that the articles of incorporation (not the corporate
bylaws) of the organization (or other organizing document if not a corporation):
The organization must operate primarily to achieve exempt purposes. If a substantial part
of the organizations activities is to achieve non-exempt purposes, it may not be eligible
for exemption. This criterion is frequently measured by the percentage of the organizations
activities (as measured by expenses, revenues, board time, employee time, or other relevant
factor) that are devoted to exempt as opposed to non-exempt purposes (for example, carrying on a business unrelated to exempt purposes), although there is not a simple formula or
numerical cutoff.
119
Financial Stewardship
The organization must not permit its net earnings to inure to the benefit of any private
shareholder or individual7 (inurement). The IRS, regulations, and courts interpret net earnings to mean the income or assets of the organization as well as its profits, and interpret
private shareholder or individual to mean a person with a personal and private interest in
the activities of the organizationbasically insiders such as directors and officers.8 Thus,
a tax-exempt organization may not provide an equity-type interest (such as a right to receive
profits) to a non-exempt person or organization and may not engage in transactions with
insiders that result in the exempt organization receiving less than fair market value.
The organization must serve public, rather than private, intereststhat is, it must not confer benefits on individuals or other persons (even disinterested persons) other than benefits
created as an incident to achieving exempt purposes.9 Thus, an exempt organization can be
disqualified for tax exemption because its activities benefit individuals even though those
individuals are not in control of the organization and even though the organization does not
engage in prohibited inurement.
The potential for violation of these standards can arise in many aspects of healthcare operations,
including: relationships with employed physicians; relationships, such as leases, service contracts, and
recruitment, with independent medical staff physicians; joint ventures with physicians or other nonexempt entities; compensation relationships with external managers and service providers; executive
compensation; financial relationships between the exempt organization or its affiliates and its directors
or officers; reimbursement of employees expenses when such reimbursement may be viewed as for
political contributions made by the individuals; and use of the exempt organizations resources in support of a political candidate. Many of these risks, particularly in physician and service relationships
and joint ventures, can be addressed through review in the contracting or transaction process. Risks
associated with executive compensation can be addressed through implementation of rebuttable presumption of reasonableness procedures referenced in Section 7.4. Risk associated with financial
relationships with directors or officers can be addressed through the rebuttable presumption of reasonableness procedures and conflict of interest procedures for transactions with interested persons.
Finally, risks associated with political campaign activity that may be attributed to the exempt organization can be addressed through systemwide policies and education detailing political campaign
behavior that is prohibited, as well as direction to accounts payable and expense reimbursement staff
to question transactions that have the appearance of involvement in political activities.
7.2.3
In addition to or instead of loss of tax exemption, the IRS can impose penalties (technically, excise
taxes) on the violating exempt organization or those who have benefited from the violation. The penalties of broadest applicability are the so-called intermediate sanctions, or taxes on excess benefit
transactions, contained in Section 4958 of the Code. Under these provisions, a disqualifiedperson
Code Section 501(c)(3).
Treas. Reg. 1.501(a)-1(c); General Counsels Memorandum 39862 (December 2, 1991); United Cancer Council Inc. v.
Commissioner, 165 F.3d 1173 (7th Cir. 1999).
9
American Campaign Academy v. Commissioner, 92 T.C. 1053 (1989).
7
8
120
Financial Stewardship
(a person who is in a position to exercise substantial influence over the organization, such as a director
or officer) who engages in an economic transaction with an exempt organization in which the exempt
organization receives less than fair market value consideration is subject to a penalty of 25% of the
excess benefit amount. The disqualified person must also correct or undo the offending transaction.
Directors and officers who knowingly approve the excess benefit transaction (whether or not they
individually benefit from it) are also subject to a tax, up to $20,000 in the aggregate. Exempt organizations must report on the Form 990 whether they have engaged in an excess benefit transaction during
the reporting year and whether they have discovered in the reporting year an excess benefit transaction
that occurred in a previous year, as well as the details of the transaction. Thus, the exempt organization
must self-report an excess benefit transaction to the IRS and indirectly to the public.
The key to whether a transaction with an insider is an excess benefit transaction is whether the
transaction is at fair market value. The intermediate sanctions regulations provide a process that, if
followed, provides the exempt organization and the insider a rebuttable presumption that the transaction is reasonable.10 This rebuttable presumption means that if the IRS believes a transaction is an
excess benefit transaction, it is the IRSs burden to prove that the transaction was not at fair market
valuea reversal of the usual situation, in which it is the taxpayers burden to prove it is entitled to
exemption. The rebuttable presumption requires that a compensation amount or a transaction (such as
sale of property) be 1) approved in advance by a disinterested committee or board that has 2) obtained
and relied upon appropriate data as to comparability prior to making its determination and 3) has
concurrently documented the basis for its determination.11 While the presumption of fair market value
does not apply if any element of the requirements is not met, satisfying as many of the rebuttable presumption requirements as possible is still desirable and helpful in demonstrating that the transaction
is in fact at fair market value. The risk of engaging in an excess benefit transaction, then, can be managed by executive compensation and conflict of interest policies that require compensation changes
or special benefit adjustments for executive employees, as well as financial transactions between the
organization and directors, officers, and other potentially disqualified persons, be approved through a
process that meets the rebuttable presumption of reasonableness.
Another penalty that can be imposed is on an exempt organizations expenditures for political
activity. For exemption purposes, political activity means activity that relates to influencing the outcome of an election for public office. As noted above, Section 501(c)(3) strictly prohibits exempt
organizations from engaging in any political activity. No de minimis amount is permitted. Section4955
provides that the IRS may impose a tax equal to 10% of the amount of the political expenditure on an
exempt organization making such expenditures. This is a tool for the IRS to use, short of revoking tax
exemption, to address isolated or inadvertent expenditures. As in the case of intermediate sanctions,
the organization must disclose on the Form 990 whether it has engaged in any political expenditures.
An exempt organization may participate in lobbying activities (attempting to influence legislation), but only as an insubstantial part of its activities. The statutory standard of insubstantial is,
of course, vague. Many exempt organizations are eligible to make a Section 501(h) election under
Treas. Reg. Section 53.4958-6. The regulations make clear that if the rebuttable presumption is not satisfied, no inference should be drawn that the transaction is at other than fair market value.
11
Id.
10
121
Financial Stewardship
which the dollar amount of permissible lobbying expenditures is determined by a formula based on
the organizations expenditures. If an electing organization spends more than the permitted amount on
lobbying activities, the organization is subject to an excise tax on the excess expenditure.12 Because
exempt healthcare organizations, particularly hospitals, have extensive exempt activities, lobbying
activities typically do not exceed permitted levels, either under the 501(h) election or under the general
insubstantial standard. However, to prevent inadvertent violations, it is desirable to have corporate
policies limiting lobbying activities to an insubstantial portion of the organizations activities and
specifying who within the organization may engage in or direct such activities, so that the extent of
lobbying efforts is known and can be reported as required.
7.2.4
The IRS has interpreted these standards as they apply to hospitals in Revenue Ruling 69-545.13
Revenue Ruling 69-545 concludes that the following factors indicate that a hospital operates for the
charitable purpose of promoting the health of the public (the community benefit standard):
The hospital has a board of directors made up of community leaders, rather than physicians
and other persons interested in the operation of the hospital.
The hospital has an open medical staff (that is, medical staff membership is available to qualified physicians in the community, rather than to a few physicians who control the hospital).
The hospital has an emergency room that treats all in need of emergency services regardless
of ability to pay.
The hospital accepts Medicare and Medicaid patients and other patients who can afford to
pay for their care.
The criterion of a community board has been adapted to modern multi-corporate systems by IRS
interpretation that an organization controlled by an exempt organization with a community board
satisfies this criterion.14 Entities that deliver healthcare services but that are not hospitals or residential facilities are subject to the same community benefit standard, modified as appropriate for their
activities.15
Notably, these criteria, which were articulated shortly after the establishment of the Medicare
and Medicaid programs, do not include the provision of non-emergency services without charge to
those unable to pay. Since that time, it has become evident that these programs have not provided the
anticipated access to care. The IRS, the Senate Finance Committee, other administrative and legislative bodies, and class action plaintiffs attorneys have examined exempt hospitals provision of free
122
Financial Stewardship
care to those unable to pay and questioned whether exempt hospitals in fact operate differently from
for-profit hospitals.16
The recent revisions to the Form 990 discussed in Section 7.3 Tax Reporting and Payment Issues
(the information return filed by exempt organizations) require substantial, very specifically defined
reporting on exempt hospitals charity care policies, amount of charity care provided, amounts of other
types of community benefit provided, and billing and collection practices. Information on the Form 990
is available to the public. Many states also have enacted statutes addressing exempt hospitals provision
of charity care, including community benefit reporting requirements, hospital billing practices requirements, limitations on collection practices, and in some cases requirements that a certain amount of
charity care be provided. A compilation of information from the American Health Lawyers Association,
the Healthcare Financial Management Association, the Catholic Health Association, and VHA concerning community benefit, charity care, and the Form 990 is available at http://www.990forhospitals.org/.
If they have not already done so, exempt healthcare organizations should review their charity care
policies and procedures, in preparation for completing the new Form 990 if for no other reason. In this
area, the manner of implementation is even more important than the policy; the best policy is worthless
if it is not applied correctly and a needy patient is denied care or unfairly pressed for payment. This
review can include:
The charity care policy itself: what criteria a patient must meet to qualify, how income and
assets are determined, whether there is a limit based on patients income on the total amount
the patient may be asked to pay, and how exceptions may be made and documented.
Collection practices: the organization has clear written standards and practices to be used in
collection activities, interest-free payment plans are available, wage garnishments and body
attachments are not used in ordinary circumstances, legal action is taken only when there is
evidence of patient income or assets available to make payment, outside collection agencies are
required to adhere to the organizations practices, patient accounts are reviewed prior to collection agency assignment to confirm that financial assistance was offered if the patient is eligible,
specified collection actions require review and approval at specified institutional levels.
Employee training: detailed and updated training materials for patient accounts personnel
are maintained, training on charity care policies is provided to all appropriate administrative
and clinical staff.
Public disclosure of charity care policies and procedures: policies are clear and understandable (taking into account languages of communities served), availability of financial
assistance is indicated on bills, policies are communicated to the community and to patients.
Staff Discussion Draft of Potential Non-profit Hospital Reforms, Senate Committee on Finance, July 17, 2007, available
at http://finance.senate.gov/press/Gpress/2007/prg071907a.pdf; Hospital Compliance Project Interim Report (Summary
of Reported Data), Exempt Organizations function of IRS Tax Exempt and Government Entities, 2007, available at
http://www.irs.gov/pub/irs-tege/eo_interim_hospital_report_072007.pdf.
16
123
Financial Stewardship
7.2.5
If healthcare organizations property is subject to property taxes, this can be a significant financial
impact, particularly since property taxes are not dependent on the income generated by the property
that is, they must be paid whether the facility is making money or not. Generally, property is exempt
from property tax if it is owned by a charitable organization and used for charitable purposes.17 State
and local governments periodically challenge the tax-exempt status of hospital property, with a flurry of
such attacks in the 1980s in Utah, Pennsylvania, and Vermont, among other states. Recently, appellate
courts in Illinois have upheld the denial of property tax exemption for hospitals and community health
centers, and the Provena case is now before the Illinois Supreme Court.18 The rationale set forth in the
Provena decision is that the organization owning the property is not an institution of public charity
and the property is not used exclusively for charitable purposes, the statutory standard, because: only
a small amount of the care providedunder 1%was charity care; it provided discounts to patients
unable to pay in part and then sued them for nonpayment of the remaining balance; its operating income
was derived almost entirely from charges; and its primary activity was to sell medical services in the
same manner as a for-profit hospital. The appellate court rejected the hospitals efforts to demonstrate
community benefit. This focus on charity care dollars and collection practices is in line with current
efforts in Congress and the IRS to refine the community benefit standard for income tax exemption.
As described above, it also means that healthcare organizations that bill and collect for services should
have internal controls over sending accounts to collection and over initiating lawsuits for payment to
limit such actions to situations in which there is some reason to believe that the patient has the ability
to pay. A few instances of perceived unfair collection treatment of poor patients, if picked up by the
media, can trigger IRS attention, property tax exemption review, and Congressional inquiries.
7.3
As mentioned in Section 7.2.4, the IRS has redesigned the Form 990, or annual information
return, that must be filed by most tax-exempt organizations,19 to require reporting of substantially more
and more detailed informationparticularly about governance issues (as discussed in Section7.4 on
Corporate Oversight of Financial Affairs below), community benefit provided by hospitals, and
tax-exempt bond use. One reason the Form 990 revision has received so much attention is that exempt
organizations must make their Forms 990 available to the public for three years following the date the
return was due.20 In addition, the IRS provides filed Forms 990 for display on Guidestar.org. Thus,
information disclosed on the Form 990 is almost immediately available to the public, the press, and
government investigators. (The only exception to the requirements for public disclosure is that the
list of donors to the organization attached to Form 990 as Schedule B need not be disclosed.) Exempt
Some states tax real property only, while others tax both real and personal property.
Provena Covenant Medical Center and Provena Hospitals v. Illinois Department of Revenue, No. 4-07-0763, Ill. App.
(4th Dist.) August 26, 2008; Community Health Care, Inc. v. Illinois Department of Revenue, 307 Ill. Dec. 519 (3d App.
Dist. 2006).
19
Private foundations (see note 6, supra) file a different form that was not revised and have always had to file that form
regardless of level of financial activity.
20
Code Section 6104(d). The organization must also make its exemption application filed with the IRS available to the
public; if the organization received exemption before 1987, it must make the application available only if it had a copy in
its possession in 1987.
17
18
124
Financial Stewardship
organizations that have more than $1,000 in gross income subject to unrelated business income tax
must also file a Form 990-T to report taxable income and pay any tax due. Effective for returns filed
after August17, 2006, Section 501(c)(3) organizations must also make their Forms 990-T available
to the public. Smaller organizations that are eligible to file a Form 990-EZ rather than a Form 990
must make that form available under the same rules. More information on the requirements for making returns available to the public is available in IRS Publication 4221-PC and on the IRS web site at
http://www.irs.gov/charities/index.html. Of particular note is the requirement that a copy be available
for inspection on a walk-in basis during normal business hours; this means that a person must be designated to have these documents. Persons who ask for access to these documents and do not receive it
can complain immediately to the IRS, and the IRS takes these complaints very seriously.
Until recently, small exempt organizationsthose with $25,000 or less in annual gross receipts
did not have to make an annual filing with the IRS. In addition, there was not a specific provision that
exemption was endangered by failure to file. Beginning for tax years ending on or after December 31,
2007, all exempt organizations that do not have to file Form 990 or Form 990-EZ must complete an
online filing with the IRS providing basic information such as name and address. An organization that
is a supporting organization described in Section 509(a)(3) of the Code must also now file a Form990
regardless of the level of its financial activity.21 Importantly, an organization that fails to make the
required filing for three consecutive years now loses its tax-exempt status effective as of the date the
last missed filing was due, and exemption cannot be restored retroactively unless the organization
shows reasonable cause for the failure to file.22 Loss of exempt status for an affiliate in a healthcare
system that occupies tax-exempt bond-financed property can have particularly severe unintended consequences, so this new provision makes vigilance in filing particularly important.
If an exempt organizations unrelated business activities will generate a tax liability on the
Form 990-T of $500 or more, the organization must pay estimated taxes in the same way as taxable corporations. Further, while many states automatically treat organizations that are exempt from
income tax at the federal level as similarly exempt at the state level, many states require that exempt
organizations with a federal unrelated business income tax liability also file a state unrelated business
income tax return and pay state income tax on that income. This state filing is sometimes overlooked,
and interest and penalties for failure to file for several years can be costly.
As organizations eligible to receive tax-deductible charitable contributions, exempt healthcare
organizations must also comply with the requirements for providing substantiation to donors for
quidpro quo contributionsthat is, contributions in which the donor receives something of value in
return, such as the right to attend a benefit dinner. In this situation, the donor may deduct as a charitable contribution only the amount contributed in excess of the fair market value of the item received.
Inaddition, donors who contribute $250 or more to a charity may not deduct the contribution unless
they receive substantiation of the contribution from the charity. The exempt organization is not technically required to provide this substantiation to the donor but usually does so to prevent unhappy
donors. These substantiation requirements are set forth in more detail in IRS Publication 1771.
Code Section 6033(l).
Code Section 6033(j).
21
22
125
Financial Stewardship
Like other employers, exempt organizations that have employees must withhold and pay federal
and state employment taxes and file employment tax returns. Penalties for failure to withhold or failure
to pay can be significant.23 In addition, the organization should confirm that individuals it is paying
and treating as independent contractors (as opposed to employees) actually qualify as independent
contractors. Determining whether individuals paid by the organization are employees as opposed to
independent contractors is important because if the organization treats individuals as independent
contractors and does not withhold or pay employment taxes, the IRS may reclassify the individual
as an employee and look to the employer for taxes, interest, and possibly penalties. In healthcare
organization audits, the IRS usually asserts the position that physicians performing medical director
or other administrative services on a part-time basis should be treated as employees of the healthcare
organization, rather than independent contractors.
Finally, while exempt organizations are often able to obtain exemption from state and local sales
taxes on items they purchase, they frequently are liable for withholding and paying sales taxes on
items they sell. Again, failure to register as a sales tax collector and to pay these taxes can result in
significant taxes and penalties.
In summary, particularly in a multi-corporate healthcare system, each entity may have multiple
filing obligations. The legal and finance functions should work together to make sure that filing
requirements are known and complied with. One system is to maintain a master entity list indicating
each entitys characteristics (e.g., type of entity, tax identification number, sales tax exemption status)
and filing requirements so that no type of filing for any of the entities is overlooked. This is especially
important now that an organization that fails to file its required IRS information return can lose its
tax exemption.
7.4
Like the board of directors of a for-profit corporation, the members of the board of directors of
a not-for-profit corporation (whether they are called directors, trustees, or some other name) have a
fiduciary duty to exercise due care in overseeing the affairs of the corporation. This includes oversight
of the corporations financial affairs. In general, the standard of care for not-for-profit corporation
directors24 is the same as for directors of for-profit corporationsthe prudent man standard, which
requires that directors discharge their duties in good faith and with the degree of diligence, care, and
skill which ordinarily prudent men would exercise under similar circumstances in like positions.
This section summarizes the views of the Panel on the Nonprofit Sector and the IRS on how this
duty applies to the activities of an exempt organization board in being the stewards of the corporations
financesoverseeing investment management, executive compensation, accounting and recordkeeping, tax reporting, and other matters. In 2007, the Panel on the Nonprofit Sector published Principles
for Good Governance and Ethical Practice: A Guide for Charities and Foundations,25 which lists
See Verret v. United States, 103 AFTR 2d 2009-1189 (5th Cir. 2009), which upheld a finding under unusual facts that a
hospital board chair and manager was personally responsible for more than $400,000 in taxes withheld but not paid over.
24
Trustees of a trust are generally held to a higher standard of care; trusts are not discussed in this section.
25
Available at http://www.nonprofitpanel.org/Report/index.html.
23
126
Financial Stewardship
33principles (the Panel Principles). In February, 2008, the IRS posted its own list of good governance
practices, Governance and Related Topics501(c)(3) Organizations26 (the IRS Practices).
With respect to investment management, Panel Principle 22 states in part:
The board of a charitable organization must institute policies and procedures to ensure that the
organization (and, if applicable, its subsidiaries) manages and invests its funds responsibly, in
accordance with all legal requirements.
IRS Practice 4.C. states:
The governing body...may be required either by state law or by the organizational documents
to oversee or approve major investments made by the organization. Increasingly, charities
are investing in joint ventures, for-profit entities, and complicated and sophisticated financial
products or investments that require financial and investment expertise and, in some cases,
the advice of outside investment advisors. The [IRS] encourages charities that make such
investments to adopt written policies and procedures requiring the charity to evaluate its
participation in these investments and to take steps to safeguard the organizations assets and
exempt status if they could be affected by the investment arrangement. The [IRS] reviews
compensation arrangements with investment advisors to see that they comply with federal
tax law.
The revised Form 990 asks whether an organization has adopted procedures and policies regarding participation in a joint venture or similar arrangement with a taxable entity; it does not specifically
ask about investment policies.
The National Conference of Commissioners on Uniform State Laws adopted a Uniform Prudent
Management of Institutional Funds Act (UPMIFA) in 2006.27 UPMIFA is intended to replace the
Uniform Management of Institutional Funds Act, adopted in 1972 and eventually enacted in 47 jurisdictions. UPMIFA updates the previous act by incorporating the rules of the Uniform Prudent Investor
Act, which was promulgated in 1994 and has been enacted in 43 jurisdictions. UPMIFA requires those
investing and managing the funds of a charity to:
act in good faith and in compliance with the prudent man standard;
in managing and investing funds, consider general economic conditions, the possible effect
of inflation or deflation, the expected tax consequences (if any) of investment decisions or
strategies, the expected total return from income and the appreciation of investments, other
resources of the institution, and the needs of the institution to make distributions and to preserve capital;
make decisions about each asset in the context of the portfolio of investments as part of an
overall investment strategy;
Available at http://www.irs.gov/pub/irs-tege/governance_practices.pdf.
Available at http://www.nccusl.org.
26
27
127
Financial Stewardship
128
Financial Stewardship
Panel Principle 21 states:
A charitable organization must keep complete, current, and accurate financial records. Its
board should receive and review timely reports of the organizations financial activities and
should have a qualified, independent financial expert audit or review these statements annually
in a manner appropriate to the organizations size and scale of operations.
IRS Practice 5.A. states:
[E]ven if an audit is not required, a charity with substantial assets or revenue should consider
obtaining an audit of its financial statements by an independent auditor. The board may
establish an independent audit committee to select and oversee an independent auditor. An
audit committee generally is responsible for selecting the independent auditor and reviewing
its performance, with a focus on whether the auditor has the competence and independence
to conduct the audit engagement, the overall quality of the audit, and, in particular, the
independence and competence of the key personnel on the audit engagement teams.
Form 990 asks whether organizations financial statements were compiled or reviewed by an
independent accountant, audited by an independent accountant, and subject to oversight by a committee within the organization. The instructions indicate that if the reporting organization is included in a
consolidated audited financial statementusually the case in a multi-corporate healthcare system
the organization should respond no to these questions but it may explain that it is included in a
consolidated audit.
The board of directors also has a duty to see that the corporation maintains financial and other
important records. Panel Principle 5 states:
A charitable organization should establish and implement policies and procedures to protect
and preserve the organizations important documents and business records.
IRS Practice 4.F. states:
The [IRS] encourages charities to adopt a written policy establishing standards for document
integrity, retention, and destruction. The document retention policy should include guidelines
for handling electronic files. The policy should cover backup procedures, archiving of
documents, and regular check-ups of the reliability of the system....Charities are required by
the [IRS] to keep books and records that are relevant to its tax exemption.
The revised Form 990 asks whether the organization has a written document retention and destruction policy.
Financial stewardship in todays environment also includes transparency to the public and other
constituencies. Panel Principle 7 states in part:
A charitable organization should make information about its operations, including its
governance, finances, programs and activities, widely available to the public.
Enterprise Risk Management for Healthcare Entities, First Edition
129
Financial Stewardship
IRS Practice 6 states:
By making full and accurate information about its mission, activities, finance, and governance
publicly available, a charity encourages transparency and accountability to its constituents.
The revised Form 990 asks how the organization makes its Form 1023, Forms 990 and 990-T,
governing documents, conflict of interest policy, and financial statements available to the public.
The revised form also asks whether the Form 990 was provided to the organizations board before
it was filed and asks for a description of the process, if any, used by the organization to review the
Form990.
Finally, while the issue may not be as commonplace for exempt healthcare organizations as it is
for other types of exempt organizations, an exempt organization should consider adopting a gift acceptance policy outlining the types of gifts (real property, partial interests, closely held stock, etc.) that
it will and will not accept and the types of conditions on property (for example, a restriction on sale)
that it considers acceptable. Gifts can carry potential liabilities; for example, gifts of real property can
present exposure to environmental issues. A gift acceptance policy can outline the types of information that must be presented (e.g., an environmental study) before a gift is accepted. Along these lines,
PanelPrinciple 30 states:
A charitable organization should adopt clear policies, based on its specific exempt purpose,
to determine whether accepting a gift would compromise its ethics, financial circumstances,
program focus or other interests.
7.5
A primary benefit of tax exemption for healthcare organizations is the ability to use the proceeds
of tax-exempt bonds. Tax-exempt bonds enjoy tax-favored status because the proceeds from these
governmentally issued bonds are used for the benefit of tax-exempt organizations or governmental
units. (The governmental issuer of the bonds may be a state or local health facilities authority, acounty,
acity, or other governmental unit; the issuer then lends the bond proceeds to the tax-exempt organization, or to the governmental user if it cannot issue the bonds itself.) The holders of these bonds are not
subject to income tax on the bond interest and the exempt organizations or governmental units enjoy
the corresponding benefit of lower interest. In exchange for this benefit, however, the use of the borrowed monies and the facilities they fund are subject to many restrictions. If these restrictions are not
observed, the result can be that the bondholders are taxed on the income they receive and the bonds
are in defaulta disastrous outcome. Further, the IRS has increased its enforcement of these restrictions in recent years, conducting compliance surveys and audits of bond users to determine whether
restrictions are being observed and whether appropriate records of the use of bond-financed property
are being kept.28 The revised Form 990 also requires, for reporting years starting on or after January 1,
2009, detailed information on the use of proceeds of each post-2002 outstanding bond issue.
See, e.g., the September 2008 report of the Tax-Exempt Bonds function of the IRS Tax Exempt and Government
Entities division on its tax-exempt charitable financings compliance project at http://www.irs.gov/taxexemptbond/
article/0,,id=186653,00.html.
28
130
Financial Stewardship
Thus, it is essential that the use of bond proceeds and bond-financed property be continually
monitored to prevent issues or, if problems have already occurred, to correct them as soon as possible.
Even though the governmental issuer is viewed as the taxpayer by the IRS, bond documents typically place responsibility for compliance with tax rules on the exempt organization or governmental
entity using the proceeds.29 If potential bad use is detected before it occurs, remedial action, such as
using bond proceeds for an alternative purpose or redeeming bonds, can be taken to avoid bad use.30 If
bad use has already occurred, voluntary compliance steps, resulting in a closing agreement and, usually, some payment, can be taken with the IRS.31 Use of bond-financed property and bond proceeds is
typically reviewed by bond counsel during a financing or refinancing. However, if a problem is discovered at that point and the IRS must get involved in a voluntary compliance agreement, the financing
can be delayed or derailed.
A primary restriction affecting ongoing compliance for bond-financed facilities throughout the
life of the bonds is that only a small portion of the facilities can be used by a private person or used
by a tax-exempt person in an unrelated trade or business. Such use is bad use. If bad use limits are
exceeded, the bonds may no longer be tax-exempt. For bonds issued for the benefit of tax-exempt organizations, the limit is generally that no more than three percent of the proceeds of an issue can be used in
a bad use if the permitted 2% of proceeds is used to fund the costs of bond issuance (ifless than 2% is
used for costs of issuance, the remainder increases permitted bad use). In addition, for bonds issued for
the benefit of tax-exempt organizations, bond-financed property must be owned by an exempt organization. For bonds issued for governmental facilities, the limit on bad use is generally 10%.
The percentage of bad use is measured for the facilities financed by each bond issue and over the
life of each bondin other words, it is measured on a bond issue by bond issue basis. One question
that frequently arises is how to determine which property is bond-financed and by which bond issue.
This can be very difficult to track because a single bond issue may fund the purchase of many items of
equipment as well as work on various parts of the physical plant. Also, recordkeeping can be difficult
because of the length of time (often up to 30 years) that bond issues are outstanding. The money borrowed in each bond issue is traced to the expenditures made with that money or with the bond issue
that the new bond issue is refinancing. Thoughtful allocations at the time of expenditure can prevent
future confusion or unnecessary restrictions. Responsibility for maintaining records of bond-financed
property and allocations should be clearly assigned to a position in the organization so that these
records can be preserved despite reorganizations or changes in personnel.
The following generally create bad use:
29
The bondholders who are not taxed on their interest income are technically the taxpayers; however, the IRS attempts to
resolve violations without taxing bondholders and instead works with the issuer. Notice 2008-31, 2008-11 IRB 592.
30
Remedial action provisions are in Treas. Reg. Sections 1.141-12 and 1.145-2.
31
Rev. Proc. 97-15, 1997-1 C.B. 635, sets forth in IRS formal closing agreement program. Notice 2008-31, 2008-11 IRB 592
describes the IRSs tax-exempt bond voluntary closing agreement program.
131
Financial Stewardship
An exempt organization uses bond-financed property to conduct an unrelated trade or business (such as reference laboratory services).
A service contract involving bond-financed property does not comply with the requirements
of Revenue Procedure 97-13,32 which sets forth IRS safe harbors for avoiding bad use. Aservice contract includes independent contractor and management arrangements but does not
include janitorial, billing, or equipment maintenance contracts.
Arrangements under which physicians receive no compensation from the hospital, but
instead provide services for which the physicians bill patients directly, may be service contracts which need to comply with Rev. Proc. 97-13, usually as per-unit fee
arrangements.
A service contract must generally meet the following requirements to comply with Rev. Proc.
97-13:
Compensation cannot be based on profits of the bond-financed facility, and cannot be calculated using both revenues and expenses of the facility.
The entity providing the services to the bond-financed facility cannot be a non-Section 501(c)(3)
entity controlled by or under common control with the facility. For example, a service contract with taxable subsidiary or Section 501(c)(4) affiliate in a multi-corporate system cannot
comply with Rev. Proc. 97-13.
Board and officer overlap between the service provider and the facility is limited.
The contracts term and compensation provisions must fall within one of several categories.
(Reimbursement paid to the service provider for expenses paid by the service provider to
unrelated parties is not treated as compensation for these purposes.)
per-unit fee and a fixed fee. The term of the contract does not exceed three years. The
contract is terminable by the facility on reasonable notice, without penalty or cause, at
the end of the second year of the contract term.
At least 50% of the compensation for services for each year during the term of the contract is based on a fee. The term of the contract does not exceed five years. The contract
is terminable by the facility on reasonable notice, without penalty or cause, at the end of
the third year of the contract term.
At least 80% of the compensation for services for each year during the term of the contract is based on a fixed fee. The term of the contract does not exceed the lesser of
10years or 80% of the useful life of the financed property.
At least 95% of the compensation for services for each year during the term of the contract is based on a fixed fee. The term of the contract does not exceed the lesser of
15years or 80% of the useful life of the financed property.
1997-1 C.B. 632, modified by Rev. Proc. 2001-39, 201-2 C.B. 38.
32
132
Financial Stewardship
As with the issues discussed at the end of Section 7.2.2 Standards for Tax-Exempt Status, the
key to compliance with these requirements is through the contracting process. Contracts for the lease
of property, sale of property, affiliations, joint ventures, and similar transactions should be reviewed
before the transaction is completed to determine whether bond-financed property is involved and, ifso,
whether remedial action is necessary. Contracts for services, whether they are for medical director,
hospital-based department, interpretation, physician independent contractor, dietary, or management
services, should be reviewed to confirming either that they meet Rev. Proc. 97-13 requirements or that
they do not involve bond-financed property.
7.6
Commentary
The matters discussed in this chapter fall primarily into the financial risk domain and, to some
extent, the legal and regulatory risk domain. It is rare that taking risk in financial stewardship produces
a competitive advantage. Further, while the risk frequency may be low, the risk severity is catastrophic.
Fortunately, for most healthcare organizations, risk reduction efforts frequently discover substantial
low-hanging fruit:
Board-level policies and procedures should be reviewed and amended or adopted as necessary. These policies should include:
implementing of procedures and recordkeeping for patient intake, billing and collection
that demonstrate compliance with the board-adopted policies and procedures, including
staff training and documentation thereof;
maintaining of a master list of legal entities and their tax and filing status so that filing
requirements can be met and tax-exempt status preserved;
133
Financial Stewardship
tracking of use of tax-exempt bond proceeds and monitoring of bad use amounts; and
providing direction to accounts payable and expense reimbursement staff to question
suspicious transactions.
Finally, the legal and contract management function should include review of proposed contracts and transactions for:
transactions that may provide private benefit, so that the need for such transactions can
be documented; and
7.7
Conclusion
governance policies;
charity care, collection, and community benefit policies, procedures, and results.
The same factors will be considered in whether property tax exemption should be maintained.
Inaddition to specific disclosures, the IRS will be attentive to tax-exempt boards oversight of financial
investments. Because of the potentially catastrophic financial consequences (including bond defaults)
of actual or threatened loss of tax exemption, and extensive disclosure requirements (making discovery of issues likely), the issues addressed in this chapter are a significant source of risk to tax-exempt
healthcare organizations but can be readily addressed.
134
Part III
Hazards
8
Energy Management as an ERM Process
Sheila Hagg-Rickert, JD, MHA, MBA, DFASHRM, CPHRM, CPCU
Senior System Director of Risk Management, CHRISTUS Health
8.1
Introduction
An energy management initiative is not the first thing that comes to mind when healthcare organizations consider various enterprise risk management (ERM) opportunities. While discussions
regarding energy management no doubt routinely occur within healthcare organizations, especially in
a time of rapidly increasing energy costs, the literature reports few examples of healthcare institutions
that have approached the issue through an ERM framework. However, when traditional risk management competencies of risk identification and loss control, claims management, and risk financing are
applied to issues related to unchecked energy demand in the face of spiraling energy costs, an effective
enterprise-wide energy management strategy may result.
8.2
Energy costs are a significant budgetary item for large healthcare organizations, particularly for
hospitals. Hospitals typically operate within large physical plants on multi-building campuses in which
air temperature and humidity levels must be maintained within relatively narrow limits for the comfort
and safety of visitors and staff and the effective operation of equipment. They have constant ingress
and egress that make indoor climate control more difficult. They utilize large amounts of heated water
that must be available on demand and house large and complex medical equipment, such as MRIs and
CT scanners that require vast amounts of power to operate.
The costs of electrical power in the U.S. have risen over 133% in the past five years.1 Price
increases have also been seen for natural gas.2 In addition, the increased public focus in recent years on
global warming, climate change, and the consequences of failing to adopt a greener approach to construction, plant maintenance, and waste management has forced healthcare organizations, like other
large institutions, to step up their energy management efforts. Given the new criticality of effectively
managing skyrocketing energy costs while contributing to global sustainability through increased
corporate responsibility for reducing carbon emissions and preserving limited energy resources, the
energy management field is ripe for consideration from an ERM perspective.
U.S. Department of Labor, Bureau of Labor Statistics, Consumer Price Index Summary (Washington, DC: GPO, June 2008).
U.S. Department of Labor, Bureau of Labor Statistics, Producer Price Index Summary (Washington, DC: GPO, June 2008).
1
2
137
Opportunities for effective loss prevention abound in the area of energy management. Most such
efforts revolve around energy conservation programs aimed at reducing the organizations overall
energy usage and shifting energy demands to off-peak periods when energy costs may be less.3
Good conservation practices begin prior to breaking ground for new healthcare buildings. Organizations seeking to reduce energy costs can work with their planning and construction management
personnel as well as outside architects, engineering firms, and contractors to ensure new buildings
and major renovations incorporate green building techniques and adhere to principles articulated in
programs such as Energy Star4 and LEED.5 Purchase decisions for major patient care and other equipment can include consideration of energy efficiency.
External consultants can be employed to perform energy audits of existing buildings to identify
opportunities to improve energy efficiency through replacement or enhancement of existing roofing
systems, window glazing systems and heating, ventilation, and air conditioning (HVAC) equipment.
While capital available for the systematic replacement of such equipment tends to be limited in most
healthcare organizations, where such projects must constantly compete for dollars with technology
up-grades and remodeling of patient care areas, entities committed to an energy conservation strategy
can create a multi-year energy enhancement capital improvement plan to ensure that, over time, the
organization moves in a more energy efficient direction.
Most electrical utility providers offer variable rates for power used during different times of the
day, particularly in hotter months during which strains on the energy system peak in the late afternoon
and early evening period when temperatures reach their daily highs and air cooling demands are at their
highest. An operational review to identify high-energy demand activities that can be deferred from peak
energy periods to off-peak times will typically yield additional savings in overall energy costs.
8.4
Claims management activities related to risk management traditionally focus on selecting and
monitoring counsel, setting reserves, negotiating settlements, and performing other duties related to
defending various liability and workers compensation claims brought against the healthcare organi Texas Electric Choice Education Program. www.PowerToChoose.org (2007).
www.EnergyStar.gov (2008).
5
U.S. Green Building Council, Leadership in Energy and Environmental Design Green Building Rating System,
www.usgbc.org (2008).
3
4
138
When dealing with energy management, risk financing looks at the various financial models and
tools available to a healthcare organization to contain energy costs. Given the governmental deregulation of utilities,6 organizations in many parts of the United States now have the option to select from
multiple suppliers of energy when purchasing power for their operating needs. Terms and conditions,
prices and billing options may vary among various suppliers so, when consumer choice is an option,
healthcare entities may elicit proposals from various vendors to determine which best serve their
needs. Again, utilizing the services of an energy management consultant may be helpful. Rate plans,
budget billing options, and service terms may be somewhat complex and confusing, and it is often
useful to employ the services of a firm specializing in making distinctions among various providers in
determining the best fit for a given healthcare organization.
Daniel H. Cole and Pete Z. Grossman, The End of a Natural Monopoly: Deregulation and Competition in the Electric
Power Industry, Boston, MA: JAI Press, 2003.
6
139
Conclusion
Taking a comprehensive approach to energy management is still a new concept to most healthcare
organizations. While most have had various conservation and efficiency efforts in place for some time,
looking at the issue strategically as an enterprise risk has not been widely adopted. However, as energy
costs continue to rise and assume greater prominence in an entitys overall operating budget, there may
be a future trend toward adoption of an ERM framework to better address organization needs.
140
9
An Enterprise Risk: Pandemic Influenza
Gisele Norris, DrPH
National Directory, Aon Healthcare Alternative Risk Transfer Practice
Amy Norris, Esq.
Associate General Counsel, Clif Bar & Company
9.1
Introduction
There has been much speculation about the emergence of a global influenza pandemic. An influenza pandemic is defined as a global outbreak of disease that occurs when a new influenza A virus
appears or emerges in the human population, causes serious illness, and then spreads easily from
person to person worldwide. Such viruses often occur first in other species (e.g., birds or pigs), subsequently infecting humans with direct contact to infected animals. A pandemic ensues once the virus
adapts to allow sustained human-to-human transmission. Pandemic influenza is distinguished from
seasonal influenza by its transmissibility: whereas most people have some immunity to seasonal influenza, humans have little natural immunity to pandemic influenza. Furthermore, the disease caused by
pandemic influenza may also be graver than that caused by the seasonal flu. Although estimates differ
slightly, influenza pandemics appear to occur roughly three times per century. The first pandemic was
reported around 490 BC.
The recent emergence of the H1N1 virus makes it clear that proactively identifying a virus with
pandemic potential is very difficult. Furthermore, novel flu viruses often result in multiple waves of
illness that arrive a few months apart. The severity of the illness my be different in each wave.
Just as the timing of a pandemic cannot be precisely predicted, neither can its severity. However,
modeling studies suggest that the impact of a pandemic on the United States could be substantial. In
the absence of any control measures such as vaccination or drugs, it has been estimated that a medium-level pandemic in the United States could cause 89,000 to 207,000 deaths, 314,000 to 734,000
hospitalizations, 18 to 42 million outpatient visits, and another 20 to 47 million illnesses. Between
15% and 35% of the U.S. population could be affected by an influenza pandemic, and the economic
impact of could range between $71.3 and $166.5 billion.1 There is currently no vaccine for the avian
flu, and antiviral treatments are in scarce supply in the United States.2
Centers for Disease Control and Prevention, Emerging Infectious Diseases: The Economic Impact of Pandemic Influenza in the United StatesPriorities for Intervention, Vol. 5, No. 5, SeptemberOctober, 1999.
2
Centers for Disease Control and Prevention, March 2006. Note: Vaccines prevent the flu while antivirals are generally
used to cure disease (if used in early stages). Antivirals can be used as a prophylaxis if large quantities are available.
1
141
shifts in consumer preferences leading to decreased demand for some products and increased
demand for others; and
Such outcomes will result in direct and significant impact on all types of business, including
healthcare. Furthermore, because pandemic will affect multiple risk domains (operations, human capital, finance, etc.), mitigation planning will require multi-disciplinary involvement. The assertion that
pandemic is a highly probable event with severe expected impact affecting multiple risk domains
qualifies it as a meaningful enterprise risk worthy of serious consideration.
9.1.1
The healthcare system itself will be forced to confront such challenges in the face of dramatically
increased demand for services. This situation is exacerbated by the fact that hospitals are themselves
a high-risk environment for contracting pandemic flu. For these reasons, healthcare facilities have an
urgent need to engage in rigorous pandemic planning if they are to fulfill effectively their missions
during a pandemic outbreak. Facilities should consider the following scenarios:
1. Surging demand: Whereas many businesses may experience a decline in demand for their
products, healthcare facilities will be faced with an unprecedented surge in demand for services
and must prepare accordingly. The CDC offers software that allows hospitals to put in population and hospital bed statistics to provide information about the range of hospital admissions
and total deaths. For example, a metropolitan area with over 4 million people could expect to
have nearly 14,000 hospital admissions over an eight-week timeframe, with over 2,500 deaths
due to influenza. Calculations can be made using a range of factors, from number of people
and hospital beds as well as the expected duration (6, 8 or 12 weeks) to the attack rate
(15%,25%, 35%). To work with this software, go to http://www.cdc.gov/flu/tools/flusurge/.
2. Employee fear of contracting pandemic flu at work: In addition to staying home due
to illness or the need to care for ill family members, employees in all lines of work may
fear coming into contact with their co-workers and contracting the virus. This fear may be
particularly great among healthcare personnel who know they will come into contact with
many infected people. This scenario is exacerbated by the fact that sufficient vaccines and
antivirals are unlikely to be availableeven to healthcare workersduring the early waves
of a pandemic. This environment of high absenteeism in the face of surging demand threatens
to impact quality of care materially.
3. Supply chain interruptions: The impact on the overall workforce will also mean interruptions in the supply chain, creating shortages of critical equipment and drugs and reducing
efficacy of care. As people throughout the world become sick, all businesses will be affected,
142
Duty to Patients
9.2.1
The primary mission of the healthcare facility is to provide safe and constructive care to its patients.
Not only is this an ethical duty, but a legal requirement, as well. For example state and federal government regulations require hospitals to provide a safe environment.3 The infectiousness of pandemic,
however, threatens the very safety of the hospital environment. The healthcare facility must make
every effort to mitigate this risk and, for this reason, an infection control program that consciously
addresses pandemic must be in place.
Because influenza is primarily spread through human-to-human contact, the pandemic infection
control procedures should, first and foremost, address the provision of adequate numbers of disease free
staff and/or volunteers. As mentioned above, healthcare workers will be in short supply and hospitals
will be pressured to reorient workers and stretch capacity however possible. For this reason, hospitals
need to understand which local, state, and federal agencies may have control in coordinating various
medical personnel during a pandemic and how this may affect a healthcare facilitys workforce.
More traditional infection control procedures must also be revisited and refreshed, including:
promotion of respiratory etiquette and hand washing among patients, staff, and visitors;
See, e.g., Murillo v. Good Samaritan Hospital, 99 Cal. App. 3d 50, 5657 (1999), imposing on hospitals duty to provide
safe environment in which to diagnose and treat patients.
143
provision of Personal Protective Equipment (PPE) and masks for patients, staff, and visitors;
disinfection of equipment.
CDC and others have published guidelines for infection control in the event of a pandemic, and
healthcare institutions should be diligent about documenting any change in policy. Furthermore, to the
extent possible, patients entering the healthcare facility during a pandemic should understand the additional risk. To this end, care providers should consider whether current informed consent and release
provisions are adequate or require revision.
As healthcare facilities consider stretching their workforce through use of volunteers, retired health
professionals, and out-of-state health professionals, they must also consider the legal ramifications of
such strategies including: licensure requirements, provision of workers compensation, professional
and general liability coverage, and proof of adequate training.
The use of volunteer services gives rise to several legal issues. Facilities should examine minimum
wage and overtime laws to determine whether they apply to volunteers. The Fair Labor Standards Act
defines volunteer rather broadly for purposes of wage and hour laws. A person who performs activities
without a promise or expectation of compensation for his or her personal pleasure falls outside the Fair
Labor Standards Act.4
State labor codes may, however, have a more narrow definition of volunteer for purposes of wage
and hour laws.5 In addition, healthcare facilities should analyze the applicable state workers compensation laws to determine what coverage, if any, is extended to volunteers.
Another consideration is the possibility that volunteers will expose themselves to liability by
offering their services. The potential liability exposure may discourage volunteers. Hospitals should
strategize how best to limit the liability exposure of volunteers. To address this concern during
Hurricane Katrina, one commentator reports that medical personnel were appointed as temporary
uncompensated federal employees. They were thus classified as employees of the United States and
qualified for the protections of the Federal Tort Claims Act (28 U.S.C. 2671 et seq.).6
144
9.2.2
States and counties may impose isolation and quarantine during a pandemic. Isolation refers to
the separation of persons who have specific infectious illness from those who are healthy. Quarantine
refers to the separation and restriction of movement of persons who, while not yet ill, have been
exposed to an infectious agent and therefore may become infectious.
Many levels of government have basic authority to compel isolation of sick people to protect the
public. States and local jurisdictions have primary responsibility for isolation and quarantine within
their borders, whereas the federal government has responsibility for preventing the introduction of
communicable diseases from foreign countries. A states authority to compel isolation and quarantine
within its borders is derived from its inherent police power. As a result of this authority, individual
states are responsible for isolation and quarantine practices within their state.
State and local regulations vary significantly and, whereas some states have codified new and
detailed provisions, others rely on old statutes that may be very broad in scope.7 Furthermore, in
some jurisdictions, state law governs the local public health departments whereas elsewhere, local
authorities may have greater responsibility. States may also look to the Model State Emergency Health
Powers Act for guidance.8 This Act is described in greater detail below. Many states have incorporated
various provisions of the Act.9
In addition to understanding the direct impact of isolation and quarantine on their own facility,
healthcare facilities should understand the laws of quarantine across state, tribal and country
borders and how quarantine may restrict trade and travel in their region, and how this may
affect the supply of critical staff and supplies. Furthermore, facilities should consider the fact
that they may be deemed isolation and/or quarantine facilities with legally restricted ingress
and egress, and prepare accordingly.
9.2.3
Security Considerations
The security of the facility and access to patients and supplies should also be revisited. In the
event that they are not deemed quarantine facilities, policies should be developed to govern visitor
access in the event of a pandemic and such policies should consider the treatment of anxious family
members and loved ones, with respect to the law. Healthcare facilities should give careful consideration to access requirements for parents of sick children, as well as dealing with practical scenarios,
e.g., how to handle children whose single parent and sole caregiver is under hospital care.
Healthcare facilities are likely to receive, house, and distribute items such as vaccines and anti
virals. Vaccine is unlikely to be available at all in the early days of a pandemic, and it is estimated that
antivirals will be in short supply. Because such items will be in high demand, it is critical to establish
See http://www.healthyamericans.org/reports/bioterror04/Quarantine.pdf for a summary of state quarantine and isolation laws.
8
See http://www.publichealthlaw.net/MSEHPA/MSEHPA2.pdf.
9
For a summary of state activity, see the MSEHPA State Legislative Activity Table at http://www.publichealthlaw.net/MSEHPA/MSEHPA%20Leg%20Activity.pdf and the MSEHPA State Legislative Surveillance Table at
http://www.publichealthlaw.net/MSEHPA/MSEHPA%20Surveillance.pdf.
7
145
Ethical Considerations
As implied above, some communities have begun difficult ethical discussions about the priority
of care provision during a pandemic. In addition to concern about who should have access to early
doses of vaccine and antivirals, much of this discussion has been focused around the hierarchy of
eligibility for ventilator care. Certain groups (including the very elderly and the chronically ill) have
been deemed by some communities to be lower priority for ventilator care in times of shortage. See,
42 U.S.C. 264.
CRS Report for Congress, Mandatory Vaccinations: Precedent and Current Laws, Angie A. Welborn, updated January18, 2005, Order Code RS21414.
10
11
146
Discharge
Duty to Workforce
As always, the facility must ensure that its own employees are protected from infection to the
maximum extent possible. The Occupational Safety and Health Act (OSHA) requires employers
to provide a safe workplace free of hazards likely to cause death or serious physical harm to its
employees.14 OSHA permits the Secretary of Labor to impose temporary emergency standards if he
http://www.health.state.ny.us/diseases/communicable/influenza/pandemic/ventilators/docs/ventilator_guidance.pdf.
The Pandemic Ventilator Project whose goal is to attempt to construct a ventilator design for use in a Flu Pandemic that
can be made from readily available materials at the last minute also maintains a website which discusses the moral and
ethical dilemmas of limited ventilator access. See http://www.penvent.blogspot.com.
13
Ethical and Legal Considerations in Mitigating Pandemic Disease: Workshop Summary, Stanley M. Lemon, Margaret
A. Hamburg, P. Frederick Sparling, Eileen R. Choffnes, and Alison Mack, 2007.
14
29 U.S.C. 654.
12
147
If a full-time staff member stays home from work because he/she fears becoming infected,
will his/her salary be continued?
If an employee is compelled to work (in order to guarantee salary continuance) and becomes
infected, what are the legal ramifications?
29 U.S.C. 655(c).
Guidance on Preparing Workplaces for an Influenza Pandemic, OSHA Publication No. 3327-02N 2007,
http://www.osha.gov/Publications/influenza_pandemic.html.
17
Hospitals in California, for example, should consult the California Division of Occupational Safety and Health, which
promulgates additional regulations in addition to OSHA. See 8 Cal. Code of Regs., Chapter 3.2.
15
16
148
If salary continuance policy towards exempt and hourly employees differs, will this be considered discrimination?
How will overtime be paid? Does the facility have adequate reserves to meet estimated overtime requirements?18
If employees are asked to shelter-in-place at the facility for several days or weeks, how will
they be compensated for this additional service?
Are compensation policies in compliance with the Fair Labor Standards Act19 and any applicable state labor codes relating to compensation/meal and rest periods? 20
In the case of employees who do become ill, the hospital must consider how sick leave, vacation,
disability and workers compensation will respond. Considerations might include prioritizing sick
leave, disability, and vacation leave and determining how disability will be triggered. In determining
those circumstances in which sick leave will be paid, hospitals should create a policy that encourages
infected and potentially infected employees to stay home so as to reduce the possibility they may
infect other employees. Facilities should also consult with their disability insurers to discuss whether
the insurer would require proof of illness as a trigger for disability payments and if such proof is likely
to be available during a pandemic.
An analysis of vacation and sick leave should include examination of the Family Medical Leave
Act (FMLA)21 and any applicable state leave acts.22 FMLA permits employers to require the use of
paid leave (i.e., vacation and sick leave) in lieu of FMLA leave.23 State leave statutes should be examined to determine if they provide greater protections than FMLA.
In a healthcare environment, some employees are likely to contract flu in the workplace. For this
reason, employers must consider how workers compensation coverage will respond. Questions to
ponder include:
Does your institutions workers compensation cover pandemic flu?
If the institution is self-insured for any portion of its professional, general, or workers compensation programs, are its reserves adequate?
When will coverage be triggered?
Will exposure be considered a workplace injury covered by workers compensation?
Should the physician panel be suspended/expanded?
State overtime laws vary widely. Some states provide exemptions to overtime regulations for healthcare emergencies.
See, e.g., 8 Cal. Code of Regs. 11040.
19
29 U.S.C. 206 and 207.
20
Hospitals should pay particular attention to their states labor code provisions regarding meal and rest periods. Failure
to provide adequate meal and rest periods may lead to extensive penalties. See, e.g., California Labor Code 226.7 and
512 and 8 Cal. Code of Regs. 11040 and 11051.
21
29 U.S.C. 2601.
22
California, for example, has adopted the Family Rights Act which permits an employee to take leave to care for a sick
family member. California Government Code 12945.2 and 2 Cal Code of Regs. 7297.5. See also California Labor Code
233.
23
29 U.S.C. 2612; 29 CFR 825.207.
18
149
150
151
Healthcare facilities, and hospitals in particular, will have an especially unique responsibility
to their communities in the case of a pandemic. They will be looked to not only for lifesaving care
but also for information, leadership, and guidance in a time of chaos. Therefore, it is incumbent on
hospitals to obtain comprehensive knowledge of the local, state, and federal (e.g., CDC) officials with
whom they will coordinate during a pandemic and create a plan for communication with these individuals and their alternates. In addition to assisting in coordinating planning care efforts with county
and state health departments and other hospitals, these government entities will likely control the
access and flow of, not only vaccine and antiviral resources, but also information about the evolving
characteristics and movement of the disease. For this reason, appropriate coordination is essential to
preserving maximum availability and continuity of care.
Facilities must also consider how they will communicate with their communities. Items to be
considered in advance of a pandemic include:
designating a spokesperson for the media and public;
key messages you would like the public to hear and understand;
medium of communications;
how priority groups for vaccine and antivirals will be explained; and
how facilities will organize and communicate vaccination campaign efforts.
Many states are likely to look to the Model State Emergency Health Powers Act, which was drafted
in the wake of September 11. The Model Act provides broad authority for the states governor to:
declare a public health emergency;
grant the public health authority the ability to exercise emergency powers with respect to the
licensing and appointment of health personnel;
authorize state and local officials to use and appropriate property for patient care;
allow officials to destroy contaminated facilities or materials;
empower officials to provide care, testing, and treatment;
provide the public health authority with the ability to prioritize and ration healthcare
supplies;
mobilize organized militia into service of the state;
grant emergency access to individual health information under specified circumstances;
permit separation of affected individuals from the population at large (isolation and quarantine); and
provide various immunities with respect to liability to the state itself and those assisting the
state during a public health emergency.
152
This chapter addresses the duty of the healthcare facility to its various constituents in the case of
a pandemic. Other key relationships, such as those with suppliers, should also be taken into account.
Healthcare facilities should consider requesting pandemic preparation plans from key suppliers,
reviewing contracts to determine remedies for failure to supply (e.g., will pandemic be considered
force majeure?), and ensuring that the hospital is not dependent on sole-source provision for essential
products and services.
9.6
Conclusion
Although many enterprise risks are specific to an individual entity or geography, pandemic is a
material risk faced by all healthcare facilities. The severity of the event will be unprecedented and the
impact complex, as absenteeism disrupts all aspects of facility operations. Despite this extraordinary
level of hardship, the hospital will be obliged to provide the safest possible environment for patients
and staff. In addition, the facility has a special responsibility to provide information and leadership to
the public. These duties should be addressed by developing comprehensive pandemic plans that take
into account the facilitys ethical and legal obligations to patients, workforce and community. Such
planning should also strive to protect the organizational well-being of the facility during a pandemic
by carefully considering the financial and legal ramifications of various courses of action.
153
Volunteers
Division of Labor Standards Enforcements 2002 Update of the DLSEs Enforcement Policies and Interpretations Manual 43.6.5-43.6.7 O.L. 1988-10.27
http://www.healthyamericans.org/reports/bioterror04/Quarantine.pdf
http://www.publichealthlaw.net/MSEHPA/MSEHPA2.pdf
Mandatory Vaccination
42 U.S.C. 264
CRS Report for Congress, Mandatory Vaccinations: Precedent and Current Laws,
Angie A. Welborn, Updated January 18, 2005 Order Code RS21414
Resource Allocation
http://www.health.state.ny.us/diseases/communicable/influenza/pandemic/ventilators/docs/
ventilator_guidance.pdf
Employee Safety
154
29 U.S.C. 654
29 U.S.C. 655(c)
Leave
29 U.S.C. 2601
Workers Compensation
29 U.S.C. 2612
29 CFR 825.207
California Comp. & Fire Co. v. Workmens Compensation Appeals Board, 68 Cal. 2d 157
(1968)
Accommodation
Reinstatement
29 CFR 825.214
Neisendorf v. Levi Strauss & Co., 14 Cal. App. 4th 509 (2006)
29 C.F.R 825.214
Facility Closure
Worker Adjustment and Retraining Notification (WARN) Act at 29 U.S.C. 2101 et seq.
155
10
Environmental Compliance in the Context
ofERM
Nicola A. Nelson, Esq.
Richard S. Porter, Esq.
Hinshaw & Culbertson LLP
10.1
Introduction
The United States Environmental Protection Agency (EPA or the Agency) rigorously applies
environmental statutes and regulations to healthcare facilities, and history has shown that the Agency
does not hesitate to impose stiff penalties for violations of its regulatory requirements. Environmental
contaminants associated with healthcare facilities include mercury, dioxin, and other persistent, bioaccumulative toxics (PBTs). In addition, hospitals are recognized as generating hazardous wastes such
as antineoplastic chemicals, solvents, formaldehyde, photographic chemicals, radionuclides, waste
anesthetic gases, and chemotherapy agents, as well as more common waste materials such as batteries,
light bulbs, and pesticides.
In response to Agency concerns about the environmental risks associated with healthcare facilities, EPA Region 2 launched a compliance initiative in 2002 that targeted facilities in New York, New
Jersey, Puerto Rico, and the Virgin Islands. That initiative offered incentives for self-auditing and
disclosure and warned of the Agencys intent to step up healthcare facility enforcement actions. This
well-publicized decision to target healthcare facilities delivers an unmistakable warning: environmental compliance is a vital component of an organizations enterprise risk management strategy.
Organizations must, therefore, be proactive in developing and updating their environmental compliance programs, and must be prepared for the possibility of an environmental inspection at any time.
To effectively manage risk in the context of the ever-changing, ever-expanding web of environmental
laws and regulations, organizations must arm themselves with detailed knowledge, enlisting the aid
of environmental law professionals to formulate policies and protocols that address the organizations
legal duties and areas of vulnerability.
It is vital for the organization to recognize that environmental considerations must not be compartmentalized and relegated solely to the development of policies dealing with the discharge of wastes
and refuse. Rather, a responsible organization will recognize that environmental considerations play a
role in almost every aspect of an organizations operations. Contract review, for example, should rouEnterprise Risk Management for Healthcare Entities, First Edition
157
The Appendix to this chapter includes a chart describing the record-keeping requirements for many of the relevant
laws and regulations discussed in the chapter, as well as some regulations that commonly apply to healthcare facilities
but are not specifically addressed in the chapter. An excellent source for additional information regarding environmental
issues of concern to healthcare facilities is the website of the Healthcare Environmental Resource Center (HERC) at
http://www.hercenter.org. For those seeking a truly comprehensive and detailed guide to environmental compliance, the
EPA makes available its 155-page Profile of the Healthcare Industry compliance manual, geared specifically toward those
in the healthcare field, at http://epa.gov/compliance/resources/publications/assistance/sectors/notebooks/health.pdf.
158
10.2
10.2.1
The Clean Water Act (CWA) is designed to protect the nations waters, which include both groundwater and navigable waterways.2 The CWA includes the national water quality standards program, a
permit program for the discharge and treatment of wastewater and stormwater, and a program designed
to prevent oil pollution.
The EPA defines water pollutants as any type of industrial, municipal, and agricultural waste discharged into water, including solid waste, incinerator residue, sewage, garbage chemical wastes,
biological materials, radioactive materials, heat, wrecked or discarded equipment and industrial,
municipal, and agricultural waste.3 Under the CWA, pollutants are classified as one of three types:
(1)toxic, (also known as priority), which includes dioxins, mercury, and ammonia; (2) conventional,
which includes biochemical oxygen demand (BOD) substances, total suspended solids (TSS), fecal
coliform, oil and grease, and pH; or (3) non-conventional, a catch-all category that includes any pollutant not identified as either conventional or priority.
Healthcare facilities may have a variety of wastewater sources, including sinks, drains, showers,
toilets, and tubs, as well as stormwater (which typically washes away dirt, debris, oil from parking lots,
pesticides, lawncare chemicals, and other pollutants). Unless a facility discharges wastewater directly
into a stream or river, it is categorized as an indirect discharger of wastewater. As an indirect discharger,
a facility is subject to all relevant wastewater regulations, including local sewer authority regulations,
and may be required to obtain an industrial user permit from the local municipal pretreatment program.
Municipal regulations usually prohibit the discharge of medical waste, and the CWA regulations prohibit
the discharge of fire or explosion hazards; corrosive discharges (with a pH of less than 5.0); discharge
of solid or viscous pollutants; heat discharge that would cause treatment plant influent to exceed 104
degrees F.; discharges that would create toxic gases, fumes, or vapors; and the discharge of other pollutants that could interfere with or pass through a treatment plant (for example, oil and grease).
A facility that uses or stores oil may be subject to the Spill Prevention Control Countermeasure
(SPCC) rule, and those with a total aboveground oil storage capacity of greater than 1,320 gallons,
or with a total underground storage capacity of greater than 42,000 gallons are subject to SPCC plan
requirements, which require the preparation and implementation of an SPCC plan to prevent the discharge of oil into navigable waters or adjoining shorelines.
In the context of the CWA, EPA inspectors are authorized to enter a facility to conduct an inspection to determine compliance. The most common areas of focus in a CWA compliance inspection are
wastewater discharges, stormwater discharges, and aboveground or underground storage containers.
Inspectors typically ask to review a facilitys permit for indirect discharge to the local municipality,
itsSPCC plans, its Phase II NPDES stormwater permits (for facilities in urban areas), and any NPDES
general permits for direct discharge into a water body.
EPA training materials concerning the CWA, as well as a link to the Act itself and the implementing regulations, are
available at http://www.epa.gov/watertrain/cwa.
3
USEPA NPDES website, http://cfpub.epa.gov/npdes/faqs.cfm (May 14, 2008).
2
159
The Resource Conservation and Recovery Act regulates facilities that generate, transport, treat,
store, or dispose of hazardous waste.4 Virtually all healthcare facilities are deemed hazardous waste
generators under RCRA, therefore compliance with RCRA and its implementing regulations represents a major area of concern for healthcare facilities.
Hazardous waste is classified as either listed (i.e., specifically identified hazardous substances,
including, for example, solvents and insecticides) or characteristic. Characteristic substances are those
with properties that EPA has identified as hazardous to human health or the environment, including
the characteristics of: (1) ignitability (substances that are flammable under certain conditions); (2)corrosivity (those that corrode metals or have a very high or low pH); (3) reactivity (those that readily
explode); and (4) toxicity (those that are known to be harmful or fatal if ingested, and are known to
leach into ground water, such as arsenic, lead, or mercury).
The RCRA regulations categorize facilities as Large Quantity Generators (LQGs), Small Quantity
Generators (SQGs), or Conditionally Exempt Small Quantity Generators (CESQGs), based on the
amount of waste they generate per month and the amount of waste stored onsite. These categories
determine the applicable regulatory requirements.
An EPA inspection for RCRA compliance is usually extensive and can take up to a week to
complete. Inspections typically focus on universal waste storage areas,5 used oil storage areas, vehicle
maintenance facilities, battery storage areas, transfer terminals, secondary containment structures, dispenser pumps and check valves, leak detection equipment, alarms, sight gauges, fill ports, catchment
basins, and cleanup equipment. Other areas that will be inspected include the facilitys laboratories,
pharmacy, and morgue.
An inspector will also review all required records relating to mandatory notifications of hazardous waste activity, hazardous waste manifests, manifest exception reports, biennial reports, inspection
logs, employee training documentation, the hazardous substance spill control and contingency plan,
material safety data sheets, spill records, the Spill Prevention Control and Countermeasure Plan, emergency plan documents, the placarding of hazardous waste and hazardous materials, permits, if any,
waste analysis plans, universal waste transportation/shipping records, records concerning underground
storage tanks (USTs), and all relevant permits.
The most common RCRA healthcare facility violations include a failure to comply with hazardous
waste generator regulations and related lack of documentation, failure to comply with UST regula The EPA handbook on understanding hazardous wastes is available for download at http://www.epa.gov/region02/
waste/public/sqg_pdf.pdf.
5
Universal waste includes batteries, pesticides, mercury-containing equipment, and lamps/bulbs. See 40 CFR Part 273.
4
160
The Emergency Planning and Community Right to Know Act (EPCRA) is designed to promote
emergency planning and preparedness.6 It mandates emergency planning, the notification of state and
local government with respect to the presence of certain chemicals, and the reporting of hazardous
substance releases. Emergency planning requirements apply to any facility that has any chemical designated as extremely hazardous (for example, liquid oxygen) at or above its planning threshold quantity,
and require that such facilities notify the State Emergency Response Commissioner (SERC) and Local
Emergency Planning Committee (LEPC) within 60 days of receiving or producing an extremely hazardous substance. EPCRA also requires that such facilities provide the LEPC with a representative to
participate in the emergency planning process. Reportable releases of a hazardous substance require an
emergency notification and written follow-up notice. Annual inventory reports are mandatory.
Typical records reviewed by an inspector evaluating EPCRA compliance include the facilitys
proof that required timely notifications were made for environmental releases of hazardous substances,
the facilitys emergency response plan, MSDS information, and inventory reporting forms.
The most common EPCRA healthcare facility violations include a failure to report accidental
chemical releases and emissions data to local authorities, and the storage of chemicals (e.g., heating oil
and gasoline) onsite above threshold amounts.
10.2.4
The Clean Air Act (CAA) is designed to protect and preserve air quality.7 In the context of healthcare facilities, the EPA is most concerned with a healthcare facilitys air conditioning and refrigeration
systems, boilers, medical waste incinerators, and with the presence of asbestos. All are subject to
federal emissions, monitoring, and recordkeeping regulations, which are strictly enforced. Facilities
that are deemed a major source of hazardous air pollutants (HAP) (10 or more tons per year of a single
HAP or 25 tons per year of combined HAPs), must obtain a Title V operating permit. Application
for a permit typically requires submission of information concerning emissions, control devices, and
general processes at the facility. Such permits limit emissions, and require monitoring, recordkeeping,
and reporting.
Detailed information on EPCRA is available from the EPA at http://www.epa.gov/Compliance/civil/epcra.
Although the CAA is federal legislation and establishes federal standards, state and local regulations may also apply,
and enforcement of the CAA generally occurs at the state or local level. The CAA and accompanying regulations may be
viewed online at http://www.epa.gov/air/caa.
6
7
161
The Toxic Substances Control Act (TSCA) is designed to facilitate the collection of data to evaluate, mitigate, and control risks posed by the manufacture, processing, and use of chemicals.8 The TSCA
regulations most relevant to healthcare facilities are the lead hazard reduction regulations (relevant in
renovations that may involve pre-existing lead-based paint); hexavalent chromium regulations (relevant with respect to water treatment in cooling towers); and polychlorinated biphenyls (PCB) hazard
reduction regulations (relevant in renovations, particularly those involving pre-1979 materials and
equipment that may contain PCBs). Other important regulations are those governing the use and disposal of asbestos, including the Asbestos Hazard Emergency Response Act (AHERA), which requires
the development of management plans and specifies work practices and engineering controls for the
removal and handling of asbestos.
The most common TSCA healthcare facility violations include failure to properly address lead
paint in buildings and lack of knowledge of a lead hazard.
10.2.6
The Federal Insecticide, Fungicide, and Rodenticide Act (FIFRA) regulates the distribution, sale,
and use of pesticides, including insecticides, herbicides, fungicides, rodenticides, and antimicrobials.9
The Act mandates that virtually all pesticides sold in the United States be registered by the EPA. Registration includes the classification of pesticides as unclassified, general use, or restricted use. Those
with the potential for causing unreasonable adverse effects on the environment may only be applied
by, or under the direct supervision of, a certified applicator. It should be remembered that a facilitys
sterilants, disinfectants, and sanitizers generally fall within the definition of antimicrobials, which are
regulated under FIFRA. The law mandates that labeling directions delineating the appropriate dilution,
specified contact times, and methods of application be followed.
162
The EPA compiles facility compliance data generated pursuant to the laws and regulations discussed above through the Integrated Date for Enforcement Analysis system (IDEA), which utilizes a
Master Source ID identification number to extract records and data from a variety of sources, to match
a facilitys Air, Water, Waste, Toxics/Pesticides/EPCRA, and enforcement records, and generate a list
of permit, inspection, and enforcement activity, resulting in a master list of records.10
Because the federal government maintains and tracks facility data and does not hesitate to punish organizations that fail to report and maintain mandatory records, the need for an organization to
engage in meticulous record-keeping is paramount. Maintenance of well-organized records not only
allows an organization to easily track its own compliance, it also enables the entity to prove compliance should the Agency assert that mandated records or reports are missing or were never filed.
10.3
Environmental Audits
The EPA has a self-policing audit policy designed to facilitate the discovery, disclosure, correction, and prevention of environmental violations. The auditing process minimizes the need for EPA
investigation enforcement actions, and offers the incentive of eliminating or drastically reducing the
penalties normally associated with violations.
The primary incentive of a healthcare facilitys environmental compliance is that any self discovered problem can be reported to the EPA without subjecting the facility to gravity-based penalties.
Gravity-based penalties are the portion of the penalty that is over and above the economic benefit of
noncompliance. In other words, gravity-based penalties are the punitive portion of the penalty.
The EPAs IDEA page allows users to query the IDEA database and obtain compliance monitoring, enforcement, and
demographic data online at http://www.epa.gov/compliance/data/systems/multimedia/idea.
10
163
Systematic Discovery
The violation must be discovered through environmental auditing or implementation of a compliance management system.
10.3.2
Voluntary Discovery
The violation must not have been detected due to a legally required (rather than voluntary) monitoring, sampling, or auditing procedure.
10.3.3
Prompt Disclosure
The disclosure must be promptly made in writing to the EPA, generally within 21 days of discovery (or less if required by law). Disclosure becomes required when a facility, director, employee, or
agent has an objectively reasonable basis to believe the violation has or may have occurred.
10.3.4
The discovery of the violation must occur before the EPA or another regulator would likely have
identified it through its own investigation.
10.3.5
The violation usually must be corrected within 60 days from the date of discovery (unless otherwise agreed to by the EPA).
10.3.6
Prevent Recurrence
The healthcare facility must take steps to ensure the violation will not recur.
10.3.7
The healthcare facility must not have committed the same violation (or closely related violations)
within the past three years. If a healthcare institution owns several parcels of land or facilities, this
exclusion might be triggered even though the violations occur at different parcels or facilities. However, if a facility is newly acquired, the existence of a prior violation does not trigger this exclusion.
10.3.8
Violations resulting in serious actual harm, such as those that present imminent and substantial
danger to the public, and those that violate specific terms of an administrative order, judicial order, or
consent agreement, may not be eligible. While at first blush it might appear that this exception could
164
Cooperation
Finally, the healthcare facility disclosing the violation must cooperate with the EPA in investigating and remediating the environmental issue.
If a disclosing entity meets all of the above-referenced policy conditions except detection of the
violation through a systematic discovery process, then gravity-based penalties are reduced by 75%.
In other words, a complete reduction of gravity-based penalties is only available if the discovery was
part of an environmental audit or environmental management system. Likewise, the Agency will not
recommend criminal prosecution of a healthcare facility that has disclosed violations if all policy
conditions are met. However, for the organization to enjoy this benefit, the discovery of the violation
must have resulted from the adoption of an environmental management system or auditing process and
must have been discovered in good faith.
In general, the EPA will not request copies of audit reports, although it may request documentation
evidencing a facilitys compliance with the management system. There is also a modified audit policy
that applies to small businesses with fewer than 100 employees, and that provides longer periods of
time within which to make disclosures.
10.3.10
Inspections
If an EPA inspector knocks on a facilitys door, the organization must be prepared to deal with
that inspection to avoid substantial civil and even criminal penalties. Inspectors are authorized to
enter a facility to conduct an inspection to determine if a healthcare organization is complying with
all relevant environmental laws. The inspection usually involves an opening conference, a review of
records, interviews, a tour of the facility, and a closing conference. The inspection may also involve
taking samples of discharges, the copying of records, and the photographing of portions of the facility.
If violations are found, a written notification will be sent explaining the violations and Agency recommendations for correction.
The inspection will usually not be pre-arranged and will often be multi-faceted, relating to a
variety of environmental laws, including air, water, and waste. There may be one or more inspectors,
all of whom should be required to provide their name, identify their affiliation agency, and produce an
official, photographic identification card.
The opening conference may be a formal meeting, a brief discussion, or a plan for inspection. The
inspector may ask about facility operations, facility layout and processes, and management structure,
and will identify which records he or she will want to review. The environmental records (e.g., emissions data, hazardous and non-hazardous waste manifests, landfill receipts, clean air permits, NPDES
permits, etc.) should be organized and kept readily accessible. Inspectors will be looking for past
records of up to three to five years old. A chart depicting document retention requirements for healthcare facilities is included at the end of this chapter. It is likely that inspectors will request copies of the
Enterprise Risk Management for Healthcare Entities, First Edition
165
166
The Significance for In-House Counsel, the Governing Board, and Executive
Leadership
A responsible healthcare organization must take appropriate steps to manage the risks associated
with environmental non-compliance. A failure to properly manage environmental concerns may lead
to contamination of land, air, or water; personal injury; civil or criminal penalties or proceedings; private lawsuits; and/or bad publicity. Clearly, the affected stakeholders include not only those within the
organization itself, but also those in the surrounding community, governmental agencies and entities,
and the natural environment. The potential risks may be quantifiable in the form of fines, penalties,
or loss of market share, or they may be non-quantifiable, such as hard-to-remediate environmental
degradation, physical injury to people or wildlife, or simply a loss of reputation or standing in the
community.
To manage these risks, healthcare organizations should focus their attention on regulatory compliance (i.e., loss prevention), since strict compliance not only minimizes the possibility that the
organization will be assessed fines or other penalties, it also generally provides a degree of assurance
that the organization will not create or contribute to environmental degradation. Due to the complexity
of environmental laws and regulations, which include state and local rules in addition to the federal
rules discussed in this chapter, in-house counsel and other members of the organizations leadership
team must commit to the creation and adoption of a systematic environmental plan so that nothing is
left to chance.
167
To manage the risk associated with potential environmental contamination and regulatory noncompliance, a healthcare organization should utilize the expertise of environmental professionals to
conduct an assessment of the organizations legal duties and responsibilities, as well as its areas of
vulnerability, and to develop a comprehensive system of protocols to ensure compliance and thereby
minimize risk. Such an assessment can then be used to develop an Environmental Management System
(EMS), which will identify and rank the organizations institutional objectives and most significant
environmental issues, and formulate a system to utilize records to track compliance, indentify of problems, and implement solutions. Although the EPA maintains a webpage with a how-to guide and
links for information that can be useful in developing an EMS,11 creation of an EMS without professional assistance can engender a false sense of security, and the notion of a do-it-yourself plan should
be viewed with great skepticism by an organization committed to the responsible management of risk.
Nevertheless, it is important for those responsible for managing an organizations environmental risk
to understand and recognize the components of a well-designed plan.
As the Environmental Protection Act explains, an EMS plan should be based on what it terms the
Plan, Do, Check, Act model. The Plan aspect of the model is self-explanatory, denoting the planning
phase in which an organization identifies its environmental responsibilities and vulnerabilities, and formulates its goals. The Do aspect of the EMS model involves implementation of the goals identified in the
planning stage. The models Check component refers to ongoing monitoring and corrective action, and
the Act component acknowledges the need to continually review, modify, and update the EMS plan.
The foundation of a good EMS plan will rest upon the development of a matrix of environmental
legal requirements, incorporating those imposed by the CAA, CWA, RCRA EPCRA, FIFRA, and
TSCA, as well as any relevant state or local laws and regulations. An EMS plan should also incorporate the organizations aspirational goals, such as increasing recycling and reducing waste. The matrix
should be updated regularly and should include a written procedure that describes the method that will
be used to stay current on changing regulations, the method to be used for measuring institutional performance against the matrix, and the procedures to be used for tracking problems with non-compliance
to ensure proper follow-up. It should create mandatory checklists that must be completed, and should
specify that the plan is to be audited annually, at which time the auditor(s) will assess whether problems that have been identified were corrected in a timely fashion.
An EMS plans written procedures should require the reporting of violations when mandated by
law and should create a list of performance-based objectives, such as maintaining compliance with
all applicable environmental regulations and submitting all necessary paperwork on time. It should
require the continual updating of objectives and targets and should specify a procedure for communicating updates to staff. It should require the development of written emergency response procedures
that are to be tested annually and updated where accidents reveal a problem with existing procedures.
As previously noted, record-keeping is the key element in an effective environmental compliance
program, therefore, it is important that here, too, records of all tests conducted, and any changes implemented, be carefully maintained.
http://www.epa.gov/ems/info/index.htm.
11
168
articulates the organizations legal duties and responsibilities under federal, state, and local
law?
A plan that meets these objectives, and has been developed with the help of a knowledgeable
environmental professional, offers a systematic way for an organization to evaluate and manage its
environmental risks and, as noted above, may provide an additional benefit by mitigating penalties if
regulators find a violation.
169
Commentary
Environmental risks should be evaluated in the context of the entire organization, recognizing
the potential interplay with occupational risk, the risk that may arise from contracts with third
parties, and other exposures.
Given the far-reaching implications of environmental impairment, environmental risk assessments should be part of the due diligence required in any acquisition or consolidation of
healthcare organizations.
Underground storage tanks, aboveground storage tanks, asbestos removal, and removal of
hazardous waste (particularly via onsite medical waste incinerators) have presented the most
time-consuming issues from the healthcare enterprise risk management perspective. The
issues involve not only loss prevention and reduction but the possibility of handling the
exposures (risk financing) through environmental impairment liability insurance or through
contracting (risk transfer) with third parties (such as hazardous waste removal companies) to
assume the risk of exposure.
Note that commercial general liability polices have excluded coverage for contamination
and pollution except when sudden and accidental. And, while there are some specialty lines
insurers who provide environmental impairment liability coverage (including clean-up costs),
the best approach to dealing with such exposures is to develop good loss prevention programs
(compliance programs) as outlined above.
10.7
Conclusion
Both regulatory non-compliance and environmental contamination can present grave risks to a
healthcare organization, and can give rise to repercussions that may include: the imposition of substantial fines; the creation of unsafe conditions for employees, patients, and the neighboring community;
the initiation of lawsuits; the generation of poor publicity; and loss of business.
As with most risks, the key to success lies in taking an aggressive, proactive approach, including
the periodic assessment of the organizations areas of vulnerability. Notwithstanding the complexity
of environmental regulation and the dangers of regulatory non-compliance, and the substantial risk
of environmental contamination that is inherent in the industry, a healthcare organization that establishes and implements detailed protocols, maintains a commitment to meticulous record-keeping, and
engages in an ongoing self-audit process can effectively manage its environmental risk.
170
Appendix
Recordkeeping Requirements for Many of the Relevant
Environmental Regulations Discussed In Chapter12
REGULATION
40 CFR 60.7
40 CFR 70.6
SUBJECT
MATTER
Air - New Source
Performance
Standards
(NSPS)
Air - Title V
permits
TYPES OF RECORDS
RETENTION
PERIOD
Records documenting: start-up, shut- 2 years
down, or malfunction of pollution control equipment; periods when continuous
monitoring systems or devices have been
inoperative; performance testing measurements; continuous monitoring system
performance evaluations and calibration
checks; emissions records and reports;
maintenance of equipment
Records required by the operating permit; 5 years
records documenting date, location, and
time of sampling or measurements and
operating conditions at time of sampling;
records identifying the entity performing the analysis, the method or analytical
techniques used in performing the analysis, the date analysis was performed, and
the results of the analysis.
Requirements can change over time, so practitioners are cautioned to periodically review the relevant regulations for
changes.
12
171
REGULATION
40 CFR 82.166
SUBJECT
MATTER
Air - Ozonedepleting Class
I and Class II
Refrigerants
TYPES OF RECORDS
RETENTION
PERIOD
As to appliances containing 50+ pounds 3 years
of refrigerant: servicing records showing
service dates, type of service performed
and quantity of any refrigerants added.
Owners that add their own refrigerant
must keep dated records of refrigerant
purchased and added.
Certified technicians must keep cop-
40 CFR 82.166
29 CFR
1910.1001
172
REGULATION
40 CFR 61.150
SUBJECT
TYPES OF RECORDS
RETENTION
MATTER
PERIOD
Asbestos - Waste Shipment records concerning all asbes- 2 years
disposal for
tos-containing waste material transported
demolition and off site, with records to include:
renovations
Name, address, and telephone number of
the waste generator
Name and address of local, state or EPA
Regional office responsible for administering the asbestos NESHAP program
Approximate quantity in cubic yards
Name and telephone number of the disposal site operator
Name & physical location of the disposal site
Date transported
Name, address and phone of transporter
40 CFR
262.20(e)
Hazardous
Waste (Small
Quantity
Generators)
Certification that contents being transported are fully and accurately described
by proper shipping name and classified,
packed, marked and labeled, and are in
proper condition for transport by highway per international and governmental
regulations.
Copies of reclamation agreements.
3 years after
termination or
expiration of the
agreement
173
REGULATION
SUBJECT
MATTER
40 CFR 262.40(a) Hazardous
40 CFR 262.44(a) Waste
TYPES OF RECORDS
Manifests.
Exception reports.
RETENTION
PERIOD
3 years from
date waste was
accepted by initial
transporter
3 years from date
waste was sent to
on-site or off-site
treatment, storage,
or disposal facility
(TSDF)
3 years from the
due date of the
report
3 years after
facility ceases
using or storing
PCBs
40 CFR 761.180 PCBs Annual Facilities that use or store PCBs: annual
records/log
records and annual log of disposition of
PCBs and PCB items, including all manifests generated or received by the facility;
Certificates of Disposal received by the
facility; inspection and cleanup records;
annual logs that provide all information
required under the regulations.
40 CFR 60.58c Medical Waste Records for emission control equipment 5 years
HMIWI records that identify data gaps in the recording
of emissions data or operating parameters, an explanation for the event, and
steps taken to correct the problem. Must
also identify dates, times, and duration
of malfunctions, the type of corrective
action taken, and dates when emissions or
operating parameters exceeded relevant
limits, as well as results of compliance
testing (initial and annual). Training and
qualification records also required.
174
REGULATION
SUBJECT
MATTER
40 CFR 171.11(c) Pesticides Certified RUP
7 USC 110
applicators
7 USC 136i-1
40 CFR 372.10
40 CFR 372.22
40 CFR 372.25
40 CFR 704.11
40 CFR 280.34
TYPES OF RECORDS
RETENTION
PERIOD
RUP records identifying names and 2 years
addresses of those for whom pesticides
were applied; pests targeted; date, time
and site of application; specific crop or
commodity; brand name; EPA registration number; amount of pesticide applied;
concentration of active ingredients; treatment area size; name and certification
number of person applying or supervising the application; and detailed information concerning pesticide disposal
(type, amount, method, and location of
disposal).
Toxic chemical Toxic chemical release forms and all sup- 3 years (5 years
release (Section porting documentation (including exemp- recommended, to
313 SARA Title tions, calculations, monitoring, testing, match the statute
III)
releases, receipts or manifests, estimates of limitations for
of treatment efficiencies, ranges of influ- EPCRA)
ent concentration to the treatment, the
sequential nature of treatment steps, and
actual operating data to support the treatment efficiency estimate for each toxic
chemical).
USTs - General Records of corrosion experts analysis of Through closure
records
site corrosion potential if no corrosion of the UST and 3
protection equipment is used; opera- years thereafter
tion of corrosion protection equipment;
UST system repairs, recent compliance
with release detection requirements; and
results of site investigation conducted at
permanent closure
175
REGULATION
40 CFR 280.45
SUBJECT
MATTER
USTs - Release
detection
TYPES OF RECORDS
RETENTION
PERIOD
Records documenting all written perfor- Performance
mance claims concerning release detec- claims: 5 years
tion systems and justification or testing
Tests (other than
provided by manufacturer or installer;
results of sampling, testing, or monitor- tank tightness): 1
ing; reports of all calibration, mainte- year;
nance, and repair of on-site release detec- Tank tightness:
tion equipment; manufacturers schedules retain until the next
of required calibration and maintenance. test is done
Maintenance: 1
year
Schedules:5 years
40 CFR 280.74 USTs - Closure Closure compliance records must be 3 years
maintained by owners and operators who post- closure
took UST system out of service, or by
current owners and operators of UST system site. May be mailed to implementing
agency if records cannot be maintained at
the closed facility.
40 CFR 280.111 USTs - Financial Evidence of financial assurance mecha- Until closure, or
responsibility
nisms used to demonstrate financial after corrective
responsibility- to be maintained at UST action is completed
site or operators place of work.
Hazard
29 CFR
Material safety date sheets; inventory of MSDS must be
Communication hazardous chemicals; container product kept as long as the
1910.1200(g)
Standard
warning labels; written employee train- chemical is used at
ing policies.
the location
176
REGULATION
29 CFR
1910.1020
40 CFR 112.3
SUBJECT
MATTER
Hazard
Communication
Standard
- Employee
exposure and
monitoring
records
Wastewater Spill Prevention,
TYPES OF RECORDS
RETENTION
PERIOD
Records of employee exposure and 30 years
monitoring, including medical surveillance information and efforts at exposure
reduction. Employees have legal right of
access to records, including after separation from employment.
Throughout facility
lifetime
3 years
3 years
5 years
3 years
177
Part IV
Human Capital
11
Minimizing Risk in the Employment Relationship
Deborah Martin Norcross, Esq.
MartinNorcross LLC
11.1
Introduction
Not that long ago, there was little need for enterprise risk management professionals to be educated about, or involved in, the human resources function. Unhappy employees did not file many
claims. When they did file, their disputes typically were investigated under a few federal laws by
administrative agencies rather than in the courts. Jury trials were not available for the most part, and
large awards were rare.
That landscape has changed dramatically. New and expanded employee rights laws have proliferated on the federal, state, and local levels. Employment disputes have become common in both federal
and state courts, often requiring lengthy and expensive discovery and motion practice. Defense costs
often exceed $100,000 for even the most uncomplicated individual case. Jury trials are routine, and
recovery of substantial awards, including punitive damages, by successful plaintiff-employees is common. Accordingly, the enterprise risk management professional cannot afford to leave to others the
responsibility of managing the risks attendant to the employment relationship.
The following discussion will be a useful guide for healthcare attorneys to understanding how
organizations assess and deal with their employment liability risks from an enterprise risk management perspective.
11.2
A complete description of the laws governing the employment relationship is beyond the scope
of this discussion. Federal laws that apply to most employers include: Title VII of the Civil Rights
Act of 1964 (prohibiting discrimination because of race, color, religion, sex, and national origin); the
Age Discrimination in Employment Act (prohibiting discrimination against employees who are 40 or
over); the Americans with Disabilities Act (prohibiting discrimination against qualified persons with
disabilities); the Family and Medical Leave Act (providing eligible employees with the right to unpaid
leaves of absence to care for a newborn or adopted child, certain family members, or the employees
own serious health condition); the Uniformed Services Employment and Reemployment Act (providing a broad array of protections for members of the military services); the National Labor Relations
Act (offering protections to employees engaged in union activities); the Fair Labor Standards Act
Enterprise Risk Management for Healthcare Entities, First Edition
181
Know what laws regulate employers in the organizations state and city. This information can be obtained from many sources, including the Human Resources department,
employment law counsel, the local department of labor or EEOC office, or from various trade
associations. If the organization utilizes outside employment counsel or consultants, ask them
to provide this information; most will do so without charge.
Know which laws apply to the organization. Most laws apply only to employers with
minimum numbers of employees; the number varies by statute and also may vary by how
employee is defined. Some laws exempt certain types of businesses, most often certain religious entities.
Know how to determine which employees are covered. Even if the organization is subject to a statute, all of its employees may not be covered. Sometimes a statute protects only
employees who have worked for an organization for a minimum length of time or who have
worked a minimum number of hours over a given period.
11.3
Employment law obligations arise even before an individual is hired and can continue long after
an employee leaves the organization. Enterprise risk management principles encourage the risk management professional to work closely with Human Resources to set best practices and then provide an
auditing function on either a regular or spot-check basis. To do this effectively, an organization must be
familiar with the specific risks attendant to each stage of the employment relationship and how to avoid
them. The following are practical suggestions for managing these stages and their attendant risks:
182
11.3.1
11.3.1.1
Job Descriptions
Make sure there is a written job description for each position in the organization. At a minimum,
job descriptions should include: (1) the positions duties and responsibilities, differentiating between
essential and non-essential functions; (2) the pay range for the position; and (3)the minimum criteria
(education, experience, etc.) necessary for the position. Care must be taken not to impose criteria that
are not necessary for successful performance of the positions duties.
11.3.1.2
Applications
Every applicant should be required to complete and sign an employment application. Application
forms should be reviewed to be sure that they are non-discriminatory, both on their face and in their
impact. For example, an application not only should refrain from asking for an applicants age but also
should not request information that would reveal age, such when the applicant graduated from high
school. Applications should recite the organizations employment-at-will and drug testing (if applicable) policies, and should contain release languageimmediately above the applicants signature
linepermitting background and reference checks and releasing the organization from liability.
11.3.1.3
Recruiting Sources
Employers can face discrimination claims and lawsuits if they fail to include all protected categories (members of minority groups, women, persons with disabilities, etc.) in their recruiting efforts,
no matter how inadvertently. Make sure the organization provides information about job openings to
organizations that serve minorities, women, and persons with disabilities, and communicates its nondiscriminatory hiring policies clearly and regularly.
11.3.1.4
Interviews
Untrained interviewers create enormous risks. Using an enterprise risk management approach, the
Human Resources department ensures that anyone with interviewing responsibilities knows whatand
what notto ask. A written list of interview questions or topics that is reviewed before the interview
can go a long way toward minimizing the risk attendant to the interview process.
11.3.1.5
Many organizations request references from applicants, but then do not check them. To the extent
permitted in the state where the organization is located, obtain the applicants consent (see Section
11.3.1.2, Applications, above) and check all references. Under some state laws, both requesting and
responding employers are protected from lawsuits based on reference requests. A healthcare organization also should consider conducting (or retaining an outside firm to conduct) a criminal background
check. Keep in mind, however, that an organization can refuse to hire an applicant only if a criminal
background check reveals a conviction (contrasted with an arrest that did not result in conviction) that
is job-related.
Enterprise Risk Management for Healthcare Entities, First Edition
183
Restrictive Covenants
Make sure applicants are asked to identify any restrictions they may have (such as non-compete,
non-solicitation, or similar agreements) with a prior employer. It is not uncommon for hiring employers to be sued for facilitating an employees violation of a pre-existing restrictive covenant.
11.3.2
11.3.2.1
New employees should be given a general orientation into the organizations policies and procedures, especially its problem resolution programs. Provide employees with copies of any existing
employee handbooks, codes of conduct, etc. Make sure the organization obtains a written, signed
receipt from employees acknowledging receipt of whatever has been provided to them and keeps
a sign-in sheet for all training sessions. If the organization makes policies and procedures available
only on an intranet, require employees to sign a statement acknowledging that they understand how
to access those policies and procedures. These suggestions are designed to prevent an employee from
later claiming that he or she was unaware of the policies and procedures.
11.3.2.2
Supervision
Employees with extraordinary technical skills or professional capabilities are not necessarily adept
at managing people. This often-ignored fact has led many employers to the courtroom. Organizations
that employ enterprise risk management principles should provide management training to all new
supervisors and managers. Consider establishing short-term mentoring relationships by pairing a new
supervisor or manager with a respected, experienced managerial veteran to provide support and catch/
correct problems early. Managerial performance should be evaluated as a critical component of every
supervisors performance evaluation.
11.3.2.3
Performance Evaluations
Every organization should evaluate every employees performance on some regular basis, most
typically once a year. Make sure the organization not only promises regular performance appraisals in
its policies but also actually ensures that they are done. Regularly conducted reviews force employees
and supervisors to communicate and can help identify potential problem areas and allow for early
intervention and correction. Additionally, regular performance evaluations can be invaluable when
defending against employment-related claims and in making difficult decisions when implementing
reductions in staff.
11.3.2.4
There is a complex interrelationship among state workers compensation laws, federal and state
mandated leaves of absence programs, and the American with Disabilities Act and its state counterparts. All aspects of this relationship must be analyzed whenever a workplace injury causes a serious
condition that may (or may not) qualify as a protected disability. Workers compensation claims must
184
Complaint Procedures
Every organization must have a procedure through which employees can raise complaints and
concerns, especially relating to matters such as perceived harassment (sexual or otherwise) or suspicions of other unlawful activity. In addition to the organization having such a policy in place, it
must also provide adequate safeguards to protect a reporting employee from any sort of retribution.
Although complaints should be handled as discretely as possible, a reporting employee cannot be
promised absolute confidentiality, which might impede a thorough investigation. Similarly, once a
complaint is received, it cannot be ignored even if the reporting employee asks that no action be
taken. Once a report is received, the organization is on notice that a potential problem exists. Failure
to act under those circumstances can create strict liability, severely limiting the organizations defense
options in the event of legal action.
185
Many reasons are offered for the current shortage of both physicians and trained nursesburnout,
medical school admission caps, shrinking reimbursement rates, insurance company demands, concerns over being sued, and even changing generational lifestyle expectations. Whatever the causes, it
cannot be escaped that the supply of trained professional staff is limited.
Long-term solutions to the problem will be multi-faceted, and likely will be highly influenced by
both legislative and political developments. In the shorter term, however, organizations can best meet
this crisis by, first and foremost, doing what it can to attract and retain quality professional staff. This
can include, for example, replacing autocratic top-down leadership with more participatory practices;
providing better continuing education support; offering mini-sabbatical or other lifestyle enhancing
programs; and ensuring that its professionals know, through regular internal and community-wide
communication vehicles, that both they and their input are recognized and valued. Organizations that
build reputations for being both supportive and collaborative not only have a better chance of retaining
professional staff but also in making their organizations more attractive from a recruiting standpoint.
11.3.4
Deciding to terminate an employee is perhaps the most difficult of all employer-employee interactions. It certainly is the stage of the employment relationship that most often leads to lawsuits. Proper
preparation, including adopting and following the practices and procedures described earlier in this
discussion, can minimize both the stress inherent in the termination process as well as the organizations exposure to costly and time-consuming litigation.
The two most common situations that lead to involuntary dismissals are the individual discharge
and the elimination of a position or positions.
11.3.4.1
Individual Terminations
Before discharging an employee, the organization should make certain that: (1) its policies and
procedures have been followed; (2) the steps taken before the decision to terminate was made are
properly documented; and (3) the decision to terminate this employee is consistent with the manner
in which the organization has treated other similarly situated employees. If the employee is a party to
an employment contract with the organization, it is important to make certain that the organizations
actions are consistent with the terms of the contract.
11.3.4.2
Reductions-in-Force
A reduction-in-force generally occurs when the number of employees in the employers overall
workforce (or within a work unit) is reduced to a lower number. It also can occur through the elimination of a specific position, function, or title. Any organization contemplating a workforce reduction
should consult with an employment lawyer who is familiar with the laws and regulations in the organizations industry and geographic location. The following process can help prepare for that consultation
and minimize legal exposure after a reduction:
186
Decide which positions (not which individuals) will be affected by the reduction.
Decide how many employees (again, not yet which individuals) within each position to
eliminate.
Evaluate selections to be certain no problematic patterns emerge and investigate any areas of
concern. It can be useful to have an objective committee review all selections as part of this
process.
11.3.4.3
Separation Agreements
Employees must be given adequate time to consider signing the agreement. Employees who
are age 40 and over must receive at least 21 days in an individual discharge; 45 days in a
group termination or reduction-in-force. Employees who are under 40 must receive only a
reasonable period of time to consider and sign the agreement.
Employees must be advised, in writing, of their right to consult with an attorney before
signing.
Employees who are age 40 and over are entitled to revoke the agreement for seven days after
they sign it. Younger employees have no revocation rights.
11.4
Employment lawsuits can be, and are, filed in both federal and state courts. No matter where they
are filed, employment cases often assert both federal law and state law claims. If an organization is
served with a complaint, it likely goes without saying that employment counsel should be contacted
without delay. If the organization maintains commercial employment practices liability insurance, the
carrier should be notified immediately. If, on the other hand, the organization insures this risk through
its own risk financing mechanism, appropriate individuals within the organization should be advised.
Enterprise Risk Management for Healthcare Entities, First Edition
187
Intake
To initiate a charge, the employee is required to complete an intake form, describing the acts the
employee contends constitute unlawful discrimination. Intake can be, and usually is, undertaken without a lawyer. Agency personnel assist employees in completing the charge forms and in articulating
their complaint.
11.4.2
A charge of discrimination is prepared by the EEOC and mailed to the employer. The employer
will be asked to submit a statement of its position in response to the allegations contained in the charge.
The employer may also be asked to provide specified data. The EEOC will set a deadline by which the
employer must respond. These documents may be sent to human resources, the employees supervisor,
the risk management department, or to some other department, depending on what information the
employee has provided to the EEOC. It is important that whoever receives the initial communication
make certain it gets to the individual with responsibility for responding without delay.
11.4.3
The EEOC investigation may go on for a while. The EEOC may ask for additional documents and
may seek to conduct interviews. The agency has the authority to conduct fact-finding conferences but
rarely exercises that authority. When it completes its investigation, the EEOC will issue a determination, holding either that there is no cause to believe discrimination occurred, or that there is cause.
188
A no-cause determination ends the matter at the EEOC level. With the no-cause determination, the EEOC also will issue a Notice of Right to Sue. The employee has 90 days following
receipt of the Notice of Right to Sue to file a complaint in civil court.
If the EEOC finds cause, it will initiate a conciliation. Essentially, the EEOC will try to get
the employee and the employer to come to an agreed upon resolution. While the conciliation
process is similar to a settlement negotiation, unlike most settlements, conciliated resolutions
are not confidential. If conciliation fails, the EEOC either will file a civil action on behalf of
the employee or issue a Notice of Right to Sue permitting the employee to file suit on his or
her own behalf. The EEOC does not have the authority to order an employer to pay any sum
or take any action. Some state and local agencies do have the authority to conduct public
Enterprise Risk Management for Healthcare Entities, First Edition
Commentary
Managing exposure to the panoply of employment laws and regulations can only begin
with a comprehensive understanding of what mandates apply to the organization. There are
multiple sources from which this information can be obtained, including internal human
resources and risk management personnel, in-house or outside labor counsel, and various
trade associations.
Healthcare lawyers need to appreciate that the consequence of non-compliance, no matter how
inadvertent, can be significant. Employment lawsuits are costly to defend, require substantial
investments of time by leadership personnel and co-workers, can be lead to large awards of
both compensatory and punitive damages, and can damage the organizations reputation,
making it more difficult to attract high-quality professionals in an already critical recruiting
environment.
Organizations need to facilitate frequent and open collaboration among its various departments regarding all phases of the employment relationship. The turf wars of the past, such as
those that sometimes occurred between human resources and risk management, or between
risk and the legal department, must be excised. Employment law exposure today is multifaceted; minimizing its risk can only be done effectively when all members of the leadership
team meet the Three Cs: Communicate, Consult, and Collaborate.
Healthcare lawyers also can assist their organizations by exploring litigation-avoidance techniques. The regular use of employment and separation agreements can minimize the number
and scope of employment lawsuits. Implementing alternative dispute resolution procedures,
such as internal appeal processes, mediation, arbitration, etc., also can be extremely useful.
11.6
Conclusion
This discussion obviously has not been able to cover every employment-related risk management
challenge faced by healthcare organizations. It should, however, provide a useful starting place and a
practical guide for managing an organizations employment practices risks. Enterprise risk management
experience shows that these risks can be significantly minimized when all related professionalsrisk
management, human resources, senior operational management, and legal counsel (whether in-house
or outside)make reduction of employment-related loss prevention a priority and work collaboratively to achieve that goal.
189
12
What to Expect and What to Do When OSHA
Comes Knocking
Steven O. Grubbs, Esq.
Amanda J. Flanagan, Esq.
Sheehy, Ware & Pappas, P.C.
12.1
Introduction
Congress enacted the Occupational Safety and Health Act of 1970 (the Act) after recognizing the
need for comprehensive job safety and health legislation. Not only were there a startling number of
work related injuries and deaths, but the injuries and illnesses arising in the workplace substantially
hindered interstate commerce because of lost production, lost wages, medical expenses, and disability
compensation payments. Currently, an estimated 6 million workplaces and 90 million employees from
every state, the District of Columbia, Puerto Rico, and all American territories are covered by the
Act. However, the Act does not apply to working conditions of employees over whom other state and
federal agencies exercise statutory authority to prescribe or enforce standard or regulations affecting
occupation safety or health.
The Acts primary purpose is to assure so far as possible every working man and woman in the
Nation safe and healthful working conditions and to preserve our human resources.1 In order to achieve
that purpose, the Department of Labor created the Occupational Health and Safety Administration
(OSHA). It is OSHAs responsibility to ensure that each employer keep its place of employment free of
recognized hazards that are likely to cause death or serious harm. In order to accomplish this purpose,
OSHA may conduct unannounced inspections, issue citations for violations, and assess monetary penalties ranging from $1 to $70,000 per violation. OSHA has recently made headlines for multimillion
dollar fines given to the most egregious of violators. In addition to monetary fines, the United States
Justice Department recently joined forces with OSHA to provide for criminal prosecution of the most
flagrant workplace safety violators.2 In assessing penalties, OSHA will consider the good faith of the
employer, the gravity of the violation, the employers past history of compliance, and the size of the
employer. In addition, the immediate consequence of receiving a monetary or criminal penalty, OSHA
citations may also affect future litigation arising from the workplace accident or death.
1
2
191
12.2.1
OHSA Standards
While explanation of the several thousand standards applicable to the healthcare industry exceeds
the scope of this chapter, a brief discussion of key OSHA standards may be useful. An employer must
comply with specific occupational safety and health standards promulgated under the Act. OSHA
standards are grouped under four broad industry categories: General Industry, Construction, Maritime
and Longshoring, and Agricultural. An employer must comply with the specific standards that apply
to its place of employment for which it has employees exposed to the hazard. OSHA has the burden
to prove by a preponderance of the evidence that the standard applies, that the employer was out of
compliance, and that there were employees exposed to the hazard. OSHA standards have been drafted
for literal compliance, and employers are expected to comply with them in every detail regardless of
an employers use of its own safety methods4 or an employees substantial experience.5 Further, an
employer must protect its employees even when they are in the process of abating a hazard.6
In addition to the responsibility to comply with specific standards, section 5(a)(1) of the Act
guards against hazards where no specific standard applies. Employers have a general duty to provide
a place of employment that is free of recognized hazards (the so-called general duty clause). This
works as a catchall provision. If an employee is injured, but there is no applicable specific standard,
OSHA may complain that the employer failed to provide a workplace free from recognized hazards.
Section 5(a)(1) is improper where a specific standard is appropriate. To prove a violation of section5(a)(1), OSHA must establish that the employer failed to render its workplace free of a hazard
that was recognized by the employer or its industry, and that was causing or likely to cause death or
serious physical harm. In addition, OSHA must demonstrate the feasibility and likely utility of spe OSHA Targeted Inspection Plan for 2005, at p. 12, August 9, 2005, http://www.osha.gov/pls/oshaweb/owadisp.
show_document?p_table=NEWS_RELEASES&p_id=11530.
4
Sierra Constr. Corp., 6 OSHC 1278, 1978 OSHD 22,506,
5
Cornell & Co., 5 OSHC 1018, 197677 OSHD 21,532,
6
H.S. Holtze Constr. Co., 7 OSHC 1773, 1979 OSHD 23,925, affirmed in part, reversed in part, H.S. Holtze Constr. Co.
v. Marshall, 627 F. 2d 149 (8th Cir. 1980).
3
192
OSHA maintains a list of the most frequently cited OSHA standards in the healthcare industry.9
This list may be found at www.osha.gov. Many healthcare employers are surprised to see that most of
the standards cited are not really healthcare related but are relevant to all industries. Medical services
and first aid, for instance, ranked only ninth on the list, behind wiring methods, lock out-tag out, and
exit routes.10 The following discussion will begin by highlighting the three most widely cited violations in the healthcare industry
12.2.2.1
Bloodborne Pathogens
The OSHA Bloodborne Pathogen Standard is the most frequently cited standard in healthcare.11
This requires employers to protect employees from exposure to blood or other potentially infectious
materials that may contain bloodborne pathogens.12 There are many bloodborne pathogens, but the
main infections that pose the greatest risk to workers are the human immunodeficiency virus (HIV),
Hepatitis B virus (HBV), and Hepatitis C virus (HCV). The Bloodborne Pathogens Standard applies
to employers who have employees with occupational exposure to blood or other potentially infectious
materials, even if no actual exposure incidents have occurred.13 In 2001, OSHA added an additional
requirement regarding the protection of employees from needlesticks. Every healthcare employer is
required use engineering and work practice controls to eliminate or minimize employee exposure to
bloodborne pathogens. Further, healthcare employers are mandated to keep a sharps injury log for
the recording of percutaneous injuries from contaminated sharps. Finally, healthcare employers are
required to adopt an exposure control plan.14
The exposure control plan requires the healthcare employer to adopt technology that eliminates or
reduces exposure to bloodborne pathogens.15 For instance, the plan must reference how the employees have been trained in self sheathing needles, and where to dispose of the sharps.16 Next, the plan
requires employees to document annually and implement appropriate commercially available and
effective safer medical devices designed to eliminate or minimize occupational exposure.17 Finally,
in the identification, evaluation, and selection of effective engineering and work practice controls, the
plan must have a requirement to solicit input from non-managerial employees responsible for direct
Titanium Metals Corp. of America v. Usery, 579 F. 2d 536, 542 (9th Cir. 1978).
Id.
9
http://www.osha.gov/pls/imis/citedstandard.sic?p_esize=&p_state=FEFederal&p_sic=80.
10
Id.
11
Id.
12
29 CFR 1910.1030.
13
Id.
14
Id.
15
Id.
16
Id.
17
Id.
7
8
193
20
21
22
23
18
19
Id.
Id.
http://www.osha.gov/pls/imis/citedstandard.sic?p_esize=&p_state=FEFederal&p_sic=80.
29 CFR 1910.1200.
Id.
Id.
194
Under the Act, OSHA is authorized to conduct workplace inspections and investigations to determine whether employers are complying with standards issued by the agency for a safe and healthful
workplace.26 Workplace investigations and inspections are conducted by OSHA compliance officers.
These officers do not typically provide an advance warning of the investigation/inspection. Rather,
their typical modus operandi is to simply arrive unannounced. An OSHA inspection is usually triggered by one of a several events, discussed in the following sections.
12.2.3.1
Targeted Inspection
26
27
24
25
29 CFR 1904.29.
Id.
OSH Act Sec. 8
29 CFR 1910.1030.
195
196
12.2.4
In general, OSHA relies on the element of surprise and does not give advance warning of an
inspection. In fact, OSHA is authorized to issue criminal penalties to anyone who gives an employer
advance notice of an inspection.33 An astute risk manager will act prospectively to make preparations
ahead of time for what to do in the event that a compliance officer arrives.
12.2.4.1
OSHA Posters
The first preparation to be made is to order the official employee rights poster from OSHAs website (DOL Poster PackageID# 5049) and post it in areas where nurses and other healthcare workers
congregate.34 If the medical center has a high number of employees who, for example, speak and/or
read Spanish to the exclusion of English, it would be advisable to order the Spanish version as well
(DOL Poster PackageID# 5052). Although it may sound ridiculous, healthcare employers have been
cited for failing to post the required posters.
12.2.4.2 Company OSH Officer and Action Plan
The next preparation item is to establish a healthcare facility Occupational Safety and Health
Officer (the Facility OSH Officer), and implement an Action Plan for execution when an inspection
occurs. Many times this officer is the General Counsel or outside attorney. The responsibilities of the
Facility OSH Officer are to assure that the Action Plan is carried out in the event of an inspection. He
or she should preemptively determine which standards and regulations apply to the healthcare facility,
and make sure all required written programs are up to date.
12.2.4.3 Updated OSHA Policies
There are a few programs that OSHA requires for almost every facility, including hazard communication, lock-out-tag-out, and fall protection.35 For the healthcare industry, several policies are
also on the short list of must-haves, including but not limited to bloodborne pathogens and needle
stick prevention, as noted above.36 Because OSHA will likely request a copy of those policies and seek
assurances that employees are trained in them, healthcare employers need to be sure their policies
are up-to-date with OSHAs requirements and that those policies are appropriately communicated to
employees.
12.2.4.4 Housekeeping
It is also a good idea for employers to do some housekeeping. If there are activities at the worksite
that regularly create an impression of disarray, extra time should be taken to make sure those areas
are clean and orderly if an OSHA visit is anticipated. For instance, if there is a janitorial closet that
OSH Act Sec. 17(f) authorizes up to $1,000 penalty and up to six months imprisonment, or both, for giving advance
notice of an inspection.
34
Look for the posters that apply to your business at http://www.osha.gov/pls/publications/pubindex.list#posters1.
See generally 29 CFR 1910 and 29 CFR 1926.
35
See generally 29 CFR 1910 and 29 CFR 1926.
36
Id.
33
197
198
43
44
45
46
41
42
45 CFR 164.512(a).
See 29 CFR 1904.29(b)(6)(10)
See id. at 1904.29(b)(7)(9).
See id at 1904.29(b)(6).
See id at 1904.29(b)(9).
See id.
199
The first visit to the place of employment by the OSHA compliance officer is a fact-finding mission. At this stage, OSHA typically knows very little about the situation and is only there to do a
big-picture investigation called a walk around. An employer and any employee representative have
the right to accompany an OSHA representative on his walk around.48 The corporate attorney should
accompany the OSHA compliance officer at all times. If an employee complaint is the reason for the
inspection, the healthcare employer will be given a copy of the employee complaint with the name of
the complainant redacted.
OSHA may or may not provide a warrant for this inspection. OSHA is allowed to seek an ex parte
(without notifying you) warrant to inspect your facility, without having any probable cause that a violation of the act was committed.49 Without a warrant, however, OSHA is prohibited from conducting
an inspection in the absence of consent. Be advised that in cases of a workplace fatality or other emergency situation, OSHA has nearly unlimited right of access and a warrant is generally not required.50
Nevertheless, remember that any items in plain view of the compliance officer are fair game in
the inspection. Therefore, if you grant access to a part of the healthcare facility, anything he observes
enroute to that part of the facility is open to inspection. It is not uncommon to take the compliance
officer on a circuitous route to the area of concern, so as not to take the officer past other areas of
concern (like the aforementioned janitors closet).
12.2.5.1
Employee InterviewsNon-Managerial
Following the facility inspection, the compliance officer will likely ask to interview employees.
Although a compliance officer generally has the right to private interviews with rank-and-file nonmanagerial employees, an employer is not obligated to produce an employee for an interview during
regular work hours if it creates a risk of injury to other workers or unduly disrupts the provision of
healthcare.51 However, reasonable arrangements can be made to produce the employee for interviews
after work hours or on the next regularly scheduled break. The prevailing wisdom is that neither the
healthcare representative nor the medical center attorney can participate in this interviewalthough
employees may ask that their own attorney or their employee representative (in union situations)
See id. at 1904.29(b)(10).
OSH Act Sec. 8(e).
49
See Marshall v. Barlows Inc., 436 U.S. 307, 98 S.Ct. 1816, 56 L.Ed.2d 305 (1978); see also Rockford Drop Forge Co.
v. Donovan, 672 F.2d 626 (7th Cir. 1982.).
50
For a more thorough discussion of warrants for an OSHA inspection, see Marshall v. Barlows, Inc., 436 U.S. 307
(1978.)
51
See Urick Foundry Co. v. Donovan, 542 F.Supp. 82 (W.D. Pa 1982); see also National Engineering & Contracting Co.,
v. OSHA, 928 F2d 762 (6th Cir. 1991).
47
48
200
201
At the conclusion of the onsite investigation, OSHA will conduct a closing conference. The purpose of the closing conference is to signify the formal end of the investigation and to review the
Departments findings with the employer. At this point, the compliance officer has a good understanding of what the citations will contain.57 It affords the healthcare facility and its legal counsel an
opportunity to visit with the compliance officer to discuss his or her potential findings before a citation
is issued.
Since anything stated during that closing conference is still fair game to be used against the
healthcare facility, the closing conference is best treated as a listening exercise rather than a free flow
exchange of ideas. OSHA sometimes uses the closing conference as a method to fish for what the
employers response to an issue will be before writing the citations so they can craft the citation around
the employers defenses. It is sometimes worthwhile to press the compliance officer for all information
collected that justifies a particular area of concern; however, this is sometimes futile.
It is also helpful to ask the compliance officer if there are any matters that should be corrected
by the employer. If so, the employer can begin taking steps to abate the hazard before the citation is
issued. Although the employer is not under any obligation to correct any issues prior to the issuance of
citations, OSHA will give the employer a deadline to comply at the time the citation is issued. Because
this abatement deadline can sometimes be brief, an employer will benefit by having additional time to
comply.
Another helpful item to obtain at the closing conference is a receipt from the officer itemizing
all the materials provided to him or her during the course of the investigation. Such a receipt helps
to assure that there is no misunderstanding about whether something was or was not provided to
OSHA.
Once the closing conference is completed, the OSHA compliance officer will return to his or
her office and begin drafting the citation(s). It is unlikely that a compliance officer will return to the
healthcare facility to conduct any additional investigation. The Act requires that citations should be
issued with reasonable promptness and imposes a deadline of six months following the occurrence
of any violation.58 It is not unusual for two or three months to elapse after the closing conference
before citations are received in the mail.
56
See Marshall v. Wollaston Alloys, Inc., 479 F.Supp. 1102 (D.Mass. 1979), affirmed, 695 F.2d 1 (1st Cir. 1982); compare Donovan v. Metal Bank of America, Inc., 516 F.Supp. 674 (E.D. Pa. 1981), appeal dismissed as moot 700 F.2d 910
(3dCir. 1983).
57
Although the Area Director reserves the right to change or supplement the recommendations of the compliance officer.
58 See OSH Act Sec. 9(a), (c).
202
12.2.6
Because deadlines begin to run on upon receipt of the citations, it is crucial that the healthcare
facilitys General Counsel be immediately notified when citations are received. The facility should
notify the mail room or any other person in charge of circulating the mail that any materials received
from OSHA should be immediately delivered to the person managing the inspection. Once citations
are received, an employer has only 15 working days to contest the citations before they become a
final and unappealable order from the Department of Labor. Hence, the date the citations are received
should be noted in the file and 15 working days from that date should be noted on the calendar.
Once a healthcare organization receives citations, it has essentially three options. First, the
employer can simply agree to the citations as issued, and write a check to cover any associated fine.
This is not recommended. The second option is to file a Notice of Contest and challenge OSHA in
court to prove the allegations asserted in the citations.59 It is strongly recommended that an employer
retain competent counsel should it choose this alternative. Although OSHA will do its best to convince
you to go forward without a lawyer, the fact remains that the employer will be in litigation and there
are traps for the unwary. The next option is to set up an informal conference. No matter what option an
employer ultimately utilizes, an informal conference with OSHA should always be sought.
12.2.6.1
Informal conferences
An informal conference is exactly what it sounds likean informal meeting with the OSHA
office that issued the citations. At the informal conference, the healthcare facility representative can sit
down with the local field office area director or his or her assistant area director and discuss ways to
resolve the citations without resorting to litigation. Typically, the area director will begin by discussing
the many variables present in an OSHA citation. In addition to the monetary penalties, OSHA citations
contain a gravity determinationOther than Serious, Serious, Willful, Repeat, and even Criminal.
The next variable in the citation is the language of the citation itself. This language can be negotiated in the same manner as the penalty amounts and the gravity. Many times, the language of the
citation is much more damaging to the employer than the dollar amount or the gravity.
The usual set of citations contains some fluff that OSHA uses during negotiations. In other words,
OSHA will cite a healthcare facility for some matters they know will not pass muster on appeal just to
give themselves some bargaining material. If a healthcare facility goes into the informal conference
with a realistic expectation of a workable solution, the healthcare facility will more than likely be able
to resolve the dispute at the informal conference. Generally, more than 90% of citations are resolved
at the informal conference level.
Perhaps the most important reason for resolving a claim at the informal conference is that, if the
healthcare facility is concerned about subsequent litigation resulting from the OSHA investigation, the
healthcare facility can request language in the settlement agreement that will give its attorney more
ammunition to argue against the admissibility of the citations in any subsequent civil action. While
such language by no means guarantees the inadmissibility of OSHA citations, it will give the healthcare
See OSH Act Sec. 10(a).
59
203
See Matthews & Fritts, Inc., 2 OSHC 1149, 197475 OSHD 18,455.
See Reich v. Manganas, 70 F.3d 434 (6th Cir. 1995).
60
61
204
12.3
Significance for In-House Counsel, the Governing Board, and Executive Leadership
Like death and taxes, at some point a visit from OSHA is a near certainty. The when and the why
is less certain. Therefore, when OSHA arrives unannounced, it is important to be prepared and know
your rights and responsibilities. It is also crucial for any in-house counsel, governing board, and executive leadership to keep in mind the big picture throughout the inspection and investigative process.
The consequences of a healthcare facilitys actions or inactions from the inspection to the issuance of
citation may affect future litigation. For example, simply paying the $5,000 fine without contesting
the citation or attempting to negotiate the citation language may end up costing tens of thousands of
dollars in any subsequent litigation. The ultimate goal is to reduce the impact of any citation issued and
to minimize the citations effect on future litigation.
12.4
Commentary
Know and understand the OSHA standards applicable to your facility. There are many
thirdparty safety and health compliance experts who can assist you with this.
Like any good boy scout, always be prepared. While, a healthcare facility may not know
when an OSHA official may arrive, it canand shouldprepare for it. For example, posting
the official employee rights poster from OSHAs website in both English and Spanish in areas
where workers congregate, and establishing a facility Occupational Safety and Health Officer
to implement and oversee an Action Plan for execution when an inspection occurs, are two
important ways to prepare. Also, make sure the healthcare facilitys OSHA recordkeeping
is up to date and its health and safety plan has been fully implemented. From a compliance
standpoint, it is worse to have a policy that is never or incompletely implemented, or worse,
implemented but not followed, than not having one at all. If a healthcare facility makes the
effort to have a comprehensive safety and health plan, the facility must follow your plan.
See the big picture. Actions that any healthcare administrator, risk manager or general counsel takes during an OSHA investigation will not only affect the outcome of the investigation,
but may also affect future litigation. For example, while OSHA citations are technically inadmissible hearsay, plaintiffs attorneys have circumvented this rule by allowing their expert
to review the citation and later testify about it. A citation that cites the healthcare facility
for having a willful disregard for safety will be powerful evidence in a subsequent gross
negligence case where the plaintiffs burden is to show that the healthcare facility willfully
disregarded the safety of the employee.
Set the tone from the beginning. When an OSHA compliance officer arrives, do not treat it
as an adversarial process. Avoid actions such as demanding a warrant or refusing to provide
employees or documents in a timely manner. These actions may be perceived by the compliance officer as hostile, and may diminish your chances of later resolving any issues or
obtaining favorable citation language.
Handle the warrant issue with care. OSHA will perceive a denial of entry and a demand for a
warrant as a hostile act and will assume the healthcare facility is hiding something by hindering access. Rest assured their inspection will be more comprehensive when they return with a
205
Negotiation is a valuable weapon in your arsenal. From the scope of the inspection to the
language in the citation, negotiating with the OSHA compliance officer may reduce the consequences of a citation or future litigation.
Do not inadvertently give OSHA additional ammunition to use against the healthcare facility. Because OSHA may issue citations for any violation seen while on the premises, avoid
inspection routes that would take the officer past any other areas of concern.
It is good to have a single point of contact. As more people become involved, information
becomes fragmented, and no single person will have the complete story. Therefore, only one
person should have principal communication with OSHA. That person could be the healthcare facilitys attorney or risk manager. Whoever he or she is, that person should be charged
with the exclusive responsibility of (1) providing written documents to OSHA and (2) knowing exactly what was said to OSHA, what was given to OSHA, and what OSHA has seen.
Remember, OSHA is listening. It is important to understand that the healthcare facilitys representative is on the record even at informal times such as the walk around. Stray comments
can and will be used by the compliance officer if it is relevant to his investigation. While it is
always important to be polite, the less that is said, the better.
12.5
Conclusion
OSHA is concerned about worker safety and it does its best to do its job fairly and apply the
standards uniformly. Unfortunately, the unprepared healthcare facility representative can be taken
advantage of if he or she is not ready for the inevitable OSHA visit. With careful planning, a healthcare
facility may assert some control over the process and reduce its exposure to significant OSHA fines
and subsequent litigation difficulties and, most importantly, foster a safer workplace.
206
Part V
Legal & Regulatory
Concerns
Adverse Event Reporting: Reporting for Patient Safety and Public Health
13
Adverse Event Reporting: Reporting for Patient
Safety and Public Health
Kathryn K. Wire, JD, MBA, FASHRM
Principal, Kathryn Wire Risk Strategies
13.1
Introduction
Since the 1999 Institute of Medicine report To Err Is Human1 spotlighted the significant role of
adverse events in healthcare, federal and state legislatures and agencies have moved to increase the
reporting and analysis of those events. The IOM expanded its call for improved healthcare outcomes,
including quality and safety reporting, in Patient Safety: Achieving a New Standard of Care (2004).2
Progress toward these goals has occurred in small steps, but it remains slow.
The number of adverse event reporting structures has increased since 1999, but they vary greatly.
On a state level, Oregon is the one state that has a voluntary adverse event reporting system; all the
remaining states that have adverse event reporting systems require providers to follow a proscribed list
of adverse events for which reporting is required primarily on the part of hospitals. The most prominent example of voluntary reporting is to Patient Safety Organizations enabled through the passage
of the federal Patient Safety and Quality Improvement Act of 2005. It is difficult to address mandatory adverse event reporting without considering the myriad other reporting programs that sometimes
overlap both the event reporting systems and each other. Quality reporting as an example, while theoretically voluntary, can take on some of the aspects of adverse event reporting and can have significant
implications on reimbursement and accreditation.
13.2
An Overview of Programs
Adverse event reporting systems take different forms and cover different issues. This chapter cannot realistically describe them in detail, but some specific programs warrant identification here.
1. A number of states encourage or require specific reports of adverse events,3 but they differ
on the specific occurrences that providers must report. Most draw heavily from the National
Accessible free online at http://www.nap.edu/openbook.php?isbn=0309068371.
Accessible free online at http://books.nap.edu/openbook.php?isbn=0309090776.
3
A Review of Current State-Level Adverse Medical Event Reporting Practices: Toward National Standards, Megan K.
Beckett, et al., Rand Health (2006). The National Academy for State Health Policy maintains an online list of state reporting statutes at http://www.nashp.org/_docdisp_page.cfm?LID=2A789909-5310-11D6-BCF000A0CC558925.
1
2
209
Adverse Event Reporting: Reporting for Patient Safety and Public Health
Quality Forum (NQF) list of 28 Serious Reportable Events or Never Events.4 See Appendix
for a list of those events.
2. In October 2008, the federal government implemented the Non-Payment for Hospital-Acquired Conditions, or CMS HAC, program that identifies events through billing codes and
dictates reimbursement consequences when the events occur, another form of event reporting.5 Using submitted billing codes, CMS is accumulating data on adverse outcomes with
every submission of a Medicare bill. The program can track a number of adverse outcomes;
CMS will deny reimbursement for care arising from some of them. It is anticipated that the
current list of 10 hospital-acquired conditions6 will continue to expand and be announced
with the yearly fiscal changes to the Centers for Medicare and Medicaid Inpatient Prospective
Payment System (CMS IPPS).
3. The 2005 Patient Safety and Quality Improvement Act encourages reporting for patient safety,
but even under the act, all reporting remains voluntary, and a very heterogeneous group of
organizations will receive and process the information. PSQIA is discussed in more detail
below.
4. CMS, unquestionably, does not want to be a primary payer when other forms of insurance
are available. To that extent and to add additional strength to the Medicare Secondary Payer
(MSP) statutes, the Medicare, Medicaid, and SCHIP Extension Act of 2007 was passed in
December 2007.7 Section 111 refers specifically to reporting obligations by liability insurers
including self-insured plans to report on behalf of Medicare beneficiaries dollars paid for certain adverse events. This in essence makes for a federal mandatory reporting requirement.
5. Section 5001(a) of the Deficit Redution Act (DRA) sets out new requirements for the Report-
ing Hospital Quality Data for Annual Payment Update (RHQDAPU) program. RHQDAPU
builds on the ongoing voluntary Hospital Quality Initiative (HQI). Hospitals are required
to report quality measures of process, structure, outcomes, patients perspectives on care,
efficiency, and cost of care that relate to services furnished in inpatient settings on the CMS
website. Currently, hospitals must report 30 quality measures to receive a full payment update
in FY 2009. By law, CMS must reduce payments to hospitals that do not successfully report
quality measures.
See www.qualityforum.org.
See Rules and discussion of CMS program regarding non-payment for hospital-acquired conditions at Federal Register
Vol. 73 No. 161, pp. 48471-91, accessible at http://edocket.access.gpo.gov/2008/pdf/E8-17914.pdf
6
The 10 conditions are : (1) foreign object retained after surgery; (2) air embolism; (3) blood incompatibility; (4) pressure ulcers stage III and IV; (5) trauma related to falls and other hospital associated incidents; (6) catheter-associated
urinary track infections (UTI); (7) vascular-catheter associated infections; (8) Surgical site infectionsMediastinitis after a
coronary artery bypass graft, certain orthopedic surgeries, bariatric surgery for obesity; (9) manifestations of poor Glycemic control; and (10) deep vein thrombosis (DVT) and pulmonary embolism (PE).
7
Mandatory Insurer Reporting Requirements of Section 111 of the Medicare, Medicaid and SCHIP Act of 2007 (MMSEA)
(Pub. L. 110173); Use: Section 111 of the Medicare, Medicaid and SCHIP Extension Act of 2007 (Pub. L. 110173) amends
the Medicare Secondary Payer (MSP) provisions of the Social Security Act (42 U.S.C. 1395y(b)). For more information,
visit http://www.cms.hhs.gov/MandatoryInsRep/.
4
5
210
Adverse Event Reporting: Reporting for Patient Safety and Public Health
13.2.1
Non-Reporting Penalty
While most healthcare facilities will report to one or more of these systems, they may also report
to managed care organizations, voluntary non-governmental groups, and their own health system
management.
13.3
With this hodge-podge, it helps to consider the characteristics of different reporting systems that
most strongly influence their potential impact on organizational risk.
1. Adverse event reporting (mandatory or voluntary) relies on the submission, aggregation,
and analysis of information about specified undesirable outcomes from hospitals, in order
to design improved processes and support patient safety. The state programs that gather data
on never events are examples. Some report the data by facility, others do not. Some use
public health data to put the numbers in context noting, for example, the statewide number of
wrong-site surgeries as a percentage of total procedures. Generally, they view the events as
rare enough that they do not calculate rates for each facility.
2. Other programs center on universal outcome reporting, in which the agency gathers data on
all of the facilitys outcomes (denominator) and then assesses the proportion of undesirable
outcomes (numerator), to calculate a rate of failure or, conversely, of success. Facility mortality and infection rates fall in this category. This data is gathered from a variety of sources,
some administrative and some based on clinical record review.
3. CMSs HAC program represents another form of outcome reporting, pulling statistics from
billed diagnoses. It sorts through administrative (billing) data that indicates whether a defined
outcome occurred by tracking submitted diagnosis codes on the bills.
4. Other programs gather data on process compliance; they focus on whether recommended
processes take place, but dont directly track individual cases or outcomes. For example,
CMS and the Joint Commission collect data through the National Hospital Quality Measures on process points like administration of pre-operative antibiotics or aspirin for patients
with a possible heart attack.8 Process reporting should be combined with some form of outcome measurement to determine whether improving process compliance actually improves
outcomes.
The discussion below describes the more prevalent models and then discusses the potential risk to
the enterprise that can arise from either participation or non-participation in the programs.
211
Adverse Event Reporting: Reporting for Patient Safety and Public Health
The Patient Safety and Quality Improvement Act of 2005
and Patient Safety Organizations9
Amid the background pressure to devise a comprehensive reporting system for adverse events, the
federal Patient Safety and Quality Improvement Act of 2005 (PSQIA or Patient Safety Act) became
law. Final rules for implementing the PSQIA were published November 21, 2008.10 The Patient Safety
Act establishes a framework by which doctors, hospitals, and other healthcare providers may voluntarily report information on a privileged and confidential basis regarding patient safety events and
quality of care.11
The federal law removes one disincentive to reporting, as it protects patient safety activities from
discovery. Since reporting to a PSO is voluntary, it does little to address the IOMs goals of universal
reporting. As stated in the Federal Register on August 29, 2008, the Patient Safety Act requires PSOs,
to the extent practical and appropriate, to collect patient safety work product from providers in a standardized manner in order to permit valid comparisons of similar cases among similar providers. One
of the goals of the legislation is to allow aggregation of sufficient data to identify and address underlying causal factors of patient safety problems. In order to facilitate standardized data collection, the
Secretary of DHHS requested the Agency for Healthcare Research and Quality (AHRQ) to coordinate
the development of Common Formats for patient safety events. The Common Formats Version 0.1
Beta was released by AHRQ on August 29, 2008.12 Soliciting comments from the public, providers,
and PSOs will help AHRQ (assisted by the NQF) to revise future versions of the Common Formats.
AHRQ plans on publishing a revised version within six to nine months from its first Beta Version then
yearly thereafter,
This section does not offer a definitive discussion of the Patient Safety Act and its processes.
Rather, it will provide enough information to discuss the potential impact of PSO-related activities in
an enterprise risk environment.13
The Patient Safety Act centers on Patient Safety Organizations (PSOs), which will gather data
from healthcare providers.14 Figure 1 describes the flow of information under the Act. The data can
consist of adverse event reports or other patient-safety-related information. A PSO can analyze its own
data and can collaborate with other PSOs to analyze a broader base of information. The Patient Safety
Act protects data reported to and processed by the PSO, as well as PSO activities, from discovery and
most other forms of involuntary disclosure. A PSOs ultimate work product (free of identifiers) has no
protection. Aggregated data about patient safety issues will be available to PSO members, collaborating PSOs, and, possibly, to the public.
James M. Barclay and Ruden McCloskey contributed research and editorial assistance for this section.
Final Rule PSO Legislation, Federal Register, Friday, November 21, 2008, Vol. 73, No. 226, Rules and Regulations,
pages 7073170814. See: http://edocket.access.gpo.gov/2008/pdf/E8-27475.pdf.
11
Federal Register, Vol. 73, No. 169, Friday, August 29, 2008, Notices.
12
The Common Formats can be accessed electronically at the following website of the Department of Health and Human
Services at http://www.pso.ahrq.gov/index.html.
13
The PSQIA assigns enforcement of the law to the AHRQ, which has an extensive website about the law, regulations, and the current status of implementation at http://www.pso.ahrq.gov/index.html. The Office of Civil Rights
has enforcement responsibility for the confidentiality provisions, and their website with information is accessible at
http://www.hhs.gov/ocr/psqia/.
14
The term provider encompasses nearly all types of healthcare providers. PSQIA 921(8). In that sense, the PSQIA
provides much broader protection to safety processes than many state quality and peer review statutes.
9
10
212
Adverse Event Reporting: Reporting for Patient Safety and Public Health
Figure 1
Healthcare providers that contract with a PSO, then gather and report their data also known as
Patient Safety Work Product (PSWP) via a Patient Safety Evaluation System (PSES), are protected
from disclosing that data. The regulations define the confidential data-gathering process narrowly, so
providers should use caution when counting on the confidentiality of their programs.
In summary, the Act outlines a program with these characteristics:
Healthcare providers gather information about adverse events (or other patient-safety-related information) and transmit it to one or more PSOs. They can choose which PSO, if any,
to use.
213
Adverse Event Reporting: Reporting for Patient Safety and Public Health
PSOs collect, aggregate, and analyze (via their PSES) the information reported by healthcare
providers. The Act assumes that by analyzing patient safety information, PSOs will be able
to identify patterns of failure and propose measures to eliminate patient safety risks and
improve care. PSOs can share data among themselves.
PSWP receives federal privilege and confidentiality protection. PSWP is the information
assembled and reported by providers to a PSO or developed by a PSO as part of its Patient
Safety Activities (PSAs).
Any information gathered for purposes other than reporting it to a PSO is not protected under
the Act, though it may be under state law.
Consent of all identified providers to a disclosure of PSWP can waive the confidentiality of
that information.
The Patient Safety Act preempts state law that is less protective of data disclosure but interferes neither with state law that provides greater protections nor with state law regarding
information that does not qualify as PSWP.
A provider may not take an adverse employment action against an individual who reports
patient safety concerns to the provider or directly to a PSO in good faith. 15
Protected PSWP cannot ordinarily be used in state, federal, or local civil or criminal actions
or administrative disciplinary proceedings. However, it can be used in criminal proceedings
if an in camera review determines that the PSWP (1) contains evidence of a criminal act,
(2) is material to the proceeding, and (3) is not reasonably available from any other source.
Courts can use PSWP to provide equitable relief in certain whistleblower actions. In short,
the PSQIA will not shield evidence of criminal or retaliatory behavior.
The government can assess monetary penalties for violations of confidentiality or privilege
protections.
PSOs are business associates and patient safety activities under the Act are healthcare operations for HIPAA purposes.
13.4
A growing number of states require that providers report adverse events to a state agency. Many
state reporting programs create active patient safety agencies to process and publish the information.
Most also provide protection against disclosure of non-aggregated data, though some states publish
Adverse employment action, as defined in 922(e)(2) of the Act, includes loss of employment, failure to promote an
individual, failure to provide any other employment-related benefit for which the individual would otherwise be eligible,
or an adverse evaluation or decision made in relation to accrediting, certifying, credentialing, or licensing the individual.
15
214
Adverse Event Reporting: Reporting for Patient Safety and Public Health
the events naming the institution.16, 17, 18 These programs differ from the federal structure in two ways.
First, they require reports while the federal law favors a voluntary system. Second, all reports go to one
agency. (State agencies that receive mandatory reports may also quality as PSOs). Under the Patient
Safety Act, a provider can report to any PSO, multiple PSOs or, in some cases, create its own. Some
state programs publicly report data by provider.
13.4.1
The Joint Commission has a well-established program requiring that providers report sentinel
events. The reporting process is complex and, in some cases, the provider need only demonstrate when
asked that it fully investigated the event with a root cause analysis. The Joint Commission gathers the
reports and issues periodic Sentinel Event Alerts based on its findings.19 As of December 2008, the
Joint Commission had issued 42 Sentinel Event Alerts on a variety of patient safety topics affecting
providers.
13.4.2
Several other programs gather reports regarding specific safety issues such as equipment malfunctions, medication errors, and adverse events from drugs. These programs generally protect
non-aggregated data from disclosure. MedWatch, the FDA safety information and adverse event-reporting program, gathers mandatory and voluntary reports about the safety of medications and medical
devices. The program also directs that some reports go to the manufacturers of the item, to be aggregated there and reported to the government.20
The Medication Errors Reporting (MER) Program implemented by the U.S. Pharmacopeia
(USP) created a reporting program which became the national model for healthcare providers
and patient to report medical errors on a confidential basis. The Institute for Safe Medication Practices (ISMP) has been a partner with USP since 1991 and has now taken over this
program. ISMP will continue to use these reports to affect changes in products and practice
both nationally and internationally. ISMP is a designated PSO which support the move of the
MER program from USP to ISMP.21
Another program which has seen recent change is MEDMARX. Previously managed and
maintained by U.S. Pharmacopeia, it has now been transferred to Quantros, a healthcare
technology company recently named as a PSO, to create a more robust database of medica-
Pennsylvania has one of the oldest and most active state organizations; further information is available at
http://www.psa.state.pa.us/psa/site/default.asp. Information about the Indiana Patient Safety Center can be accessed at
http://www.indianapatientsafety.org/. Both agencies report on their event reporting activities each year and issue safety
bulletins periodically when they believe a pattern of events requires attention.
17
See Hospital Adverse Event Reporting: Review of State Statutes and Administrative Rules (2006), at
http://www.nahdo.org/documents/25StateAdverseEventReportingRequirements.pdf. This report lists all state programs
and summarizes their requirements and also refers to some web resources for further information.
18
http://www.in.gov/isdh/23433.htm.
19
http://www.jointcommission.org/SentinelEvents/.
20
http://www.fda.gov/medwatch/What.htm.
21
For reporting or additional information, contact ISMP at www.ismp.org or 1-800-324-5723.
16
215
Adverse Event Reporting: Reporting for Patient Safety and Public Health
tion and other medical errors, and to deliver the output to a larger base of providers through
an improved user interface.22
Effective May 7, 2001, the FDA requires that hospitals and blood centers maintain a method
to report, investigate, and track errors and accidents. The Medical Event Reporting System for
Transfusion Medicine (MERS-TM), a web-based system, meets that requirement. MERS-TM
was developed under a grant by the Heart, Lung and Blood Institute and is maintained by
its developers at Columbia University. MERS-TM is an event reporting system developed
for transfusion services and blood centers to collect, classify, and analyze events that could
potentially compromise transfusion safety.23
13.5
The reporting of clinical data, whether mandatory or voluntary, carries some risks that can affect
the various ERM domains. Some connections are very clear while others are more subtle and require
investigation. ERM leaders must seriously consider both the myriad consequences of any reporting
system, and how those effects might appear in their organization. Reporting system variables will
substantially define the potential risks a reporting program presents for an organization. Questions to
answer include:
For negative or poor outcomes, what strategies and solutions are in place to prevent future
reoccurrence?
To what extent does the reporting process divert resources needed elsewhere in your
organization?
Table 1 outlines some of the likely risks of reporting programs, and associated steps an organization can take to reduce those risks.
13.6
Conclusion
Many healthcare providers dive into the reporting process blindly, assuming that the activity is
necessary and that it will benefit the organization. Because reporting requires substantial time and
energy, an ERM analysis will help determine the initial wisdom of participation, provide for the necessary resources to do it well, and allow for redirection if necessary. By assessing the risks, costs, and
benefits of reporting, the organization will knowingly engage in the process, understanding its goals
in participating. By watching how the reporting process works, the organization can redirect resources
In the interest of public health and to assist practitioners and patients, USP will post its five years of MEDMARX data
and eight annual reports on www.usp.org for free, ensuring full access to this clinically important information. All queries
about MEDMARX should be addressed to Quantros (www.quantros.com).
23
For more information, go to http://www.mers-tm.org/about.html.
22
216
Adverse Event Reporting: Reporting for Patient Safety and Public Health
and adapt its reporting efforts over time. By evaluating the results, it can know where to direct its
efforts in clinical improvement.
Participation in any reporting process must be weighed against competing uses for resources,
based on an analysis of all domains. How will the effort affect regulatory and legal compliance? How
will it affect the organizations financial picture? In what ways will it change the human resource picture, both by using human capital and influencing the organizations relationship with its employees?
Is the organization ready to make the necessary changes that results may require? How will the act of
reporting and the results of reporting impact the organizations reputation and relationships in all of its
various communities, including the medical staff?
If reporting is mandatory, some of these questions are not relevant. However, the entity can still
determine its own best response to possible reporting outcomes. Does it really want to be best? What
is the upside of being bestwhat will it really bring? What are the costs? What are the true downsides
of poor results?
Reporting, like any other organization activity, can support or detract from an organizations strategic goals. The ultimate result will depend on whether leadership examines reporting options like any
other business decision and then implements its conclusions effectively.
Table 1
RISK CONCERNS
1. Inaccurate reports cause risk in three areas:
The provider will have a false picture
of its patient safety needs and misdirect
resources.
The entire reporting system (e.g., a PSO
and its clients) may misdirect resources
based on bad information.
If aggregated data are published, then
the audience of those reports will have
a false picture of either individual providers or the safety of the healthcare
systems.
RISK SOLUTIONS
Because reporting is a relatively new phenomenon, providers lack standardized methodologies
for gathering or testing data internally. This can
lead to wide variations in the accuracy of reports.
When developing procedures to gather and report
data, concurrently establish protocols for data
review and testing to accomplish the following
checks:
Inspect the systems for generating data.
Are the sources likely to be accurate? Are
the systems comprehensive?
Compare the data to itself (over time and
between clinical areas) for consistency.
Use a gut check: does it look and sound
right?
How does the organization compare to
others, and does that comparison make
sense?
217
Adverse Event Reporting: Reporting for Patient Safety and Public Health
RISK CONCERNS
RISK SOLUTIONS
2. Any reporting structure that involves incen- Keep any direct consequences of reporting in
tives or punishment can encourage participants context by looking at the following questions:
to game the system. This leads to dysfunctional
What is the provider getting by meeting
results and potentially could impact patient care.
the goal? What is it giving up?
For example, the publication of mortality rates
may discourage providers from taking the sick What unintended shifts in clinical proest patients. Alternatively, it might discourage
cesses and/or outcomes have resulted (or
physicians from offering non-aggressive comare likely to result) from the incentives?
fort care for the sickest patients.
Can the link between the incentives and
the unintended result be broken?
How do the potential unintended consequences balance against the gain from the
reporting incentives?
Educate employees and physicians about the
downside of unintended consequences.
3. Issues subject to reporting tend to get more
attention, and that can divert valuable resources
from other provider needs. Mandatory reporting
systems do not usually address issues based on
individual assessments of providers. So unique
concerns not covered by the reporting systems
may be ignored for lack of capital and human
support.
Utilize an ERM framework to rank the risk of nonreporting or of ignoring reported issues against
the opportunity cost of directing resources to the
issues highlighted by outside programs with the
following questions:
What does the provider lose with noncompliance or gain with compliance?
Look at governance, regulatory, financial,
reputation, liability/legal, and human
resources implications.
How do those findings fit into the organizations strategic goals?
What other applications of those resources
will be abandoned?
Who will do the work? Is there new staff,
or will existing staff add this to their
responsibilities? Will it require new technology or additional staff? Is the diversion
of human and financial capital justified in
light of other strategic goals?
Can the content and structure of reporting be altered by reevaluating PSO
relationships?
218
Adverse Event Reporting: Reporting for Patient Safety and Public Health
RISK CONCERNS
RISK SOLUTIONS
4. Providers that do not improve will suffer dis- Several steps need to occur in the face of a persisproportionately. Ongoing data collection will tent failure to improve:
demonstrate their mounting failure to keep up
Analyze the benefits and risks of meetwith others who improve, as the move to transing the expectations (process outlined
parency puts more data out to consumers. The
above). Is continuing with this reporting
failure to improve can arise from a number of
and evaluation process mandatory? If not,
causes:
is it a good idea?
Insufficient resources to address the
Consider allocating the financial and
problem without compromising other
human capital for the difficult process of
strategic goals.
generating behavior change.
Inability or unwillingness to change
behavior to improve care, a purely local
effort unrelated to the reporting process
or the proposed solutions.
219
Adverse Event Reporting: Reporting for Patient Safety and Public Health
RISK CONCERNS
RISK SOLUTIONS
6. Public reporting of negative findings can lead Make sure that all relevant departments learn
to a loss of trust.
of the likely publication of unfavorable results
so systems like public relations, marketing, and
physician relations can prepare. Be ready to talk
about the efforts to improve. This requires the
organization to study and understand the data
before reporting it.
7. Efforts to improve reported results can lead to
the inappropriate use of medical treatments such
as antibiotics. For example, efforts to encourage
early administration of antibiotics for patients
with possible pneumonia resulted in overtreatment with those drugs.
8. Reports may mislead consumers if the under- Accuracy of data should be a priority.
lying data are not accurate or appropriately
The risk adjustment process often falls outside
risk-adjusted.
of the providers control. Address it through
Caution: If the provider knowingly incorporates audience education. If the risk adjustment is just
inaccurate reports into marketing materials, the wrong, examine the organizations data that sets
affected consumers could seek recovery under the risk adjustment. Is accurate information going
consumer protection laws which allow for into case mix calculations?
greater recoveries, attorney fees, or recovery in
Providers need to accept that no reporting or
the absence of physical injury.
measuring system is perfect.
9. An increase in the number of events reported
often indicates greater cooperation with a patient
safety program. Higher numbers also may lead
to an inaccurate perception of poor care.
220
Adverse Event Reporting: Reporting for Patient Safety and Public Health
RISK CONCERNS
RISK SOLUTIONS
10. Many laws protect whistleblowers who Good personnel records that include ongoing
report information to a PSO or state agency evaluations of competency and compliance with
from retaliatory treatment, including discharge. employee regulations can protect a provider
that takes action against a whistle blowing
employee.
Effective and trusted internal contact points
for concerned employees can deflect employee
reports to outside agencies. However, the
employer cannot mandate that employees report
internally first.
11. Information gathered and analyzed in antici- State quality and peer review statutes may propation of reporting may be discoverable, even if vide protection, and the organization should
consider those provisions when designing reportthe actual information reported is not.
ing structures.
Reported events may be published.
The PSQIA regulations do not protect information unless it is reported.
The ERM analysis should include consideration
of both the upside and downside of reporting,
as well as evaluating whether the information is
likely to be discoverable in another form, making
this threat less important. For example, if a plaintiff could ask for the facilitys infection rate and
get that information, then the protection of the
process that develops that figure is less important. Can the organization use its participation in
a quality or safety program as a positive thing?
221
Adverse Event Reporting: Reporting for Patient Safety and Public Health
AppendixNational Quality Forum 2006 Serious Reportable Events
Surgical Events
1. Surgery performed on the wrong body part.
2. Surgery performed on the wrong patient.
3. Wrong surgical procedure performed on a patient.
4. Unintended retention of a foreign object in a patient after surgery or other procedure.
5. Intraoperative or immediately post-operative death in an ASA Class 1 patient.
Product or Device Events
6. Patient death or serious disability associated with the use of contaminated drugs, devices, or
biologics provided by the healthcare facility.
7. Patient death or serious disability associated with the use or function of a device in patient
care, in which the device is used or functions other than as intended.
8. Patient death or serious disability associated with intravascular air embolism that occurs
while being cared for in a healthcare facility.
Patient Protection Events
9. Infant discharged to the wrong person.
10. Patient death or serious disability associated with patient elopement (disappearance).
11. Patient suicide, or attempted suicide resulting in serious disability, while being cared for in a
healthcare facility.
Care Management Events
12. Patient death or serious disability associated with a medication error (e.g., errors involving
the wrong drug, wrong dose, wrong patient, wrong time, wrong rate, wrong preparation, or
wrong route of administration).
13. Patient death or serious disability associated with a hemolytic reaction due to the administration of ABO/HLA-incompatible blood or blood products.
14. Maternal death or serious disability associated with labor or delivery in a low-risk pregnancy
while being cared for in a healthcare facility.
15. Patient death or serious disability associated with hypoglycemia, the onset of which occurs
while the patient is being cared for in a healthcare facility.
16. Death or serious disability associated with failure to identify and treat hyperbilirubinemia in
neonates.
17. Stage 3 or 4 pressure ulcers acquired after admission to a healthcare facility.
18. Patient death or serious disability due to spinal manipulative therapy.
19. Artificial insemination with the wrong donor sperm or wrong egg.
222
Adverse Event Reporting: Reporting for Patient Safety and Public Health
Environmental Events
20. Patient death or serious disability associated with an electric shock or elective cardioversion
while being cared for in a healthcare facility.
21. Any incident in which a line designated for oxygen or other gas to be delivered to a patient
contains the wrong gas or is contaminated by toxic substances.
22. Patient death or serious disability associated with a burn incurred from any source while
being cared for in a healthcare facility.
23. Patient death or serious disability associated with a fall while being cared for in a healthcare
facility.
24. Patient death or serious disability associated with the use of restraints or bedrails while being
cared for in a healthcare facility.
Criminal Events
25. Any instance of care ordered by or provided by someone impersonating a physician, nurse,
pharmacist, or other licensed healthcare provider.
26. Abduction of a patient of any age.
27. Sexual assault on a patient within or on the grounds of the healthcare facility.
28. Death or significant injury of a patient or staff member resulting from a physical assault
(i.e., battery) that occurs within or on the grounds of the healthcare facility.
223
14
Human Research and IRBs
Fay A. Rozovsky, JD, MPH
President, The Rozovsky Group, Inc.
14.1
Introduction
Clinical research is a major factor in healthcare organizations, from large teaching hospitals to
medical group practices and home health organizations. Human research spans the gamut, from investigational drugs and devices to behavioral studies. For healthcare organizations, being the venue for
sponsored research can result in a significant source of revenue. It can also expose healthcare entities
to an array of liability risk.
In many ways the ability to control clinical research risk exposure turns on the effectiveness of the
institutional review board (IRB) and research office. Due diligence in reviewing research protocols,
rigorous review of sponsor agreements, ongoing vigilance and oversight of research trials and billing
are important measure to thwart potential risk exposure.
Successful human research and IRB activity demands input from healthcare counsel for a healthcare entity. Understanding potential liability exposures and mechanisms to control it make human
research ripe for the application of enterprise risk management.
14.2
In the United States, human research is governed by both federal and state requirements. At the
federal level, some 19 federal departments and agencies follow what is termed the Common Rule,1
a set of consistent regulatory requirements that are found in the Code of Federal Regulations. Thus if
one views consent requirements for clinical trials overseen or sponsored by the Department of Energy,
the language would be the same in a corresponding section of the CFR for the Department of Health
and Human Services. One major exception is the Food and Drug Administration (FDA), which has
some variations, particularly in the area of consent to participation in clinical research trials.2
1
2
225
Using the Department of Health and Human Services regulations as a model for others under the
Common Rule, one can see the logic of the rules governing human research. The regulations identify
what are considered exempted activities10 and those that require review by an Institutional Review
Board.11 The regulations are quite specific, too, about the membership of the IRB and the obligations
of this group in reviewing protocols with a view to safeguarding the rights and welfare of research
subjects.12 Thus, the IRB is obliged to review study design with a view to approval of research trials,13
consent requirements and documentation,14 and, in appropriate cases, take action to either suspend or
terminate a protocol.15
A duly constituted IRB must give written assurances that it will comply with the federal policy on
human research.16 The Federalwide Assurance (FWA) for human research tracks the core principles
found in the Common Rule. The Office of Human Research Protections (OHRP) has created forms to
complete for the written assurance.17
The Federalwide Assurance (FWA) is the only type of new assurance of compliance accepted
and approved by OHRP for institutions engaged in non-exempt human subjects research conducted or
supported by HHS. Under an FWA, an institution commits to HHS that it will comply with the requirements set forth in 45 CFR part 46, as well as the Terms of Assurance.
FWAs also are approved by OHRP for federalwide use, which means that other federal departments and agencies that have adopted the Federal Policy for the Protection of Human Subjects (also
3
4
12
13
14
15
16
17
10
11
Cal. Health & Safety Code 24170; Cal. Penal Code 3500 et seq.
NY Pub. Health Law 2440 et seq.
Va. Code 32.1-162.16 et seq.
See, e.g., Md. Health Code Ann. 19-344.
Ariz. Re. Stat. Ann.31-321 et seq.
Okla. Stat. Ann. 63 2-101.
See, e.g., Ind. Code Ann. 16-34-2-6 and Neb. Rev. Stat. 28-342.
45 CFR 46.101(b).
Id.
45 CFR 46.103.
45 CFR 46,111.
45 CFR 46.117; for FDA consent requirements, see 21 CFR 50.25.
42.CFR 46.113.
42 CFR 46.103.
See the form at http://hhs/gov/ohrp/humansubjects/assurance/filasurt.htm.
226
Federal, state, and international legal requirements are but one side of a much more complex legal
context for clinical trials. To a large extent, sponsor agreements dictate the scope and dimensions of
human research. Subject recruitment, retention, and termination of subjects from a trial, conflict of
interest, access to data, record retention, suspension of research, payment, information sharing with
data safety monitoring boards (DSMBs), liability, and insurance are just some of the topics often
addressed in sponsor agreements. The terminology and phraseology used may often dictate the scope
of sponsor risk-taking and risk-shifting to healthcare facilities. As such, legal counsel should review
carefully the terms and conditions of a sponsor agreement with a view to diffusing needless liability
risk exposure.
20
21
22
18
19
227
228
14.5
A healthcare organization may or may not have its own IRB. Often a research protocol may be
approved by an IRB situated elsewhere. Under agreements, the local healthcare organization agrees
to participate in the trial, following the provisions of the research protocol. At other times the local
healthcare organization may have its own IRB and that body will review the protocol. In such a multicenter trial the opportunity is ripe for disputes about consent provisions between IRBs. Yet in other
situations a CRO or clinical review organization may be involved as the IRB.
Separate from the IRB what is often seen in healthcare facilities is a Research Office. Staffed
with individuals responsible for sponsored trials, clinical trials contracts, and daily administration, the
opportunity is great for high quality programs that detect early on the potential for regulatory noncompliance and billing issues. Many Research Offices include a Chief Research Officer or Director of
Research with compliance training.
The IRB often has a full-time administrator who is skilled at managing the work of the institutional review board. Training and certification programs exist for IRB personnel, including the CIP
program from PRIM&R.23 Other training programs including education materials are made available
by OHRP24 and propriety courses.25
At the IRB level, hands-on training is required for members. This includes orientation and regular
updates. The same kind of approach is prudent for principal investigators and their staff.
Training regimens should extend to senior management of the healthcare organization and the
board of directors or trustees. It should not be assumed that an IRBs approval is sufficient. With good
training, the board should know the types of questions to ask when providing final approval for a major
research project to be rolled out at the healthcare organization. At the senior management level, the
CFO, CNO, CMO, and risk management should be conversant with what is anticipated in the research
trial. In this way, coding, billing, insurance coverages, and staffing needs can be anticipated for the
human research investigation. Getting to this stage, however, requires rigorous review by legal counsel of the legal dimensions of the research project.
14.6
Human research involves clinical, financial, regulatory, liability, and fiduciary responsibilities.
Although the IRB may act on delegated authority of the board of directors of a healthcare entity, it
is the healthcare organization that is ultimately responsible for acting on the recommendations of the
Institutional Review Board. Negligent review or oversight can trigger liability for the organization.
Similarly, approval of an imprudent study resulting in losses for the organization can impact the liability of the board and officers of the organization in terms of their fiduciary responsibility as the good
Information on the Certification for Institutional Review Board (IRB) Professionals can be found at www.primr.og/
Certification.aspx?id=2068ekmensel=c580fa7b_48_80_btnlink.
24
See http://www.hhs.gov/ohrp/educational/index.html#materials.
25
See, e.g., Research Compliance & Research Integrity, www.hccs.com/research.html.
23
229
231
The following checklist provides a framework for an ERM approach to human research and IRB
administration. Central to such an approach is a collaborative effort among leadership, clinical research
professionals, risk management, billing, and the healthcare counsel.
the institution has a current FWA;
the institution has a template for reviewing and negotiating sponsor research agreements;
there is a training program with demonstrated competencies for principal investigators and
research staff;
there is a training program with demonstrated competencies for members of the IRB;
there is a training program with demonstrated competencies for personnel in the Research
Office;
there is a practice routine for identifying and partitioning billing and coding for clinical
research;
there is an internal audit process used on a regular basis to evaluate compliance with coding
and billing in clinical research;
there is a current policy and procedure that addresses administrative aspects of the IRB and
Research Office;
the IRB reviews research protocols consistent with applicable federal and state
requirements;
subject enrollment;
expedited review;
26
233
a policy and procedure for disclosure of adverse and unanticipated outcomes of clinical
research;
use of root cause analysis to evaluate research studies resulting in serious injury or death;
there is a linkage with the corporate compliance program zero tolerance process to address
identified issues of scientific misconduct and fraud and abuse;
there is a regular review of insurance coverages for clinical research including but not limited
to:
liability;
workers compensation;
property;
business interruption;
key person;
cyber risk;
identity theft;
intellectual property theft; infringement;
insurance specifications for international research.
Checklists aside, there are some specific measures for healthcare counsel to consider in helping
to give shape to an enterprise risk approach to clinical research and the work of the IRB. A threshold
initiative calls for legal counsel to identify the statutes and regulations that apply to research trials.
Identifying applicable law is fairly straightforward when a protocol involves competent adults
within the confines of the jurisdiction in which the research is to take place. However, it is quite another
Guidance for Clinical Investigators, Institutional Review Boards and Sponsors, Exception from Informed Consent
Requirements for Emergency Research, 71 Fed. Register 51,198 et seq. (August 29, 2006).
28
See, e.g., R.I. Gen. Laws 23-17-19.1.
27
234
Conclusion
Human research is an important aspect of the healthcare industry. It provides the context for
important innovations in clinical care and it offers the potential of a strong, consistent revenue stream
for a healthcare organization.
Human research trials also involve the unknown and risks abound to potential research subjects. It
is imperative that appropriate mechanisms are in place to safeguard the well-being of human subjects
and the integrity of the research process.
Enterprise risk management offers a context for addressing the range of risks associated with
human research trials and the work of the IRB. Pivotal to success is the involvement of legal counsel in
all segments of the ERM model for such endeavors. To this end, a useful list of resources can be found
in this chapter to help start the process toward an ERM model for clinical research.
F.A. Rozovsky and R.K. Adams, Clinical Trials and Human Research: A Practical Guide to Regulatory Compliance,
San Francisco: Jossey-Bass, 2003.
29
235
236
E.A. Bankert and R.J. Amdur, Institutional Review Board: Management and Function, Second Edition. Boston: Jones and Bartlett, 2006.
P. Brent and L. W. Vernaglia, Editors, Clinical Research Compliance Manual: An Administrative Guide. New York, 2007.
R. Carroll, Editor, Risk Management Handbook for Health Care Organizations, Fifth Edition. San Francisco: Jossey-Bass, 2006.
F.A. Rozovsky, Consent to Treatment: A Practical Guide, Fourth Edition. New York: Aspen
Publishers (2007 with 2008 supplement).
F.A. Rozovsky and R.K. Adams, Clinical Trials and Human Research: A Practical Guide to
Regulatory Compliance. San Francisco: Jossey-Bass, 2003.
F.A. Rozovsky and J.L. Conley, Health Care Organizations Risk Management: Forms,
Checklists & Guidelines, Second Edition. New York: Aspen Publishers, 2007 (with 2008
supplement).
Department of Agriculture
Department of Commerce
Department of Defense
Department of Education
Department of Energy
Department of Justice
Department of Transportation
15
Mandatory Disclosure of Adverse Events
toPatient/Family
Peter J. Hoffman, Esq.
Eileen Lampe, Esq.
Joseph V. Conroy IV, Esq.
Eckert Seamans Cherin & Mellott, LLC
Joan D. Plump, Esq.
Attorney at Law
15.1
Introduction
In 1999, the Institute of Medicine (IOM) released a landmark report, To Err is Human, which
revealed that medical injury was causing many deaths and called on the healthcare community to make
reduction of medical errors a priority. Since then, medical errors and tort reform have received a great
deal of attention and many changes have occurred in how healthcare organizations think about and
deal with adverse events.1
One essential change has been that now, after an adverse event, providers are encouraged and
often required to share information about what went wrong and why. Sometimes details relating to the
event must be reported so they can be studied, with the hope that organizations and people may truly
be able to learn from mistakes. Additionally, both to promote patient safety and in an attempt to help
contain skyrocketing medical professional liability costs, healthcare organizations and providers may
be required to disclose the occurrence of a adverse event to the affected patient, and perhaps to the
patients family.
Obviously, it is important for a healthcare organization to be aware of when disclosure of adverse
events is required. The people within those organizations also should understand why disclosure is a
beneficial practice for everyone involved, and how best to go about it. This chapter will deal briefly
with these subjects.
The American Society of Healthcare Risk Management (ASHRM) defines an adverse event as an injury that was caused
by medical management rather than the patients underlying disease. It may or may not result from a medical error. Medical
management includes all aspects of healthcare, not just actions and decisions of physicians and nurse.
237
Disclosure may be required by the Joint Commission, state law, insuring provisions, and organizational policies and procedures, just to name a few. This section will briefly discuss some of these
requirements.
15.2.1
The Joint Commission requires that patients, and when appropriate, their families be informed
about the outcomes of care, treatment, and services that have been provided, including unanticipated
outcomes.2 One element of performance under this standard is that, at a minimum, patients, and
where appropriate the family, be informed about unanticipated outcomes of care, treatment, and
services that relate to sentinel events considered reviewable by the Joint Commission.3 The list of
sentinel events considered reviewable by the Joint Commission includes the following:
any patient death, paralysis, coma or other major permanent loss of function associated with
a medication error;
15.2.2
State Law
Disclosure of adverse events or unanticipated outcomes also may be required by state law. As
of 2008, at least 12 states, i.e, California, Connecticut, Florida, Maryland, Nevada, New Jersey, New
York (only facilities licensed by the N.Y. Dept. of Mental Health), Oregon, Pennsylvania, South Carolina (Ambulatory Surgery Centers only), Tennessee, Vermont, and Washington, had statutes requiring
mandatory notification to patients of adverse events.5 Other states may well adopt similar laws as the
evidence supporting the practice of disclosure grows. Currently, many other states have laws that
exclude expressions of sympathy after an adverse event being from being used as proof of negligence,
but do not also require that adverse events be disclosed.6
2
JCAHO Standard RI.2.90, Comprehensive Accreditation Manual for Hospitals: The Official Handbook; Refreshed
Core, January 2007.
3
Id., Standard RI.2.90; EP2.
4
Id.
5
California (HospitalsIn Person), Cal. H & S Code 1279.1(c); Florida (Different Requirements for Hospitals and Physicians), Fla. Stat. 395.1051 and 456.0575; Maryland (Hospitals Only), COMAR 10.07.06.14 11(F); Nevada (Hospitals
and Physicians), Nev. Rev. Stat. 439.855; New Jersey (Hospitals and Physicians), N.J. Stat. 26:2H-12.25; New York
(Only Facilities licensed by Department of Mental Hygiene), 14 NYCRR, 624.6; Oregon (Hospitals and Physicians),
Oregon Law 2003, Section 4, Chapter 686; Pennsylvania (HospitalsIn Writing), 40 P.S. 1303.308(b); South Carolina
(Ambulatory Surgery Centers Only), S.C. Code of Regs. 61-91-601(C); Tennessee (Hospitals and Physicians), TCA
68-11-211(d)(1); Vermont (HospitalsIn Person), 18 V.S.A. Chapter 43A 1915(1)(D); Washington (Hospitals and
Physicians), RCW 70.41.3805.
6
Id.
238
Insurance Provisions
The prohibition of insurance companies not allowing healthcare providers to disclose and apologize is quickly giving way to a more patient-centered approach. In some instances, disclosure of adverse
events, along with an apology, is strongly encouraged under medical professional liability policies. For
example, the Colorado Physicians Insurance Company (COPIC) has formalized an apology process
that authorizes payment of up to $30,000 in expense restitution to affected patients.9 Under this program, which began in 2000 and which COPIC has entitled 3R for Recognize, Respond, and Resolve,
insured doctors are encouraged to continue the physician-patient relationship honest based on honest,
open communication and attend education on disclosure. Others medical professional liability insurers
have different types of programs to encourage disclosure of medical errors and adverse events.
15.2.4
It may also be the policy or a requirement of the healthcare facility that adverse events must be
disclosed to the patient and family. Such a requirement is becoming more common as the patient safety
culture expands. Two notable examples of healthcare systems in which disclosure is required are The
University of Michigan Health System (UMHS) and the Veterans Health Administration. In 2001,
UMHS began a new approach to claims management that included altering staff and institutional
behaviors that forced patients to resort to courts for satisfaction as the only alternative.10 Its disclosure policy is based on three principles, which are made public to staff members, the local bar and the
courts. These principles are:
1. UMHS will compensate quickly and fairly when inappropriate medical care causes injury;
2. UMHS will defend medically appropriate care vigorously;
3. UMHS will reduce patient injuries, and therefore claims, by learning from mistakes.11
40 P.S. 1303.308(a)
See Clinton H.R., Obama B., Making Patient Safety the Centerpiece of Medical Liability Reform, 354 N Engl J Med.
2006; 354:22052208.
9
Roberts, R., The Art of Apology: When and How to Seek Forgiveness, American Academy of Family Physicians (2007),
at www.aafp.org/fpm.
10
Boothman, R., Transparency: The Benefits of an Open and Honest Dialogue, presentation at University HealthSystem
Consortium in Oak Brook, IL, September 22, 2005.
11
Welti, M.K., Disclosure of Medical Adverse Events: A Study of the University of Michigan Health System Model, at
http://www.massbar.org/for-attorneys/publications/section-review/2007/v9-n1.
7
8
239
Professional Ethics
Ethical standards applicable to physicians also require disclosure in limited circumstances. For
example, The AMA Code of Ethics requires disclosure when a patient suffers significant medical
complications that may have resulted for the physicians mistake or judgment.14 Also, The American
College of Physicians (ACP) Ethics Manual provides that doctors should tell their patients about procedural or judgment errors if that information is material to the patients well-being.15
15.2.6
Moral Requirement
Finally, there is a strong feeling among some people and groups within the healthcare community
that disclosure of adverse events is necessary because it is the right thing to do; it is honest. Moreover,
it is how most people would want to be treated themselves, and how most people would want their
loved ones treated. Providers and others who share this philosophy often believe that a hospital and
its physicians and staff should avoid contributing to an adversarial relationship with patients through
incomplete communication and, consequently, should share all relevant information about care with
patients, including when and how adverse events occur.
As all the above discussion and examples demonstrate, disclosure of adverse events may be mandated by one or more law, standard, policy or philosophy that applies to the organization. Even if
disclosure is not mandated, the organization may believe that disclosure is in the institutions, the care
providers, and the patients best interests.
12
Clinton H.R., Obama B., Making Patient Safety the Centerpiece of Medical Liability Reform, 354 N Engl J Med. 2006;
354:22052208.
13
Id.
14
Wei, Doctors, Apologies, and the Law, 40 J. Health L. 107, 107149 (2007).
15
Id.
240
Barriers to Disclosure
Traditionally, there have been significant barriers to disclosure of adverse events to patients and
their families. One significant barrier has been a culture of blame in which the unrealistic expectation of perfection on the part of physicians, the punishment of practitioners and institutions for errors
or bad outcomes, the habit of fingerpointing, fear of loss of reputation or license, a tolerance for
errors as long as they are not caught, and fear of legal liability have all played a part. In this culture of
blame, there is little emphasis on relationships between healthcare providers and patients that involve
listening and full disclosure. This way of operating has existed for a long time for a variety of reasons,
including constraints on time and resources, lack of support from hospital administration for any other
way, fear of increased litigation, lack of scientific data to suggest a better way, and support for the
system within medical schools. As a result of all these factors, this way of operating became ingrained
in the medical culture.
Another formidable barrier to the disclosure of adverse events is the emotional challenge of disclosing and possibly apologizing for an error or bad outcome. This barrier is compounded by the fact
that many physicians do not have strong communication skills, as well as by a pervasive lack of awareness among providers of how silence or lack of information after an adverse event impacts patients and
their families. These barriers can sometimes be overcome when an organization adopts a consistent
practice of disclosing adverse events and provides education, training, and support to help providers
understand why, when, and how to talk with patients about adverse events.
15.3.1
To understand why disclosure is both important and also difficult, it is helpful to realize that both
patients and healthcare providers typically experience powerful emotions in reaction to an adverse
event, particularly if the event was caused by a medical error. The patient and family, as well as the
physician or other providers involved, are all likely to feel sadness, anger, anxiety, vulnerability and
worry. Partly because of these strong emotions, everyone involved needs emotional support and providers also need guidance in how to prevent an unfortunate situation from escalating. The involved
provider will likely feel shame, guilt, a sense of failure, grief, and job stress. Consequently, is important for the provider to be able to talk about the event with other providers and to have help in planning
and executing the disclosure conversation with the patient and family. The patient and family may feel
powerless and that their trust in the doctor has been violated. These feelings naturally will be compounded if the physician fails to acknowledge the adverse outcome and any error that caused it, and if
Enterprise Risk Management for Healthcare Entities, First Edition
241
How to Disclose
The law in some states, such as Pennsylvania, requires a hospital to give patients written notice
when an adverse event occurs.16 Such a requirement technically could be fulfilled simply by handing
or sending the patient a piece of paper that states an adverse event occurred, without offering any
additional information or an opportunity for questions or discussion. Disclosure by this method is
not likely to provide any benefit to either the patient or the physician and hospital. When disclosure
is mandated or done as a matter of policy, it is preferable for the disclosure to take place in person
through a conversations with knowledgeable providers present; offering an opportunity for the patient
and family members to ask questions and receive immediate answers. Disclosing an adverse outcome
without giving the patient sufficient information and a chance to ask questions is a practice that should
be avoided.
15.4.1
If adverse events are going to be disclosed to patients and their families as a matter of course at
the organization, it is important that each disclosure conversation is planned carefully and that those
involved receive guidance and assistance. Before any disclosure, those responsible for planning the
conversation should consider the following issues:
What will the patient and family want to hear and to know?
In deciding who should attend and speak, it is important to think about who has the best relationship with the patient; who has the best information about what happened; who knows the most about
40 P.S. 1303.308(b). This statute requires written notice to be provided within seven days of the occurrence or discovery of the event.
16
242
243
Sometimes when disclosure of adverse events is considered, the thought is that the disclosure
and an apology will serve as a remedy sufficient to protect the physician and the organization. When
considering and planning for disclosure conversations, it is important to remember that such disclosure and any attendant apology do not happen in a vacuum.21 They occur in the context of the whole
relationship between the patient and the providers. Disclosure conversations will be most effective
and helpful if the patient and the physician already have a history of speaking honestly and listening
to each other. Given this fact, it is advisable for all providers to establish a good relationship in which
the patient and all providers always communicate openly and honestly. This may improve patient care.
Moreover, the quality of the doctor-patient relationship is believed by many to be a primary factor in
determining if a patient will sue after an adverse event.
15.4.3
Be aware of body languageno hand on the door knob as though you want to leave the
room!
Identify and respond to interest (needs, concerns) not positions (demands, assertions).
Reflect what others have said.
Providers should speak and pace the conversation slower than normal whereby patients are
better able to absorb the information.
Providers should sit down with the patient and family and avoid configurations (the across
the desk) that further promotes them versus us.
Providers should use easy-to-understand terms, eliminating medical terminology, jargon, and
acronyms.
Providers should have all beepers, cell phones, BlackBerrys, PDAs, etc. turned off or on
vibrate only during the meeting. If necessary, medical coverage for providers in attendance
should be obtained for the meeting so that they are not distracted and can concentration on
the conversation at hand.
Providers in attendance should ask questions rather than assume they have all the answers.
Often, the patient and family will not know what questions to ask and will need prompting.
Providers should be aware that emotions will cloud everyones ability to process and absorb
information, therefore all important information should be repeated.
Finally, there are several things any hospital staff member or provider should not to do in a disclosure conversation. The list of what not to do includes:
245
Commentary
Increasingly, common requirements for mandatory disclosure mean that practicing in-house
counsel should be knowledgeable about what requirements are applicable, and will likely be
called upon to help implement and guide when and how mandatory disclosure is provided.
It is important to remember that reluctant and grudgingly given disclosure will offer far less
than maximum benefits to patients and the organization. Partial, inadequate or ill-prepared
disclosure conversations may actually harm ongoing patient-provider relationships and hamper continuing care. It is best if the organization is one in which disclosure occurs fairly
naturally because the prevailing philosophy is one of respect for patients and their right to be
informed about and participate in their own care.
Obviously, failing to disclose adverse events when required may subject the organization to
fines or penalties that are included in any legislation, regulation, or other source requiring
disclosure. Failing to foster an environment in which disclosure is just one aspect of a culture
of patient safety and transparency may negatively impact the quality of care and could also
subject the organization to increased liability.
Education and support for all care providers is needed to help any organization create an
environment of openness and honesty, in which disclosure of adverse events will be the norm
and will occur in a manner that will be beneficial to patients and the organization.
The governing board and executive leadership of any organization are the people best suited
to adopt, promote, and spread a philosophy and practice of transparency. They must support
and encourage the culture of patient safety before reluctant practitioners within an organization will be able to accept a shift from the traditional and harmful fallacy of physician
infallibility and from the old paradigm of non-disclosure of any adverse event.
15.6
Conclusion
If disclosure of adverse events is not currently practiced within your organization, it may become
so shortly. This change may come about because of statutes, standards, regulations or voluntary changes
in organizational culture that support the delivery of care that is patient centered. As more people
working in and with healthcare become familiar with and knowledgeable about patient safety philosophy and practices, disclosure may become the norm. The culture of blame appears to be evolving into
a culture of learning, in which transparency and honest communicationwhich necessarily require
disclosure of all adverse eventsare essential elements. This basic shift in how healthcare organizations think about and deal with adverse events involves everyone within the organization. Each person
within the organization has an obligation to support a culture that embraces patient-centered care. The
hope is that this cultural shift can benefit all involved, both providers and patients.
246
Resources
Berlinger, Nancy, After Harm, Baltimore: The Johns Hopkins University Press, 2005.
Leape L, ed. When Things Go Wrong: Responding to Adverse Events. Burlington, MA: Massachusetts
Coalition for the Prevention of Wedical Errors, 2006.
Liebman, Carol and Chris S. Hyman, Medical Error Disclosure, Mediation Skills & Malpractice
Litigation. www.medliabilitypa.org, 2005.
Mazur, K.M., Simon, S.R., Yood, R.A., Martinson, B.C., Guinter, M.J., Reed, G.W., and Gurwitz,
J.H., Health Plan Members Views about Disclosure of Medical Errors. Ann Intern Med. 2004;
140:40918.
Robbennolt, J.K., Apologies and Legal Settlement: An Empirical Examination. Mich Law Rev.
20032004; 102:406516.
Ruddell, Jane, Effective Patient-Physician Communication: Strengthening Relationships, Improving
Patient Safety, Limiting Liability. Lebanon, PA: Westcott Professional Publications, 2005.
Sorry Works! Coalition, http://www.sorryworks.net, 2005.
Stone, Douglas, Patton, Bruce, and Heen, Sheila, Difficult Conversations. New York: Viking, 1999.
Weiler, Paul, Hiatt, H.H., Newhouse, J.P., Johnson, W.G., Brennan, T.A., and Leape, L.L., A Measure
of Malpractice Cambridge, MA: Harvard University Press, 1993.
When Things Go Wrong: Responding to Adverse Events; A Consensus Statement of the Harvard
Hospitals, at www.macoalition.org, 2006.
Wu, A.W., Handling Hospital Errors: Is Disclosure the Best Defense? Ann Intern Med 1999;
131:9702.
Zimmerman, R., Doctors New Tool to Fight Lawsuits: Saying Im Sorry, Wall Street Journal,
18May 2004:A1.
247
16
Compliance and Enterprise Risk Management
John R. Evancho, JD
Senior Vice President and Chief Compliance Officer, OSF Healthcare
16.1
Introduction
This chapter describes the essential elements of a well-functioning corporate compliance program
for the healthcare industry. Reference is made both to the guidance provided under federal law as
well as best practices that have developed in the industry. By its very nature, an effective corporate
compliance program supports and enhances enterprise risk management (ERM). Just as ERM is a
comprehensive approach for health care organizations to analyze risk opportunities, to proactively
assess strategic and operational impact, and to effectively manage the response to achieve the organizations objectives, corporate compliance programs are designed to prevent, detect, and remedy
violations of the lawa critical component of ERM
Federal Sentencing Guidelines,1 produced by the United States Sentencing Commission an independent agency in the judicial branch, established in turn, by the Sentencing Reform Act of 1984,2
established a uniform approach to sentencing defendants in federal court. In 1991, the Guidelines were
extended to organizations found guilty of violating federal law.3 The Guidelines specify the steps that
an organization should take both before and after a criminal offense has occurred, steps that may well
serve to reduce the organizations culpability and, therefore, the fines or other penalties imposed on
the organization. These measures, which are designed to prevent, detect, and remedy violations of the
law, are the hallmarks of an effective corporate compliance program.4
Since 1998, the Office of Inspector General (OIG) of the federal Department of Health and Human
Services (HHS) has issued guidance, based, in part, on the Federal Sentencing Guidelines, with respect
to the elements of a compliance program for use by various types of healthcare providers. These comments are based, in turn, on the 1998 OIG Compliance Program Guidance (CPG) for Hospitals5 and
the 2005 Supplemental CPG for Hospitals.6 The 1998 guidance notes that it encompasses principles
United States Sentencing Commission, Guidelines Manual [hereinafter USSC], 8B2.1 (2004).
Title II of the Comprehensive Crime Control Act of 1984, 18 USC 4106.
3
USSC 8A1.1.
4
USSC 8B2.1(a).
5
63 Federal Register [hereinafter 63 FR] 89878998 (February 23, 1998).
6
70 Federal Register [hereinafter 70 FR] 48584876 (January 31, 2005). The 2005 guidance, on page 4858, specifically identifies itself as a document [that] may serve as a benchmark or comparison against which to measure ongoing
efforts.
1
2
249
Preliminary Points
Two important preliminary notes: first, the organizations governing authority8 and high-level
personnel9 must be interested and involved in the corporate compliance program. As the 1998 CPG
points out, Adopting and implementing an effective compliance program requires a substantial commitment of time, energy, and resources by senior management and the hospitals governing body.10 In
order for the directors and the senior leaders to be effective in their compliance roles, they should be
actively involved in the creation of the compliance program. The board of directors must be educated
about potential liability throughout the organization. A formal compliance orientation program for
new board members and new senior leaders and an ongoing education process for the board and the
senior leadership team, as a whole, should be in place.
The board and the leadership of the organization must create a culture that values the prevention,
detection, and resolution of compliance problems. The 2005 CPG states that the hospital should
endeavor to develop a culture that values compliance from the top down and fosters compliance from
the bottom up. Such an organizational culture is the foundation of an effective compliance program.11
The board and the senior management team must set the tone through ongoing support for the compliance program and must establish the expectation that all employees comply with applicable laws
and regulations and internal policies. The board should communicate, in a formal, consistent and
unequivocal manner, its commitment to compliance throughout the organization.12 The 1998 OIG
guidance makes clear that, as a first step, a good faith and meaningful commitment on the part of the
hospital administration, especially the governing body and the CEO, will substantially contribute to
the programs successful implementation.13
The board should determine compliance metrics and regularly review the organizations progress
against the measures, just as it does with financial targets and results. As the 1998 OIG CPG notes,
The existence of benchmarks that demonstrate implementation and achievements are essential to any
effective compliance program.14 The board must take steps to ensure that the organizations policies
and compensation structures do not create undue pressure to pursue profit over compliance. Also, the
board must allocate adequate resources to the compliance program.15
The second preliminary point: a written corporate compliance plan, issued under the CEOs auspices, needs to be drafted and disseminated. The plan outlines the key aspects of the compliance
program and specifies the consequences of noncompliance. It identifies and addresses the organiza 63 FR 8987.
Defined in USSC 8B2.1.
9
Defined in USSC 8A1.1.
10
63 FR 8988.
11
70 FR 4874.
12
USSC 8B2.1(b)(2)(A) and (B).
13
63 FR 8989.
14
63 FR 8988.
15
USSC 8B2.1(2)(C).
7
8
250
As mentioned, the Federal Sentencing Guidelines and the CPG set forth the specific elements of
an effective corporate compliance program: They include the following elements:
1. developing and disseminating written policies and procedures;
2. designating a compliance officer and a compliance committee;
3. conducting effective training and education;
4. developing effective lines of communication;
5. enforcing standards through well-publicized disciplinary guidelines;
6. auditing and monitoring; and
7. responding to detected offenses and developing corrective action initiatives.
These specific elements are discussed in greater detail below.
16.2.1
A healthcare organization should create and distribute both an enterprise-wide code of conduct
and more specific policies. The code of conduct is to be disseminated to all employees. Unlike the
more detailed policies, the code should be relatively brief and should cover general principles that are
Enterprise Risk Management for Healthcare Entities, First Edition
251
16
252
253
The board of directors of the healthcare organization should appoint a well-qualified corporate
compliance officer and should stipulate that the compliance officer be a member of senior management and report to the president, CEO, or chairperson of the board. The compliance area should
be independent of the legal and finance departments. According to the 1998 CPG, [f]ree standing
compliance functions help to ensure independent and objective legal reviews and financial analyses
of the institutions compliance efforts and activities. By separating the compliance function from the
key management positions of general counsel or chief hospital financial officer (where the size and
structure of the hospital make this a feasible option), a system of checks and balances is established to
more effectively achieve the goals of the compliance program.17 The compliance officer should also
have direct access to the board of directors or other governing body. In fact, the compliance officer
should present periodic reports to the board on the scope, direction, and implementation of the compliance plan. The compliance officer should have the authority to conduct independent investigations on
matters of compliance and should be provided with access to the individuals, documents, and other
sources that are needed to pursue the investigation. He or she should have the independent authority
to retain outside legal counsel.
The corporate compliance officer is responsible for properly organizing the compliance department and must see that the department has a clear, well-crafted mission. The department must receive
sufficient resources, including necessary staff and sufficient budget, as well as the needed authority
and autonomy. The compliance officer should strive to maintain good working relationships with other
areas, while remaining objective about their state of compliance.
Put broadly, the corporate compliance officer serves as the focal point of compliance activities
across the organization. The compliance officers overarching responsibility is to coordinate the development, implementation, and oversight of the compliance program, including periodic updating of
the program. The compliance officer should not be regarded, however, as the one individual who is
responsible for the organizations complying with federal and state laws and regulations and internal
policies and procedures. In an important sense, every employee is accountable for compliance, just as
they are for ERM. In healthcare systems consisting of more than one hospital or other operating units,
the compliance officers coordinating role is expanded. As the 1998 CPG notes, For multi-hospital
organizations, the OIG encourages coordination with each hospital owned by the corporation or foun-
63 FR 8993.
17
254
The underlying purpose of compliance education is to train members of the board of directors,
employees, volunteers, contractors and others who function on behalf of the healthcare organization,
so that they are fully capable of carrying out their responsibilities in compliance with federal and state
laws and regulations and the organizations standards and policies. Compliance education should be
included in every new employees orientation program. Training should be delivered at least annually
and should be provided more often for employees in positions or areas identified as highrisk. A policy
should be developed that specifies the frequency of training and mandates attendance. Participation in
compliance education programs should be tracked, and completion of compliance training should be
noted in an employees annual performance appraisal. Incentives may be offered to employees who
are actively involved in compliance education. Conversely, sanctions should be imposed, according
to the established policy, on employees who fail to attend training programs, and employees should
clearly understand the consequences for noncompliance with the training requirements.
Id.
18
255
A key objective of any corporate compliance program is to create and sustain a culture within the
healthcare organization that actively promotes compliance with federal and state laws and regulations
and internal policies and that, in turn, encourages employees at all levels of the organization to be
firmly committed to compliance. That commitment entails open communication of actual or potential
gaps in compliance, without fear of retaliation.
257
An important aspect of fostering a culture that promotes and supports compliant and ethical conduct is the fair and consistent enforcement of disciplinary standards in instances in which behavior
does not measure up to the requirements of federal and state laws and regulations or internal policies.
Consistency means that standards and penalties are applied evenly and fairly to employees across the
organization, from senior executives to managers, to employees, to members of the medical staff. Fairness implies that the penalties imposed on employees are commensurate, generally speaking, with the
relative degrees of their misconduct.
The policy should define the degrees of disciplinary actions that are to be taken in particular
circumstances, actions that include verbal and written warnings, financial penalties, termination of
employment, and suspension or revocation of clinical privileges. The policy should also establish
the processes for handling misconduct (keeping in mind that misconduct may take the form of either
commission or omission, the latter including the failure to take appropriate action either to stop wrongdoing or to report misconduct) and imposing discipline. The policy should identify the roles of those
responsible for taking appropriate steps in various cases, namely, senior leaders, supervisors, and
medical staff officers. Managers should be trained in the various aspects of the discipline policy and
process, including the importance of documentation at each stage, and they should be held accountable for failing to discipline employees appropriately, timely, and effectivelyand in compliance with
applicable laws and standards and internal policies and procedures. Supervisors are also responsible
for seeing to it that follow-up steps by or with respect to one or more employees are actually taken.
Periodically, the discipline policy should be reviewed with an eye to its fairness, generally, and
to the consistent application of its enforcement across the organization. The review should also look
at the effectiveness of the policy in deterring misconduct. In the area of employee discipline, the
compliance officer should work with the organizations human resources (HR) department in a wellcoordinated way, with respect both to assessing the policy itself and to handling specific instances of
Enterprise Risk Management for Healthcare Entities, First Edition
259
In the context of an effective compliance program, monitoring refers to reviews that are repeated
on a regular basis during the normal course of the operations of the healthcare organization. One
way in which monitoring may be used is to verify that the follow-up steps contained in a corrective
action plan have actually been taken and have had a demonstrable impact on operating procedures and
results. Auditing, typically, is a more formal process conducted by individuals who are independent
of the department or function that is the subject of audit. Audits may be conducted by internal (to the
organization, but outside of the area under review) or external auditors. Although monitoring and
auditing are often performed in response to a detected or suspected compliance problem, such reviews
should also be done on a proactive basis to strengthen operations and ferret out compliance gaps
before they become a major problem.
As such, the organization should develop a detailed audit plan and should reevaluate the plan
every year. The plan should include the frequency and timing of audits, as well as the needed reporting
and staffing. The plan should consider the findings of audits from prior years and should focus on risk
areas identified through earlier audits and on high-volume services provided by the organization. Audit
results should also be used to assess the need for particular compliance training programs.
The audit plan should require ongoing monitoring of compliance with federal and state laws and
regulations, the requirements of the federal healthcare programs, the findings of previous audits and
internal policies and procedures. This review may be performed by managers in some instances and
by designated auditors in other cases. The audit plan should include a frequent and thorough assessment of the billing systems that is directed at verifying the accuracy of claims submitted to the federal
260
A consistent approach to addressing detected violations of law and other compliance deficiencies
is essential. Investigations should be initiated as soon as compliance problems are uncovered and
should be conducted with a sense of urgency. At the same time, investigations should be thorough and
well documented at every step. Documentation should include a summary of the deficiency, a description of the way in which the problem was discovered, an outline of the investigative process, a list of
the documents reviewed, a list of the employees and other persons interviewed, copies of the interview
tools that were used and the interview notes that were made, changes in policies and procedures that
were implemented, recommendations that were made, disciplinary actions and other remedial steps
261
262
Commentary
The compliance function focuses on identifying compliance risk through the use of risk
assessment tools similar to those used in the enterprise risk management function. However,
compliance risk is only one category or component of an organizations ERM assessment of
opportunity risk.
Compliance focuses on adherence to various laws and regulations in order to eliminate risk.
And, while ERM is concerned with liability risk that may flow from a lack of adherence to
various laws and regulations, it is also concerned with the broader range of opportunity risks
generated through clinical operations, financial operations, human resources, strategic operations, technological issues, and natural disasters/hazards.
The nature of compliance is such that every employee to a greater or lesser extent has responsibility for the compliance function. So, too, every employee shares in managing a healthcare
Enterprise Risk Management for Healthcare Entities, First Edition
ERM and compliance share another critical element of success: open communication. Effective compliance programs depend on information that can be communicated through formal
(e.g., hotlines) or informal channels. Likewise, ERMs success depends on open communication of actual or potential incidents either through formal incident reporting systems or
informal conversations in hallways or over the phone.
A final characteristic of both ERM and compliance programs is that in order to be successful,
a healthcare organization must build and maintain a just culture. That is, a learning culture
that (1) places high value on communication; (2) has a well-established system of sharedaccountability; and (3) provides a safe haven in which errors may be reported without the fear
of disciplinary action for events in which there was no intent to harm.
16.4
Conclusion
Two brief points by way of conclusion: First, there is no one-size-fits-all approach to compliance.
As the 2005 OIG CPG acknowledges, [b]uilding and sustaining a successful compliance program
rarely follows the same formula from organization to organization.19 What is more important than
conforming to a defined model is the overall effectiveness of the program in meeting the specific
compliance needs of the healthcare organization. The 2005 guidance indicates that the OIG strongly
encourages hospitals to identify and focus their compliance efforts on those areas of potential concern
or risk that are most relevant to their individual organizations.20
Second, an effective compliance program should contribute to the fundamental purpose and
mission of the hospital and healthcare organization. The 1998 CPG sees compliance as a dynamic
process that helps to ensure that hospitals and other healthcare providers are better able to fulfill their
commitment to ethical behavior,21 or, as the 2005 CPG puts it, to honest and responsible corporate
conduct.22 Of course, the immediate goal of the OIG guidance is to assist hospitals and their agents
and subproviders develop effective internal controls that promote adherence to applicable Federal and State law, and the program requirements of Federal, State and private health plans.23 More
broadly, the overarching outcome, as envisioned in the 1998 CPG, is a program that is regarded by
each employee and everyone else involved in providing or supporting care as an effective means to
advance the prevention of fraud, abuse, and waste in these healthcare plans while at the same time
furthering the fundamental mission of all hospitals, which is to provide quality care to patients,24 to
which the 2005 guidance adds as objectives enhancing healthcare providers operations and reducing the overall cost of healthcare services.25
21
22
23
24
25
19
20
70 FR 4874.
70 FR 4859.
63 FR 8998.
70 FR 4859.
63 FR 8987.
63 FR 89878988.
70 FR 4859.
263
Part VI
Operations
17
Consent to Treatment: An ERM Perspective
Fay A. Rozovsky, MPH, DFASHRM, Esq.
President, The Rozovsky Group, Inc.
17.1
Introduction
Consent to treatment is a fundamental patients right issue intrinsic across the continuum of
care. A topic that is the subject of federal and state legislation, regulation, case law and accreditation
standards, consent to treatment is also a topic of ongoing concern for counsel in an enterprise risk
management (ERM) healthcare organization.
This chapter addresses the basic requirements and exceptions in consent to treatment. A case
study demonstrates the enterprise risk management opportunities involved in consent matters. Practical ERM style risk management strategies are discussed, including measures to facilitate disclosure
communication involving adverse and unanticipated outcomes of care.
17.2
Although there are notable differences from one jurisdiction to another, the core elements of an
effective consent process are quite similar. These include the following elements:
a description of the probable benefits and probable risks associated with recommended tests
or treatment;
a discussion of alternative tests or treatment and the associated probable benefits and probable risks linked to these options; and
The discussion is one that is carried out between the caregiver and patient. The caregiver maybe a
physician, a dentist, psychologist, podiatric practitioner, or a physicians assistant or nurse practitioner
who, under the terms of relevant scope of practice legislation may be authorized to carry out such tests
or treatment.
267
There are a number of recognized exceptions to the rules of consent. These include the
following:
268
Impracticality of ConsentSimilar to the emergency situation, a patient presents with a lifeor health-threatening event that requires immediate care. As with the emergency exception,
time is of the essence. The difference is that in the impracticality exception the patient is
capable of participating in the consent process. The urgent nature of the situation precludes a
full-blown consent process. The caregiver asks the patient for relevant medication and medical history information and provides a brief description of what will be done to address the
life- or health-threatening event. The exception fits such situations as a patient who presents
in anaphylactic shock due to a snake bite, a food allergy, or a stroke in progress. The caregiver
uses the information provided by the patient to hone the care plan. Treatment is limited to
those diagnostic and therapeutic interventions that are necessary to address the life- or healththreatening event.
Therapeutic PrivilegeA patient who is at high risk for psychogenic, emotional, or physiologic injury may require a diagnostic or therapeutic intervention. Based on the patients
mental health, the caregiver is reluctant to impart some information required under the rules
of consent. The concern is that discussion of this information may cause harm. In such a
situation, the caregiver may wish to invoke the therapeutic privilege exception. To do so, it
is important to obtain a behavioral health consultation from someone not otherwise involved
in the care of the patient. If the behavioral specialist concurs with the attending caregiver,
he or she would then document his or her professional opinion, including what information
should be avoided in the consent discussion. The attending practitioner would then complete
the consent process absent the information that is considered likely to cause harm. A notation in the medical record would document what information was withheld and the rationale
for doing so. At a later time, the information withheld may be shared with the patient. This
exception is used rarely as it is at variance with the underlying principles of consent: individual choice making and autonomy.
17.4
Clinical Research
Some 19 federal departments and agencies follow a consistent set of regulations with respect to
human research. Termed the Common Rule, the regulations include very specific requirements with
respect to consent and participation in human research. A good illustration of the general requirements
for consent can be found at 45 CFR 46.116 and, for consent documentation, at 45 CFR 46.117.
Enterprise Risk Management for Healthcare Entities, First Edition
269
One of the important aspects of the consent process is communication of information necessary
for the patient or surrogate to make a treatment choice. Traditionally, the information conveyed came
by way of a conversation with the caregiver. He or she might supply ancillary details in an information
See 45 CFR 46.408.
See 21 CFR 50.20; 50.25 and 50.27.
See, for example, 21 CFR 102(d).
See 45 CFR 46.101(i) and 60 Federal Register 143, July 26, 1995.
Va. Code 32.1-162.16 et seq.
Cal Health & Safety Code 24170 et seq. and Cal. Penal Code 35.000 et seq.
NY Pub. Health Law 2440 et seq.
R.I. Gen. Laws 23-17-19.1.
See, e.g., Minn. Stat. Ann. 145.422.
10
See Pa. Stat. Ann. Title 20 5808.
1
2
270
17.6
Consent Documentation
271
Although many believe that consent risk exposure involves negligence and claims based on the
intentional tort of battery, there are other legal vulnerabilities. These include the following legal risk
exposures:
272
Breach of contract claimsallegations that the caregiver guaranteed a specific result or that
a healthcare organization failed to meet the terms and conditions of a general consent admission agreement.
Reputational risk and concomitant risk of loss of market sharea caregiver and a healthcare
organization may see a diminished market share as a result of adverse publicity stemming
from reputational harm. Such harm may flow from allegations of negligent consent, battery,
deceptive practices, fraud, misrepresentation, or allegations of professional misconduct in
patient information management.
Case Example
Dr. T.R. Enden, a renowned specialist in minimally invasive back surgery, had a wonderful reputation as a caring, compassionate, skilled surgery. Employed by Englet Hospital, Dr. Enden helped
build the minimally invasive surgery program at the healthcare organization.
Dr. Enden saw Julia Stewart in the hospital clinic. Ms. Stewart had sustained a herniated disk as
the result of a number of falls on the ski slopes. In her day, Ms. Stewart had won a number of championships and she was known today as an aggressive downhill racer on the senior ski circuit. She came to
Dr. Enden when conservative treatment and medication management failed to address her problem.
Ms. Stewart had a good discussion with Dr. Enden. He explained the probable benefits and risks
of the minimally invasive procedure. He described as well treatment alternatives and related benefit
and risk information. Ms. Stewart reviewed a DVD about the procedure, and she received a pamphlet
and an information sheet about the operation. Dr. Enden encouraged her to give it some thought and to
discuss with her husband whether this was the right approach to treat her back problem.
When she went home, Ms. Stewart reviewed the literature provided by Dr. Enden. She noted
discrepancies about benefits and risks between the brochure, the information sheet, and with what she
recalled from the DVD. Ms. Stewart discussed her concerns with her husband and he encouraged her
to perform a web search. Ms. Stewart found a number of scientific articles, blog entries, and newspaper reports. She learned that the procedure had a much lower success rate than that described to her by
Dr. Enden. She also learned that there were new noninvasive procedures available for her condition
that Dr. Enden had not discussed with her. However, she also found laudatory comments from patients
about Dr. Enden.
Conflicted and aching badly, she called the doctors clinic. Dr. Enden was not available, and her
call was transferred to Tim Langton, a nurse practitioner in the clinic. After listening to Ms. Stewarts
concerns, Mr. Langton said, I understand what you are saying. Dr. Enden follows the most current
research in the field to guide his treatment recommendations. I would not put a lot of stock in those
blogs and those avant-garde websites. All I can tell you he is the best. If it was me, I would have him
do my surgery. Let us know if you have any questions.
273
274
Legal/Regulatory Risk ExposureThere were numerous legal and regulatory risks in this
case study. The consent process was not consistent with recognized standards of care. The
physicians assistant may have exceeded the scope of his practice in the way in which he
interceded in the consent process. The intake H&P assessment on the day of surgery was not
in accordance with CMS requirements. If it can be established, Ms. Stewart may have a good
claim for misrepresentation, deceit, and fraud with respect to the success rate data provided
to her by Dr. Enden. In addition, if she decided to file a complaint with the accrediting body
for the hospital, there may be standards non-compliance regarding patient consent and intake
requirements. A formal patient grievance and complaint to the state agency or CMS could
trigger an onsite review. In each instance, there is apt to be substantial legal fees and staff
time involved in responding to the legal or regulatory action.
Operational Risk ExposureThe operational risk here involved a flawed H&P intake assessment. The questions posed to Ms. Stewart were quite general. There was no effort made to
expand the scope of inquiry to encompass encounters with other healthcare providers since
the office-based pre-operative assessment. This operational issue may be the most obvious
part of a much deeper issue, including inadequate training or demonstrated competencies for
those credentialed by the medical staff of the hospital to fulfill the H&P screening process.
Enterprise Risk Management for Healthcare Entities, First Edition
Staff Competencies Risk ExposureThe lack of familiarity with questions to pose during
the H&P update process suggest a need to examine carefully how credentialed personnel are
trained for this function. If it is determined that staff are assumed to know how to fulfill this
responsibility but lack the ability to do so, it is a staff competencies risk exposure.
17.9
Consent to treatment is not simply a clinical risk exposure. As seen in the case study earlier, flawed
consent practices can involve staff competencies, operational issues, and both legal and regulatory risk
exposures. In some instances, a flawed consent process can trigger reputational risk issues, too.
From an enterprise risk perspective, legal counsel has a pivotal role and responsibility with regard
to effective consent practices. Other key stakeholders in the organization also have accountabilities
for consent practices. Together, legal counsel, clinical leadership, and management might want to
consider the following enterprise risk management strategies in the context of consent to treatment:
Evaluate current consent policies and procedures and practices. Conduct a gap analysis
to identify variations from what is expected under applicable state and federal law and hospital policy.
Evaluate current medical staff bylaws and rules and regulations of the medical staff. Conduct a gap analysis to identify variations from what is expected under the medical staff bylaws
and rules and regulation in terms of consent and H&P screening requirements.
Take Corrective Action. Remove any ambiguity and confusing or conflicting information
to eliminate any misunderstandings from current policy, procedure, and practice routines.
Encourage similar action with respect to the medical staff bylaws and rules and regulations.
275
Consider interoperable consent information. Working with senior management and clinical
leadership, consider a process for making consistent and interoperable information provided
to patients in consent forms, information sheets, trusted websites, interactive computer programs, and brochures.
Offer practical consent education. Provide medical staff members with educational opportunities regarding consent to treatment. Include such programming topics as the following:
role and responsibility for the consent process;
assessing patient capacity to participate in the consent process;
how to accommodate patients with specific communication needs;
how to share information in an understandable manner;
managing multimedia information; and
how to document consent to treatment.
Consider consent screening in the H&P process. Work with clinical leadership to design
and implement a systemic approach for verifying patient understanding and readiness for
scheduled, elective procedures. Recognize that this would include a series of straightforward
rule in/rule out questions. Discrepancy situations would constitute a rule out until differences
can be resolved. Discrepancies would include:
17.10
Patients and their family members are often recipients of conflicting information in the caregiving process. The delivery of contradictory information is not intentional; rather, it is a consequence
of interaction with a myriad of healthcare professionals and administrative personnel.
Contradictory information can pose difficulties in terms of a persons understanding of the indications for treatment, clinical status, and outcomes of care. Sometimes too, patients and family members
contribute to this problem. Not accepting from the physician information about treatment, the prospective outcome, or actual results, patients and family members may seek out more details from a nurse,
a physicians assistant, or a trusted advisor in the healthcare field. As noted earlier, sometimes the
Internet is used for this purpose.
Contradictory information can jeopardize the caregiver-patient relationship. Distrust can impede
the free flow of important information. When an adverse or unanticipated outcome occurs, the prospect for poor patient communication can be accentuated.
276
View the consent process as a volume switch for controlling expectations. Encourage
caregivers to review regularly patient expectations about treatment and outcomes. Using
the consent process as the conduit for establishing effective communication is the first step.
The next step is to adjust expectations. In essence, consent becomes a volume switch on
the patients boom box of expectations.12 This concept is important, especially with patients
experiencing chronic illnesses. It is equally useful with patients who are terminally ill. By the
same token, those with a very poor sense of wellness and survival may benefit from a discussion to help increase expectations.
Each of these points is important as it forms the context for what is often a very challenging communication: disclosure of adverse and unanticipated outcomes of care.
17.11
In July 2001, the Joint Commission implemented a standard that called for a discussion of the
outcomes of care with patients, and when appropriate, with their families.13 Here the term outcomes
included unanticipated outcomes of care.
Although the Joint Commission may have helped formalize the need for discussion of adverse
and unanticipated outcomes of care, it was and remains the logical conclusion of the physician-patient
communication continuum that was initiated with the consent process. Most never questioned that
caregivers would happily share good news with patients. However, as the Joint Commission standard
implied, caregivers were loathe to share adverse information. Whether it was fear that such informa F.A. Rozovsky, Consent To Treatment: A Practical Guide, Fourth Edition. New York: Aspen Publishers, 2007 (with
annual supplementation).
12
Id.
13
R.I.1.2.2., Comprehensive Accreditation Manual for Hospitals. Oakbrook Terrace, Illinois: Joint Commission on
Accreditation of Healthcare Organizations, 2001.
11
277
J.R Woods and F.A. Rozovsky, What Do I Say? San Francisco: Jossey-Bass, 2003.
See e.g., Conn. Gen. Stat. Ann. 52-184d.
16
See e.g., Colorado Revised Statute 13-25-135.
17
Perspective on Disclosure of Unanticipated Outcome Information, American Society for Healthcare Risk Management, July 2001.
18
See Risk Management Pearls on Disclosure of Adverse Events, American Society for Healthcare Risk Management,
July 2006.
19
For an interesting set of insights on the topic, see Popp, P.L., How Will Disclosure Affect Future Litigation? ASHRM
Journal of Healthcare Risk Management, Vol. 23, No. 1: 59, 2003; and Gallagher, T.H. et al., Patients and Physicians
Attitudes Regarding the Disclosure of Medical Errors, JAMA. 289(8): 10011007, 2003.
20
See Kadzielski, M. and Barton, E., Tell Me Now and Tell Me Later: Disclosure and Reporting of Medical Errors,
AHLA Annual Conference, June 2007, Concurrent Session Paper.
21
Id. See sample disclosure policy from this session paper.
22
Id.
14
15
278
Legal counsel should take a leadership role in shaping a disclosure process that addresses a variety of risk issues that could emanate from discussion of and apology for unanticipated and adverse
outcomes of care. In this role, legal counsel can help facilitate policy and process design, taking into
consideration such issues as:
policy design consistent with requirements under applicable professional liability insurance
and captive management provisions;
279
policy design with respect to the medical staff bylaws and rules and regulations of the medical staff;
development of a mandatory reporting matrix under applicable federal and state law;
notice provisions with all levels of insurance carriers, captive managers, and third party
administratorsa process that can be completed collaboratively with the risk management
professional; and
coordination among various legal counsel, including compliance, accreditation, contract, and
defense counsel.
17.13
Conclusion
Consent communication and disclosure of unanticipated and adverse outcomes are integral components of a thoughtful enterprise risk management model in the healthcare field. Good communication
can help identify problems prior to treatment, leading to the potential for alternate care plans or the
caregiver putting in place strategies to lessen the risk of injury. Although patients may be angry and
upset about an unanticipated or adverse outcome, having a factual explanation may lessen the risk of
litigation.
In the nonemergent care setting, consent is the initiator of the communication process. Along the
way, that process can be used to provide clinical updates and adjust expectations of care. When used
effectively, consent sets a framework for disclosure of unanticipated and adverse outcomes, too. The
greater context for the communication process is enterprise risk management, a deliberate, thoughtful
recognition of potential risk opportunities coupled with strategies for eliminating, preventing, reducing, and transferring identified loss exposures. Seen in this way, consent to treatment and discussion
of adverse outcomes can help augment comprehensive efforts to achieve quality safe, effective, and
efficient patient care.
280
18
Peer Review and Credentialing in an Era
ofEnterprise Risk Management
Mark A. Kadzielski, Esq.1
Fulbright & Jaworski, L.L.P
18.1
Introduction
Peer review and credentialing are areas in which significant liabilities exist for healthcare organizations. Accordingly, astute legal counsel should periodically review a facilitys bylaws and policies
on peer review and credentialing, and keeps abreast of current developments in health law. The maintenance of state of the art bylaws and credentialing policies and procedures by a healthcare facility is
among the most effective preemptive risk management tools available.
Although health facilities have little, if any, control over the practice of medicine, they can exercise
substantial control over the qualifications and competence of practitioners and allied health professionals (AHPs) who are allowed to provide care to the facilities patients. In this era of increased healthcare
grading and transparency, effective peer review and proper credentialing are necessary for facilities
to improve utilization patterns and quality outcomes. The concomitant costs and inconveniences are
clearly outweighed by the benefits.
This chapter discusses aspects of peer review and credentialing for both practitioners andAHPs,
including sources of potential liability, federal and state requirements, and accreditation standards.
18.2
Practitioner Credentialing
281
Integrating these concepts into the standards allows the organized medical staff to conduct a more comprehensive evaluation of a practitioners professional practice.
The second new concept is Focused Professional Practice Evaluation. This concept allows the organized medical
staff to focus evaluation on a specific aspect of a practitioners performance. This process is used in the following two
circumstances:
When a practitioner has the credentials to suggest competence, but additional information or a period of evaluation is needed to confirm competence in the organizations setting.
If questions arise regarding a practitioners professional practice during the course of the Ongoing Professional
Practice Evaluation.
The third new concept is the Ongoing Professional Practice Evaluation. Traditionally, the credentialing and privileging
process has been a procedural, cyclical process in which practitioners are evaluated when privileges are initially granted,
and every two years thereafter. The process outlined in these credentialing and privileging standards is designed to continuously evaluate a practitioners performance. The process requires the medical staff to conduct an ongoing evaluation
of each practitioners professional performance. This process not only allows any potential problems with a practitioners
282
Enterprise risk management strives to stay current with federal and state laws concerning peer
review, credentialing and accreditation standards specific to the healthcare delivery system in which
they will be applied. For example, on the federal level, the Medicare Conditions of Participation for
Hospitals provide that [t]he medical staff must examine credentials of candidates for medical staff
membership5 They also require the periodic appraisals of the members of the medical staff.6 The
Medicare Conditions of Participation for Long Term Care Facilities provide that [p]rofessional program staff must be licensed, certified, or registered, as applicable, to provide professional services by
the State in which he or she practices.7 The Conditions of Participation for Home Health Agencies
provide that [p]ersonnel practices are supported by appropriate, written personnel policies. Personnel records include qualifications and licensure that are kept current.8 The Medicare Conditions of
Participation for Comprehensive Outpatient Rehabilitation Facilities provide that [p]ersonnel that
provide service must be licensed, certified, or registered in accordance with applicable State and local
performance to be identified and resolved as soon as possible, but also fosters a more efficient, evidence-based privilege
renewal process.
Joint Commission Hospital Accreditation Standards, MS.06.01.01.
The second and third new concepts should be included in Medical Staff Bylaws and/or policies and procedures to be compliant with Joint Commission standards.
4
National Committee for Quality Assurance. Standards for Health Plan Accreditation [hereinafter NCQA Standards for
Accreditation], CR3, Washington, DC: 2009.
5
42 CFR 482.22(a)(2).
6
42 CFR 482.22.
7
42 CFR 483.430(b)(5).
8
42 CFR 484.14(e).
Enterprise Risk Management for Healthcare Entities, First Edition
283
The HCQIA has played a significant role in the development of current peer review and credentialing practices. If a healthcare entity complies with certain credentialing procedures, HCQIA affords
monetary immunity, under both state and federal law, for claims arising out of such credentialing activities. There can be serious consequences for conducting a peer review that does not comply with the
requirements of HCQIA. For example, in 2004, a Texas federal court jury awarded a Dallas cardiologist
$366 million after determining that the hospital and the physicians who had participated in his summary
suspension were not immune from damages under HCQIA.12 The judgment was reversed by the U.S.
Court of Appeals for the Fifth Circuit in 2008. Nonetheless, the jurys verdict serves as an important
warning of the serious consequences for failing to conduct peer review in compliance with HCQIA.
HCQIA, perhaps more than any other body of law, has substantially shaped current peer review
and credentialing practices. The financial liability of not complying with HCQIA can be detrimental
42 CFR 485.54(b).
42 CFR 485.604.
11
42 CFR 485.705.
12
In Poliner v. Texas Health System, the jury, after the trial judge had determined the defendants were not entitled to
complete immunity under HCQIA, found them liable for breach of contract, defamation, interference with contractual relations, and intentional infliction of emotional distress arising out of the summary suspension of Dr. Lawrence Poliner. The
facts of this case are that on May 12, 1998, a patient presented to the emergency room of Presbyterian Hospital of Dallas
complaining of chest pains. Dr. Poliner, an interventional cardiologist, performed a procedure to open the patients artery.
However, he made a diagnostic mistake and missed the patients blocked artery. The patient latter suffered postprocedure
complications, and there were problems contacting Dr. Poliner afterwards. This patients case and other cases were brought
to the attention of Dr. James Knochel, the chairman of the hospitals Internal Medicine Department. The cases were also
submitted for review to the Internal Medicine Advisory Committee, also chaired by Dr. Knochel. Dr. Knochel, in consultation with other physicians at the hospital, decided to seek a temporary restriction of Dr. Poliners cath lab privileges in
order to allow for an investigation pursuant to the Medical Staff Bylaws. After a conversation with Dr. Knochel, Dr. Poliner
agreed to the temporary abeyance of his privileges and an ad hoc committee was appointed to review a sample of his
cases. This temporary abeyance lasted 29 days. Upon review of the cases, the ad hoc committee formally unanimously
agreed that Dr. Poliners cath lab and echocardiography privileges should be suspended, which they were. Dr. Poliner
requested a hearing pursuant to the Medical Staff Bylaws. The Hearing Committee concluded the suspension should be
upheld, but that Dr. Poliners privileges should be reinstated with conditions.
Thereafter, Dr. Poliner filed a lawsuit in federal court claiming that these events defamed him and constituted antitrust and
deceptive trade practices. The U.S. District Judge granted the defendants motions for summary judgment under HCQIA as
to the formal summary suspension, holding that the immunities applied to the facts of this case. However, the judge allowed
the case to go forward to a jury trial with regard to the initial 29-day temporary abeyance. The jury awarded Dr.Poliner
$366 million in damages. On March 27, 2006, the U.S. District Judge upheld the jurys finding but ordered the parties to
mediation to determine the proper amount of damages. Thereafter, on September 18, 2006, the judge granted the motions
of the hospital and one of the doctors to reduce the amount of damages to $22.5 million. Poliner v. Texas Health System,
No. Civ. A.3:00-CV-1007-P (N.D. Tex. 2006). On appeal. the Fifth Circuit set aside this judgment completely. Poliner v.
Texas Health Systems, 537 F.3d 368 (5th Cir. 2008). The appeals court held that immunity under HCQIA precluded any
monetary recovery. In reversing the judgment, the court adopted an objective standard for finding a reasonable belief that
the action was in furtherance of quality healthcare, as required for statutory immunity.
The recent case of Johnson v. Christus Spohn is also instructive regarding how important it is for organizations to properly
handle credentialing practitioners in light of the fact that there is no immunity under HCQIA for federal claims involving
racial discrimination. Johnson v. Christus Spohn, 2008 U.S. Dist. LEXIS 10058 (S.D. Tex. 2008). The reality is that it is
quite simple for a plaintiff to allege racial discrimination even in the absence of facts that suggest such discrimination.
9
10
284
Before the U.S. Congress enacted HCQIA in 1986, physicians were hesitant to participate in
peer review and credentialing activities because of the threat of litigation brought by reviewed and/or
disciplined physicians. One influential jury award of $2.2 million in damages, in the case of Patrick
v. Burget,13 in part spawned the enactment of HCQIA. Briefly, as set out in the Ninth Circuit Court
of Appeals opinion, in 1972, the Astoria Clinic, a multispecialty clinic in the small community of
Astoria, Oregon, employed Dr. Timothy Patrick as a general surgeon.14 In 1973, Dr. Patrick rejected a
partnership offer from Astoria Clinic and opened his own clinic.15 Physicians from the Astoria Clinic
subsequently participated in a peer review investigation of Dr. Patricks treatment of patients whose
care he had provided at the only acute care hospital in Astoria.16 Dr. Patrick sued these physicians and
the Astoria Clinic and successfully argued that the physicians were motivated by anticompetitive factors. The Oregon federal court jury found that their actions violated federal antitrust laws.17
In Johnson, Dr. Tone Johnson, an African-American physician with a general family practice in Corpus Christi, Texas,
and his wholly-owned professional corporation sued Christus Spohn Health System Corporation and 20 individual physicians who participated in the peer review process that resulted in the summary suspension of his clinical privileges and
the later termination of his clinical privileges to practice at several of its hospitals. In this case, the court granted summary
judgment to the defendants on all claims, other than racial discrimination, based on immunities provided by HCQIA and
Texas law. Then the court considered Dr. Johnsons allegation of race-based discrimination and found it largely consists
of questionable personal opinions and speculation with little evidentiary support. For example, Dr. Johnson alleged that the
Medical Executive Committee was all white and/or consider themselves to be white. In reality, all of the parties agreed
that the Medical Executive Committee included several Hispanic and Indian doctors. The court stated [n]otwithstanding
Dr.Johnsons curious remarks, the racial composition of the Medical Executive Committee fails to support an inference of
discrimination because, even assuming the Medical Executive Committee were made up of all white doctors or doctors
who consider themselves to be white, Dr. Johnson fails to show any actions on their part indicating a racial basis against
Dr. Johnson. As a result, the court granted the motion for summary judgment in its entirety.
In a similar case, Johnson v. Willapa Harbor Hospital, the U.S. District Court for the Western District of Washington ruled
that a hospital was entitled to summary judgment in another African American doctors action alleging discrimination, and
other state law claims with regard to the hospitals denial of his application for reappointment to the medical staff. Johnson
v. Willapa Harb. Hosp., No. 07-5336 (W.D. Wash. Oct. 16, 2008). The district court granted the hospitals motion for summary judgment on all claims. Specifically regarding the discrimination claim, the held that Dr. Antoine Johnson provided
no evidence that could give rise to unlawful discrimination.
In an interesting twist on Johnson v. Christus Spohn and Johnson v. Willapa Harbor Hospital, in Johnson v. Riverside
Healthcare System LP, Dr. Christopher Johnson filed a complaint alleging discrimination pursuant to federal law and
state law (Californias Unrue Civil Rights Act) after he was not reappointed to the medical staff at Riverside Community
Hospital after his privileges lapsed. Johnson v. Riverside Healthcare System LP, No,. 06-55280, (9th Cir., July 23, 2008).
Dr.Johnson, who designated himself as African American and bisexual, claimed that he had been harassed due to his
race and sexual orientation. Dr. Johnson treated patients at the hospital pursuant to a professional services agreement that
designated him as a contractor. The Ninth Circuit dismissed his state law discrimination claim holding that the state
law provides protections to consumers and customers but does not extend to situations involving employment. The court
determined that a contract physician working under the terms of a professional service agreement with a hospital was in a
position equivalent to that of an employee.
13
Patrick v. Burget, 800 F.2d 1498 (9th Cir. 1986), revd, 108 S. Ct. 1658 (1988).
14
Patrick, 800 F.2d 1498, 1502.
15
Id.
16
Patrick, 108 S. Ct. 1658, 1665.
17
42 U.S.C. 11101(5).
Enterprise Risk Management for Healthcare Entities, First Edition
285
HCQIA has two parts. The first part sets forth what is necessary to receive immunity from monetary
damages as a result of a professional review action, and the second part authorizes the establishment
of a nationwide system for reporting adverse professional review actions, known as the National Practitioner Data Bank.
HCQIA provides immunity from monetary liability to healthcare entities and individuals who
participate in professional review actions, including credentialing determinations, which meet certain
procedural requirements.19 Healthcare entities include hospitals, health maintenance organizations
(HMOs), and group medical practices that provide healthcare services and follow a formal peer review
process for the purpose of furthering quality healthcare.20 Professional societies also may be healthcare
entities under HCQIA if they follow a formal peer review process for the purpose of furthering quality
healthcare.21 Professional review action means an action or recommendation taken in the conduct of
a professional review activity based on the competence or professional conduct of a physician, which
adversely affects or could adversely affect the health or welfare of a patient.22 In addition, persons
who provide information to a healthcare entity regarding the competence or professional conduct of
a physician also are immune from damages under federal and state law, unless the person knowingly
provided false information.23
In order to qualify for immunity under HCQIA, a healthcare entity must comply with certain
procedural safeguards when conducting peer review on and credentialing a physician (defined as an
M.D., D.O., or dentist).24 In general, in order to receive immunity, a peer review or credentialing action
regarding the professional competence or professional conduct of a physician must be taken:
in the reasonable belief that the action was in the furtherance of quality healthcare;
after a reasonable effort to obtain the facts of the matter;
after adequate notice and hearing procedures are afforded to the physician or after such other
procedures as are fair to the physician under the circumstances; and
20
21
22
23
24
18
19
42 U.S.C. 11111(a)(1).
42 U.S.C. 11151(4)(A) (i)(ii).
42 U.S.C. 11151(4)(A)(iii).
42 U.S.C. 11151(9).
42 U.S.C. 11111(a)(2).
42 U.S.C. 11151(8).
Id.
286
The second part of HCQIA resulted in the creation of the National Practitioner Data Bank (NPDB).
Congress determined there was a need for a national physician reporting system in order to restrict
the ability of incompetent physicians to move from state to state without disclosure or discovery of
the physicians previous damaging or incompetent performance.30 Prior to the NPDB, tracking such
incompetent itinerants had been difficult at best. The NPDB serves as an information clearinghouse to
collect and release certain information related to the professional competence and conduct of physicians, and in some cases additional practitioners, to qualified healthcare entities.
Hospitals and other healthcare entities, such as HMOs and PPOs, must report (1) professional
review actions related to professional competence or professional conduct that adversely affect the
clinical privileges of a physician for more than 30 days; and (2) a physicians voluntary surrender or
restriction of clinical privileges while under investigation for professional competence or conduct.31
Hospitals, unlike other healthcare entities such as HMOs and PPOs, must query the NPDB when
screening applicants for a medical staff appointment or expanding clinical privileges, and must subsequently screen healthcare practitioners every two years who serve on the medical staff or who have
27
28
29
30
31
25
26
42 U.S.C. 11112(a).
42 U.S.C. 11112(b)(1).
42 U.S.C. 11112(b)(2).
42 U.S.C. 11112(b)(3).
42 U.S.C. 11112(b)(3)(C).
42 U.S.C. 11101(2).
42 U.S.C. 11133.
287
Another federal data bank, the Healthcare Integrity and Protection Data Bank (HIPDB), was opened
in 1999. The HIPDB contains information regarding certain final adverse actions against healthcare
providers, suppliers, or practitioners. Federal law prohibits the release of information contained in the
HIPDB to anyone except Federal and State government agencies, health plans, and self queries from
healthcare suppliers, providers and practitioners.35 Therefore, hospitals do not have direct access to
the HIPDB. Final adverse actions include: (1) civil judgments against a healthcare provider, supplier,
or practitioner in Federal or State court related to the delivery of a healthcare item or service; (2)Federal or State criminal convictions against a healthcare provider, supplier, or practitioner related to the
delivery of a healthcare item or service; (3) actions by Federal or State agencies responsible for the
licensing and certification of healthcare providers, suppliers, or practitioners; (4) exclusion of a healthcare provider, supplier, or practitioner from participation in Federal or State healthcare programs; and
(5) any other adjudicated actions or decisions that the Secretary establishes by regulations. Settlements
in which no findings or admissions of liability have been made are excluded from reporting. However,
any final adverse action emanating from such settlements and consent judgments otherwise reportable
under the statute will be reported in the data bank. All final adverse actions are required to be reported
regardless of whether such actions are being appealed by the subject of the report.
42 U.S.C. 11135(a).
42 U.S.C. 11137(a).
34
45 CFR 60.13. See, generally, Kadzielski, A New Quality Challenge: Coordinating Credentialing and Corporate
Compliance, 14 Annals of Health Law 409 (Summer, 2005).
35
45 CFR 61.14.
32
33
288
The Effect of the Americans with Disabilities Act on Current Credentialing Practices
Since it was first enacted into law, the Americans with Disabilities Act (ADA) has been the subject of much discussion with respect to healthcare organizations. It is useful to review what the law
requires with respect to care providers. Of equal import is the relationship of the ADA to the credentialing process.
18.2.8
The purpose of the ADA is to protect a qualified person with a disability (defined as a person
who has a physical or mental impairment that substantially limits one or more major life activities, a
person who has a history or record of such an impairment, or a person perceived by others as having
such an impairment) from discrimination in the employment, public services, and public accommodations arenas.38 The ADA has shaped current credentialing practices regarding the types of initial and
recredentialing inquiries that healthcare entities can make about a healthcare practitioners possible
physical or mental disabilities. However, applicability of the ADA to the credentialing of non-employee
practitioners, such as practitioners who seek to serve on the medical staffs of hospitals or contract with
managed care organizations, remains uncertain.
Title I of the ADA is applicable to the employment setting and prohibits employers from discriminating against qualified individuals with disabilities who are capable of performing the essential job
in question with or without reasonable accommodation.39 Title II of the ADA applies to state and local
government activities40 and Title III addresses owners and operators of public accommodations.41 All
three ADA titles affect credentialing procedures.
Title I unequivocally applies to the employment of practitioners at hospitals and other healthcare
entities. However, uncertainty exists about whether or not Title I applies to non-employee healthcare
practitioners, such as medical staff physicians at hospitals and contracted practitioners with managed
care organizations.42 Although no courts have specifically held that Title I applies in such non-employee
45 CFR 60.4-9; 45 CFR 61.4-11.
45 CFR 60.7, 60.9; 45 CFR 61.9, 61.11.
38
42 U.S.C. 12101 et seq.
39
42 U.S.C. 12112.
40
42 U.S.C. 12182.
41
Id.
42
For a more in-depth examination of the ADAs Title I application to non-employee practitioners, see Jack S. Schroeder, Jr.,
Credentialing Strategies for a Changing Environment: Establishing and Operating an Effective Program, BNAs Health L. &
Bus. Series No. 1000, 1000:05060507.
36
37
289
290
Despite the uncertainty of the ADAs application to the credentialing of non-employee practitioners, many concepts set forth in the ADA have served to shape the scope of credentialing inquiries.
The ADA regards mental illness, alcoholism, and past drug use as disabilities. However, such conditions may have a direct impact on patient safety and the practitioners ability to provide healthcare
services. Healthcare entities, therefore, have a need to request such information.
Until the courts or government agencies provide healthcare entities with more guidance concerning the scope and applicability of the ADA, the true impact of the ADA on credentialing practices
remains largely uncertain.
18.2.10
Section 504 of the Rehabilitation Act of 1973 is similar to the ADA in that it protects qualified disabled individuals from discrimination. The law provides that no otherwise qualified individual with a
disability shall be excluded from the participation in, denied the benefits of, or be subject to discrimination under any program or activity receiving Federal financial assistance.51 The nondiscrimination
requirements of the law apply to employers and organizations that receive financial assistance from
any federal department or agency. Therefore, Section 504 presumably applies to any healthcare facility participating in either Medicare or Medicaid. Where healthcare providers credential and employ
practitioners, Section 504 mandates nondiscrimination in the hiring process.
In the Menkowitz case, discussed above, the court held that Dr. Menkowitz (a non-employee of the
hospital) could continue his claim against the hospital based upon a violation of Section 504.52 However, in Wojewski, also discussed above, the court dismissed Dr. Wojewskis Section 504 claim on the
rationale that Section 504 was designed to prohibit discrimination in an employment relationship and,
therefore, did not apply to Dr. Wojewskis relationship with the hospital as a member of its medical
staff.53 The Wojewski court specifically distinguished the holding on this issue by the Menkowitz court.
Because Wojewski is a more recent interpretation, healthcare providers who do not employ practitioners or their medical staffs may take some comfort from this conclusion. However, as with the ADA,
the issue of whether Section 504 applies in the context of credentialing non-employee healthcare
practitioners remains debatable.
18.2.11
To varying degrees, most states supplement federal statutory credentialing provisions with their
own legislative pronouncements on credentialing. Through the enactment of regulations, many states
require a healthcare facility to credential its practitioners before granting clinical privileges. For
42 U.S.C. 794(a).
Menkowitz, 154 F.3d 113, 123.
53
Wojewski, 394 F. Supp. 2d 1134, 1142.
51
52
291
Accreditation Standards
Accreditation standards require that practitioners be credentialed prior to being granted privileges
to practice medicine at a facility. Apart from state law and the Medicare Conditions of Participation
for Hospitals, a governing bodys responsibility for credentialing practitioners who practice within
its hospital is established by accrediting bodies such as the Joint Commission. The Joint Commission
standards require that the mechanisms for appointment or reappointment to the medical staff and the
initial granting and renewal or revision of clinical privileges be fully documented in the medical staff
bylaws, rules and regulations, and policies.55
Outside the hospital context, similar standards exist for MCOs and ambulatory surgery centers
(ASCs) through accrediting bodies such as the NCQA and the Accreditation Association for Ambulatory Health Care (AAAHC), as well as a number of others. For example, the NCQA requires that
[t]he managed care organization document the mechanism for the credentialing and re-credentialing
of MDs, DOs, DDSs, DPMs, DCs, and other licensed independent practitioners with whom it contracts or employs who treat members outside the inpatient setting and who fall within its scope of
authority and action.56
18.2.13
Internet Credentialing
With the advent of the Internet, new opportunities are available for facilities in their ongoing
efforts to credential practitioners. Online databases, such as the Office of Inspector Generals (OIG)
List of Excluded Individuals/Entities (LEIE) and web sites maintained by state licensing authorities,
provide additional information regarding practitioners to the public, including consumers and individuals not otherwise entitled to similar information maintained by the National Practitioner Data Bank
(NPDB) or the Healthcare Integrity and Protection Data Bank. The existence of these databases may
also establish a new standard of care regarding the frequency of checking whether practitioners have
been disciplined. The OIG may impose a Civil Monetary Penalty of up to $10,000 for each item or
services furnished by an individual excluded from participation in a federal healthcare program (e.g.,
Medicare, Medicaid, etc.) on any individual or entity which contracts with the excluded individual. For
liability to be imposed, the provider submitting the claims for healthcare items or services furnished by
an excluded individual must either know or should know that the person was excluded.57 Thus, the
OIG urges health care providers and entities to check the OIG List of Excluded Individuals/Entities
56
57
54
55
292
58
293
Hospital counsel must be vigilant in advocating the establishment and maintenance of written
policies and procedures. Healthcare facilities that credential practitioners may be liable to those very
same practitioners for discrimination; restraint of trade; economic credentialing; violation of the facilitys bylaws, rules and regulations, and policies and procedures; and a plethora of other actions or
inactions. Effective risk management must be wary of not only the acts or omissions for which a
facility may be liable to practitioners who exercise privileges there, but also the potential liabilities a
facility may have to patients, their families, estates, and/or legal representatives.
Early implementation of written policies and procedures or protocols can be accomplished only
when legal counsel and risk managers keep abreast of the rapidly evolving healthcare sector and are
able to identify potential liabilities before they occur. Failure to perceive potential liability issues
early will result in a lack of written policies and procedures and the absence of a uniform and sound
approach to risk issues, thus increasing the risk of litigation. Effective implementation of policies to
minimize the legal risk associated with no longer novel causes of action such as negligent credentialing and economic credentialing should be undertaken.
18.4.1
Negligent Credentialing
Traditionally, there was no institutional liability for the negligence of individual providers. However, beginning in 1965 with Darling v. Charleston Community Memorial Hospital, various state courts
began recognizing a new doctrine called hospital corporate liability.59 In Darling, the Supreme Court
of Illinois held that the hospital had an independent duty to ensure that high-quality care was rendered
at its facility, and held the hospital accountable for negligently screening the competency of its medical staff. The vast majority of states have adopted some form of the hospital corporate liability theory
thereby providing some legal relief for the tort of negligent credentialing.60
Healthcare facilities and providers should not be surprised to see the doctrine of corporate liability
extended to MCOs, IPAs, and IDSs in the near future.61 Like hospitals, courts will likely conclude that
such entities have a duty to credential and recredential affiliated practitioners and monitor the quality
of care provided by affiliated practitioners. And if healthcare delivery systems credential practitioners,
such systems have a duty to credential them thoroughly and properly. If an MCO, IPA, or IDS breaches
its duty to provide high-quality care to a patient by failing to screen out incompetent practitioners or
take appropriate measures against practitioners who are providing substandard medical care, the entity
may be negligent based on a theory of corporate liability.
211 N.E.2d 253 (Ill. 1965). See Kadzielski, A New Quality Challenge: Coordinating Credentialing and Corporate
Compliance, 14 Annals of Health Law 409 (Summer, 2005).
60
See Kadzielski, Provider Deselection and Decapitation in a Changing Healthcare Environment, 41 St. Louis L.J. 891
(Summer, 1997), and cases cited at note 12, supra. In California, the theory of corporate liability for negligent credentialing
was established in Elam v. College Park Hospital, 132 Cal.App.3d 332 (1982).
61
In McClellan v. Health Maintenance Organization, 604 A.2d 1053, allocatur denied, 616 A.2d 985 (Pa. 1992), the
court held that an HMO may be held liable under the theory of ostensible corporate liability for failing to select and retain
only competent individuals.
59
294
Economic Credentialing
Currently, economic credentialing is a bone of contention between some practitioners and healthcare institutions. The term economic credentialing has been used to denote a credentialing, selection,
or termination action based, at least in part, on economic considerations. The current absence of a
definitive determination by state legislatures, courts, and professional associations on the parameters
of using economic criteria in credentialing decisions and the legal and medical communities failure to
provide an acceptable definition of the term may render the use of economic criteria a double-edged
sword with costly consequences.
In simple terms, economic credentialing is the use, in the credentialing of a practitioner, of data
that indicate his or her effect on the financial success of a facility. This term also refers to the use of
data that reflect the proportion of indigent patients admitted or treated by a particular practitioner at
a facility. The economic factors generally relate to a practitioners utilization of healthcare resources
and a providers profits for the facility resulting from his or her payer mix, market share, charges, and
collections.
Apart from the position (or lack thereof) of professional associations, the legislatures, and the
courts on economic credentialing, the economic pressures on healthcare systems make it probable that
economic factors will continue to be used in credentialing decisions. To minimize potential liability,
risk managers and legal counsel should be familiar with Medicares position on the use of economic
credentialing by hospitals. The Medicare Conditions of Participation for Hospitals provide that
[t]he governing body must [e]nsure that under no circumstances is the accordance of staff membership or professional privileges in the hospital dependent solely upon certification, fellowship, or
In Petrovich v. Share Health Plan, 188 Ill.2d 17 (1999), the Illinois Supreme Court considered portions of the health
plans member handbook that referred to the comprehensive high quality services purportedly provided by plan physicians to hold that an HMO could be held vicariously liable under an apparent authority theory for the malpractice of its
independent contractor physicians. See also Villazon v. Prudential Health Care Plan, 843 So.2d 842, 854 (Fla. 2003),
where the Florida Supreme Court held that the totality of the evidence led to the conclusion that the HMO had the right
to control the means by which plan physicians rendered medical care to enrollees.
62
295
Driven by the need to compete in a changing healthcare market, many different entities, such as
managed care plans, payers, and employers, may seek quality outcome information from a healthcare
delivery system. The quantifiable nature of such information renders it an effective marketing tool
that can be easily disseminated to the public, which can then compare individual providers and make
informed choices about the quality of the providers associated with a managed care plan. Quality
outcome information also allows employers to easily ascertain which managed care plan will be the
best one for its employees.
However, legal and regulatory constraints are often imposed on healthcare delivery systems that
can result in the nondisclosure of information or the limitation of the types of information that can
be disclosed. The entities to whom quality outcome information can be disclosed should be independently determined by each healthcare facility with the assistance of its legal counsel, which will play
a crucial role in maneuvering the facility through the quagmire of legal and regulatory provisions. By
creating written protocols and guidelines for disclosure, the risk manager can assist the organization in
handling such highly sensitive and confidential information.
First, such protocols should be based on applicable state lawif it exists. Second, facilities should
determine whether quality outcome information is protected from discovery. Statutory privileges
accorded to peer review information may protect quality outcome information if such information is
discussed and analyzed in the peer review process for peer review purposes. Whether a facility is willing to disclose such information should be dependent, in part, on whether the information is protected
by state law. Third, if a facilitys written policy permits the release of such information, the facility
should obtain written authorization from practitioners allowing its release. Preferably, such release
42 CFR 482.12(a)(7).
63
296
As noted earlier, the impact of the ADA and Section 504 of the Rehabilitation Act on the credentialing of healthcare practitioners remains unclear. The ADA prohibits discrimination based on the
physical or mental status of an individual.64 Section 504 of the Rehabilitation Act similarly prevents
discrimination based on the physical or mental status of an individual in any program or activity
receiving federal financial assistance, and thus Section 504 presumably applies to any healthcare facility participating in either Medicare or Medicaid.65
Courts have begun to address the applicability of the ADA to credentialing decisions at private
hospitals and/or other nonpublic healthcare facilities. In Menkowitz v. Pottstown Meml Med. Ctr., the
Third Circuit held that both the ADA and Section 504 of the Rehabilitation Act prohibits disability
discrimination against a medical doctor with staff privileges at a hospital. In Menkowitz, a practitioner
claimed he had been discharged in violation of the ADA and Section 504 of the Rehabilitation Act
when his clinical privileges were summarily suspended after he disclosed to the Medical Staff that
he had been diagnosed with attention deficit disorder. However, the Eighth Circuit upheld summary
judgment to a hospital being sued for violations of the ADA and the Rehabilitation Act by a cardiac
surgeon with severe manic-depressive disorder. The court held that a member of the Medical Staff was
an independent contractor who was not entitled to claim the benefits of either federal law, and directly
disagreed with the Menkowitz ruling.66 And, in 2008, the District Court for the Middle District of Pennsylvania granted an unusual judgment notwithstanding a jury verdict, overturning a $250,000 award
to a bipolar orthopedic surgeon, finding that he was a direct threat to patient safety.67 Obviously, this
issue is far from clearly resolved.
Facilities are granted broad discretion to collect and verify different types of information in the credentialing process. According to the Joint Commission, each facility must independently determine the
applicability of the ADA to its medical staff.68 Thus, a facility has the discretion to determine whether it
will require information pertaining to the physical or mental condition of the medical staff applicant.
42 U.S.C. 1210112213.
29 U.S.C. 794.
66
Menkowitz v. Pottstown Meml Med. Ctr., 154 F.3d 113, 123-24 (3d Cir. 1998) and Wojewski v. Rapid City Regional
Hospital, 2005 WL 1397000 (D.S.D. 2005).
67
Hass v. Wyoming Valley Health Care System, 553 F. Supp. 2d 390 (M.D. Pa. 2008).
68
The Joint Commission, Hospital Accreditation Standards (MS. 11.01.01).
64
65
297
Information Sharing and the Contractual Allocation of Risk in the Healthcare Enterprise
The proliferation of IDSs and the continuing consolidation of healthcare facilities raise issues of
information sharing between affiliated healthcare facilities. The development of credentialing policies
and procedures for practitioners and AHPs, as well as the actual credentialing of healthcare providers,
is costly and time-consuming. Healthcare facilities can decrease the time spent on such activities and
the associated costs, as well as eliminate duplication, by engaging in information sharing. Nevertheless, although information sharing is efficient and cost-effective if executed correctly, there are some
accreditation limitations and legal concerns that must be considered when determining the extent of
information sharing and the protection and use of the shared information.
298
Sharing confidential peer review information poses questions regarding the discoverability of this
sensitive information. Some states, including California, protect peer review documents of licensed
health facilities such as hospitals and federally certified ASCs. Based on a states definition of a healthcare facility and the concomitant protections that may be available, myriad healthcare entities, ranging
from hospitals to MCOs and ASCs, can share information.
Notwithstanding the statutory protections afforded peer review documents, facilities should
be wary of sharing confidential peer review information because any subsequent disclosure of peer
review committee records could result in a loss of this protection. Clearly, providing an entity with
confidential information makes it harder to control its dissemination. The risk of such disclosure and
the possible loss of statutory protection, if it is available, can be reduced if healthcare facilities enter
into written agreements limiting the sharing of such information for the purpose of peer review. Moreover, contract provisions should prohibit the further release of such information, identify the parties
entitled to review it, identify the method in which it should be maintained, and delineate a facilitys
liability for failing to comply.
Facilities engaged in information sharing can mitigate the risk of voluntary disclosure of peer
review information by executing confidentiality agreements between not only the healthcare facilities,
but also each healthcare facility and each of its peer review committee members. To avoid dissemination of additional information, facilities also should consider removing identifying information on
practitioners (other than the practitioner under consideration) and patients names from shared peer
review documents.
18.4.7
299
Fear of potential defamation litigation has been a stumbling block for many healthcare facilities asked to provide an honest, candid letter of reference to another healthcare facility on behalf
of a credentialed clinician. The concern is particularly significant when the healthcare facility possesses evidence that would likely deter the other healthcare organization from credentialing the care
provider.
Traditionally, rather than provide candid, detailed information, many healthcare facilities have
responded to such requests by offering an affirmation that the care provider had a staff appointment.
Such a reference would include dates of staff appointment and privileges delineation. However, no indepth information would be provided in response to a request for details about quality, concerns about
competency, or professionalism.
A 2005 lower federal court case in Louisiana sent shock waves among those responsible for handling medical staff credentialing issues. Although the Fifth Circuit Court of Appeals in 2008 overturned
the lower courts ruling with respect to the duty to disclose negative information, the case may still
be the sentinel indicator of change in such practices.72 In the initial underlying lawsuit in Washington
State, an anesthesiologist and a healthcare facility were sued for medical malpractice after Kim Jones,
a patient the doctor attended during surgery, was left with extensive brain damage. In the lawsuit, it
was claimed that Ms. Jones was injured due to gross negligence on the part of the anesthesiologist
and the fact that during the surgery the anesthesiologist was drug impaired. The defendants reached a
settlement with the plaintiff for $7.5 million.73
When it was conducting the credentialing process for the anesthesiologist, the Washington hospital had asked for information from references. One reference was from a Louisiana hospital where the
anesthesiologist had held privileges. The reference request asked for information about the physicians
current competence to perform anesthesia services. It had also asked its counterpart in Louisiana to
provide a candid assessment of the doctors training, continuing clinical performance, skill, and judgment, interpersonal skills and ability to perform the privileges request.74 The Washington hospital
provided a questionnaire for the Louisiana facility to complete for this purpose.
The response from the Louisiana healthcare facility indicated that the doctor had been an active
member of the medical staff in anesthesiology from March 1977 to September 2001. The letter also
Kadlec Med. Ctr. v. Lakeview Anesthesia Assocs., 2005 U.S. Dist. LEXIS 10328 (E.D. La. May 19, 2005). The ruling
involved a motion for summary judgment filed by the defendants, a medical group and a hospital in Louisiana. Thereafter,
there were additional decisions involving other motions. On May 26, 2006, a jury awarded more than $4 million in the
case for fraud and negligent misrepresentation. See C.M. Ostrom, Lawsuit Won Over Doctors Undisclosed Drug Problem,
Seattle Times, June 7, 2006. The Fifth Circuit later clarified this situation and absolved the hospital from any liability while
upholding the liability of all other defendants. 527 F.3d 412 (2008), cert. denied 129 S.Ct. 631 (2008).
73
Kadlec, 2005 U.S. Dist. LEXIS 10328 (E.D. La. May 19, 2005).
74
Id.
72
300
301
80
81
82
83
78
79
Id.
Id.
Id.
Further, the court determined that a genuine issue of material fact existed with regard to causation. Id.
Id.
C.M. Ostrom, Lawsuit Won Over Doctors Undisclosed Drug Problem, Seattle Times, June 7, 2006.
302
303
86
304
Commentary
Several steps can be taken to reduce the risk of liability associated with peer review and
credentialing. Developing an organization-wide risk management plan that addresses how
the healthcare entity allows practitioners to practice should eliminate a substantial degree of
inconsistency and minimize liability. A risk management plan should be based on a states
licensure laws, state and federal regulations, and the facilitys needs.
In addition healthcare organizations must institute and maintain standard bylaws, policies
and protocols that provide systematic guidance to administrators, surveyors, practitioners,
and other entities and individuals who are entrusted with critically important peer review and
credentialing functions.
Too often, in todays extremely competitive healthcare market, decision makers fail to take
necessary actions in accordance with their facilitys written bylaws, policies and protocols
or make exceptions for practitioners who are well respected in the community or who have
been on the hospital staff for many years. However, such a practice is hazardous, not only to
305
Conclusion
Peer review and credentialing pose several potential sources of liability for the healthcare organization. Discrimination, restraint of trade, negligent credentialing, failure to check whether the
practitioner has been excluded from participation in federal healthcare programs, and wrongful disclosure of peer review and quality outcome information are among the most serious.
Enterprise risk management plays a significant role in minimizing those sources of potential
liability. By documenting, and ensuring adherence to, the healthcare organizations peer review and
credentialing policies and procedures, and periodically reviewing them, legal counsel can minimize
potential liabilities associated with this process. Also, the ongoing and rapid changes in healthcare
are bringing changes in potential sources of liability. By staying familiar with current developments
in healthcare, astute legal counsel will be better able to foresee new areas of potential liability and
address them early.
306
19
Economic Credentialing: A Balancing of Risks
Yvonne K. Puig, Esq.
Mark Faccenda, Esq.
Fulbright & Jaworski L.L.P.
19.1
Introduction
Economic credentialing, sometimes known as conflict credentialing, is the result of ever increasing competition among the myriad players in the healthcare market. For every innovative business
model undertaken by a hospital or physician, there has been an equal and opposite attempt to limit
moves to gain market share or improve reimbursement. What hospitals once used to weed out less
cost-efficient physicians from the ranks of those with hospital privileges has become a bargaining chip
between increasingly equal participants in the grab for healthcare dollars. As the economic environment that has lead to increased economic credentialing continues to evolve, managing future risks
associated with economic credentialing will require hospitals and physicians alike to carefully monitor
and adjust to evolving legal approaches towards this practice.
Generally speaking, economic credentialing refers to the consideration of financial indicators
when hospitals grant (or deny) physicians staff membership or privileges. Historically, economic
credentialing was employed to remove or prohibit certain physicians from practicing at a particular
hospital. Targeted physicians typically had higher costs of treatment resulting from longer average
lengths of stay, higher infection rates, and increased test utilization. In an effort to reduce costs that
detracted from the hospital bottom line, those physicians whose care failed to satisfy specified financial benchmarks lost their rights to practice at the relevant hospital.
The physician-hospital relationship has been historically symbiotic and mutually beneficial. The
hospital benefited through reimbursement for inpatient services performed by the physician; the physician had no-cost access to inpatient facilities in which to practice. Eventually, however, physicians
became healthcare entity owners rather than mere practitioners, and hospitals began to recognize
physicians as competitors as well as partners. As physicians invested in specialty-specific healthcare
facilities, conflict credentialing was born. A hospital adopting a conflict credentialing policy seeks to
limit the privileges of a physician having financial interest in a competing healthcare entity, such as an
ambulatory surgical center or specialty hospital.
307
308
Background
19.2.1
The American Medical Association (AMA) defines economic credentialing as the use of economic criteria unrelated to quality of care or professional competence in determining a physicians
qualifications for initial or continuing hospital medical staff membership or privileges.5 The AMA
avers that current economic trends have led to credentialing decisions [based] on the level of a
physicians referrals to that hospital.6 While AMA opposes the use of economic criteria unrelated to
patient care to grant privileges, it acknowledges that [s]ome hospitals have established conflict of
interest policies or loyalty oaths to ensure that physicians who own, have financial interests in or
have leadership positions with healthcare entities or refer patients to competing healthcare entities
are refused staff privileges.7
AMA identifies another subset of economic credentialingthe grant of privileges to practice in
a hospital in exchange for physician assurance to not refer elsewhere. This may or may not be used in
conjunction with exclusive contractingthe grant of privileges to a certain group of physicians and to
the exclusion of other physicians of the same specialty or competing specialties. Exclusive credentialing refers to any policy adopted by a hospital that effectively requires physicians on staff to refer
only to that hospital by prohibiting its staff physicians from referring to other facilities.8
The AMA has asserted that [e]xclusive credentialing violates the federal Medicare and Medicaid
anti-kickback law, 42 U.S.C. 1320a-7b(b), in that prohibiting physicians from referring patients
to competing institutions is indistinguishable from an affirmative requirement to make referrals.9
AMAs position on exclusive credentialing is that the practice [harms] federal healthcare programs
by requiring that treatment be rendered in a more costly hospital setting [and] harms the health care
marketplace in that it has a chilling effect on new development of surgery centers, specialty hospitals,
or other innovations in health care delivery that have the potential to save the program money.10
309
The American Hospital Association (AHA) posits that the credentialing process is ultimately the
responsibility and domain of the hospital board of trustees; however, this responsibility is often delegated to the medical staff, in whole or in part. This responsibility has been delegated by the hospital
board, based on acceptance of the notion that professional peers have the knowledge and capability
to assess practitioners education and experience, and how they will influence their professional judgment and activity, subject to final decision making by the hospital board.11 AHA adopts the words of
the Wisconcsin Supreme Court in acknowledging the boards ultimate responsibility as well as power;
thedelegation of the responsibility to investigate and evaluate the professional competence of applicants for clinical privileges does not relieve the governing body of its duty to appoint only qualified
physicians and surgeons to its medical staff and periodically monitor and review their competency.12
Accordingly, AHA advocates that boards of trustees be granted discretion in establishing credentialing criteria. Because the board is concerned with the operation of the hospital as a whole, AHA
asserts that it is not only appropriate, but obligatory, that the credentialing process consider financial
as well as clinical concerns. A hospital board has the ultimate authority to make financial decisions
concerning the hospital.13 It is AHAs position that [n]ot only does existing case law support the
proposition that hospital boards are vested with the authority and responsibility to make financial
decisions for the hospitals, cases also support the concept that a governing bodys decision to close
the medical staff for particular procedures based on economic considerations is a valid exercise of the
boards authority to manage the business affairs of the hospital.14
Furthermore, AHA advocates that board decisions relating to credentialing, even based on economic factors, not be subject to judicial review.15 The ultimate authority over staffing decisions is
with the board of trustees, and a majority of courts also favors non-judicial review of decisions of
the board.16 The rule is well established that a private hospital has a right to exclude any physician
from practicing therein. The action of hospital authorities in refusing to appoint a physician or surgeon
to its medical staff, or declining to renew an appointment that has expired, or excluding any physician
or surgeon from practicing in the hospital, is not subject to judicial review.17
Looking to the future, AHA acknowledges that cost and outcomes data may be increasingly difficult to distinguish. However, the distinction may be immaterial as cost and quality are not necessarily
mutually exclusive. Rather, AHA argues that study of cost indicators is necessary for the delivery of
quality outcomes. The line between quality and business considerations in establishing and imple-
Brief for Mahan v. Avera St. Lukes as Amicae Curiae supporting Defendant/Appellant, Mahan v. Avera St. Lukes, 621
N.W. 2d 150, (S.D. 2001). Available at http://www.aha.org/aha/advocacy/legal/991130-amicus-brief.html.
12
Id., (quoting Johnson v. Misericordia Cmty Hosp., 301 N.W. 2d 156, 174 (Wis. 1981)).
13
Brief for Mahan v. Avera St. Lukes as Amicae Curiae supporting Defendant/Appellant, Mahan v. Avera St. Lukes, 621
N.W. 2d 150, (S.D. 2001). Available at http://www.aha.org/aha/advocacy/legal/991130-amicus-brief.html.
14
Id.
15
Id.
16
Id. (quoting Shulman v. Wash. Hosp. Ctr., 222 F.Supp. 59, 63 (D.D.C. 1963)).
17
Id.
11
310
Joint Commission
The Joint Commission adopts a neutral stance in the economic credentialing debate; it neither
requires nor prohibits the analysis of financial data in determining privilege status. The Joint Commission directs an organization to collect information regarding current license status, training,
experience, competence, and ability to perform the requested privilege in the course of making a
physician credentialing decision.19
19.3
As indicated above, GAO has tracked the healthcare industrys progression towards the use of
more specialty-specific facilities. GAOs determinations, however, may be inconclusive as to whether
the trend should be encouraged or stifled. Generally, GAOs findings confirm that specialty hospitals
treat less complicated cases with greater efficiency. Not surprisingly, GAO documented that specialty
hospitals shouldered less burden with respect to the delivery of undesirable cases. Our April 2003
study found that 21 out of 25 specialty hospitals treated a lower percentage of patients who were
severely ill compared with patients in the same diagnosis categories treated at general hospitals in the
same urban areas.20 Relative to general hospitals, specialty hospitals, as a group, were much less
likely to have emergency departments, treated smaller percentages of Medicaid patients, and derived
a smaller share of their revenues from inpatient services.21
Financially, it is difficult to determine whether specialty hospitals perform better through the creation of efficiencies or through the avoidance of complicated cases. In some cases, GAOs data failed
to demonstrate any cost-efficiency at all. Specialty hospitals tended to perform better than general
hospitals when revenues and costs from all lines of business and all payers were included. When the
focus was limited to Medicare inpatient business only, specialty hospitals appeared to perform about
as well as general hospitals.22
19.4
In 2002, AMA requested that the U.S. Department of Health and Human Services Office of
Inspector General (OIG) issue guidance regarding the possible application of the federal anti-kickback
statute to certain practices in connection with the granting of hospital staff privileges.23 Specifically,
AMA requested guidance regarding conflict and exclusive credentialing. According to the AMA, an
increasing number of hospitals are refusing to grant staff privileges to physicians who (1) own or
Brief for Mahan v. Avera St. Lukes as Amicae Curiae supporting Defendant/Appellant, Mahan v. Avera St. Lukes, 621
N.W. 2d 150, (S.D. 2001). Available at http://www.aha.org/aha/advocacy/legal/991130-amicus-brief.html.
19
The Joint Commission, Hospital Accreditation Standards, MS 06.01.03.
20
Government Accountability Office, Specialty Hospitals: Geographic Location, Services Provided, and Financial
Performance, GAO 04-167, 78, Oct. 2003.
21
Id. at 4.
22
Id. at 5.
23
67 Fed. Reg. 72,894, 72,895, Dec. 9, 2002.
18
311
Id.
Id.
26
67 Fed. Reg. at 72,895-96.
27
Letter from Michael D. Maves, M.D., M.B.A., for the American Medical Association, to Janet Rehnquist, Office of
Inspector General, Department of Health and Human Services, 3, Feb. 6, 2003. Available at http://www.ama-assn.org/
ama1/pub/upload/mm/395/sept_ltr_oig.pdf.
28
Letter from Rick Pollack, for the American Hospital Association, to Janet Rehnquist, Office of Inspector General,
Department of Health and Human Services, Feb. 5, 2003. Available at http://www.aha.org/aha/letter/2003/030205-cl-oig71-n.html.
29
OIG Supplemental Compliance Program Guidance for Hospitals, 70 Fed. Reg. 4,858, 4,869, Jan. 31, 2005.
30
Id.
24
25
312
Statutory Provisions
There has been no consistent approach to statutory resolution of the economic credentialing debate.
Of states passing legislation addressing the issue, some have favored express grants of power and
discretion to the hospital board and others have imposed express prohibitions on the use of economic
considerations in determining privilege status. To date, it has been difficult to ascertain a trend, if any,
in how future state legislatures will address the issue. Going forward, legislative efforts are not likely
to enforce sweeping prohibitions on all forms of economic credentialing. While active legislation may
be successful at limiting certain kinds of credentialing practices, such as conflict credentialing or the
inappropriate use of economic data, the vanishing line between cost and quality concerns ensures
that, in one form or another, hospitals will be able to consider a physicians bottom line in determining
privilege status.
For example, Illinois has adopted a credentialing statute defining economic credentialing as
theuse of economic criteria unrelated to quality of care or professional competency in determining
an individuals qualifications for initial or continuing medical staff membership or privileges.33 In the
interest of providing for the protection of the public health, Illinois limits the use of economic criteria
for the purposes of making physician credentialing decisions. The credentialing statute provides that
the citizens of Illinois are not served by the inappropriate use of economic criteria in determining an
individuals qualifications for initial or continuing medical staff membership or privileges as the use
of such criteria may deprive the citizens of Illinois access to a choice of the health care providers.34
Illinois requires that the physician credentialing process includes safeguards such as fair hearings and
Hospital Licensing Board oversight.35
The Texas Health and Safety Code provides for more explicit prohibition on conflict credentialing. A hospital, by contract or otherwise, may not refuse or fail to grant or renew staff privileges, or
condition staff privileges, based in whole or in part on the fact that the physician or a partner, associate, or employee of the physician is providing medical or health care services at a different hospital or
hospital system.36 Further, [a] hospital may not contract to limit a physicians participation or staff
Office of Inspector Gen., U.S. Dept of Health & Human Servs., OIG Semi-Annual Report for April 1, 2007September
30, 2007, 73, Dec. 1, 2007. Available at http://oig.hhs.gov/publications/docs/semiannual/2007/SemiannualFinal2007.pdf.
32
Id.
33
210 Ill. Comp. Stat. 85/2(b)(3).
34
85/2(b).
35
85/2(b)(3).
36
Tex. Health & Safety Code 241.1015(b).
31
313
Case Law
Jefferson Parish Hospital District No. 2 v. Hyde is considered to be the first instance of a court
addressing the merits of economic credentialing. In that case, the Supreme Court rejected antitrust
claims to uphold an exclusive contract to provide anesthesiology services.41 While courts have considered economic credentialing matters for the past 25 years under antitrust, tort, and contract theories, it
is difficult to predict an overall trend towards the appropriateness of economic credentialing. The two
most recent decisions have gone separate ways, supporting policies favoring integrity of the physicianpatient relationship and board discretion, respectively. These approaches to the economic credentialing
issue as resolved by various state courts are addressed below.
19.6.1
Arkansas
In Baptist Health v. Murphy, the Supreme Court of Arkansas addressed a dispute between a nonprofit hospital (Baptist) and cardiologists owning an indirect interest in a specialty hospital.42 The
hospitals board of trustees had adopted an economic conflict of interest policy that denied initial or
renewed professional staff appointments or clinical privileges at any Baptist hospital to any practitioner who, directly or indirectly, acquires or holds an ownership or investment interest in a competing
hospital.43 The Baptist Health court found sufficient evidence to support a claim for tortious interference with a business relationship, recognizing that patients have chronic cardiac problems requiring periodic treatments and, as a consequence, the relationship between appellees and their patients
39
40
41
42
43
37
38
241.1015(c).
241.1015(e)(1).
Ind. Code 16-21-2-5(2).
Va. Code Ann. 32.1-134.1.
Jefferson Parish Hosp. Dist. v. Hyde, 466 U.S. 2 (1984).
Baptist Health v. Murphy, 365 Ark. 115 (2006).
Id. at 119.
314
46
47
48
49
50
51
52
53
44
45
Id. at 124.
Id.
Id. at 127.
Id. at 129.
Id. at 130.
Murphy v. Baptist Health, No. CV 2004-2002, slip op. (Ark. Cir. Ct., Feb. 27, 2009).
Id. at 6.
Id. at 7.
Id. at 11, 13.
Id. at 14.
315
Missouri
The Missouri Supreme Court, in a decision relating to the revocation of physician privileges in
a fashion inconsistent with hospital bylaw requirements, refrained from [imposing] judicial review
on the merits of a hospitals staffing decisions, [acting] only to ensure substantial compliance with the
hospitals bylaws.54 Egan featured a credentialing decision based, in part, on ex parte peer testimony,
a procedural departure from bylaw requirements that decisions be based solely on information presented at an evidentiary hearing.
The Egan court noted that under Missouri law, a private hospitals decisions regarding staff
privileges are not subject to judicial oversight.55 However, the Egan court recognized that the adoption of Mo. Code Regs. Ann. tit. 19, 30-20.021(2)(C)1-5 required a limited departure from the
rule against judicial review. The statute states in relevant part that the bylaws of the medical staff
shall include the procedure to be used in processing applications for medical staff membership and the
criteria for granting initial or continuing medical staff appointments and for granting initial, renewed
or revised clinical privileges [and] shall provide for hearing and appeal procedures.56 The court
thus permitted the physician an injunction compelling the hospital to substantially comply with its
own bylaws before privileges may be revoked [g]iven the clear expression of public policy from the
regulation, and consistent with the overwhelming weight of authority.57
19.6.3
Alabama
In Radiation Therapy, P.C. v. Providence Hospital, the Supreme Court of Alabama upheld a
hospitals decision to transfer ownership of its oncology center to a separate entity to be run as an
office-based program. One major factor the board considered in deciding to transfer the program,
including medical and support personnel and assets, to [the new entity] was the federal Medicare
regulations adopted in 2001, which provided for more generous reimbursement of charges in an officebased practice than in a hospital-based practice.58 At a fair-hearing panel, the hospital indicated that
the boards decision to transfer was a business decision based on quality-of-care concerns and a need
to integrate cancer-care services.59 The physicians countered that the boards decision was motivated by the unsubstantiated belief that [the physicians] were not providing sufficient coverage at the
hospital.60 The fair-hearing panel found that the transfer adversely affected the clinical privileges of
[the physicians].61
The physicians asserted that the board considered criteria unrelated to quality of care.62 The
medical-staff bylaws provide that the decision of the fair-hearing panel is subject to review by the
board. According to the bylaws, the boards review of the panels decision, however, is limited to
56
57
58
59
60
61
62
54
55
316
South Dakota
The Supreme Court of South Dakota considered a case in which a hospital, in response to the
loss of operating room income, closed its medical staff for physicians requesting privileges to perform
certain spinal procedures and to perform orthopedic surgery.65 In South Dakota, a hospitals bylaws
constitute a binding contract between the hospital and the hospital staff members. It is also well settled
that when such bylaws are approved and accepted by the governing board they become an enforceable
contract between the hospital and its physicians.66
However, the Mahan court recognized that medical staff bylaws, derived from the power granted
under a hospitals corporate bylaws, only control items expressly addressed therein.67 Further, the
Mahan court stated that although some of the business decisions made by a board of directors may
affect the medical staff, merely because a decision of the [board of trustees] affects the staff does not
give the staff authority to overrule a valid business decision made by the [board of trustees]. Allowing
the staff this amount of administrative authority would effectively cripple the [board of trustees].68
19.7
65
66
67
68
63
64
Commentary
Hospitals and physicians alike need to be wary of economic trends in their respective service
areas and adjust their approaches to economic credentialing accordingly. Each should monitor
gaps in service delivery or reimbursement that could lead to the development of competitive
physician-owned specialty hospitals or ancillary facilities.
Hospital boards of trustees and medical staff boards should each ensure that their respective
bylaws contemplate economic credentialing and the extent to which economic indicators are
to play a role in the credentialing process. When economic factors are used in the credentialing process, those factors should be expressed as cost applies to quality. While courts have
split as to the appropriateness of credentialing based solely on competitive or economic considerations, combined cost-quality decisions are generally more readily accepted.
Id.
Id. at 912 (emphasis appearing in opinion).
Mahan v. Avera St. Lukes, 621 N.W. 2d 150, 153 (S.D. 2001).
Id. at 15354, (citing Read v. McKennan Hosp., 610 N.W.2d 782, 785 (S.D. 2000).
Id. at 155.
Id. at 158.
317
As bylaws and policies are revised to reflect the changing competitive environment, adhere
faithfully to those documents. In cases where boards have been granted discretion in adopting economic credentialing policies, disputes arise from the failure to apply the standards
adopted correctly.
Monitor local legal standards as they apply to economic credentialing. While states will continue to address the issue, opinions continue to diverge across jurisdictions.
19.8
Conclusion
If past history can be any guide, competition among physicians and hospitals will continue to
increase into the future. Because, in many cases, there is no clear understanding of what constitutes a
business decision as distinct from a medical decision, there will be many opportunities for hospitals
and physicians alike to assert that economic credentialing has granted one party inappropriate leverage over the other. Unfortunately, we can no more achieve a consensus on what constitutes economic
credentialing than we can conclude whether it is beneficial or not. Because the courts and state legislatures have split in their approaches to addressing this issue, the future lies wide open. If anything can
be drawn from historical approaches to the issue, however, it is that economic credentialing will likely
remain a viable business tactic, if for no other reason than a lack of clarity on what to prohibit.
318
Healthcare-Associated Infections
20
Healthcare-Associated Infections
Emily Rhinehart, RN, MPH, CIC, CPHQ
AIU Holdings, Inc.
20.1
Introduction
Healthcare-associated infections (HAI) are the focus of increased interest and scrutiny from
government agencies such as Centers for Medicare and Medicaid (CMS), private healthcare benefit
insurers, legislative bodies, and patient safety organizations. Some have opined that this increased
attention to this particular adverse outcome may lead to increasing liability and medical professional
liability claims. The history of the study of hospital-associated infections and the discipline of infection prevention and control may provide some insights into the current focus as well as some caveats
and practical advice for healthcare attorneys.
20.2
The discipline of hospital-based infection control began in the 1950s with the infection control
sisters in English hospitals and the occurrence of staphylococcal outbreaks in newborn nurseries.
The discipline became more organized through the 1960s with the interest and support of infectious
disease specialists and microbiologists and in 1972 the professional association, the Association for
Practitioners in Infection Control (APIC) was founded. (APIC is now the Association for Professionals in Infection Control and Epidemiology.) Over the past three to four decades Infection Control
Professionals (ICPs now referred to Infection Preventionists or IPs) have been supported by APIC,
the Centers for Disease Control and Prevention (CDC), the Society for Healthcare Epidemiology of
America (SHEA) and the American Society for Microbiology to develop and enhance this discipline
to its current status. While most hospital-based IPs are nurses, the field of infection prevention and
control is multi-disciplinary and in addition to nursing professionals includes physicians, microbiologists, epidemiologists, and public health professionals. Contributors from all of these disciplines have
brought infection surveillance, prevention, and control to its current prominence in healthcare with
focus on a specific adverse outcome - healthcare-associated infection.
When compared to other adverse outcomes that risk managers and legal counsel concern themselves about such as falls, medication errors, birth-related injuries, and the myriad of other events,
healthcare-associated infection are the most studied. In 1970 the CDC initiated the National Nosocomial Infection Surveillance system (NNIS) to study the occurrence of hospital-acquired (nosocomial)
infection. Through this project the CDC developed and standardized definitions and methods for
Enterprise Risk Management for Healthcare Entities, First Edition
319
Healthcare-Associated Infections
surveillance. Hospitals voluntarily participated in NNIS with 62 charter hospitals performing hospitalwide surveillance.1 By 2000, over 300 hospitals were providing data on selected sites of infection
and populations to NNIS for analysis. In addition to publishing the analysis of NNIS data,2 CDC also
published the definitions and methods for surveillance, allowing non-NNIS participants to perform
surveillance in their hospitals for comparison to the published NNIS results in order to benchmark
performance.3 No other adverse healthcare event has the benefit of this standardized, epidemiologic
approach.
In addition to sponsoring NNIS, in 1981 CDC began to publish evidence-based guidelines for the
prevention of healthcare-associated infections. Since the first Guideline for Prevention of Catheterrelated Urinary Tract Infection,4 other guidelines have addressed prevention of surgical site infection,5
healthcare-acquired pneumonia,6 and intravenous catheter-associated infections.7 Additional guidelines
address practices related to hand hygiene,8 environmental control,9 and prevention of occupational
infection in healthcare personnel.10 Most recently, the 1996 Isolation Guideline11 was revised and
resulted in two publications: Management of Multidrug-resistant Organisms in Healthcare Settings
2006 and Guideline for Isolation Precautions: Preventing Transmission of Infectious Agents in Healthcare Settings 2007.12
Infection prevention and control has also benefited from the published data and experience of IPs
and hospital epidemiologists to create a growing body of evidence for the prevention and control of
healthcare-associated infection. Many outbreaks have been described including the epidemiology and
analysis of risk variables, as well as a description of control measures and their effectiveness. There
are also studies of endemic infections that elucidate specific risk factors for various sites of infection
(e.g.,exposure to medical devices and critical care units) as well as prevention and control measures to
Monitoring Hospital-Acquired Infections to Promote Patient Safety United States, 1990-1999 MMWR March 03,
2000/49(08); 149-153.
2
CDC NNIS System. National Nosocomial Infections Surveillance (NNIS) system report, data summary from January
1992 through June 2004. Am J Infect Control 2004; 32:470-85.
3
Emori, I., Culver, D., & Horan, T. National Nosocomial Infections Surveillance System (NNIS): Description of surveillance methods. Am J Infect Control 1991; 19: 259267.
4
Wong, E.S. (1983). Guideline for prevention of catheter-associated urinary tract infections. Am J Infect Control 1983;
11, 2831.
5
Mangram AJ, Horan TC, Pearson ML, Silver LC, Jarvis WR, the Hospital Infection Control Practices Advisory Committee. Guideline for the prevention of surgical site infection, 1999. Infect Control Hosp Epidemiol 1999; Am J Infect
Control 1999; 20:247-280.
6
Tablan, OC, Anderson, LJ, Besser, R, Bridges, C, Hajjeh, R. Guidelines for Preventing Healthcare- associated Pneumonia, 2003. MMWR 2004; 53(RR03): 1-36.
7
OGrady, NP, Mary Alexander, M, Patchen ED, et. al. Guidelines for the Prevention of Intravascular Catheter-Related
Infections. MMWR 2002; 51(No. RR-10): 1 29.
8
Boyce, JM, Pittet, D. Guideline for Hand Hygiene in Health-Care Settings: Recommendations of the Healthcare Infection Control Practices Advisory Committee MMWR 2002;51(No. RR-16): 1 45.
9
Sehulster LM, Chinn RYW, Arduino MJ, et. al. Guidelines for environmental infection control in health-care facilities:
recommendations of CDC and the Healthcare Infection Control Practices Advisory Committee (HICPAC). MMWR 2003;
52 (No. RR-10): 148.
10
Bolyard, EA, Tablan, OC, Williams, WW, et. al. Guideline for infection control in healthcare personnel, 1998. Am J
Infect Control 1998;6:289-354.
11
Garner J. Guideline for isolation precautions in hospitals. Infect Control Hosp Epidemiol 1996;17:53-80.
12
Siegel JD, Rhinehart E, Jackson M, et. al. Guideline for Isolation Precautions: Preventing Transmission of Infectious Agents in Healthcare Settings, 2007. Available at: http://www.cdc.gov/ncidod/dhqp/pdf/isolation2007.pdf (accessed
05/23/08)
1
320
Healthcare-Associated Infections
protect at risk patients from infection. While there are many published articles in the medical literature
describing complications and adverse outcomes, the infection control data and evidence for prevention
and control is unparalleled.
Based upon this knowledge and the published experience in successfully preventing healthcareassociated infections,13,14 CMS has determined since some of these infections are preventable, they
will not reimburse hospitals for care related to these infections.15 In addition to several other iatrogenic conditions and beginning in October 2008, CMS will not provide reimbursement for the care of
catheter-associated urinary tract infection, catheter-associated bloodstream infection, or medianstinitis
surgical site infection related to open heart surgery. The list will be expanded in 2009 adding other
types of surgical site infection, ventilator-associated pneumonia, Staphylococcus aureus bloodstream
infection, and Clostridium difficile associated disease.16 Other private insurers have also determined
that they will not provide reimbursement for care of these infections unless they were present upon
admission to the hospital.17
This focus has drawn the attention of plaintiff attorneys as a preventable adverse outcome that
may be the basis for increasing lawsuits and claims of medical professional liability. Such claims may
be brought against the individual physicians as well as hospitals.
20.3
The incidence of healthcare-associated infection is most studied and documented in hospital settings; there is limited data from long-term care18 as well as data describing HAIs in hemodialysis
patients.19 The usual incidence (i.e., endemic occurrence) of HAIs related to other settings such as
home care, ambulatory clinics, and ambulatory surgery centers has not been studied. Experience in
these settings is most often found in the reports of outbreaks of infections.20, 21
Berenholtz, SM, Pronovost, PJ, Lipsett PA, et. al. Eliminating catheter-related bloodstream infections in the intensive
care unit. Crit Car Med 2004:32(10):2014-2020.
14
Resar R, Pronovost P, Haraden C, et. al. Using a bundle approach to improve ventilator care processes and reduce
ventilator-associated pneumonia. Jt Comm J Qual Patient Saf 2005;31(5):243-248.
15
Federal Register. 72(162): 47130-48175, August 27, 2007.
16
CMS Proposes to Expand Quality Program for Hospital Inpatient Services in FY 2009. Available at: http://www.cms.
hhs.gov/AcuteInpatientPPS/IPPS/itemdetail.asp?filterType=none&filterByDID=0&sortByDID=4&sortOrder=descendin
g&itemID=CMS1209719&intNumPerPage=10 (accessed 05/23/08)
17
Promoting Patient Safety: CIGNA to Stop Reimbursing Hospitals for Never Events and Avoidable Hospital Conditions (press release April 17, 2008). Available at http://newsroom.cigna.com/article_display.cfm?article_id=888. (accessed
5/24/08)
18
Tsan L, Davis C, Langberg R, et. al. Prevalence of nursing home-associated infections in the Department of Veterans
Affairs nursing home care units. Am J Infect Control. 2008;36(3):173-179.
19
Klevens RM, Edwards JR, Andrus ML, et al. Dialysis Surveillance Report: National Healthcare Safety Network
(NHSN)-data summary for 2006. Semin Dial. Jan-Feb 2008;21(1):24-8.
20
Acute Hepatitis C Virus Infections Attributed to Unsafe Injection Practices at an Endoscopy Clinic Nevada, 2007.
MMWR 2007;57(19);513-517.
21
Do, AN, Banerjee, R, Barnett B, Jarvis W. (1999) Bloodstream infection associated with needleless device use and the
importance of infection control practices in home health care setting. Journal of Infectious Diseases 179:442-4428.
13
321
Healthcare-Associated Infections
In 2007, authors from CDC published Estimating Health Care-associated Infections and Deaths
in US Hospitals, 200222 based upon data from NNIS and extrapolating data from other sources. This
much quoted paper estimates that 1.7 million patients acquired HAIs as the result of hospital care that
year. By their calculations, the authors estimate that these infections were related to 99,000 deaths,
making HAI the leading cause of death in the US. While acknowledging the limitations of the report
based upon its methodology, the authors emphasize the sobering need for improved infection surveillance, prevention, and control efforts.
Most if not all US hospitals perform some type of HAI surveillance since it is required for accreditation by the Joint Commission. The priorities for surveillance are based upon the risk and frequency
of infection, as well as the potential for prevention and control. Cases of potential HAI may be initially
identified by the IP through discussion with nurses, physicians, and other providers as well as review
of culture results and other laboratory data used for screening. Once a patient meets screening criteria,
the IP abstracts the prescribed surveillance data from the medical record in order to assess the infection
in each patient as well as prepare to aggregate the data into a periodic report (usually monthly). HAI
data is tracked and trended in an ongoing fashion to identify increases over previous periods as well as
identify newly emerging risks related to new procedures or newly emerging organisms. Surveillance
data may also detect clusters or outbreaks of HAI.
Surveillance data is principally organized by infection site (e.g., urinary tract, pneumonia, surgical site infection, etc.), location of care (e.g., ICU) or surgical service for surgical site infections, and
causative organism (e.g., S. aureus, E. coli, K. pneumonia, etc.). Rates of infection for the selected
period of surveillance are calculated in order to compare the current incidence with previous periods of
surveillance. Rates may also be compared to external benchmarks such as NNIS or to published data.
In 2002, urinary tract infections (UTI) were the most frequent HAI, contributing 32% of all infections. Surgical site infection (SSI) was the second most prevalent at 22% followed by pneumonia
(15%) and bloodstream infection (14%). All other sites of HAI account for the remaining 17%; this
would include infections such as skin and soft tissue infections, central nervous system infections and
eye infections, as well as other miscellaneous, less frequent sites of HAI. As the authors point out, SSI
is likely underestimated with the surveillance for this type of infection highly challenged since surgical
site infections frequently do not become evident until after discharge given the significant reduction
in post-operative length of stay in the past decade. Thus, SSI is underreported and under recognized
by most hospital-based surveillance programs. Not surprisingly, many of the HAIs occur in the ICU
population including 11% of SSIs and 25% of bloodstream infections. In critical care patients, pneumonia was the site most frequently associated with death.
IPs have calculated rates of infection within their hospitals for many years, stratifying data by site
of infection as described above as well as by relationship to device exposure. Thus, rates of catheterassociated UTI are calculated using catheter days as the denominator. NNIS reports the rate of UTI as
Klevens RM, Edwards JR, Richards CL Jr, Horan TC, Gaynes RP, Pollock DA, Cardo DM. Estimating health careassociated infections and deaths in U.S. hospitals, 2002. Public Health Rep. 2007 Mar-Apr;122(2):160-6.
22
322
Healthcare-Associated Infections
3.0 to 6.7 per 1,000 urinary catheter days in ICU patients.23 Catheter-associated bloodstream infections
are estimated to occur in ICU patients at 5.3 infections per 1,000 catheter days.24 Risk and incidence for
ventilator-associated pneumonia (VAP) appears to vary by length of intubation, underlying illness and
need for ventilator support; the longer a patient is intubated requiring ventilator support, the greater
the risk for developing VAP. Patients undergoing mechanical ventilation for more than 48hours have a
10% to 20% risk of developing VAP. 25 NNIS reports the cumulative incidence of VAP in ICU patients
to range from 2.9 to 15.2 cases per 1,000 ventilator days.26
The risk and incidence of surgical site infections is a bit more complicated and may involve
the stratification of risk using several methods and indices. The fundamental risk is described in a
strategy to apply a wound classification, based upon the intrinsic contamination of the surgical site.27
SeeTable1. Early studies using this stratification to predict the risk of SSI continue to be used as general benchmarks for risk. In their seminal study of 1980 which summarized 10 years of surveillance,
Cruse and Foord estimated the rate of SSI for clean wounds at 1.5%, clean contaminated wounds
at 7.7%, contaminated wounds at 15.2%, and dirty wounds at 40%.28 Eventually, CDC published
comparison rates based upon NNIS data describing the incidence of clean wounds at 2.1%, clean contaminated wounds at 3.3%, contaminated wounds at 6.4%, and dirty wounds at 7.1%.29 Many studies
involving various types of surgeries and populations have been published since to provide many more
reference data for the risk of SSI in specific types of surgery.
In addition to the site of infection, descriptive analysis of HAIs includes the type of organisms
causing each infection, expanded to describe the overall etiology of HAI at the specific site. For
example, UTI is most frequently caused by gram negative bacteria found in the bowel (e.g., E. coli,
Enterobacter sp.). While most community-acquired pneumonia is caused by gram positive organisms
such as Staph sp. and Strep sp., VAP is more commonly caused by gram negative organisms including Pseudomonas aurugenosa, Enterobacter sp., and Klebsiella sp. According to NNIS, nosocomial
pneumonia is caused by gram negative organisms 64% of the time.30 In contrast, catheter-associated
bloodstream infection is most often caused by gram positive organisms such as S. aureus, S. epidermidis, and Enterococcus sp.31 Organisms causing SSI may vary by site of operation, however gram
National Nosocomial Infections Surveillance (NNIS) System Report, data summary from January 1992 through June
2004, issued October 2004. Am J Infect Control 2004;32:470-85.
24
National Nosocomial Infections Surveillance (NNIS) System Report, data summary from January 1992 through June
2004, issued October 2004. Am J Infect Control 2004;32:470-85.
25
Crnich, CJ, Safdar N, Maki D. The role of the intensive care unit environment in the pathogenesis and prevention of
ventilator-associated pneumonia. Respir Care. 2005 Jun;50(6):813-36; discussion 836-8.
26
National Nosocomial Infections Surveillance (NNIS) System Report, data summary from January 1992 through June
2004, issued October 2004. Am J Infect Control 2004;32:470-85.
27
National Academy of Sciences National Research Counsel. Postoperative wound infections: the influence of ultraviolet
irradiation of the operating room and of various other factors. Ann Surg 1964; 160(suppl 2):1 132.
28
Cruse PJE, Foord R. The epidemiology of wound infection. A 10 year prospective study of 62,939 wounds. Surg Clin
North Am 1980;60:27-40.
29
Culver DH, Horan TC, Gaynes RP, et. al. Surgical wound infection rates by wound class, operative procedure and
patient risk index. Am J Med 1991;91 (suppl 3B):152-157.
30
Richards MJ, Edwards JR, Culver DH., et. al. Nosocomial infections in medical intensive care units in the US. Crit
Care Med 1999;27:887-892.
31
National Nosocomial Infections Surveillance (NNIS) System Report, data summary from January 1990 through May
1999, issued June 1999. Am J Infect Control 1999;27:520-532.
23
323
Healthcare-Associated Infections
positive organisms such as S. epidermidis and S. aureus predominate. In surgeries involving the lower
gastrointestinal tract, gram negative organisms from normal bowel flora can cause wound infections
and other abdominal infections as a post operative complication.
The epidemiology and causative organisms of HAIs has changed in the past decade due to the
significant increase in multidrug-resistant organisms (MDRO) such as methcillin-resistant S. aureus
(MRSA) and vancomycin-resistant enterococcus (VRE). MDROs are defined as bacteria that are resistant to one or more classes of antibiotics. They are usually named for one representative class of
antibiotics to which they are resistant (e.g., methcillin as a type of penicillin). However, MDROs are
usually resistant to most of the antibiotics that may be available for treatment.
First reported in 1968, MRSA has been around for several decades. However, its prevalence
has increased over time and public interest has increased significantly. In the early 1990s, MRSA
accounted for approximately 20-25% of all Staph aureus isolates from hospitalized patients.32 By
2003, 59.5% of the Staph aureus isolates from ICUs in hospitals participating in NNIS were methcillin-resistant.33MRSA is predominantly seen in lower respiratory tract infections and surgical site
infections, but also causes bacteremia and cardiovascular infections. Further review of MRSA in hospitalized patients in 1999-2005 reveals that hospital patients with MRSA increased 119%.34 By site
of infection, MRSA bloodstream infection increased from 41% to 54%; MRSA pneumonia increased
from 52% to 58% and other sites saw increases from 41% to 60%. These sites include infections coded
as cellulitis and abcess as well as surgical site infections. These rates are estimates based upon data
from the National Hospital Discharge Survey (NHDS), then extrapolated to all hospital discharges
for the period. Others have published data describing the increases in community-associated MRSA,
warning that its impact on hospitalized patients is increasingly evident and complicates efforts to
identify, prevent, and control MRSA in hospitals.35
Many variables have contributed to the increasing prevalence of MDROs including overuse of
antibiotics, higher acuity of hospitalized patients and prolonged length of stay, staffing shortages,
insufficient attention to hand hygiene, lack of compliance with isolation precautions, and insufficient
cleaning and disinfection of the hospital environment and equipment.
HAIs also occur in clusters and outbreaks of infection that are usually detected because they are
caused by the same infecting organism in a specific group of patients. This might include patients in
the same ICU or other patient care unit or those undergoing the same invasive procedure or surgery. IPs
are continuously in contact with the microbiology laboratory that serves as the sentinel for detecting
unusual increases as early as possible. Microbiologists may also detect new or unique microorganisms
as they are identified and tested against antibiotics. The trigger for an outbreak investigation may vary
Boyce JM, Jackson MM, Pugliese G, Batt MD, Fleming D, Garner JS, Hartstein AI, Kauffman CA, Simmons M, Weinstein R, et al. Methicillin-resistant Staphylococcus aureus (MRSA): a briefing for acute care hospitals and nursing facilities.
The AHA Technical Panel on Infections within Hospitals. Infect Control Hosp Epidemiol. 1994 Feb;15(2):105-15.
33
See supra note 2.
34
Klein E, Smith DL, Laxminarayan R. Hospitalizations and deaths caused by methicillin-resistant Staphylococcus aureus,
United States, 19992005. Emerg Infect Dis. 2007 Dec. Available from http://www.cdc.gov/EID/content/13/12/1840.htm
35
Klevens RM, Morrison MA, Nadle J. et. al. Invasive methcillin-resistant Staphylococcus aureus infections in the
United States. JAMA 2007;298(15):1763-1771.
32
324
Healthcare-Associated Infections
but in general the IP and hospital epidemiologist would initiate some type of investigation if the incidence of HAI in a particular group of patients (e.g., patients undergoing open heart surgery) appeared
to be greater than seen historically. For example, a hospital may know that its baseline rate of SSI in
cardiothoracic surgery is 1.8% historically and then sees an increase to 3% in one month, the surveillance data would be carefully examined to determine if a more robust investigation was warranted.
As mentioned, outbreaks of nosocomial infection may occur after specific types of surgery36 or
in specific patient care units.37 Occasionally, hospitalized patients become infected after exposure to a
healthcare worker with a communicable disease38 or to a common source that is contaminated with a
pathogenic organism.39 A full scale outbreak investigation is required to determine the cause or source
of the outbreak so that appropriate control strategies can be put into place to prevent further infections.
If the hospital staff cannot determine the cause of the outbreak and it continues, consideration should
be given to obtaining external assistance from the state health department or from the CDC Epidemic
Intelligence Service.
US hospitals have had infection prevention and control programs since the early 1970s. Program
responsibilities, resources, and organization have been guided by APIC and the Joint Commission
standards for Surveillance, Prevention and Control of Infection. The American Hospital Association
was also proactive in infection control in the 1970s and 1980s. In addition to performing surveillance
for HAIs, IPs are also responsible for implementing and monitoring prevention and control measure to
reduce the risk of infection in patients, staff, volunteers, and visitors. IPs continuously review patient
care procedures in all departments to assure the appropriate actions and processes for infection prevention are in place. The responsibility is broad in scope including basic strategies such as hand hygiene
(i.e., frequency, type of agent, etc.) to more technical strategies such as the appropriate cleaning and
reprocessing of reusable devices and instruments such as endoscopes. The IP is often the go to person for resources related to cleaning and disinfection of the hospital environment to sterilization and
disinfection of patient care devices and equipment. Similar to the role of the healthcare risk management professional, the IP is very knowledgeable of the operations of most departments and functions
involved in patient care.
One of the major documents within the Infection Control Program is the policy and procedure
for isolation precautions. Using the CDC guidelines for isolation40 and management of MDROs for
guidance, IPs organize and author the institutional procedures and then provide ongoing education and
consultation for their application.
Cooper MP, Lessa F, Brems B, Shoulson R, York S, Peterson A, Noble-Wang J, Duffy R, McDonald LC. Outbreak of
Enterococcus gallinarum infections after total knee arthroplasty. Infect Control Hosp Epidemiol. 2008 Apr;29(4):361-3.
37
Maragakis LL, Winkler A, Tucker MG, Cosgrove SE, Ross T, Lawson E, Carroll KC, Perl TM. Outbreak of Multidrug-Resistant Serratia marcescens Infection in a Neonatal Intensive Care Unit. Infect Control Hosp Epidemiol. 2008
May;29(5):418-23.
38
Bryant KA, Humbaugh K, Brothers K, Wright J, Pascual FB, Moran J, Murphy TV.
Measures to control an outbreak of pertussis in a neonatal intermediate care nursery after exposure to a healthcare worker.
Infect Control Hosp Epidemiol. 2006 Jun;27(6):541-5.
39
Matrician L, Ange G, Burns S, Fanning WL, Kioski C, Cage GD, Komatsu KK. Outbreak of nosocomial Burkholderia
cepacia infection and colonization associated with intrinsically contaminated mouthwash. Infect Control Hosp Epidemiol.
2000 Nov;21(11):739-741.
40
See supra note 12.
36
325
Healthcare-Associated Infections
The Infection Control department is also frequently responsible for occupational health issues
related to prevention of infectious diseases among staff, volunteers, and visitors. In addition to teaching
staff about isolation procedures to prevent exposures to patients with known or suspected communicable illnesses, IPs may also develop immunization programs to prevent infection should exposure
occur (e.g., hepatitis B and influenza). IPs investigate reported exposures to communicable diseases
and take action as appropriate to prevent illness in the exposed individual (e.g., providing prophylactic
antibiotics), monitor exposed individuals for the development of the illness, and then may have to
exclude healthcare workers from patient care duties to avoid exposing others.41 These activities contribute to the mitigation of workers compensation claims.
The discipline of infection prevention and control has been challenged by many developments
in the past several decades including new diseases such as HIV/AIDS and Legionnaires disease to
the more current shifts in the epidemiology of HAI and the increase in MRSA and other MDROs. It
appears that even greater challenges may be on the horizon as the healthcare industry and the society as
a whole focus increased scrutiny on patient safety and preventable adverse outcomes in healthcare.
20.4
Although HAIs are frequent adverse outcomes related to hospitalization, there is little case law
to demonstrate the actual liability exposure or frequency of claims directly related to HAIs. When
searching for jury verdicts and settlements, one finds few citations. When searching the medical literature, there are also few peer review articles describing the incidence of HAIs in medical professional
liability claims. One study conducted by the American College of Surgeons42 analyzed 460 closed
claims to evaluate the nature of the claimants injury and the contributory factors relating to the quality of care. The most common claims involved injury to the bile duct (12%), bowel (9%), and blood
vessels (9%). However, infections were also prevalent with 6% of patients experiencing SSIs and 14%
with infections at other sites. It is not clear in the analysis which specific injury was the primary cause
for filing the claim.
Another study which focused specifically on medical professional liability claims due to HAIs in
Philadelphia describes the analysis of 154 cases.43 The vast majority involved SSIs in clean surgical
wounds (75%) with orthopedics representing the largest number of cases followed by general surgery
and cardiac surgery. MRSA (n=45) and Staph epidermidis (n=27) were the most prevalent organisms
causing infection. Interestingly, the authors report that 72% of the cases were either settled or withdrawn. Those that went to litigation resulted in a plaintiff verdict 60% of the time. Although this is a
small sample from a single venue, one wonders if the lack of citations for jury verdicts and evidence
of medical professional liability claims brought primarily on the basis of HAI are more often than not
settled prior to litigation.
326
Healthcare-Associated Infections
While these articles focus on claims brought against individual physicians, hospitals are also at
risk for medical professional liability claims related to HAIs. This may be more common when there
is a significantly high incidence of infection among a specific patient population. In 2004, a Tenetowned hospital in Palm Beach Gardens, Florida settled 106 individual lawsuits with plaintiffs who
experienced infection following open heart surgery, including 20 deaths. The total settlement was
$31million.44 Twenty individual claims were brought against Jewish Hospital in Louisville, Kentucky
in 2004, all related to HAIs caused by MRSA. Plaintiffs were represented by the same attorney who
contended that the infections which occurred between 2002 and 2004 were due to gross negligence on
the part of the hospital.45
With the increased attention to HAIs and recent actions by CMS to deny payment of these potentially preventable complications, some healthcare attorneys predict that there will be an increase in
medical professional liability claims related to HAIs.46 This potential threat is also evidenced by the
increasing number of plaintiff websites that encourage patients and families to have their case reviewed
if they have experienced an adverse medical event including a healthcare-associated infection. Many
also discuss MRSA and imply that some negligence may have occurred if a patient has experienced an
infection with this specific organism.
More publically available data on HAIs may also contribute to this potential trend. In the past
several years, many states have enacted legislation to require public reporting of HAIs in some form.
Most of the states (22 at the time of this writing) require public reporting of aggregate rates of infections while others (2 at the time of this writing) require confidential reporting of rates to the state.47
Another half dozen states have various laws related to the reporting or screening and identification
of patients with MRSA.48 At the federal level, both the Senate and the House have introduced bills to
improve the prevention and detection of MRSA.49
The professional infection control organizations as well as CDC recognize the motivation for such
action to inform and protect the public. However, they have responded to these legislative mandates
in order to call attention to the potential perils of both types of legislation. While the definitions and
methods for HAI surveillance are well standardized, as described above, they were not developed with
the intention of public reporting of the data. Thus, in its 2005 paper Guidance on Public Reporting
of Healthcare-Associated Infections: Recommendations of the Healthcare Infection Control Practices
Advisory Committee (HICPAC),50 the committee provides guidelines on selection of reportable met Singer G. Tenet paying $31 million to settle suits. South Florida Sun-Sentinel. December 24, 2004.
http://us.f501.mail.yahoo.com/ym/ShowLetter?Msgld=8844_856326_6515_1156_48780_0_5. (accessed 05/24/08)
45
Riley J., 20 Lawsuits target Jewish Hospital over Infections. Courier-Journal.
http://www.courier-journal.com/localnews/2004/07/01ky/A1-jewish0701-10720.html. (Accessed 5/24/08)
46
Brown C, Mitchell KN, Scott KP. Litigation Impact of Never Events. Health Lawyers News (February 2008)
47
Summary of state activity on Hospital-acquired infections. (January 2008) Consumers Union. www.consumersunion.
org/campaigns/stophospitalinfections/learn.html (accessed 05/30/08).
48
http://www.apic.org/scriptcontent/custom/dyncontent/legislation/index. cfm?section=government_advocacy (accessed
05/30/08).
49
Congressional Legislation 110th concerning hospital infection reporting and antibiotic resistant infection detection
and prevention. (January 2008) Consumers Union. www.consumersunion.org/campaigns/stophospitalinfections/learn.
html (accessed 05/30/08).
50
Linda McKibben, MD,a Teresa Horan, MPH,b Jerome I. Tokars, the Healthcare Infection Control Practices Advisory Committee. Guidance on Public Reporting of Healthcare-Associated Infections: Recommendations of the Healthcare
44
327
Healthcare-Associated Infections
rics (process and outcome) appropriate for the type of facility as well as recommendations to improve
the reliability of the data. A stronger response was published by APIC and SHEA to the increasing
frequency of legislation related to MRSA detection and prevention.51 In this joint publication, the
organizations express their concerns over governmental mandates for the widespread use of active
surveillance cultures for detection of MRSA and other MRDOs, pointing out the lack of standard
methods, expense and stress on limited resources and the preference for a more targeted, planned
approach based upon a risk assessment within each organization.
More concern of litigation may arise from the identification of certain HAIs as never events,
suggesting that they are fully preventable. As described above, CMS has identified several HAIs (catheter-associated urinary tract infection, catheter-associated bloodstream infection, and medianstinitis
surgical site infection) for which hospitals will not receive reimbursement for care beginning in October
2008.52 This list expands in 2009 to include other types of surgical site infection, ventilator-associated
pneumonia, Staphylococcus aureus bloodstream infection, and Clostridium difficile associated disease.53 Commentary is emerging at the time of this writing regarding the rule changes by CMS54 and no
doubt the debate will continue. The concern expressed in a recent commentary regarding the increase
in liability exposure related to these conditions is that the plaintiffs bar will argue that these events are
preventableas declared by CMS.
20.5
While the surveillance, prevention, and control of HAIs is the primary responsibility of the infection prevention and control department, risk managers and legal counsel need to be aware of the
external expectations, standards, and requirements in order to support infection prevention and control
efforts and avoid potential accusations of negligence when HAIs occur. Failure to comply with these
standards may lead to increased liability exposure and come to bear in light of a medical professional
liability claim. Thus, legal counsel can protect organizational assets by helping to assure infection prevention and control programs are comprehensive in their compliance with current standards of care.
They should also assure that surveillance programs are sufficiently robust to monitor trends in HAI as
well as identify newly emerging problems.55
Healthcare-Associated Infections
20.6
As outlined above, strategies for prevention and control of HAIs are found primarily in the CDC
guidelines. Legal counsel should be aware of the external guidelines from CDC and other professional
organizations that may be viewed as the standard of care in medical professional liability litigation.
Thus, review and compliance with the various guidelines is critical.
Application of the recommended practices within the CDC IV guideline56 was significantly
enhanced by the Institute for Healthcare Improvement (IHI) through their 100K Lives Campaign.57
The approach to bundle insertion and care procedures for central IV lines has become the standard
approach with evidence that it prevents CA BSI.58 Prevention of VAP using the IHI bundle has had
similar success and adoption, thus becoming a standard of care.59 APIC has published a resource document for control of MRSA60 that enhances the MDRO guideline.
Efforts to prevent SSIs have been significantly enhanced through a national quality improvement
project called the Surgical Care Improvement Project or SCIP. Modeled on an initial project by the
Veterans Administration, other organizations including state-based Quality Improvement Organizations
and the American College of Surgeons adopted several evidence-based measures for prevention of SSI
as well as other surgical complications (e.g., adverse cardiac events and deep vein thrombosis).61 The
infection prevention strategies in SCIP include: (1) selection of the appropriate prophylactic antibiotic
and (2) administration within one hour prior to the initiation of surgery; (3) discontinuing antibiotics within 24 hours of surgery; (4) removing hair from the surgical site using clippers, not razors;
(5)monitoring and controlling serum glucose in cardiac surgery patients; and (6) returning patients
undergoing colon surgery to normothermia immediately post-operatively.
Once the practices from CDC guidelines and other sources to improve quality of care are incorporated into patient care procedures, the healthcare organization must educate staff (including attending
physicians and trainees) regarding the specific requirements of each procedure (e.g., use of a surgical
drape for the insertion of a central venous line). Education should be documented including a content
outline as well as a record of attendees. Subsequently, staff compliance with the procedures should be
monitored to ensure conformity. If compliance is not 100%, action must be taken to remove any barriers for compliance and assure ongoing, 100% compliance. If lack of compliance is based on behavior,
non-compliant individuals must be confronted and expectations for compliance made clear. The IP
will continue to monitor the outcomes of care (HAI) through routine surveillance and analysis of the
data.
329
Healthcare-Associated Infections
While this approach may seem overwhelming, a comprehensive approach involving Infection
prevention and Control, clinical staff, and the support of administrative leadership is necessary to
assure that current evidence-based practices are incorporated into organizational practice and such
practices are monitored. If a medical professional liability claim is brought in light of a CA BSI, VAP
or other HAI, lack of evidence of these types of efforts may weaken defense.
In addition to compliance with specific patient care practices, compliance with hand hygiene is
also a critical component of prevention and control of HAIs. The issue of hand hygiene has been challenging since its importance was recognized in the mid 1800s by Semmelweis in his efforts to prevent
puerperal fever. Many papers from the past two to three decades have confirmed the extreme lack of
compliance with prescribed hand hygiene procedures and frequency as outlined in the CDC guideline
on hand hygiene.62 With increased public awareness of HAI, visible and consistent hand hygiene practice is critical. Legal counsel can support this effort by assuring that staff have been properly educated
about the importance of hand hygiene and that compliance is monitored. As outlined above, if compliance is not 100%, barriers must be removed and a clear expectation for compliance by all staff must
be communicated by organizational leadership.
Legal counsel can also assure that all deliberations and actions related to prevention and control
efforts are documented in committee minutes, policies and procedures, and other appropriate methods.
If compliance with national guidelines is not implemented, discussion and rationale for an alternative approach should be well documented in minutes or other documents. Most hospitals continue to
maintain an Infection Control Committee; this would seem a logical body in which to conduct these
reviews and discussions and make recommendations to higher-level committees which oversee patient
safety.
20.7
In the past, surveillance of HAI was performed in a routine manner, data was reported to the Infection Control Committee and filed, and assuming that if the incidence of infection had not changed and
the rates were consistent with those reported by NNIS, no follow-up action was necessary. The current
environment and increased focus on HAIs mandates a more proactive approach not only in anticipation of public reporting, but to assure preventable infections are not occurring. Thus, the incidence
of infection at each site must be examined and analyzed to determine if there were breaches in the
process of care that may have contributed to the adverse outcome. Such analysis and discussion should
be documented in committee minutes. Any potential breaches should be investigated with results
subsequently documented, including actions to assure strict compliance with appropriate prevention
strategies. Legal counsel should provide guidance in determining if these discussions should be protected and then how to do so.
As surveillance results related to SSIs are reviewed and analyzed, in addition to the CDC guidelines recommendations for the prevention of SSIs,63 compliance with the various components of SCIP
should also be examined, especially if infections are occurring. If they have not been fully adopted,
See supra note 8.
See supra note 5.
62
63
330
Healthcare-Associated Infections
legal counsel can be instrumental in gaining commitment from the chief of surgery and the surgical
departments in adopting SCIP. Many IPs are currently monitoring compliance with SCIP measures as
part of their surgical site infection surveillance. As mentioned above, failure to comply with national
patient care standards such as those identified in SCIP may put hospitals at increased risk. The healthcare organization may be the target of professional liability claims if it is not fulfilling its duty to assure
quality care. Failure to adopt and monitor strategies such as those incorporated in the SCIP project can
lead to a poor defense should lawsuits be brought against individual physicians or against the hospital
for failure to monitor and prevent these occurrences.
Data reviewed by the Infection Control Committee relating to SSIs may or may not include surgeon-specific rates. Such data would usually not be reviewed by the committee unless there was a
significant difference in inter-surgeon rates. Legal council should work with the Infection Control
Committee chair (usually a physician) to assure such data is reviewed in a setting that provides protection for peer review.
20.8
Public reporting of HAIs should not be undertaken without full understanding of the requirements for such reporting as well as an intelligent organizational approach when planning compliance
with such reporting. Legal counsels role in this challenge is critical and requires that first he or she
understand the recommended methods for HAI surveillance and assure the methods are appropriately
applied to assure reliable data. This may require the assistance and assessment by external experts who
are more familiar with the methods and application of definitions of infection as proposed by NNIS.
Once the internal process is viewed as satisfactory, the external requirements for state reporting must
be reviewed and analyzed to assure compliance and to avoid provision of inappropriate or unnecessary
data. While hospitals must be compliant with the required reporting, legal counsel can guide and direct
the IP regarding the provision of the information as required. An internal review of the data should
be initiated prior to any release to the state agency; such a process should include legal counsel not
only to assure compliance, but to alert them to any data that demonstrates rates of infection that may
appear to be adverse to the organization. Risk reduction strategies to decrease infection rates should be
discussed and implemented at this time if the organization has not already done so.
20.9
Outbreak Investigation
331
Healthcare-Associated Infections
to trigger an outbreak investigation. However, most IPs would initiate an investigation based upon
the occurrence of a single finding of an unusual organism in a clinical culture (either a rare or unusual
organism or an unusual sensitivity pattern) or an increase in the incidence of a specific HAI (e.g., surgical wound infections in a specific type of surgery, bacteremia in a patient population). The increased
incidence does not have to be statistically significant (that can take too long to determine and will be
part of the analysis of the outbreak, if appropriate).
When an investigation is initiated, even preliminarily, the IP should document discussions of
the situation with the hospital epidemiologist, risk management professional, and other administrative and clinical staff in memos and/or reports. Decisions for additional investigative activities (e.g.,
surveillance cultures) as well as prevention and control activities (e.g., information about the increase
in infections to clinical staff with reinforcement of the importance of hand hygiene) should also be
documented. Legal counsel can assist the IP in providing guidance regarding the level of detail and
format in which to record these discussions and activities. Such documentation not only facilitates
communication within the organization, but memorializes discussions and actions should a lawsuit be
filed and information beyond that found in the patients medical record is needed.
Outbreaks can occur from a variety of causes. Some are caused by a single reservoir of contamination such as contaminated antiseptics or problems in processing endoscopes. In most cases, infectious
organisms are spread from one patient to another via the hands of healthcare staff. This may occur
more frequently in an ICU setting where the patients have more indwelling devices and patients are
not in single rooms. Inadequate hand washing sinks or poor compliance with hand hygiene by healthcare staff may also contribute to transmission. Rarely, outbreaks are related to a single human carrier
who transmits the infectious agent to patients (e.g., S. aureus). Occasionally, IPs will note an increase
in SSIs from a single surgeon. In such a scenario, the investigation would focus on the peri-operative
care including selection and administration of prophylactic antibiotics, as well as other facets of surgical care. In these circumstances the same type of documentation should be maintained as in any other
outbreak investigation. However, such investigations and their documentation should be conducted to
assure peer review protection. Legal counsel should assist the IP as well as the medical staff leadership
to assure this protection.
20.10
Governing bodies and senior executives of hospitals are responsible for the quality of care provided, including prevention and control of healthcare-associated infections. In the past they have relied
upon the IPs and hospital epidemiologists to manage the infection prevention and control program.
However, the stakes have been raised with the recent CMS rule changes, public reporting of infection rates, and the overall increasing public interest in HAIs including MRSA. Failure to give proper
attention to these issues can result in lost revenue as well as damage to reputation, should an outbreak
of infection occur and be reported in the press or an individual infection resulting in a medical professional liability claim occur. The former event can result in an investigation by state authorities,
resulting in a public record which can be accessed by plaintiffs attorneys as well as the general public.
Court records and testimony from individual litigation can also be accessed.
332
Healthcare-Associated Infections
Board members and senior management should all be educated about the current events around
healthcare-associated infections. They should also be aware of the organizations own infection prevention and control efforts as well as results of surveillance. This can be accomplished through regular
reporting and review of surveillance data through the Boards quality or patient safety committee.
Some initial education regarding infection prevention, control and surveillance of HAIs may be helpful to provide a baseline of understanding. Provision of external benchmark data such as NNIS data
may also be helpful. Healthcare organizations in states with requirements to report infection data will
be under additional scrutiny; thus the Board must be brought up to speed on the state requirements as
well as the healthcare organizations own data that will be reported and made public. Legal counsel
can be very helpful in adding to the information provided by the IP and providing direction and advice
on reporting of data as well as documenting internal review and efforts to reduce risk.
20.11
Commentary
Infection Control (IC) professionals have worked for over four decades to develop standardized
surveillance systems for HAIs. This effort has resulted in significant data as benchmarks for all sites
of infection and the related risk factors. In addition, the discipline has developed evidence-based best
practices to minimize and prevent HAIs. Infection surveillance, prevention and control programs are
the model for patient safety. Thus, infection prevention and control has become a focus of legislative
and regulatory bodies as well as private healthcare insurers; many predict that plaintiffs attorneys
will be next to focus on this ostensibly preventable adverse outcome of healthcare. In their continuing
effort to avoid liability and protect the assets or their organization, legal counsel must also focus on the
structure and processes to prevent HAIs.
Such a focus should lead legal counsel to:
Become educated on the current incidence of HAI in their organization with a focus on surgical site infection and the incidence of infection at all sites in the ICU populations;
Identify clinical areas or populations where surveillance data indicates opportunities for
reducing risk and the incidence of infection, in collaboration with IC professionals and those
responsible for patient safety;
Become knowledgeable about current policies and procedures for the prevention of HAI and
the compliance with current best practices;
Identify areas of non-compliance and determine if changes are necessary and practical,
with special focus on prevention of SSIs and selection and administration for prophylactic
antibiotics;
Determine what public reporting is currently required or anticipated, along with specific
requirements in order to guide IPs in preparation and submission of reports;
Become a member of the infection control team to assure awareness of special incidents
involving actual or potential HAIs and any investigations of unusual infections;
Offer support to the infection prevention and control function to assure appropriate and sufficient resources;
333
Healthcare-Associated Infections
Provide guidance regarding the protection of infection control information and data for quality assurance and peer review purposes; and
20.12
Conclusion
As should be evident from the discussion above, the infection prevention and control function
is complex, reaching into all aspects of the organization. Hospital administrators and boards have
relied upon the diligence of the IPs and Infection Control Committee chairs to ensure that the patient
care procedures are compliant with currently published best practices. Joint Commission standards
for Infection Surveillance, Prevention, and Control set organizational requirements for leadership
accountability and organizational support and oversight of the function. In most organizations most of
the time, leadership assumes the prevention and control of HAIs is continuing successfully. However,
if there is an event that brings actual or potential professional liability then the leadership engages
more proactively to determine if there is a problem and if additional actions are necessary to address it.
Such an approach is no longer adequate nor practical. Governing bodies, senior management, clinical
leaders, and medical staff leaders must be more proactive in assuring the surveillance, prevention, and
control of HAIs is being conducted in a robust manner with the appropriate resources. This includes
sufficient staff to perform the function with adequate resources (e.g., computer software for surveillance, administrative assistance for obtaining surveillance data) as well as opportunities for education
to assure that staff are aware of current issues and standards of care. It also includes adequate laboratory
support as well as appropriate microbiology and serologic laboratory resources. More sophisticated
laboratory resources such as pulse-field gel electrophoresis that may be useful in an outbreak investigation should be made available from reference laboratories or state labs.
Legal counsel and the risk management function should be proactive in assuring the infection
control function is adequate and appropriate to organizational needs. Occasionally, a sentinel event
will involve a death or adverse outcome related to an HAI. The IP should be intimately involved in the
root cause analysis of such events. Along with clinical staff, the IP can assist in determining if there
was any deviance from the expected behavior or care in prevention of infections.
There is a strong parallel to be drawn between risk management and infection control in that each
function may be lead by a professional who is trained and certified in the specific discipline. However,
neither professional can fully implement or manage their specific function without the understanding,
cooperation, and support of the leadership, including legal counsel.
334
Healthcare-Associated Infections
Wound Class
Description
Class I or
A normally sterile space. No
Clean wound
inflammation encountered. Wound
primarily closed and drained, if necessary, with closed drains.
Space where normal flora is
Class II or
Clean-contam- encountered.
inated wound A minor break in surgical asepsis in
a Class I surgery would become a
Class II.
Class III or
contaminated
wound
Class IV or
dirty and
infected
wounds
Examples
Orthopedic, neurologic, cardiovascular
surgeries
Predicted
Incidence of
infection30
2.1%
Surgery of the
respiratory, urinary,
gastrointestinal
or genital tracts
under controlled
conditions.
Traumatic surgery
such as orthopedic
or neurosurgery.
3.3%
Surgery to drain
abdominal sepsis;
amputation of an
infected, necrotic
limb.
7.1%
6.4%
335
21
The Patient Experience, Transparency, and ERM
Terie Zimmerman, RN, BSN, JD, ARM, CPHRM, DFASHRM
VP Chief Quality, Risk and Patient Safety Officer, Community Mercy Health Partners
21.1
Introduction
This chapter will provide an overview of the application of Enterprise Risk Management
(ERM) principles to patient safety and quality. ERM is a technique applied across multiple settings
within an organization to identify risks and apply effective risk management strategies to limit the
repercussions that those risks present.1 Patients and the healthcare workers and providers within its
walls are the healthcare organizations greatest assets.
In applying ERM principles to the context of patient safety, healthcare attorneys must be aware
of the potential injury facing consumers seeking treatment within their facilities, and the work currently
being done to offset that exposure. Whether labeled as patient safety, clinical effectiveness, quality,
performance improvement, or something else, improving the quality and safety of providing patient
care is the goal of healthcare providers and organizations. This chapter will provide an overview of
patient safety and performance improvement tactics being used to offset the exposures of healthcareacquired patient injuries and the roles and responsibilities of governance, leadership, management,
and frontline staff in assuring patients receive safe care within the healthcare system.
21.2
Patient safety, a highly passionate topic due to the fact that a poor outcome means that someone
was or could have been injured or killed while receiving medical treatment, has become a sub-specialty in many healthcare settings. The development of patient safety departments and officers is a
direct result of the awareness that a number of accidental medical injuries are routinely sustained by
patients while receiving healthcare.
In 1999, the Institute of Medicine (IOM) report, To Err is Human: Building a Safer Health System
was released quantifying the staggering number of deaths related to healthcare delivery.2 This report
focused the nations attention on the fact that anywhere from 44,000 to 98,000 preventable deaths
1
Carroll, Roberta , ed., Risk Management Handbook for Healthcare Organizations, Vol. I, 5th ed. (2006), Jossey-Bass,
Inc., San Francisco, CA.
2
Kohn L, Corrigan J, Donaldson M, eds. To Err Is Human: Building a Safer Health System. Washington, DC: Committee
on Quality of Healthcare in America, Institute of Medicine: National Academy Press, (2000; accessed December 17, 2008).
http://www.iom.edu/File.aspx?ID=4117>
337
21.3
Over the past 10 years or so, an awareness has also developed that not all patient safety and quality improvement opportunities are created equal. Healthcare improvement opportunities identified
as low hanging fruit, are adverse patient care events that occur with predictable frequency. These
would include pressure ulcers developed during acute inpatient experiences, medication errors, falls,
hospital acquired pneumonia and other hospital acquired infections, wrong site/wrong patient surgery,
Wachter, Robert M. Wachter, Understanding Patient Safety 27 (2008).
Id.
3
4
338
Along with the awareness of the occurrence of medical mistakes and accidents, a budding awareness of the lack of available healthcare information has also developed. This has resulted in a call
for transparency in American healthcare. Transparency is the desire of the public to have access to
billing and accounting information (how much was billed, what were the hospital costs and what was
charged to other patients with different insurance coverageor none at all) as well as quality performance metrics. Many organizations are calling for greater transparency in healthcare in addition to
consumers, government regulators, and government agencies. Michael O. Leavitt, Secretary of the
Department of Health and Human Services, has championed transparency by stating that people
deserve to know, indeed have a right to know, what their healthcare costs and how good it is. Patients
should be able to go to an Internet site, type in the name of the common medical procedure and see
the facilities in their area that provide it. They should also be able to see information about quality,
examine a general rating of the facility or learn useful information like the number of patients who
undergo that procedure in the facility each year.8
As a result of the request for transparency in healthcare, reporting measures on quality metrics,
patient satisfaction data, financial and accounting data, and other information has become widely
available.
The National Quality Forum. The National Quality Forum Updates Endorsement of Serious Reportable Events in
Healthcare. (2006; accessed December 17, 2008). http://www.qualityforum.org/pdf/news/prSeriousReportableEvents1015-06.pdf.
6
The Leap Frog Group. Position Statement on Never Events (2006; accessed on December 17, 2008.) http://www.leapfroggroup.org/for_hospitals/leapfrog_hospital_quality_and_safety_survey_copy/never_events.
7
Centers for Medicare Medicaid Services (2008). Medicare Program; Proposed Changes to the Hospital Inpatient Prospective Payment Systems and Fiscal Year 2008 Rates Release of Publication (2008; accessed December 17, 2008). http://
www.cms.hhs.gov/AcuteInpatientPPS/downloads/CMS-1533-P.pdf.
8
Leavitt, M, Transparency in Healthcare a Priority (2006; accessed December 17, 2008). http://hill6.thehill.com/healthcare-may-2006/transparency-in-healthcare-a-priority-2006-05-10.html.
5
339
Another component of open sharing of information is fully involving patients and their families
in their own healthcare experience. Ideally, patients and families should be considered the center of
the healthcare team. As the complexity of healthcare increases, staffing levels become stressed, and
healthcare reimbursement becomes leaner, the involvement of the patient and family in their own care
is becoming more important than ever. From a patient safety perspective, the patient and family can
be a strong line of defense in preventing a healthcare error from occurring. Additionally, consumer
involvement on committees that address quality and patient safety issues can provide a stream of
information not available from any other source. This type of first hand involvement by healthcare
consumers comes with its own risks and needs to be approached carefully. The waiver of certain
privileges and discovery of information not previously known to general consumers might create
challenging legal issues. But if approached thoughtfully and managed carefully, the value of unbiased
eyes seeing a medical process for the first time and sharing that experience with others can definitely
outweigh the risks that bringing in an outsider can pose.
For example, some organizations have begun to include patients in root cause analyses (RCA).
The RCA is a quality improvement process that is completed after an event that triggers the concern
that something contrary to standard practice has occurred and that requires a structured review by a
multidisciplinary committee. The purpose of the analysis is to identify the root causes that could have
contributed to the patients injury and to eliminate them from the involved healthcare system. Using
this type of process improvement technique, the patients and/or familys role would be to not only act
as a fact witness but to help the healthcare team identify variables that they were previously unaware
of and to assist the healthcare team to form an action plan geared at preventing a reoccurrence of the
adverse event.9 Additionally, patients and family members are being asked to sit on quality, patient
safety, and other committees to give them access to information previously limited to those affiliated
with the organization.
Spath, Patrice, ed., Engaging Patients as Safety Partners: A Guide for Reducing Errors and Improving Satisfaction 201227 (2008), Health Forum, Inc. Chicago, IL.
9
340
The Impact of National Initiatives (IHI, NPSF, NQF, AHRQ, Leap Frog)
Due to their awareness of the need for radical changes in the level of safety practiced while healthcare is being delivered, federal agencies, state agencies, certifying groups, private agencies, special
interest groups, and others are taking a strong interest in the topic. These groups include but are not
limited to: Centers for Medicare and Medicaid Services (CMS), Department of Defense (DOD), Institute for Healthcare Improvement (IHI), the Joint Commission (JC), the National Quality Forum (NQF),
the National Patient Safety Foundation (NPSF), the Agency for Healthcare Research and Quality
(AHRQ), the Leap Frog Group, and many others. This broad involvement has done much to promote
changes in technology, advances in patient safety, understanding of human factors, nationally-driven
initiatives, and other things that impact patient care. National and international initiatives are being
promoted that encourage providers to join the effort and practice certain patient safety practices that
are considered evidenced-based approaches to patient safety. Just two examples of these initiatives are
the IHI 5 Million Lives Campaign and the NQF Endorsed Safe Practices for Better Healthcare. These
initiatives, as well as others, can be credited for helping to shape many of the patient safety programs
and practices currently being practiced.11 The following topics are an example of some of the common
patient safety initiatives currently underway.
21.5.1
Challenge to Leadership
Healthcare senior leaders and governance bodies are now being called on to aggressively sponsor
patient safety and performance improvement initiatives. IHIs Board on Board Initiative, defines and
spreads the best-known leveraged processes for hospital Boards of Directors, so that they can become
Consumers Advancing Patient Safety (www.patientsafety.org), Medically Induced Trauma Support Services (http://
www.mitss.org/patients_families_home.html), Persons United Limiting Substandards and Errors in Healthcare (http://
www.pulseamerica.org), are a few examples of groups representing consumers injured by and concerned with medical
accidents and error.
11
Descriptions of the IHI - 5 Million Lives Campaign and the NQF Safe Practices are outlined in Appendix A and can be
accessed at http://www.ihi.org/IHI/Programs/Campaign/Campaign.htm?TabId=1 and http://216.122.138.39/publications/
reports/safe_practices_2006.asp.
10
341
Patient Safety Leadership WalkRounds are described by Dr. Allen Frankel of IHI in the following manner: Senior leaders are encouraged to use weekly Patient Safety Leadership WalkRounds to
demonstrate their organizations commitment to building a culture of safety. WalkRounds are conducted in patient care departments (such as the emergency departments, operating rooms, radiology),
the pharmacy, and laboratories. They provide an informal method for leaders to talk with front-line
staff about safety issues in the organization and show their support for staff-reported errors.13 These
WalkRounds have a powerful effect on opening the lines of communication between leadership
and staff when performed well. Discussion topics might be as simple as staff identifying that white
emergency pull cords in the bathrooms hang against white walls so that patients cannot distinctly see
the cord to pull it in the case of an emergency. Conversely, issues can be as complex as staffing pattern
needs, technical malfunctions, and identification of processes and systems that do not work.
21.5.3
The healthcare environment is one of extreme complexity. While technical performance is critical
to sound medical practice, communication and decision making errors can still occur, especially in
chaotic environments. Experts in aviation have developed a method of safety training, Crew Resource
Management (CRM), whose core principles center around the performance of the entire aviation team
instead of solely around the pilots performance. Improvements in the safety record of commercial
aviation may be due, in part, to this training.14 The American Healthcare Research Quality (AHRQ)
has recommended that this model of training be applied to healthcare settings.15
21.5.4
Simulation Training
Simulation training is a method of training that has been used in naval, aviation, and many other
settings. Simulator training is now being used in healthcare situations such as maternal infant emergencies, code blue resuscitation techniques, and others. Simulator training allows healthcare providers to
practice high risk procedures under conditions that mirror those encountered during high risk patient
care situations without endangering the patient. It also allows healthcare providers to simulate rarely
occurring conditions that require accurate identification and immediate treatment response times. The
International Healthcare Institute, 5 Million Lives Campaign (2006; accessed December 17, 2008). http://www.ihi.org/
IHI/Programs/Campaign/Campaign.htm?TabId=1.
13
Patient Safety Leadership WalkRounds, Institute for Healthcare Improvement (accessed December 17, 2008). http://
www.ihi.org/IHI/Topics/PatientSafety/SafetyGeneral/Tools/Patient+Safety+Leadership+Walkrounds%E2%84%A2+(IHI
+Tool).htm.
14
1. Helmreich RL. On error management: lessons from aviation. BMJ 2000;320:781-5.
15
L. Pizzi, N. Goldfarb, D. Nash, Thomas Jefferson University School of Medicine and Office of Health Policy & Clinical Outcomes, Chapter 44, Crew Resource Management and its Applications in Medicine (accessed December 17, 2008).
<www.ahrq.gov/clinic/ptsafety/chap44.htm>.
12
342
The reimbursement model of healthcare as well as the changing environment of safety requires
that prior methods of problem solving and performance improvement be reconsidered. Healthcare
models are changing to those adapted from industry. Plan-Do-Study-Act (PDSA), Six Sigma and Lean
are examples of methods that use traditional performance improvement tools in a very specific manner. The end result is hoped to be that of eliminating waste (i.e., time, efforts, supplies, etc.), so that
processes can become much more effective, efficient, and safe.
21.5.6
Reimbursement Tactics
In the interest of accelerating the work being done around providing safe patient care, pay-forperformance and other payment strategies are being considered. CMS describes its efforts as follows:
The foundation of effective pay-for-performance initiatives is collaboration with providers and other
stakeholders, to ensure that valid quality measures are used, that providers arent being pulled in conflicting directions, and that providers have support for achieving actual improvement. Consequently,
to develop and implement these initiatives, CMS is collaborating with a wide range of other public
agencies and private organizations who have a common goal of improving quality and avoiding unnecessary healthcare costs, including the NQF, the JC, the National Committee for Quality Assurance
(NCQA), the AHRQ, the American Medical Association (AMA), and many other organizations.16
In some instances, healthcare organizations would actually receive higher compensation if a patient
had incurred an injury within its doors than if not. For example, consider a patient who has a surgical
procedure generally requiring a one or two day hospital stay. If that patient becomes infected with
a hospital-related organism that develops into a systemic infection, then the new diagnosis would
require additional medical care and resources. Under the previous payment methods the hospital most
likely would have received more money for the additional care required. Now, with certain exceptions
that are beyond the scope of this chapter, it will not.
21.5.7
Electronic medical records present many opportunities for improving the quality and clarity of
communication in healthcare. Ease of access, storage, and readability are just a few of the benefits
that electronic medical records provide. These benefits as well as other considerations are more fully
discussed in another section of this book.
Centers for Medicare Medicaid Services, Media Release, Pay for Performance (2005; accessed on December 17,
2008). http://www.cms.hhs.gov/apps/media/press/release.asp?counter=1343.
16
343
Patient safety is the concept of keeping patients free of accidental harm while receiving healthcare. Errors causing harm to patients have long been considered personal failures on the part of the
healthcare professional. It was often thought that the person making the error was not paying attention,
they just did not care, or were sloppy in what they were doing. Over time, the accountability pendulum
has swung from holding just the caregiver responsible to releasing them from any responsibility. In
order for positive change to occur, it is now becoming recognized that both the individual healthcare
provider as well as the healthcare system must be held mutually accountable.
The 1999 IOM report describes the need for system change:
The initial reaction when an error occurs is to find and blame someone. However, even
apparently single events or errors are due most often to the convergence of multiple contributing
factors. Blaming an individual does not change these factors and the same error is likely to
recur. Preventing errors and improving safety for patients require a systems approach in order
to modify the conditions that contribute to errors. People working in healthcare are among the
most educated, and dedicated workforce in any industry. The problem is not bad people; the
problem is that the system needs to be made safer.17
While admitting that system failures are often the latent causes of medical accidents, the struggle
for healthcare organizations is to determine whether the system failure relieves the individual healthcare professional of any personal accountability for patient injury. James Reason, David Marx and
others have been pivotal in helping organizations address this concern. According to Marx, most injuries occur as a result of system and personal performance failures that both must be addressed after an
incident has occurred.18 In his Just Culture work, Marx describes four behavioral concepts that are
important in understanding the inter-relationship between discipline and patient safety: human error,
negligence, intentional rule violations, and reckless conduct.19 By using an algorithmic approach to
understanding what category the healthcare providers actions causing the patient injury (or potential
injury) falls under, an organization can determine whether or not disciplinary action should follow.20
A system approach to healthcare errors calls for recognition and support by the healthcare attorney. Each instance of potential or actual patient injury is case-specific and it may or may not be
appropriate to sanction a healthcare provider with customary remedial measures traditionally followed
in healthcare. (These include actions such as verbal warnings, write-ups, suspensions and/or firing
the involved employees.)
Institute of Medicine (1999). To Err Is Human: Building a Safer Health System 49 (1999; accessed on December 17,
2008). http://www.iom.edu/File.aspx?ID=4117.
18
See generally, Marx, David, Patient Safety and the Just Culture: A Primer for Healthcare Executives, (2001; accessed
December 17, 2008). http://dodpatientsafety.usuhs.mil/index.php?name=Downloads&req=getit&lid=724.
19
Id.
20
Id.
17
344
21.6
Customer feedback is important for organizational growth. In a hospital organization, there are
many customers: the patient, the patients families and/or significant others, the hospitals employees
and medical staff. By actively listening to each of these constituents an organization can take its pulse,
celebrate its strengths, and work on its weaknesses. If an organization is successful at this, risk will be
reduced and patient volumes and market share will increase.
While this section will focus primarily on patient feedback, hospital success with patient feedback
is predicated on employee alignment and physician alignment.
21.6.1
What is measured?
Hospitals survey their patients using standardized surveys that assess access, personalized care,
comfort, nurse care, physician care, discharge, and overall ratings. The survey is used to determine
overall satisfaction and some level of excellence for each of these major categories. In addition to
these standardized surveys, Medicare now requires that a random sample of patients also receive the
Hospital Consumer Assessment of Healthcare Providers and Systems (HCAHPS) survey. Beginning
July 1, 2007, use of HCAHPS is required by the Centers for Medicare and Medicaid Services (CMS)
in order for general acute care hospitals to maintain eligibility for full reimbursement updates. Voluntary participation in HCAHPS began in October 2006. CMS initiated public reporting of those early
participants results in March 2008. The instrument asks patients to rate the frequency of events during
their care (never, sometimes, usually, and always). Public reporting will include the percent that the
patient response is always.
The HCAHPS survey is organized under the following headings: Your Care from Nurses; Your
Care from Doctors; Your Experiences in the Hospital; When You Left the Hospital; Overall Rating of
the Hospital; and About You.
The HCAHPS survey questions will be reported in similar domains: Communication with Doctors; Communication with Nurses; Responsiveness of Hospital Staff; Pain Control; Communication
about Medicines; Cleanliness and Quiet of the Physical Environment; and Discharge Information.
Press Ganey, one of the largest companies that provide patient satisfaction surveys to hospitals has
integrated the HCAHPS tool in their survey distribution and a random sample of patients may either
get a Press Ganey or HCAHPS survey, thus allowing hospitals to participate in the public reporting
initiative without disrupting ongoing performance improvement initiatives.
21.6.2
There is an overwhelming amount of data that hospitals collect. Patient satisfaction results from
a national vendor like Press Ganey or from Medicare via HCAPS are not necessarily easy to read,
understand, or intuitive. While administrators may understand the mean score, standard deviation,
The section on Patient Satisfaction was written by Maria Lain, MBA, Service Line Director for Womens Health &
Oncology, The Chester County Hospital, 701 E. Marshall Street, West Chester, PA 19380.
21
345
A complaint is a gift. Information about simple things like sockets in disrepair, surfaces that
are uneven, and furniture and equipment that are unstable frequently come out of comments that
patients make when they are surveyed. The ability to get this feedback can ultimately improve hospital
operations and make the environment safer. Press Ganey has conducted research that indicates there
is a strong relationship between a patients satisfaction and the likelihood of a lawsuit. Press Ganey
research and external studies show that providers focusing on patient satisfaction see reductions in
malpractice as a result.22 Regardless of the survey tool used, there are two key drivers that address
a patients perception and resulting satisfaction with their care: how well the nurse related to and
delivered care to the patient, and how well the entire operation was able to personalize its care for that
one patient. The author represents one of many hospitals that are in a risk retention group. When we
compare our exposure to that of others in the group, ours is lower. The hospital has focused on many
initiatives to address patient safetyits customer service initiative has placed it in the 99th percentile
in with a peer group. Service quality is driven at the local/unit level.
21.6.4
A model to build a platform for change at the local level may include as a first component a communication plan that begins to create interest. Initially it is important to post baseline information. It is
also good to learn from others. Below are recommended first steps.
Evaluate what is done at best practice hospitals
Post and trend patient satisfaction results monthly
The next phase is the more active phase for change, where staff is involved in the development,
recommendations, and implementation of change.
In order to be successful the following key principles are important and should be incorporated
into the work:
Commitment to Excellencewhat is this? The definition will be department derived.
Measuring important thingsidentify what is to be measured, establish reasonable goals, and
monitor the success.
http://www.pressganey.com/cs/research_and_analysis/patient_satisfaction/medical_practice_resources.
22
346
347
348
Commentary
In practicing the enterprise risk management approach it is important to understand the benefits and potential exposures that a robust patient safety or quality program brings with it. A
basic working knowledge of the guiding principles of patient safety will assist counsel to be
more effective in anticipating and understanding how to address any related legal concerns.
Be aware that the areas of greatest opportunities for organizational performance improvement can be readily identified by national data, as well as internal data, and understand that if
organizations fail to address and improve in those areas, patient safety and the financial well
being of the organization can be at risk.
Recognize that the lack of progress in quality improvement efforts can certainly be a risk
exposure if discovered by an opponent in litigation, a state or federal agency, a certifying
body, or others.
In addition to reporting the correct and appropriate data required by outside agencies, healthcare providers should also be aware of the extent of the information regarding the organization
that is made public on internet sites and other sources, and monitor those not only for accuracy but for the impact that the information can have on the organization as a whole.
In putting the principles of Just Culture into action, healthcare counsels guidance in assuring that the proper human resource policies are in place and that the organization follows the
policies fairly and consistently can serve not only to enhance patient safety efforts but also to
reduce the risk of exposure to loss from employment-related issues.
More and more healthcare systems are practicing transparency and open disclosure following medical accidents involving error. One thing that is important to anticipate is that the
response of the involved patient, his or her family, the media, and the public may be inflamed
due to the emotion and/or lack of understanding of the facts surrounding the event. Having
a plan in place to address those possibilities is important to maintaining the reputation of the
organization and its healthcare providers.
Many developments in quality and patient safety are resulting in the sharing of highly
confidential information with outside consultants, consumers, board members, and others.
Anticipate that HIPAA Business Associate Agreements, contracts, confidentiality statements,
special privacy training, and other requirements may be indicated in each instance. A consistent method of identifying what will be needed for tracking completion of documents and
training before the organization allows the information to be shared is recommended.
Data mining and data reporting rely heavily on highly complex information technology systems. The impact that multiple interfaces and different systems can have on data integrity is
important to understand. Organizations need to have monitoring systems in place to assure
Leadership and Board involvement in Patient Safety and Quality initiatives is crucial. The
Board must be educated in the responsibilities that members have in this regard. The Board
must understand how to challenge and hold leadership accountable for meeting and exceeding benchmarks that were previously accepted as satisfactory. Todays constant challenge
is to successfully have healthcare organizations perform quality services and provide safe
patient care free from medical error and system failures. The governance boards must understand their role in assisting their organization to rise to that challenge.
21.8
Conclusion
Healthcare organizations are responding to the need to improve performance and to provide safe
patient care. In applying ERM principles to this area, one must understand how quality measures and
providing safe patient care can impact an organizations reputation and financial status. An organization must have established quality metrics in place that constantly monitor its performance. It is no
longer acceptable to consider success in terms of merely achieving the internal or external benchmark. For quality benchmarks, constant improvement is fast becoming the norm.
The call for transparency in healthcare organizations creates risk exposures beyond those previously experienced. Monitoring the organizations performance against quality metrics, understanding
the impact that those results will have, and anticipating that such information may become public is
a reality in todays constantly changing healthcare environment. Providing quality care and services
and safe patient care protects the most valuable assets of the organizationits patients, providers and
staff.
349
350
351
Deliver Reliable, Evidence-Based Care for Acute Myocardial Infarctionto prevent deaths
from heart attack
Prevent Surgical Site Infections by reliably delivering the correct peri-operative antibiotics at the proper time
Prevent Harm from High-Alert Medications starting with a focus on anticoagulants, sedatives, narcotics, and insulin
Reduce Surgical Complications by reliably implementing all of the changes in care recommended by SCIP, the Surgical Care Improvement Project (www.medqic.org/scip)
Prevent Pressure Ulcers by reliably using science-based guidelines for their prevention
Reduce Methicillin-Resistant Staphylococcus aureus (MRSA) infectionby reliably implementing scientifically proven infection control practices
Get Boards on Board by defining and spreading the best-known leveraged processes for
hospital Boards of Directors, so that they can become far more effective in accelerating organizational progress toward safe care.
Institute of Healthcare Improvement, 5 Million Lives Campaign (2006; Accessed on December 17, 2008). http://www.
ihi.org/IHI/Programs/Campaign/Campaign.htm?TabId=1.
23
352
3. Ensure that written documentation of the patients preferences for life-sustaining treatments
is prominently displayed in his or her chart.
4. Following serious unanticipated outcomes, including those that are clearly caused by systems
failures, the patient and, as appropriate, the family should receive timely, transparent, and
clear communication concerning what is known about the event.
5. Implement critical components of a well-designed nursing workforce that mutually reinforce
patient safeguards, including the following:
a nurse staffing plan with evidence that it is adequately resourced and actively managed
and that its effectiveness is regularly evaluated with respect to patient safety;
senior administrative nursing leaders, such as a chief nursing officer, as part of the hospital senior management team;
governance boards and senior administrative leaders that take accountability for reducing patient safety risks related to nurse staffing decisions and the provision of financial
National Quality Forum, About Us (2006; accessed on March 10, 2008). http://www.qualityforum.org.
24
353
7. All patients in general intensive care units (ICUs) (both adult and pediatric) should be managed by physicians who have specific training and certification in critical care medicine
(critical care certified).
8. Ensure that care information is transmitted and appropriately documented in a timely manner
and in a clearly understandable form to patients and to all of the patients healthcare providers/professionals, within and between care settings, who need that information in order to
provide continued care.
9. For verbal or telephone orders or for telephonic reporting of critical test results, verify the
complete order or test result by having the person who is receiving the information record and
read back the complete order or test result.
10. Implement standardized policies, processes, and systems to ensure the accurate labeling of
radiographs, laboratory specimens, or other diagnostic studies so that the right study is labeled
for the right patient at the right time.
11. A discharge plan must be prepared for each patient at the time of hospital discharge, and a
concise discharge summary must be prepared for and relayed to the clinical caregiver accepting responsibility for post-discharge care in a timely manner. Organizations must ensure that
there is confirmation of the receipt of the discharge information by the independent licensed
practitioner who will assume responsibility for care after discharge.
12. Implement a computerized prescriber order entry (CPOE) system built upon the requisite
foundation of re-engineered evidence-based care, an assurance of healthcare organization
staff and independent practitioner readiness, and an integrated information technology
infrastructure.
13. Standardize a list of do not use abbreviations, acronyms, symbols, and dose designations
that cannot be used throughout the organization.
14. The healthcare organization must develop, reconcile, and communicate an accurate medication list throughout the continuum of care.
15. Pharmacists should actively participate in medication management systems by, at a minimum,
working with other health professionals to select and maintain a formulary of medications
chosen for safety and effectiveness, being available for consultation with prescribers on medication ordering, interpretation and review of medication orders, preparation of medications,
assurance of the safe storage and availability of medications, dispensing of medications and
administration and monitoring of medications.
354
355
* See the report for applicable care settings for each practice, detailed specifications, and additional background, implementation, and reference at http://216.122.138.39/publications/reports/safe_practices_2006.asp.
356
Part VII
Strategic Issues
22
Public Relations, Marketing, and Advertising
Ellen Barron, Esq.1
Profit Management Group
22.1
Introduction
Today, there is much emphasis throughout corporate America, as well as among healthcare organizations promulgating greater accountability for patient safety, upon the principle of transparency.
This principle is based upon the belief that full disclosure of product safety and quality, financial
performance, and other similar information will enable consumers, whether potential investors or
potentials users of the products and services, to make better-informed decisions. Further, it is expected
that transparency in information-sharing will alleviate the likelihood of financial mismanagement,
decrease the potential for fraud, and act as a brake on the potential for unscrupulous or dishonest
behavior. The goal of transparency is to freely offer information that willin theoryenable investors
to make better decisions and to enable patients to select healthcare providers that offer safer care and
better outcomes. Excellence in public relations and marketing is the best strategy for assuring transparency and, in turn, support enterprise risk management efforts to minimize liability exposures from
these activities.
22.2
An organizations image and reputation are assets that have evolved over time and are not the
result of a one-time ad campaign, well-publicized adverse outcome, or special event. Rather, these
cumulative assets must be preserved and enhanced. A carefully crafted communications strategy will
serve this over-arching goal of asset preservation and enhancement, even in difficult circumstances,
if:
assures that its communications and actions are consistent, both internally and externally;
The Advertising section of this chapter was authored by Ellen L. Barton, J.D., CPCU.
359
Image and reputation are key elements of how consumers establish brand value. In recognition
that the brand is an organizational asset to be preserved and enhanced, communications strategies supporting enterprise risk management must support the brand standard. This means that the content
and the method of communication related to risk concerns must reinforce consumer trust and brand
value.
A major enterprise risk management (ERM) initiative that supports and is supported by Marketing in Public Relations is the Disclosure of Unanticipated Outcomes (see Chapter 15). Establishing
thoughtful policies and clearly articulating the expectations for disclosure provide this brand standard.
Education of all staff regarding the organizations policies and expectations is a critical success factor.
Assuring that disclosure communications adhere to the brand standard will help preserve trust.
22.4
Despite long-term efforts to build an open, honest, transparent, and value-added image and reputation, healthcare providers are tested by various crises that demand a carefully crafted communications
response. The principles of open, honest, and transparent are at no time more important than dealing
with the consequences of a negative event. In fact, one of the most frequently cited textbook arguments for addressing a crisis with transparency goes back to the 1982 Tylenol Crisis.
In this crisis, an individual tampered with the product packaging, inserted poison into a few
bottles, and caused seven consumer deaths. However, within months, the Tylenol Crisis was not
remembered for the damage done, but for the companys (McNeil Pharmaceutical, a division of J&J)
response: accepting responsibility for the problem (even though Tylenol had not caused the problem);
2
Fanjiang, Gary, MD, MBA; Ted Von Glahn; Hong Chang, Ph.D. et al. Journal of General Internal Medicine 22(10),
pp. 1463-66, October 2007.
3
Fanjiang et al.
4
Coombs, WT and SJ Holladay. Helping Crisis Managers Protect Reputational Assets: Initial Tests of the Situational
Crisis Communication Theory. Management Communication Quarterly, 16, pp. 165-186, 2002.
360
Mitroff, I.I.; K. Harrington; and E. Gai. Thinking about the Unthinkable. Across the Board 33(8), pp. 44-48, 1996.
Op. cit., Coombs, WT and SJ Holladay.
5
6
361
Disaster response
It is important to recognize that the fact-finding process necessary to address these potentially
harmful exposures to enterprise risk may identify multiple issues and concerns.
Medical Professional LiabilityIt is important to recognize that these concerns are reality-based.
Even in fairly small healthcare organizations, there may be more than 1,000 incident reports, indicating the potential for harm to a patient, filed each year. One large teaching hospital estimated that in the
first month of residency training, 140 residents committed more than 800 medication errors. Similarly,
it is not uncommon for 4 to 5% of all patients to experience some form of complication, adverse drug
reaction, or similar event, some of which may lead to permanent disability or even death. It is rare that
more than a very few of these events may trigger the need for a comprehensive communication.
However, it is almost axiomatic that when something significant goes wrong for a patient, more
bad things are almost sure to follow. In the event that an adverse outcome may have been caused by
an error, it is important that Risk Management be involved at the outset to characterize the level of
concern, identify underlying process and system breakdowns, and promptly reach out to communications leaders as needed for support.
Every single step of working effectively through this process is a communications opportunity.
(See Figure 2, Rules of Thumb for Positive Patient/Family Communication)
Violation of the publics/patients trustPatients have every right to believe and expect they
are safe and secure within the confines of a healthcare setting. This absolute need for safety includes
Dilenschneider, RL. The Corporate Communications Bible: Everything You Need to Know to Become a Public Relations Expert. New Millennium Press, 2000.
362
Argenti, P. Crisis Communication: Lessons from 9/11. Harvard Business Review, 80(12), pp. 103-109, 2002.
Business Roundtables Post 9/11 Crisis Communications Toolkit. The Business Roundtable, 2002. http://www.nfib.
com/object/3783593.html.
8
9
363
Be quick
Be accurate
Be consistent
Coombs, WT. Crisis Management and Communications. Institute for Public Relations, October 30, 2007.
http://www.instituteforpr.org/essential_knowledge/detail/crisis_management.
10
364
Media Relations
The communications goals with the media in every situation related to organizational risk are:
Provide prompt, open, and honest communications. This is essential in maintaining and
enhancing the communitys trust and supporting the brand standard.
From time to time, despite best efforts to the contrary, the organization may face media scrutiny.
For most healthcare leaders, media attention in a crisis is a source of great concern. What strategies are
the most effective in dealing with these situations?
First, recognize that the minute an e-mail is sent or an internal memo to leadership is distributed,
the matter is no longer confidential and, instead, is public information. Therefore, such communications should be minimal and carefully worded. View every communication as being in the public
domain.
Second, the media is not out to get you. It is only doing its job. The possibility of a major medical error or similar risk event is news. If the organization has taken care to develop positive media
relations, then it is somewhat likely to be treated more kindly if there is an adverse event.
Third, most reporters are inquisitive. It is part of the job description. They will ask leading questions. Remember: its their job. Dont convey anger, hostility, defensiveness, or evasion. Instead, give
yourself time to think. You are not obligated to respond to every question immediately. Respond to
pressing questions with an offer to investigate the matter and follow-up with the reporter.
Fourth, understand that reporters are working to a deadline, whether its the print time for the
newspaper or finalizing stories for a local newscast. Be respectful of the deadlines. If you cant respond
by deadline, say so. Dont allow yourself to be pressured into a premature response. However, if you
tell a reporter that you will get back to them within two hours, make sure you do iteven if it is to
provide an update as to the status of the request.
Fifth, remember that all your preparation will be reduced to a three minute or less sound bite on
a newscast. In a newspaper, a paragraph or two will very likely cover the providers position, while
interviews with the patient/patients family, industry experts, and other information will fill the rest
of the column. Message clarity, brevity, and consistency are importantwhat will be highlighted
can be unpredictable and often not what the organization might wish. Therefore, the organizational
spokesperson must stay on message.
Next, remember that very few risk events result in media attention. Even significant professional
liability cases that go to trial rarely result in any media coverage, while other topicssuch as an
Enterprise Risk Management for Healthcare Entities, First Edition
365
Increased attributions of organizational responsibility, or blame, for the crisis result in a greater
likelihood of reputational harm and reduced likelihood of using the organizations services in the
future. Therefore, in addition to managing the crisis as effectively as possible, it is essential for the
organization to address post-crisis business as usual. The organization needs to continue providing
updates about the investigation of the crisis, corrective actions taken and recovery efforts to both external and internal stakeholders. Continued use of the intranet, along with text messages, broadcast voice
messages and e-mail, are all useful tools for employees, while the internet site may be kept live and
updated for an extended period as a media information source.
Returning to the fallout from the Tylenol Crisis, McNeil Pharmaceutical focused on reputational
repair as a primary strategy once the crisis had begun to dissipate. McNeil encouraged consumers
to purchase Tylenol again by developing tamper-proof packaging; offering coupons for significant
discounts with purchase; and training their sales force to educate the medical community about its
renewed emphasis upon product safety and value.
A healthcare provider may well want to consider similar tactics, such as community health education programs, advertorials regarding safety improvements purchased in the local newspaper or
other media, and using its web site for explaining its safety commitment in detail. In addition, the organizations leaders should educate its employees regarding their role in ongoing safety improvements
and how to respond constructively to patients and familys questions, as well as contribute positive
word-of-mouth out in the communities where they live. All of these actions will lay the groundwork
for reputational repair and image renewal.
366
22.5
In an increasingly competitive environment, marketing and advertising have become the keys to
survival for many healthcare organizations. Changes brought about by market reform initiatives aimed
at controlling rising healthcare costs have left many providers aggressively competing for shrinking
healthcare dollars. The continuing trend among employers and managed care organizations to provide
patients with greater choices of providers has served to sharpen the competitive behaviors of many
providers. Like other core activities of healthcare organizations, marketing and advertising initiatives
have the potential to lead to increased risk and liability.
22.5.1
There are several potential sources of rules, regulations, and laws applicable to hospital advertising that can lead to tort liability. Those sources are often intertwined and more than one may apply to
the advertisement. One major group of laws prohibits advertisers from competing unfairly by confusing the public as to the source of a product or by stealing a competitors ideas or works of authorship.
These federal laws relate to copyrights, patents, and trademarks. A second group of laws prohibits
false or misleading advertising. In addition, most states also have laws regulating advertising.
While federal and state laws are obvious sources of potential liability and the standards are relatively clear, a more troublesome and less predictable consequence of hospital advertising is legal action
by patients based on the content of the advertising. There are several different types of actions that
may result from advertisements: contract and estoppel claims; professional liability (although to date
no court has so held, it is conceivable that advertisements could constitute evidence of the applicable
standard of care or could even establish an agreement to provide a higher standard of care than that
applicable to similarly situated healthcare providers. For example, advertisements stating that an institution provides the highest-quality care may obligate that institution to provide the highest-quality
care rather than the standard that would be usual for such an institution; and ostensible agency.
Liability for making unjustified claims about quality of care or results of treatment is a relatively
rare phenomenon. By far the greatest exposure that healthcare organizations face as a result of their
advertising campaigns occurs when statements made in advertising create vicarious liability for the
acts of non-employed physicians. When these advertising claims have the effect of creating the public
perception that physicians associated with the healthcare organization are in fact agents of the healthcare organization, the healthcare organization assumes liability for their actions. That has been the
finding of several courts that have considered this issue.12
Advertising can, however, result in liability in other ways as well. The Pennsylvania Superior
Court established a new precedent in advertising liability in the case of McClellan v. HMO of Pennsylvania. The court overturned the trial courts dismissal and held that the plaintiff could pursue the
This section is based on Chapter 9, Advertising LiabilityA Growing Risk Management Concern, by Ellen L.
Barton, J.D., CPCU, and William M. Klimon, Esq., in Risk Management Handbook for Health Care Organizations, Vol.
III, 5th Edition, Jossey-Bass, San Francisco, 2006.
12
Pamperin v. Trinity Meml Hosp., 423 N.W.2d 848, 853 (Wis. 1988); Boyd v. Albert Einstein Med. Ctr., 547 A.2d 1229,
1232 n.6, 1234-35 (Pa. Super. Ct. 1988); Sword v. NKC Hosps., Inc., 714 N.E.2d 142, 145, 152-53 (Ind. 1999); Martell v.
St. Charles Hosp., 523 N.Y.S.2d 342, 349-52 (N.Y. Sup. Ct.1987).
11
367
Regulatory Implications
In addition to civil liability in the form of tort claims by patients, healthcare organizations also
face potential federal regulatory liability for their advertising practices. The FTC, empowered by the
federal government to regulate advertising practices, as noted above, can take action against any entity
that it deems has engaged in false advertising. The FTC can impose fines as well as other sanctions
for violations of the statutes it is empowered to enforce.14 But, sanctions usually take the form of a
consent order to cease and desist, a settlement that requires the advertiser to stop the objectionable
advertising. Consent orders also frequently require the advertiser to maintain all documents relied
upon in making its claim as well as other relevant information. A consent order is not a finding of fact
and, unlike other types of settlements, is a matter of public record.15
Marketing and advertising initiatives are critical to a healthcare organizations survival and, like
other critical activities; they increase the risk of liability. As mentioned early in this chapter, marketing
and advertising initiatives also provide important services for patients: to educate consumers about
healthcare services and to inform them of the options available. But there may also be a tendency for
healthcare advertising to follow the trend of general advertising by making grandiose and exaggerated
claims. It is on these types of ads that some consumers may base their decision about where to go
for healthcare. The clear risk management lesson is that any information provided to the public (but
especially information about the credentials of the independent medical staff) must be accurate and the
responsibility for verification is with the entity that is disseminating the information.
Because of the questionable economic benefits of advertising and the potential liability that can
arise from it, healthcare institutions need to be particularly careful in their advertising. Healthcare risk
management professionals must approach advertising liability not as a necessary evil, but as a risk
associated with one of the organizations core functions that must be managed. As with other liability
exposures, advertising liability can be managed with a systematic approach to identification of risks
and appropriate intervention to reduce or eliminate these risks.
The following types of communications and strategies for their use will assist in minimizing
potential liability:
Be careful about using opinion messages. Be certain that there is substantiation for whatever
is claimed.
McClellan v. HMO of Pennsylvania, 604 A.2d 1053, 1056-58, 1060-61 (Pa. Super. Ct. 1992).
15 U.S.C. 45, 54 (2005).
15
In re NME Hosps., Inc., 115 F.T.C. 798 (1992) (consent order); In re Cancer Treatment Ctrs.
of America, Inc., 121 F.T.C. 692 (1996) (consent order).
13
14
368
22.6
Commentary
From an enterprise risk management perspective, marketing and advertising liability can be managed with a systematic approach to identification of risks and appropriate intervention to reduce or
eliminate these risks.
Become familiar with professional standards relating to healthcare marketing and advertising practices. The American Hospital Association and The American Marketing Association
have developed standards that cover all aspects of marketing and advertising.16 These documents provide standards and useful guidance that should be followed in designing advertising
campaign strategies.
Become familiar with the organizations marketing philosophy and planned advertising initiatives. This will provide the context for the decisions made and the priorities established in
connection with the organizations marketing plan.
Develop a partnership with the person responsible for the organizations marketing activities
and the risk management professional who is a resource for risk management implications of
advertising campaigns and marketing activities.
Develop a system for early review by both legal counsel and risk management of proposed
advertising initiativeswhether written in-house or by outside consultantsto identify
potential exposures.
Pay particular attention to advertising campaigns that may create the appearance of an
agency relationship with independent contractors, particularly emergency room physicians,
anesthesiologists, radiologists, pathologists, and other providers whom the patient does not
specifically select. Ensure that appropriate notations in the advertising campaign spell out the
nature of the relationship, and make sure that prominently posted signs and other notices to
patients reinforce this message.
Incorporate language into the consent for treatment forms that clearly indicates that the
patient understands that those providing treatment may not be employees of the healthcare
provider.
If the name of a specific physician or other provider is to be used in advertising, assume that
the organization will be held vicariously liable for the acts of that provider. Plan risk financing strategies accordingly.
Avoid any representations about the high quality of providers associated with the organization, and ensure that all providers are properly credentialed and insured.
American Marketing Association, Code of Ethics:Ethical Norms and Values for Marketers, http://www.marketingpower.com/content435.php#.
16
369
Work with the organizations corporate compliance officer to ensure that all advertising campaigns meet the organizations standard for corporate integrity.
Review the healthcare facilitys insurance program to assess what, if any, coverage would
apply to claims arising out of marketing and advertising. In addition to the professional liability coverage that would apply in situations in which the advertisement was used to create
a standard of care, the healthcare entity should maintain coverage for advertising injury.
Healthcare facilities in which staff or volunteers write their ads, as well as facilities that
hire advertising agencies, are generally covered under most advertising liability insurance.
In contracts with advertising agencies, however, indemnification or hold-harmless clauses
should be used to require the agency to be responsible for any liability caused by its actions.
22.7
Conclusion
No organization is immune from an adverse event. Planning, preparation, and anticipation are the
best ways to minimize damage to organizational reputation.
Each risk event is an opportunity to avert crisis. Both risk events and crises are learning experiences. Management should not only enable corrective action as required for future risk management
and crisis prevention, but should also analyze its crisis management effort, the effectiveness of its
communications strategies, and modify its crisis management and response systems as part of its commitment to continuous learning and improvement.
Legal counsel, in conjunction with risk management professionals can manage the increased
liability risks associated with the organizations marketing and advertising activities by adopting a systematic approach to the identification of these risks and implementing appropriate interventions. This
is best accomplished by developing and maintaining collaborative relationships with those responsible
for the organizations marketing activities. By becoming a resource to those involved in developing
marketing initiatives, the healthcare attorney becomes a valuable partner in the process and helps the
organization to avoid unnecessary risk while supporting organizational advancement.
370
Include a decision tree that helps determine the gravity of the crisis and the scope of the
response
Communications templates
371
372
DONT:
DONT hesitate to ask questions until you
understand the facts, circumstances and
patients preferences
23
ERM and Managed Care
Mary Mahoney, Esq.
Tufts Health Plan
23.1
Introduction
While there are standards common to many healthcare risk management programs, there is much
less consistency among risk management programs in managed care organizations (MCO). Why? One
possible reason is that, unlike hospitals that must meet The Joint Commission requirements specifically relating to risk management, MCO accreditation does not include risk management. There are
no standard risk management principles shared by MCOs as there are for hospitals. For MCOs, the
development of any integrated risk management program may be a new concept. What follows is
one view of how a managed care enterprise risk management program can be structured and how it
provides value to a managed care organization. This chapter will also describe additional steps to be
taken to further develop an enterprise risk management (ERM) program.
MCOs are not like hospitals. They do not have patients and, as a result, do not have incident
reports, experience sentinel events or never events, and usually are not subject to claims for medical professional liability. So, what are the risks that MCOs manage day in and day out and how can in
house and outside counsel help guide the MCO through those risks? This chapter will describe those
risks. It will not provide detailed analysis of each risk or how to avoid each specific risk since the
specifics of managed care liability are described in many other writings. It will, however, describe the
processes and systems that can be utilized to manage those risks when they do occur.
23.2
Many MCOs have risk management functions. Most were developed on concepts borrowed from
the hospital setting.
23.2.1
Risk Management functions often focused on medical care provided to those to whom the MCO
provides healthcare coverage, or members. The MCO would typically have a risk manager who
would either respond, or coordinate a response to a high-risk situation. Since most MCOs moved
away from a staff model structure, the concern was not usually direct medical professional liabilEnterprise Risk Management for Healthcare Entities, First Edition
373
As MCOs have faced increased financial challenges, medical cost containment has been examined more closely. Clinical Services departments have become more responsible for the medical costs
of the MCOs members and are accountable for the savings flowing from their medical management
programs. As a result, clinical service staffs have become much more engaged in the financial challenges facing the organization. They have, in turn, invited more awareness and integration to the risk
management functions they perform.
At some MCOs, much of this coordination involves the legal department. Usually, there is a key
contact person for member risk management issues. That person ordinarily has contacts throughout the
organization to resolve issues. One approach is to move to decentralized management with centralized
communication. There may be a contact person or risk manager within the legal or another department. That role is responsible for coordinating issues that by their nature involve a higher level of
public scrutiny and that involve individuals in multiple areas within the company. The Risk Manager
does not necessarily manage these situations. Rather, he or she is responsible for assuring that a coordinated response is in place. There may be designated and trained individuals within most departments
in the company to manage risk. If the risk falls primarily within one of those departments, that person
has primary responsibility for coordinating a response and communicating with the rest of the team.
In addition, there may be designated lawyers who handle many varieties of risk managementmember
risk, financial risk, litigation risk, provider risk, public relations risk, regulatory or legislative risk, and
fraud. The risk manager would notify or involve a lawyer as necessary, or the lawyer can be contacted
by anyone else in the organization.
374
23.2.3
Next Generation
Risk management programs within MCOs have evolved and become more integrated. The next
step will be to introduce the concept of Enterprise Risk Management and create a robust program.
This involves taking the approach of decentralized management with coordinated communication to
the next level of being truly integrated with the financial risk management efforts within the company.
Many existing risk management mechanisms will fall under the umbrella of the ERM program.
There may, of course, be many varied approaches to risk management. For example, there could
be a medical cost containment program that qualifies and quantifies efforts throughout the company
that relate to decreasing medical costs per member. These include care management programs as
described earlier, but also include fraud prevention and recovery and actuarial services. The aforementioned member risk management program would also exist. In addition, there should be functions
within the finance areas to assess, quantify, and manage pure financial risks. This approach moves into
a new generation where these risks are centrally discussed, described, and quantified. This approach
allows an analysis of these risks and these programs, as well as a fresh look at risk to implement a more
global, or enterprise-wide risk management program.
23.3
Other chapters address how to structure an overall ERM program. In order to understand how to
coordinate an enterprise risk management program within an MCO, it is important to understand the
risks typically faced by MCOs that would be encompassed within such a program.
23.3.1
Pricing has traditionally been the biggest financial risk facing insurance organizations. Like insurers, MCOs must set a price before they are able to determine their costs because those costs are
incurred in the future and subject to many variables. Following is a description of the unique aspects
of pricing and third party risks in managed care.
23.3.1.1
MCOs set premium prices and administrative fees before the year during which the premium or
fee will apply. MCOs now use actuarial services and predictive modeling to estimate as closely as
possible the likely medical costs they will face in any given year. These estimates are used to develop
a pricing structure that will allow for as much profit margin as sustainable in the given marketplace.
MCOs generally face intense pricing competition. As a result, premiums generally cannot be set in
such a way as to guarantee profitability. As a result, the pricing risk remains.
23.3.1.2
An MCOs relationships with other third parties also greatly impact its financial risk portfolio.
375
One of the unknown factors of great concern to a MCO is healthcare costs. Defining the relationship between the MCO and healthcare providers is one of the most important efforts in managing the
financial risk of the MCO.
Because MCOs on an insured basis accept premiums to cover all medical costs, financial management can be somewhat of a gamble. To reduce the risk associated with that, the MCO must do as good
a job as possible of estimating its medical costs. The variations of that risk depend on a number of
factors involving healthcare providers including the following:
1. Whether the provider is contracted
2. Whether the contract sets reasonable reimbursement levels
3. Whether the contract includes any form of financial risk sharing
4. Whether the MCO has market power sufficient to charge premiums that will cover provider
reimbursements
5. Whether an out of plan provider will be willing to accept usual and customary charges or
demand its own fee schedule
Whether the provider is equally driven to control healthcare costs has a tremendous impact on an
MCOs ability to manage cost.
23.3.1.2.2 The Insured Risk Pool
An MCOs risk pool may vary from year to year. The health status of the insured membership and its
utilization patterns that create the risk pool will greatly affect the financial risk of the organization.
23.3.1.2.3 Outsourcing
MCOs, like other organizations, now outsource many functions. These include care management,
disease management, information technology, customer service, claims review, and a myriad of other
functions. With the increased return on investment that outsourcing can bring, also comes risk. The
main risks to a MCO associated with outsourcing include privacy and security breaches, legal and
regulatory compliance challenges, meeting secondary contract requirements, satisfying accreditation
standards, and meeting necessary business performance standards.
23.3.2
Denials of Coverage
Whether through its utilization management, prior authorization, claims review, or appeals processes, denials of coverage have long been a significant risk facing MCOs. Denials of coverage are
often blamed for adverse medical outcomes (including death). Regardless of the medical outcome,
denials of coverage can result in intense, adverse publicity if the issue is currently a hot topic or if the
covered person presents with a particularly sympathetic situation.
376
23.3.3
Quality of Care
MCOs have established programs that set quality standards and monitor for quality of care issues.
Most MCOs in this era do not employ healthcare providers, but rather arrange for the provision of
healthcare services by contracting with a network of healthcare providers. In this scenario, MCOs do
not usually face claims for medical professional liability. They may, however, be held accountable for
the quality of care provided by that network.
23.3.4
Technology
As the technology used by MCOs becomes more robust and comprehensive, so too do the risks
of its use. With the added benefit of the internet and web, wireless technology, hand held devices
and healthcare networking come increased risks of privacy and security breaches. As MCOs become
more dependent on technology for business function, capacity and availability become increasingly
important. Some of the functions now performed by technology that were previously manual include
web enrollment, premium billing and payment, collection, claims adjudication, claims submission and
correction, claims funding, and utilization management. The increased dependence on these technologies for daily business function requires that MCOs be prepared in the event of systems failure or
obsolescence. IT upgrades can take years to plan and implement because of the complexities of information transfer, system compatibilities and capabilities, and building and testing requirements. The
MCO must stay ahead of the technology curve by planning and investing to maintain its competitive
technological edge.
23.3.5
Legal Compliance
Managed Care organizations are heavily regulated. It can be very challenging to keep up with
the myriad and complex laws and regulations that apply to various aspects of the business. Without
mentioning all of the laws and regulations that pose risk, a couple laws that pose potentially significant
financial risk are identified below.
In recent years, many healthcare institutions have consolidated and others have established alliances. Such an environment poses increased risk of antitrust violations. This can impact the MCO
negatively if it is the target of an investigation, but can also impact the MCO if a competitor or provider network gains market dominance.
The federal False Claims Act also presents an ongoing risk to any health plan engaged with the
federal government. The False Claims Act allows for whistleblower claims, whereby an ordinary
citizen, or relator, may file suit on behalf of the government against a government contractor for
submitting claims that are knowingly false or that the contractor should know are false, to the government for payment. These suits, called qui tam suits often result in significant damages awards.
The relator is often an employee or former employee of the contractor, resulting in the nickname of
whistleblower.
377
Issues as Employer
MCOs, like all other organizations, face additional risks as an employer. Actions for the negligence, vicarious liability, and violations of law of its employees often become the direct risk of the
MCO. Additionally, MCOs must follow all applicable labor, employment, and benefits laws as they
relate to their employees and contractors. Nonprofit MCOs must be particularly sensitive to the limitations of executive compensation and benefit plans that are available to nonprofit employers.
23.3.7
The most significant risks posed by advertising, marketing, and sales are overstatement (of both
attributes and associations) and promising something that the MCO cannot deliver. These claims are
often made during a sale, in the Request for Proposal (RFP) process, or in print and media advertisements. The MCO can inadvertently find itself bound by a statement that it did not expect to meet,
may not be able to meet, or can meet only at a significantly increased cost. (See Chapter 22 for more
information on Marketing and Advertising Liability.)
23.3.8
Public Relations
The public relations risks faced by MCOs are huge. For a Health Maintenance Organization
(HMO) to keep a positive public image requires daily vigilance and a lot of relationship building
with opinion leaders. Any of the risk factors identified above can be magnified by media and public
attention because of public relations. The public relationships that often come into play include local
and national media outlets, newspapers, state and federal representatives, and activists groups (for
particular medical disorders, ethnic groups and healthcare reform).
23.3.9
Tax Exemption
An emerging and major risk faced by all nonprofit MCOs is the potential loss of tax-exempt status. Until recently, most nonprofit MCOs felt pretty secure in their tax-exempt status. Following the
recent decisions in the Vision Services Plan1 cases, however, MCOs may face additional scrutiny. A
MCO must ensure that all of its filings and public statements exhibit a mission that is consistent with
and supports its tax-exempt status.
In addition, in many states, nonprofit organizations are being subjected to additional reporting,
disclosure, and governance requirements, similar to Sarbanes-Oxley. While much in this area continues to evolve, it is an area to watch carefully as it is currently the focus of increased state and federal
attention.
Vision Service Plan, Inc. v. United States of America, 265 Fed. Appx. 650; 2008 U.S. App. LEXIS 2388; 2008-1 U.S.
Tax Cas. (CCH) P50,160; 101 A.F.T.R.2d (RIA) 656.
1
378
23.3.10
Disasters
Like most other U.S. business organizations, a disaster (natural or otherwise) poses huge risks to
both the financial solvency of MCOs as well as to its covered members. A MCO must perform a comprehensive assessment of the risks to the organization and its ability to provide access to healthcare
for its members if a disaster strikes. A MCO needs to use comprehensive, multi-disciplinary teams to
brainstorm and identify the risks to the operation of the organization and its business.
23.4
In order for an MCO to effectively manage risk, the board must be actively aware and engaged.
The board should require reporting on these efforts on a regular basis. The board is obligated to be
familiar with the risks facing the organization. The board should be advised of and educated about best
practices for governance. The board and the leadership team should also require that risk management
efforts and reporting within the MCO be multi-disciplinary.
The leadership team should foster an atmosphere of shared responsibility and cross-pollination. If
the leadership team establishes shared responsibility and reporting as a goal of the organization, then
the underlying efforts will take root and yield more fruitful results.
23.4.2
In todays marketplace, it is imperative for a MCO to have robust medical cost containment
programs. Over the past few years many MCOs have added to traditional utilization management
programs, such as case management, to add many additional and much more aggressive programs.
For each of these programs, predictive modeling is utilized to estimate savings. But, more importantly, each program is analyzed from an actuarial perspective to determine its return on investment.
These programs may include, among other things, health coaching, focused disease management,
prior authorization of targeted services based on evidence-based medicine, and fraud prevention and
recovery.
379
Traditional financial risk management (including the use of insurance to transfer risk, review of
reserves, risk based capital, and investment portfolios) continues to play an important role in an overall
risk management program for a MCO. However, the financial risk management review is now more
inextricably linked with medical review of risk. With the increased usage of actuarial analysis, medical
risks are now assigned quantitative values and can be viewed against the financial portfolio for a truer
sense of the organizations actual global risk. The medical risks can now also be evaluated against and
side-by-side with financial and other operational risks so that the MCO can strategically focus its risk
mitigation efforts.
23.4.4
Key Staff
In order to successfully manage risk, the MCO must have identified staff that is responsible and
trained to perform these functions. A MCO should have some staff trained in risk management available to provide the following functions:
23.4.4.1 Rapid Response Team
A rapid response team is a multi-departmental team that is ready to convene on short notice when
a critical, time sensitive issue must be addressed. There can be one such team within an MCO or many
such teams charged with different types of risk scenarios (one for medical or member risk, one for
financial risk, one for disasters, etc.). All members of such a team must possess risk management skills
and training and should be familiar with the subject risk.
23.4.4.2 Dispute Resolution Contact, Risk Manager, or Ombusdperson
While a rapid response team can provide crucial input on a complex issue, often a risk arises that
requires rapid resolution when it would be impractical or unnecessary to convene such a team. In that
instance, a MCO should have a primary contact person or corporate risk manager available who can
competently handle the matter. It is imperative for that person to have excellent judgment and significant contacts and recognition throughout the company so that these sorts of issues will make their way
to him or her for resolution. Part of the risk managers role is building awareness of what risk is and his
or her role in mitigating risk. This can be done through trainings and meetings. It is also very important
for the risk manager to be closely linked with the executive team, government affairs, and public relations, as it is those areas that are most often contacted on high profile matters. For the risk manager to
succeed in this role the leadership team also needs to get behind the risk manager and let it be known
throughout the company (and with key external contacts) that he or she is acting with authority.
380
The office of the general counsel plays a crucial role in risk management within a MCO. In most
MCOs, lawyers are involved in most aspects of the business. As a result, they are often able to see
trends and issues across spectrums sooner than those who work in one area. In house lawyers manage risk every day in their work. As a result, all lawyers within the general counsels office should
understand their role in the risk management structure of the organization as it pertains to their areas
of expertise. One lawyer should always be available for the rapid response team that covers issues that
straddle many areas of expertise. In that role, general risk management skills are necessary.
At the global level, the general counsel can play a significant role in encouraging the advancement
of the risk management program and promoting its use. The general counsel should advocate for the
implementation of business interventions that will minimize or quantify risk and work closely with the
chief financial officer to lead the organization on these efforts.
23.4.4.3.2 Contracts
Lawyers can also play a significant role in the use of contracts to share or transfer risk. To the
extent possible, lawyers should seek to mitigate the risk the company takes on or educate the business
team about how contracts impact the companys overall risk profile. For example, a current trend in
healthcare provider contracting is to pay for performance. When using such as reimbursement methodology, a lawyer should educate his or her clients as to how uncertain debt obligations create greater
financial risk for the organization. The lawyer can also educate the clients in the use of contracts to
provide some measure of business and financial stability. For example, longer-term contracts allow the
MCO to project anticipated income out over a longer period of time.
23.4.4.4 FinanceChief Financial Officer, Treasurer, Actuarial
The Chief Financial Officer (CFO) and Treasurer play key roles in risk management. Traditionally, the CFO has held responsibility for the financial risk of the company as it related to reserves,
risk based capital, and the investment portfolio. More recently, the role of the finance department
has expanded. Because of Sarbanes-Oxley and similar laws, many organizations have implemented
internal controls, particularly as to their finances. The internal audit team often has responsibility for
this function. Actuarial analysis has become increasingly important and it is utilized to take data on
risk from other areas and interpret that risk into quantifiable values so that it can be compared, apples
to apples, with other risk in the company. In the current economic environment, the treasurer may
face increased scrutiny as to the financial portfolio and must use the financial resources to match the
MCOs risk tolerance and capital needs. This coordination of information throughout the company
has allowed the CFO to have a much closer handle on the real global risk the company faces. The
CFO then uses this information to communicate with the board of directors and to mitigate that risk
through insurance, portfolio adjustment, planning, investing, and other strategies.
381
382
23.5
Commentary
Risk Management in MCOs has evolved over the last several years from a silo approach
(medical risk versus financial risk) to a more integrated, corporate risk management approach.
While some MCOs have implemented ERM, most have not fully adopted this concept. The
question is how to get there from here.
Adoption of an enterprise approach to risk management must start at the top. Boards of directors of both for profit and nonprofit organizations are being held increasingly accountable for
the financial stability of the organization. An ERM program will provide the directors with a
better sense of the global risks facing the organization and how the organization is addressing
those risks.
The process of implementing ERM is described in detail in Chapter 2. For a MCO to implement ERM, the MCO will need to undertake a comprehensive assessment of its risks (financial,
medical, and operational) and its risk tolerance. The identified risks must be analyzed and
quantified. The MCO then needs to prioritize the risks for implementation and risk mitigation purposes. The MCO should consider implementing a new or modified risk management
structure to support the ERM program. While that may include naming a Chief Risk Officer,
it may be as simple as having all risk management programs report up to the same leader
or leaders. Some MCOs may consider ERM an umbrella that encompasses its existing risk
management efforts, and choose to focus their efforts on only a select number of programs
that monitor higher level risks. The ERM program should be led by the chief financial officer,
with guidance from the general counsel and should be required to report up to the board of
directors.
Through an enterprise risk management program, a MCO can get a better handle on its global
risk because better integration and better coordination will lead to better outcomes. An organization that knows its risks and has taken an integrated approach to mitigating those risks
can create a competitive advantage for itself in the marketplace. ERM can provide the structure for strategic decision-making that can result in that competitive advantage. By knowing
its risk, an MCO can act sooner to mitigate risks and perhaps get ahead of the competition in
positioning itself for future success.
23.6
Conclusion
There has been no standard approach to risk management in MCOs. The risk management approach
of MCOs has changed over time from a silo approach focused on medical and financial risk to a more
integrated approach where medical risk is considered part of the financial risk and analyzed side by
side. Most MCOs are considering implementing ERM, but many have not done so. To do so will
require adoption at the board and leadership level and deeper integration amongst risk management
efforts. Implementing ERM should position a MCO for strategic opportunities and should strengthen
a MCOs ability to withstand a significant risk event.
383
24
ERM in the Context of Mergers, Acquisitions,
Divestitures, and Joint Ventures
Daniel G. Hale, Esq.
General Counsel, Trinity Health1
24.1
Introduction
Due diligence in the context of Mergers, Acquisitions, Divestitures or Joint Ventures (Strategic
Transactions) is one of the oldest and most frequently practiced form of enterprise risk management
(ERM). In their simplest terms, the aim of each process is to discover, understand, and quantify areas
of specific concern or threat to an organization in the broadest sense, and then to develop a strategy
for addressing those concerns. In the due diligence process, just as in the ERM process, those areas of
concern may be as broad or as narrow as the organization wishes; but in each case, it is important for
the organization to have a clear understanding of what it intends to do with the results of the process.
A sound due diligence process is designed to discover as much as possible about the other party or
parties to a forthcoming Strategic Transaction in order to make an informed judgment about whether
or not to proceed or how to change the anticipated terms to accommodate the risks identified.
24.2
Definitions
There is no universally agreed upon definition of the term due diligence in the context of Strategic Transactions. Blacks Law Dictionary says that due diligence means A prospective buyers
or brokers investigation and analysis of a target company, a piece of property, or a newly issued
security.2 Some have defined due diligence from the buyers perspective as meaning that level of
inquiry and investigation of the Target companys business, finances and operations necessary to provide the potential purchaser with adequate information about the business and affairs of the Target.3
Still others have defined due diligence from both the buyers and sellers perspective as the affirmative duty to ensure compliance with disclosure obligations and the investigation that is part of nearly
every corporate acquisition, whether out of an affirmative duty or a thought to a future defense.4
The author greatly acknowledges the assistance of Joshua Moore, Staff Attorney, Trinity Health.
Blacks Law Dictionary (8th ed. 2004).
3
McMillan, Michael K., Due Diligence In Health Care Mergers And Acquisitions, Commercial Law and Practice Course
Handbook Series, p. 783 (Practising Law Institute April-May 1996).
4
Katz, David A., Due Diligence In Acquisition Transactions, June, 2007 Practising Law Institute PLI Course Handbook,
Conducting Due Diligence 2003, 579-580.
1
2
385
No matter how it is defined, however, Strategic Transaction due diligence is consistent with the
ultimate purpose of ERM as defined by the Commission of Sponsoring Organizations of the Treadway
Commission:
Enterprise risk management is a process, effected by an entitys board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.5
The description of the purpose of due diligence by one commentator is remarkably similar:
The purpose of due diligence in the context of a proposed acquisition transaction is to provide
the potential acquirer with sufficient information regarding the target company so that the acquirer may make a reasoned decision as to whether or not to pursue such a transaction and, if
the decision is made to pursue such a transaction, what the appropriate terms and price might
be. The decision made with respect to price must also consider potential liabilities, including
any post-transaction indemnification obligations.6
24.2.2
While there is no universally accepted description of a due diligence process, due diligence can
be productively analyzed as having three distinct phases:
Phase I: Very preliminary inquiries directed to the other party or parties to a potential transaction
to determine if there are any deal killers that would make further efforts useless. Issues that could
arise in this Phase might include the loss of a license to operate essential services, banishment from
participation in Medicare, or similar concerns that might stop any interest in proceeding.
Phase II: This phase of due diligence is often the most extensive inquiry, leading to intense scrutiny of financial and operational issues. Issues that arise in this phase of due diligence might also
result in deal killers, but they are more likely to result in changes to essential terms of the Strategic
Transaction such as price, control, or other key transactional issues.
Phase III: After the inquiries in Phases I and II, Phase III is generally directed at essential information needed to bring the Strategic Transaction to a close. Matters such as licensing verification,
corporate good standing, and similar issues are most often Phase III concerns, although it is certainly
possible that an issue could arise that would jeopardize the transaction itself. Much of the information
gathered in Phase III is likely to be directed toward ensuring a smooth transition to the new business
model.
Enterprise Risk ManagementIntegrated Framework: Executive Summary, Comm. of Sponsoring Orgs. of the Treadway Commn (2004), available at http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf.
6
Katz, supra note 4, at 582.
5
386
24.3
Strategic Transactions have the potential to greatly affect any organizations ERM program. For
the healthcare organization, the potential that a Strategic Transaction will affect its ERM program is
even greater based on the intense regulatory framework within which healthcare organizations operate. As a result, from the time that an organization begins contemplating a Strategic Transaction, the
organization must give consideration as to how the transaction may affect its ERM program. The due
diligence process is designed in large measure to discover those matters that need to be considered
from an overall ERM perspective and to ensure that those risks are not discovered after a Strategic
Transaction closes.
Typically, the first formal document that sets forth the parties early discussions is a letter of intent.
This document may or may not bind the parties to complete the transaction, but typically the parties
reserve the right to not complete the transaction pending satisfactory conclusion of the due diligence
process, regulatory approvals and final governance approval.7 Other issues, such as confidentiality
provisions and standstill agreements to preserve the status quo during negotiations, are also typically
addressed in the letter of intent. Because certain risks can still affect a healthcare organizations ERM
program at the letter of intent stage of a transaction, these risks should be considered at the early stages
of discussing and drafting a letter of intent.
24.4
One of the most important aspects of a Strategic Transaction with another healthcare organization,
through which the healthcare organization acquires, merges or divests corporate interest, is the due
diligence process. Phase I of the due diligence process begins after each healthcare organization and
their boards and/or management teams have made a decision that a proposed transaction may be in the
best interests of each healthcare organization and have some formal agreement describing their intent
to explore the possible transaction. The finalization of the transaction is generally contingent on final
approval by the board and/or management after all phases of the due diligence process is complete and
both parties desire to proceed with the transaction.
The due diligence process gives a healthcare organization the opportunity to review corporate,
business and operational records, and documents related to all aspects of the other healthcare organization. This allows governance and management of a healthcare organization the opportunity to identify
the risks and liabilities of the other healthcare organization, and it provides them with information
measuring both the potential and outstanding risks and liabilities of the other healthcare organization.
Based on the information obtained during the due diligence process, the board and management can
then make an informed decision to finalize, or close, the proposed transaction or withdraw from the
proposed transaction altogether.
Typical language to avoid inadvertently committing to closing a transaction is as follows: Both Parties reserve the
right, in their sole discretion, to reject any and all proposals made with regard to a potential strategic relationship and to
terminate discussions and negotiations with the other at any time. Without limiting the preceding sentence, nothing in
this Agreement requires either Party to enter into a strategic relationship or to negotiate such strategic relationship for any
specified period of time.
387
When a healthcare organization enters into a Strategic Transaction with another healthcare organization, certain of the other healthcare organizations risks and liabilities may be assumed by or
transferred to the acquiring or merging healthcare organization. Conversely, when a healthcare organization divests itself of certain interests through a Strategic Transaction, some of that organizations
risks and liabilities may be retained after the transaction closes. The object of a due diligence process
(coupled with thoughtfully crafted documentation) is to ensure that the assuming or the retaining of
risks and liabilities are done deliberately with full knowledge of any associated risk.
Whether the risks and liabilities of the acquired or merged healthcare organization are transferred
to the surviving healthcare organization is highly dependent on the structure of the transaction.8 These
pre-existing risks and liabilities may take many forms, such as financial, legal, quality, or other risks.
As noted previously, the underlying principle of a healthcare organizations ERM program provides that a board should have adequate plans to protect its assets.9 The due diligence process in a
Strategic Transaction becomes an integral part of a healthcare organizations ERM program because,
regardless of the type of Strategic Transaction, it is likely that certain risks and liabilities may be
transferred or shifted through the transaction. Thus, identifying these risks and liabilities at an early
stage allows a healthcare organization to have the opportunity to measure the risks and liabilities
proactively. Additionally, because acquisitions, mergers, divestitures, and joint ventures potentially
include risks and liabilities that encompass multiple business units across a healthcare organization,
integrating these transactions, and specifically the due diligence process, into a healthcare organizations ERM program allows the pre-existing risks and liabilities to be addressed and managed more
effectively. Further, it provides for a global perspective of the risks and liabilities at the board and
senior management levels.
More specifically, a proper in-depth analysis of the organizations risks and liabilities during the
due diligence phase of the transaction serves three purposes. First, it provides for identification of
the risks and liabilities that will be assumed, transferred, or retained by the healthcare organization
through the transaction. Second, it allows the healthcare organization to gauge and understand the
ERM program of the other healthcare organization and allows the healthcare organizations own ERM
program to have an opportunity to assign priority to those risks and liabilities. Finally, and possibly
most importantly, it provides the business unit(s) that have responsibility and accountability over the
specific risks or liabilities identified during the due diligence process with the opportunity to proac-
The various transaction structures through which an organization acquires or merges with another organization are
discussed in more detail below in the following Part.
9
See chapter 1.
8
388
The structure of a Strategic Transaction will have a direct impact on how the existing risks and
liabilities of another healthcare organization may be transferred. Even though the transaction documents may describe allocation of risks and liabilities between the parties, careful consideration should
be given to selecting the transaction form that best suits the needs of the parties with regard to that
allocation determination. A proper identification and prioritization of the risks and liabilities that are
transferred during the due diligence process allows a healthcare organization to proactively mitigate its
ongoing risks and liabilities. For this to occur, awareness of the benefits and risks of the transactions
structure by the board and management of a healthcare organization is crucial. The more common
transaction structures in the healthcare industry, and the potential transfer of risks and liabilities that
occur through these types of transactions are briefly summarized below.
24.6.1
Statutory Merger
A statutory merger occurs when two separate healthcare organizations agree to join, or merge, and
form one successor healthcare organization. When a statutory merger occurs, the risks and liabilities
of both healthcare organizations are generally transferred to, and assumed by, the successor healthcare
organization. The assumption of risks and liabilities extends not only to disclosed or known risks and
liabilities, but also to those risks and liabilities that are undisclosed or unknown at the time of the
transaction. Thus, the due diligence process is instrumental to the successor healthcare organizations
ERM program, as it will form the framework in which the successor healthcare organization identifies
and prioritizes the risks and liabilities that will exist after the transaction closes.
24.6.2
Another common Strategic Transaction occurs when a non-profit healthcare organization acquires
the membership or directorship interest of another non-profit healthcare organization. In this type of
transaction, the risks and liabilities of the acquired healthcare organization remain with the original
healthcare organization, but because of the substitution of membership or directorship, the liabilities
of the acquired organization become those of the family of organizations of the acquirer unless the
transaction documents are able to carve out certain assets and the risks and liabilities associated with
those assets.
As is the case with a statutory merger, the acquiring healthcare organization assumes undisclosed
or unknown risks and liabilities as well as the disclosed or known risks. Therefore, the due diligence
process is also instrumental to a healthcare organizations ERM program when it acquires another
healthcare organizations membership or directorship interest. Again, this process will provide the
framework through which the acquiring healthcare organization identifies and prioritizes the risks and
liabilities that the acquiring healthcare organization will assume.
Enterprise Risk Management for Healthcare Entities, First Edition
389
Asset Acquisition
In an asset acquisition, all or certain of the assets of one healthcare organization are transferred
to another healthcare organization. Unlike a statutory merger or the acquisition of a membership or
directorship interest of a non-profit organization, the risks and liabilities that are assumed by or transferred to the acquiring healthcare organization, and which will become part of the acquiring healthcare
organizations ERM program, are generally more limited and specific.
In an asset acquisition, the terms of the transaction documents generally control the risks and
liabilities that will be assumed by, or transferred to, the acquiring healthcare organization.10 In this
respect, the acquiring healthcare organization has some measure of control over the risks and liabilities
that it assumes. Many times, these risks and liabilities only extend to risks and liabilities associated
with the actual assets that are acquired. Thus, the transactions impact on managing and monitoring the
acquiring healthcare organizations ERM program will be much less substantial than that necessary
in a statutory merger or acquisition of a membership or directorship interest of a non-profit healthcare
organization.
24.6.4
A type of acquisition that is specific to the healthcare industry is a physician practice acquisition.
In this type of transaction, a healthcare organization acquires the practice of a physician or a physician healthcare organization. When this occurs, the acquiring healthcare organization may or may not
assume the existing risks and liabilities of the practice it is acquiring, depending on the negotiations of
the parties. State or federal regulations and the specifics of a transaction will determine what can and
cannot be transferred or rejected.11 For example, in some jurisdictions patient records can be subject
to sale and in others not. Therefore, the due diligence process in these types of transactions need to
be tailored to the risks and liabilities that the acquiring healthcare organization will assume or have
transferred to it in order for the acquirers ERM program to identify and prioritize these risks and
liabilities.
24.6.5
When a for-profit healthcare organization is acquired by another healthcare organization, the risks
and liabilities assumed by the acquiring healthcare organization may be limited to the assets of the
company whose stock it acquires. Although liability may be limited in a stock acquisition, the attendant
risks and liabilities of the acquired for-profit healthcare organization still pose issues for the acquiring
healthcare organizations ERM program. Although risks or liabilities that materialize after the acquisition may not directly impact the assets of the acquiring healthcare organization, they nonetheless have
the potential to substantially reduce the value of the acquiring healthcare organizations investment by
reducing the value of the acquired for-profit healthcare organization.
Some laws may supercede the terms of the transaction documents and affect the allocation of risks and liabilities.
Id.
10
11
390
24.6.6
Divestitures
While due diligence is generally perceived to be the buyers burden and prerogative in a Strategic
Transaction, the seller also has a unique interest is pursuing due diligence on itself. Nearly every Strategic Transaction final agreement will call for the Seller to make representations and to give warranties
regarding the business or assets being sold. While lawyers often disagree over the standard to be used
for measuring the degree of inquiry to be undertaken by the seller (ranging from no representation
or warranty at all, to the best of knowledge not having undertaken an independent inquiry, to strict
liability), it is almost certain that a failure to disclose what was known in some parts of the business
or knowable with little effort could lead to liability down the road. In fact, many agreements contain
a provision to withhold a portion of the purchase price in escrow for a period of time to reduce the
ultimate price if undisclosed liabilities surface later.
In addition, the seller may have legitimate due diligence concerns about the buyer and its ability
to actually close the transaction or to make good on promises it will make at the transactions closing
(for example, promises regarding employment conditions for the sellers employees post-closing). As
a result, sellers as well as buyers should take the due diligence process seriously and actively participate in it.
24.6.7
Joint Ventures
Aside from acquisitions, mergers and divestitures, healthcare organizations enter into other forms
of transactions with each other, commonly described under the very general heading of joint venture. The transactions may actually be a true joint venture, a partnership, a limited partnership, a
limited liability corporation, or some other form of legal entity or organization, each of which carries
its own unique risks.
The risks and liabilities associated with these types of transactions are distinct from the risks and
liabilities associated with a more traditional acquisition or merger. In a joint venture, a healthcare
organization generally does not assume any existing risks or liability of its joint venture partners.
Therefore, an in-depth review of the joint venture partners corporate records and documents generally
does not occur.
However, risks and liabilities may arise out of the joint venture operation and consequently be
shared between the partners. Thus, much like when a healthcare organization acquires the stock of a
for-profit organization, the value of the healthcare organizations investment in the joint venture may
be reduced, or wiped out entirely.
In this respect, it becomes even more imperative for a healthcare organization to incorporate its
ERM program into the joint venture. Minimally, a healthcare organizations ERM program should be
in a position to review the ongoing operations of the joint venture to assess risks that may arise out of
the joint venture operation.
391
In a Strategic Transaction, the risks and liabilities stretch across all units of the healthcare organization. Some of these risks and liabilities are general risks and liabilities that organizations in all
industries encounter, while some are very specific to healthcare organizations.
Most of the risks and liabilities discussed in this section have also been addressed in other chapters
in this book. However, since a Strategic Transaction has the potential to involve substantial risk to the
healthcare organization, some of the more significant, as well as some of the more common, risks that
need to be identified in the due diligence process in furtherance of the organizations ERM program
are discussed briefly in this section. The scope and depth of the review in each of the following areas
should be tailored to the structure of the transaction, and the risks and liabilities assumed or divested
by the healthcare organization, as determined by both the structure of the transaction and the transactional documents themselves. NOTE: The following discussion is necessarily a brief overview of
specific issues that should be highlighted during a due diligence review. It is not a comprehensive
list of issues or a comprehensive discussion of specific inquiries that should be made during a
due diligence process. There are many published lists to assist in due diligence processes, including
several in the meeting materials from the Annual American Health Lawyers Association Meetings.
24.7.1
It is important for the health care practitioner to understand that no due diligence will ever be perfect, and thus it is even more important for the practitioner to have a discussion with his or her client
about the limitations of due diligence in order to avoid subsequent misunderstandings. Ascertaining
whether a company is in full compliance with all applicable laws at any one point in time is nearly
unattainable, either internally as a manager or externally as an investor assessing corporate performance or a community concerned with regulatory or corporate accountability. Generally speaking,
there is no single management or monitoring system that comprehensively assures full compliance
with all legal requirements on a continuous, uninterrupted basis.12
24.7.2
24.7.2.1
Corporate Organization
One of the most important aspects regarding general risks and liabilities relates to corporate
organizational issues. Specific corporate organizational issues to consider include the good corporate
standing of the organization (whether or not all forms have been properly filed and approved by
the applicable state and local jurisdictions), officer and director actions, and valid 501(c)(3) status
for non-profit organizations. To identify these risks, a review of the organizations corporate records
(articles, bylaws, resolutions, and minutes) should be undertaken during the due diligence process.
Monsma, David and Buckley, John, Non-Financial Corporate Performance: The Material Edges Of Social And Environmental Disclosure, 11 U. Balt. J. Envtl. L. 151, 152 (2004).
12
392
393
24.7.3.1
In the tax-exempt setting, the biggest potential tax risk to a healthcare organization may be the
other organizations 501(c)(3) status and challenges to that status. While this is especially true in
Strategic Transactions involving merger or acquisition of a membership interest, there are real tax
implications to many other transactions, especially those characterized as joint ventures above.
If the transaction is with another tax-exempt entity, the due diligence should confirm that
501(c)(3) status exists and that there are no pending challenges to that status. This analysis should be
more than a simple check of the status, but should also include an in-depth review of key issues such
as the organizations charity care policies and practices, general community benefit practices, and
compensation levels and processes to ensure that those policies and practices support the organizations 501(c)(3) status.
394
13
395
When two organizations come together, through merger, acquisition, joint venture, or any other
transactional form, the single most overlooked aspect of due diligence is the compatibility of the culture of the two organizations. No two organizations function in exactly the same ways, no matter their
apparent similarities. Business goals can be quickly undermined by the inability of the two cultures
to adapt and to move toward integration. ERM processes should ensure that due diligence includes an
effective assessment of the two cultures and a clear understanding of what it will take for the two organizations to successfully integrate, including the retention of key employees to help assure a smooth
transition or integration of the organizations.
396
24.9
Managing Costs
Due diligence processes can be very expensive. Parties to a transaction often engage outside
professionals to conduct all or parts of the due diligence process. Outside counsel, consulting firms of
various kinds and even outside clerical support to assist with the gathering and collating of data and
document requests are a few of those third parties that may be involved.
Because the rational of many Strategic Transactions is often to save costs by consolidation of
expense categories among the transactions participants, it is not uncommon to have the expense of
due diligence challenged by business operations. This is especially the case when the transaction itself
involves business enterprises with small dollars involved, but in which there is a great deal of regulatory risk if noncompliant matters are not discovered.
Accordingly, those in charge of conducting due diligence processes need to be advocates for the
value of the process and remind management periodically of the potential cost to the organization if
discoverable risks go undiscovered and later create significant financial, regulatory, or reputational
issues for the organization.
24.10
24.10.1
Because due diligence is potentially a long, expensive, and complex process, it is essential to its
success that there be a clearly established leader to manage all aspects of due diligence. That position
is often, but not necessarily the lead lawyer involved in the transaction. Organizations that have a
designated business development team may choose that function to lead the process instead. In any
event, it is essential that there be one point of contact through which all due diligence requests and
responses flow.
That due diligence leader should assure that an accurate log of all incoming and outgoing responses
is maintained and that the appropriate peopleand only the appropriate peoplehave access to the
documents necessary to conduct the analysis. Limiting the contacts between the parties to one central
contact point will also avoid needless duplication and more easily resolve disagreements between the
parties.
24.10.2
Checklists
Due diligence checklists range from the simplistic, to the complex and sophisticated, to the overwhelming and over-reaching. However, because it is impossible to anticipate every issue that may
surface during due diligence, it is important that checklists be somewhat flexible, with some issues that
barely surfaced during the early stages taking on greater importance later, while others that seemed
urgent drop out of sight.
In addition, due diligence lists and questionnaires are by their very nature subject to interpretation
and often raise issues or concerns in the receiving party. For those reasons and others, it is critical to
Enterprise Risk Management for Healthcare Entities, First Edition
397
As noted above, there are at least three discernable Phases in a due diligence process: (1) early
due diligence designed to confirm preliminarily that the Buyer does indeed have an interest in the
transaction and that there are no obvious deal-breaker issues, (2) the earnest due diligence phase that
is most labor intensive, and (3) the integrative phase where the Buyer continues to examine the Seller
in detail but primarily for the purpose of assessing integration strategies after the deal closes. The key,
however, is to begin the entire processand subsequently each stage of the processas early as possible. The bulk of due diligence in the acquisition transaction takes place before the acquirer agrees
to proceed with the acquisition. It becomes a very expensive process for the acquirer if it chooses to
terminate the process or to bear extra costs if items which should have been taken into account during
the due diligence investigation arise later in the process.14
24.11
There is no consensus way to document the results of the due diligence process. Some prefer written reports, while others prefer oral presentations with accompanying visual aids. If there is a concern
about the ability of the organization to maintain the confidentiality of the report, clearly the oral report
format should be preferredespecially if given by counsel under the protection of privilege. What is
essential is that the decision-makers within the organization receive a full report and have time to ask
questions regarding the report and its process, and that the report-giver adequately document for his or
her own purposes the details of the report and the context in which it was given.
24.12
Commentary
Healthcare businesses are highly regulated and complex. In the current environment, regulation
changes frequently and the business itself is undergoing constant change. For example, in the world
of tax-exemption alone, the advent of the new IRS Form 990 is likely to substantially increase the
public and governmental scrutiny of tax-exempt organizations and may significantly change the regulatory landscape. It is essential for practitioners to understand, and for them to educate their clients to
understand, that no due diligence process can ever be an absolute failsafe against unexpected surprises
that surface after a transaction is completed. Although there is often pressure to minimize either the
intrusiveness or the expense of due diligence, a part of the practitioners role is to educate her or his
client to the exposures that exist when due diligence processes or minimized. In that regard, it is often
helpful to ensure that the due diligence process is viewed as a team effort, including business leaders
and others in the organization, and not just a function of the legal or risk management department.
14
398
24.13
Conclusion
The matters discussed in this chapter are complex, and specific issues described can present significant risks to a healthcare organization. This chapter can do no more than provide an introduction to
some, but not all, of the many and varied issues that should be considered. There are many examples
of checklists for conducting due diligence available through the American Health Lawyers Association that provide more detailed guidance. However, readers are cautioned that no single checklist can
cover every issue that should be examined in a Strategic Transaction. Consulting with experienced
practitioners familiar with the complex regulatory world of healthcare is essential in minimizing risks
in such transactions.
399
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
25
Medical Tourism Risks: Have Patient Will
Travel To Thailand, India, and the Taj Mahal!!
Ila Rothschild, MA, JD1
Healthcare Attorney
25.1
Introduction
You, like millions of Americans, are either uninsured, under-insured or have high healthcare
insurance deductibles.
You are now in need of major surgery, be it a hip or knee replacement or a cardiac artery
bypass graft (CABG).
Upon researching the cost of obtaining this necessary medical treatment within the United
States, you have determined that your ability to obtain this needed care is cost prohibitive.
However, your Internet research uncovers the term medical tourism,2 where citizens of
highly developed countries travel to less developed areas of the world3 to obtain medical
services at a substantially lower cost than that provided in the individuals home country.
Its ironic. There was a time (and there still is) when foreigners traveled to the United States in
need of sophisticated medical care that their nation could not provide. Witness the Shah of Iran, who
traveled in 1979 to Manhattan to be treated for lymphatic cancer. Although, many adults and children
come to the United States for complex medical procedures, clearly the reverse is happeningthat is
U.S. citizens are taking the opposite journey, that of serving as medical tourists in countries outside of
the United States.
It is not uncommon for Americans to go to Canada to obtain lower cost pharmaceuticals. Many
Mexicans and retired Americans living in the Southwest travel to Mexico for lower cost dental care.4
The opinions stated in the chapter are merely those of Ila S. Rothschild, Esq., and not those of The Joint Commission.
A search of the term medical tourism in May of 2007 uncovers at least 777,000 sites. Michael D. Horowitz and Jeffrey A. Rosensweig, Medical TourismHealth Care in the Global Economy, November-December 2007, The Physician
Executive, 24 [hereinafter, Horowitz, Medical Tourism].
3
Id. at 24, 26, Table 1. The term medical tourist is synonymous with medical traveler. Both terms will be used
throughout the chapter.
4
Annette B. Ramirez de Arellano, Patients Without Borders: The Emergency of Medical Tourism, 31 Interl J. of Hlth
Services, 193, 194 (2007).
1
2
401
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
For those Mexicans traveling back to their home country for dental and medical care, they are in an
environment closer to family and health practitioners who speak Spanish and are familiar with the
Mexican culture.5
Recently, U.S. News and World Report6 chronicled the journey of Brad Barnum who traveled
from Ruidosa, New Mexico to Wockhardt Hospital located in Bangalore, India as he underwent successful knee and hip surgery.7 The surgery, including airfare, hotel and other costs totaled $28,000.8
These costs of travel, hospital, and physician draw a stark comparison to U.S. costs, which could have
cost Mr. Barnum approximately $125,000.9
The United States is at a critical crossroads with respect to providing affordable safe quality
healthcare. The statistics are staggering. As of 2006, healthcare spending for a family of four exceeded
the annual earnings of a minimum-wage worker.10 Between the years 2000 and 2007, healthcare premiums increased 91%, while wages only saw an increase of 24%.11 Moreover, many businesses and
insurance plans have restricted benefits. In fact, smaller businesses have been forced to triple the cost
of employee deductibles.12 The result has been that certain prescription drug benefits have been eliminated and dental and vision care have either been curtailed or totally eliminated by health plans.
In 2005, almost 47 million Americans lacked healthcare insurance, up from 31 million uninsured
in 1987.13 A recent study published by the Commonwealth Fund found that the number of underinsured Americans had risen dramatically.14 For the year 2007, approximately 14% of nonelderly
In response to the number of Mexicans and Americans traveling to Mexico, a number of marketing groups are building
additional hospitals in Mexico to cater to the influx of medical tourists. Grupo Empresarial Los Angeles, Mexicos largest
private hospital chain plans to spend $700 million and build 15 hospitals. The goal is to increase the number of Americans
utilizing its hospitals from 5% to 20%. Currently, Grupo Angeles hospital, in Tijuana, treated 40,000 patients in 2007.
Christus Health, a non-profit hospital chain based in Irving, Texas, has 6 hospitals in Mexico. Procedures performed at
these hospitals include hip replacements, spinal fusions, knee surgery and angioplasty. Christus will be building another
hospital across the border from Texas to attract more American medical tourists. Mexico Builds Hospitals to Lure Medical
Tourists from America, Bloomberg.com at 1-3, March 27, 2008, http://www.bloomberg.com/apps/news?pid=20670001&
refer=home&sid=audTNhllsFSg.
6
U.S. News & World Report, at 42, May 12, 2008.
7
Id. at 45. (Wockhardts hospitals in Bangalore and Bombay operated on about 850 U.S. patients in 2007, more than
double the 2006 total.).
8
Id.
9
Id. In addition, hospitals, like Miamis Jackson Memorial Hospital, cater to wealthy, international, and privately insured
patients. The hospital is developing a program of seamless medical care that goes from soup to nuts and arranges for
medical and hospital care, as well as transportation and other necessary travel and medical accommodations. Florida
public hospital goes five star route, Fierce Healthcare, July 9, 2006 (visited March 10, 2008), http://www.fiercehealthcare.
com/story/fla-public-goes-five-star-route/2006-07-10.
10
Arnold Milstein and Mark Smith, Will the Surgical World Become Flat? 26 Health Affairs 137 (January/February
2007) (hereinafter Milstein, Surgical World) citing California HealthCare Foundation, Health Insurance: Can Californians
Afford It? 3, 2005, http://www.chch.org/documents/insurance/Health Insurance Affordability.pdf.
11
C. Schoen, S.R. Collins, J.L. Kriss, M.M. Doty, How Many Are Underinsured? Trends Among U.S. Adults, 2003-2007,
The Commonwealth Fund, at w298 (June 10, 2008) (hereinafter Schoen, How Many Are Underinsured?).
12
Id. at w298 (citing authors analysis of data from Henry J. Kaiser Family Foundation/Health Research and Educational
Trust & Employer Health Benefits Surveys, 2000 and 2007.).
13
Nathan Cortez, Patients Without Borders: The Emerging Global Market for Patients and the Evolution of Modern
Health Care, 83 Ind. L. J. 71,72 (2008) (hereinafter Cortez, Patients Without Borders) (citing, Carmen DeNavas-Walt,
Bernadette D. Proctor and Cheryl Hill Lee, U.S. Census Bureau, Income, Poverty, and Health Insurance Coverage in the
United States: 2005 at 20, 23 (Aug. 2006), http://www.census.gov/prod/2006pubs/p60-231.pdf).
14
Schoen, How Many are Underinsured? at w299. (The article defined underinsured as insured individuals whose outof-pocket medical expenses amounted to 10% or more of their income (or 5% if they were low income individuals below
5
402
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
adults were underinsured and 25% of adults (49.5 million) were uninsured for all or part of the year.15
All told, 75 million adults or 42 % of the under-65 adult population had either no or inadequate insurance in 2007, up from 35% in 2003.16
Not surprisingly, an estimated 350,000 Americans sought medical care overseas in 2003, with
a projected number of six million Americans estimated to seek care outside of the United States by
2010.17 With the rise in healthcare premiums and deductibles; pre-existing conditions serving as the
vehicle by which insurance companies will not cover the condition for a specified period of time; the
desire of consumers to obtain procedures not covered by insurance (i.e. cosmetic surgery; fertility
treatment, drug rehabilitation; and gender reassignment), exorbitant medical practice insurance premiums, and a graying baby boomer tsunami,18 it is inevitable that Americans would turn elsewhere
for lower cost medical care. Used as a metaphor from a move with the same title, this conflagration of
factors has lead to the perfect storm of medical tourism.
This chapter will discuss medical tourismits advantages and risks. It will further focus on some
issues that have promoted and intensified the growing interest in medical tourisms, as well as discuss
those risks inherent when healthcare is obtained outside of the United States.
Part I will focus on the intricacy of factors that have influenced the choice of medical tourism
destinations and medical care. Part II considers the legal ramifications of medical tourism from the
perspective of providers, patients, physicians, and payors. The question to be answeredis medical
tourism merely a blip on the spectrum of healthcare services, or is it a service that will continue to
see growth and ultimately become a sophisticated new healthcare industry as Americans pursue quality healthcare at low cost?
200% of the federal poverty line) or if their deductibles equaled or exceeded 5% of their income.)
15
Id. at w300.
16
Id.
17
Howowitz, Medical Tourism at 24 (citing H. Baliga, Medical tourism is the new wave of outsourcing from India, India
Daily, Dec. 23, 2006, http://222.indiadaily.com/editorial/145858.asp. Contra Tilman Ehrbeck, Ceani Guevara, and Paul
D. Mango, Mapping the Market for Medical Travel, The McKinsey Quarterly, May 2008, http://www.mckinseyquarterly.
com/article_print.aspx?L2=12&L3=63&ar=2134.) (Hereinafter, Tilman, Mapping the Market for Medical Travel). (The
McKinsey Quarterly places medical tourism at 60,000 to 85,000 inpatients per year. However, this number does not
include individuals who obtain emergency medical care; medical tourists who travel abroad for wellness procedures like
massages or acupuncture; or expatriates who seek care.)
18
Bruce Einhorn, Medical Travel is Going to Be Part of the Solution; David Boucher of Blue Cross & Blue Shield of South
Carolina is forging alliance that allow members to go abroad for surgery and other procedures, Business Week Online,
March 18, 2008, http://www.business week.com/globalbiz/content/Mar2008/gb20080312_835774.htm (Last visited May
12, 2008). (Here in the U.S. you have the Silver Tsunami. In 2008, 365 Americans an hour will turn 62. Over half are
selecting early Social Security and many do not have employer-sponsored medical plans. The number turning 62 goes to
1.400 an hour by 2010 and the numbers continue to stack up until the peak of 2017.) See also, Jonathan S. Edelheit, The
U.S. Healthcare Crises: Rising Supply of American Patients, Medical Tourism, March 2008, 30, www.medicaltravelauthority.com (The author notes that there is a growing marketplace for medical tourisms in the U.S.Baby Boomers. As
the Baby Boomer generation gets older, they will place an extra burden on the US. healthcare system, and many will start
looking overseas for their orthopedic and cardiac procedures.).
Enterprise Risk Management for Healthcare Entities, First Edition
403
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
25.2
25.2.1
Among the factors to consider when traveling abroad to obtain medical care is the need to research
the political stability as well as the culture of the country being visited. Who is the main driver of
medical tourism in the country?19 If medical tourism is driven primarily or regulated strongly by
the government, there may be greater assurance that the international consumer would be adequately
protected because the countrys reputation would be at stake.20 An example of country driven medical
tourism is found in Dubai, United Arab Emirates, where the Dubai Health Authority (DHA) requires
all of its hospitals to be Joint Commission International accredited (see below).21 The Director-General
of DHA stated, This is not the end it is the start for us to continue offering special services across our
medical outlets, to take our work procedure a step higher, and develop the qualifications of the service
providers to comply and keep up with the rapid growth in Dubai.22 The Dubai government has raised
more than $100 million to develop medical facilities that will enhance medical care, research, and
education.23 With the assistance of Harvard Medical International, the United Arab Emirates plans to
develop a 435-acre state of the art Dubai Healthcare City before 2010.24
Similarly, in 2003, Singapores government launched the Singapore Medicine Initiative that is
meant to promote Singapore as a healthcare destination.25 American medical institutions (John Hopkins and Duke Medical Center) and pharmaceutical companies (GlaxoSmithKline and Novartis) have
collaborated with the Singapore government to promote excellence in healthcare.26
Regardless of a foreign countrys attempt to encourage and develop medical tourism, political events have had a profound impact on global economy and medical travel. Internal and external
conflicts, terrorism, and acts of nature (e.g. tsunamis, devastating earthquakes, and cyclones) have
prevented, from time to time, medical tourists from traveling to foreign countries for medical care. For
example, after September 11, 2001, the travel of individuals from the Middle East to the United States
was significantly curtailed. Between 2001 and 2003, travel from one country in the Middle East to the
United States saw a decline from 44% to 8%. Although, numbers have returned to the pre-9/11 level,
it took the political market over 6 years to adjust to its pre-terrorism numbers.27
For a number of years, the American Medical Association (AMA) has vocalized its concern
regarding complications involving international organ transplantation. The AMA, in a report to the
19
Darren Tan and Dr. Jeremy Lim, Selecting Medical Travel Destination, December 2007, Medical Tourism, 10 (Other
sources of information include the U.S. State Department regular travel advisory and the World Bank publicationGovernance Matters 2007).
20
Id.
21
UAE: JCI status for six more facilities, International Medical Travel Journal, March 20, 2008.
22
Id.
23
Josef Woodman, Patients Beyond Borders, 301 (2007) (hereinafter Woodman, Patients Beyond Borders).
24
Id. (Despite the United Arab Emirates push to create a mecca of medical tourisms, travelers who have an Israeli
passport or who have traveled to Israel, and have had their passports stamped, will be denied entrance into United Arab
Emirates. It is unfortunate that political/religious matters trump healthcare needs of travelers.)
25
Id. at 265.
26
Id.
27
Tilman, Mapping the Market for Medical Travel at 5.
404
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
2008 Annual Meeting of the AMA (held in Chicago June 14-18, 2008) expressed its concern with
transplant tourism or organ trafficking. The AMA defined transplant tourism or organ trafficking
as traveling to another country for the purpose of organ transplantation, [and] thereby increasing
the possibility of exploitation of donors through coercive practices including paid donation.28 In
its report, the AMA referenced a 2007 resolution that the AMA and the World Medical Association
(WMA) would collaborate to provide ethical guidelines regarding transplant tourism. Also referenced
was a 2007 World Health Organization (WHO) report of guiding principles on organ donation and
transplantation. The principles, entitled Global Knowledge Base of Transplants consist of an ambitious four-part program meant to protect the safety and rights of living donors; to disseminate laws
and regulations applicable to transplantation activities in Member States;29 provide information and
organization of transplantation services in Member States; and most importantly, collect and disseminate information on threats to the success of transplantation, including information on the safety and
ethics of practices and on measures to counter these threats.30 Of interest, 193 Members States are
members of WHO. Member States of WHO are defined as those countries that are members of the
United Nations and agree to accept WHOs constitution. Other countries may be admitted as members
of WHO when their applications have been approved by a majority of the World Health Assembly.31
India, Nepal, China, and Philippinescountries that have been cited for organ trafficking are members
of WHO.32 Clearly, much remains to be seen as to whether pressure on these countries to comply with
WHOs transplantation guidelines will lessen the occurrence of organ trafficking, and at the same time,
ultimately encourage ethical and legal transplants.
There are also many cases of medical tourists who travel to foreign countries to obtain procedures
that are either unavailable or illegal in the tourists home countries. For example, Americans travel
to Mexico for immunologic treatments banned in the United States, Germans acquire donor eggs
in Spain, [and] Austrian lesbians secure sperm abroad.33 We are also seeing a rise in reproductive
tourism that involves any number of personal and governmental issues: privacy, governmental regulatory authority, developing technology, and commercialismall of which vary in intensity from one
country to other.
The desperation of individuals who yearn for a healthy child are the driving force for medical
tourists to travel to the United States, Brazil, Spain, and Saudi Arabia to obtain, for example, preimplantation genetic diagnoses that will assist the prospective parents in determining whether they carry
a gene for Tay-Sachs or help the prospective parents in preselecting the babys sex.34
Other medical tourists are willing to pay $6,000-10,000 and travel to India to obtain the services
of a surrogate mother.35 In India, specialized clinics contract with poor Indian woman who agree
Report of the AMA Board of Trustees, Ethical Procurement of Organs for Transplantation, B of T Report 13-A-08).
Id.
30
Id. at 4, 5.
31
http://www.int/countries/en (Last visited June 27, 2008).
32
http://www.who.int/countries/en (Last visited June 12, 2008).
33
Debora Spar, Reproductive Tourism and the Regulatory Map, 352 NEJM 531 (Feb. 2005).
34
Id.
35
Jennifer Miller, Medical Tourism Ethics II: Outsourcing Wombs to India, Jan. 8, 2008, http://www.bioethicsinternational.org/?p=424 (Last visited Feb. 2, 2008).
28
29
405
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
to serve as surrogate mothers. The mothers are housed in clinic dormitories for the duration of the
pregnancy, where they are constantly monitored and provided with pre-natal healthcare.36 One might
cringe and feel that this is commercialism carried to its ugliest extreme. However, many of the surrogate mothers, who claim to love pregnancy, feel that the compensation they are given is empowering
them to provide homes and education for their children (most of these women live in households that
have yearly earning of merely $600).37
At the other end of the spectrum is the organization Dignitas, a Swiss not-for-profit organization
that provides aid-in-dying services for those individuals who are terminally ill. Dignitas, founded in
1998, has been headquartered, until recently, in an apartment complex located in the suburbs of Zurich,
Switzerland. For a fee of $6,800, foreigners wishing aid-in-dying can travel to the apartment complex
where they are given a lethal cocktail of barbiturates. Over the years, approximately 753foreigners
have used Dignitas services. In September 2007, Dignitas was evicted from its headquarters and has
resorted to assisting individuals to die in parked cars (akin to Dr. Kevorkians model of assisted suicide). The organization is currently seeking new space for its services.38
25.2.2
International Accreditation
One of the most critical pieces in ensuring that safe quality healthcare is provided abroad is to
investigate how medical care is provided and measured at foreign hospitals. Clearly, medical tourists
do not have the knowledge or expertise to guide them in determining what medical care standards
medical facilities must meet. The globalization of healthcare, however, is bringing to the fore the
importance of international accreditation by such organizations as the Canadian Council on Health
Services Accreditation and its international arm, Accreditation Canada International (ACI).39 ACI is
currently in communication with approximately 30 hospitals in the Middle East, North Africa, the
Caribbean, Latin American, and Europe.40 It has a cadre of over 550 healthcare professionals who
survey hospitals in Canada and abroad that wish to be accredited. ACIs purpose is to guide clients
through every step in the accreditation process: readiness assessment, self assessment, onsite survey, accreditation report, and post-survey coaching.41 Between surveys, ACI works with its clients,
through the philosophy of continuous quality improvement to assure that quality patient safety and
optimum services42 are the linchpins of service provided to the international medical traveler. ACI
Id.
Id.
38
Michael Leidig and Henry Samuel, Evicted Suicide Service Goes on Road, Nov. 10, 2007, http://www.smh.com.au/
cgi-bin/common/popupPrintArticle.pl?path=articles/2007/11/09/11943295009959.html# (Last visited June 15, 2008).
39
Kenny Koyle, International Expansion, The International Medical Travel Journal, Issue 04 2008 (Last visited May 17,
2008).
40
Id. Interview with Wendy Nicklin, President & CEO of the Canadian Council on Health Services Accreditation
(CCHSA).
41
Id.
42
Id. (Similarly, the Australian Council on Healthcare Standards (ACHS) was established in 1974 to improve the quality
of care provided by healthcare facilities in Australia. In February 2004, the ACHS decided to accredit hospitals outside of
Australia and thus established the Australian council on Healthcare Standards International (ACHSI). As part of its Evaluation & Quality Improvement Programme, ACHSI standards stress safe management of blood, fall prevention, continuity
of care between healthcare providers and infection control. Currently, hospitals in India, the Asia-Pacific and Middle East
have shown interest in ACHSI.)
36
37
406
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
has already accredited six hospitals in the Middle East. The latest hospital to be accredited is Sharjah
Teaching Hospital in Sharja, United Arab Emirates; it has 210 beds and over 114 dental chairs.43
Among all of the accrediting organizations, The Joint Commission is the oldest and largest
accreditation organization, founded in 1951. The Joint Commission evaluates and accredits nearly
15,000 health care organizations and programs in the United States, including more than 8,000 hospitals and more than 6,800 other health care organizations that provide long term care, assisted living,
behavior health care, laboratory and ambulatory care services.44 The Joint Commissions international affiliate, Joint Commission International (JCI), has evaluated and accredited hospitals outside
of the United States since 1999.45 JCIs accreditation mandate is ambitious. The JCI accredits foreign
hospitals, ambulatory care organizations, clinical laboratories, medical-transport organizations, care
continuum and certifies a number of disease or condition-specific services including primary care,
maternal and well-child care, chronic kidney disease, HIV-AIDS, oncology care, cardiac disease, and
diabetes care.46 Accreditation by JCI is rigorousthe entire process, up to the point of accreditation,
may take as long as four years. The facilities being accredited must collect data and show JCI surveyors that they have established a plan to meet patient safety and quality of care standards.47
JCI standards, though similar to The Joint Commissions standards, are modified to adapt to the
cultural needs and laws and regulations of countries outside of the United States.48 In addition to
developing standards that apply to the qualifications of physicians and nurses, matching medical care
to the needs of the patient, and establishing anesthesia procedures and safe use of medication, the JCI
collaborates with and assists the hosting countries in developing their own accreditation standards.49
Critical to this piece, is that patients be spoken to in their own native tongue. Most, if not all, JCIaccredited hospitals have medical and nursing staff who speak any number of languages, including
English and the languages of other medical tourists. Pursuant to JCI standards, privacy and confidentiality must be respected and medical recommendations and complete medical records must follow
patients upon their return to their native countries.50
In August 2005, in line with the JCIs mission to collaborate with foreign countries, the WHO
designated The Joint Commission and JCI as the worlds first WHO Collaborating Centre dedicated
Canada: CCHSA International Becomes Accreditation Canada International, International Medical Travel Journal,
http://www.imtjonline.com/news/canada-cchsa-international-becomes-accreditation-canada-international (Last visited
May 27, 2008).
44
The WHO Collaborating Centre on Patient Safety (Solutions), the World Alliance for Patient Safety and the Commonwealth Fund, Announce Action on Patient Safety (High 5s) Initiative, WHO Collaborating Centre on Patient Safety
(Solutions) News Release, Dec. 4, 2006.
45
Tom Otley, Accredit to the Nation, International Medical Tourism Journal, 01 2007, 32, 34.
46
Id.
47
Id. at 33.
48
Karen Timmons, The Value of Accreditation, Medical Tourism, December 2007, 12, 13. (An example of the JCI acceptance of cultural variation is in the arena of informed consent. Although most informed consent forms are filled out by the
patients, often in front of a witness, some cultures mandate that family members, other than the patient, are the only ones
who can consent on behalf of the patient.)
49
Id.
50
Id.
43
407
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
solely to patient safety.51 As part of this collaboration, a number of organizations, including the WHO
Collaborating Centre for Patient Safety, implemented the High 5s initiative, which will develop protocols for patient safety.52 The initiative, which includes the collaborative efforts of Australia, Canada,
New Zealand, The United Kingdom of Germany, the Netherlands, and the United States, is to achieve
significant, sustained, and measurable reduction or elimination of five highly prevalent patient safety
problems found in hospitals.53 The five most prevalent patient safety concerns include: (1) Prevention
of patient care hand-over errors; (2) Prevention of wrong site/wrong procedure/wrong person surgical
errors; (3) Prevention of continuity of medication errors; (4) Prevention of high-concentration drug
errors; and (5) Promotion of effective hand hygiene practices.54 As a means of incorporating these
protocols country wide, each country is expected to designate an agency that can enroll at least 10 hospitals to cooperate with this initiative. Tools, including patient safety indicators, root causes analyses,
adverse events, and cultural and economic indices,55 will be utilized as hospitals work to prevent harm
to patients and to promote high levels of patient safety.
Recently, the JCI launched an additional tool to assist foreign countries in evaluating, applying,
and implementing science-based evidence surrounding the relationship between design, patient safety,
and quality.56 Teams of clinical practitioners and engineers will help organizations to establish and
maintain an environment that promotes safe patient practices.57
To date, the JCI has accredited over 150 hospitals, approximately seven ambulatory care entities,
five clinical labs, and a number of disease certification programs relating to acute stroke, acute myocardial infarction and heart failure.58
Although foreign hospitals are to be applauded for their efforts to seek and maintain accreditation
and to have medical staffs that are trained in the United States and board certified, the question remains
as to whether patients will receive quality medical care. For example, patients who obtain surgical care
abroad are subject to complications from infectious diseases that may be indigenous to the foreign
country. India, Thailand, Malaysia, and Costa Rica have a higher incidence of tuberculosis, hepatitis
A, and amoebic dysentery, all of which could deleteriously impact patient recovery after surgery.59
Although patients may ask foreign institutions or physicians about surgical complications, it remains
difficult to verify whether the statistics quoted are correct.
WHO Collaborating Centre for Patient Safety Solutions, Joint Commission International Centre for Patient Safety,
http://www.jcipatientsafety.org/24971/ (Last visited May 12, 2008).
52
Joint Commission International Centre for Patient Safety, High 5s Project, http://www.jcipoatientsafety.org/24433/
(Last visited May 12, 2008).
53
The WHO Collaborating Centre on Patient Safety (Solutions), The World Alliance for Patient Safety and the Commonwealth Fund, Announce Action on Patient Safety (High 5s) Initiative, Who Collaborating Centre on Patient Safety
(Solutions) News Release, Dec. 4, 2006.
54
Id. at 2.
55
Id. at 3.
56
USA: JCI Launches New Consulting Programme, International Medical Travel Journal, March 20, 2008.
57
Id.
58
Joint Commission International, Joint Commission International (JCI) Accredited Organizations, http://wwwjointcommisioninternational.org/23218/iortiz/ (Last visited May 12, 2008).
59
Douglas W. Lundy, M.D., The Liability Implications of Medical Tourism, American Academy of Orthopedic Surgeons,
May 31.2008, http://www.aaos.org/news/aaosnow/feb08/managing 7.asp. (Last visited May 31, 2008).
51
408
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
Moreover, Americans take safe blood transfusions for granted, knowing that there are rigorous
standards in place to prevent the transfusion of tainted blood or incorrectly typed blood. As part of the
medical travelers due diligence, if there is a possibility the traveler may need a blood transfusion, the
patient should ask where the blood came from; were donors screened for HIV, hepatitis, syphilis, and
malaria; and how does the hospital ensure that the right blood is transfused into the right patient.60
One of the major risks of traveling long distances for medical care is postoperative venous thromboembolism (VTE). In a recent study, researchers found a number of factors that contributed to the
risk of VTE occurring (within 28 days post-op) in medical tourists who had traveled more than 5000
km to obtain surgical care.61 Factors contributing to the risk included, long periods of relative immobility (economy class syndrome), obstruction to venous return due to compression of popliteal veins at
the edge of the [airplane] seat, and possible dehydration due to decreased fluid intake or too excessive
use of alcohol during the flight.62 Another interesting point made by the study is that VTE developed
earlier in the post-operative stage, suggesting that VTE may have developed on the long flight to the
foreign country. 63 Medical travelers are urged to obtain medical evaluation prior to any long distance
flight. When arranging how much time a medical tourist should recuperate after major surgery, the
traveler, on the advice of his or her physicians, should build in significant post-operative recuperation
to minimize any post-operative VTE complications.64 Ultimately medical tourists should weigh the
benefits of traveling long distances for surgery versus the risks of post-operative complications.
25.2.3
Many foreign countries are well known for promoting and advertising medical tourism. For
example, Brazil is well known for hospitals and clinics that specialize in cosmetic surgery.65 Antigua
is best known for the treatment of substance abuse addiction.66 The rock star Eric Clapton founded
Crossroads Centre in 1997. In 2006, 87% of the clients visiting Crossroads were international patients,
with 73% coming from the United States.67 Barbados is well known for in-vitro fertilization and other
types of cutting edge reproductive procedures.68 Thailand and India boast top-notch cardiac and orthopedic procedures.
Singapore, for example, has at least eleven hospitals that are JCI-accredited and over 410,000
medical tourists traveled to Singapore in 2006 for medical care.69 As a means of encouraging Americans to travel to Singapore for medical and surgical care, three Singapore hospitals operated by
ParkwayHealth (Mount Elizabeth Hospital, Gleneagles Hospital, and East Shore Hospital) are now
Avery Comarow, Medical Tourism: Under the Knife in Bangalore, U.S. News & World Report at 42, 49, May 12,
2008.
61
Ognjen Gajic, M.D.; David Ol. Warner, M.D.; Paul A. Decker, M.S.; Rimki Rana, M.D.; Dennis L. Bourke, M.D.; and
Juraj Sprung, M.D., PhD, Long-Haul Air Travel Before Major Surgery: A Prescription for Thromboembolism? Mayo Clin.
Proc., 728 (June 2005).
62
Id. at 729.
63
Id.
64
See Woodman, Patients Beyond Borders at 13.
65
Woodman, Patients Beyond Borders, at 19.
66
Id. at 186, 187.
67
Id. at 187.
68
Id. at 188.
69
Three Hospitals in Singapore Join Companion Global Healthcare Network, PRNewsire, and March 6, 2008.
60
409
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
the first foreign hospitals that are set to provide medical care to members of BlueCross BlueShield
of South Carolina and Blue Choice.70 This affiliation, orchestrated by Companion Global Healthcare
Inc., serves the uninsured, insurance companies, and employer groups by providing for travel, medical
appointments, case management, and medical follow-up.71
Although many foreign hospitals have their own websites that detail the services provided by the
institutions, many medical travelers rely upon health travel agents or medical tourism companies
that have formed partnerships with leading hospitals in these countries that offer cardiovascular services, cosmetic surgery, dental care, neurosurgery, ophthalmology, and orthopedics.72 For example,
the website, HealthbaseHealthcare Beyond Boundaries, states that its primary purpose is quality
of care and that its hospitals, which are JCI-accredited, are screened based on the quality of care,
procedural availability, pricing, and overall patient experience.73 One of its hospital groups, Apollo
Hospital Group (located in New Delhi, India) has over 7,000 patient beds spread out among 38 hospitals.74 Escorts Hospital, also located in India, boasts that it performed over 9,756 angiographies,
2,707coronary interventions, and 5,519 cardiac surgeries in 2005.75
Countries that in the past had not allowed their hospitals to advertise their medical services are
now recognizing the economic advantage of promoting healthcare to medical travelers. One such
country is South Korea. In the past, South Korea had laws and regulations that did not allow its hospitals (considered as non-profit organizations) to advertise healthcare procedures.76 As soon as South
Koreas Parliament reverses its law preventing advertising, hospitals will be allowed to work with
travel agencies in order to provide a full cadre of services for the medical traveler, including air fare,
medical services, hotel accommodations, and even visits to local tourist attractions.77 By promoting
medical tourism to its neighbors China and Japan, as well as Russia and the United States, South
Korea hopes that it will increase the number of medical tourists to 100,000 in 2012, provide medical
care to 6,000 of its local natives, and add $900 million to its local economy.78
To provide information to the general public, The Joint Commission Internationals (JCI) website
has links to accredited hospitals in over 50 countries. By mouse clicking on the JCI site and Wockhardt
Hospital, for example, the medical traveler is immediately taken to the Wockhardt website where all
sorts of information are readily available. Wockhardts website recommends that the medical traveler
contact certain physicians through listed websites or phone numbers. The website also lists the physicians credentials as well as the physicians prior education and current hospital positions. By clicking
on the name of a randomly chosen physician the medical traveler is able to determine the previous
posts the physician held, his or her specialty, training, and teaching experiences. In fact, the website
allows the medical traveler to arrange an appointment with a physician and to email Wockhardt staff
Id.
Id.
72
Woodman, Patients Beyond Borders at 267.
73
http://www.healthbase.com/hb/pages/hospitals.jsp (Last visited March 10, 2008)
74
Id.
75
Id.
76
South Korea: Hospital Prepare for New Laws, International Medical Travel Journal, http://www.imtjonline.com/news/
south-korea-hospitals-prepare-for-new-laws (Last visited June 12, 2008)
77
Id.
78
Id.
70
71
410
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
regarding any questions the medical traveler might have. Furthermore, Wockhardt lists its collaboration with Harvard Medical International, which adds to the credibility of Wockhardt. Hospitals, like
Harvard, provide foreign hospitals with medical expertise, along with standards oversight and best
practices discipline.79 In addition to establishing protocols to deal with infection control and patient
safety, Wockhardt is participating in a global study to monitor infection rates in hospitals.80
Given that many of the foreign hospitals are accredited, the medical traveler must take an additional step in his or her inquiryhas any of the hospitals ever lost its accreditation and what types of
patient complaints have been filed against the hospital. Foreign hospitals should be forthcoming to the
medical traveler, although, as mentioned above, it is difficult to verify a hospitals data. Accreditation
organizations, like JCI, provide medical tourists with the most current accreditation information.
25.2.3
Concomitant in determining which foreign hospitals are appropriate for various procedures, the
potential medical traveler must painstakingly research the qualifications of the medical practitioners
who will be providing care to the traveler. Here, in the United States, there is a broad range of questions to ask of physicians or surgeons prior to obtaining medical care. Questions that should be asked
include the following: (1) Where did the physician obtain his or her undergraduate and medical school
degree; (2) Where did the physician complete his or her residency, did he serve as a chief resident, did
he or she go on for any fellowship in any particular specialty; (3) Is the physician board certified and
in what specialty; (4) Did the physician do any research in any particular specialty and under whom
did she train; (5) Where is the physician licensed (many physicians are licensed in more than one
state); (6)At what hospital(s) is the physician on staff; what medical staff privileges does the physician have; has the physician ever been suspended from the medical staff or had his or her privileges
revoked; (7)How does the physician keep his or her skills and knowledge current; (8) If the physician
is a surgeon, what kinds of surgery does the surgeon perform; how many operations does the physician perform in a year; does the surgeon have staff privileges to perform the surgical procedures at an
accredited healthcare facility; and (9) What is the physicians safety record? Has the physician been
involved in any adverse events or medical professional liability actions? In addition, consumers can
go to the American Board of Medical Specialties website, as well as other websites to obtain current
information on physicians.
Determining the competency of healthcare practitioners in foreign countries is more complex
due to the difficulty of verifying information obtained from the physician or medical travel agency.
The problem is that medical travelers are not as familiar with the type of training foreign practitioners obtained. Many physicians are board certified in the United States and then return to their
native country. Still others are trained at prestigious universities and hospitals throughout the world.
Websites of foreign hospitals or medical travel companies offer some guidance. For example, IndUShealth.com, a website devoted to assisting the medical traveler obtain healthcare in India, assists the
traveler in selecting the appropriate Indian hospital and physician depending upon the medical needs
Woodman, Patients Beyond Borders at 227.
Id. a t227. See also, http://www.wockhardhospitals.net/general/jci.asp (Last visited May 31. 2008).
79
80
411
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
of the traveler. The website lists the costs of obtaining any number of procedures in India (e.g. hip
replacement/resurfacing, knee replacement, CABG, gastric bypass, and laparoscopic surgeries). It also
lists the approximate cost of travel, airfare, obtaining passport/visa, ground transportation, hotels, and
meals.81
If the medical traveler ultimately decides that it is to his or her advantage to travel to a foreign
country for medical care, websites like the one for the International Society of Aesthetic Plastic Surgery (ISAPS) can offer guidance for travelers. With respect to obtaining plastic surgery, the medical
tourist is urged to check the ISAPS site that lists the names and addresses of over 1,600 internationally
certified plastic surgeons. The site also urges patients to check the physicians references, talk directly
to the doctor and the doctors staff, and discuss possible complications, aftercare, and appropriate
follow-up in the medical travelers home country.82 A website that has actual videos of surgical procedures being performed (whether they are cardiac, abdominal, or laparoscopic procedures) is that of the
National Library of Medicine. The website also gives the medical traveler advice on how to choose
the right physician for the specific surgical procedure.83 Despite having made as informed a decision as
possible, the medical tourist must also ponder the legal ramifications of obtaining potentially negligent
healthcare in a foreign land.
25.3
412
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
Hospital providers may be seeking to diversify their investment portfolio by entering into joint
venture or other business relationships in foreign countries. These providers may develop package
programs that encompass the full spectrum of medical and hospital care, along with transportation and
accommodations.
Payors will play an important role in the expansion of the medical tourism market with an increasing demand from patients to shift from the self-pay to a reimbursement model. Overseas medical
care has the potential to save payors money just as medical tourism cuts costs for individual patients.
However, the difficulty of assessing quality of care is a major barrier to payors offering coverage of
overseas procedures.
As physicians, providers, and payors journey into global alliances in non-U.S. countries, there
will be many unanswered legal questions. The legal uncertainty ranges from a variety of multidisciplinary issues from jurisdictional to public policy concerns.
25.3.1
Jurisdiction
As discussed above in the patient context, the classic issue is the hurdle of where the controversies
involving the medical tourism plaintiff be litigated? While most states have a long-arm statue that may
be applicable, (depending on whether there are sufficient contacts with the forum jurisdiction) legal
counsel for a U.S.-based provider that has foreign operations should be prepared to do an analysis of
how to keep the plaintiff litigant in a jurisdiction more favorable to the patient, physician, provider, or
payor client.
There are three main lines of defense for a defendant seeking to defeat a plaintiffs attempt to
bring suit in a U.S. forum: personal jurisdiction, forum non conveniens, and forum selection clauses
in a contract.
From the point of view of a physician, provider, or payor, it is important to note that avoiding specific personal jurisdiction may be complicated by communications between the foreign medical service
provider and the patient, the patients domestic medical team, and any medical travel broker that may
facilitate travel arrangements and records transfer. Physicians, providers, and payors may find their
websites scrutinized to determine whether the foreign medical services are linked to solicitations in the
United States. At a minimum, the foreign based provider must have some initial or minimal contacts
with the U.S. to inform the patient of its services. The courts have devised a sliding scale approach to
determine the degree to which a foreign medical services website will establish minimum contacts.85
For example, a court will look to the presence of a website, an email link, the exchange of information
over the website, toll-free phone numbers and advertising materials to determine whether the websites
conduct was such that it would reasonably anticipate being hauled into [a U.S.] court.86
The doctrine of forum non conveniens provides another powerful vehicle for avoiding litigation in
the United States depending upon, of course, whose interests are being represented. A court considering a forum non conveniens argument engages in a balancing of public and private interests, which
Hersey Co. v. Pagosa Candy Co., 2008 WL 1730538 at *4 (M.D.Pa.).
Good v. Fuji Fire & Marine Ins. Co., Ltd., 2008 WL 822453 at *3 (C.A.10(N.M.)).
85
86
413
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
usually includes where it will be more convenient to litigate the particular matter. For instance, most
of the fact witnesses and evidence will be located abroad and attempts to bring key parties, witnesses,
and evidence to the United States may be cost prohibitive. Forum non conveniens is very fact intensive
and courts may be reluctant to litigate a case where there is little if no connection to the plaintiffs
home forum.
Finally, courts will uphold forum selection clauses in contracts as long as the clauses are reasonable
and the negotiations were fairly entered into. For example, contracts between physicians, providers,
and payors will be analyzed for location of parties and witnesses, choice of law, and provisions that
the patient is a third-party beneficiary. Forum selection clauses should, therefore, be drafted to cover
both contract disputes and torts arising out of the subject matter of the contract. Adding a well drafted
forum selection (and choice of law) clause to a contract is a good way for hospitals and physicians to
control where future litigation may take place.
25.3.2
Business Issues
Legal counsel should carefully review the business operations of the foreign investment company
or healthcare system. A close review of issues of control, bylaws, and articles of incorporation may
ultimately impact liability. Payors and employers should be advised of the risks that may arise as they
explore opportunities to reduce costs by using foreign healthcare providers for their health benefit
plans.
25.3.3
AMA Guidelines
Legal counsel should also be knowledgeable regarding the new AMA Guidelines on Medical
Tourism pertaining to patient care, after care, Health Insurance Portability and Accountability Act
(HIPAA), and legal liability issues. The guidelines provide that:
a. Medical care outside of the U.S. must be voluntary.
b. Financial incentives to travel outside the U.S. for medical care should not inappropriately
limit the diagnostic and therapeutic alternatives that are offered to patients, or restrict treatment or referral options.
c. Patients should only be referred for medical care to institutions that have been accredited by
recognized international accrediting bodies (e.g., the Joint Commission International or the
International Society for Quality in Health Care).
d. Prior to travel, local follow-up care should be coordinated and financing should be arranged
to ensure continuity of care when patients return from medical care outside the U.S.
e. Coverage for travel outside the U.S. for medical care must include the costs of necessary
follow-up care upon return to the U.S.
f. Patients should be informed of their rights and legal recourse prior to agreeing to travel outside the U.S. for medical care.
g. Access to physician licensing and outcome data, as well as facility accreditation and outcomes data, should be arranged for patients seeking medical care outside the U.S.
414
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
h. The transfer of patient medical records to and from facilities outside the U.S. should be consistent with HIPAA guidelines.
i.
Patients choosing to travel outside the U.S. for medical care should be provided with information about the potential risks of combining surgical procedures with long flights and vacation
activities.
25.3.4
Given the additional entities sometimes involved in treating medical tourists, proper communication between the overseas provider and the patients domestic medical team regarding medical records
and coordination of pre-and post-procedure treatment is essential to establish an appropriate standard
of care (an ultimate liability issue in any suit based on a poor medical outcome).
25.3.5
Claims of professional negligence or malpractice will likely be based on the laws of the country in
which the medical treatment took place. Misrepresentation of the credentials of the treating physician
or facility may also be alleged. In addition, hospitals may also be subject to vicarious liabilityall
depending upon the laws of the country in which the client is doing business.
25.4
Commentary
It is clear that medical tourism brings with it some new and interesting enterprise risk
issues for the hospital that chooses to expand its operations into foreign territories. (Note,
however, that religious organizations have for centuries been providing healthcare as part of
their foreign ministries.) Such issues include appropriate insurance coverage for all operations and physical structures (See Chapter 3 for review of various coverages), implementing
appropriate clinical policies and procedures, employee safety training, etc.
In addition, as an employer, a hospital may find itself handling interesting employee relations
issues should an employee decide to become a medical tourist when the employers plan does
not cover specific medical treatment.
25.5
Conclusions
25.5.1
This chapter has taken medical tourism on quite a ride. There are those medical tourists who
choose to travel to foreign countries for their medical care because they are underinsured or uninsured; they may require a procedure that is either experimental or is considered illegal in their native
country. In addition, employers, employees, and insurance companies are beginning to recognize the
economic value in obtaining safe quality healthcare in foreign countries at substantial savings. As
an additional incentive, insurance companies, like AOS Assurance Co., a Barbados-based insurance
company, are providing insurance for those medical travelers who may become victims of medical
415
Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
professional liability abroad.87 The insurance product, Patient Medical Malpractice Insurance (PMMI)
handles medical negligence claims in accordance with the patients own home country standards, and
claims are paid in U.S. currency. No lawyers or lawsuits are involvedand claims are simply settled
in an environment that is 80 percent faster than the traditional litigation environment.88 The insurance, however, only covers those foreign hospitals that are accredited by JCI and have physicians who
are U.S. board certified, or similarly certified abroad.89 As more employers pursue insurance options,
knowing that quality care will be provided abroad and financial reparation will be available without
the need for protracted litigation, the course of medical tourism will take an even more dramatic
upswing.
As mentioned above, the AMA recognizes that patients, who are unable to obtain affordable insurance and healthcare in the United States, are traveling abroad for their health and that patients need to
be vigilant in researching and obtaining quality foreign medical care. Finally, until the United States
effectively and successfully addresses healthcare reform issues and can provide healthcare for the
uninsured, medical tourism will continue to evolve and thrive.
25.5.2
The new concept of medical tourism will force all players in the healthcare spectrum to rethink
and to review all aspects of the healthcare industry. Clearly, medical tourism has opened the door
for many new business opportunities and for those with entrepreneurial spirits, but these opportunities come with a new set of unfamiliar risks. Similarly, as medical tourism globalizes there will be a
tremendous potential benefit to patients, physicians, providers, and payors. The next few years will
be a very exciting time as both sides of the spectrum mesh and provide the type of quality healthcare
required by all patients.
Insurer Covers Malpractice in Overseas Care, Workforce Management, Sept. 28, 2007, http://www.workforce.com/
section/00/article/25/13/99_printer.html (Last visited June 15, 2008).
88
Id.
89
Id.
87
416
26
Retail Health Clinics
Jeffery Layne
Christopher N. Kanagawa
India K. Brim1
Fulbright & Jaworski L.L.P.
26.1
Introduction
Gone are the days when the only options available to a person with a runny nose or a child in need
of a vaccination for school were the emergency room or a primary care physicianoptions that can be
inconvenient to most work schedules. Over the past few years, this country has seen an explosion of
retail health clinics (RHCs) popping up not only in national drug stores and big box retail stores, but
also regional grocery chains. As of February 2009, more than 1,100 of these clinics had been opened
in 37 states across the U.S.2
The RHC concept provides customers with access to healthcare in convenient locations during
expanded hours, including evenings and weekends. RHCs offer a limited menu of medical services
that are often administered by a nonphysician, typically a nurse practitioner or physician assistant
under the indirect supervision of a physician. Appointments are generally not required, and customers can shop for groceries or household items in the host store while waiting for an exam. Services
provided in RHCs range from basic health screenings, such as diabetes and high blood pressure, to the
treatment of simple health conditions, such as ear and sinus infections, and the provision of flu and
other common vaccinations.3 All services are charged at a flat rate displayed in the clinic. Prices are
generally well under $100, with many services ranging between $45 and $75.4
Most RHCs now accept commercial insurance. Some of the major insurance companies such as
Cigna, United HealthCare, Humana, Aetna, and select Blue Cross Blue Shield plans have contracted
with RHCs to pay these clinics significantly less than they would pay a primary care physician for the
The authors would like to thank Summer Associates Lauren Battaglia and Tracy Stewart for their assistance in drafting
this chapter.
2
Andrew Thangasamy and Richard Cauchi, Retail Health Clinics: State Legislation and Laws, National Conference of
State Legislatures, February 18, 200, http://www.ncsl.org/programs/health/retailclinics.htm.
3
American Medical Association, Report 7 of the Council on Medical Service: Store-Based Health Clinics, 1 (2006),
available at http://www.ama-assn.org/ama1/pub/upload/mm/471/cms7A06.doc.
4
Julie Schmit, Could Walk-In Retail Clinics Help Slow Rising Health Costs?, U.S.A. Today, Aug. 28, 2006, available at
http://www.usatoday.com/money/industries/health/2006-08-24-walk-in-clinic-usat_x.htm.
1
417
418
To be able to analyze the federal and state laws governing RHCs and minimize the risks associated with establishing and operating an RHC, it is of paramount importance to understand how such
clinics are (or should be) structured. In general, the structure of a clinic will depend on whether the
state in which the clinic is operated maintains a prohibition against the corporate practice of medicine.
The corporate practice of medicine doctrine prohibits corporations and other business entities from
engaging in the practice of medicine. In its basic terms, this doctrine prohibits the employment of doctors by unlicensed individuals or by corporations that are not formed and owned by doctors.14 Many
states have some variation of this rule, while many states do not prohibit the practice at all. As will
be discussed in more detail in this article, nurse practitioners providing services in RHCs generally
require physician oversight or collaboration to some degree. As such, the corporate practice of medicine doctrine may easily be implicated.
Two states that have strict prohibitions against the corporate practice of medicine are Texas and
California. In Texas, arrangements in which a general business corporation employs physicians to
provide medical services to the clients of the corporation have been held to constitute the unlawful
practice of medicine by a corporation and a violation by the physician of the prohibition on aiding and
abetting the practice of medicine by a nonlicensed corporation.15 In addition, physicians are prohibited
from entering into partnerships, employee relationships, fee-splitting, or other situations with nonphysicians where the physicians practice of medicine is in any way controlled or directed by, or fees
shared with a non-physician.16 However, physicians and for-profit companies are permitted to enter
into independent contractor arrangements without violating the doctrine.17 In California, unlicensed
persons, including general business corporations, are prohibited from practicing or holding themselves
out as practicing medicine.18 The Medical Board of California notes that this policy is intended to prevent unlicensed persons from interfering with or influencing the physicians professional judgment.19
Id. at 1242.
George F. Indest, III & Barbara A. Egolf, Is Medicine Headed for an Assembly Line? Exploring the Doctrine of the
Unauthorized Corporate Practice of Medicine, 6 Bus. L. Today 32, 3334 (1997).
15
Gupta v. Eastern Idaho Tumor Institute, Inc., 140 S.W.3d 747, 752 (2004) (Under the Medical Practice Act, when a
corporation comprised of lay persons employs licensed physicians to treat patients and the corporation receives the fee, the
corporation is unlawfully engaged in the corporate practice of medicine) (citing Flynn Bros., Inc. v. First Med. Assocs.,
715 S.W.2d 782, 785 (Tex. App.Dallas 1986, writ refd n.r.e.)).
16
Texas Medical Board, Corporate Practice of Medicine, http://www.tmb.state.tx.us/professionals/physicians/licensed/
cpq.php (last visited June 13, 2008) (citing Tex. Occ. Code Ann. 164.052(13), (17)).
17
Id.
18
Cal. Bus & Prof. Code 2052. See also Cal. Bus & Prof. Code 2400 (Corporations and other artificial entities shall
have no professional rights, privileges, or powers).
19
Medical Board of California, Corporate Practice of Medicine, http://www.medbd.ca.gov/licensee/corporate_practice.html.
13
14
419
Under the Clinic Model, a for-profit company directly operates the RHC through a non-professional entity, such as a general business corporation or a limited liability company (the Clinic). This
model is generally limited to states that do not maintain a corporate practice of medicine prohibition.
Under the model, the Clinic employs (or otherwise contracts with) all of the clinic staff, including the
nurse practitioners who see and treat patients. In order to obtain the requisite physician supervision,
the Clinic either employs a physician to provide oversight for the nurse practitioners or enters into an
independent contractor agreement with a physician or physician group to provide such oversight.20
Finally, the Clinic directly bills patients and third party payors for the healthcare services provided by
the nurse practitioners in the RHC.
In general, the Clinic Model is preferable from the perspective of the for-profit company that
establishes the RHC because, among other things, the company directly receives the revenue from the
healthcare services provided at the RHC.
26.2.2
Under the Professional Entity Model, the RHC is operated through a friendly physician owned
professional entity (the Professional Entity). This model is typically used in corporate practice states.
Under this model, the Professional Entity employs (or otherwise contracts with) all of the clinic staff,
including the nurse practitioners who see and treat patients. In order to obtain the requisite physician
supervision, the Professional Entity either employs a physician to provide oversight for the nurse
practitioners or enters into an independent contractor agreement with a physician or physician group
to provide such oversight. The for-profit company enters into a contract with the Professional Entity
to provide a wide range of practice management services, such as billing and collection services and
other administrative services.21 In order to retain some control over the operations of the RHC, the forprofit company will typically enter into one or more agreements with the friendly physician owner
of the Professional Entity. Under the Professional Entity Model, the Professional Entity bills patients
and third-party payors for the healthcare services provided by the nurse practitioners in theRHC.
26.3
Generally, the key players involved in the development and operation of an RHC are governed
by different regulatory schemes. Often the risks associated with the development and operation of
an RHC will vary depending upon the role of each player involved. The following section discusses
For a discussion of required physician oversight, see Section 26.3.3.1 infra.
As discussed in more detail in Section 26.3.1.2 infra, the for-profit management company needs to fully understand its
role as a management services company versus acting as true provider of healthcare services.
20
21
420
The companies that seek to establish a chain of RHCs face the greatest potential risk that often
accompanies the operation of these clinics. As noted previously, the RHC business model has yet to be
perfected, typically involving high start-up and operational costs and a complex organizational structure. There have been numerous highly-publicized business failures in the RHC industry as a result of
these factors and other related market conditions.
26.3.1.1
Political Climate
For-profit companies that establish RHCs may likely face numerous challenges in the years to
come as more pressure is placed on state legislators to enact regulations to restrict the operation of
such clinics. State regulations of RHCs are likely to become more stringent as primary care physicians
continue losing money because their patients have opted to be treated for common ailments by a nurse
practitioner at a local RHC. Many states, such as Illinois, have already proposed various restrictions on
RHCs, including limiting the type of stores in which these clinics may be located,23 imposing greater
reporting and communication obligations, adopting stringent physician supervision and collaboration
requirements and prescribing more limitations on the practice authority of nurse practitioners.
On the other hand, a recent letter issued by the Federal Trade Commission (FTC) regarding an
RHC bill recently introduced in the Illinois State Legislature suggests that the proposed legislation
and the regulations mentioned above may go too far in imposing potentially burdensome restrictions
on RHCs.24 Of particular interest to the FTC was the fact that the proposed legislation may restrict
competition among RHCs if the statute is interpreted to exempt physician and hospital-owned clinics
from the burdensome requirements imposed on other operations.25 The FTC also questioned the rationale for prohibiting RHCs from being located in retail stores that sell alcohol or tobacco.26 The FTC
noted that, as written and depending on how the statute was interpreted, the proposed legislation may
be unduly burdensome and potentially harmful to competition.27
As illustrated above, the political environment in which RHCs exist is quite uncertain as states
begin to impose more stringent operational requirements for these clinics. Due to the various mechan For purposes of this article, we will focus on a national or regional for-profit company that operates RHCs in multiple
states.
23
A bill recently introduced in the Illinois state legislature contains a provision which would prohibit RHCs from being
located in a retail stores which sell tobacco or alcohol. Illinois House Bill 5372.
24
Letter from Maureen K. Ohlhausen, Director, Office of Policy Planning, Federal Trade Commission to the Hon. Elaine
Nekritz (May 29, 2008) (avail. online at http://www.ftc.gov/os/2008/06/V0800113letter.pdf) (regarding Illinois House Bill
5372, 95th General Assembly 200708).
25
Id. at 5.
26
Id. at 10.
27
Id. at 58.
22
421
A for-profit company that wishes to establish RHCs in multiple states must understand the parameters of each states corporate practice of medicine prohibition while structuring its operations. For
example, it is likely that the for-profit company will directly establish its RHCs in non-corporate practice states utilizing the Clinic Model. Alternatively, in corporate practice states, it will likely establish
RHCs utilizing the Professional Entity Model. The for-profit company needs to take care in understanding its role in each state. For example, when RHCs are operated under the Clinic Model, the
for-profit company will, through its nurse practitioners, be the treating provider. However, when the
RHCs are operated under the Professional Entity Model, the for-profit company will only act as a practice management company that provides services to the Professional Entity who will be the treating
provider. Failure of a company to fully understand this distinction and implement appropriate policies
can raise the level of risk to all of the key players involved in the operation of the RHC.
It is also important that a company operating in multiple states establish a corporate structure that
will help minimize its risks. One method a company can employ to minimize its risks is to establish a
separate legal entity for each state, and thereby limiting exposure of liability from its operations in one
state from the exposure to liability in another state. However, to fully benefit from such a corporate
structure (and thereby reduce its risks), the company will need to strictly adhere to corporate formalities with respect to its various subsidiaries.
26.3.1.3
Federal and state anti-kickback laws must be considered when establishing an RHC. In general,
these statutes, which are very broad, are designed to prohibit arrangements in which healthcare providers are incentivized to make recommendations or referrals based on economic considerations. For
example, the federal Anti-Kickback Statute (the AKS) imposes criminal liability on any individual
who knowingly solicits or receives any remuneration, directly or indirectly, in return for recommending or referring an individual for the furnishing of goods, items or services for which payment may
be made in whole or in part by a federal healthcare program, including Medicare and State Medicaid
programs.28 Most states have similar anti-kickback prohibitions, although many are broader in that
they apply to all healthcare servicesnot just those paid for federal healthcare programs.
One of the primary risks associated with the federal AKS and state anti-kickback statutes to the forprofit company (as well as the retail host store) results from the lease arrangement between for-profit
company and the host store. This is particularly true if the retail host store operates a pharmacy where
the nurse practitioner can refer RHC patients or otherwise recommend that RHC patients have their
prescriptions filled at the host stores pharmacy. Specifically, any acceptance on the part of the host
store of reduced rent or rent below fair market value could be viewed by state and federal authorities
as illegal remuneration in exchange for the referrals or recommendations to the host stores pharmacy.
42 U.S.C. 1320a-7b.
28
422
29
423
424
The host store typically receives several benefits from the presence of an RHC including potential
referrals from the RHC to the retail stores pharmacy and rent payments for the lease of clinic space
within the store. Nonetheless, these benefits also give rise to potential liability for the host store.
26.3.2.1 Anti-Kickback Statutes
As discussed above, the relationship between the host store and the RHC may potentially implicate the federal and state anti-kickback statutes if there is a potential for referrals from the RHC to the
host stores pharmacy, particularly if the RHCs rent payments are not set at fair market value. Additionally, if the rental charges are determined in a manner that takes into account the volume or value
of referrals or other business generated between the RHC and the host store, this may also implicate
the federal AKS and/or a state anti-kickback statute. Any indirect profit sharing agreements or other
arrangements between the RHC and the retail host store may also have significant anti-kickback or
fraud and abuse implications. In order to minimize the risk of a potential anti-kickback violation, the
rental charges should be set in advance, at fair market value and be commercially reasonable.
26.3.2.2 HIPAA Compliance
It is important to note that the host store may also have HIPAA obligations if it operates an RHC.
In such case, it may elect a written designation of its business activities that specifically involve
healthcare operations in order to comply with the HIPAA Privacy Standards.35 In basic terms, the retail
store must segregate its covered health records from other business records related to non-healthcare
functions.36 The costs of HIPAA compliance are often significant; however, if the retail store operating
an RHC fails to designate its healthcare components, the store may easily find itself subject to penalties for violating the HIPAA Privacy Standards.
26.3.3
Physicians
35
36
425
426
52
53
54
55
56
57
50
51
427
Nurse Practitioners
42 U.S.C. 1395nn(h).
18 Va. Admin. Code 90-30-120(A).
60
Id., at 90-30-120(E).
58
59
428
Commentary
The RHC business model generally is still highly experimental and difficult to implement.
Although the number of RHCs is growing rapidly, it is also important to remember that there
have been some large-scale RHC venture failures.64
Id., at 85-50-110(3).
Texas Board of Nursing, Guidelines for Determining APN Scope of Practice, available at http://www.bon.state.tx.us/
practice/apn-scopeofpractice.html.
63
18 Va. Admin. Code 90-30-220.
64
According to a report posted on the Wall Street Journal website on May 7, 2008, in recent months 69 clinics in 15 states
have shut down. See Goldstein, supra, note 8.
61
62
429
The structuring of an RHC entity, whether in the form of a single clinic or a large-scale,
multi-clinic venture, is largely dependent upon whether the state in which the clinics are to
be located has a corporate practice of medicine prohibition. Therefore, a careful examination
of state regulations and case law is required to minimize the risk of running into a corporate
practice of medicine issue.
Given the number of different players involved in the operation of an RHC, the risk factors
surrounding RHCs should be analyzed from various perspectivesfrom that of the supervising physician, nurse practitioner, retail host store, and the for-profit entity.
26.5
Conclusion
Making a special trip to a primary care physician for a flu vaccination or to receive antibiotics
for a sinus infection is now a thing of the past. The growing presence of RHCs makes receiving treatment for minor medical conditions as easy as stopping by the local grocery store or retail store on the
way home from work. RHCs have increased in popularity as consumers value their affordability and
convenience.
Despite their benefits, RHCs pose numerous legal and regulatory challenges, as many physicians
and other opponents challenge the quality of healthcare services provided at such clinics. As the RHC
industry continues to grow, many states will continue to enact strict regulations governing the establishment and operation of RHCs. The corporate practice of medicine statutes also serve as deterrent
to companies looking to expand the range of retail clinics into new states. Although RHCs appear to
be a growing trend, it still remains to be seen whether these clinics will be a dominant force within
the healthcare industry. Without a doubt, this one-time treatment model is appealing to consumers in
providing quick, affordable medical services for busy individuals with minimal waiting time and no
appointments necessary.
430
Part VIII
Technology
27
Telemedicine and Enterprise Risk Management
Phyllis F. Granade, Esq.
Adorno & Yoss
27.1
Introduction
433
One project demonstrated that remote pharmacy services provided to rural hospitals during
irregular hours (nights, weekends, and holidays) could more effectively detect and prevent
dangerous medication errors than traditional methods.
Another project demonstrated that remote pediatric care easily treated common childhood
illnesses from schools and child care centers, helping working parents who cannot leave their
jobs and saving money by reducing unnecessary visits to the emergency room.
Within ten years, many examples of cutting edge telehealth likely will no longer seem cutting
edge, and the use of certain telehealth technology may well represent the standard of care by that time.
In the meantime, facilities using telemedicine to deliver healthcare services should be prepared to
address the following risk management concerns.
27.2
Medical professional liability issues and accompanying risk management considerations are
everyday concerns for providers. The traditional principles of medical professional liability risk
management include: (1) appropriate and timely documentation of patient encounters and strong
record-keeping practices; (2) excellent provider-patient rapport; (3) patient informed consent, including a full explanation of the risks, benefits, and possible alternatives to the proposed treatment or
procedure; (4) appropriate and timely referral of patients; (5) maintaining or exceeding the expected
standard of patient care, including staying current in the providers specialty and participating in
appropriate continuing medical education; and (6) maintaining in good standing any necessary hospital privileges, state licensure and federal drug enforcement administration numbers. These principles
are as important to providers practicing medicine via telecommunications as they are for providers
who never touch a computer or participate in video-conferencing. There are, however, certain risk
management strategies that are appropriate for providers participating in patient care via telecommunications. Providers providing telemedicine services should consider the risk management ideas set
forth in this section.
434
27.2.2
A physician should know the ins and outs of operating the telemedicine equipment he or she
uses, and should recognize and report obvious malfunctions of the equipment. If a patient could incur
harm due to the failure of the equipment and interruption of the consult, the physician should know how
to respond in such an emergency, either by performing feasible equipment maintenance or continuing
the consult in another manner, such as over the phone. In non-urgent situations, the owner/operator of
the equipment (e.g., hospital or clinic) or the equipment vendor should be contacted to perform necessary maintenance as soon as possible. Also, non-physician personnel who use the equipment should
be trained in its proper use. Equipment, particularly software, should be updated periodically to ensure
the best results from telemedicine patient encounters.
A physician should use equipment appropriate for diagnosing and treating a patients particular
ailment; for example, a dermatology consultation conducted via video-conferencing may require a
camera and monitor with higher resolution than what is needed for a psychiatric consultation. The
physician should recognize the limitations of the telecommunications medium being used; e-mail or
the telephone may not provide sufficient information for the physician to make an accurate diagnosis.
A providers telehealth policies and procedures should speak specifically to training providers and
staff to: (a) understand the use of the equipment, including its limitations for diagnostic purposes,
(b) recognize problems with the equipment, (c) report equipment problems, and (d) know how to
respond to emergencies during patient encounters.
27.2.3
Documentation
435
Healthcare providers often do not place sufficient emphasis on the liability risks associated with
working with physicians and other healthcare providers. Regardless of the healthcare service provided,
physicians should ensure that agreements are in writing, and that each agreement fully describes the
duties, obligations, rights, and responsibilities of the parties. For example, a provider who contracts
with a teleradiologist for the provision of radiology services to his or her patients should be certain
to address the turn around time for reports, and which party will be responsible for the provision of
equipment necessary to transfer images (and the type of equipment to be used, so as to ensure compatibility). Agreements should fully define the roles each provider (e.g., consulting versus referring) will
play during the term of the arrangement, and the responsibility for patient care (including appropriate
provisions regarding physician credentials and privileges in accordance with The Joint Commission or
other accrediting organization, insurance, record-keeping, billing, and indemnification). Last but not
least, all arrangements should comply with state and federal law, including the federal Anti-kickback
Statute and the Stark Act.
27.2.6
The importance of general and professional liability insurance for individuals and entities providing services to patients via telecommunications cannot be over-emphasized. Prior to delivering any
healthcare information or service via e-mail, the Internet, video-conferencing, or any other telecommunications medium, the provider should ascertain whether the provision of such information or service
is covered by the providers current liability insurance policy. Any limitations on coverage should be
resolved with the insurance carrier, and any appropriate increases in coverage should be analyzed.
Importantly, some professional liability insurance carriers provide coverage only for certain states
or regions; in other words, a teleradiologist with coverage limited to the Northeast might be shocked to
learn that, despite holding a license to practice in a distant state, his or her professional liability coverage is not valid in that state due to restrictions in the policy. Just as importantly, professional liability
California requires that oral and written consent to a video-conferencing consultation be obtained from a patient prior
to the initiation of the consultation.
2
436
In its August 2008 summary report, the AHRQ noted that some of the telehealth programs it has
funded experienced technical challenges with telemedicine equipment:
One project indicated that vendor-supplied home monitoring devices failed to work on a
regular basis. As a result of this failure, approximately one-third of the patients who were
enrolled in the study became frustrated with the devices and stopped using them.
Two projects reported that the video cameras they were using to transmit video and still
images did not provide adequate resolution to yield clear images of small pills and patient
wound areas.
Any provider using telemedicine equipment, and any hospital or clinic furnishing such equipment, may find themselves sued for the equipments failure or malfunction if it causes harm to a
patient (e.g., resolution too poor to permit adequate diagnosis, or complete system failure during an
emergency consult). The AHRQ 2008 report also noted that its grantees stated that technical support
must be available around the clock to ensure patient safety. The report found that:
While large healthcare organizations have internal IT departments that provide support for
telehealth systems, smaller organizations rely primarily on vendors for technical support.
The level of support available to projects from vendors varied; many small companies were
closed during weekends and evenings.
Projects receiving vendor support that was not available 24 hours a day, 7 days a week
reported that such arrangements have the potential to negatively impact patient safety and
mission-critical patient services.
In this context, the importance of legal counsel is clear in ensuring that the provider takes the
appropriate risk management steps prior to purchase or lease of telemedicine equipment. First, appropriate vendors must be chosen. Vendors must be fiscally sound and with sufficient longevity and public
reputation to represent in good faith that the vendor will not only exist in the years to come, but is large
enough to provide 24/7/365 support. Second, legal counsel must ensure that contract negotiations
consider these issues (including the cost of support and upgrades), as well as insurance and indemnification. On the flip side, agreements with the largest equipment vendors frequently bring new meaning
to contracts of adhesion, and some of these larger vendors have reputations for being unwilling
to move much during contract negotiations. Third, counsel must consider the costs of telecommunications in all telehealth program negotiations. Fourth, interoperability is imperativetelemedicine
437
438
As telemedicine becomes more commonplace (especially the use of the Internet) the standard of care question that
may eventually arise is whether a practitioner should have used telemedicine to assist a patient and whether the physician
breached the standard of care (and his or her duty to the patient) by failing to make use of available technology.
8
Weaver v. University of Michigan Board of Regents, 506 N.W.2d 264, 266 (Mich. App. 1993).
9
Ortiz v. Shah, 905 S.W.2d 609 (Tex. App. 1995).
10
Weaver, 506 N.W.2d at 266.
11
King v. Fisher, 918 S.W.2d 108 (Tex. App. 1996), St. John v. Pope, 901 S.W.2d 420 (Tex. 1995).
12
Dodd-Anderson v. Stevens, 905 F. Supp. 937, 945 (D. Kan. 1995).
7
439
Standard of Care
Various professional organizations have promulgated standards related to the practice of telemedicine, including standards for the use of telemedicine equipment. For example, the American College
of Radiology has issued various standards that impact teleradiology, digital imaging, and radiologist
coverage of hospital emergency rooms.17 The American Telemedicine Association and other organizations are reviewing the need for specific standards related to telemedicine equipment and the practice
of telemedicine.
Phyllis F. Granade, Medical Malpractice Issues Related to the Use of Telemedicine - An Analysis of the Ways in Which
Telecommunications Affects the Principles of Medical Malpractice, 73 N.D. L. Rev. 65 (1997).
14
An interactive video consultation or the examination of still pictures by a consultant should be considered an examination of the patient for purposes of a physician-patient relationship. It is counterproductive to argue that telemedicine should
be relied upon by the public, and that in many cases reimbursement should be made for its use, but that services provided
by telecommunications do not hold the same measure of protection for the public (i.e., do not establish physician-patient
relationships) as do face-to-face encounters.
15
Granade, Medical Malpractice, citing Clarke v. Hoek, 219 Cal. Rptr. 845 (Cal. App. 1985).
16
Id., citing Dougherty v. Gifford, 826 S.W.2d 668 (Tex. App. 1992).
17
See American College of Radiology Technology Standard for Teleradiology: www.acr.org/Hidden/Economics/FeaturedCategories/mps/medicare_info/teleradiology/ACRTechnicalStandardsDoc4.aspx; the ACR Technical Standard for
Electronic Practice of Medical Imaging: http://www.acr.org/SecondaryMainMenuCategories/quality_safety/guidelines/
med_phys/electronic_practice.aspx and the ACR Practice Guideline for Radiologist Coverage of Imaging Performed in
Hospital Emergency Departments: http://www.acr.org/SecondaryMainMenuCategories/quality_safety/guidelines/dx/hospital_er%20_imaging.aspx.
13
440
27.4.3
With a traditional referral, a patient travels to the specialists office and responsibility for diagnosis and continued treatment lies primarily with the specialist. During an interactive video consultation,
the patients local physician may be involved and remain in control of the patients treatment after the
consultation with the distant specialist concludes. During a video consult the consultant will generally
not be the sole physician responsible for diagnosing the patient. For telemedical consultations, control
over the patients diagnosis and course of treatment (or at least those elements of diagnosis and treatment that are at issue during trial) may become a key element in establishing liability.
A specialist participating in a telemedicine encounter must understand that the involvement of the
referring physician does not prevent the specialist from establishing a physician-patient relationship
with the patient. Physicians treating a patient for the same illness may be jointly and severally liable
for professional liability damages. Case law evidences a trend toward allowing joint and several liability against independently treating physicians when the injury suffered by the plaintiff is not clearly
divisible in terms of which physician caused the harm.18 Stated more clearly, if it cannot be shown
which physician is responsible for the patients injury, it is possible that a court will find those physicians involved with the treatment of the patients illness to be jointly and severally liable.19
27.4.4
Abandonment Claims
In order to prove abandonment, a plaintiff must show (1) the unilateral severance of the physicianpatient relationship by the doctor; (2) the severance occurred without reasonable notice or without
adequate provision of alternative medical care; and (3) the severance was at a time when there was a
necessity for continuing medical treatment.20 Abandonment may be avoided by providing the patient
with an alternative source for medical treatment, such as referring the patient to another physician.
To reduce the likelihood of an abandonment claim, a healthcare provider offering advice via telecommunications should establish a safety net checklist to ensure that a patient will continue to have
access to adequate medical care after the telemedical evaluation concludes.21 For example, a physician
treating or diagnosing a patient via telecommunications should know (1) whether after the consult
concludes the patient will be receiving continued healthcare supervision or treatment, (2) who will be
providing the care, and (3) that the patient has been provided with an emergency contact number if,
after considering factors (1) and (2), the distant physician is not comfortable that the patient will have
access to adequate medical care after the conclusion of the telemedicine consult. In the event that the
services are provided via the Internet (for example, a web site devoted to offering medical consultations), the physician should attempt to reduce his or her liability exposure by placing limitations on
the types of medical advice offered via the Internet, requiring that the patient have a local primary care
Martin J. McMahon, J.D., Annotation, Joint And Several Liability Of Physicians Whose Independent Negligence In
Treatment Of Patient Causes Indivisible Injury, 9 A.L.R.5th 746 (1993).
19
Ravo v. Rogatnick, 514 N.E.2d 1104, 9 A.L.R.5th 1170 (N.Y. 1987), (holding a pediatrician jointly and severally liable
with an obstetrician for injuries negligently inflicted on a child, resulting in brain damage that rendered her severely and
permanently retarded. Although treatment by the physicians was not concurrent, the responsibility for the injury was not
divisible.).
20
King v. Fisher, 918 S.W.2d 108, 111 (Tex. App. 1996), Smith v. Lerner, 387 N.W.2d 576, 579 (Iowa 1986).
21
Id.
18
441
The use of telecommunications to deliver healthcare information and services has raised a significant issue regarding where the practice of medicine occurs. Traditionally, a physician practiced
medicine within the boundaries of the state in which he or she was licensed to practice. The physician
might treat patients from other states, but these patients traveled to the physicians state in order to
receive treatment. The use of the telephone to deliver professional advice to distant patients heralded
the dawn of a new era in jurisdictional questions. The courts were required to sift through conflicts of
law, public policy, and tort principles in order to determine the proper forum for a medical professional
liability suit.
Case law involving professional liability jurisdictional issues indicates the point of service is
not the patients location.22 In Wright v. Yackley, a medical professional liability action was brought
by an Idaho citizen against a South Dakota doctor.23 The Idaho citizen was originally treated in South
Dakota, and upon moving to Idaho called the South Dakota physician to request that a copy of an
existing prescription be mailed across the state line. The Idaho citizen then sued for injuries incurred
while taking the drug. The court found that no tort was committed within the state of Idaho sufficient
to establish jurisdiction over the South Dakota physician. The court stated that:
if the appellee was guilty of malpractice, it was through acts of diagnosis and prescription
performed in South Dakota. The mailing of the [existing] prescriptions to Idaho did
not constitute [a] new prescription. It was simply confirmation of an old diagnosis and
prescription...24
The courts footnote to the above comment states that the due process determination might have
been different if the doctor could be said to have treated an out-of-state patient by mail or to have
provided a new prescription or diagnosis in such fashion. 25 This implies that even the diagnosis or
treatment of a patient by mail might subject the physician to the jurisdiction of the distant patients
state.
Presbyterian University Hospital v. Wilson, 654 A.2d 1324 (Ct. App. Md. 1995), Ores v. Kennedy, 578 N.E.2d 1139
(Ct. App. Ill. 1991), Simmons v. State of Montana, 670 P.2d 1372 (Mont. 1983), McGee v. Riekhof, 442 F.Supp. 1276
(D.Mont. 1978),and Wright v. Yackley, 459 F.2d 287 (9th cir. 1972).
23
Wright v. Yackley, 459 F.2d 287 (9th cir. 1972).
24
Id. at 288.
25
Id.
22
442
28
29
30
26
27
Id., at 289.
Id., at 290.
Id.
Andrews v. Lofton, 57 S.E.2d 338, 342 (Ga. App. 1950); Irwin v. Arrendale, 159 S.E.2d 719, 725 (Ga. App. 1967).
Andrews, 57 S.E.2d at 342.
443
In the authors opinion, if a provider desires to deliver healthcare services using telecommunications technology, the provider should establish specific telemedicine policies and procedures (P&Ps).
The following topics are examples of the subjects which telemedicine P&Ps should address: (i) the
appropriate delivery of telemedicine, (ii) how and when to use telemedicine to provide care (e.g., when
to consult with a specialist), (iii) the record that will be kept of the encounter, (iv) the appropriate use
of telemedicine equipment, including maintenance schedules, updates/upgrades, and (v) telehealth
privacy and security issues, such as encryption. Last but not least, if the telemedicine consult will
result in the prescription of controlled substances to a patient, the practitioner should ensure compliance with the Ryan Haight Online Pharmacy Protection Act of 2008.31 The Ryan Haight Act prohibits
the prescription of controlled substances without an initial face-to-face consultation (often referred to
as f2f). The Ryan Haight Act negatively impacts the use of telemedicine services via the Internet
to prescribe to patients (absent an initial face-to-face consultation), and casts the prescription of controlled substances to telehealth patients into doubt even in the most above-board circumstances.
Teleradiology provides the best role model for telemedicine, since teleradiology services are
currently the most used and recognized telehealth service. This is due in part to the fact that there is no
face to face physician-patient relationship requirement in order for a provider to receive reimbursement from most payors for teleradiology services. Due to teleradiologys success, most institutional
providers have been working with some form of telehealth service and have adopted P&Ps related
to teleradiology services. These teleradiology P&Ps may be expanded to address most telehealth
services.
27.6
The greatest obstacle to the success of telemedicine has been the lack of consistent, comprehensive reimbursement for telehealth services. Regardless of the benefits offered by telemedicine,
in light of the overall lack of reimbursement for equipment and services available, it is little wonder
that telemedicine services have been slow to expand to the extent that technology permits. No healthcare provider should consider establishing a telemedicine program or service without first drafting a
detailed business plan that takes into consideration the costs of setting up the program, running the
program, and maintaining the programincluding equipment purchase and upkeep; medical professional liability insurance coverage; public relations; provider relations; and payor agreements (e.g.,
reimbursement amounts).
Many of the telemedicine programs initiated by academic medical centers and hospitals systems
have been funded, at least in part, by pilot programs or demonstration projects at the federal and/or
state level. Many of these programs fail to thrive once the grants disappear. Medicare has implemented
a limited number of telemedicine reimbursement benefits, but even those are subject to interpretation
by the intermediaries and carriers. Medicaid reimbursement for telemedicine differs vastly between
H.R. 6353, with a compliance deadline of approximately April 15, 2009 (the Act became effective 180 days after it was
signed by the President, October 15, 2008).
31
444
For purposes of determining jurisdiction, patient consults occur where the patient is located
and the practitioner should be licensed and insured accordingly.
State physician licensure requirements (and the resulting impact on medical malpractice and
professional negligence insurance coverage) continue to negatively impact the growth and
acceptance of telemedicine services.
Enterprise Risk Management for Healthcare Facilities, First Edition
445
447
28
Electronic Health Records: An Enterprise Risk
Approach
Marilyn Lamar, Esq.
Liss & Lamar, P.C
Nestor J. Rivera, Esq.
Carlton Fields, P.A.
28.1
Introduction
As information technology evolves, the use of electronic health record (EHR) systems has
emerged as an important factor in reducing both medical errors and the cost of healthcare.1 For this
reason, federal regulators created an exception2 from the Stark law and a parallel safe harbor3 under the
anti-kickback statute to permit hospitals to subsidize a portion of the cost of certain EHR technology
for physicians, assuming that all the requirements of these regulations are satisfied (collectively, the
EHR Rules). The importance of EHRs is also illustrated by the substantial funding made available to
certain physicians and hospitals that establish meaningful use of EHRs under HITECH and the future
reductions in Medicare reimbursement for those that fail to do so by 2015.4 The EHR Rules and other
regulatory aspects of EHRs are discussed below in this Chapter.
However, the implementation of new information technology (IT) does not always improve the
quality of care, and can introduce new risks. Some risks arise simply from the fact that using the
technology is a new skill that requires learning and practice. Others arise from to the actual design and
operation of the system. Negotiations with an EHR vendor can reduce some of these risks, but others
must be addressed by the healthcare provider in implementing the system and monitoring its ongoing
use. Healthcare providers that are subject to accreditation by The Joint Commission should also be
aware that some of the risks identified in this chapter and steps to address them have been identified in
The Joint Commissions Sentinel Event Alert 42.5
1
Commission on Systemic Interoperability, Ending the Document Game: Connecting and Transforming Your Healthcare through Information Technology, at http://ending the document game.gov (Oct. 25, 2005).
2
71 Fed. Reg. 45140.
3
71 Fed. Reg. 45110.
4
HITECH is the Health Information Technology for Economic and Clinical Health Act adopted as part of the American
Recovery and Reinvestment Act of 2009.
5
Safely implementing health information and converging technologies, Sentinel Event Alert, Issue 42, December 11,
2008, published by The Joint Commission, available at http://www.jointcommission.org/Sentinel Events/SentinelEventAlert/sea_42.htm
449
Terminology surrounding EHRs can be confusing because IT personnel, clinicians, vendors, risk
managers and counsel may have very different understandings of the same terms. This chapter uses the
definition of EHR published by the Health Information Management Systems Society (HIMSS):
The Electronic Health Record (EHR) is a longitudinal electronic record of patient health
information generated by one or more encounters in any care delivery setting. Included
in this information are patient demographics, progress notes, problems, medications, vital
signs, past medical history, immunizations, laboratory data and radiology reports. The EHR
automates and streamlines the clinicians workflow. The EHR has the ability to generate
a complete record of a clinical patient encounter, as well as supporting other care-related
activities directly or indirectly via interfaceincluding evidence-based decision support,
quality management, and outcomes reporting.7
Many important elements of an EHR will depend on the choices made by the client during implementation, e.g., the nature and extent of clinical decision support like drug alerts. Possible alerts include
drug-drug interactions, nonstandard doses, drug-lab test interactions, and drug allergy interactions.
System planners also must decide whether the reason for disregarding an alert must be documented
and subject to further review and whether the reason is included in the patients medical record. Users
of the EHR should understand these kinds of system choices and how they will affect care decisions
Forrester Research, Inc. estimates that $1.4 billion was spent on electronic discovery services in 2006 (across all
industries) and that this spending will increase to $4.8 billion by 2011. See http://www.forrester.com/Research/Document/
Excerpt/0,7211,40619,00.html.
7
http://www.himss.org/ASP/topics_ehr.asp.
6
450
The landmark Institute of Medicine study published in 20009 estimated that preventable medical
errors cause between 44,000 to 98,000 patient deaths each year. A later study estimated that 195,000
deaths were due to medical errors.10 EHRs that include computerized provider order entry (CPOE) systems and clinical decision support software are expected to reduce the number and severity of medical
http://www.himss.org/ASP/topics_phr.asp.
Kohn, L., J. Corrigan, and M. Donaldson. To Err is Human: Building a Safer Health System. Committee of Health Care
in America, Institute of Medicine, 2000.
10
HealthGrades. In-Hospital Deaths from Medical Errors at 195,000 per Year, Health Grades Study Finds. July 27, 2004.
8
9
451
Not permitting staff to enter orders for medications and testing until the patient had physically arrived at the hospital rather than entering orders before arrival based on radio contact
with the transport team.
The increased time required to enter orders on the system compared to the time previously
needed for handwritten orders.
Increased nurse and physician time spent at computer terminals rather than at the patient
bedside.
This study is unusual because most studies of CPOEs and EHRs show improved quality. But it
highlights how changes to workflow and technical requirements brought about by implementation of
a new system may increase risk. For example, new delays in ordering medication and tests and moving critical medications from the ICU may not have been necessary to implement the CPOE system,
and the hospital in question has revised those procedures. Fortunately, the hospital closely monitored
mortality rates immediately after implementation of the CPOE system and was able to make appropriate adjustments.
28.2.1
The development and implementation of an EHR system may help reduce a healthcare providers
exposure to medical professional liability claims by improving the quality and safety of medical treatment and care. An EHR system may also improve a providers defense of medical professional claims
by creating a more comprehensive healthcare record and providing better access to potential evidence.
In recognition of these potential benefits, a few professional liability insurance carriers provide limited
Commission on Systemic Interoperability. Ending the Document Game: Connecting and Transforming Your Healthcare
through Information Technology, at http://endingthedocumentgame.gov (Oct. 25, 2005).
12
Upperman, J.S., et al. The Impact of Hospitalwide Computerized Physician Order Entry on Medical Errors in a Pediatric Hospital. Journal of Pediatric Surgery. 2005; 40:5759.
13
Bates, D.W., et al. The Impact of Computerized Physician Order Entry on Medication Error Prevention. Journal of
the American Medican Informatics Association. 1999; 6:313321.
14
Han, Y.Y., et al. Unexpected Increased Mortality after Implementation of a Commercially Sold Computerized Physician Order Entry System. Pediatrics. 2005; 116; 15061512.
11
452
Expectations are high for safety improvements from electronic systems. Conversely, the risks
of the systems are often subtle, arising in both implementation and ongoing use. This should not be
surprising given that EHRs, CPOEs and other electronic systems are relatively immature technologies
operating in the complex, multi-provider, time-sensitive healthcare environment. They allow healthcare providers to capitalize on computer-based systems ability to quickly recall and manipulate large
amounts of data, but providers should not expect the systems to excel at making complex judgments.
As technology evolves, the potential risks will also evolve, so counsel should be alert to the concerns
identified below and to additional risks as they arise.
As noted in an article in Health Affairs, substantial gaps may exist between advocates vision of
e-prescribing and how physicians use commercial e-prescribing systems today.15 Although the authors
found that the e-prescribing systems often eliminated illegible prescriptions and allowed faster printing, they expressed concern about whether the anticipated benefits of e-prescribing will be achieved
given their survey findings of (1) inaccurate medication lists for patients, and (2) the complete deactivation of drug interaction alerts by some practices.
In addition, as healthcare entities adopt and integrate EHRs into regional or national networks, a
different standard of care may evolve, particularly if the EHRs include clinical protocols or clinical
decision support.
J. Grossman et al., Physicians Experiences Using Commercial E-Prescribing Systems, Health Affairs. 2007;
26: w393w404.
15
453
A 93-minute gap in the information normally recorded by the AARK system was not noticed
during surgery because it was blocked by other information on the screen. By the time plaintiffs expert questioned the gap, the missing information previously stored on other hardware
was no longer available to help defend the hospital.
An electronic entry made by the anesthesiologist stating that he was present at emergence
from anesthesia after surgery was time stamped by the AARK system. The electronic time
stamp showed that the anesthesiologist made the entry during the first hour of the seven-hour
surgery,16 a fact that would appear nowhere in a paper record.
The risks and unintended consequences of electronic systems are the subject of a growing body of
research focusing on a wide range of factors including changes in workflow, the impact of ergonomics
on system usage and changes in communications patterns among providers. These studies can help
providers identify pitfalls, but the research is at an early stage.
Ironically, these studies could make it more difficult for providers to defend cases involving errors
that arise while using EHR systems. Attorneys for plaintiffs are learning of the large amount of data
available from electronic systems and of these studies. Therefore healthcare attorneys must help their
clients recognize the risks that may arise in implementing and using these systems and develop strategies to mitigate the risks, at least through the involvement of clinical risk managers in the planning
and design process.
Vigoda M.M., Lubarsky D.A. Failure to Recognize Loss of Incoming Data into an Anesthesia Record Keeping System
Increased Medical Liability. Anesth Analg 2006; 102:17981802.
16
454
455
Han, Y.Y., et al. Unexpected Increased Mortality after Implementation of a Commercially Sold Computerized Physician Order Entry System. Pediatrics. 2005; 116; 15061512.
20
456
Hartzband and Groopman, Off the RecordAvoiding the Pitfalls of Going Electronic, New England Journal of Medi358;16, (April 17, 2008): 16561658.
22
E. Zych, Discovery of Electronic Health Records, paper included with materials for the May 22, 2008 teleconference
presented by the Health Information Technology Practice Group on EHRs and e-Discovery.
21
cine:
457
Negotiating and implementing an EHR system is an expensive and time-consuming undertaking for most organizations and there are widespread reports of significant cost overruns, delays, and
technical problems. The suggestions below can help attorneys identify contractual provisions that
may reduce some of the risks that are likely to arise with EHR systems, if successfully evaluated
and negotiated. However, these issues are only a subset of the many provisions to negotiate in any
software license or services arrangement. The reader must note that this section is not a complete list
of issues that require negotiation.23
As noted above, HITECH provides funding for certain hospitals and physicians that meet the
meaningful use requirements (to be established by regulation) and reduces the Medicare reimbursement available to those who do not achieve meaningful use by 2015. Providers that wish to satisfy the
HITECH requirements should consider including specific contract language to address whether the
vendors EHR will enable the provider to satisfy the HITECH requirements for meaningful use as
they are set forth in the then current and future regulations.
Attorneys can provide important assistance in an EHR acquisition by taking an active role in
helping the provider understand each partys actual obligations under the contract and how that may
differ from the clients expectations. This step is critical because client healthcare providers often
misunderstand the capabilities of EHR systems and the substantial resources necessary to implement
and maintain them.
Therefore, in addition to negotiating the business and legal terms in the vendors standard contract, counsel for the EHR buyer should confirm that the clients IT personnel and senior management
understand: (a) exactly what the vendor is offering, (b) what the vendor is not providing that must be
obtained from another vendor or the client, (c) the scope of effort and resources that the client will
need to implement the system, (d) whether all other business terms are accurately reflected, and (e)
how caution in implementation and ongoing monitoring during the use of the system can reduce risk
and allow for necessary adjustments.
By negotiating the contract as outlined below, providers can reduce the risks presented by this
technology.
A. Duration and Scope of the Vendors Support Commitment
1. The agreement needs to specify the number of years during which the vendor will support the software and any conditions or exceptions to this obligation. The period specified is often much shorter than the client expected.
2. Discussing the vendors view of the EHR products life cycle presents an opportunity to
explore the likelihood that the new system will be replaced at some point and the need
for contract provisions to address transition services and data conversion.
3. Ideally, the client should only be committed on a year-to-year basis but the vendor should
be obligated to support the product for the entire period anticipated by the client (fre For a broader discussion of elements to be negotiated in IT contracts, see the Health Information and Technology
Practice Guide (Elisabeth Belmont, Ed., 2003) American Health Lawyers Association.
23
458
459
The currently recognized certifying body for purposes of the interoperability requirement is the CCHIT.27
3. In order to address the interoperability requirement of the EHR Rules, the client should
receive a representation and warranty from the vendor that the licensed version and new
releases of the software will be interoperable as defined in the EHR Rules. The vendor
could make this representation based on the general definition of interoperability in the
EHR Rules or if the EHR technology has been certified by CCHIT.
4. The client should be aware that some EHR vendors feel that the general definition of
interoperability in the EHR Rules is too vague and they therefore choose to rely on
CCHIT certification. This may present timing issues for future versions and the risk that
the CCHIT certification standards may change.
5. If the vendor is not willing to promise that all future versions will be interoperable (either as defined in the EHR Rules or by CCHIT certification), one compromise would be
to allow the client to delay moving to a new version until CCHIT certification or other
evidence of interoperability is provided by the vendor. However, this will not address
the need to use governmental updates and error fixes that might be included in the new
(uncertified) version.
6. The EHR Rules also require that the EHR technology must include either electronic
prescribing capability or an interface to the recipients existing electronic prescribing
system that meets the Medicare Part D standards.28 The client therefore will want the
vendor to represent and warrant that the technology meets this standard.
The Final Regulations of Stark Law Exceptions and Anti-Kickback Statute Safe Harbors for the Donation of E-Prescribing and Electronic Health Records Items and Services (Edward F. Shay and Rebecca L. Williams, eds., 2008) American
Health Lawyers Association Member Briefing.
25
42 CFR 411.357(w)(2) and 1001.952(y).
26
42 CFR 411.351.
27
See http://cchit.org.
28
42 CFR 411.357(w)(11) and 1001.952(y)(10).
24
460
461
462
463
464
465
While a single healthcare provider can benefit from implementing an EHR system, the greatest benefits result from the networking of EHRs among healthcare providers, pharmacies and other
healthcare entities to create a full picture of a patients healthcare history and needs. Yet the same
features that generate this promise also lead to the major regulatory concerns about EHRs: security and
fraud and abuse in the acquisition and implementation of the systems.
Electronic records present a number of security risks that fall into two categories. First, the physical integrity of the data must be protected from a different set of hazards than those facing paper
records. Second, the very accessibility offered by EHRs puts them at risk for unauthorized access.
The federal regulations surrounding EHR systems recognize these risks, and uniformly require that
providers address them during system implementation. The rest of this section addresses those issues
in more detail.
In 2004, President George W. Bush created the position of National Coordinator for Health Information Technology (NCHIT) within the Office of the Secretary of the Department of Health and
466
Ensures that appropriate information to guide medical decisions is available at the time and
place of care;
Improves healthcare quality, reduces medical errors, and advances the delivery of appropriate, evidence-based medical care;
Reduces healthcare costs resulting from inefficiency, medical errors, inappropriate care, and
incomplete information;
Promotes a more effective marketplace, greater competition, and increased choice through
the wider availability of accurate information on healthcare costs, quality, and outcomes;
Improves the coordination of care and information among hospitals, laboratories, physician
offices, and other ambulatory care providers through an effective infrastructure for the secure
and authorized exchange of healthcare information; and
Ensures that patients individually identifiable health information is secure and protected.
28.5
Ensuring the privacy and security of the information contained within an EHR system is probably the most important consideration in its development and implementation. HIPAA addresses
these concerns directly. In addition, the Stark and Anti-Kickback provisions (discussed in more detail
below) provide incentives to meet specific standards for security and privacy of information stored on
EHRs.
HIPPA Privacy Rule31 and Security Rule32 impose requirements on covered entities regarding the creation, storage, use and disclosure of patient protected health information (PHI). While the
Privacy Rule applies to all PHI regardless of form, the Security Rule applies only to electronic PHI
(EPHI). Since the Security Rule is unique to electronic PHI, the following discussion will address only
the requirements imposed by the Security Rule that affect organizations developing and implementing
an EHR system.
28.5.1
The Security Rule contains three categories of standards: Administrative, Physical, and Technical.
They share some general characteristics:
The Security Rule standards set a minimum level of security for electronic PHI. A covered
entity may choose to implement internal security policies and procedures that exceed the
Security Rule standards.
31
32
467
The Security Rule allows scaled standards based upon the size, capabilities, and complexity
of the covered entity.
The covered entity must perform internal risk analysis and vulnerability assessment.
Failure to implement and comply with the Security Rule standards could result in the violation of the Security Rule standards and the Privacy Rule.
The Security Rule standards are technology neutral; they do not require any particular technology but establish conditions once an entity incorporates technology.
28.5.2
Security Standards
The Security Rule sets out 18 security standards or safeguards which fall into three categories:
administrative, physical, and technical. Thirty-five required and addressable implementation
specifications further define the standards. For addressable implementation specifications (AIS), the
covered entity has three options: (1) implement the specification, if it is reasonable and appropriate
for the covered entity; (2) if the AIS is not reasonable or appropriate, implement an appropriate and
reasonable alternative security measure to accomplish the purpose of the AIS; or (3) decide not to
address the standard after determining that the AIS is not reasonable and appropriate and that the
Security standards can still be met in another manner. The covered entity must document its rationale
for not adopting a security measure that addresses the AIS. Table 1 below outlines these standards and
the related specifications.
28.5.3
In addition to the administrative safeguards, the Security Rule standards also require that covered
entities include in their business associate agreements language contained in 45 CFR 164.314(a)
(2) in order to protect the security of electronic PHI. The following template language reflects those
specifications:
468
Business Associate shall implement administrative, physical, and technical safeguards that
reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI
that it creates, receives, maintains, or transmits on behalf of the Covered Entity.
Business Associate shall report to Covered Entity [Optional: within ___ (___) business
days; or on a quarterly basis] any security incident of which it becomes aware, as such
term is defined in the HIPAA Security Rule. [Optional: The report to Covered Entity shall
identify: the date of the security incident, the scope of the security incident, the Business
Associates response to the security incident, and the identification of the party responsible
for causing the security incident, if known. Thereafter, Business Associate shall provide periodic updates regarding the security incident, at Covered Entitys written request.]
Business Associate shall ensure that any agent, including a subcontractor, to whom it provides EPHI agrees [Optional: in writing] to implement reasonable and appropriate safeguards
to protect EPHI.
28.5.4
Covered entities must maintain written records (which may be electronic) of the implemented
policies and procedures supporting security activities and of any required action, activity or assessment, including the following:
Covered entities must maintain documentation (e.g., policies, procedures, and agreements
required by the Security Rule standards) for six years from the date of creation or the date
they were last in effect, whichever is later.
28.5.5
Those responsible for managing EHR risk should confirm that the appropriate staff has executed
the following steps, which will support HIPAA compliance and constitute much of the risk management process for the physical security of the system:
28.5.5.1 Administrative Safeguards
Conduct a risk assessment of the current or proposed EHR system to identify security
threats;
Implement policies and procedures for preventing, detecting, reporting, and addressing security violations (including sanctions);
Educate and train workforce members about their obligations to protect the privacy and security of PHI;
Develop internal policies to address disciplinary actions and sanctions for unauthorized or
inappropriate access to PHI; and
Update business associate agreements to include an agreement to abide by the Security Rule
standards
Conduct a risk analysis of the physical security of computer stations and other hardware
through which PHI is stored, maintained, or transferred;
Limit physical access to equipment and locations that contain PHI; and
Develop policies and procedures addressing the back up and storage of electronic PHI and the
legal destruction of same.
469
Employ user IDs, passwords, access codes, biometrics, and other authentication tools to prevent unauthorized use;
Conduct periodic audits of the EHR system to ensure that employees are not misusing the
system; and
Educate and train workforce about the covered entitys security audit practices and plans for
enforcement.
28.6
The adoption of EHR systems has encountered resistance at the provider level for several reasons, including implementation expense, the time and energy to acquire and implement the system,
concerns about the systems effect on workflow, and Stark and anti-kickback concerns. Undoubtedly,
providers also fear the learning curve involved in adopting any new technology. Unfortunately, many
efforts by large hospitals or systems to support smaller providers as they grapple with these anxieties
could trigger regulatory violations.
Cost imposes one of the largest barriers to the development and implementation of a system wide
or regionally networked EHR. While larger healthcare providers, such as hospitals and large health
systems, usually have the financial resources to implement and maintain an EHR system, smaller providers do not. The potential for violating fraud and abuse laws discourages larger healthcare providers
from assisting physicians and other smaller entities in their efforts to acquire the systems. Because
they fear conflicting with fraud and abuse laws, many healthcare providers have chosen not to develop
and implement a fully functional and networked EHR system.
The Stark statute, the anti-kickback statute33 and their corresponding regulations34 address possible payment for referrals.
35
36
33
34
Strict liability provisions, the Stark laws35 impose possible civil penalties, including exclusion from the Medicare and Medicaid programs. They prohibit a physician and his or her
immediate family from making referrals for designated health services to an entity, and
prohibit those entities from submitting claims for prohibited referrals, where the physician (or
immediate family) has a financial relationship with the entity, unless an exception applies.
The anti-kickback provisions36 impose criminal penalties on those who willfully or knowingly solicit, offer, pay, or receive remuneration for a referral for which payment can be
made under a government program, unless the arrangements falls under one of several safe
harbors. As with Stark, violations of the anti-kickback law often result in civil monetary
penalties and exclusion from the Medicare and Medicaid programs, as well as large fines or
imprisonment.
42 U.S.C. 1395nn.
42 CFR part 411.
42 U.S.C. 1395nn; 42 CFR part 411.
42 U.S.C. 1320a-7b(b), 42 CFR part 1001.
470
The Stark and anti-kickback EHR exceptions are nearly identical, and they allow nonmonetary
remuneration consisting of items and services in the form of software or information technology and
training services that is necessary and used predominantly to create, maintain, transmit, or receive
electronic health records, if the arrangements meet all of the 13 conditions in Table 2 (EHR table).
The Stark provisions apply when an entity (as defined by 42 CFR 411.351) provides the items and
services to a physician, The antikickback provisions address a broader pool of recipients such as health
plans or other individuals or entities that provide covered services and submit claims for payment.
The Stark and anti-kickback e-prescribing exceptions are also nearly identical, and they allow
nonmonetary remuneration consisting of items and services in the form of hardware, software, or
information technology and training services that is necessary and used solely to receive and transmit
electronic prescription information, if the following conditions listed in Table 3 are met.
28.6.2
While the Stark and anti-kickback EHR provisions (EHR rules) are similar, and the Stark and antikickback e-prescribing provisions (e-prescribing rules) are also similar, there are some key differences
between the EHR rules and the e-prescribing rules.
39
40
37
38
The category of items and services covered by the EHR rules (EHR Qualifying Technology)
is much broader than the category of items and services covered by the e-prescribing rules
(e-Prescribing Qualifying Technology). The e-prescribing rules apply to items and services
necessary and used solely to transmit and receive electronic prescription information, while
the EHR rules apply to items and services predominantly used to create, maintain, transmit,
or receive EHRs. Furthermore, the e-prescribing rules include hardware, while the EHR rules
do not.
71 FR 45140.
42 CFR 411.357(v), (w).
71 FR 45110.
42 CFR 1001.952(x), (y).
471
EHR Qualifying Technology and e-Prescribing Technology both must comply with standards
for e-prescribing adopted by CMS. However, the EHR rules also require that the items and
services be interoperable.
Whereas the e-prescribing rules are concerned with criteria that take into account both directly
and indirectly the volume or value of referrals, the EHR rules are concerned only with methods that take into account directly the volume or value of referrals.
Under the e-prescribing rules, there is no limit on the value of donation for E-Prescribing
Qualifying Technology. The EHR rules are more limiting and require a recipient to pay 15
percent of the donors cost for the donated items and services, and the donor is prohibited
from financing such payments on behalf of the recipient.
The EHR rules expire on December 31, 2013. The e-prescribing rules have no expiration.
28.6.3
This section outlines only basic information about possible fraud and abuse exposures generated
by multi-party EHR system development. Healthcare entities planning to share or network their technology need to include someone knowledgeable of these issues on their planning team. As systems roll
out, sound risk management also requires ongoing review for any changes in financial or supporting
relationships that could stumble into forbidden territory under the Stark and anti-kickback laws.
28.7
Conclusion
EHR selection, implementation, and operation offer tremendous opportunities to apply enterprise
risk management processes. These activities create risk and opportunity in many areas for a clinical provider or healthcare organization. The EHR forms the nucleus of a complex system that can
potentially affect clinical care, reimbursement, employee satisfaction, patient satisfaction and liability.
Managing all the risks requires a thorough understanding of the provider organization and the EHR
system, from the first choices in implementation to monitoring the system in practice and making
periodic adjustments. Retention and protection of data and the ability to reproduce it dependably can
protect the organization in disputes, whether with the government or an injured patient. These responsibilities merit multi-disciplinary support, with input from clinical staff, risk management, counsel, IT,
and other relevant departments. The time commitment may be significant, but the benefits in patient
safety, cost reduction and quality measurement should make it well worth the effort.
472
Information System Activity Review (Required) Procedures to regularly review records of information system
activity, such as audit logs, access reports, and security
incident tracking reports.
(Required) Identify security official responsible for
development and implementation of the Required
security policies and procedures.
Authorization and/or Supervision (Addressable)
Procedures relating to workforce accessing electronic
PHI or locations where electronic PHI might be
accessed.
Workforce Clearance Procedure (Addressable)
Procedures to determine if access is appropriate.
Termination Procedures (Addressable) Terminate
employees access to electronic PHI when
employment ends or as otherwise Required.
Isolating Healthcare Clearinghouse Functions
(Required) If clearinghouse is part of larger
organization, protect unauthorized access of
clearinghouses electronic PHI by larger organization.
Access Authorization (Addressable) Policies and
procedures for granting access to electronic PHI.
Access Establishment and Modification (Addressable)
Establish, document, review, and modify users right
of access to workstation, transaction, program, or
process based on covered entitys access authorization
policies.
473
Administrative Standards
5. Security Awareness and Training Security Reminders (Addressable) Periodic security
Required for both covered entity
updates.
workforce and management.
Protection From Malicious Software (Addressable).
Log-in Monitoring (Addressable) Monitor log-in
attempts and report discrepancies.
Password Management (Addressable) Create,
change, and safeguard passwords.
6. Security Incident Procedures
Response and Reporting (Required) Identify and
respond to suspected or known security incidents;
mitigate harmful effects; document incidents and
outcomes.
7. Contingency Plan Protect Data Backup Plan (Required) Create and maintain
retrievable exact copies of electronic PHI.
systems containing electronic
PHI from emergencies and Disaster Recovery Plan (Required) Restore any loss
of data.
other occurrences, such as fire,
vandalism, system failure, and Emergency Mode Operation Plan (Required) Enable
continuation of critical business processes.
natural disaster.
Testing and Revision Procedures (Addressable)
Periodic testing and revision of contingency plans.
Applications and Data Criticality Analysis
(Addressable) Assess relative criticality of specific
applications and data in support of contingency plan.
8. Evaluation
(Required)
Evaluation covers all components of the Security Rule
and not just the information systems
Performance of a periodic technical
and non-technical evaluation.
9. Physical Safeguards
Contingency Operations (Addressable) Allow
10. Facility Access Controls
facility access in support of restoration of lost data
Prevent unauthorized physical
under disaster recovery plan and emergency mode
access to IT systems and the
operations plan in event of emergency.
facilities in which they are housed,
Facility Security Plan (Addressable) Safeguard
while permitting authorized
facility and equipment from unauthorized physical
access.
access, tampering, and theft.
Access Control and Validation Procedures
(Addressable) Control and validate access to facility
and software for testing and revision purposes, based
on role or function.
Maintenance Records (Addressable) Document
repairs and modifications to facility security
components.
474
Administrative Standards
(Required) Specify proper functions and attributes
of surroundings of workstations accessing electronic
PHI.
Physical safeguards for workstations that access
electronic PHI, to restrict access to authorized users.
Disposal (Required) Address final disposition of
electronic PHI and/or the hardware or electronic media
on which it is stored.
Media Re-use (Required) Removal of electronic PHI
from media before media is made available for re-use.
Accountability (Addressable) Maintain record of
movements of hardware and electronic media and any
responsible person.
Data Backup Storage (Addressable) Create a
retrievable, exact copy of electronic PHI, when
needed, before movement of equipment.
475
Administrative Standards
Integrity Controls (Addressable) Security measures
19. Transmission Security
to ensure that transmitted electronic PHI is not
Technical security measures to
improperly modified without detection.
guard against unauthorized access
Encryption (Addressable) Mechanism to encrypt
to electronic PHI that is being
electronic PHI whenever deemed appropriate.
transmitted over an electronic
communications network.
476
1. The software is interoperable (as defined 1. The items and services are provided to an
individual or entity engaged in the delivery of
by 42 CFR 411.351) at the time it is prohealthcare by an individual or entity that provided to the physician. Software is deemed
vides services covered by a federal healthcare
interoperable if a certifying body recognized
program and submits claims or requests payby the Secretary has certified the software
ment, either directly or through reassignment,
no more than 12 months prior to the date it
to the federal healthcare program, or a health
is provided to the physician).
plan.
2. The donor (or any person on the donors 2. The software is interoperable at the time it is
provided to the recipient. Software is deemed
behalf) does not take any action to limit or
interoperable if a certifying body recognized
restrict the use, compatibility, or interoperby the Secretary has certified the software no
ability of the items or services with other
more than 12 months prior to the date it is proelectronic prescribing or electronic health
vided to the recipient).
records systems.
3. The physician pays 15% of the donors costs 3. The donor (or any person on the donors
behalf) does not take any action to limit or
for the items and services, and the donor
restrict the use, compatibility, or interoper(or any party related to the donor) does not
ability of the items or services with other
finance the physicians payment or loan
electronic prescribing or electronic health
funds to be used by the physician to pay for
records systems.
the items and services.
4. Neither the physician nor the physicians 4. Neither the recipient nor the recipients practice (or any affiliated individual or entity)
practice, including employees and staff
makes the receipt of items or services, or the
members, makes the receipt of items or seramount or nature of the items or services, a
vices, or the amount or nature of the items
condition of doing business with the donor.
or services, a condition of doing business
with the donor.
477
5. Neither the physicians eligibility for nor 5. Neither the recipients eligibility for nor the
amount or nature of the items or services may
the amount or nature of the items or services
be determined in a manner that directly takes
may be determined in a manner that directly
into account the volume or value of refertakes into account the volume or value
rals or other business generated between the
of referrals or other business generated
parties. Notwithstanding this condition, the
between the parties. Notwithstanding this
parties may make determinations of eligibilcondition, the parties may make determinaity based on:
tions of eligibility based on these factors:
The total number of prescriptions written by the physician (but not the volume
or value of prescriptions dispensed or
paid by the donor or billed to a federal
healthcare program);
The size of the recipients medical practice (e.g., total patients, total patient
encounters);
478
6. The arrangement is set forth in a written 6. The arrangement is set forth in a written agreement that:
agreement that:
Is signed by the parties;
Specifies the items and services being provided, the donors cost of the items and
services, and the amount of the recipients
contribution;
479
9. The items and services do not include staff- 9. The items and services do not include staffing of the recipients office and are not used
ing of physician offices and are not used
primarily to conduct personal business or
primarily to conduct personal business or
business unrelated to the recipients medical
business unrelated to the physicians medipractice.
cal practice.
10. The electronic health records software con- 10. The electronic health records software contains electronic prescribing capacity.
tains electronic prescribing capacity.
11. The arrangement does not violate the 11. Before receipt of the items and services, the
recipient pays 15 percent of the donors costs
Anti-Kickback Statute or any other law
for the items and services, and the donor (or
or regulation governing billing or claims
any affiliated individual or entity) does not
submission.
finance the recipients payment or loan funds
to be used by the recipient to pay for the items
and services.
12. The transfer of items or services occurs and 12. The donor does not shift the costs of the
items and services to any federal healthcare
all conditions in this exception are satisfied,
program.
on or before December 31, 2013.
13. The transfer of items or services occurs and 13. The transfer of items or services occurs and
all conditions in this safe harbor are satisfied,
all conditions in this exception are satisfied,
on or before December 31, 2013.
on or before December 31, 2013.
480
1.
2.
3.
4.
Anti-Kickback E-Prescribing
Safe Harbor
The items and services are provided by: (1) 1. The items and services are provided by: (1)
a hospital to a physician who is a member
a hospital to a physician who is a member of
of its medical staff, (2) a group practice
its medical staff, (2) a group practice to a
to a prescribing healthcare professional who
physician who is a member of the group
is a member of the group (as such terms
(as such terms are defined in Stark), or (3) a
are defined in Stark), or (3) a Prescription
Prescription Drug Plan sponsor or Medicare
Drug Plan sponsor or Medicare Advantage
Advantage organization to a prescribing
organization to pharmacists and pharmacies
physician.
participating in the network of such sponsor
and to prescribing healthcare professionals.
The items and services are provided as part of, or are used to access, an electronic prescription
drug program that meets the applicable standards under Medicare Part D at the time the items
and services are provided.
The donor (or any person on the donors behalf) does not take any action to limit or restrict the
use or compatibility of the items and services with other electronic prescribing or EHR systems.
For items and services that are of the type that can be used for any patient without regard to
payor status, the donor does not restrict, or take any action to limit, the physicians right or ability to use the items or services for any patient.
5. Neither the physician nor the physicians practice (including employees and staff members)
makes the receipt of items or services, or the amount of nature of the items or services, a condition of doing business with the donor.
6. Neither the physicians eligibility for nor the amount or nature of the items or services is determined in a manner that takes into account the volume or value of referrals or other business
generated between the parties.
7. The arrangement is set forth in a written agreement that:
Is signed by the parties;
Specifies the items and services being provided, the donors cost of the items and services;
Covers all of the electronic prescribing items and services to be provided by the donor (or
any affiliate).
This requirement is met if all separate agreements between the donor and the physician (and the
donor and any family members of the physician) incorporate each other by reference or if they
cross-reference a master list of agreement that is maintained and updated centrally and is available
for review by the Secretary upon request. The master list must be maintained in a manner that preserves the historical record of agreements.
Enterprise Risk Management for Healthcare Entities, First Edition
481
Anti-Kickback E-Prescribing
Safe Harbor
8. The donor does not have actual knowledge of, and does not act in reckless disregard or deliberate
ignorance of, the fact that the physician possesses or has obtained items or services equivalent to
those provided by the donor.
482
29
Radio Frequency IdentificationA Challenge
forHealthcare
Joshua I. Rozovsky
The Rozovsky Group, Inc./RMS
Phyllis F. Granade, Esq.
Adorno & Yoss
29.1
Introduction
Radio Frequency Identification (RFID) technology is often misunderstood in the healthcare arena.
Much of the opposition to RFID implementation stems from misconceptions regarding its capabilitiesthat RFID allows individuals or objects to be tracked with pinpoint accuracy everywhere they
go. Discussions over injectable RFID tags (implants) have raised issues of ethical use of RFID
technologies, and led to legislation in several states banning the forced implantation of RFID tags.1
Some critics voice concerns that information on a tag, such as a social security, passport, or credit card
number, might be intentionally corrupted or stolen from a distance. A major manufacturer has creating
RFID shielded envelopes.2
RFID is an extremely valuable technology in the healthcare setting, and has already seen wide use
in healthcare environments and pharmaceuticals. With EPC or barcode identification, products such as
pharmaceuticals can be traced back to the manufacturer and identified globally via the Internet-linked
EPC or GS1 database. Data about the particular drug, or which patients are taking it, are not stored
on the RFID tag, or in the EPCglobal database. That information would be stored in the healthcare
facilitys own servers and the EPC Code (e.g. tag serial number) would be linked to that patient or
drug information.3
There remain competing standards for RFID tags, with many available choices for tag type and
capability. Implementing a successful RFID strategy requires understanding of the multidisciplinary
risk factors associated with this technology, and requires close cooperation between multiple parties
North Dakota and Wisconsin have banned the involuntary insertion of RFID chips into employees. See, N.D. Code
12.1-15, Wisc. Stat. 146.25.
2
National Envelope Corporation. Smart Card Guard Envelopes. These envelopes would protect the enclosed RFID chip
from being skimmed or read by a hackers RFID reader. http://www.nationalenvelope.com/prod/SmartCardGuardEnvelopes.htm.
3
An Accountable Supply Chain: Pharmaceutical Pedigree Handout. Healthcare Distribution Management Association.
www.healthcaredistribution.org/issues_in_dist/pdf_epc/AIDC-0403-1_pharma0516033.pdf.
1
483
What is RFID?
The term RFID can describe several different types of systems. This has been a source of
confusion for prospective buyers of RFID systems, and for advocates concerned about privacy and
security. Failing to understand the different types of RFID devices can also lead to disappointment
when purchased systems are found to be incompatible with a new type of asset to be tagged or with
existing IT infrastructure. Alternatively, poorly planned systems may be vulnerable to, or the cause of,
electromagnetic interference.
RFID tags are a combination of a radio receiver and transmitter (called a transponder), antenna(s),
memory, and a controller. Typically, these devices are manufactured to contain just a microchip and
one or more antennas. The chip and antenna are placed inside a paper, plastic, or glass capsule or label
that can then be affixed to an object.
RFID is often implemented as a smart label. Information about the object (such as an inventory
or patient number) can be retrieved by computer when a user scans the tag. In this sense, RFID is often
described as a barcode replacement. RFID tags can offer several advantages over barcoding:4
Tags do not have to be directly exposed to the reader, so tags on objects in a box can be
scanned without unpacking
Because the tag does not have to be on the outside of the packaging, the tag can be more
durable than a barcode
Anywhere from dozens to thousands of tags can be scanned in quickly and automatically,
instead of requiring slow, sequential scanning
Some tags allow the tag data to be changed by the user (they have read/write capabilities).
Groups of tags can be selected by the reader and their data read, or even changed
More complex tags have encryption and password functionality, and access to the data can be
password-locked
Some advanced types of tags (semi-passive and active) can be connected to sensors or beacon
information, allowing for telemetry functionality and real-time location tracking.
RFID in Healthcare A Panacea for the Regulations and Issues Affecting the Industry? UPS Supply Chain Solutions,
White Paper. 2005. http://ups-scs.com/solutions/white_papers/wp_RFID_in_healthcare.pdf.
4
484
29.3
Passive tags (the most common), have no battery. If the tag is brought close enough to an
external reader (also called an interrogator) the readers transmissions provide instructions to the tag,
such as to retrieve the information stored in it. The reader emits enough radio-frequency energy to
provide the electricity needed to operate the tag, allowing it to transmit its responses back to the reader.
Because there is no battery to malfunction or run out, the tags can be very small and have a longer
lifespan. The tag will remain off until it encounters a compatible RFID reader from which powers
it wirelessly. Appropriately selected tags can be placed almost anywhere any other type of label (such
as barcodes or property tags) could be placed, and can also be hidden inside packaging. The range on
passive tags is less than that of the battery-assisted tags described below, with actual range varying
significantly based upon the frequency chosen.
Two types of RFID tags do have onboard batteries. It is important for healthcare risk managers
to understand the differences between these devices because their relative risks differ significantly in
terms of implementation, cost, and privacy concerns.
Semi-passive tags (sometimes also called battery-assisted passive or semi-active tags) contain
a battery to help power the microchip inside the tag and any sensors packaged with it. Like
passive tags, the semi-passive tag does not transmit anything until it is queried by the external
reader. For example, a semi-passive tag with a temperature sensor could populate a chart of
the temperatures encountered by a shipment of drugs during transport and communicate that
information when queried by a reader. Semi-passive tags will have a much greater range than
passive tags because the chip receives assistance from the battery in turning itself on. The
disadvantage of any battery-connected tag is their much greater cost and size compared to
passive devices.
Risk Management Tip: Risk managers should be aware of any deployment within the organization of semi-passive tags because the extended range can increase privacy and security
concerns. An advantage of semi-passive and active tags over passive systems is that despite
their greater range, they require less radio frequency (RF) output power to achieve that range
because the RF signal from the tag only needs to convey information back to the reader. In a
passive system, the reader must emit much more power because its RF output has to turn on
and power the passive tags within range.
Active tags do not require a reader to power the communication at all. Active tags contain
a battery and a more advanced transmitter. Active devices can often initiate communications without an interrogator first querying them. Some tags may be configured to require
reader activation (they are normally in sleep mode) similar to semi-passive tags. These
tags are larger, more expensive, and have been used in the container shipping industry and
in locating and storing information on railroad cars. When used with three or more readers
in different locations, they can form a real-time location system based on triangulation. If
global positioning system (GPS) receivers are interfaced to the tag, this can provide another
means of real-time tracking in areas where the GPS satellite signal can be received (generally
outdoors). In healthcare, medical equipment carts and other expensive, portable devices may
485
Risk Management Tip: Legal counsel must be aware of the use of active tag technology in
healthcare settings. Limits on active tag technology should be clearly defined in any RFID
implementation strategy, with an approval process for the use of such devices. Clear guidelines must be established if active tags are used to track patients, such as ankle bracelets.
29.4
Beyond passive, active, and semi-passive RFID tag types, other technical characteristics can significantly affect the risk opportunities presented by a particular RFID implementation proposal. The
range of the tags and readers is of significant concern for several reasons, including:
Privacy & Security: from how far away can someone read or modify the data on the tag, or
track its location?
Interference: Longer-range readers and tags are more likely to interfere with each other
(called a collision). More powerful readers can also be a source of electromagnetic interference to other electronic devices in a healthcare environment. In recent tests published by
JAMA, RFID devices caused 34 electromagnetic interference incidents in 123 tests of medical devices, at a median range of 30 cm.5
Incompatible Frequencies and Related Issues: RFID readers and tags designed for a particular frequency are not compatible with those designed for another frequencya
high-frequency(HF) reader cannot read ultra high frequency (UHF) tags. Meanwhile, a lowfrequency (LF) system may use tags with a very small data capacity and shorter range, but
could provide better penetration of liquids, and fewer problems around metallic items. This
is why LF tags are used in implantable tags, and often seen on bottles of liquid formulations
and metal cans. Each frequency range also provides new opportunities for potential electromagnetic interference with different existing systems (or systems that might be added to the
healthcare environment later) that occupy nearby frequencies.
Differences in International Standards: Note that other countries may employ different frequencies for their UHF and microwave tags, rendering them incompatible in the U.S. This
is of some concern if the healthcare entity seeks to incorporate manufacturer-installed RFID
tamper-resistant or anti-counterfeiting seals into a pharmaceutical safety program. The
only globally accepted frequencies are those at LF and HF.6
Other Issues: The systems frequency can affect other limitations, including what materials the tag can be attached to, how much data the tag can store, and how many tags can be
read at one time. For example, the type of RFID tags attached by the hospital in a pharmacy
van der Togt, van Lieshout, Beinat, Binnekade, Bakker. Electromagnetic Interference from Radio Frequency Identification Inducing Potentially Hazardous Incidents in Critical Care Medical Equipment. JAMA p. 2884. June 25, 2008 Vol.
299, No. 24.
6
Page 120, CompTIA RFID+ Study Guide. Sweeney, Patrick J. Indianapolis: 2007.
5
486
The purpose of any RFID tag is to link data to the tagged object or person. For a small LF or
HF tag, this is often done in much the same manner as a traditional barcode: the scanned barcode or
RFID chip provides a number linked uniquely with a particular record. That record is then retrieved
from a database and displayed either in print or on-screen, or the system automatically modifies the
record in the database (such as counting items of that type in inventory). For pharmaceuticals and
general-purpose items, some electronic product codes (EPC codes) can be linked to the manufacturer
via global databases such as that maintained by EPCglobal, an organization focused on creating global
standards for RFID.
In order for the tag to communicate with a database or interface correctly with a reader, the information retrieved from the tags memory and the protocol used for the radio communication between
the devices has to follow the same data and air standards. The chosen standards must reflect the
long-term interoperability requirements of a healthcare data system. Maintaining the standards-compliance of a system should be a consideration in any contracting bid. Several organizations promote
basic RFID standards, including GS1, EPCglobal, and the ISO. There are currently two generations
of RFID technologies recognized. Generation 2 is the current standard, which is divided into various
classes of tags. These classes specify certain tag features, such as encryption, sensors, tags that also
can be readers, and tags with extra memory capacity. Most tags with these features are not yet recognized as meeting these EPC class standards. There are also many vendor-specific, manufacturer, and
facility-based proprietary standards in use:
International Standards Organization: The ISO has defined standards for RFID tags and their
uses, such as non-contact access control passes. Some ISO standards have been incorporated
into the EPC standards and vice-versa.
GS1 and EPCglobal: Many UHF tags now use the EPC standards by GS1, an industry
organization. EPCglobal supports RFID technologies in the GS1 system. Current EPC implementations allow the unique EPC code to be looked up on the EPC database to obtain its
history. Some tags have a user-writable area (for use at the facilitys discretion, such as a
patient identification number).7
487
RFID readers, semi-passive, and active tags are all powered radio transmitters. As a result, the
Federal Communications Commission (FCC) has authority to regulate the transmissions from these
devices. The regulations promulgated by the FCC regarding radio frequency devices are found at
47C.F.R. Part 15. Frequencies are selected for RFID use in the U.S. pursuant to frequency allocations
and international agreements. Different regulatory processes result in differences in RFID devices,
including frequency assignments around the world. It must be noted that all RFID devices must be
certified by the FCC in the U.S. Licensure may be required for operation of transmitters if they exceed
the power output limits specified by the FCC.
It is important to ensure that tags and readers used in the U.S. be certified by the FCC, use International Telecommunication Union Region 2 (North and South America) frequency allocations, and
do not exceed FCC power output limits. The certification of RFID readers and other equipment can
be checked online.9 Changing the antenna on a reader can increase the effective power output of a
reader, requiring its transmitter power to be reduced. Legal counsel needs to verify that readers sold
to the healthcare facility by outside vendors meet FCC specifications. Contracts with outside vendors
must include a means for recovery and replacement of readers found to have been decertified or sold
improperly. The FCC should be notified of any apparent interference problems that conflict with Part
15 regulations, under which non-licensed RFID devices may operate.10
The FCC also regulates radio frequency safety. Debate continues over the exact dangers posed
by radio waves (RF radiation). While the power of RFID installations is very low compared to many
other types of radio transmitters, including some portable handheld radios, healthcare organizations
should incorporate RF safety into personnel training. Safe exposure limits should be discussed with
outside vendors, documented carefully, and updated if any changes are made to the installation (such
as adding a new antenna, shortening a cable to the antenna, or increasing the reader power output).
Part15 regulates radiated emission limits.11
RFID Crack Raises Spectre of Weak Encryption. InfoWorld. Paul Roberts. http://www.infoworld.com/article/05/03/17/
HNrfidcrack_1.html?RADIO%20FREQUENCY%20IDENTIFICATION%20-%20RFID.
9
Federal Communications Commission, Office of Engineering and Technology. FCC ID Help
http://www.fcc.gov/oet/fccid/help.html.
10
47 C.F.R. Part 15.
11
47 C.F.R. 15.109.
8
488
29.7
29.7.1
When the RFID tags are used in a medical device, FDA regulation is also a concern. A number
of RFID devices have been approved as medical devices by the FDA. Tagging surgical instruments,
using non-approved RFID telemetry tags without authorization, or other non-approved uses for RFID
tags are potential source of liability. The FDA has issued letters permitting the marketing of at least
two RFID chips pursuant to the 510(k) medical device process. In 2004, the FDA cleared a surgical
markerthe SurgiChipconsisting of a tag or smart label with an integrated passive transponder, along
with a printer, encoder, and RFID reader. According to an FDA Talk Paper, SurgiChip works as
follows:
The patients name and surgical site are printed on the SurgiChip tag. The inside of the tag
is encoded with the date of surgery, type of procedure and name of the surgeon. The tag is
scanned with a desktop RFID reader for confirmation by the patient and is then placed into the
patients hospital file. On the day of the surgery, the tag is removed from the file and scanned
again, and the encoded information is verified by the patient. The tag, which has an adhesive
backing, is then placed on the patients body near the surgical site. In the operating room, the
tag is again scanned and the encoded information is verified with the patients chart. The tag
is removed just before surgery and returned to the patients hospital file.12
The other RFID chip cleared for marketing by the FDA as a Class II medical device is the VeriChip
Health Information Microtransponder System, an implantable RFID prescription device. According
to the FDAs 2004 letter to the Digital Angel Corporation permitting the marketing of the device:
The VeriChip Pocket Reader is indicated for use as a portable instrument that noninvasively reads the ID number of an implantable microchip that is inserted in the arm of the
patient. When activated, the VeriChip Pocket Reader displays a unique identification number
that may be used to access the patients identity and authorized health information from a
secure database. The VeriChip is indicated for use as a miniature implantable microchip
that is inserted into the subcutaneous tissue of the patient. The VeriChip provides the patient
a unique identification number that may be used to access a database containing the patients
identity and health information.13
Importantly, the FDA notes in the VeriChip letter that certain special controls are applicable to
this device because it is implantable. Absent meeting these special controls, the FDA states that an
implantable RFID device would be considered a Class III device subject to far more stringent requirements prior to marketing. Any entity considering implanting RFID devices in humans must consider
the FDA regulation found at 21 C.F.R. 880.6300, Implantable Radiofrequency Transponder System
12
13
489
Congress and the FDA are pursuing the possibility of regulation requiring the use of RFID to track
the manufacture and distribution of pharmaceuticals. This type of regulation or program is frequently
referred to as an ePedigree program. In April of 2008, a bill was introduced to Congress (H.R. 5839)
entitled Safeguarding Americas Pharmaceuticals Act of 2008 which would amend the FDCA to
require the issuance of regulations to establish an effective drug identification and tracking system
through which drug manufacturers, repackagers, wholesale distributors, and dispensers may authenticate the wholesale distribution history of any prescription drug H.R. 5839 would require the FDA
to propose ePedigree regulations no later than March 31, 2010, and to issue final regulations no later
than a year after the proposed regulations are promulgated. The proposed Act requires the FDA to
develop regulations that:
(i) establish standards for electronically accessible and interoperable databases through which
drug manufacturers, repackagers, wholesale distributors, and dispensers may authenticate the
wholesale distribution history of prescription drugs using the numerical identifiers required
under paragraph (2), while maintaining the proprietary information of each entity;
(ii) require the manufacturer or repackager of a prescription drug to apply such numerical identifier in at least 1 standardized form that is electronically readable;
(iii) require the repackager of a prescription drug to link electronically within such databases the
numerical identifier applied to the drug by the repackager to the numerical identifiers applied
to the drug by the manufacturer or previous repackager;
(iv) require each person that receives a prescription drug in wholesale distribution to authenticate
the transaction history of the drug by authenticating the numerical identifier with the appropriate database; and
(v) require protections to ensure patient privacy, in compliance with the regulations promulgated
under section 264(c) of the Health Insurance Portability and Accountability Act of 1996.
Id.
14
490
RFID is already becoming widely used in healthcare. Listed below are only a few possible uses
for which the technology could be deployed as new RFID products are brought to market. As discussed
previously, many of these applications require different frequencies and types of tags. A healthcare
entity may use several types of RFID systems throughout its organization, including low-frequency
RFID tags on smart cards used to access employee-restricted areas, HF tags in pharmaceuticals
tracking, UHF-passive tags for storing patient information on a wrist bracelet, and UHF-active tags
for determining in real time the location of a critical piece of equipment and its current usage or maintenance status.
Note that many of these applications may overlap, and that some may not yet be recognized as a
standard by GS1/EPCglobal. As an example of overlap between categories, a patient fall detection
active tag (an active tag used to signal the emergency) could also provide a means of immediately
locating the downed patient, known as a real time location system or RTLS. (See the Recommended
Reading list at the end of the RFID section for additional reference materials regarding potential RFID
applications in healthcare.)
Potential Active Tag Applications: Battery-supported tags that transmit to nearby RFID readers include the following:
o Bed check systemsalert based on status of patient activity, movement to/from bed.
o Restroom or staff assistance/call buttonsdetect patient call button activation, door
opening to a restroom, flushing of toilet, or use of the sink.
o Fall alert/detectionmanual or automatic alarm.
o Medical telemetrysending medical telemetry data via RFID.
o Intrusion and building emergency alarmsalert activated in response to fire, flooding,
carbon monoxide, panic alarm, glass break, window or door opening, etc.
o Medical equipment activationsends a signal to nearby readers if the equipment is
turned on. Could also be configured to transmit a signal when ready for use (such as
491
Potential Real-Time Location System (RTLS) active tag applications: These are active tag
applications (discussed previously) that use three or more readers, or GPS technology to
show in real-time where the tagged object is located in a facility.
o Active patient surveillancesends a beacon periodically to nearby RFID readers, which
use triangulation techniques to determine the tag location. Alternatively, the active tag
may rely on a satellite GPS signal outdoors to determine location information, which is
then transmitted to nearby RFID readers. RTLS can be used to prevent elopement and
abduction with location information. To be effective, the system has to transmit frequently enough so that the location displayed on the monitor is recent enough to be useful.
o Active provider trackinglocate personnel within the institution. This is the same application as patient tracking, but used to locate personnel within a facility.
o Monitoring of equipment and pharmaceuticals in transport, possibly equipped with sensors for logging applications.
o Monitoring of equipment and pharmaceuticals, including blood product, when in storage.
o Tracking of equipment, assets, supplies, or pharmaceuticals in cases where a longer read
range is needed over passive tags.
o Vehicle or cart access controls (similar to the EZPass highway-toll system).
o Medical telemetry applications where the semi-passive tag stores data to be downloaded to the care provider system. This could include devices such as a home blood pressure monitor, implantable device controller, or insulin pump that will download their
data when interrogated by the care providers reader unit.
o Any application requiring a longer range where extra signal strength is required to overcome existing sources of interference, but an active device is not required.
492
Passive tag applications: most current RFID tags are of the passive type. These have been
used traditionally for inventory control applications, but UHF and microwave tags that contain larger memories are finding use as data storage devices in their own right. Some tags
include random-number generator capability, encryption, and passwords. These features are
Enterprise Risk Management for Healthcare Entities, First Edition
493
RFID tags used to track Hurricane Katrina dead. Michael Kanellos. Silicon.com/CNET. http://networks.silicon.com/
lans/0,39024663,39152382,00.htm.
16
SolutionsRFID page 9m, AHIMA Audio Seminar / Webinar. Disaster Recovery for Health Records Oct. 4,
2007.
17
LTC HIT Summit, Medication Management Slide Presentation. www.ahima.org/meetings/ltc/documents/LTC-Medication-Management.ppt. Also see Disaster Recovery for Health Records
15
494
29.9
RFID technology presents challenges in its implementation. The technology can suffer failures
from scenarios not previously encountered in a healthcare asset-tracking environment. For example,
potential risks for system compromise or failure can arise from bringing a new piece of equipment into
a room, changing from a tablet to a liquid prescription, running a new electrical line in a nearby room,
changing a computer around the corner, or moving from plastic to glass bottles.
RFID is also susceptible to perception challenges. The technology can be used for very shortrange applications or over extended distances. It can contain entire medical records or just a serial
number. Terms like tracking and radio frequency radiation are often misunderstood, and can be a
source of confusion and even fear to patients. Currently, there are consumer organizations vehemently
opposed to any use of RFID due to fears that the RFID in question will be used to track the individuals
and invade their privacy. A quick Google search for Stop RFID finds dozens of such organizations.
Undoubtedly, federal and state legislation will be proposed in the future that attempt to control
how RFID is used with regard to personal information and tracking people. Legal counsel should
remain alert for changes in this area.
29.10
One of the most frequent concerns is that the technology will allow recipients of RFID-enabled
products or identification cards to be tracked. It is critical to note that the term tracking can be
used in two different contexts when discussing RFID technologies. RFID tags, particularly passive
tags, are often used in the same way as barcode labels to track objects in supply chain or institution.
This is not the same as real-time location tracking, a concern from RFID tracking critics.
Tracking by barcode or RFID tag in a supply chain records the progress of an object through an
organization at various checkpoints. A patient could be tracked to the fourth floor because the
nursing station on that floor had scanned in a patients RFID-enabled bracelet upon his or her arrival.
The system does NOT track the patient between the time the tag or barcode was previously scanned
and its arrival at the nursing station. However, such tracking systems can prove invaluable when trying
to determine who last had custody of a particular item, and when. Access control cards are an example
of this type of checkpoint tracking. A passive system only records the location of an access control
card when someone uses it at a reader.
On the other hand, active RFID systems such as real-time location systems are often designed
to provide the type of tracking some privacy advocates fear. For that reason, legal counsel needs
to ensure that any use of RTLS technology follows an appropriate protocol for the organization. If a
system uses active tags but not as part of a real-time location system, legal counsel must ensure that
policies and procedures are in place to respond to accusations that such active technology could
be used with triangulation to track individuals. Furthermore, counsel should help to limit the use of
the term tracking to prevent the RFID program from being misunderstood or receiving negative
attention.
495
Unlike barcoding or magnetic swipe cards, some RFID tags can be read at a distance and, depending on the type of tag (see discussion on frequency and range), they may not need to be presented by
the bearer to be read. Indeed, this is one great advantage for RFID. Unfortunately, it raises the risk
management issues, such as potential identity theft or invasion of medical privacy from reading
a patients information off their RFID-enabled medical jewelry from a handheld reader. Active tag
ranges can approach a kilometer, allowing potential thieves to find very expensive or critical pieces of
equipment, disable the active tracking tags, and walk away with the equipment. Similarly, active tags
could act as beacons, broadcasting far too much information about the valuable object to which it is
attached.
All of these issues must be addressed during planning and in the organizations RFID policy. In
developing the RFID policy, legal counsel should bring together outside experts, vendors, and stakeholders within the organization (particularly from physical security and information technology) to
creatively address potential malicious exploitation of each RFID deployment, whether by internal or
external sources. Many RFID vulnerabilities are similar to those that result from wireless networking.
After weighing the countermeasures, legal counsel will be better equipped to advise executive leadership as to whether the deployment of the particular RFID system will truly enhance the organizations
posture concerning safety, security, and privacy.
Protective measures such as encryption technology, logging of all RFID transactions, and mandatory authentication of all readers in the IT system can help prevent the installation of an unauthorized
RFID reader on the network. Encryption should represent the strongest available using open and
well-known standards. Earlier forms of encryption and RFID credit card communications have demonstrated vulnerabilities.18 Routine radiofrequency environmental analysis and checking reader logs
for unexpected interference and reader collisions can provide a warning that an unauthorized reader
has been installed, possibly to steal access codes or other tag data. To reduce the risk of a malicious
party listening in on RFID transmissions (and to reduce interference), RFID reader output power
should be kept as low as possible without negatively affecting acceptable read rates. Upgrades to the
RFID software should be carefully coordinated to ensure that such upgrades do not create new vulnerabilities in other linked systems, such as in back-end databases. Internal firewalls and anti-intrusion
systems should also be deployed to keep the RFID system from having full access to the rest of the
network, and to prevent a hijacked reader or a malicious RFID tag from causing havoc. Indeed, at
least one wireless RFID virus has used an RFID tag containing malicious code to infect the systems
connected to the RFID reader.19
Heydt-Benjamin, Bailey, Fu, Juels, OHare. Vulnerabilities in First-Generation RFID-enabled Credit Cards. University of Massachusetts, RSA Laboratories, Innealta, Inc. http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/rfid-cc/
RFID-CC-manuscript.pdf.
Also see RFID Crack Raises Spectre of Weak Encryption above.
19
Rieback, Crispo, Tanenbaum. Is Your Cat Infected with a Computer Virus? Vrije Universiteit Amsterdam Computer
Systems Group. http://www.rfidvirus.org/papers/percom.06.pdf An excellent article on RFID security vulnerabilities, and
on the creation of the first RFID virus.
18
496
29.12
Radiofrequency Interference
Healthcare facilities can be electromagnetically noisy environments. Many new healthcare devices
rely on wireless communications in the same industrial, scientific, and medical (ISM) bands that RFID
devices use. Tag reading may fail because of interference from other transmission sources, and the
relatively powerful transmissions of RFID readers may cause other devices to malfunction, including
critical equipment. Because of interference-related challenges, any RFID implementation plan should
involve the RFID vendor performing at least one Full Cycle Faraday Analysis to record the ambient noise during normal operations. Testing of new medical devices with the RFID system should
occur in a controlled setting. The healthcare organization should incorporate lessons learned from its
own interference and incident reports when designing their own RFID exclusion zones or criteria.
Organizations should not rely on regulatory approvals alone when considering interference potential
between one or more RFID systems and other facility devices and systems.
Preferably, a consultant or outside counsel familiar with RFID, medical devices, and wireless
networks will help devise an implementation plan that minimizes the interference between the RFID
system and other devices. A pilot implementation can also help identify areas where interference may
be problematic, allowing adjustments prior to full implementation of a facility-wide RFID plan.20
29.13
RFID systems can be easier to use than a barcode scanner. A data entry technician can scan a shipment without unpacking the boxes, or verify their authenticity automatically. Attaching an RFID tag
can be as simple as attaching any other type of label, whether to a shipping box, identification bracelet,
or new equipment. However, staff may not be aware of the technical and perception challenges RFID
can present.
Staff members need to be prepared to answer basic patient concerns regarding privacy and security. A handout on the healthcare entitys RFID policy can help staff discuss the issues with those
concerned, particularly if tags are used in any direct way with patients. The pamphlet should be written in plain language for a non-technical audience. It should include basic information such as the
estimated range of the devices used in the healthcare facility and a list of objects to which the tags are
affixed.
Education sessions provide opportunities to assuage staff concerns about privacy and security,
such as theft of employee information or illicit access to their personnel file. Employees may also be
concerned that the system is an invasion of their privacy, used to track their whereabouts throughout
the facility. This perception could create morale challenges, with employees fearing that they are not
trusted.
Technical training should inform staff which tag types to use and how to affix them on different
materials. For example, tags on bottles belong on the neck of the bottle, preferably above the liquid.
The organization should also consider certifying staff members who play a major role in maintaining
Radiofrequency Identification Technology in Health Care: Benefits and Potential Risks. Binita Ashar, MD, MBA,
Ann Ferriter BS. November 21, 2007 Vol 298, No. 19. Journal of the American Medical Association (JAMA).
20
497
While it may seem prudent to place much of the responsibility for an RFID system on the health
information technology (HIT) department, the RFID system will have many other stakeholders and
parties that could affect its operation. If the organization divides up responsibility for the RFID system
by function (e.g., pharmacy, shipping and receiving, security, health information, etc.), system-wide
vulnerabilities, updates, and interference issues may escape resolution.
One concern is how the RFID readers interface with the facilitys records system. Whether the
RFID tag contains a patient identifier or an EPC-compatible product code, the number has to interface
somehow with the institutions backend database and possibly the Internet (for EPC codes or other offsite records). The facility must determine how this request will be handled securely. There may be little
purpose in encrypting tag contents if the contents are then sent out over an unsecured wireless network
or unencrypted onto the Internet. Facilities should define (1) who is responsible for maintaining the
connection between the RFID reader and the facility IT network and (2) who ensures that the RFID
firmware and middleware systems comply with the IT system policy for secure communications?
Physically securing the RFID readers, particularly portable units, is important because they can
scan protected information and locate valuable assets for illicit purposes. Portable readers also provide
possible access to the healthcare organizations backend network. Authentication of readers and the
credentials of the user, together with internal firewalls, can help protect the hospital network from
internal intrusion attempts. These steps also increase security with barcoding systems, patient data
entry carts, and automated network-enabled medical devices. All these systems, even network printers, are computers on the network and can be compromised by an attacker as a means of circumventing
the externally-facing firewall.
IT should be involved in ensuring that the system will not display protected information when
a scan is performed without security. For example, readers can scan in many tags at once (e.g., tags
belonging to everyone in a waiting area). The system should require passwords to access the tag data
(on those tags that support encryption), and the system should ensure that the computer attached to the
Radio Frequency Identification, CompTIA RFID+ Certification, http://certification.comptia.org/rfid/.
21
498
An RFID system integrated into a medical device or used in the security department may not be
seen as an IT department responsibility. Similarly, IT and security may regard the decommissioning
of an access control tag as being a human resources issue. Facility shipping and receiving may be
perceived as independent from pharmacy. All of these entities may use common readers on the same
frequencies following the same standards. Or any of those factors (readers, frequencies and standards)
may be different, which can make interference resolution and maintenance of the system a challenge.
Legal counsel should realize that potential interference issues, network security and privacy concerns
are all part of an RFIDenabled system.
Legal counsel should ensure that contracts with outside RFID vendors include a provision for
assessing the current and projected RF environment by performing the full-cycle Faraday analysis
mentioned earlier. Legal counsel should also ensure that outside contractors working in HVAC, electric systems, plumbing, carpentry, and other specialties that could affect the integrity of the system
be notified and work with RFID vendors to reduce conflicts. Agreements with such contractors may
include indemnification provisions covering damage to the integrity of the RFID system due to a failure to follow the RFID vendors guidelines.
SQL (Structured Query Language) is a database computer language designed for the retrieval and management of data
in relational database management systems (RDBMS), database schema creation and modification, and database object
access control management.
23
See ref. Is Your Cat Infected with a Computer Virus?
24
See JAMA article above, Electromagnetic Interference from Radio Frequency Identification Inducing Potentially
Hazardous Incidents in Critical Care Medical Equipment.
22
499
All devices are FCC certified and designed for the U.S.
Frequent system audits (including ambient electromagnetic noise), and pre-installation Full
Faraday Cycle analysis to determine ambient noise.
Familiarity with interference reports between RFID systems and healthcare devices, and a
willingness to test the system against any newly-purchased equipment or changes in equipment (including new acquisitions of similar make/model to those previously tested).
Consulting contract to advise on potential conflicts and warnings should other work need to
be done in the area (electric, water, HVAC, etc).
Maintaining multiple sources of readers and tags if purchased through the vendor, particularly if using a proprietary protocol.
HIPAA compliance.
29.17
RFID Backup
RFID can improve the efficiency of product movement, documentation, medication, equipment,
and personnel throughout an organization, improve the integrity of processes by reducing errors, reduce
the risk of patient loss (e.g., abducted newborns and wandering dementia patients), and allow detection of counterfeit and expired equipment or medication. RFID technology can improve the transfer
of information throughout the organization. If implemented well, the system can become a well-liked,
even essential, part of an organizations business model.
As a potentially important system, its failure must be anticipated. Legal counsel must ensure that
contracts with outside vendors arrange for the rapid restoration of service or replacement of equipment, and that insurance coverage extends to the system (e.g., business interruption). Clear guidelines
for staff must address managing without a functioning RFID implementation. Liability for a poten500
Different parts of the healthcare organization may seek to use RFID technologies without even
recognizing it as RFID. For example, non-contact access control cards and smart cards are a type
of RFID tag. Vendors may supply general-purpose items and medical equipment in cardboard boxes
affixed with or embedded with RFID tags for their own inventory control purposes. Equipment manufacturers may have embedded RFID tags in their products. In sum, the majority of healthcare facilities
are likely already using some RFID devices, thereby making it very difficult to say that we dont
(or wont) use RFID tracking in our organization. The facility must discover and review all uses for
RFID in the organization and coordinate a policy for the use (or restriction of) RFID technology.
Because of the potential liability associated with using RFID in the organization, issues ranging
from privacy to diversion or counterfeiting and infant abduction, legal counsel may be in the best position to act as a central clearinghouse for RFID policy. The first step in creating such an RFID policy is
to determine what departments, if any, are using RFID technologies currently. The potential areas in
which RFID could be used should be assessed. Any links that exist between the different departments
RFID infrastructure, including shared IT systems, contractors, or supply-chain should be noted, along
with vulnerabilities (legal and technical) that these links create.
Each type of RFID in use may expose the organization to different risks. Anticipating these risks,
with a particular focus on the links between systems and departments is important in developing an
appropriate RFID deployment policy. The risks of not deploying RFID, or of using alternative technologies such as barcoding or manual entry, should be explored. Important steps in developing a RFID
policy include:
Ensuring that organizational leadership gives legal counsel (or another appropriate department) the authority to create and enforce a unified RFID policy.
Why is RFID the appropriate solution? RFID can save money and time and reduce errors,
prevent diversion, counterfeiting, and provide a means for tracking people and objects to
improve efficiency and accountability. However, the organization should consider conduct-
501
Clear lines of responsibility are established for all uses of RFID technology, including
tag selection, data access, contracting of vendors, tag destruction or deactivation, and any
construction or introduction of equipment that could affect (or be affected by) the RFID
deployment.
Workforce, medical staff and if appropriate, business associates, are made aware of the
policy.
RFID usage at the facility is regularly audited for compliance with the policy.
29.19
502
Is RFID the right solution? RFID may serve as a useful tool in one area of a healthcare
organization and be problematic in another area. Implementation plans, assessment of the
organizations business processes, environmental planning and current risk opportunities all
must be considered. Is RFID the right solution, or does another technology or increased staffing/training offer a more effective solution?
RF Interference and Changes in Environment: RFID can be both susceptible to, and the cause
of, interference with other devices. This risk can be controlled if outside contractors and
others changing the electromagnetic environment are made aware of the potential for problems and an effective recognition and reporting mechanism is established when problems
do occur. Selection of reader frequency and tag type, RFID exclusion areas, and power settings can all be adjusted based upon such incident reports and ambient environmental noise
(AEN) measurements taken as part of full Faraday cycle testing. Testing of the RFID devices
around newly-acquired medical equipment, or previously untested devices, should be carried
out in the healthcare environment prior to deployment of RFID technologies or susceptible
equipment into a critical care situation. Do not simply rely on regulatory approvals to ensure
electromagnetic compatibility. Contracts with RFID vendors should focus on preventive testing and the need to minimize interference.
Vendor selection and chains of responsibility: In selecting a vendor, the need for backup
systems, non-proprietary or open standards, secondary sourcing for parts, technical support
24/7/365 and rapid maintenance service should all be emphasized. The vendor may also be
able to assist with developing employee-training programs. Inside the organization, development of the operational policy and maintenance of the system needs to be centralized,
with clear chains of authority over the system. The information technology department may
be an appropriate hub for technical issues, with the legal counsel working to develop an
organization-wide policy. Executive leadership needs to support policy developments and the
establishment of clear chains of command for responsibility for the RFID system.
Perception challenges, privacy, and security concerns: Many of the security and privacy
concerns regarding RFID exist because people assume RFID systems have nearly omniscient
powers to track and record information, when in fact most applications have very short range
and do not store anything beyond an EPC code or other serial number. Legal counsel needs
to know what aspects of RFID technology are being used, how, and what new features are
proposed by the facility he or she represents. Internal and external public relations needs
to clearly explain the technical limitations of the RFID systems employed and the protections that have been established to protect the security and privacy of staff, patients and the
public.
29.20
Conclusion
RFID technology allows the improvement of processes and quality in a wide variety of healthcare organization departments. Wireless tags can be easier and faster to use than barcoding, can scan
multiple tags, collectively and work over a longer distance. Used in medication readers or carried with
patients as a key to (or in the future, a form of) personal health record, or implanted to allow patient
and/or procedure identification, RFID technology can also be used to prevent fraud, diversion or the
administration of expired or damaged equipment or drugs.
However, multiple competing standards, multiple frequency ranges, very different RFID capabilities offered by vendors, and confusion over what data is contained or exposed by RFID system poses
significant risk management issues. Legal counsel must take a leadership role in establishing a unified
RFID policy for the organization. Counsel must work with vendors, leadership, employees, medical
staff, IT, and patients to maximize the RFID system availability with minimal interference issues to
ensure patient safety while increasing the efficiencies of the facility through effective RFID use.
503
504
30
E-Discovery and Enterprise Risk Management
Steven M. Puiszis, Esq.1
Hinshaw & Culbertson, LLP
30.1
Introduction
For years, healthcare risk management programs focused on clinical practice and related risks.
However, the implementation of electronic health record (EHR) systems, coupled with the advent of
e-discovery rules have introduced new concerns that spread far beyond the documentation issues
that historically occupied risk managers.
The federal e-discovery rules recognize that the discovery of electronically stored information
(ESI) presents a number of unique issues that do not exist with paper documents.2 The rules target five
specific areas:
505
of the
506
507
30.2.1
To grasp the risk management issues that EHR systems can trigger, counsel must first understand
the basic technological features of these systems. Many of todays EHR systems are relational databases containing thousands of files and fields of information that are connected by a series of pointers.
Each patient is assigned a specific identifier in a master-patient index. When someone accesses the
patients information, the system pulls the relevant data from its various files and fields, displaying
them on a computer screen.
EHR systems link the master-patient index directly to a hospitals billing and financial system. An
electronic interface between that master-patient index and various other modules ties in components
such as the laboratory system, the pharmacy system, the radiology system, the emergency department
system, etc.
Fed. R. Civ. P. 34(a) 2006 Amendment Advisory Committees Notes.
Fed. R. Civ. P. 26(b)(2)(B).
22
Id. (On a motion to compel discovery or for a protective order, the party from whom discovery is sought must show
that the information is not reasonably accessible because of undue burden or cost). See also Auto Club Family Ins. Co. v.
Ahner, 2007 WL 2480322 at *1 (E.D.La. Aug. 29, 2007) (denying motion to quash production because there was no showing made to support the argument that production would be unduly burdensome or costly).
20
21
508
EHR systems can be comprised of different modules or separate databases developed by different
vendors. Different EHR modules, databases and/or systems can have different features, applications
and levels of functionality that may influence their compatibility and interoperability. Depending upon
the system architecture, these modules or databases may be fully integrated into the overall EHR
system and be capable of sharing information with other modules of the system. However, that is not
always the case. The electronic data generated by a non-integrated module may not be transmitted to
or shared with other EHR modules in the system. These non-integrated modules or silos of information require a clinical user to open a series of applications, log in and then find the patient record
within each application before seeing the patients complete record.23 These silos of data may also
have to be separately preserved and searched for relevant ESI.
Vendors can customize their systems to meet a hospital, department, or services particular needs.
This can result in subtle yet significant differences between the same vendors EHR system at two
different hospitals or within different modules of a vendors system at the same hospital. As a result,
various modules or systems can produce printed records that appear different. The display of information on a computer screen may also differ in various departments depending upon how a particular
vendor customized that user or departments application display.24 Do not assume that all clinicians
using an EHR system have access to or know the complete patient record. 25
Different versions of a patients electronic records (or any ESI), some partial or outdated, and
some duplicates, can appear in different ancillary databases in the system. Questions about the integ National Institutes of Health, National Center for Research Resources, Electronic Health Records Overview, (April
2006) at p. 4.
24
Id. at p. 3 (EHRs are used in complex clinical environments. Features and interfaces that are very appropriate for one
medical specialty, such as pediatrics, may be frustratingly unusable in another (such as intensive care). The data presented,
the format, the level of detail, and the order of presentation may be remarkably different, depending on the service venue
and the role of the user).
25
E. Campbell et al., Types of Unintended Consequences Related to Computerized Provider Order Entry. Journal of the
American Medical Informatics Association, Vol. 13, No. 5 (2006): 54756.
23
509
Part of the complexity of EHR systems arises from their free-flowing nature. The ESI will grow
and evolve as new information about the patient is generated. While historical clinical data will not
change, some of the demographic data such as the patients age, address, and marital status may automatically be updated by the system as that information changes over time. This factor coupled with
the addition of new treatment information and records can make it difficult to pinpoint exactly how a
patients record looked at a specific point in the past.
System upgrades or the addition of new data fields can also affect the appearance of older data.
For example, when information concerning a prior hospitalization or visit is printed out after a system
upgrade, the newly added fields may appear as blanks because those fields did not exist when the
information was originally created. These types of system nuances should be identified and explained
to outside counsel, who can explain them to opposing counsel or the court before they become a
problem.
30.2.4
EHR systems typically incorporate various types of alerts, pop-ups, and clinical support features
intended to serve as aides in clinical decision-making. The failure to take action or the override of
an alert may become a key fact in litigation or a quality survey.27 Opposing parties may request the
alert or clinical support features of an EHR system. Unless periodically updated, those features could
potentially incorporate outdated or incorrect clinical standards.
Plaintiffs (and potentially regulators) will seek to discover practice patterns related to overrides, generally, or in specific cases. Organizations must monitor those patterns (see discussion in Chapter 28), and
also understand what potentially discoverable data about those patterns remains stored on the system.
30.2.5
The audit trail feature of an EHR system will disclose who accessed a patients electronic record,
how long they viewed it, what screen or page they viewed, whether any part of the record was printed
or altered and, if altered, what aspect of the record was changed. For many types of EHR systems,
Fed. R. Civ. P 34(b) 2006 Amendment advisory committee notes.
A recent review of the literature on drug safety alerts found that alerts were overridden in 49% to 96% of the cases
studied. See H. van der Sijs et al., Overriding of Drug Safety Alerts in Computerized Physician Order Entry, Journal of
the American Medical Information Association Vol. 13, No. 2 (2006): 138147.
26
27
510
The retention of ESI in multiple formats raises several thorny issues that the federal e-discovery
rules attempt to address. Various types of patient information are stored in different formats in EHR
systems, including image, sound and video formats. Some formats may be proprietary, belonging to
the vendor of the system.
If electronic data is produced in its native state, recipients of any data that is created or stored
in a unique or proprietary format may be unable to view it without the underlying software. It may
require translation into a different format, or the requesting party may seek direct access to a hospitals
EHR system.28
30.2.7
EHR systems typically time-stamp entries. If caregivers make untimely entries, the system will
clearly show that, which can raise a red flag in medical professional liability litigation, billing audits, or in
fraud and abuse investigations. The impact of time stamps on entry timing is [o]ne of the unanticipated
consequences of transitioning from paper to EHRs [and] the effect on documentation practices.29
The Advisory Committee Notes to Rule 34(b)(2) explain: Under some circumstances, the responding party may
need to provide some reasonable amount of technical support, information in application software, or other reasonable
assistance to enable the requesting party to use the information. Because proprietary licensing restrictions may limit the
type of information or assistance a hospital can provide the requesting party about the format used to create or store certain aspects of its ESI, translation of that data into another reasonably useable format may preclude direct access to the
organizations system. However, see Opperman v. Allstate New Jersey Ins. Co., 2008 WL 5071044 (D.N.J. Nov. 14, 2008)
(ordering production of a proprietary software owned by a third party and rejecting defendants trade secret and licensing
restriction arguments against its production).
29
M. Vigoda et al., The Medicolegal Importance of Enhancing Timeliness of Documentation When Using Anesthesia
Information System and the Response to Automated Feedback in an Academic Practice, Anesthesia & Analgesia 2006,
103:131136. In this article the authors note that some physicians may complete all documentation needed for billing
purposes at one time and warn: Some may consider that such documentation, if done prospectively, lends itself to fraud.
Id. at 131. Later the authors acknowledge that concerns over entry timing did not arise when their practice converted to
an electronic record-keeping system and this was an unrecognized pitfall in transitioning from paper-based records to an
EHR. Id. at 132.
28
511
Versioning is an e-discovery issue that should be addressed because prior versions of reports are
now stored in electronic systems and discoverable. This problem arises in several scenarios. It can
happen when authors correct early versions of reports, leading to the existence of several versions on
the system. It can also occur when staff files information in the wrong place, for example attaching a
report to the wrong patient. With paper record-keeping systems, this was not an issue. Only the final
version of a report signed by a clinician was included in the patients chart. Prior drafts or versions
were simply discarded. However, EHR systems retain prior drafts and document the changes.
30.3
Several concrete steps will move an organization into a robust e-discovery risk management program. Listed here, they are described in more detail below.
30.3.1
Healthcare organizations should develop a data or content map of their systems. This process
requires a multi-disciplinary team approach that should include members from the IT, HIM, risk
management, and legal departments. The organization should identify and document the following
components of its systems:
every piece of hardware and software involved in the creation, transmission, and storage of
ESI should be verified;
the flow of electronic information to and from those sources should be mapped; and
all locations where ESI resides within the system, even temporarily30 should be noted.
Staff should repeat that task for each application of the EHR system, resulting in a matrix of all ESI
repositories.
The mapping process is more involved than merely taking an inventory and creating a flow chart,
it should also note information about data types, volume, retention periods, and difficulties that may be
encountered in accessing ESI from any of its potential repositories. Data created and stored in unique
One hospital identified 300 data islands where clinical information was stored after auditing its clinical systems. See
National Institutes of Health, National Center for Research Resources, Electronic Health Records Overview, (April 2006)
at p. 2, citing Electronic Medical Records Help Physicians and Boost Revenues While Saving Millions, Microsoft Health
Care Industry Case Study, (November 2004).
30
512
Currently, most healthcare organizations have a hybrid record-keeping system, with some aspects
of their records in a paper format and others in one or more electronic formats. The organization
should identify all information generated and/or stored in an electronic format and those records that
are created and/or preserved on paper. The organization should clarify its philosophy and approach to
the retention of its paper and electronic records.
Rule 34 specifies that information should normally be produced in the form in which it is ordinarily maintained or in a reasonably useable form.32 Thus, questions during this process should focus on
how those records are ordinarily maintained. Are paper records scanned and made a part of the EHR
system? Are those parts of the ESI that the organization has designated as the patients legal health
record printed out and made a part of the patients chart? Or are the paper and electronic records
separately maintained?
The organization should further answer a series of questions relevant to the litigation hold process
which are addressed in more detail below.
30.3.3
The transition to electronic record keeping systems has increased the focus on information and
record management. Organizations must implement33 and consistently enforce34 document retention
policies. Courts have recognized that organizations are not obligated to retain all paper and electronic
See, e.g., Healthcare Advocates, Inc. v. Harding, Earley, Follmer & Frailey, 497 F.Supp.2d 627, 63940 (E.D. Pa.
2007) (explaining how a computers cache file temporarily stores web pages and information accessed by the computer).
32
Fed. R. Civ. P. 34(b)(2)(E)(ii).
33
See Doe v. Norwalk Community College, 248 F.R.D. 372, 378 (D.Conn. 2007) (refusing to extend Rule 37(f)s safe
harbor provision because the defendant did not have one consistently applied, routine document retention policy or system
in place).
34
See Arthur Andersen LLP v. U.S., 544 U.S. 696, 704 (2005) (explaining document retention policies, which are created in part to keep certain information from getting into the hands of others, including the Government, are common in
business and that generally, it is not wrongful for a manager to instruct his employees to comply with a valid document
retention policy under normal circumstances); Willard v. Caterpillar, Inc., 40 Cal.App.4th 892, 921 (Cal. 1995) (explaining the good faith disposal pursuant to a bona fide, consistent and reasonable document retention policy could justify a
failure to produce documents in discovery).
31
513
A process for implementing a litigation hold and preserving relevant ESI and paper records should
be established to limit the risk of sanctions being imposed for the spoliation of evidence. A litigation
hold should be implemented whenever litigation is reasonably anticipated,37 and it should be applied
to information the destruction of which would prejudice the other party to that litigation.38 The failure to implement a litigation hold will preclude a party from invoking Rule 37s safe harbor against
the imposition of sanctions.39
The following questions should be addressed in a risk management assessment of systems when
designing a litigation-hold process:
Is ESI that is generated and temporarily stored by hospital equipment routed to the EHR
system or will it be lost forever if it is not promptly preserved?
How long is any ESI not included in the patients legal health record stored by each data
repository?
Does any application of the EHR or e-mail system have an automated delete feature that
should be overridden in the event a litigation hold is put into place?
See, e.g., Wiginton v. Ellis, 2003 WL 22439865 at *4 (N.D. Ill., Oct. 27, 2003) (an organization does not have to
preserve every single scrap of paper in its business); Concord Boat Corp. v. Brunswick Corp., 1997 WL 33352759 at *4
(E.D. Ark., Aug. 29, 1997) (same regarding e-mail); Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 217 (S.D.N.Y. 2003)
(Zubulake IV) (explaining a corporation is under no obligation to preserve every e-mail, electronic document, or backup
tape even upon recognizing the threat of litigation).
36
In re Prudential Ins. Co. of Am. Sales Practices Litig., 169 F.R.D. 598, 615 (D.N.J. 1997) (holding a haphazard approach
to document retention warranted an adverse inference instruction and a million dollar sanction); Finley v. Hartford Life
and Accident Ins. Co., 2008 WL 509084 (N.D. Cal. Feb. 22, 2008) (imposing sanctions for not timely producing the full
version of a video surveillance tape as part of its Rule 26(a) disclosures). In Finley, the court found it was unreasonable for
Hartford to rely on a system which contains so few checks and balances that the mere fact that an administrative assistant
did not look for a file could undermine Hartfords entire initial disclosure apparatus. Id. at *2.
37
Zubulake IV, 220 F.R.D. at 217. See also Silvestri v. General Motors, 271 F.3d 583, 591 (4th Cir. 2001) (The duty
to preserve material evidence arises not only during litigation, but also extends to that period before the litigation when a
party should reasonably know that the evidence may be relevant to anticipated litigation); Kronisch v. U.S., 150 F.3d 112,
126 (2d Cir. 1998) (same).
38
Miller v. Holzmann, 2007 WL 172327 at *3 (D.D.C. Jan. 17, 2007).
39
See Fed. R. Civ. P. 37(f) advisory committee note (The good faith requirement of Rule 37(f) means that a party is
not permitted to exploit the routine operation of an information system to thwart discovery obligations by allowing that
operation to continue in order to destroy specific stored information that it is required to preserve). Under the 2007 style
amendments to the federal rules, Rule 37(f) was renumbered and is now Rule 37(e).
35
514
Is the organizations philosophy and approach to its ESI and paper records clearly spelled out
in its document retention policies, and more importantly, have the organizations practices
been audited and are they consistent with those policies?
A duty to preserve is not triggered when there is merely a potential for litigation.40 Obviously,
the occurrence of a sentinel41 or never event42 should immediately trigger a duty to preserve potentially relevant information. However, otherwise attempting to determine when the threat of litigation
crosses the threshold from mere potential to reasonably anticipated, can be elusive. The Sedona
Conferences Commentary on litigation holds explains that making the determination requires consideration of various factors:
Counsel should carefully address the need to preserve ESI. Written litigation hold notices should
be sent to IT and HIM staffs as well as to any hospital employees who were directly involved in the
events leading up to the claim or who may have relevant knowledge.44 The notices should explain the
issues and defenses potentially involved in the litigation and broadly describe the types, categories, or
Lekkas v. Mitsubishi Motors Corp., 2002 WL 31163722 at *2 (N.D. Ill. Sept. 26, 2002).
A sentinel event is an unexpected occurrence involving death of serious physical or psychological injury or the
risk thereof. Serious injury includes loss of limb or function. The phrase or risk thereof includes any process variance
for which a reoccurrence would carry a significant chance of a serious adverse outcome. www.jointcommission.org/
sentinelevents/.
42
Never events are hospital-acquired conditions, for which CMS will not reimburse the cost of treatment. CMS list
of never events include: catheter-associated urinary track infections; air embolism; blood incompatibility; objects left in
the body following surgery; pressure ulcers; catheter-associated vascular infections; surgical site infections after coronary
artery bypass graft surgery hospital injuries such as fractures, dislocations, intracranial injury, burns and other unspecified
affects of external causes. See Fed. Register Vol. 73, No. 84 at 2354723552.
43
The Sedona Conference, Commentary on Legal Holds The Trigger & the Process (August 2007, Public Comment
Version) at p. 9.
44
While hold notices should be broadly disseminated,[t]he notice does not need to reach all employees, only those
reasonably likely to maintain documents relevant to the litigation or investigation. Miller, 2007 WL 172327 at *6, quoting
The Sedona Conference, Best Practices Recommendations & Principles for Addressing Electronic Document Production,
(2004 Annotated Version Comment 5.d) at p. 54.
40
41
515
E-mail and instant messages (IM) can present special concerns in regulatory or litigation matters. Does the organizations system have the capability of logging or capturing instant messages?47
If so, has that feature been activated?48 Does the organization have a process to incorporate electronic
communication with patients in their charts? Are the messages archived, or just kept on backup tapes?
What steps are required to retrieve them?
If an organizations policy provides that employees have no personal right of privacy in any material communicated or stored on its computer or e-mail systems, that policy may destroy a claim of
attorneyclient privilege as to any communications over the e-mail system. If so, have physicians and
staff been advised that the attorney-client privilege may not apply to e-mails sent or received via the
organizations system?49
Zubulake V, 229 F.R.D. at 432 (it is not sufficient to notify all employees of a litigation hold and expect that the party
will then retain and produce all relevant information. Counsel must take affirmative steps to monitor compliance so that all
sources of discoverable information are identified and searched).
46
Id. at 433 (The litigation hold should be periodically re-issued so that new employees are aware of it, and so that it is
fresh in the minds of all employees).
47
See Malletier v. Dooney & Bourke, Inc., 2006 WL 3851151 at *2 (S.D.N.Y. Dec. 22, 2006) (rejecting a spoliation claim
involving the failure to preserve colloquies from a customer relations chat room because the defendants technology did
not provide a ready means for retaining such communications). The court further noted that by the time the defendant
installed software that was capable of saving these communications, it was unlikely that any chat room comments would
have been pertinent to the lawsuit.
48
Convolve, Inc. v. Compaq Computer Corp., 223 F.R.D. 162, 177 (S.D.N.Y. 2004) (holding there was no duty to preserve
wave forms on an oscilloscope by printing the screen each time a wave form was altered because the data was ephemeral
in nature and it would have required heroic efforts far beyond those consistent with [the defendants] regular course of
business). The court observed a somewhat analogous situation arises with the use of Instant Messenger functions. 223
F.R.D. at 177 n.4. However, the court noted the question with IM was a close one because some IM programs have the
capability like e-mail of storing messages and because such information is intended to be transmitted to others. Id.
49
Scott v. Beth Israel Medical Center, Inc., 847 N.Y.S.2d 436, 43944 (N.Y. Supp. 2007) (holding no privilege attached
to a physicians e-mails to his attorney in view of the hospitals e-mail policy). However, in Quon v. Arch Wireless Operating Co., Inc., 529 F3d. 892 (9th Cir. 2008), an employers informal practice of not reviewing employees text messages
when the employees paid any monthly overage charge was sufficient to create a reasonable expectation of privacy in those
messages notwithstanding a written policy to the contrary.
45
516
30.3.6
Organizations should also determine what additional electronic information their system embeds
into its ESI. This is the phenomena of metadatadefined as data about data. Metadata is information
generated by computer systems that cannot be seen when a document is displayed on a computer
screen or when it is printed on paper.50 However, metadata is generated for every piece of data, document, or e-mail stored on or generated by a computer. Metadata may be discoverable if it is relevant to
the claim or defense of one of the parties,51 and is subject to litigation hold requirements.52
Some forms of metadata may provide relevant information in litigation, such as when the authenticity of a document is questioned or if establishing who received what information and when is
important to the claims or defenses of a party.53 There are different types of metadata which vary in
their potential importance to litigation and thus, their discoverability.
System metadata identifies the author of a document, the date it was created or modified, its
title, subject and size, the names of the person who revised and/or who last accessed the document.
Application metadata, reflects modifications to a document such as prior edits or editorial comments,
and includes data that instructs a computer how to display a document. Embedded metadata include
spreadsheet formulas, hidden columns, externally or internally linked files (such as sound files), hyperlinks references and fields, and database information.54 Similar metadata fields exist for e-mails.
While the metadata for standard documents or e-mails is readily available, with EHR systems,
the metadata for various data elements is not easily determined. Even some IT and HIM professionals
have difficulty accurately pinpointing the metadata associated with various data types generated by
EHR modules. There is no properties button for EHR systems that will reveal the metadata generated by the system or one of its applications. Where necessary, an organization should contact its
system vendor(s) to identify types of metadata created for different data types by various applications
of the system. This is important because the production of ESI in its native state, normally includes
any metadata associated with the ESI.
The Sedona Conference Glossary for E-Discovery and Digital Information Management Conference defines metadata
as information about a particular data set or document which describes how, when and by whom it was collected, created,
accessed, modified and how it is formatted. Can be altered intentionally or inadvertently. Can be extracted when native files
are converted to image. Some metadata, such as file dates and sizes, can easily be seen by users; other metadata can be hidden or embedded and unavailable to computer users who are not technically adept. Metadata is generally not reproduced
in full form when a document is printed.
51
Aguilar v. Immigration and Customs Enforcement Div., 2008 WL 6062700, *4 (S.D.N.Y. Nov. 21, 2008).
52
See, e.g., Williams v. Sprint/United Mgmt. Co., 230 F.R.D. 640 (D. Kan. 2005). However, several district courts have
taken a more narrow approach to the discovery of metadata. In Wyeth v. Impax Laboratories, Inc., 248 F.R.D. 169 (D. Del.
2006), the court observed Emerging standards of electronic discovery appear to articulate a general presumption against
the production of metadata. Another district court observed [i]n most cases and for most documents, metadata does not
provide relevant information. Kentucky Speedway, LLC v. NASCAR, 2006 U.S. Dist. LEXIS 92028 at *24 (E.D. Ky. Dec.
28, 2006). See also Michigan First Credit Union v. Cumis Ins. Society, Inc., 2007 WL 4098213 at*3 (E.D. Mich. Nov. 16,
2007) (refusing to order production of metadata because it would be overly burdensome with no corresponding evidentiary
value). Wyeth and Kentucky Speedway require a showing of a particularized need for metadata before it should be produced. Thus, hospitals should make every effort to preserve their metadata while resisting its production. Information as to
how costly and burdensome to produce the requested metadata should be presented to opposing counsel and the court.
53
Aguilar, 2008 WL 5062700 at *4 .
54
Id. at *34 (discussing when and under what circumstances, application metadata, system metadata, and embedded
metadata may be discoverable). They are not treated the same by courts. [T]he more interactive the application, the more
important the metadata is to understanding the applications output. Williams, 230 F.R.D. at 647.
50
517
The federal e-discovery rules recognize that the production of ESI from certain sources can be
extremely costly and that the time and effort required to produce it may outweigh the marginal benefit
gained by its production.55 The rules set up a two-tiered approach to the discovery of ESI. Rule 26
provides that parties should produce relevant, nonprivileged and readily accessible ESI. However, if
a party can demonstrate producing ESI from other sources would be too burdensome, then it need not
produce that ESI unless the requesting party can demonstrate good cause for its production.56
Neither the rules nor their accompanying notes explain what sources of ESI may be inaccessible
under Rule 26. The note to Rule 26(b)(2) explains, it is not possible to define in a rule the different
types of technological features that may affect the burden and costs of accessing [ESI].57 However,
the Standing Committee Report58 issued prior to the passage of the federal e-discovery rules provides
some guidance. The report identifies three sources of ESI that may be inaccessibleexamples under
current technology include deleted information, information kept on some backup-tape systems for
disaster recovery purposes59 and legacy data60 remaining from systems no longer in use.
Accordingly, organizations should proactively review all aspects of an EHR system to determine
if any sources of ESI would qualify as inaccessible, outlining the steps required to restore, process,
and produce ESI from those sources, including the hours and costs involved. That information can
support an argument that it would be unduly burdensome and/or costly to produce ESI from those
sources.
See, e.g., Petcou v. C.H. Robinson Worldwide, Inc., 2008 WL 54284 *2 (N.D.Ga. Feb. 25, 2008) (holding the burden
and expense of the proposed discovery outweighed its likely benefit where the discovery requests were overbroad and it
would cost hundreds of thousands of dollars to respond).
56
Fed. R. Civ. P. 26(b)(2)(B).
57
Fed. R. Civ. P. 26(b)(2) advisory committees note.
58
Report of the Judicial Conference Committee on Rules of Practice and Procedure to the Chief Justice of the United
States and Members of the Judicial Conference of the United States, reprinted in The New E-Discovery Rules, Dahlstrom
Legal Publishing (2007) at p. 15.
59
The data on backup tapes is typically compressed. Compression permits more data to be stored on tape but also makes
restoration of the tape time-consuming. In addition, data on backup tapes is typically recorded and stored sequentially and
is not electronically searchable. This means that to locate a particular file or an e-mail on a backup tape, all of the preceding information on the tape must be reviewed. These features make finding specific data or information on backup tapes
extremely costly and explain why backup tapes may be an inaccessible source of ESI. Zubulake I, 217 F.R.D. at 314; see
also Zubulake IV, 220 F.R.D. at 218 (As a general rule, the litigation hold does not apply to inaccessible backup tapes,
e.g., those typically maintained solely for the purpose of disaster recovery which may continue to be recycled on the same
schedule set forth in the companys policy).
60
Determine if backup tapes are used for anything other than disaster recovery. If information is periodically pulled
from backup tapes for routine business purposes, it is unlikely a court would view those tapes as inaccessible under
Rule26(b)(2)(B).
55
518
30.4
The federal e-discovery rules do not change the basic parameters of discoverability. Rather, they
target the unique nature of ESI. This section addresses the rules relating to ESI.
30.4.1
Rule 16(b)(2) requires that a district court issue a scheduling order no later than 120 days after
a defendant has been served or 90 days after any defendant has appeared.61 Rule 26(f)(1) requires
that the parties confer no later than 21 days before that scheduling order is due.62 At that conference,
Rule26(f)(3) mandates that the parties specifically address issues involving the presentation and discovery of ESI, including the forms in which it will be produced. The parties are also required to
discuss issues involving claims of privilege or work product. If they can agree on a procedure to assert
privilege or work product after the inadvertent production of confidential information, the must ask the
court to include their agreement in an order.63
This means outside counsel must be prepared to discuss e-discovery issues within 99 days of service on the client to meet the rules deadlines. Counsel will need to meet with a hospitals IT or HIM
staff early on to learn the nuances of its EHR and e-mail systems. Developing a data map before litigation occurs will decrease the amount of time IT or HIM staff will need to spend studying the system
and familiarizing their counsel with its intricacies.
30.4.1.1
The specific topics addressed at an initial Rule 26(f) conference may vary depending on the nature
of the claim asserted, the clients information and e-mail systems, the approach taken by opposing counsel on e-discovery and the district courts local rules.64 The Advisory Committee Notes to Rule26(f)
explain that the issues addressed at the initial scheduling conference may depend upon the nature of the
parties information systems, also emphasizing that it is important for counsel to become familiar with
those systems before the conference.65 Counsel should be prepared to address the following topics:
the scope of any ESI request including the types of data, subject matters, custodians, time
frames, electronic search capability, and metadata;
ESI production format(s); the pros and cons of producing ESI in those forms; whether ESI
will be produced natively or in another form; if in an imaged format any specific metadata
fields to be loaded in the image if metadata is requested;
519
the costs and burdens of producing ESI from the various sources; whether any sources are
inaccessible and whether the requesting party is willing to pay any portion of the costs of
producing ESI from those sources;
strategies for limiting duplicative and irrelevant data or e-mails such as de-duplication, keyword searches, filtering by file type, custodians, or date ranges;
exception reports; the review, processing, and production of password protected, encrypted,
or corrupted data and data with unrecognizable file extensions;
whether there is any need to preserve backup tapes or legacy data; and
anticipated problems producing any sources of ESI and any unique features of the clients
information systems.
Rule 26(b)(1) permits discovery regarding any non-privileged matter that is relevant to any partys claim or defense.69 It defines the concept of relevancy for discovery purposes broadly: Relevant
information need not be admissible at trial if the discovery appears reasonably calculated to lead to the
discovery of admissible evidence.70 Rule 26, however, attempts to limit the scope of e-discovery by
setting up a two-tier system for ESI.
68
69
70
66
67
520
The note to Rule 26(b)(2) explains that in addition to Rule 26s proportionality principles, additional factors should be considered in determining whether to allow discovery from an inaccessible
source:
521
Rule 34 permits a party requesting the production of ESI to specify the form in which ESI will be
produced.79 One of the ways e-discovery can be produced is in its native application or native state.
The term native, when used in an e-discovery context, simply refers to the program or file format
in which the ESI was created. In other words, producing a WordPerfect document in its native state
would require production in a WordPerfect format.
30.4.3
The two primary options for producing information electronically are natively or in an imaged
format. An organization should be aware of the advantages and risks of each form and should decide
on its preferred format before the initial Rule 26(f) scheduling conference.
30.4.4
Native State
The pros and cons of producing ESI in its native state include:
native files contain metadata and can include embedded comments, tracked changes, and
formulas used to create spreadsheets;
viewing a document produced natively requires the same software used to create it or a specialized software such as Quick View Plus;
it can be difficult to electronically search a large volume of documents in their native state
unless database software is used with optical character recognition (OCR) or extracted text.
30.4.5
Imaged Format
The most common imaged formats used in the production of ESI are the portable document
format (PDF) and tagged image file format (TIFF). The pros and cons of producing ESI in an imaged
format include:
imaged documents can be redacted and Bates stamped and cannot be altered;
metadata, embedded data, and tracked changes do not accompany the documentunless a
load file with specific metadata fields is added to the image;
78
79
522
imaged documents can be electronically searched if extracted text or OCR is added to the image;
When redacting an imaged document, remember that it has several layers. Beneath the imaged
layer is a text file. If only the imaged layer is redacted and the underlying text file is not, the confidential information can still be readily obtained.
30.4.6
Rule 34 specifies that where an objection is made to the requested production format or where no
form is specified in a discovery request, the responding party must specify the format it intends to use
when producing ESI.80 This provision is intended to encourage the resolution of production disputes
before the production of any ESI occurs. The note to Rule 34 explains that a party producing ESI in
a form of its choice, without identifying that form in advance of the production runs a risk that the
requesting party can show that the produced form is not reasonably useable and that it is entitled to
production of some or all of the information in an additional form.81
Additionally, if the responding party ordinarily stores ESI in a way that makes it searchable
by electronic means, the information should not be produced in a form that removes or significantly
degrades this feature.82 This however, presupposes that a dispute has triggered the duty to preserve
ESI. In the absence of a litigation hold and/or no duty to preserve information, an organization can
handle ESI in accordance with its established and routine document practices.83
Rule 34 recognizes that parties frequently store different types of ESI in different formats and
acknowledges that it may be unduly burdensome to require a responding party to produce all ESI in
the same format. Therefore, the rule permits the production of different data types in different formats,
but only requires the production of the same ESI in one format.84 In other words, a party does not need
to print out a report on paper and then produce it as a TIFF image.
30.4.7
The federal e-discovery rules contain a provision, Rule 37(e), that some have described as a safe harbor against discovery sanctions.85 However, the rule is more like a wading pool than a safe harbor.86 While
at first blush Rule 37(e) may sound impressive, there are at least four exceptions built into the rule.
Fed. R. Civ. P. 34(b)(2)(D) (formerly Fed. R. Civ. P. 34(b)).
Fed. R. Civ. P. 34(b) Advisory Committee Note.
82
Aguilar, 2008 WL 5062700 at *5, quoting Fed. R. Civ. P. 34 (b)s Advisory Committee Note.
83
See, e.g., Oxford House, Inc. v. City of Topeka, 2007 WL 1246200 at *34 (D. Kan. Apr.27, 2007).
84
Fed. R. Civ. P. 34(b)(2)(E)(iii) (formerly Fed. R. Civ. P. 34(b)(iii)).
85
Rule 37(e) provides, Absent exceptional circumstances a court may not impose sanctions under these rules on a party
for failing to provide electronically stored information lost as a result of the routine, good faith operation of an electronic
information system. Fed. R. Civ. P. 37(e) (formerly Fed. R. Civ. P. 37(f)).
86
Oklahoma ex rel. Edmonson v. Tyson Foods, Inc., 2007 WL 1498973 at *6 (N.D.Okla. May 17, 2007) (The Court
further advises the parties that they should be very cautious in relying upon any safe harbor doctrine as described in new
Rule 37(f)).
80
81
523
One of the remaining conundrums under the federal e-discovery rules is whether a party has a
duty to preserve ESI from sources that it has designated as inaccessible. The note for Rule 26(b)(2)
crystallizes the issue:
A partys identification of sources of electronically stored information as not reasonably
accessible does not relieve the party of its common-law or statutory duties to preserve evidence.
Whether, a responding party is required to preserve and search sources of potentially responsive
information that it believes are not reasonably accessible depends on the circumstances of
each case. It is often useful for the parties to discuss this issue early in discovery.90
The note sends a clear signal that parties should attempt to reach an accommodation on this issue
whenever possible. Where an agreement with counsel cannot be reached addressing preservation of
inaccessible sources of ESI, the safest course is to bring a motion for a protective order spelling out
why it would be unduly burdensome to preserve ESI from those sources.
30.4.9
The inadvertent production of a privileged document is a specter that haunts every document
intensive case.91 E-discovery accentuates the problem because few organizations have the foresight
to segregate confidential ESI immediately into a privilege folder. The volume of ESI that needs to be
reviewed increases the risk that privileged information could be inadvertently produced. The federal
87
Id., Chambers v. NASCO, Inc., 501 U.S. 32, 46 (1991); (addressing a courts inherent authority to award sanctions);
Fed. R. Civ. P. 37 Advisory Committees notes for the 2006 Amendment: The protection provided by Rule 37(f) applies
only to sanctions under these rules. It does not affect other sources of authority to impose sanctions or rules of professional responsibility. See also Phoenix Four, Inc. v. Strategic Resources Corp., 2006 WL 1409413 at *7 (S.D.N.Y. May
23, 2006) (entering monetary sanctions under the courts inherent authority for the untimely production of electronic
documents).
88
See, e.g., Healthcare Advocates, Inc. v. Harding, Earley, Follmer & Frailey, 497 F.Supp.2d 627, 641 (E.D.Pa., 2007)
(addressing the automatic deletion of temporary cache files by a computer and a refusal to impose sanctions because the
temporary files were automatically deleted by the computer system before the defendants had any reason to believe that
litigation was likely to occur).
89
Fed. R. Civ. P. 37 Advisory Committee Notes.
90
Fed. R. Civ. P. 26(b)(2) 2006 Amendment Advisory Committee Notes.
91
Federal Deposit Ins. Co. v. Marine Midland Realty Credit Corp., 138 F.R.D. 479, 479-80 (D.C. Va. 1991).
524
The rule provides that if information produced in discovery is subject to a claim of privilege or work product, the party
claiming the privilege must notify the party receiving the information of the basis for its privilege assertion. After being
notified, the receiving party must either return, sequester or destroy the information and may not use or disclose the information until the claim of privilege is resolved. The party which received the privileged material must also take reasonable
steps to retrieve that information from any third parties to whom it forwarded the information before being notified. The
party which received the privileged information is also permitted to present the information to the court under seal for a
determination of the privilege claim. Fed. R. Civ. P. 26(b)(5)(B).
93
Stanley, Inc. v. Creative Pipe, Inc., 250 F.R.D. 251, 258 n.5 (D. MD. 2008) (the recently adopted rules of civil procedure relating to ESI do not effect any change in the substantive law of privilege waiver).
94
See Fed. R. Civ. P. 26(b)(5)(B) 2006 Amendment Advisory Committee Notes: Rule 26(b)(5)(B) does not address
whether the privilege or protection that is asserted after production was waived by the production.
95
The law on privilege waiver varies between jurisdictions. There are three approaches generally taken as to whether
an inadvertent disclosure waives privilege. Under one approach, because a waiver involves the intentional relinquishment of an known right, the inadvertent disclosure of privileged information rarely, if ever, constitutes a waiver. See, e.g.,
Mendenhall v. Barber-Greene Co., 531 F. Supp. 951, 954 (N.D.Ill. 1982). Many of the decisions following this approach
also note that the privilege can only be waived by the client, and an attorneys inadvertent production cannot constitute a
waiver. At the other extreme, some courts have concluded that once the production of privileged information has occurred,
no matter how inadvertent, the privilege has been waived. Under that view, there is no way to restore confidentiality to a
document once it has been disclosed. See, e.g., Carter v. Gibbs, 909 F.2d 1450, 1451 (Fed. Cir. 1990); Fed. Deposit Ins.
Corp. v. Singh, 140 F.R.D. 252, 253 (D.Me. 1992). It appears that a majority of courts follow an intermediate balancing
approach which involves a review of multiple factors to determine if a party acted reasonably to protect the privilege under
the circumstances presented. See, e.g., United Investors Life Ins. Co. v. Nationwide Life Ins. Co., 233 F.R.D. 483, 48990
(N.D.Miss. 2006); Bud Antle, Inc. v. Grow-Tech, Inc., 131 F.R.D. 179, 183 (N.D.Cal. 1990).
96
See In re Sealed Case, 877 F.2d 976 (D.C.Cir. 1989) (holding inadvertent disclosure of privileged documents in discovery triggered a subject matter waiver).
92
525
526
See Pub. L. No. 110-322, 122 Stat. 3537 (2008); Rhoads Industries, Inc., v. Building Materials Corp. of America,
254F.R.D. 216, 218 (E.D.Pa. 2008) (applying F.R.E. 502 in a case where the inadvertent production occurred before the
rules enactment). However, the district court in Rhoads concluded that a waiver had occurred because the party that inadvertently produced the information failed to timely provide a privilege log as required by Rule 26(b)(5). Id. at 226.
107
The district court in Rhoads, 254 F.R.D. at 222, cited with approval the explanatory note to Rule 502 which provides:
A party that uses advanced analytical software applications and linguistic tools in screening for privilege and work product
may be found to have taken reasonable steps to prevent inadvertent disclosure. The implementation of an efficient system
of records management before litigation may also be relevant. The court in Rhoads went on to note that the retention of a
consultant who recommended and used a fairly sophisticated screening device to search for privileged documents showed
substantial compliance with Rule 502s requirement that reasonable care be taken to prevent the inadvertent disclosure
from occurring. Id.
106
527
Non-Party DiscoverySubpoenas
Healthcare entities possess patients health information, which is often relevant to a myriad of
disputes that do not involve the entity itself. Personal injury claims, divorces, child custody cases,
and custodial matters are just a few examples of the outside disputes in which parties will request or
subpoena ESI. Any organization must properly address the production of ESI to third parties in the
normal course of its business.
The federal e-discovery rules also address discovery from third parties. The various e-discovery
provisions found in Rules 26(b) and 34(b) were also woven into the fabric of Rule 45. Rule 45(c)(2)(B)
permits a party receiving a subpoena to file a written objection to producing ESI in the format specified in the subpoena the same type of objection that can be made to a production request under Rule
34(b)(2). Rule 45(d)(1)(B) also incorporates Rule 34(b)(2)(E)(ii)s requirements as to the forms of
productionwhere a subpoena does not specify any form, the person responding must produce ESI
in the form in which it is ordinarily maintained or in a reasonably useable form. Additionally, Rule
45(d)(1)(C) incorporates Rule 34(b)(2)(E)(iii)s one form of production rulea party responding to
a subpoena need not produce the same ESI in more than one form.
Just as with Rule 26(b), a party responding to a subpoena need not produce ESI from inaccessible
sources.108 The same burden-shifting approach found in Rule 26(b)(2)(B) is incorporated into Rule
45. The subpoenaed party has the initial burden of demonstrating that the production of ESI would
be unduly burdensome, but a court may still order discovery from those sources if the issuing party
can show good cause.109 The procedures under Rule 26(b)(2)(B) and Rule 45(d)(1)(D) are virtually
identical.
30.4.10.1 Protection from Significant Expense
Several provisions of the federal rules which predate the e-discovery amendments, protect nonparties from undue expense when responding to a subpoena. The e-discovery rules augment the
protection available to non-parties.
Rule 45(c)(1) obligates the party issuing a subpoena to take reasonable steps to avoid imposing
undue burden or expense on the party receiving the subpoena. The rule also provides that a court
must enforce this rule and impose an appropriate sanction on a party or attorney who fails to comply.110
Additionally, if the party receiving a subpoena serves a written objection before the time specified
for compliance or within 14 days after the subpoena was served, whichever is earlier, Rule 45(c)(2)
(B)(ii) mandates that any subsequent court order must protect the party receiving the subpoena from
significant expense resulting from compliance.111
No court has examined the interplay between Rule 45(c)(2)(B)(ii)s rule involving protection
against significant expense and Rule 45(d)(1)(D)s protection against producing information that
110
111
108
109
528
Commentary
The advent of the e-discovery rules have made IT and HIM departments more important than
ever before. E-discovery rules highlight the need for legal counsel to work closely with a
hospitals IT and HIM staffs.
Hospitals will need to explain their EHR and e-mail systems. Rule 30(b)(6) depositions of
the person(s) most knowledgeable about those systems are a staple of federal-court litigation
Therefore, hospitals should carefully identify the person(s) best suited for that task. In those
jurisdictions that require parties to designate an e-discovery liaison, the same person can also
fill that role.
It is common to delegate discovery tasks to less experienced personnel. However, the complexity of e-discovery argues against that approach. Courts have imposed sanctions for
e-discovery blunders committed by inexperienced staff charged with critical tasks without
adequate supervision.112
When the use of an outside e-discovery consultant is required, exercise due diligence in making that selection. Courts have held parties responsible for their vendors mistakes.113
Before selecting an e-discovery vendor, critically analyze the nature of the services required
and the projects scope. Is data collection, storage, review and/or production (i.e., litigation support) needed, or is data recovery or forensic expertise required? Many vendors have recently
entered the market and while many may claim to offer a full range of e-discovery services, in
fact, they may specialize in specific areas and subcontract the other services they offer.
Once an organization has identified the nature of the services required and the scope of the discovery-support project, consider issuing a request for information (RFI). Obtain information
about the vendors background, experience, past projects, and specific areas of e-discovery
expertise. Ask for technical literature, case studies or any other information that might shed
light on the vendors credentials. Ask for client references and contact them. Determine the
person(s) who will be assigned to your e-discovery project and review his or her qualifica-
112
See, e.g. Danis, 2000 WL 1694325 at 83741 (imposing a $10,000 sanction for delegating the preservation of ESI
to an inexperienced general counsel who did not know how to devise and manage document preservation). In Danis,
the court explained a company must see to it that the person(s) whether inside or outside the companygiven the task
[ofimplementing a document preservation plan] have the ability to perform the task. Id. at *40; Cardenas v. Dorel Juvenile Group, 2006 WL 1537394 at *9-10 (imposing sanctions for a paralegals failure to timely locate critical responsive
documents because she was unaware the companys accounting department maintained the particular files, explaining
[p]arties cannot be permitted to jeopardize the integrity of the discovery process by engaging in halfhearted and ineffective efforts to identify and produce relevant documents); In re Seroquel Product Liability Litigation, 244 F.R.D. at 660
n.6 (criticizing defendants search for relevant electronic data, and finding the decision to offer testimony about the search
methodology from a junior level attorney, only somewhat versed in technical issues and one who came late to the process
is puzzling).
113
In re: Seroquel Products Liability Litigation, 244 F.R.D. at 664 (a party is responsible for the errors of its
vendors).
529
Conclusion
Enterprise risk management must evolve to meet the new technological risks that EHR systems
and e-discovery present. Risk management programs must accomplish this seemingly daunting task to
remain effective in todays digital era. Healthcare organizations that master the nuances of their EHR
systems and the intricacies of the e-discovery rules, can control the risks that they present.
30.7
References
There are number of valuable e-discovery resources available on line. The Sedona Conference
is a leading resource on e-discovery and their publications outline best practices to follow. Its publications are available at www.thesedonaconference.org. Several e-discovery vendors also have useful
materials available on line. Kroll Ontrack has compiled hundreds of pages of e-discovery case summaries organized by jurisdiction and by topic on its web site at www.krollontrack.com. Another useful
site is www.discoveryresources.org sponsored by Fios, Inc. Other helpful resources include www.law.
com and www.abanet.org.
The Sedona Conference Working Group Series has published an excellent resource that outlines the substance of a
strong vendor selection process: Best Practices for the Selection of Electronic Discovery Vendors: Navigating the Vendor
Proposal Process, (June 2007 Version) that can be downloaded from its website.
114
530