
Enterprise Risk Management for Healthcare Entities

First Edition

BY A TASK FORCE OF THE RISK MANAGEMENT AFFINITY GROUP

ELLEN L. BARTON, EDITOR-IN-CHIEF

Copyright 2009 by
AMERICAN HEALTH LAWYERS ASSOCIATION
1025 Connecticut Avenue, NW, Suite 600
Washington, DC 20036-5405
Web site: www.healthlawyers.org
E-Mail: info@healthlawyers.org
All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form,
or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express,
written permission of the publisher.
Printed in the United States of America
ISBN: 978-1-4224-6085-6
978-1-4224-6084-9 (Members)
This publication is designed to provide accurate and authoritative information with respect to the subject matter covered.
It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services.
If legal advice or other expert assistance is required, the services of a competent professional person should be sought.
from a declaration of the American Bar Association

RECENT TITLES FROM HEALTH LAWYERS


Healthcare Capital Finance: In Good and Challenging Times
2009, perfect bound
Fifty State Survey of Certificate of Need and Licensure: Nursing Homes, Assisted Living, Home Health and
Hospice, First Edition with CD-ROM
2009, perfect bound
The Complete Connected Stark Laws & Regulations, Second Edition
2009, CD-ROM
Corporate Governance Implications of Nonprofit Executive Compensation, First Edition
2009, perfect bound
AHLA's Federal Healthcare Laws & Regulations, Fall 2008 Supplement to 2007-2008 Edition
2008, perfect bound
Guide to Healthcare Legal Forms, Agreements, and Policies with CD-ROM, 11/08 Supplement
2008, looseleaf
Healthcare Finance: A Primer, First Edition with CD-ROM
2008, perfect bound
Health Plans Contracting Handbook: A Guide for Payors and Providers, Fifth Edition with CD-ROM
2008, perfect bound
Stark Final Regulations: A Comprehensive Analysis of Key Issues and Practical Guide, Fourth Edition
2008, perfect bound
Peer Review Hearing Guidebook, First Edition with CD-ROM
2008, perfect bound
The Complete Connected Pharmaceutical and Medical Devices Laws & Regulations
2008, CD-ROM
Clinical Research Practice Guide with CD-ROM
2008, perfect bound
Guide to Healthcare Legal Forms, Agreements, and Policies with CD-ROM
2008, looseleaf
False Claims Act & The Healthcare Industry: Counseling & Litigation, Second Edition
2008, casebound
Stark Phase III Guidance Collection
2008, PDF
Fundamentals of Health Law with CD-ROM, Fourth Edition
2008, perfect bound
AHLA's Federal Healthcare Laws & Regulations, 2007-2008 Edition
2008, perfect bound 3-volume set
Legal Issues in Healthcare Fraud and Abuse: Navigating the Uncertainties, 2007 Supplement
2007, perfect bound
Ambulatory Surgery Centers: CMS Update on Payment and Coverage
2007, PDF
The Complete Connected Civil False Claims Act Laws and Cases
2007, CD-ROM
Telemedicine: Survey and Analysis of Federal and State Laws with CD-ROM
2007, perfect bound
Healthcare Entity Bylaws with CD-ROM
2007, perfect bound
The Fundamentals of Life Sciences Law: Drugs, Devices, and Biotech with CD-ROM
2007, perfect bound
Institutional Review Boards: A Primer
2007, perfect bound

Preface
Healthcare entities face risk in all facets of their organizations, from changes in patient demographics, to use of complex, constantly changing technology, and increased regulatory mandates. It is
critical that they identify and address potential risk, and equally important for these organizations to
have a game plan that crosses all departmental barriers. The benefit to having a comprehensive risk
management process and plan that encompasses the entire enterprise becomes more important every
day. Indeed, Standard & Poor's, a major credit rating agency, announced in 2008 that it would add an
enterprise risk management (ERM) review for nonfinancial companies to further enhance its rating
process.
Health Lawyers wants to express its tremendous gratitude to all of the authors of the Enterprise
Risk Management Handbook for Healthcare Entities. This new publication addresses the need for and
implementation of a proper risk management system that will address and assess the myriad areas of
importance in the healthcare setting.
The coverage begins with an overview of ERM and its evolution. The impetus for many organizations to adopt ERM was the passage of the Sarbanes-Oxley Act of 2002, the legislative response to
scandals involving accounting and compliance in the private sector. While nonprofit healthcare entities were not the focus of the legislation, many began to voluntarily comply with the principles and
financial controls incorporated in the legislation. A renewed focus on the responsibilities of boards of
directors to identify and manage organizational risks increased the impetus to embrace ERM.
The authors provide guidance on how to structure an ERM system, as well as insight on risk
financing methods. They delineate how to manage risk in various settings, including contract management, claims management, environmental compliance, human research, peer review and credentialing,
due diligence in business transactions, consent to treatment and numerous others. Finally, coverage
includes insight on the impact that the implementation of electronic health record (EHR) systems,
combined with the advent of e-discovery rules, will have on traditional documentation issues.
Health Lawyers commends Enterprise Risk Management Handbook for Healthcare Entities to all
healthcare attorneys and others in the healthcare field that need to understand the assessment of and
planning for risk management in the healthcare setting. We anticipate that it will prove to be a useful guide for healthcare entities and their counsel in understanding this critical area of the healthcare
environment and the law as it continues to evolve.

Enterprise Risk Management for Healthcare Facilities, First Edition

Acknowledgments
The Editor-in-Chief would like to thank Peter L. Leibold, the American Health Lawyers Association (AHLA) Executive Vice President/Chief Executive Officer, for his support of the Enterprise Risk
Management (ERM) Affinity Group, as well as John Washlick and Brian Gradle, who as Chairs of
AHLA's Hospital and Health Systems Practice Group lent their unwavering encouragement to the ERM
Affinity Group and this effort. Thanks to Trinita Robinson, AHLA's Vice President of Practice Groups,
for always being there for the Affinity Group and serving as the link throughout this process.
I also want to offer my tremendous gratitude to our reviewers, who improved this publication by
taking the time to read the chapters and offer insightful guidance and comments to the authors. They
were Roberta Carroll, Connie Crawford, Sheila Hagg-Rickert, Mary Marta, Erin Muellenberg, Peggy
Nakamura, Kathy Wire, and Leigh Collier. My thanks also to Alice Kush for her early involvement in
the project. And finally, I would also like to thank Cynthia Conner, AHLA's Vice President of Professional Resources, and Will Harvey, AHLA's Director of Business Development and Publishing, for
their constancy, expertise, and willingness to do what was necessary to make this publication a reality.
Ellen L. Barton
Editor in Chief

About the Editor


Ellen L. Barton, JD, CPCU (Editor in Chief), is an independent Healthcare Risk Management
Consultant. Ms. Barton is a graduate of Rosemont College and received her JD degree from the University of Cincinnati. She also holds the distinction of Chartered Property and Casualty Underwriter.
Ms. Barton has conducted numerous seminars on risk management issues on a national as well as
regional level and has published articles in related areas. Ms. Barton is admitted to the Bars of Ohio,
Maryland, and Pennsylvania and holds membership in the Maryland Bar Association, the Society of
Chartered Property and Casualty Underwriters, the American Health Lawyers Association (in which
she previously served as Chairperson of the Risk Management Affinity Group of the Hospitals and
Health Systems Practice Group), the Maryland Society for Healthcare Risk Management of which she
was President for 2002-2003, and the American Society for Healthcare Risk Management (ASHRM)
of which she was President for 1990. She is also the 1993 recipient of the American Society for
Healthcare Risk Management's Distinguished Service Award. In 2001, the ASHRM Modules Program,
"The Barton Certificate in Healthcare Risk Management," was named in her honor.

Contributing Authors
Introduction
Roberta Carroll, RN, ARM, CPCU, MBA,
CPHRM, CPHQ, LHRM, HEM, DFASHRM
Senior Vice President, Aon Healthcare
Sheila Hagg-Rickert, JD, MHA, MBA,
DFASHRM, CPHRM, CPCU
Senior System Director of Risk Management,
CHRISTUS Health

Nicola A. Nelson, Esq.
Richard S. Porter, Esq.
Hinshaw & Culbertson LLP

Human Capital
Deborah Martin Norcross, Esq.
MartinNorcross LLC

Financial

Steven O. Grubbs, Esq.
Amanda J. Flanagan, Esq.
Sheehy, Ware & Pappas, PC

Ellen L. Barton, JD, CPCU
Principal, ERM Strategies, LLC

Legal/Regulatory

Mary S. Schaefer, RN, M.Ed, ARM, JD
Corporate Director of Risk Management,
Covenant Health Systems, Inc.
Peggy Nakamura, RN, MBA, DFASHRM,
CPHRM
Assistant Vice President, Chief Risk Officer, and
Associate Counsel, Adventist Health
Richard L. Clarke, DHA, FHFMA
President and CEO, Healthcare Financial
Management Association (HFMA)
Elizabeth M. Mills, Esq.
Senior Counsel, Proskauer Rose LLP

Kathryn K. Wire, JD, MBA, FASHRM
Principal, Kathryn Wire Risk Strategies
Fay A. Rozovsky, JD, MPH
President, The Rozovsky Group, Inc.
Peter J. Hoffman, Esq.
Eileen Lampe, Esq.
Joseph V. Conroy IV, Esq.
Eckert Seamans Cherin & Mellott, LLC
John R. Evancho, JD
Senior Vice President and Chief Compliance
Officer, OSF Healthcare
Joan Danielson Plump
Attorney at Law

Hazard
Sheila Hagg-Rickert, JD, MHA, MBA,
DFASHRM, CPHRM, CPCU
Senior System Director of Risk Management,
CHRISTUS Health
Gisele Norris, DrPH
National Directory, Aon Healthcare Alternative
Risk Transfer Practice
Amy Norris, Esq.
Associate General Counsel, Clif Bar & Company

Operational
Fay A. Rozovsky, MPH, DFASHRM, Esq.
President, The Rozovsky Group, Inc.
Mark A. Kadzielski, Esq.
Fulbright & Jaworski, LLP
Yvonne K. Puig, Esq.
Mark Faccenda, Esq.
Fulbright & Jaworski LLP
Emily Rhinehart, RN, MPH, CIC, CPHQ
AIU Holdings, Inc.

Terie Zimmerman, RN, BSN, JD, ARM,
CPHRM, DFASHRM
VP Chief Quality, Risk and Patient Safety
Officer, Community Mercy Health Partners

Jeffery Layne
Christopher N. Kanagawa
India K. Brim
Fulbright & Jaworski LLP

Strategic

Technology

Ellen Barron, Esq.
Profit Management Group

Phyllis F. Granade, Esq.
Adorno & Yoss

Mary Mahoney, Esq.
Tufts Health Plan
Daniel G. Hale, Esq.
General Counsel, Trinity Health

Marilyn Lamar, Esq.
Liss & Lamar, PC

Ila Rothschild, MA, JD
Healthcare Attorney

Joshua I. Rozovsky
The Rozovsky Group, Inc./RMS

Nancy T. Poblenz, RN, BSN, DDS, JD, CPHRM
Director, Litigation and Loss Prevention
CHRISTUS Health Risk Management

Steven M. Puiszis, Esq.
Hinshaw & Culbertson, LLP

Nestor J. Rivera, Esq.
Carlton Fields, PA

Ellen Barron
Ellen Barron has more than 25 years' experience in Marketing, Communications, Strategy and related
disciplines. She has provided leadership to these functions in community hospitals, academic medical centers and large, multi-site health systems. Ellen has served on the boards of both a national
marketing professionals association, as well as a multi-state health system. She has acted as an expert
facilitator for health- and insurance-related organizations; presented at numerous national and regional
meetings; and published more than 30 articles. She is an independent consultant with her own firm,
Profit Management Group, in West Chester, PA.
India K. Brim
India K. Brim is a Healthcare associate in the Washington, D.C. office of Fulbright & Jaworski,
L.L.P. As an associate, she focuses her practice on healthcare issues including regulatory compliance,
fraud and abuse, hospital and laboratory certification, and Medicare/Medicaid reimbursement matters. Ms. Brim also has experience in handling government investigations and healthcare litigation.
Ms. Brim received her BA from Spelman College, magna cum laude, in 2003 and her JD from Duke
University in 2006. She is admitted to practice law in Maryland and the District of Columbia.
Roberta L. Carroll
Roberta L. Carroll, RN, ARM, CPCU, MBA, CPHRM, CPHQ, LHRM, HEM, DFASHRM, is a Senior
Vice President of Aon Healthcare, based in Tampa, Florida. Ms. Carroll is also a faculty member for
the ASHRM-sponsored Barton certificate program Essentials module, is a member of ASHRM and
served on its board for six years, serving as President in 1995-1996. Ms. Carroll received a Bachelor
of Science degree in Health Services Administration and a certificate in Emergency Medical Services
Systems Administration from Florida International University and a Master of Business degree from
Nova Southeastern University. She is a well-known author, speaker, and teacher in the areas of: alternate risk financing, risk mitigation strategies and solutions, claims administration, early intervention
programs, enterprise risk management (ERM), strategic planning, and reengineering. Her activities
are on a local, state, and national level and her professional and committee activities are numerous.
She is a member of the American Health Lawyers Association and its Risk Management Affinity
Group of the Hospitals and Health Systems Practice Group.
Richard L. Clarke
Richard L. Clarke, DHA, FHFMA, is President and Chief Executive Officer of the Healthcare Financial Management Association (HFMA), Westchester, Illinois, a professional membership association
with more than 34,000 members in 70 chapters who share an interest in the financial management
of the delivery of healthcare services. Richard attained Fellowship (FHFMA) in HFMA in 1983. He
served as President of the Colorado chapter of HFMA, served on its National Matrix, and was a member of HFMA's Principles and Practices Board. He holds a bachelor's degree in Industrial Distribution
from Bradley University, Peoria, Illinois (1970), a master's degree in Business Administration in management/finance from the University of Miami, Coral Gables, Florida (1972), and a Doctor of Health
Administration (DHA) degree from the Medical University of South Carolina, Charleston, SC (2005).
Dr. Clarke has also written numerous articles and publications on healthcare finance.
Joseph V. Conroy, IV
Joseph V. Conroy, IV, is an associate in the law firm of Eckert Seamans Cherin & Mellott, LLC, in their
Philadelphia office. He focuses his practice on professional liability as well as general liability law. His
practice areas include litigation and product liability. Joe received his JD from Villanova University
School of Law in 2007, and his BS from Villanova University in 2004.
John R. Evancho
As Senior Vice President and Chief Compliance Officer, John is accountable for the development and
direction of compliance, privacy and risk management programs for OSF HealthCare, an integrated
health system based in Peoria, Illinois. John began working at OSF as Vice President of Operations
for OSF HealthPlans. Prior to joining OSF, John served in various executive capacities in both Compliance and Operations for several national health insurance companies. John earned his JD from
Harvard Law School, his MTS from Harvard Divinity School, a BA from the University of Louvain in
Belgium and a BA from Duquesne University in Pittsburgh.
Mark Faccenda
Mark Faccenda is an Associate in Fulbright & Jaworski L.L.P.'s Washington, D.C. office. As part of the
firm's Health Care Practice Group, Mark has represented healthcare industry clients on regulatory and
transactional matters. Representative clients include pharmaceutical manufacturers, academic medical
centers, health systems, physician groups, physician/hospital joint ventures, long term care facilities
and durable medical equipment suppliers. Mark received his JD and MHA, Health Administration,
from the University of Pittsburgh in 2005, and his BS in Biology, from Pennsylvania State University
in 1995. Mark is admitted to practice law in Pennsylvania. He is a member of the American Health
Lawyers Association.
Amanda J. Flanagan
Amanda Flanagan is an associate with Sheehy, Ware & Pappas, P.C. Her practice is focused on personal injury, wrongful death, and premises liability. She also defends employment claims. Amanda
received her JD from South Texas College of Law (2003) and her BA from the University of Texas at
Austin (1999).

Phyllis F. Granade
Phyllis F. Granade is a Partner in the Atlanta office of Adorno & Yoss. She began her legal career
as a legal consultant to the Medical College of Georgia Telemedicine Center. Phyllis' legal practice
includes assisting clients with privacy and security compliance issues, particularly the HIPAA privacy
and security regulations. She frequently defends clients during privacy and security investigations
brought by the U.S. Department of Health and Human Services (DHHS) Office for Civil Rights
(OCR) and the Centers for Medicare and Medicaid Services (CMS), respectively. She received her JD
from the University of South Carolina School of Law, and her AB, cum laude, from the University of
Georgia in 1991. She is a member of the American Health Lawyers Association, and is a Vice Chair of
its Health Information Technology Practice Group.
Steven O. Grubbs
Steven O. Grubbs is a Shareholder with the Houston, Texas firm Sheehy, Ware, and Pappas, P.C. Mr.
Grubbs is a member of the firm's labor and employment, commercial litigation, and general litigation
sections. He has considerable first-chair trial experience in State and Federal Court, and has handled
arbitrated matters concerning employment law issues. He has prepared briefing and conducted oral
arguments before several Texas Courts of Appeals and to the Texas Supreme Court. He received his JD
from South Texas College of Law in 1996, and his BBA from University of Texas at Austin in 1992.
Mr. Grubbs is admitted to practice law in Texas. He is a member of the American Health Lawyers
Association.
Sheila Hagg-Rickert
Sheila Hagg-Rickert serves as Senior System Director of Risk Management for CHRISTUS Health
based in Houston. In this capacity, she is responsible for oversight of CHRISTUS' loss prevention,
claims management and risk financing programs. Sheila holds a JD from the University of Iowa and
Masters of Business Administration and Masters of Healthcare Administration degrees from Georgia
State University. She has earned Chartered Property and Casualty Underwriter (CPCU) and Certified
Professional in Healthcare Risk Management (CPHRM) designations and is a Distinguished Fellow
of the American Society of Healthcare Risk Management. She also served on the ASHRM board. She
is a member of the American Health Lawyers Association.
Daniel G. Hale
Daniel G. Hale serves as General Counsel of Trinity Health and leads the office of Community Benefit
and Public Affairs in fulfillment of Trinity Health's Mission to improve the health of the communities it serves. Under his leadership, community benefit activities are advancing to serve more people,
improve and expand access to equitable care, integrate care for chronic conditions, and influence
state and federal healthcare policies. Prior to joining Trinity Health, Dan was General Counsel of
Franciscan Health System, a Partner in Drinker Biddle & Reath in Philadelphia, PA and in Baker &
Hostetler in Columbus, OH. Dan is Chair of the Catholic Health Association's Health Reform Initiative committee, dedicated to promoting universal health coverage. Dan is currently on the Audit &
Corporate Responsibility Committee of Catholic Healthcare Partners and on the Board of Trustees of
the Michigan Public Health Institute. Dan earned his law degree from Capital University Law School,
graduating cum laude, and his AB degree in English from Kenyon College. He is a member of the
American Health Lawyers Association.
Peter J. Hoffman
Peter J. Hoffman, Esq. is a Member of the Philadelphia office of Eckert Seamans Cherin & Mellott,
LLC, a large general practice law firm headquartered in Pittsburgh, Pennsylvania. He received his
BA from Washington and Jefferson College, his MA from State University of New York Graduate
School of Public Affairs, and his JD, cum laude, from Temple University School of Law where he
was the Executive Editor of the Law Review. Mr. Hoffman was a member of the Pennsylvania Select
Committee on Medical Malpractice from 1984 to 1986. He was a member of Governor Rendell's
Medical Malpractice Task Force, and is currently Counsel to the Commonwealth of Pennsylvania
Patient Safety Authority. He is a Past President of the Pennsylvania Defense Institute. He was the
recipient of the Defense Research Institute Exceptional Performance Citation in 1989 and the Fred H.
Sievert Award in 1989. Mr. Hoffman was a co-author of the book Laws and Regulations Affecting
Medical Practice. He was the Chairman of Hearing Committee 1.15, Supreme Court of Pennsylvania
Disciplinary Board from 1993 to 1998, and served on the faculty for the Temple University School
of Law, Masters of Laws in Trial Advocacy and Academy of Advocacy. He has been listed as a top
attorney in Philadelphia Magazine each time the article appears, and has been listed in Best Lawyers
in America since 1995. He was listed as one of the top 100 lawyers in Pennsylvania in Pennsylvania
Super Lawyers 2004, 2005, 2007, and 2008. Mr. Hoffman was a member of the Temple Inns of Court.
He is a member of ASHRM, a Fellow of the International Academy of Trial Lawyers and Fellow of the
American College of Trial Lawyers, as well as the American Board of Trial Advocates.
Mark A. Kadzielski
Mark A. Kadzielski is the partner in charge of the West Coast Health Law practice at Fulbright &
Jaworski, L.L.P. His practice focuses on the representation of hospitals, medical staffs, managed care
enterprises, and institutional and individual healthcare providers throughout the United States in a
broad spectrum of matters, including government regulatory investigations, contracting issues, credentialing, licensing, medical staff bylaws, Joint Commission accreditation and Medicare certification.
Mr. Kadzielski is a member of the California Bar, the American Health Lawyers Association and the
California Society for Healthcare Attorneys. Since 1991, on the basis of peer evaluations, he has been
selected for the Healthcare Law Section of The Best Lawyers in America. In 2004, 2005, 2006, 2007,
2008, and 2009 he was selected by his peers as a Southern California Super Lawyer in Health Law.
In 2005, he was named to the American Health Lawyers Association's inaugural class of Fellows,
one of only four attorneys in California and forty attorneys nationwide to receive this honor. Also
in 2005, 2006, 2007, and 2008 he was selected as one of the top ten leading Healthcare Lawyers in
California by Chambers USA as a result of extensive interviews with clients and peers. Mr. Kadzielski
has authored numerous books, articles, and chapters in healthcare publications. He is a nationwide
speaker on a wide range of health-related subjects. Mr. Kadzielski is a 1976 graduate of the University
of Pennsylvania Law School.
Christopher Nathan Kanagawa
Christopher Nathan Kanagawa is Senior Counsel with Fulbright & Jaworski L.L.P. and practices in
the healthcare, e-business and corporate areas. His healthcare legal experience includes counseling
both e-health and general healthcare clients. Christopher's e-business experience includes advising
numerous clients, including healthcare systems and start-up Internet e-health companies, on corporate,
contracting and regulatory issues. Christopher also regularly advises traditional healthcare clients,
including healthcare systems and national health care providers and suppliers. Mr. Kanagawa received
his JD in 1998 from the University of Tulsa-College of Law and his BA in 1991 from the University of
Tulsa. Christopher is admitted to practice law in Missouri and Illinois. He is a member of the American
Health Lawyers Association.
Maria D. Lain
Maria D. Lain has over 30 years of healthcare experience with a focus on business solutions to achieve
profitability by integrating operations effectiveness, resource management, employee ownership and
accountability, and customer satisfaction. Within her job functions she has worked with organizations
to generate concepts and approaches that align culture, strategy and vision to achieve tangible change,
growth and income. Ms. Lain is currently the Service Line Director for Women's Health and Oncology
at The Chester County Hospital, West Chester, PA. She holds an MBA from Duke University, Raleigh,
North Carolina.
Marilyn Lamar
Marilyn Lamar is an attorney with more than twenty years of experience in corporate and information
technology law, including electronic health records (EHR) and HIPAA privacy and security issues.
Her practice includes a broad range of outsourcing, licensing, and other technology transactions on
behalf of hospitals, health plans, physicians, group purchasing organizations and technology companies. Before joining Liss & Lamar, P.C., Marilyn was a capital partner at McDermott Will & Emery
LLP where she chaired the Health Law Department's Information Technology practice group and co-chaired its HIPAA practice group. She also chaired the Health Information and Technology Practice
Group of the American Health Lawyers Association (AHLA) from 2002 to 2005 and serves on its
Quality Council. Marilyn is also a member of the Healthcare Information and Management Systems
Society (HIMSS), serving on the Ambulatory IS Steering Committee, the Payer Roundtable and the
Legal Aspects of the Enterprise Task Force. After graduating from the University of Chicago Law
School, Marilyn served as a law clerk for the Honorable Richard D. Cudahy, United States Court of
Appeals for the Seventh Circuit. She is a frequent author and speaker on EHRs, evolving liability
issues involving information technology, HIPAA privacy and security and outsourcing.
Eileen Lampe
Eileen Lampe is a Member of the firm Eckert Seamans Cherin & Mellott, LLC in Philadelphia, PA.
She has tried numerous high exposure cases to verdict, and also serves as a mediator for healthcare
disputes. She also has experience in the premises liability, nursing home liability, and healthcare and
risk management practice areas. In addition, Ms. Lampe is often asked to be a mediator. Ms. Lampe
received her JD in 1986 from the University of Richmond T.C. Williams School of Law, and her BA
in 1981 from Franklin and Marshall College. She is admitted to practice law in Pennsylvania and
New Jersey.
R. Jeffrey Layne
R. Jeffrey Layne is a Partner in the Austin, TX office of Fulbright & Jaworski L.L.P. His practice
focuses on federal and state regulatory, administrative, and litigation-related health law matters,
including Medicare and Medicaid fraud and abuse and research compliance issues. His health-related
litigation experience includes criminal, False Claims Act and administrative litigation related to a
wide variety of Medicare and Medicaid fraud and abuse, reimbursement, and compliance issues. Jeff
represents clients from across the spectrum of the healthcare industry, including hospital systems,
university health systems, pharmaceutical and medical device manufacturers and distributors, pharmacies, suppliers, and managed care organizations. Mr. Layne received his MPH in 1998 from Harvard
University, his JD in 1994 from Duke University Law School and his BBA, magna cum laude, in 1990
from Texas Christian University. Jeff is admitted to practice law in Texas and the District of Columbia.
He is a member of the American Health Lawyers Association.
Mary O'Toole Mahoney
Mary O'Toole Mahoney is Associate General Counsel at Tufts Associated Health Plans, Inc., a managed care organization in Watertown, Massachusetts. She joined Tufts Health Plan in 1995. Mary
is responsible for providing legal guidance to the company's board of directors and management
on corporate governance and transactions, financial, tax, and accounting matters. She also serves as
primary counsel on executive and employee benefits and compensation, and intellectual property.
Mary has served as counsel to numerous areas of the company over the years, including general risk
management, clinical services, all areas of contracting, technology and e-business. In addition, Mary
has been counsel on a variety of transactional matters for the plan. Mary received her BS in Nursing
and Philosophy from the University of Scranton in 1986 where she was a graduate of the Special
Jesuit Liberal Arts Honors Program, and her JD from the University of San Francisco in 1991. She is a
member of the Board of Directors of A Place to Turn, an emergency food pantry serving the metrowest
area of Boston.

Elizabeth M. Mills
Elizabeth M. Mills is Senior Counsel in the Chicago office of Proskauer Rose LLP. As a member
of the Firm's Health Department, she concentrates her practice on nonprofit organizations and their
tax exemption concerns as well as healthcare organizations and hospital-physician transactions. She
works with hospitals and other institutional healthcare providers, health maintenance organizations,
and academic medical centers, as well as other public charities, private foundations and charitable
giving vehicles. Elizabeth's practice with tax-exempt organizations includes addressing tax exemption
compliance issues such as intermediate sanctions and use of tax-exempt bond-financed property, representing organizations being audited by the IRS, and assisting organizations in obtaining tax exemption
from the IRS. Ms. Mills received her JD, cum laude, in 1984 from the Northwestern University School
of Law, her MS in 1978 from the Harvard School of Public Health, her MA in 1975 from Stanford
University, and her BA in 1973 from the University of Kansas. She is admitted to practice law in Illinois. She is a member of the American Health Lawyers Association, and serves as a Vice Chair of its
Tax and Finance Practice Group.
Peggy Nakamura
Peggy Nakamura, RN, MBA, JD, DFASHRM, CPHRM is Assistant Vice President, Chief Risk Officer, and Associate Counsel for Adventist Health. In this role, she oversees a comprehensive Risk
Management Department, including self-administered/self-insured programs in workers' compensation, professional, general and managed care liability. She was awarded the Distinguished Service
Award from the American Society of Healthcare Risk Management in 2008, and is a past President of
ASHRM. Ms. Nakamura holds an associate degree in Nursing from Sacramento City College, Sacramento, California, and a bachelor's degree in Biological Sciences from the University of California,
Davis. In addition she has an MBA from Golden Gate University in San Francisco, California, and
a Juris Doctor from McGeorge School of Law also located in Sacramento. Ms. Nakamura is faculty
for the California Hospital Association's Consent Law, Consent Basics, and EMTALA seminars. She
also is faculty for ASHRM's Barton Certification Program in the Advanced Forum module. She is a
member of the American Health Lawyers Association, and currently serves as Chair of its Risk Management Affinity Group of the Hospitals and Health Systems Practice Group.
Nicola Nelson
Nicola Nelson is an associate at the Rockford, Illinois office of Hinshaw & Culbertson LLP, where
her practice is focused primarily in environmental law. She advises and represents municipalities,
organizations, and business entities with respect to environmental permitting and compliance, as well
as enforcement actions. Prior to coming to Hinshaw & Culbertson, Ms. Nelson clerked as a judicial
extern to the Honorable Anne M. Burke of the Illinois Supreme Court. She also previously clerked as
a judicial extern to the Honorable Amy J. St. Eve, United States District Court, Northern District of
Illinois. Ms. Nelson graduated first in her law school class and was class valedictorian.

Deborah Martin Norcross


Deborah Martin Norcross, Esquire, has more than twenty-seven years of concentrated employment
law experience, providing clients in the healthcare industry with aggressive and effective representation and counsel in employment matters and litigation before state and federal courts and agencies
across the country. Deborah routinely counsels healthcare clients on workplace issues that arise during
the course of the employment relationship. In addition, she provides policy development and review
services, as well as supervisory training on how to avoid workplace disputes and how to best handle
problem situations. She is admitted to the courts of the states of New Jersey and New York, and the
Commonwealth of Pennsylvania.
Amy B. Norris
Amy Norris is the Associate General Counsel of Clif Bar & Company, a leading maker of all-natural
energy foods. Her current role is to provide advice and counsel on all operational matters and new
product development, both domestically and internationally. Prior to joining Clif Bar, Ms. Norris was
an associate with the law firm of Sheppard Mullin & Richter & Hampton, LLP, where she was a member of the Finance & Bankruptcy Practice Group. There, she advised clients on all manner of business
operations. Ms. Norris earned her juris doctorate degree from the University of San Francisco and a
Bachelor of Arts from U.C. San Diego.
Gisele Norris
Gisele Norris, DRPH is National Director at Aon Healthcare Alternative Risk Transfer Practice.
Dr. Norris has spent 15 years in the healthcare industry focusing on issues of healthcare finance.
Gisele currently directs Aon's Alternative Risk (ART) Practice in the Western United States and is
a principal leader of Aon's Pandemic Preparedness Task Force. In her current role, Gisele provides
strategic consulting to several of Aon's most prestigious clients. Prior to accepting her role with the
ART team, Gisele was responsible for the development of new healthcare product opportunities for
Aon internationally. Dr. Norris is widely published in various insurance industry publications. Gisele
received her BA from the University of California at Berkeley in 1988; Master of Public Health and
Master of Public Administration degrees from Columbia University in 1994; and a Doctorate in Public Health (with specialties in epidemiology and health policy) from the University of California at
Berkeley in 2000.
Joan Danielson Plump
Joan Danielson Plump is an attorney who is a member of the State Bars of New Jersey and Pennsylvania. Most recently she practiced with the firm of Eckert Seamans Cherin & Mellott, LLC, in
Philadelphia, PA, where she prepared and presented Continuing Medical Education classes for physicians and nurses, as well as Continuing Legal Education programs for lawyers. Prior to that she was
with McKissock & Hoffman, P.C., where she was Counsel to the Pennsylvania Patient Safety Authority from 2003 to 2005, and trained and supervised young lawyers in the firm's beeper program used
in representation of hospitals in emergency guardian and treatment order cases. Ms. Plump received
her JD from Fordham University School of Law, her MA in Education from LaSalle University, and
her BA, cum laude, from Bucknell University. She is admitted to practice law in the United States
District Court.
Nancy T. Poblenz
Nancy T. Poblenz, RN, BSN, DDS, JD, CPHRM serves as Litigation and Loss Prevention Director
for CHRISTUS Health, based in Houston, Texas. In this capacity, she is responsible for the claims
investigation and litigation management of all matters involving the healthcare system, including
professional, general, employment, business, class action and other litigation against any CHRISTUS
Health facilities. She also coordinates the corporate response to all government and regulatory
investigations. As corporate Loss Prevention Director she is responsible for leading all corporate loss
prevention initiatives. She serves on various committees, including the corporate Quality Committee
and Clinical Policy Team, and is active on the CHRISTUS St. John Hospital Ethics Committee. Nancy
is a graduate of the University of Texas at Arlington, Baylor College of Dentistry and University of
Houston Law Center. She is a member of the College of the State Bar of Texas and has previously been
in the private practice of personal injury, medical malpractice, and employment-related litigation. Her
medical and nursing experience includes work in hospitals, clinics and long term care facilities. She is
a member of the American Health Lawyers Association.
Richard S. Porter
Richard S. Porter is a Partner with the firm Hinshaw & Culbertson LLP. He represents municipalities
and business enterprises in environmental law and litigation, and in general commercial and insurance
defense litigation. Mr. Porter's environmental practice includes experience with CERCLA, NEPA,
RCRA, Clean Air Act, Clean Water Acts, Phase I and II reports, TACO program, Brownfields programs, NPDES permitting, environmental impact studies, Superfund litigation, underground storage
tanks, toxic tort actions, indoor air quality, asbestos abatement and solid waste management. Mr. Porter received his JD, cum laude, from the Southern Illinois University College of Law in 1992, and his
BS from the Illinois State University in 1988. He is admitted to practice law in Illinois.
Yvonne Karen Puig
Yvonne Karen Puig is a Partner at Fulbright & Jaworski L.L.P. Ms. Puig practices exclusively in the
healthcare area and represents hospitals, HMOs, medical schools and other institutional healthcare
providers. She has extensive experience in a variety of health law regulatory matters, including, but
not limited to: EMTALA, credentialing, due process hearings, and JCAHO accreditation and compliance. Her trial experience includes complex litigation, such as representation of hospital systems,
manufacturers and sellers of medical devices, and commercial litigation involving the health industry.
Additionally, she has experience reviewing business arrangements among managed care providers
and other statutory and regulatory compliance. Yvonne is also an author who has published numerous
articles on a variety of healthcare topics and liability updates. She received her JD in 1978 from The
University of Texas School of Law and her BA in 1975 from the University of Texas. Yvonne is admitted to practice law in Texas. She is a member of the American Health Lawyers Association.
Steven M. Puiszis
Steven M. Puiszis is a Partner in the Chicago office of Hinshaw & Culbertson LLP, and is a member
of their Business Litigation Practice Group, as well as its Electronic Discovery Response Team. He is
a well-known and highly experienced trial attorney and mediator with a wide-ranging litigation and
trial practice in state and federal court, who stopped counting after having taken more than 40 civil
and criminal jury trials to verdict. He is one of the few attorneys nationally who has ever successfully
defended through trial a federal class-action lawsuit. Mr. Puiszis received his JD in 1979 from Loyola
University Chicago School of Law, and his BS in 1976 from DePaul University. He is admitted to
practice law in Illinois. He is a member of the American Health Lawyers Association.
Emily Rhinehart
Emily Rhinehart, RN, MPH, CIC, CPHQ, is a Vice President at AIG Consultants, Inc., and has over
25 years of diverse healthcare experience. As a consultant and manager, she has developed and provided
a wide variety of products and services for the healthcare market including risk and quality management, performance measurement programs, patient safety programs, and infection control programs for
organizations in all healthcare segments. Ms. Rhinehart holds a Bachelor of Science in Nursing degree
and a Master's in Public Health with a concentration in Epidemiology. She is certified in healthcare
quality (CPHQ) and infection control (CIC). She entered the healthcare quality and risk management
arena after 15 years of outstanding success as a national and international leader in hospital infection
control and epidemiology. She has provided consultation in quality management and infection control
to healthcare organizations and industry in the US, Asia, Europe, Central and South America.
Nestor J. Rivera
Nestor J. Rivera is an Associate at the Atlanta, GA office of Carlton Fields PA. Mr. Rivera is a member
of the Firm's Health Care Practice Group. His practice includes representation of healthcare providers
of all sizes in both operations/regulatory and litigation matters. He has advised clients on healthcare operations and regulatory matters, including: HIPAA and related federal and state privacy laws,
healthcare provider reimbursement and insurance coverage, guardianship, contract negotiation and
implementation, debt collection and credit reporting requirements, and other issues encountered by
healthcare providers on a daily basis. Mr. Rivera's litigation experience includes representation of
healthcare providers of all sizes in breach of contract, tortious interference, payment of billed charges,
and other business claims. Mr. Rivera received his JD in 2000 from Emory University School of Law
and his BBA in 1997 from the University of Miami. He is admitted to practice law in Georgia and
Florida. He is a member of the American Health Lawyers Association.

Ila S. Rothschild
Ila S. Rothschild, MA, JD, is Special Counsel with the Office of General Counsel at The Joint Commission. As Special Counsel, Ila has advised The Joint Commission on a number of issues, among
them: credentialing/privileging; peer review and confidentiality; conflict management; risk management; disruptive behavior; telemedicine; leadership accountability; ethics; patients' rights; patient
safety, and overall interpretation of accreditation standards. She has also co-authored briefs to the
Kentucky Supreme Court and the U.S. Supreme Court on issues relating to confidentiality of peer
review. Ila taught legal and ethical issues in healthcare as a lecturer-in-law at the University of Chicago Law School. A staunch advocate for patients' rights, Ila has co-authored amicus curiae briefs
on end-of-life issues to the U.S. Supreme Court and the Supreme Court of California. Ila received
her bachelor's degree with honors from the University of Wisconsin; her master's degree from the
University of Chicago; and her Juris Doctor from Chicago-Kent College of Law. She is licensed in
Illinois and California and is a member of the bar of the U.S. Supreme Court. She is a member of the
American Health Lawyers Association.
Fay A. Rozovsky
Fay A. Rozovsky, JD, MPH, DFASHRM, is President of The Rozovsky Group, Inc. An experienced
healthcare risk management consultant and attorney, Ms. Rozovsky works with clients along the
continuum of care, providing healthcare professionals, organizations and leadership with practical
risk management and patient safety solutions. She is a Distinguished Fellow of ASHRM, and a past
President of the Society. Ms. Rozovsky has lectured extensively and authored or co-authored over five
hundred articles and several books. A summa cum laude graduate of Providence College, Ms. Rozovsky
received her JD from Boston College Law School and an MPH from the Harvard School of Public
Health. She is an Affiliate Associate Professor in the Department of Legal Medicine at the Virginia
Commonwealth University School of Medicine. Ms. Rozovsky is admitted to the practice of law in
Florida and Massachusetts. She is a member of the American Health Lawyers Association.
Mary S. Schaefer
Mary S. Schaefer, RN, M.Ed, ARM, JD, is Corporate Director of Risk Management of Covenant Health
Systems. In her current role, Ms. Schaefer provides oversight and direction over a system-wide risk
management program, insurance operations, and Captive medical malpractice claims management.
She currently serves as a member of Covenant's Quality Board Committee and Preferred Professional
Insurance Company's Claims/Risk Advisory Council. She currently chairs Covenant's Risk Management, Insurance and HIPAA Committees. Ms. Schaefer received a Juris Doctor from the New England
School of Law and is admitted to the Massachusetts Bar. She also earned a Master of Education from
Boston University, a Bachelor of Science in the nursing program, cum laude, from Central Connecticut
State University. She also earned an Associate Degree in Risk Management from the Insurance Institute of America. She is a member of the American Health Lawyers Association, and an active member
of its Risk Management Affinity Group of the Hospitals and Health Systems Practice Group.

Kathryn Kottemann Wire


Kathryn Kottemann Wire is Principal at Kathryn Wire Risk Strategies. She has managed professional
and general liability events in Missouri, Arkansas and south Texas. She also has consulted on development of risk and claim management models in system facilities and teamed with risk and quality
managers to maximize loss prevention based on poor outcomes. Ms. Wire also has been responsible
for defense management of all professional and general liability events for a regional system of nine
hospitals, four nursing homes and an extended network of ambulatory care. She initiated a program
for risk prevention and claims management, including investigation of all claims, oversight of outside
counsel and affiliated facilities (two hospitals, a nursing home, home health agency and occupational
health). She received her JD/MBA in 1980 from Washington University, and her BS in 1976 from
Northwestern University. She is admitted to practice law in Missouri and Illinois. She is a member of
the American Health Lawyers Association.
Theresa M. Zimmerman
Theresa M. Zimmerman, RN, BSN, JD, ARM, CPHRM, DFASHRM, is the Vice President, Chief
Quality Risk Officer for Community Mercy Health Partners. She has over twenty years' experience
in healthcare, risk management and law. She is past president of the Ohio Society of Healthcare Risk
Management, voted 2003 Ohio Risk Manager of the Year, and currently serves as president elect for
the American Society of Health Care Risk Management. In 2008, she was awarded the certificate of
recognition and designation of Distinguished Fellow for her contributions to the field of healthcare
risk management and patient safety by the American Society of Healthcare Risk Managers. In 2007
she was co-awarded the ASHRM Journal Author Excellence Award for an article calling for the inclusion of patients and family in root cause analysis after the occurrence of a serious adverse event. Terie
is a graduate from the Patient Safety Leadership Fellowship Health Forum (2003), Intermountain
Advanced Training Program in Health Care Delivery Improvement (2007), 2008 IHI Executive PSO
training program. She has also written for and spoken at state and national forums on legal, compliance, patient safety, leadership and risk management topics.

Contents
Preface
Acknowledgments
About the Editor
Contributing Authors

Part I - Introduction
Chapter 1 - Enterprise Risk Management - What's It All About?
1.1 Setting the Stage - Managing Risks
1.2 What Has Changed?
1.3 Risk Management as a Decision Making Process
1.4 Enterprise Risk Management (ERM)
1.6 Risk Relationships
1.7 Risk Correlation
1.8 Responsibility for Enterprise Risk Management
1.9 Organizational Risk Appetite
1.10 Risk Identification and Analysis
1.11 Strategy Setting and Solution Identification
1.12 Implementation Obstacles - Monitoring, Evaluating and Changing the Program
1.13 Benefits of ERM
1.14 ERM Success Factors
1.15 The Future Risk Management Professional
1.16 Conclusion
Table 1.1 - Reasons for Change
Exhibit 1.1 - Values Doctrine
Exhibit 1.2 - Risk Appetite/Risk Tolerance
Table 1.2 - Qualitative Measure of Risk Frequency
Table 1.3 - Measure of Time to Impact
Table 1.4 - Measure of Risk Severity
Table 1.5 - Fetal Hypoxia
Exhibit 1.3 - Sample Risk Map
Chapter 2 - Structuring an Enterprise Risk Management Program
2.1 Introduction
2.2 Laying the Groundwork
2.3 Designing and Conducting the Initial ERM Risk Identification Interviews and Survey Process
2.4 Addressing Identified ERM Risks
2.5 Integrating ERM into the Corporate Culture
2.6 Conclusion
Appendix

Part II - Financial Issues
Chapter 3 - Insurance and Risk Financing - The Basics
3.1 Introduction
3.2 Principles of Insurance
3.3 Insurance Company - Types
3.4 The Insurance Transaction
3.5 Claims-Made vs. Occurrence Coverage
3.6 Limits - Terms and Conditions, Sublimits, Scheduled Losses, etc.
3.7 The Insurance Policy
3.8 Insurance Policies by Line of Coverage
3.9 Self Insurance
3.10 Captives vs. Trusts
3.11 Commentary
3.12 Conclusion
References
Exhibit 1 - Captives vs. Trusts: Comparison of Key Issues
Exhibit 2 - Captives vs. Trusts: Cost Comparison
Chapter 4 - Claims Management: A Tool for Enterprise Risk Management
4.1 Introduction
4.2 Implementing a System to Identify and Report Disputes
4.3 Timely Investigations of Potentially Compensable Events and Claims
4.4 Tracking Claims, Events, and Disputes
4.5 Selection of Defense Counsel
4.6 Obtaining Experts
4.7 Establishing Sound Reserving Policies
4.8 Fair Resolution of Claims and Suits
4.9 Pre-Trial Preparation and Discovery
4.10 Taking the Case to Trial: Issues and Strategies
4.11 Commentary
4.12 Conclusion
Chapter 5 - Contracts - An ERM Approach
5.1 Introduction
5.2 Contract Review
5.3 Contract File Management
5.4 Critical Contract Provisions
5.5 Specific Issues in Healthcare Contracts
5.6 Commentary
5.7 Conclusion
References
Attachment 1 - Policy: Contract Review, Execution and File Maintenance
Attachment 2 - Contract Transmittal Memorandum
Attachment 3 - Annual Evaluation of Service Provided By Contract
Attachment 4 - Contract Review Worksheet
Attachment 5 - Components Of Contract Review
Attachment 6 - Contract Review and File Maintenance
Attachment 7 - Healthcare Contracts: Key Issues
Chapter 6 - Financial Challenges
6.1 Introduction
6.2 Volume
6.3 Cost
6.4 Pricing/Payment
6.5 Capital
6.6 Commentary
6.7 Conclusion
Exhibit 1 - Most Significant Factors Related to Hospital Volume: 2008-2013
Exhibit 2 - Most Significant Factors Affecting Hospital Costs, 2008-2013
Exhibit 3 - Most Significant Factors Affecting Hospital Prices/Payment: 2008-2013
Exhibit 4 - Shift in Credit Quality, 1990-2007
Exhibit 5 - Most Significant Factors Affecting Hospital Capital: 2008-2013
Chapter 7 - Financial Stewardship
7.1 Introduction
7.2 Maintaining Tax Exemption
7.3 Tax Reporting and Payment Issues
7.4 Corporate Oversight of Financial Affairs
7.5 Use of Property Financed by Tax-Exempt Bonds
7.6 Commentary
7.7 Conclusion

Part III - Hazards
Chapter 8 - Energy Management as an ERM Process
8.1 Introduction
8.2 Energy Management as an ERM Process
8.3 Energy Management and Loss Prevention
8.4 Energy Management and Claims
8.5 Energy Management and Risk Financing
8.6 Conclusion
Chapter 9 - An Enterprise Risk: Pandemic Influenza
9.1 Introduction
9.2 Duty to Patients
9.3 Duty to Workforce
9.4 Duty to the Community
9.5 Other Key Relationships
9.6 Conclusion
Compendium of Pandemic Policy Resources
Chapter 10 - Environmental Compliance in the Context of ERM
10.1 Introduction
10.2 Environmental Laws that Affect Healthcare Facilities
10.3 Environmental Audits
10.4 The Significance for In-House Counsel, the Governing Board, and Executive Leadership
10.5 The Key to Success: Environmental Management Systems (EMS)
10.6 Commentary
10.7 Conclusion
Appendix
Recordkeeping Requirements for Many of the Relevant Environmental Regulations Discussed In Chapter

Part IV - Human Capital
Chapter 11 - Minimizing Risk in the Employment Relationship
11.1 Introduction
11.2 Regulation of the Employment Relationship
11.3 Managing the Stages of the Employment Relationship
11.4 Handling Challenges to Employment Decisions
11.5 Commentary
11.6 Conclusion
Chapter 12 - What to Expect and What to Do When OSHA Comes Knocking
12.1 Introduction
12.2 The OSHA Process
12.3 Significance for In-House Counsel, the Governing Board, and Executive Leadership
12.4 Commentary
12.5 Conclusion

Part V - Legal & Regulatory Concerns
Chapter 13 - Adverse Event Reporting: Reporting for Patient Safety and Public Health
13.1 Introduction
13.2 An Overview of Programs
13.3 An Overview of Reporting Processes
13.4 Mandatory State Reporting
13.5 Reporting and Risk
13.6 Conclusion
Appendix - National Quality Forum 2006 Serious Reportable Events
Chapter 14 - Human Research and IRBs
14.1 Introduction
14.2 Overview of Human Research Requirements


14.3 Federal Regulatory Infrastructure
14.4 Sponsored Research Trials
14.5 IRBs and the Research Office
14.6 Why an Enterprise Risk Management Model
14.7 An Enterprise Risk Management Systems Checklist for Human Research and IRB Administration
14.8 Conclusion
Resources

Chapter 15. Mandatory Disclosure of Adverse Events to Patient/Family
15.1 Introduction
15.2 When Disclosure is Necessary
15.3 Barriers to Disclosure
15.4 How to Disclose
15.5 Commentary
15.6 Conclusion
Resources

Chapter 16. Compliance and Enterprise Risk Management
16.1 Introduction
16.2 Elements of an Effective Corporate Compliance Program
16.3 Commentary
16.4 Conclusion

Part VI. Operations

Chapter 17. Consent to Treatment: An ERM Perspective
17.1 Introduction
17.2 The Key Elements for Consent to Treatment
17.2 Exceptions to the Rules of Consent
17.4 Clinical Research
17.5 Information Flow in the Consent Process: An Enterprise Risk Exposure
17.6 Consent Documentation
17.7 Risk Exposures in a Consent ERM Model
17.8 Case Example
17.9 ERM Treatment of Consent Risk Exposures
17.10 Setting the Context for Patient Communication
17.11 Disclosure of Adverse and Unanticipated Outcomes
17.12 Role of Legal Counsel in an ERM Framework for Disclosure
17.13 Conclusion

Chapter 18. Peer Review and Credentialing in an Era of Enterprise Risk Management
18.1 Introduction
18.2 Practitioner Credentialing
18.3 Documentation of Credentialing Criteria
18.4 Potential Liabilities Related To Credentialing



18.5 Commentary
18.6 Conclusion

Chapter 19. Economic Credentialing: A Balancing of Risks
19.1 Introduction
19.2 Background
19.3 Government Accountability Office
19.4 Office of Inspector General
19.5 Statutory Provisions
19.6 Case Law
19.7 Commentary
19.8 Conclusion

Chapter 20. Healthcare-Associated Infections
20.1 Introduction
20.2 Background and History of Prevention and Infection Control in the US
20.3 Epidemiology of Healthcare-Associated Infections
20.4 Impact of HAIs on Healthcare Professional Liability
20.5 Role of Legal Counsel
20.6 Compliance with Published Guidelines
20.7 Review of Surveillance Results
20.8 Public Reporting of Surveillance Data
20.9 Outbreak Investigation
20.10 Governing Board and Executive Leadership
20.11 Commentary
20.12 Conclusion
Table 1. Classification of Surgical Wounds

Chapter 21. The Patient Experience, Transparency, and ERM
21.1 Introduction
21.2 IOM Reports Impact on Healthcare
21.3 Highest Opportunity Areas for Patient Safety Improvement
21.4 Call for Transparency
21.5 The Impact of National Initiatives (IHI, NPSF, NQF, AHRQ, Leap Frog)
21.6 A Word about Patient Satisfaction
21.7 Commentary
21.8 Conclusion
Resources
Appendix A

Part VII. Strategic Issues

Chapter 22. Public Relations, Marketing, and Advertising
22.1 Introduction
22.2 Image and Reputation
22.3 The Brand Standard



22.4 Issues Most Likely to Test an Organization's Image and Reputation
22.5 And Now a Word about Advertising
22.6 Commentary
22.7 Conclusion
Figure 1. Crisis Communications Plan Table of Contents
Figure 2. Rules of Thumb for Positive Patient/Family Communication
Figure 3. Media Relations Dos and Don'ts

Chapter 23. ERM and Managed Care
23.1 Introduction
23.2 A Historical Perspective of Risk Management in a Managed Care Organization
23.3 What are the Risks?
23.4 How to Manage the Risks
23.5 Commentary
23.6 Conclusion

Chapter 24. ERM in the Context of Mergers, Acquisitions, Divestitures, and Joint Ventures
24.1 Introduction
24.2 Definitions
24.3 Strategic Transactions and a Healthcare Organization's ERM Program
24.4 Strategic Transactions: The Due Diligence Process
24.5 Transaction Risk Analysis and the ERM Program
24.6 Impact of the Form of Strategic Transaction on ERM Program
24.7 Overview of the Due Diligence Process in the Context of an Enterprise Risk Management Program
24.8 The Most Often Overlooked Due Diligence Item: Culture
24.9 Managing Costs
24.10 Managing the Strategic Transaction and the Due Diligence Process
24.11 Due Diligence Reports
24.12 Commentary
24.13 Conclusion

Chapter 25. Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
25.1 Introduction
25.2 Part I: Choice of Medical Travel Destination and Medical Care
25.3 Part II: Legal Ramifications of Medical Travel from the Physician, Provider, and Payor Perspective
25.4 Commentary
25.5 Conclusion


Chapter 26. Retail Health Clinics
26.1 Introduction
26.2 Retail Health Clinic Structures
26.3 Enterprise Risk Management Considerations
26.4 Commentary
26.5 Conclusion

Part VIII. Technology

Chapter 27. Telemedicine and Enterprise Risk Management
27.1 Introduction
27.2 Telemedicine Risk Management Summary
27.3 Telemedicine Equipment Risk Management Issues
27.4 Negligence in Telemedicine: Case Law Review
27.5 Clinical Risk Management: Extending Performance Improvement Policies to Telemedicine
27.6 Reimbursement: Medicare, Medicaid, Grants and Private Pay
27.7 Commentary & Conclusions

Chapter 28. Electronic Health Records: An Enterprise Risk Approach
28.1 Introduction
28.2 Medical Professional Liability
28.3 EHR Vendor Contracts
28.4 Regulatory Concerns: HIPAA, Stark, and Anti-Kickback
28.5 Patient Privacy and Security: HIPAA
28.6 Fraud and Abuse
28.7 Conclusion
Table 1. HIPAA Security Rule: Security Standards
Table 2. Stark and Anti-Kickback EHR Provisions
Table 3. Stark and Anti-Kickback e-Prescribing Provisions

Chapter 29. Radio Frequency Identification: A Challenge for Healthcare
29.1 Introduction
29.2 What is RFID?
29.3 Types of RFID Tags
29.4 Frequency and Range of RFID Tags
29.5 RFID Tag and Data Standardization
29.6 Regulatory Approvals by the Federal Communications Commission
29.7 Food and Drug Administration Regulation
29.8 Using RFID in Healthcare
29.9 Challenges for Legal Counsel
29.10 RFID Privacy Concerns
29.11 Other Privacy and Security Concerns
29.12 Radiofrequency Interference
29.13 Training Staff and Educating the Public
29.14 Information Technology Interface: Risks and Opportunities
29.15 Who is Responsible for Maintaining the System?


29.16 Selecting RFID Vendors and Consultants
29.17 RFID Backup
29.18 Who Controls RFID Policy in the Organization?
29.19 Challenges that Require Special Attention
29.20 Conclusion
Recommended Reading

Chapter 30. E-Discovery and Enterprise Risk Management
30.1 Introduction
30.2 Identify Technologically Based Risks of Your EHR System
30.3 E-Discovery Risk Management Steps
30.4 The Federal Rules Approach to E-Discovery
30.5 Commentary
30.6 Conclusion
30.7 References


Part I
Introduction
Principle #6: A charitable organization's board should ensure that the organization has adequate plans to protect its assets. This Principle indirectly endorses the
concept of enterprise risk management as a proper topic for formal board attention.
It concludes that boards are responsible for understanding the major risks to which the
organization is exposed, reviewing those risks on a periodic basis, and ensuring that
systems are in place to effectively manage those risks. Many nonprofit hospitals and
health systems have long maintained components of such a strategy (e.g., corporate
compliance plans, insurance covering key assets, quality of care oversight, technology
backup, asset insurance, and indemnification and insurance protection for officers and
directors). By this principle, however, the Panel describes additional components of
enterprise risk management and encourages boards to evaluate risk mechanisms from
a more global perspective.
From Principles for Good Governance and Ethical Practice: A Guide for Charities and
Foundations at http://www.nonprofitpanel.com/selfreg/Principles_Guide.pdf.


1
Enterprise Risk Management: What's It All About?
Roberta Carroll, RN, ARM, CPCU, MBA, CPHRM, CPHQ, LHRM, HEM, DFASHRM
Senior Vice President, Aon Healthcare
1.1 Setting the Stage: Managing Risks

The medical professional liability crisis of the '70s and '80s was the impetus for development of
most risk management programs. Initially, the emphasis was on insurable risk and facility hazards
with a financial and claims focus gradually moving toward responding to clinical risks. The movement
toward clinical risks was a reactive strategy to improve patient safety, albeit not necessarily said in
such terms. The risk management professionals thought their efforts to avoid, prevent, and manage
clinical risk would preserve the financial assets of the organization through the delivery of safe patient
care. Somewhere along the way, this message was lost.
The identification and management of organizational risks heretofore has been fragmented into
silos of responsibilities and accountabilities across the organization with no clear coordination, facilitation, or communication. For the most part, risks have been managed as if they were in standalone,
disparate business units with no oversight or relationship with other units.
Healthcare risk management programs started in the acute care hospital setting and have expanded
over time to other healthcare settings outside the conventional hospital borders. Common to most
healthcare risk management programs have been the development and implementation of early warning systems to identify organizational risks. The most familiar of all early warning systems is the
incident report. The incident report has been a reactive or retrospective internal source of information widely supported by nursing practitioners as a reporting tool for adverse events or happenings not
consistent with normal operations. However, even this cornerstone of healthcare risk management has
no common taxonomy, offering no standardization from one organization to the next. The majority of
states have adverse event reporting requirements: one is voluntary (Oregon), while others are mandatory. The data collected varies from state to state, and little to no strategies and solutions to mitigate
risk are offered. Without a common taxonomy or standardization of data sets among the reporting
systems, the wealth of information currently being amassed by individual state reporting systems has
no means by which trends can be identified, common themes recognized, lessons shared, or mitigation
strategies implemented. Current efforts by the World Health Organization (WHO), The Joint Commission, and the Agency for Healthcare Research and Quality (AHRQ) are addressing just this issue.
The passage of the Patient Safety and Quality Improvement Act of 2005[1] (The Patient Safety Act) and
implementing regulations[2] are anticipated to assist data collection and offer a repository of information
geared to improve patient safety.
1.2 What Has Changed?

The healthcare delivery system in the 21st century has changed dramatically from the not-too-distant past. Many of these changes have clearly placed the spotlight on healthcare as a setting of evolving
risks. See Table 1.1 for a listing of reasons why healthcare changed. This chapter will not discuss these
changes; however, it is important to remember that change, regardless of how well intended or necessary, is not without risk. Healthcare organizations need to identify and manage all their risks, not just
those with which they are familiar or comfortable, have previously identified, or can easily quantify.
The focus of risk management has changed, expanding to identify and assess risk proactively in
tandem with other risks, involving the highest levels of the organization (Board and C-Suite[3]) and requiring the collaborative effort of all employees. No longer can healthcare risk management simply react
to clinical risks and hope that patient safety is achieved; efforts must focus on risks that affect the
entire organization and not just one aspect of operations.
1.3 Risk Management as a Decision Making Process

Risk management as a management decision making process, espoused by George Head from
the Insurance Institute of America (IIA), has been around since the early 1970s. The risk management
process includes the following steps: (1) identifying risk and analyzing an organization's exposure to
loss; (2) examining alternate risk techniques; (3) selecting the best technique(s); (4) implementing the
technique(s) chosen; and (5) monitoring and making changes as necessary. This 5-step process has
been embraced by healthcare risk management professionals since those early days as well. It is within
this context that enterprise risk management will be discussed.
1.4 Enterprise Risk Management (ERM)

The following section will address the background of enterprise risk management, offer a definition in the context of healthcare, and identify activities that support ERM.

[1] Pub. L. 109-41 § 2(a)(5), 119 Stat. 424.
[2] For information on Patient Safety Organizations, including the final rules, see http://www.pso.ahrq.gov/regulations/finalrule.htm.
[3] C-Suite = chief executive officer (CEO), chief financial officer (CFO), chief medical officer (CMO), chief nursing officer (CNO), chief operating officer (COO), chief administrative officer (CAO), chief risk officer (CRO), chief compliance officer (CCO), etc.


1.41 ERM Background

There has been much conversation on the topic of enterprise risk management in the past five
years but little progress in healthcare. ERM was first initiated within the financial sector which includes
banks, investment companies, brokerage houses, and insurers. Consequently, comprehensive systems,
processes, metrics, models, and best practices are well developed in this business sector. Couple those
with stringent regulations and government oversight, and you have a business sector that is more
sophisticated and mature in terms of ERM than healthcare. So, how is the dramatic decline in public
confidence and escalating home foreclosures created by the recent mortgage debacle explained? How
are the Wall Street investment firms' scandals with investors losing billions justified? Understanding
that no organization or business sector is immune from catastrophic loss is a start.
Scandals involving accounting compliance and corporate governance such as those seen with
Enron, WorldCom, and Tyco prompted the passage of the Sarbanes-Oxley Act of 2002 (SOX). This
was the impetus for many organizations to implement enterprise risk management programs. The
requirements of SOX are focused primarily on publicly traded, for-profit companies; however, many
not-for-profit healthcare organizations are voluntarily complying with the principles and financial controls embedded within SOX. Additionally, SOX heightened the awareness of boards of directors as to
their responsibility for identifying and managing organizational risks and called the question of ERM
programs to the forefront.
The Treadway Commission's Committee of Sponsoring Organizations (COSO)[4] in 2004 issued
the Enterprise Risk Management – Integrated Framework. This publication offered an ERM framework
and provided a set of best practices for organizations to use when implementing ERM programs.
This report was an expansion on the work companies were already doing to comply with SOX and
offered guidance for creating an organization-wide risk management program.
Furthering support for ERM programs, beginning in 2007 financial companies will be asked a
series of questions about risk management in their evaluation by Standard & Poor's (S&P), the debt
rating agency. The results of their evaluation are just one of many factors used to determine a company's debt rating. This evaluation, in part, determines the interest rate lenders charge for loans or bonds.
On May 7, 2008, Standard & Poor's announced that the agency will enhance its global rating process
for non-financial companies to include a review of their ERM programs. S&P will begin to hold ERM
discussions with rated companies in the third quarter of 2008 and will begin to include commentary in
S&P reports in the fourth quarter. It is unlikely that the formal scoring of companies' ERM capabilities will go into effect much before 2009 because a sufficient number of reviews to permit reliable
benchmarking needs to be conducted and evaluation criteria need to be published.[5] The impact that
S&P will have on rated healthcare organizations is still to be determined, but most likely will not be
an immediate priority.
[4] COSO is the Committee of Sponsoring Organizations of the Treadway Commission. A voluntary council with members from five accounting organizations, COSO represents a cooperative effort between the American Institute of Certified Public Accountants, American Accounting Association, the Financial Executives Institute, the Institute of Internal Auditors, and the Institute of Management Accountants. For more information, go to http://www.coso.org.
[5] Enterprise Risk Management: S&P Enhancement White Paper, Executive Summary, p. 2, May 2008, Aon Global.



Enterprise risk management calls for change from a reactive incident-based, clinically-focused
risk management program to a more holistic, multidisciplinary program focused on all risks facing the
organization. Assisting legal counsel in understanding the changing dynamics of organizational risks
and the synergistic effect which those risks have is vital to practicing proactively and is the basis for
this chapter.
1.5.2 ERM Defined

Creating a common language and accepted definition of terms is important when discussing enterprise risk management. Enterprise risk management means different things to different people. It is a
discipline, a practice, and a process. The following working definitions are offered:
Enterprise risk management is a discipline that engages professionals in the practice of
identifying, managing, controlling, and monitoring all risks to the organization.
And
Enterprise risk management can best be described as an ongoing business decision making
process instituted and supported by the healthcare organization's board of directors, executive
administration and medical staff leadership. ERM recognizes the synergistic effect of risks
across the continuum of care, and has as its goals to assist the organization reduce uncertainty
and process variability, promote patient safety and maximize the return on investment (ROI)
through asset preservation, and the recognition of actionable risk opportunities.
In Enterprise Risk Management – Integrated Framework,[6] issued by COSO in 2004, enterprise
risk management is defined as "a process, effected by an entity's board of directors, management
and other personnel, applied in strategy setting and across the enterprise, designed to identify potential
events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives."
As discussed earlier, even though healthcare organizations have not made tremendous inroads
into ERM, it does not mean that they have not been managing risk. The difference between the previous methods of identifying and managing risks and ERM is the recognition of gain as a possible
outcome of risks, the identification of risks proactively as opposed to reactively and understanding
the synergistic relationship among and between risks. Risks do not exist in isolation and can best be
understood in terms of importance or contribution to a portfolio of risks. Risks cross organizational
structures and relationships and should be managed initially in a comprehensive manner from the
top-down. Over time, through education and practice, ERM will permeate the entire organization and
empower all employees to identify risks and recommend mitigation strategies. ERM becomes vertical
and horizontal and becomes a top-down as well as an upward process.

[6] Available at http://www.erm.coso.org/Coso/coserm.nsf/vwWebResources/PDF_Manuscript/$file/COSO_Manuscript.pdf.

1.5.3 ERM Activities

ERM is a series of interrelated activities that are broad in scope and reflect an organizational-wide,
ongoing commitment. Failure to recognize the synergistic effect of risks across the full continuum of
healthcare settings jeopardizes the implementation of long-term risk mitigation strategies and increases
costs through inefficient deployment of resources. To be most effective, it should be part of strategic
planning for the organization and a proactive as well as reactive process.
When developing an organizational-wide ERM program, consideration must be given to differences in the setting or locale (acute care hospital, skilled nursing facility, physician office practice),
organizational structure (for profit, not-for-profit, governmental), business approach and strategy
(community based, faith-based, academic/teaching, integrated network), stakeholders and customers,
and systems and processes, as no organization is exactly alike and many organizations have disparate
parts. The challenge in developing an ERM program is consistency in process: getting everyone on the
same page, so to speak, at the same time and with the same focus.

1.5.4 Risk Domains

Regardless of the setting or locale, it is common practice to refer to domains or areas of risks
when discussing ERM. The following are typical areas or domains of risks under ERM with a common
description for each and examples. They can contract and expand depending upon the ERM definition,
organizational preference, settings, and uses.
1. Operational: Risks related to the business operation that result from inadequate or failed internal processes, people, or systems. The business of healthcare is patient/resident related with an
emphasis on the delivery of clinical care that is safe, timely, effective, efficient, and patient-centered. Examples of healthcare operational risk areas include but are not limited to:
   - Documentation
   - Quality Initiatives
     - Pay for Performance (P4P)
     - Variability in care and quality outcomes
   - Adverse event management
     - The use of disclosure and apology
     - Transparency
   - Chain of command
   - Medical professional liability
   - National Quality Forum's list of 28 Never Events
   - Patient falls
   - Medication errors
   - National Patient Safety Goals (NPSGs).

2. Financial: Risks that affect the profitability, cash position, access to capital, or external financial
ratings through business relationships or the timing and recognition of revenue and expenses.
Examples of areas that can create financial risks include:
   - Billing, collection activities and account receivables
   - Emphasis on Medicare secondary payer statutes and non-payment strategies for never events
   - Corporate compliance (fraud and abuse)
   - Charitable care
   - Possible loss of tax-exempt charitable status
   - Healthcare financing changes due to new administration and Congress
   - Credit and interest rate fluctuations
   - Stock market devaluation and its impact on an organization's financials
   - Capitation contracts
   - Foreign exchange rate
   - Days of cash on hand
   - Growth in programs and facilities
   - Capital structure
   - Capital equipment.
3. Human Capital: Risks that relate to the organization's most valuable asset, the workforce. This
is an explosive area of exposure in today's tight labor market including employee selection, retention and turnover, absenteeism, and compensation. Human capital risks have expanded and now
may include risk associated with the recruitment, retention, and termination of members of the
medical staff. Human resource areas that can cause or create risks include:
   - Culture and environmental
   - Wrongful termination
   - Sexual harassment
   - Disruptive behavior
   - Discrimination
   - Morale
   - Diversity
   - Fatigue
   - Staffing
   - Safety/Ergonomics
   - Absence and productivity management
   - Hiring practices
     - Competency
     - Literacy
     - Criminal background checks
     - Substance abuse
     - Employee handbook
     - Orientation and continuing education
   - Breach of contract
   - Position descriptions
   - Policies and procedures
   - Infection control.
4. Strategic: Risks associated with brand and reputation and risks associated with business strategy,
failure to adapt to a changing healthcare environment, changing customer priorities and competition. Strategic risks can be associated with:
   - Managed care relationships
   - Antitrust
   - Conflicts of interest (perceived and real)
   - Marketing and sales
   - Advertising
   - Insurance coverage
   - Media relations
   - Business ventures
   - Mergers, acquisitions and divestitures
   - Contract administration.
5. Legal, regulatory: Incorporates risks arising out of licensure, accreditation, statutes, standards
and regulations, CMS CoPs (conditions of participation), product liability, management liability,
as well as issues related to intellectual property. The areas that can create risks are many, a few of
which include:
   - Statutes, standards, and regulations such as:
     - Emergency Medical Treatment And Labor Act (EMTALA)
     - National Practitioner Data Bank (NPDB)
     - Health Insurance Portability and Accountability Act (HIPAA)
     - Centers for Medicare and Medicaid (CMS) Inpatient Prospective Payment System (IPPS)
   - Accreditation: The Joint Commission, American Association for Ambulatory Health Care
     (AAAHC), DNV Healthcare, Inc.
   - State licensure
   - Office of Inspector General (OIG)
   - Hazardous waste disposal
   - Integrity programs
   - 3rd party reports
   - External reviews
   - Stark I and II safe harbors
   - Private inurement.
6. Technology: Those risks associated with the use of machines, hardware, equipment, devices and
tools, but can also include techniques, systems, and methods of organization. Healthcare has seen
an explosion in the use of technology. Examples include:
   - Computerized physician/provider order entry system (CPOE)
   - Electronic medical/health record (EMR/EHR)
   - Radio Frequency Identification (RFID) used for:
     - Babynapping
     - Wandering
     - Surgical sponges, equipment
     - Inventory control
     - Patient tracking
   - Bar Coding
   - Robotics used in:
     - Remote surgery
     - Runners
     - Companions
     - Medication dispensing and packaging
     - Medical monitoring
   - Simulation
   - Telehealth/teleradiology such as:
     - Nighthawking (out-of-facility reading and interpretation of radiological reports)
     - Picture Archiving and Communication Systems (PACS)
     - eICU.

7. Hazard: Risks attributable to physical loss of assets or a reduction in their value. Traditionally
insurable risk related to natural hazards and business interruption. Areas that can create hazard
risk include:
   - facility management;
   - patient valuables;
   - plant age;
   - earthquakes;
   - windstorm;
   - tornadoes;
   - hurricanes;
   - fire;
   - parking (lighting, location, security); and
   - construction/renovation.

1.5.5 ERM Framework

Risks can keep an organization from achieving its mission and strategy objectives. Risk management professionals can make a meaningful contribution by partaking in the strategic planning process
and should become partners with those responsible for strategy setting. All healthcare operations have
some level of risk. The risk management professional can assist the organization in considering risks
associated with new programs both clinical and non-clinical, going green, expansion into new markets such as those seen with medical tourism, mergers, acquisitions and divestitures, and the purchase
and implementation of technological advances, to name a few. Emerging risks can occur in any area
(financial, human resources, technological, legal and regulatory, etc.) and should be thoroughly evaluated to determine the impact to the organization. It may be necessary to engage the expertise of others
if the risk manager does not have the requisite skills necessary to evaluate those risks thoroughly. An
annual assessment of risks to the organization can lay the foundation for the development and review
of the strategic plan. Developing a comprehensive ERM framework will also support the yearly budgeting process mapped to risk initiatives.
It is also important to understand that the practice of risk management is not the practice of law,
medicine, nursing, accounting, actuarial science, or insurance. It is a management discipline supported
by a business decision-making process that utilizes the expertise of many professionals. While having
a clinical, legal, or other professional background may be helpful as a practicing risk management
professional, keep in mind that risk management decisions, recommendations, and opinions are based
on sound business practices and are not to be confused with rendering a legal opinion or a medical
recommendation.

1.6 Risk Relationships

Risks are uncertain events or conditions. Pure risk implies that there is no possibility of a gain.
Either a loss is realized or the status quo is maintained. There is another type of risk that ERM recognizes called speculative risk where there is the possibility of gain/profit or loss. The best example of
speculative risk is gambling. Not considering for a moment the odds of a particular outcome, in speculative risk the possibilities include winning or losing. In healthcare, many risks can be considered
speculative because of the possibility that, if managed appropriately, they can benefit an organization.
Benefits to the organization can include giving the organization a competitive edge, receiving additional dollars under P4P metrics, attracting a higher caliber of professionals to their staff, maintaining
or increasing market-share, and the like.

1.7 Risk Correlation

The synergistic effects of risks can impact more than one area or domain simultaneously. All risks
should be evaluated in concert with other risks. Risks may be positively or negatively correlated with
other risks. In risks that are positively correlated, as the probability of one risk increases so does that
of an associated risk. Employee dissatisfaction, diminished morale, and a negatively perceived work
environment often contribute to increased risks in the human capital domain. The human resource
department, responding to these risks and the workforce's desire for flexible hours and a decreased number of work days, implemented twelve-hour work shifts. Oftentimes what was anticipated to be a
12-hour shift turns out to be greater than 12.5 hours. These longer shifts
increase the risks of fatigue, falling asleep, and medical professional liability. Studies
have shown that the likelihood of making an error almost doubled when nurses worked 12.5 or more consecutive hours,
and the majority of those errors were medication errors.[7]
In negatively correlated risks, the probability or impact of increasing one risk decreases that of
an associated risk. As an example of a negatively correlated risk, consider the organization that wants
to decrease the number of days patients are on ventilators in the intensive care unit; certainly a worthwhile goal. If the organization only strives to decrease the length of time patients are on ventilators,
it may not account for the number of re-intubations in the same unit during the same period of time.
The number of patient days on ventilator may decrease but the rate/number of re-intubations may
increase, giving a false picture of positive outcomes. Risks need to be identified and managed together
to receive maximum benefit. Looking at risk in a silo may not account for the unrecognized trickle-down or synergistic effect.
Utilizing an ERM framework will support the organization's ability to evaluate processes and
outcomes in tandem while understanding the cascading effect of risks or how independent intervening
events can come together at just the right time to create risks that affect the delivery of care. James
Reason best described this theory when explaining his Swiss Cheese theory of accident causation.
Reason explains that accident causation is akin to lining up small failures or fractures in organizational
systems and processes much like the holes in Swiss cheese. No one failure would cause the error;
instead, the error is the result of a series or combination of errors, any one of which, if identified and corrected,
could have eliminated the error.

[7] Scott L.D., Rogers A.E., Hwang W.T., and Zhang Y., Effects of Critical Care Nurses' Work Hours on Vigilance and
Patients' Safety, American Journal of Critical Care, January 2006, Volume 15, No. 1.

ERM practices can be implemented from the individual position level through the senior organizational level. Staff involved in day-to-day departmental activities are in the best position to evaluate
risks within their area of competency or responsibility and can easily share their results with those
responsible for ERM. Those responsible for ERM need to be able to see the big-picture and connect
the dots. What might be a significant risk to a frontline manager may, in relationship to all risks facing
the organization, be insignificant.
The organization's ability to appropriately identify and manage risks can significantly affect public perception. The recent publicity surrounding disclosure and apology for preventable medical error
and the public attack on charitable care bring these issues front and center. Facilities that do not
practice transparency and full disclosure are taking a hit in public perception and confidence. This
will eventually (sooner rather than later) have a trickle-down effect and impact marketing strategies.
Organizations that have taken an early position to be fully transparent when dealing with patients,
their families, the public, and internally with staff are now reaping the benefits through positive public
relations, and improving future patient care through lessons learned. The potential for decreased costs
may be realized through reduced claims severity and reduced frequency of lawsuits.

1.8 Responsibility for Enterprise Risk Management

Because ERM takes a broad, high-level view of risks, it requires the commitment of strategically
placed professionals throughout an organization, including those in the C-Suite. All successful ERM
programs have this high level of organizational commitment. The responsibility for ERM, however,
ultimately resides with the board of directors. This dictates that the board understands the principles
and practices of ERM, is conversant in how those practices and principles differ from traditional risk
management programs, supports an environment that embraces change, and sets strategy to support
ERM activities. Legal counsel can be particularly helpful in educating the board as to their risk
responsibilities and preparing them for ERM adoption. Other board responsibilities include:
- creating and endorsing a Values Doctrine espousing the ERM process (see Exhibit 1.1);
- reviewing identified organizational risks in concert with other risks;
- approving risk ranking/scoring;
- reviewing and approving initiatives and prioritization; and
- reviewing status reports routinely (monthly/quarterly) until resolution.
The board's role in ERM is ongoing and continuous. Once solutions are implemented, they need
to be periodically assessed to ensure that the solution identified and implemented is still working
and fits the risk. Risks can and do change over time. What works today may not work tomorrow. In
addition, new risks will be identified and new solutions developed. ERM is a process, not a one-time
function; it is a series of related ongoing activities. Understanding the answers to the following key
risk questions will assist the board in understanding ERM:
- What are the organization's mission, vision, and strategy?
- How does the organization include ERM in strategy setting?
- What are the organization's objectives?
- How will the ERM strategy be communicated and executed throughout the company?
- How will each division/unit/team contribute to meeting the goals of the ERM strategy?
- How will teams/individuals be held accountable for success?
- Has the organization identified all the critical risks to which it is exposed?
- Does our organization have effective controls in place to manage its critical risk?
- Are risks greater now than 12, 18, or 24 months ago?
- Are these risks within acceptable limits?
- Do we have competent risk professionals to manage the process?

1.9 Organizational Risk Appetite

Risk appetite is the amount of risk an organization is willing to assume for a return it hopes to
achieve. ERM assists an organization in selecting a strategy that is consistent with risk tolerance parameters. The concept of risk appetite is important for the board of directors to understand. Is the organization
risk averse, insuring all risks from the first dollar of loss, or is it a risk taker with sophisticated
programs of self-insurance and other forms of alternative risk financing? Remember, the more risks taken,
the greater the responsibility for managing risks. See Exhibit 1.2, Risk Appetite/Risk Tolerance.

1.9.1 Risk as a Competitive Advantage

Earlier in this chapter, when discussing speculative risk, it was identified that risks can have a positive outcome or gain. There are two significant questions to ask when discussing risk as a competitive
advantage. They are:
- Is the risk more dangerous to our competitors?
- Can we manage the risk better than our competitors?
The answers to these questions will help an organization take the lead among its competition.
Competitive advantage in the marketplace is often discussed in terms of earnings per share or some other financial
metric. In healthcare, competitive advantage often has quality of care outcomes and decreased variability at its core.

1.9.2 Your Organization's Risk Profile

An important aspect of ERM is a thorough understanding of your organization: its operations,
people, products, assets, processes, systems, stakeholders, customers, suppliers, and so on. In today's
competitive and economic environment, healthcare organizations are venturing across borders not
previously recognized, supporting the delivery of care in less-than-conventional settings, such as those
seen with medical tourism, a topic discussed in Chapter 25. Healthcare settings regardless of delivery
location vary and include:
- Acute care hospital
- Long-term care facility
- Hospice
- Rehabilitative
- Behavioral health
- Home care
- Assisted living (ALF)
- Skilled nursing (SNF)
- Continuing care retirement communities (CCRC)
- Ambulatory care
  - Physicians' group practice
  - Ambulatory surgery (ASC)
  - Out-patient clinics
  - Convenient care clinics (CCC).

1.10 Risk Identification and Analysis

The identification and analysis of risk is management's attempt to determine what risks can impact
strategy and the achievement of organizational goals. Both formal and informal methods are used to
identify organizational risk. Risk can be internal within an organization or external to it. Risks can
be identified retrospectively, concurrently, pre-interventionally, and prospectively. The incident report,
the longest in-use risk identification tool (albeit not necessarily the best method to identify significant
risks), can be both a retrospective and concurrent method by which risks are identified depending on
the timeliness of the report. The use of occurrence reporting in high-risk areas (for example, every
delivery where a baby is born with an Apgar score of 5 at five minutes is reviewed or when a patient
returns to the emergency department within 48 hours after discharge) is a form of concurrent risk
identification used in clinical settings. The review of discharged patient medical records using a set
of predetermined screens is a form of retrospective risk identification. The Institute for Healthcare
Improvement's (IHI) Global Trigger Tool for Measuring Adverse Events[8] is another method for retrospective risk identification. Current efforts to minimize wrong-site, wrong-person, wrong-body-part
surgery through the use of a universal time-out are a type of pre-intervention risk identification. The
study of filed claims and lawsuits to determine trends that could likely form the basis for future claims
and failure mode and effects analysis (FMEA) are examples of prospectively identifying risks. Risks
can be identified on an organization-wide basis or can be department/unit specific.

[8] Available at http://www.ihi.org/IHI/Topics/PatientSafety/SafetyGeneral/Tools/IHIGlobalTriggerToolforMeasuringAEs.htm.

Risk identification tools can be developed and used to survey leadership, and interviews can be
conducted to drill down further on risks previously identified. When preparing a survey tool, care should
be taken to include all areas/domains of risk. Open-ended questions should also be asked to solicit
additional comments not covered by survey questions. Other questions might include:
- What other aspects of your position keep you awake at night?
- Would you go to your emergency department if ill? And if not, why not?
- Given unlimited resources, what would you implement first that could impact patient care?
- What would you change first?
- Where are we wasting resources and, if possible, where would you re-deploy them?
Additional survey instructions may also ask the participants to identify current risk mitigation
initiatives and risk owners. Asking participants to rank or prioritize the risks they identify will also be
helpful as you evaluate/assess each risk in the next step. During the risk identification step, you want
to ensure that every possible effort has been taken to identify all risks to the organization.
From the surveys, interviews, and other formal and informal methods used to identify risks, a preliminary risk register is developed, categorized by area/domain, priority, risk owner, and current risk
mitigation efforts. Keep in mind that this list may be quite long initially and, until some filters are
incorporated in the assessment phase, it may appear cumbersome.

1.10.1 Risk Assessment and Evaluation

Once all organizational risks have been identified, analyzed, and placed in the risk register, the next
steps are to:
- Understand and attempt to quantify the potential magnitude or materiality of each identified risk.
- Consider the positive and negative consequences of events underlying identified risks across an organization.
- Incorporate at least two dimensions of risk: likelihood and severity.
- Recognize that there may be a range of possible results associated with an event.

1.10.1.1 Tools to Evaluate Risk

There are many tools to assist in the evaluation and assessment of identified organizational risk.
A few of them include: failure mode and effects analysis (FMEA), vulnerability analysis, quantitative
risk modeling, cost benefit analysis, risk scoring, risk maps/heat maps, financial analysis (simulation,
modeling), and a review of adverse outcomes data. How to determine a risk's score and display it
graphically will be discussed as an example of risk assessment tools.

1.10.1.1.1 Risk Scoring

Once an exhaustive list of risks is assembled, it is helpful to evaluate the importance of one risk
over another. This methodology may be largely intuitive but in most cases takes into account probability, time to impact/discovery, and severity. A sample formula is displayed below. By developing a
score/rank for each risk, a priority order for each score can be displayed. The graphic display of these
results is called a risk map or heat map. See Exhibit 1.3, Sample Risk Map. The descriptor and detail
can change to fit organizational risk appetite or tolerance levels. For example, in the formula shown,
a level 1 risk considered to be minor has a financial value less than $50,000. Some organizations may
find that range to be higher than their tolerance for risk and might change the range for minor risk to a
value at or below $5,000 while other organizations may find the level too low and raise the tolerance
to a value above $5,000,000. The value and ranges within the measure of risk frequency (probability)
(see Table 1.2, Qualitative Measure of Risk Frequency), measure of time to impact (see Table 1.3,
Measure of Time to Impact), and the measure of risk severity (see Table 1.4, Measure of Risk Severity) can all be changed to meet organizational preferences, appetite and tolerance. What is considered
to be of significance to one organization may be insignificant to another. These tables are offered only
as examples and should be reviewed by each organization for relevance and appropriateness. Once
a determination has been reached on how risks are to be scored, the scoring/ranking methodology
should not be changed without good cause. Consistency in how risks are evaluated is important.

Sample Formula
(Probability + Time to Impact) x Severity = Risk Score
(1-5 + 1-3) x 1-5 = Risk Score

The highest score in the formula with this sample scoring is 40. The example in Table
1.5 is offered to highlight that even significant events can have lower scores due to a lower frequency
or number of events that occur during a given period. Keep in mind that events that score higher or
closer to a score of 40 most likely would have already been identified with solutions and strategies
implemented to reduce their frequency if not preventing them from occurring altogether.

1.10.1.1.2 Risk Mapping

Risk mapping graphically depicts an organization's risks, displaying the relationship between
frequency and severity. It requires a team approach to identify and rank each identified risk. See
Exhibit 1.3 for a Sample Risk Map. Prioritized risks are useful for:

- data collection;
- identifying risk mitigation strategies;
- allocating capital and limited resources;
- exploiting a competitive edge; and
- improving knowledge of exposure and facilitating risk control techniques.

Once all risks are identified, evaluated and measured, the organization can develop prioritized,
organization-wide solutions and strategies for dealing with those risks.
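
The sample formula and the frequency-by-severity risk map described in sections 1.10.1.1.1 and 1.10.1.1.2, worked through on a small risk register. This is an added example, not taken from the book: the `Risk` class, the register entries with their ratings and owners, and the tie-break by severity are constructed for illustration, and the meaning of each rating level is left to Tables 1.2 through 1.4, which are not reproduced here.

```python
from collections import defaultdict
from dataclasses import dataclass

# Rating ranges from the sample formula: (1-5 + 1-3) x 1-5 = Risk Score.
RANGES = {"probability": (1, 5), "time_to_impact": (1, 3), "severity": (1, 5)}
MAX_SCORE = (RANGES["probability"][1] + RANGES["time_to_impact"][1]) * RANGES["severity"][1]

# The seven risk domains named in section 1.5.4.
DOMAINS = ("Operational", "Financial", "Human Capital", "Strategic",
           "Legal/Regulatory", "Technology", "Hazard")


@dataclass(frozen=True)
class Risk:
    """One risk register entry (field names are illustrative)."""
    name: str
    domain: str
    owner: str
    probability: int
    time_to_impact: int
    severity: int

    def __post_init__(self):
        if self.domain not in DOMAINS:
            raise ValueError(f"unknown domain: {self.domain!r}")
        # Reject ratings outside the agreed scales so scores stay comparable.
        for field, (low, high) in RANGES.items():
            value = getattr(self, field)
            if not isinstance(value, int) or not low <= value <= high:
                raise ValueError(f"{field} must be an integer {low}-{high}, got {value!r}")

    @property
    def score(self):
        # (Probability + Time to Impact) x Severity
        return (self.probability + self.time_to_impact) * self.severity


def rank(register):
    """Highest score first; ties go to the more severe risk (an assumption), then by name."""
    return sorted(register, key=lambda r: (-r.score, -r.severity, r.name))


def risk_map(register):
    """Group risk names by (probability, severity) cell, the two axes of the risk map."""
    cells = defaultdict(list)
    for risk in register:
        cells[(risk.probability, risk.severity)].append(risk.name)
    return dict(cells)


def render_map(register):
    """Text grid: severity rows (highest on top), probability columns, risk count per cell."""
    cells = risk_map(register)
    p_low, p_high = RANGES["probability"]
    s_low, s_high = RANGES["severity"]
    lines = []
    for sev in range(s_high, s_low - 1, -1):
        counts = [len(cells.get((p, sev), [])) for p in range(p_low, p_high + 1)]
        lines.append(f"S{sev} | " + " ".join(f"{n:>2}" for n in counts))
    lines.append("     " + " ".join(f"P{p}" for p in range(p_low, p_high + 1)))
    return "\n".join(lines)


# Constructed sample register; every rating and owner below is invented.
SAMPLE_REGISTER = [
    Risk("Medication errors", "Operational", "Pharmacy Director", 4, 3, 3),
    Risk("Wrong-site surgery", "Operational", "Chief of Surgery", 1, 3, 5),
    Risk("Hurricane damage", "Hazard", "Facilities Manager", 1, 1, 5),
    Risk("Nurse fatigue on 12-hour shifts", "Human Capital", "Chief Nursing Officer", 5, 3, 3),
    Risk("EMR downtime", "Technology", "Chief Information Officer", 3, 2, 4),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{r.score:>2}/{MAX_SCORE}  {r.name} ({r.domain}, owner: {r.owner})")
    print(render_map(SAMPLE_REGISTER))
```

In this register the two maximum-severity risks score 20 and 10 while a frequent, moderate-severity risk scores 24, which is the effect the text attributes to lower frequency.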

1.11 Strategy Setting and Solution Identification

In determining the strategies and solutions that may be appropriate to implement, risk projects are
identified and evaluated by:
- Low-hanging fruit: Which risks are clearly identified and have a solution readily available?
  These risks are considered quick fixes and may not drain valuable resources. Keep in mind,
  however, the possibility of negatively or positively correlated risk discussed earlier.
- Resource allocation and availability: How will the solution or strategy suggested impact the
  following:
  - Human capital: Does your organization have the personnel available to initiate, manage,
    and monitor a new project?
  - Financial/cost: Does the risk resolution or mitigation strategy meet the organization's
    risk appetite? Does the budget address these projects?
  - Time to completion: Will the time to complete the project and monitor its progress take
    so much time that the risk will have already changed, making the solution obsolete?
  - Expertise needed: Are there available resources in-house, or will outside expertise
    and consultation be necessary? If not, are there dollars in the budget to hire the needed
    expertise?
  - Internal or external: Does the project require the use of external resources (systems,
    products, people, hardware)? If so, has the organization done a cost benefit analysis on
    use of the resource?
  - Frequency and severity of risk: Has the organization identified which risks to address
    first? Is this by frequency, severity, time to impact, availability of resources, or some
    other metric? Can the organization support its prioritization of risk projects?
- Projects identified by individual, committee, department
  - What methodology will be used to identify, analyze, assess, and prioritize risks
    throughout the organization? Will surveys and questionnaires supplemented by interviews with key staff be conducted? How will the organization receive the input from
    frontline employees? Is there a forum to solicit ideas and suggestions? Will a person or
    committee take charge to review all risks and assess their organizational impacts?

1.12 Implementation Obstacles: Monitoring, Evaluating and Changing the Program

The ultimate success of an ERM program is like the success of any other cultural change within
the organization: once implemented, it requires monitoring and reinforcement. Risks to the organization change over time as new risks emerge and older, more well-known risks are appropriately
mitigated or eliminated. Strategies and solutions implemented to address identified risks need periodic
monitoring to ensure that the intended outcome is still being achieved. An even more basic question
is, does the risk still exist? With the continued limitation on scarce resources (time, money, and
people), monitoring the ERM program becomes a critical component of any ERM program. Ongoing
ERM education will help reinforce the program, keep it fresh, and support routine program updates,
as necessary.
Obstacles that have been seen when developing ERM programs include:
- Territorial turf: Competition among various units such as quality assurance/management, performance/process improvement, contemporary risk management, patient/environment of care safety, corporate compliance, and internal audit needs to be identified and minimized.
- Cultural incompatibility and diversity as barriers to care: Successful organizations understand the impact of culture and diversity and embrace differences. The complexities of a changing workforce and its impact on the organization need to be identified, particularly as they relate to staffing shortages and changes in the demographics of populations served.
- Changing environment and culture: Moving from a punitive environment focused on individual employee error to an organizational emphasis on systems and processes is a paradigm shift for most organizations. This shift does not happen overnight. Dealing with disruptive staff, finger-pointing and blame, working individually and not as a unit, and the inability to effectively communicate all contribute to the complexity of change. How the organization implements and manages change to the environment and its culture is critical to the success of the ERM program and is no easy task.
- Inability to team and effectively communicate: Organizations advocating a trusting, caring, and learning environment are teaching employees and staff new skills in better communicating. These changes will help move ERM throughout the organization.
- Limited use of technology: Technological advances abound in healthcare, and the impact is profound. Technology to support the core operations of healthcare will support patient safety, decrease medical error, and allow for better management through effective and timely communication and documentation of care and the ability to benchmark outcomes. Hopefully technology will save time and save lives. Use of technology in healthcare includes: electronic medical records/electronic health records (EMR/EHR), computerized physician/practitioner order entry system (COPE), bar coding, risk management information systems (RIMS), radio frequency identification (RFID), robotics, and a whole host of software programs aimed at identifying benchmarking data, just to name a few.
- No common healthcare taxonomy for ERM: When you have seen one risk management program you have seen just that: one risk management program. The same is true for ERM. Currently there is no common taxonomy for terms, language, systems, methods, and/or processes in healthcare.
- Inadequate senior-level support: The board of directors and senior leadership (C-Suite) need not only to understand the concepts associated with ERM but also to lend organizational support for program development.
- No commonly accepted risk metrics by which ERM programs can be evaluated over time.
- Length of time to implement: Willingness to devote the time it takes to implement an ERM program. Some organizations are happy to take smaller steps that will yield some benefit, while other organizations will focus on better risk reporting from business units and not push for a broader, more comprehensive program.
- Limited expertise in risk and finance.
- Difficult-to-quantify results or return on investment (ROI): Inability to demonstrate immediate, quantifiable return on investment.
- No follow-through: ERM as an ongoing process should be embedded into organizational culture. Following, monitoring, and evaluating the program's progress is just as much a part of the process as is risk identification and assessment. ERM programs are living concepts within an organization of which change is a natural outcome. Without change and follow-through, ERM programs become static, eventually dwindling in support and effectiveness.
- Establishing solution before defining root cause of problem (subjective vs. objective analysis).
- Not including users of the system in the development of an ERM program: Successful ERM programs recognize the importance of employee involvement and contributions and value their input.
- Failure to take the advice of experts and those empowered with ERM program responsibilities. As an example, when Fannie Mae and Freddie Mac executives were being grilled before members of the House Oversight and Government Reform Committee in early December 2008, it became clear through submitted documents that they did not heed the advice offered by their own chief risk officers, and that failure to take internal advice was a significant contributing factor in the mortgage crisis of 2008/2009, costing taxpayers billions of dollars.[9] Information is only as good as the organization's interest and ability to act upon it.
Organizations that are successfully pursuing enterprise risk management are addressing these
issues head on.
1.13 Benefits of ERM

The ERM process allows the organization to take a more strategic perspective of risk from the
top-down. This view should result in the following benefits:
- development of strategies and solutions that support the organization's mission, vision, values doctrine and stakeholder value;
- better anticipation of the unexpected;
- treatment of risks that is more efficient and effective;
- comprehension of organization-wide cost;
- establishment of methodology for assessing future risks;
- development of strategic, organizational framework for managing risk;
- conservation of limited resources;
- promotion of transparency;
- development of a framework for meeting financial disclosure requirements and support for board education;
- improvement in decision making;
- allocation of limited resources/elimination of waste;
- enhancement of the success for regulatory and compliance initiatives;
- creation of formal linkages between units/divisions/organizations;
- identification of risk interdependencies/clusters;
- identification of significant or material risks using a structured and auditable process;
- establishment of baseline estimates of probable loss utilizing a variety of modeling methods;
- operational contingency plans to reduce the impact of catastrophic loss;
- establishment of new and more comprehensive risk management discipline;
- identification of strategic competitive advantages;
- development of an organization-wide taxonomy;
- comprehension of relationships (correlations) between risks; and
- promotion of patient safety and the delivery of care that is effective, efficient, and, most of all, safe.

[9] ABC News, December 9, 2008, "Fannie, Freddie Ignored Risky Loan Warnings," by Huma Khan. "Their own risk managers raised warning after warning about the dangers of investing heavily in the subprime and alternative mortgage market. But these warnings were ignored by the two chief executives," said Henry Waxman, Chair of the House Oversight and Government Reform Committee.
1.14 ERM Success Factors

The following are considered success factors when implementing an ERM program:
- Leadership support and a positive culture
- Broad-based employee involvement
- Consistency
  - in assessment
  - in scoring measurement
- Quantifying and benchmarking results
- Decreased variability through evidence-based practice (EBP)
- Monitoring and evaluation
  - Internal
  - External.

1.15 The Future Risk Management Professional

The evolution of enterprise risk management is redefining the scope of practice for the professional charged with risk management responsibilities. Risk management professionals need to be
facilitators of change, action seekers, and well-networked within their own organizations and externally, enabling them to call upon outside experts when necessary. Changing risk management into
organization-wide strategies to address ERM is not for the weak at heart. Increased responsibilities
require enhanced skills. The Risk and Insurance Management Society (RIMS), in its white paper
entitled "The 2008 Financial Crisis: A Wake-up Call for Enterprise Risk Management," identifies skills
for the successful enterprise risk manager.[10] RIMS divides the necessary skill sets into conceptual
skills, core competency skills, business skills and technical skills. Conceptual skills include: planning, organizing, decision making, management process, ethical judgment, organizational architect,
and strategic thinking. Core competency skills are separated into interpersonal skills and personal
skills and include leadership, negotiations, innovation, communication, and being motivated. Business
skills, as one would expect, include legal, accounting, compliance, human resources, finance, marketing, safety, and security, to name just a few. Project management, the risk management process, risk
financing and knowledge of insurance, enterprise risk management information systems, risk control,
and claims management are all technical skills necessary for today's enterprise risk manager. The
enterprise risk management professionals are well-networked ringleaders, orchestrators, and facilitators of change.
1.16 Conclusion

By understanding the concepts of enterprise risk management and advocating its practices, principles, and processes, legal counsel adds value to the board of directors and executive leadership as
knowledgeable members of the ERM team. With this understanding, legal counsel will be better positioned to offer sage counsel in an area not yet fully understood by boards and executive leadership at
most healthcare organizations. A thorough understanding of ERM will assist in identifying and minimizing risks, helping to create a competitive advantage, decreasing costs, managing staff and patient
expectations, minimizing waste, and supporting the delivery of patient care in a safe environment.
Although healthcare organizations have not yet made tremendous inroads into ERM, that does
not mean that they have not been managing risk. It just means that there continues to be a tremendous
opportunity to make a meaningful difference. There is still much to do!

[10] The 2008 Financial Crisis: A Wake-up Call for Enterprise Risk Management, Bill Coffin, Editor. RIMS 2009.


Table 1.1 Reasons for Change

The following list is meant to offer just a sample of the myriad reasons why healthcare has
transformed over the recent past. It is not an exhaustive or mutually exclusive listing and changes
frequently.
1. Change in patient demographics
  - Diversity of patients, staff and physicians
  - Aging of the population
2. Enhanced expectations by a variety of stakeholders including:
  - Patients
  - Families
  - Medical staff
  - Board of directors
  - Executive leadership
  - Professional caregivers
  - Community
3. Increased use of the internet as a source for health knowledge and exchange
4. Movement to a paperless environment and the promotion of electronic medical/health records
5. Continuous need for and access to outcomes data
6. Local, regional, and national competition
7. Increased financial oversight and scrutiny
8. Emphasis on patient-centered care and transparency
9. Changing lines of authority
  - Staff empowerment
10. Variability in clinical care
  - Hesitancy to follow evidence-based practice
11. Increase in regulatory requirements, regulations and standards
  - Standard & Poor's to evaluate rated agencies on ERM progress
  - Sarbanes-Oxley Act of 2002 requirements trickle over into healthcare
  - CMS IPPS changes related to hospital-acquired conditions
12. Promotion of disclosure and apology programs
13. Reliance on complex, changing technology
14. Reduced reimbursement
15. Advances in medicine

Exhibit 1.1 Values Doctrine

Values Doctrine
Enterprise Risk Management

- Quality patient care is at the center of all we do and core to our business objectives.
- Creating a culture that supports a safe environment for all is paramount to the Organization's mission and objectives. This includes not only our patients and their families but our employees, board members, volunteers, and medical staff.
- We promote an enterprise-wide early warning system and framework for the comprehensive identification and resolution of all organizational risk.
- We adhere to an early intervention program that supports prompt investigation, open and honest communication, transparency, disclosure, and apology and compensation (when appropriate) to injured patients that is fair and equitable.
- Employee empowerment and service recovery are principles with which all employees are trained and participation is encouraged.
- In promotion of our organization as a learning environment, we will share with all stakeholders the lessons learned from patient safety and risk-related issues.
- To safeguard the delivery of patient-centered care we will strive for patient/family participation in strategy setting and membership on functional teams designed to identify and mitigate the potential for loss.
- Understanding that risks can cross all aspects of the organization, we will endeavor to identify and assess all risks in a manner that is both strategic and timely in order to preserve resources, maintain fiscal integrity, support the workforce, and create an environment that promotes transparency.

This Values Doctrine is endorsed by the organization's board of directors, executive leadership,
and medical staff and is supported by all employees and volunteers.

Exhibit 1.2 Risk Appetite/Risk Tolerance

Table 1.2 Qualitative Measure of Risk Frequency

Level   Descriptor          Example Detail Description
        Extremely rare      May occur in exceptional circumstances
        Rare                Could occur at some time
        Periodic            Will occur at some time
        Recurrent           Will probably occur in most circumstances
        Occurs frequently   Is expected to occur in most circumstances

Reprinted with the permission of Corey Gooch, Aon Corporation.

Table 1.3 Measure of Time to Impact

Level   Descriptor
        Warning occurs over a long period of time (months or years), providing opportunity to adjust or react
        Warning occurs over a shorter period of time (days or weeks), providing some opportunity to adjust or react
        No warning, impact is felt immediately

Reprinted with the permission of Corey Gooch, Aon Corporation.

Table 1.4 Measure of Risk Severity

Level   Descriptor     Descriptor Financial Impact
        Minor          Less than $50,000
        Moderate       $50,001-$500,000
        Major          $500,001-$1,000,000
        Severe         $1,000,001-$5,000,000
        Catastrophic   Over $5,000,000

Reprinted with the permission of Corey Gooch, Aon Corporation.

Table 1.5 Fetal Hypoxia

Risk: Fetal hypoxic event
Cause (Risk Factor):
  - Failure to recognize fetal distress
  - Failure to interpret fetal monitoring
  - Inability to perform emergency c-section
Impact:
  - Lifetime injury or death
  - Medical malpractice loss
  - Increased insurance rates
  - Loss of reputation
  - Increased scrutiny by JCAHO, State
  - Difficulty attracting staff
Internal Controls:
  - Education
  - Use of technology to facilitate recognition of fetal distress
  - New policies ensuring emergency c-section readiness
  - PR advertising new measures
Recommended Actions:
  - Biannual fetal monitor training
  - Identify/Purchase new technology
  - Float obstetricians
  - Host Mothers-to-Be Event
Score: 22.5

Carroll R.L., Norris G.A., Aon Healthcare, 2006.

Exhibit 1.3 Sample Risk Map

2 Structuring an Enterprise Risk Management Program
Sheila Hagg-Rickert, JD, MHA, MBA, DFASHRM, CPHRM, CPCU
Senior System Director of Risk Management, CHRISTUS Health

2.1 Introduction

Healthcare organizations come to the realization that they need to explore an enterprise risk
management (ERM) program from a variety of different directions. It sometimes starts with a senior
corporate officer or the organization's risk management professional learning about ERM in a seminar,
an article, or through conversations with a peer. At times a member of the governing board with ERM
experience in another industry questions whether such an approach might be applicable in a healthcare setting. Other times leaders simply become increasingly aware that traditional risk management
processes and activities, no matter how successful, fail to capture a significant and growing portion of
the most serious risks facing the organization.
However a healthcare organization comes to appreciate its need for an ERM initiative, it is important that the organization identify the right people, devote sufficient resources, and allow enough time
to appropriately structure the ERM process. It is equally important that the governing board and senior
leadership team of the organization be prepared to confront the fundamental cultural and operational
assumptions that such a process is likely to reveal and embrace the broad-based organizational changes
that a successful ERM process will likely entail.
2.2 Laying the Groundwork

Prior to embarking on a large-scale exploration of ERM, the senior leaders and governing board
of a healthcare organization need to identify the goals for the process. While it is neither possible
nor appropriate to be overly prescriptive at the outset, it is helpful to reach consensus on a few key
questions:
- Who will lead and champion the ERM process?
- Does the identified team have sufficient time and expertise to assume such a role? If not, can other work responsibilities be modified and additional educational resources provided?
- What level of resources can be devoted to the project? Can the leaders retain consultants, statisticians, or other outside resources if needed?
- Is there a specific timetable for the initial risk identification and prioritization process? For the ERM implementation?
- What outcome for the ERM effort is envisioned? An extension of current risk management processes? A reorganization and restructuring of risk management activities? A fundamental shift in direction and approach?
Even if some senior leaders or board members have significant ERM experience, it is helpful for
an in-depth educational process to precede the launch of any ERM effort. Key leaders can seek out
seminars and conference offerings on ERM and conduct structured interviews with peers as to how
other healthcare organizations are addressing ERM issues. More knowledgeable leaders can develop a
reading list for other directors and officers to acquaint them with current ERM theory and practice. It is
often helpful to interview ERM leaders in other regulated and complex industries, such as pharmaceuticals, telecommunications, aerospace, or financial services, to gain an understanding of how they have
approached ERM and how they have structured their internal processes. Such industries are typically
well ahead of the current state of healthcare in adopting ERM principles and can provide invaluable
insight into avoiding pitfalls in launching an ERM initiative.
2.2.1 Establishing an ERM Oversight Committee and Working Group

While the decision to embark upon an ERM project typically rests with an organization's senior
management team and governing board, responsibility for day-to-day exploration of the issues and
design of the initial ERM project is usually vested in an ERM working group. The working group
should be capable and willing to develop an in-depth understanding of ERM theory and processes and
to frame the issues in developing the initial ERM risk assessment survey. The working group should
also be prepared to assist with designing and launching a comprehensive ERM implementation process for the organization and making recommendations for required organizational restructuring and
resource reallocation.
While the organization's risk management professional is often a key member of the working
group, it is advisable to include other disciplines in order to assure the appropriate breadth of perspective for a successful launch. Internal audit, with its broad focus of organization-wide standards and
compliance, and strategic planning, with its global and futuristic orientation, frequently make good
partners with traditional risk management in forming the working group. Legal, corporate compliance,
and clinical operations representatives may also be good candidates for inclusion, depending on the
organizational structure of the healthcare entity.
Regardless of who is named to the working group, the team should typically include no more than
four to six members. Even in a large and complex healthcare organization, it is important that the team
be small enough to meet frequently in the face of competing schedules and to reach consensus easily.
The team must be nimble enough to adjust quickly to changes in focus and orientation that may occur
in the course of the project.

The working group should report to an ERM oversight committee made up of senior leaders and
governing board members who provide top-level support and resources for the project and guide the
development of specific goals and objectives. Again, the group should be kept small, no more than
three to four people. The CEO or COO, CFO, senior human resources official, general counsel, and
chairman of the board or of the finance or audit committee may be appropriate candidates for inclusion, depending on their understanding of and commitment to ERM and their ability to view the
organization holistically. While the ERM oversight committee need not micro-manage the work of
the working group, it needs to make sure to allow opportunities for innovation and creativity among its
members. The committee should meet periodically with the working group, receive progress reports,
and ensure that the project stays focused and on schedule.
The ERM oversight committee is responsible for overseeing development of the organization's
ERM infrastructure and for creating a framework within which the ERM process can take root and
expand over time. The committee also serves the function of selling the concept of ERM to other
senior managers and board members and of laying the groundwork for the fundamental organizational
changes that may come out of a successful ERM implementation process.
2.2.2 Developing an ERM Implementation Process

One of the first tasks facing the designated ERM working group is to design the framework for
exploring and implementing the organization's ERM process. Such a design process typically begins
with developing a methodology for identifying and prioritizing the various risks that may potentially
impact the organization. While the working group could review the relevant literature to find a standardized list of risks impacting healthcare organizations or could seek the assistance of a consultant in
developing such a list, it is preferable to develop it internally. Developing an organization-specific listing of critical risks not only allows the working group to capture risks unique to a given organization,
it also allows the entity's management team to begin thinking about risk from a fundamentally different
perspective. The work done in identifying, defining, categorizing, and prioritizing specific risks is a
valuable part of the overall ERM education process and assists members of the management team in
internalizing the differences between ERM and a more traditional risk management orientation.
The preferred approach for identifying risks potentially impacting a healthcare organization is
for the working group to conduct interviews of small groups of managers and other leaders to determine risks in their respective areas along with current mitigants. The information gathered from the
interviews can then be synthesized into a survey document in which various risks identified can be
analyzed as to their likelihood (anticipated frequency or probability of occurring within a given time
frame) and impact (anticipated severity in terms of potential to prevent the organization from reaching
its desired objectives). Additionally, identified risks can be considered in terms of the adequacy of current risk mitigation efforts: some risks that could be potentially disastrous to the organization without
the application of appropriate risk treatment or risk financing strategies may be perceived as much less
onerous if they are subject to adequate mitigation efforts. The risk remaining after the risk mitigation
efforts are applied may be characterized as residual risk.

The working group should review the interview process (Who will be interviewed and in what
groups? How long will the interviews last and who will conduct them? How will the results be tabulated?) and the resulting survey process (How will the survey be created and circulated? How will the
results be reported?) with the ERM oversight committee. The committee will also need to determine
how the results will be utilized to implement the ERM process and how the implementation and ongoing ERM process will be structured and monitored. Frequently the final report of the survey process is
shared with the governing board or a board-level committee such as the audit committee. From there
process owners are assigned to specific risks. Such process owners, typically senior-level managers
within the organization, can then receive additional training in analyzing the risks to which they have
been assigned and in assembling a task force of resources to develop loss prevention, occurrence
management, and risk financing strategies to effectively manage the risk. Process owners are also
responsible for helping to integrate identified risks into the organization's financial and operational
processes and for monitoring the organization's ERM performance.
2.3 Designing and Conducting the Initial ERM Risk Identification Interviews and Survey Process

The best way to develop a listing of risks facing an organization is to ask the people who know
it best: its managers and leaders. As an initial step in the ERM assessment effort, the working group
should conduct interviews with groups of organizational leaders to elicit their views on risk. It is desirable that groups be kept small, no more than 10 to 12 people, and that one to two hours be allowed
for each interview. For multi-facility healthcare organizations, leaders at both the corporate system
level and the local facility level should be included, as their views regarding important risks may well
differ.
In setting the stage for the discussion of risks, the working group may pose a question such as,
"What risks facing ABC Health Care keep you up at night?" The working group should also emphasize
that risks to be considered should not be limited to things traditionally handled by the organization's
risk management department, such as medical professional liability claims or catastrophic property
losses (although such risks need not be excluded), and should include any risk to the organization
capable of seriously impairing its ability to meet its stated objectives.
In framing the discussion of risk, it is sometimes helpful to discuss three discrete types of risks
that might be considered by the interviewees:
1. Event Risks: Risks associated with specific events such as a flood or hurricane, a pandemic
disease outbreak, or a terrorist attack. Such risks most closely parallel risks addressed through
traditional risk management programs.
2. Process Risks: Risks associated with the organization's failure to design and implement
appropriate business, clinical, or other processes or to effectively monitor and correct deviations from established processes. The concept of process risk is less tangible than event risk
and may be less apparent to individuals without prior experience with ERM. Process risks
might include failure to retain and recruit sufficient numbers of qualified staff or failure to
collect a sufficient proportion of patient care revenues.
3. Strategic Risks: Risks associated with the organization's failure to identify or successfully
pursue appropriate business, financial or other strategies or the failure to appreciate when an
adopted strategy has failed and should be abandoned. Examples of strategic risks include the
failure to develop outpatient surgery centers as joint ventures with physicians, after which a competitor opens a surgery center next door, or the failure to divest unprofitable, previously acquired
primary physician practices.
Another framework for categorizing risks that can be offered during the interview process is to
ask participants to think of risks within a series of identified risk domains. While some risks will cross
over and include aspects of multiple domains, the concept allows for individuals to think about risk in
holistic and comprehensive terms. Examples of risk domains include:
- Human resources risks: risks associated with staff recruitment and retention and performance appraisal and incentives.
- Financial risks: risks associated with revenue production and collection, billing, reimbursement, budgeting and investment activities.
- Clinical risks: risks associated with diagnosis and treatment of patients.
- Strategic risks: risks associated with failure to identify and pursue appropriate clinical and business opportunities or to abandon unsuccessful strategies.
- Reputational risks: risks associated with the organization's brand name or public image.
- Physical risks: risks associated with the organization's property, plant and equipment.
- Technology risks: risks associated with the failure of the organization to embrace emerging technologies and those associated with technological vulnerabilities to security threats and destruction of data.
While such a list of risk domains may not include every risk facing a healthcare organization,
it does assist interview participants in thinking expansively about risk.
Finally, interviewees should be encouraged to think about risk in positive as well as negative
terms. In traditional risk management, risk can only be a negative: either your building burns down
or it doesn't; a patient falls from bed or does not. In contrast, ERM considers the up-side as well as
down-side potential of risk. The pursuit of a specific business strategy, while posing certain risks of
failure, also holds the potential for success. Thus risk can be viewed generally as uncertainty or variability from expected results and therefore as neither positive nor negative in and of itself. Even for those
traditionally considered risks for which there is only down-side potential, the ability to manage risks
more effectively or efficiently than one's competitors can in itself be a competitive advantage and
operationally positive.
While providing a framework to assist interviewees with thinking about risk is helpful, the working group needs to be careful not to be too prescriptive nor to provide too many examples of specific
risks in its introductory remarks. The goal is to gain an understanding of those risks that pose the
greatest concerns for the healthcare organization's leaders, not to plant seeds in their minds as to what
the working group might define as important.
The members of the working group need to keep detailed notes of the interview discussions. Following the completion of the risk identification interviews, the group can then reassemble to develop
the list of risks to be included in a risk assessment survey process. When drafting the survey tool, the
working group should strive to include the risks that were cited repeatedly by different groups of interview participants and to synthesize similar risks into common themes. Often, participants may frame
a given risk very specifically from the perspective of a given department or professional discipline,
yet the risk may be able to be stated more generically to encompass other specific risks cited by other
groups. For example, a participant from the information systems department may express concern
about the vulnerability of the organization's computer systems to sabotage and hackers, and someone
from patient accounts may mention issues with inappropriate release of patient information. Both risks
may be included under a broader risk category pertaining to security vulnerability of electronic data
systems.
Ideally, by combining similar risks and focusing on those cited most frequently by various groups
of interview participants, the working group can whittle the large number of risks identified during
the interviews to 20 to 40 comprehensive risks facing the organization. Once this list is developed, a
definition needs to be drafted for each.
Developing risk definitions is often one of the most difficult tasks in the risk identification and
assessment process. The goal of the working group is to make the definitions generic enough to have
wide applicability within the organization and to capture a number of related risks within each definition while providing a clear understanding of the key focus of the risk. For an example of the risks
identified by one large healthcare organization and their assigned definitions, see the Appendix to this
chapter.
The survey tool should ask participants to assess the identified risks in terms of likelihood of
occurrence (frequency) and impact on the organization if the risk does occur (severity). Participants
can either be asked to rate these variables qualitatively, such as "high," "moderate," and "low," or quantitatively by assigning specific probabilities to the anticipated frequencies, such as "one in the next five
years" or "two to three times in the next five years," and specific dollar amounts to potential impacts. Each
approach has its advantages. While the qualitative method is somewhat easier to understand, it is more
subjective; one respondent may describe a specific risk having a $10 million impact on the organization as "high," while another, perhaps more accustomed to dealing with large financial sums, may rate
the same magnitude of impact as "moderate" or even "low." If the quantitative approach is selected, it is
helpful to include a reference guide with the survey that provides the dollar impact of sample large
losses with which the respondents may be familiar, such as the largest civil monetary penalty assessed
against a healthcare entity for violation of federal fraud and abuse laws and the largest medical professional liability verdict from the prior year, as points of comparison.
In addition to capturing information regarding perceived likelihood and impact of various risks
facing the organization, the risk assessment survey may also query respondents on their views of the
adequacy of current mitigation efforts related to the risks. Some risks that might be considered significant if left untreated may be perceived as much less onerous because respondents are confident that
current loss control measures are adequate to prevent an occurrence or to severely limit its impact.
A qualitative scale that ranges from "very well controlled" to "not even identified as a risk" may be
useful for this purpose.
In addition to asking the respondents to characterize each identified risk in terms of likelihood,
impact, and adequacy of current controls, the survey may further ask each respondent to list his or her
top five most concerning risks and to comment further upon them. Not only do the comments themselves provide additional insight into the ERM concerns of the organization's leaders, but requiring
respondents to list their top five issues provides additional clarity if there has been a tendency to rate all
identified risks similarly.
A number of software programs exist to automate the distribution of the ERM risk assessment
survey and allow for the tabulation of results via an organization-wide intranet or protected website.
While replies may be kept completely anonymous, it may be useful to gather some demographic information from respondents, such as department, clinical vs. non-clinical background, position within
the organizational hierarchy, length of service, and system vs. healthcare facility positions for larger
healthcare organizations. Having such information allows for comparing responses among various
groups to determine how identified risks may be perceived differently.
Tabulated results from the survey are assembled into a formal report to the ERM oversight committee. The report should include a brief review of the process employed to identify the selected risks
and develop the survey as well as an executive summary highlighting the key findings. A meeting
should be scheduled between the working group and ERM oversight committee to discuss the implications of the findings and plan for the next steps in the ERM implementation process. Once a general
plan is developed, a summary of survey results can be shared with survey participants. Presentations
can also be scheduled with groups such as the risk management, audit committee, and/or governing
board.
2.4 Addressing Identified ERM Risks

One of the greatest challenges in implementing an ERM program is preventing the process from
dead-ending with the risk assessment. Healthcare organizations, like their counterparts in other industries, seem to suffer from a natural tendency to consider the interviews, risk assessment survey, results
analysis, and resulting risk prioritization as ends in themselves. In fact, these activities are but the
beginning of the ERM process.
Once survey results are tabulated and risks ranked and displayed, the working group should report
its findings back to the ERM oversight committee. The committee then needs to determine the specific
risks on which to aim its initial focus. For most organizations, it is recommended that no more than
three to 10 risks be tackled at the outset. Typically the risks identified through the survey assessment
process are global in nature and pervasive in scope and require the effort of a multi-disciplinary team
of experts both within and external to the organization to address. Attempting to adequately explore
and manage too many risks during the implementation phase of the ERM process is a sure recipe for
disaster. It is better to deal effectively with a handful of risks than to superficially consider a larger
number.
It is not always easy for the healthcare organization to determine which risks are its most serious.
A risk may score differently in likelihood and impact dimensions, with some risks having a remote
likelihood of occurrence but holding serious consequences for the organization if they do occur, and
others relatively likely but of lesser consequence. It is not readily apparent to most risk managers
how to combine these measures in a mathematically appropriate and statistically valid way. It is often
necessary to employ the assistance of a consultant to make sure that the survey results are interpreted
accurately. If the healthcare organization is self-insured, a discussion with the organization's actuary
may be a convenient and advantageous first step. Actuaries have a firm grasp of mathematical and statistical principles and, although assisting with the analysis of the ERM may pose different challenges
than compiling the typical actuarial report, may be very helpful in assigning values to the survey
results and helping the organization to appropriately prioritize its ERM risks.
The combined measure for rating likelihood + impact may be termed inherent risk. Inherent risk
considers the magnitude of the risk in its pure form, without any discount for loss prevention, loss
control, insurance coverage, or other risk mitigation strategy that may be employed by the organization to reduce either the likelihood of the risk occurring or its potential impact on the organization.
In contrast, the risk remaining after the application of risk mitigation strategies can be thought of as
residual risk. The ERM risk assessment survey should attempt to evaluate both inherent and residual
risks in order to gain a complete picture of the risks facing the organization.
Once the list of ERM risks to explore has been determined, the ERM oversight committee should
assign a process owner for each. The process owner is charged with responsibility for assembling a
task force of internal and external resources to further drill down into the assigned risk, identify the
key drivers and develop loss prevention and risk financing strategies for mitigating the risk. It is recommended that process owners be chosen from among the senior leadership team of the organization
for maximum visibility and access to resources and information.
The working group needs to develop educational resources and tools for the process owners to
assist them in understanding their roles and in creating a framework for examining the risks with which
they are charged. Training in techniques such as failure mode effect analysis [1] and root cause analysis [2]
is often helpful, as well as an introduction to organizational improvement models like Lean Six Sigma [3]
and the Toyota Production System. [4] A workshop format utilizing internal resources outside of the
working groups as well as outside consultants (as needed) may prove an excellent means of orienting
the process owners to their task. The content and format of the workshop should be approved and
promoted by the ERM oversight committee.
Once the process owners have received their initial charge and orientation and assembled their
task forces, the ERM oversight committee can set up periodic meetings or required reports to ensure
that the ERM process stays on track and makes progress in developing strategies to tackle the assigned
risks. The working group continues to play a role in fostering ongoing support for the ERM process
and continuing to assist and encourage the various process owners and task forces during this critical
segment of the implementation phase. For most risks, the process owners should be expected to have
their final report of recommendations prepared within six to 12 months.

[1] Smith, Deborah L., FMEA: Preventing a Failure Before Any Harm is Done, 2008, http://healthcare.isixsigma.com/library/contnet/c040317a.asp.
[2] Bellinger, Gene, Root Cause Analysis, 2004, http://www.systems-thinking.org/ca/rootca.htm.
[3] Smith, B., Lean and Six Sigma: A One-Two Punch, Quality Progress 36.4 (2003): 37-41.
[4] Spear, Steven J. and Bowen, H. Kent, Decoding the DNA of the Toyota Production System, Harvard Business Review, September/October 1999.

2.5 Integrating ERM into the Corporate Culture

Moving beyond the risk identification and assessment process and fully integrating ERM into
the organization's culture is a challenging endeavor for most healthcare organizations. To be fully
operationalized, ERM must become a core process, reflected in strategic planning, budgeting, and performance measurement and improvement activities, and embraced by every level of the organization.
The governing body of the organization, as well as its senior management team and other leaders, needs
to set risk-adjusted goals and objectives and consider risks holistically across the enterprise. Such a
view of risk avoids a reactive, siloed focus on the mitigation of individual risks and allows for intelligent risk taking utilizing risk-based decision support and performance measurement tools.
The ERM implementation process typically involves an analysis of the organization's risk tolerance. Healthcare entities vary in their ability to withstand the potentially adverse consequences of risk
based on their competitive and cash positions, revenue stream, access to credit and degree of financial
and operational predictability. Organizations in highly volatile markets and those operating under
severe financial pressures tend, out of necessity, to be more risk averse than their peers; however, even
similarly situated organizations may view risk differently and have very different risk appetites.
While defining an organization's risk tolerance precisely may be difficult, a few relatively simple
techniques can be employed to aid in the analysis. Just as entities typically conduct a cost-benefit
analysis of proposed projects to determine which of several competing projects to pursue, organizations can think in terms of a risk-reward analysis to consider proposals from an ERM perspective.
Those endeavors that offer the greatest probable reward for the least residual risk, given the costs and
anticipated effectiveness of available risk mitigation options, should be pursued. Just as organizations
typically look for a specified internal rate of return for their business initiatives, managers can come to
appreciate that projects must be able to demonstrate a specific risk/reward gap in order to be pursued.
Healthcare organizations should also approach their strategic planning and budgeting functions
from an ERM perspective. Rather than setting goals and objectives and budgetary targets as absolutes,
it is helpful to think of them within an ERM framework. What is the likelihood that the organization
will meet this specific goal or budgetary target? Is there a possibility that the organization will exceed
it, and if so, by how much? What is the probability that the organization will fail to meet it? What are
the risks that are driving those probabilities? Can those risks be mitigated (if negative) or enhanced (if
positive)? What are the costs (financial and otherwise) in pursuing such mitigation or enhancement,
and how likely are these activities to be effective? When considering risk treatment strategies, it is
important to bear in mind the law of diminishing marginal returns: while quick fixes and relatively
obvious risk mitigation or enhancement efforts may yield large returns, the closer one gets to completely eliminating or optimizing a risk, the higher the incremental costs tend to be in proportion to the
incremental benefits, so that completely eliminating or optimizing risk is not feasible.
The road to full organizational integration of ERM principles is a long one. Few healthcare organizations have reached full ERM maturity, but experience from other industries shows that the process
can easily take two to five years. [5] As the process develops, it is imperative that the ERM oversight
committee, working group, and process owners remain engaged, meeting frequently with departments, boards, committees and other groups throughout the organization to facilitate the incorporation
of ERM concepts into planning and operating activities at all levels of the organization until ERM
becomes just the way the organization does business and is fully incorporated into the organizational
culture.
In addition to ongoing monitoring and performance measurement of the degree to which ERM is
integrated into the corporate culture, strategic planning and operational decision-making of the organization, the working group and ERM oversight committee should plan to repeat the risk identification
and assessment process about every three years. Organizational priorities, regulatory and economic
environments, technology, and market conditions change rapidly for healthcare providers and risks
that seem monumental today may be inconsequential tomorrow. (Remember Y2K?) New risks are
constantly emerging. Survival for many healthcare entities in the future will likely depend on their
ability to perceive and manage changing threats quickly and to make timely and accurate decisions
about when to change a strategic course.
At some point it will be necessary to find a permanent home for Enterprise Risk Management
within the organization. Although ERM is by nature a multi-disciplinary process, there needs to be an
individual or department responsible for setting specific ERM goals, developing strategies to see that
those goals are met and educating the organization at large regarding the continuing development of
ERM. Frequently these responsibilities are assigned to a chief risk officer (CRO). The CRO may be
selected from within the ranks of the current organization or recruited externally, but in either event it
is important to distinguish the role from that of the traditional risk manager. The CRO should ideally
report to the organization's Chief Executive Officer to remain independent from quality, finance, legal,
or other departments that might attempt to assert undue influence or limit the expansive role that is
appropriate to the ERM effort. While candidates with prior healthcare CRO experience are, at this point,
very rare, the CRO must possess a good understanding of the healthcare industry in general as well as
have specific expertise in finance, corporate compliance, organizational effectiveness, strategic planning, and traditional risk management. The job of CRO requires a very broad perspective and diverse
skill set, but holds opportunity for growth in a challenging and still-evolving field of endeavor.
2.6 Conclusion

Enterprise risk management for healthcare organizations is still a discipline in its infancy. While
much work remains to be done, healthcare entities that begin by assembling the right initial team,
developing a thoughtful process of risk identification and assessment, and devising an implementation
strategy that focuses on integrating ERM into the corporate culture of the organization over the long term will be rewarded with a better understanding of the inter-relationships among the risks they face
and be better equipped to anticipate and manage those risks effectively.

[5] Risky Business: Employing Enterprise Risk Management to Sustain Growth, Mitigate Threats and Maximize Shareholder Value, APQC, 2007.

Appendix
1. Political/Legislative
Changing regulations and rates/standards for reimbursement by government payors threaten the
organization's ability to maintain operations.

2. Regulatory Compliance
Noncompliance with laws, regulations, and accreditation standards results in lower quality, lost
revenues, unnecessary delays, adverse publicity, penalties, and fines.

3. Competitor
Actions of competitors (e.g., new product and service introductions, predatory pricing and competitor mergers) or new entrants to the market handicap the organization's activities, competitive
advantage or even its ability to survive.

4. Catastrophic Loss
A major disaster or pandemic directly or indirectly impedes the organization's ability to sustain
operations, provide essential products and services, or recover operating costs.

5. Catholic Identity
Compliance with ethical and religious directives challenges the organization's ability to enter and
remain in profitable markets or to deliver state-of-the-art and full-range clinical services demanded by
customers.

6. Not-For-Profit Status
Failure to identify and accumulate relevant information and maintain appropriate operations
regarding the organization's not-for-profit status results in noncompliance with tax regulations and the
loss of not-for-profit status.

7. Leadership
The organization's people are not being effectively led, which results in a lack of clarity, direction,
motivation to perform, management credibility, and trust throughout the organization.

8. Organizational Structure
The organization's corporate and/or legal structure impedes its capacity to change, develop relevant business plans, or implement long-term strategies.

9. System Value
System functions fail to align or fail to appropriately support regional operations and create additional burdens on the regions without adequate accountability or the addition of value.

10. Business Planning
Lack of a systematic and cohesive business planning process or failure to establish and execute
clear operating strategic priorities impacts the organization's ability to focus and formulate realistic
and relevant business strategies.

11. Business Performance Measurement
An inability to determine and implement accurate performance measures consistent with established business strategies threatens the organization's ability to achieve its long-term objectives.

12. Alignment
Misalignment of objectives, goals and strategies throughout individual operational units threatens
the organization's capacity to achieve its overall objectives, maintain core operations and execute
strategy.

13. Physician Alignment
Failure to effectively integrate physicians with the organization's business and mission needs
results in quality deficiency, inadequate patient volumes, duplicative services and loss of profitable
service lines.

14. Patient-Centered Approach
Failure to develop a patient-driven approach to care results in a loss of market share.

15. Strategy
The organization develops strategies geared towards desired revenues or short-term goals rather
than indicated costs or long-term objectives resulting in failure to meet operating income needed to
sustain long-term business operations.

16. International Operations
Failure to appreciate cultural, market, political and regulatory risks results in underperformance
or loss of investment.

17. Change Readiness
The organization is not open to or does not implement critical processes or product and service
improvements quickly enough to keep pace with changes in the marketplace or to achieve anticipated
savings or productivity gains. It holds on too long to failing operations and strategies. The desire for
unanimity impedes the organization's ability to act.

18. Authority/Accountability
Unclear roles and levels of authority result in a lack of coordination between parties, duplication
of efforts, unexpected outcomes, performance gaps or the assumption of unacceptable compliance/
business risks. Failure to hold associates accountable leads to poor results.

19. Associate Performance Measurement
Unrealistic, misunderstood, subjective, or non-actionable performance measures cause managers
and associates to act in a manner inconsistent with the organization's objectives, strategies, ethical and
legal standards, and prudent business practice. Lack of integrity and equity in pay practices results in
decreased associate morale.

20. Associate Competence
Lack of knowledge, training and development activities preclude associates from effectively
discharging their current operating responsibilities, as well as preclude creating a workforce that is
flexible and prepared for future challenges in implementing the organization's long-term strategies.

21. Management Development
Lack of cross-training, mentoring, orientation, flexible recruiting and retention strategies as well
as succession planning for key positions results in a lack of leadership, technical skills, and ability to
provide our customers with the organization's products and services.

22. Resource Availability
Unavailability of essential, qualified associates impedes the organization's capacity to grow, execute strategy and generate future financial returns.

23. Unionization
Failure to deal effectively with union efforts results in organizational discord, operational impairment, and resource misalignment.

24. Information Systems Integrity
Lack of functional integrity in the information system infrastructure and application systems
results in unauthorized access to data, incomplete, inaccurate, or non-timely delivery of information
and processing of transactions.

25. Information Systems Infrastructure
Ineffective and inflexible technology infrastructure impairs the organization's ability to effectively and efficiently support the current and future information and operational/compliance needs of
the organization.

26. Information Systems Disaster Recovery
Inability to access important information when needed impedes the continuity of the organization's critical operations and processes.

27. Financial Accounting and Reporting
Failure to accumulate relevant and reliable external and internal information to prepare accurate
and complete financial statements and related disclosures affects stakeholders' (including lenders and
regulators) ability to assess the organization's financial status and leads to surprise adjustments to
financial results.

28. Investment Portfolio
The organization depends on investment income to off-set inadequate operating performance.
Investment portfolio strategy does not align with business strategy. Lack of relevant or reliable
information supporting investment decisions and the financial risks assumed results in poor short- or
long-term investments.

29. Collections
Failure to collect payments as due from patients, vendors, or other third parties exposes the organization to excessive write-offs and collection costs. Inability to either obtain cash on a timely basis
or convert non-cash assets to cash when needed precludes the organization from paying or meeting its
current obligations.

30. Transaction Processing
Inadequate processes for billing, collecting, paying, recording, reconciling, and monitoring transactions in financial systems results in inaccurate and/or noncompliant collections, transactions and
data for preparing internal management and external financial and operational reports.

31. Clinical Quality
Quality failures, reflected through patient outcomes and satisfaction, significantly affect the organization's reputation, efficiency, compliance and accreditation status, future sales, market share and
reimbursement.

32. Product Development and Integration
Inadequate development and implementation of products and services impedes the organization's
ability to meet or exceed customers' needs and wants. Difficulty in developing and integrating new
clinical technologies leads to inefficient, noncompliant operations, inaccurate information and loss of
competitive advantage.

33. Cost Control
Failure to identify and implement a flexible cost structure at the System and regional levels that is
responsive to market conditions results in an inadequate operating margin.

34. Contract Management
Inadequate, irrelevant, or inaccurate contracting strategies and processes result in excessive or
inappropriate contractual commitments.

35. Plant and Equipment Maintenance/Repair
The organization defers plant and equipment maintenance and replacement to meet other strategic
and operating goals which results in unsafe and unattractive facilities.

Source: CHRISTUS Health, 2008.

Part II
Financial Issues

3 Insurance and Risk Financing: The Basics
Ellen L. Barton, JD, CPCU
Principal, ERM Strategies, LLC

3.1 Introduction

Most healthcare lawyers develop their expertise in insurance and risk financing through
on-the-job training. This may occur because of any number of circumstances including when in-house
counsel assumes responsibility for risk management or when the chief financial officer asks them to
review an insurance policy. With outside counsel, this may occur when a client asks them (as part of
merger negotiations) to review the parties' insurance program for adequacy. Regardless of the situation, it will serve healthcare lawyers well to develop a working knowledge of basic insurance and risk
financing concepts in order to enhance their understanding of enterprise risk management and their
ability to provide advice and counsel on such matters.
3.1.1 Risk Financing

It is probably most appropriate to provide an overview of risk financing in the context of the risk
management process. The risk management process has five steps:
1. Identify and analyze loss exposures.
2. Examine alternative risk management techniques for treating the loss exposures:
   a. Risk Control
      - Risk Avoidance: to avoid the risk
      - Loss Prevention: when dealing with frequency
      - Loss Reduction: when dealing with severity
   b. Risk Finance
      - Retention
        i. Active: Non-insurance, self-insured
        ii. Passive: Not recognized
      - Transfer
        i. Insurer: Commercial Carrier
        ii. Non-insurer: Indemnification and hold harmless agreements
3. Select the best risk management technique(s).
4. Implement the technique(s).
5. Monitor and evaluate the results.
Risk financing techniques provide funds to pay for losses that risk control techniques do not
entirely stop from happening. Such techniques are designed to obtain funds, at the least possible cost,
to restore the actual losses that strike the organization.
The following are criteria for selecting a risk financing technique: (1) the financial security each
technique provides; (2) the effect each technique has on the organization's long-term costs and, therefore, its profitability; and (3) control. It should be noted that risk financing techniques can be depicted
as a continuum for the covered entity moving from total risk transfer (where there is a guaranteed cost
of risk financing through the purchase of insurance) to a blended risk transfer/retention (where the
organization may have deductibles, self-insured retentions, insurance, and reinsurance) to total risk
retention (where there is no insurance or reinsurance).
3.1.2 Retention

Retention may involve the current expensing of losses, i.e., paying for losses out of available cash
as they occur. For example, hospitals often choose to retain losses such as lost eyeglasses or dentures.
Retention may also involve either funded or unfunded loss reserves. Unfunded or funded loss reserves
involve an accounting entry that shows a potential liability for a loss; or an organization can set aside
funds for expected losses, known as earmarked funds. Thus, in the example involving lost eyeglasses
or dentures, a hospital may choose to put aside a set amount of funds for such losses based on previous
experience or simply decide to pay such losses out of current operating funds.
For large retained losses, an organization might find itself borrowing funds to cover uninsured
losses. Borrowing to pay losses might result in a reduction in the organization's line of credit or ability
to borrow for other purposes; and, in time, will require earnings to repay the loan. More formalized
methods of self-insurance may involve a trust fund or captive insurance company, which are used
to finance specified types of losses. A trust fund is simply a bank account (generally) for the organization's own risks, administered by a formalized agreement or statement of coverage. A captive
insurance company is an owned or affiliated corporation established to insure the risks of the parent
corporation or its members. Captives can also be organized to assume the risk of outside parties.
3.1.3 Transfer

There are two basic risk transfer techniques: first, a contract providing indemnification or hold
harmless obligations; second, an insurance policy. Contracts for services may provide that the person
providing the service will hold the organization harmless from liability resulting from the service
provider's actions or agree to indemnify the organization from such liability. Insurance, on the
other hand, is defined as a contractual relationship that exists when one party (the insurer), for a
consideration (the premium), agrees to reimburse another party (the insured) for a loss to a specified
subject (the risk) caused by designated contingencies (hazards or perils).1 Reinsurance is a contractual
arrangement involving the purchase of insurance by an insurer from another insurer. It is basically insurance for the insurance company; reinsurance has a stabilizing effect by smoothing the ups
and downs of fluctuating loss experience. It also increases the capacity of the insurance company to
write business and provides it with catastrophic protection against the adverse effects of large losses
from natural forces or man-made disasters. There are two forms of reinsurance: facultative and treaty.
Facultative reinsurance usually covers a single transaction handled directly with the reinsurer. Many
facultative reinsurance policy forms are drafted (or manuscripted) to fit the specific risks insured
against. These risks are often unique, large, and/or hard to insure. With treaty reinsurance, the reinsurer
agrees in advance to accept certain classes of exposure as outlined in a treaty. The insurer assumes the
underwriting authority on behalf of the reinsurer.
1. Types of Insurance
a. First party insurance provides coverage for the insured's own property or person so that
the insured will be restored to the same financial position that he or she had prior to the
loss.
i. Examples of first party coverage are: fire/property; business interruption; boiler &
machinery; builders risk; flood; earthquake; crime; HMO/capitation stop loss; and automobile collision and comprehensive.
b. Third party insurance, also called liability insurance, provides coverage to a party other
than the insured to make that person whole for loss or injury caused by the insured. As its
name implies, it involves three parties: the one who is harmed, the insurer, and the insured
that caused the harm or damage.
i. Examples of third party liability coverage are medical professional liability; general
liability; automobile liability; directors & officers; errors & omissions; employers liability; environmental impairment; and excess/umbrella liability.
c. Health and welfare insurance, also called social insurance, provides coverage for medical and related expenses.
i. Examples of health and welfare insurance are: workers compensation; health benefits;
vision coverage; dental coverage; life insurance; long term disability; and short term
disability.
d. Financial Guarantees are different from the traditional concept of insurance in that assets
are pledged for the full amount of the risk transferred.
i. Examples of financial guarantees are: surety bonds; public official bonds; appeal bonds;
judicial bonds; contract and performance bonds; license & permit bonds; and financial
bonds, e.g., bankers blanket bond.

1 IRMI online glossary of terms available at http://www.irmi.com.

2. Non-insurance Transfer through Contractual Arrangements
a. Contractual terms clarifying, limiting, or transferring liability.
b. Indemnification and/or hold harmless agreements.
i. For example, an owner hires a contractor to do work. The contract provides that if
anyone is injured as a result of the contractor's work, the contractor will hold the owner
harmless and indemnify the owner for any financial loss. Thus, if a third party sues the
owner, it is the contractor's responsibility to pay the loss.
3.2 Principles of Insurance

An insurance policy is a legal contract. In order for a contract to exist, four elements must be present: offer and acceptance (an agreement); consideration (money/premium); competent parties; and a
legal purpose.
3.2.1 Key Concepts

1. Interpretation: Insurance contracts are generally viewed as contracts of adhesion, meaning
that one party draws up the contract, and the other party adheres to it. In such cases, ambiguities are usually interpreted against the party that wrote the contract. Another principle of
interpretation provides that if there is a conflict between the parties, the reasonable expectations of the parties can be used to resolve the dispute.
2. Indemnification: Insurance contracts are designed to indemnify the insured. That is, they
will restore the insured only to the extent of his or her loss.
3. Subrogation: Subrogation is the right of the insurer to recover from a third party who caused
the insurer to pay the loss.
4. Good faith: Insurance contracts must be entered into with the utmost good faith. Good faith
means to deal with honesty and sincerity. Courts' penalties are severe when they detect bad
faith on the part of either the insurer or the insured.
5. Representations: Generally, in the purchase of insurance, the prospective insured must complete an application in which it makes affirmative representations. Such representations are
usually written, but may be oral and made with the intention of securing insurance.
6. Misrepresentations: False statements relied upon by the insurer in issuing coverage. Such
false statements need to be material in nature in order for the insurer to void coverage.
7. Warranty: Statements or promises contained in the insurance contract that would void coverage if untrue.
8. Concealment: The failure to divulge facts, or to remain silent when questioned as to key
facts.
9. Fraud: Deliberate deceit with intent to take financial advantage of another.

10. Estoppel: This concept prohibits an insurer from citing its standard policy defenses if:
(a) a false representation is made by the agent or company; (b) it is relied upon by the insured;
and (c) it causes the insured to be financially harmed or prejudiced.
11. Affordable coverage: Such coverage that is available for a reasonable premium.
12. Law of large numbers/predictable loss: This theory states that the larger the number of
homogeneous occurrences, the more predictable future losses will become.
13. Adverse selection: The tendency of poorer risks to seek insurance; that is, those who
believe they are more likely to suffer a particular loss are more likely to seek insurance for it
as well.
3.2.2 Elements of Insurability

1. Pure risk: A category of risk in which loss or maintenance of the status quo are the only
possible outcomes; there is no beneficial result or possibility of a gain. Pure risk is related to
events that are beyond the risk-taker's control. Speculative risks, on the other hand, allow for
the possibility of a gain, a loss, or the maintenance of the status quo. An example is gambling.
The gambler has an opportunity (or chance) to win, lose, or draw (break even). For a risk to
be insurable it must be accidental, fortuitous. Therefore, only pure risks are insured through
conventional insurance markets.
2. Insurable interest: The insured must have an ownership interest in or control of the property
at the time of the loss.
3. Definable loss: A definable loss is one in which there is the ability to determine the time and
amount of the loss.
4. Unexpected loss: A loss that is accidental and fortuitous (in the sense of occurring by chance,
not in the sense of luck).
3.3 Insurance Company Types

There are two major types of insurance companies: private and governmental. Private insurance
companies are those owned and operated by private citizens that issue most coverage types, but they
exclude risks that are considered uninsurable such as unemployment, flood, etc. Government-owned
and operated insurance companies generally write coverage that is not underwritten by the private
sector such as unemployment, flood, etc. In addition, government-owned and operated insurance
companies compete with private insurers in limited lines such as workers compensation in monopolistic states. Private insurance companies can take one of several forms: stock companies, mutual
companies, or fraternal or benevolent societies. Stock companies are simply those that are owned
by stockholders. Mutual companies are owned by policyholders and share their profits in the form
of dividends to policyholders. Fraternal or benevolent societies provide formal insurance plans for
life and health insurance products for their members and are exempt from federal and state taxes and
certain laws. Reciprocals are unincorporated associations whose members (subscribers) insure one
another. An attorney-in-fact manages such organizations. Finally, Lloyd's is a group of individuals who
share in the making of insurance contracts. Individuals directly accept risks for personal profit or loss.
All insurance companies typically have the following departments or functions: sales and marketing;
underwriting; accounting; investment; legal; claims; policy issuance and administration; audit; loss
control/risk management; actuarial and statistics; agency; and reinsurance.
3.3.1 Agents vs. Brokers

Agents are individuals, partnerships, or corporations authorized by an insurance company to select
risks, collect premiums, and countersign policies. An agent represents the insurance company. Brokers
are individuals, partnerships, or corporations who act or aid in any manner in obtaining insurance
for another for a fee or commission. Brokers represent the insured. Both agents and brokers must be
licensed. They are deemed to have a fiduciary duty to exercise their professional responsibility and
to conduct their insurance business in accordance with the law and in an ethical manner. Brokers and
agents have a duty to engage in careful assessment of the risks that are being underwritten, recommend
proper coverage with a financially secure insurance company, follow company guidelines, maintain
quality notes and records, and keep abreast of new products and coverages.
3.3.2 Approved vs. Non-Approved Insurance Companies

Insurance companies are generally considered to be approved or non-approved. Approved companies are licensed to conduct insurance business in a particular state. The companies are then considered
admitted and must file rating schedules and coverage plans with the state department of insurance.
Admitted carriers also participate in the state's guaranty fund. State guaranty funds protect insureds
(albeit limited in financial payments) in case the insurer becomes insolvent or is unable to meet its
financial obligations. Non-admitted carriers are generally referred to as surplus lines carriers. Surplus
lines carriers may legally operate within a state and are typically used for hard-to-place risks. Surplus
lines carriers do not participate in state guaranty funds. Such companies also have great flexibility in
their rating schedules and coverage forms and do not have to file them with the state department of
insurance.
3.3.3 Financial Ratings and Standards for Insurance Companies

As mentioned previously, it is important that the insurance company providing coverage for an
institution's risks be financially stable. There are a number of companies that monitor the financial stability of the insurance industry and regularly publish reports. They are: A.M. Best Company, Standard
& Poor's, Moody's, security committees of major brokerage companies, state insurance departments,
the National Association of Insurance Commissioners (NAIC), which has no regulatory authority but
promulgates uniform standards for insurance company operations and financial operating ratios, and
Insurance Service Organization (ISO). Monitoring the ratings of an institution's insurance companies
should be done on an annual basis or more often if an insurer's financial stability is called into question
or the ratings have been downgraded by one of the major rating agencies. Insurers are rated both on
their stability and their size; generally the larger the company, the more capacity it has, enabling it to
write larger risks. An unstable company, however large, is a risky proposition.

3.3.4 Certificates of Insurance

It is often necessary to provide proof of insurance to outside third parties. This is done through
a mechanism called a certificate of insurance. Insurers (or their authorized delegates) issue them on
behalf of and at the request of their insured. Programs of self-insurance will often issue a memorandum of coverage letter as proof of coverage when so requested.
3.4 The Insurance Transaction

The insurance transaction involves a number of steps in a process that can take anywhere
from several days to several months and includes: the selection of a broker and/or consultant, the
application/submission for insurance, selection of prospective insurance carriers, the underwriting
transaction, the evaluation of insurance proposals, the execution of the insurance contract, and finally,
planning for the next renewal.
3.4.1 Selection of Broker and/or Consultant

The broker/consultant assists and advises throughout the entire process. Your broker should have
a special knowledge of you and your facility, the healthcare industry, the marketplace and insurance in
general. In addition, the broker should have the resources to deal with all or most aspects of your insurance program, and a service philosophy that is based on integrity, forming a partnership based on solid
information. Although not required to, organizations can use the services of an insurance consultant to
perform some of the typical broker services, such as assistance with coverage specifications, coverage
comparison, and placement evaluation. Consultants can also draft requests for proposals (RFPs) and assist with
broker selection.
3.4.2 Application/Submission for Insurance

The application for insurance contains required information regarding the insured, its operations,
and the risk that is being underwritten. In addition, the submission will outline the requested program structures, various options and coverage specifications. Other required information includes a
historical perspective of the organization's insurance programs, an organizational chart, a summary
of exposures (generally for the preceding 10 years), loss experience (for 10 years) with analyses, the
last three years' financial statements, a description of the applicant's risk management program, and a
description of the claims management program with particular emphasis on reserving practices. The
application and attachments provide an opportunity for the prospective insured to tell its story in a way
that provides a level of comfort to the prospective insurance company. Several prospective insurance
companies are rewarding insureds with up-front premium discounts for implementing proactive risk
management/patient safety initiatives. When telling its story, the prospective insured is well served to
emphasize those initiatives as such programs could translate into premium savings as well as making
the risk more acceptable to underwrite.

3.4.3 Selection of Carriers for Bidding Purposes

There are numerous criteria that could be used to select a group of carriers to bid on the prospective
risk: (1) the portfolio of insurance products (that is, the coverages available); (2) the financial strength
of the company; (3) the company's claims paying philosophy; (4) the company's risk management and
loss control services; (5) the company's longevity in the marketplace; (6) the company's reputation;
(7) the quality of the company's policy administration services; (8) the company's flexibility to meet
current and future needs; (9) the company's management stability; and (10) the company's admitted/
surplus lines status by state. It may be unrealistic to expect to find a single insurer who can provide all
lines of insurance desired as carriers tend to specialize in certain lines.
3.4.4 The Underwriting Transaction: Art or Science?

Underwriting is the process by which the insurability of the risk is determined, at what amount of
coverage, and for what price. The goal of underwriting is to allow the insurance company to provide
its products and services at a profit to the insurer. The underwriting process involves selecting risks
that are consistent with the company's line of business, assuring that the risks can be spread, avoiding
adverse selection, and designing a premium structure that will yield underwriting profits. Underwriting also involves classifying risks and pricing them appropriately as well as designing products with
coverage terms and conditions that include selected limits and retentions.
3.4.5 Evaluation of Insurance Proposals

The first question to be asked in evaluating insurance proposals is whether the proposal addresses
the risks. Does the proposal meet your objectives regarding price and coverage? It is helpful to compare (in an easy-to-read chart format) the current in-place program with options from proposed carriers
in terms of the following items: limits, coverage, exposures, losses, exclusions, service experience and
personnel, financial rating of the carriers, overall cost and financial security requirements, and conditions required by the insurer. Other considerations by which insurance proposals should be evaluated
include: the context of the market conditions, minimum requirements of regulatory authorities, bond
covenants, contracts, etc. Finally, you need to ask if the proposal will accommodate your long-term
risk financing goals.
3.4.6 Execution of the Insurance Contract

When an order for insurance coverage is placed, the insurance company or authorized agent will
issue a binder which outlines key terms of the coverage, provides evidence of insurance, and is limited
in time. The binder obligates (binds) the insurer to the terms described in the binder. The insurance
company will then issue a policy with all the specific coverage information included and will issue
certificates of insurance to appropriate parties as instructed by the insured. Concurrent with placing
coverage, the insured and insurer will determine the process and procedures for identifying claims, notifying the carrier of them, and managing them; determine the risk management services to be delivered; and identify any
insurance changes, particularly where coverage is diminished or eliminated. Finally, the risk manager
needs to communicate the new insurance coverage details to the institution and all interested parties.
Arrangements will also be made for building inspections (in the case of property insurance), audits
(for various financial lines of coverage), and premium financing if so requested. Continuing communication between insured and insurer is necessary to maintain appropriate coverage for changing risks.
3.4.7 Planning for Program Renewal

The best time to plan for the next renewal is when you finish the current renewal. This is the time
when issues and concerns are uppermost in mind. In addition, planning should include monitoring
the current insurance program and underwriting markets for continued financial stability, evaluating
service providers (such as brokers, third party administrators managing claims, and defense counsel),
maintaining a log of risk management improvements, internal and external benchmarking, and tracking changes in the risk profile.
3.5 Claims-Made vs. Occurrence Coverage

Occurrence coverage provides coverage for a claim that occurred during the policy period regardless of when the claim is reported to the insurance company. Claims-made coverage provides coverage
for a claim that occurred after the inception or retroactive coverage date of the policy and is reported
to the insurance company while the policy or any replacement policy is still in effect. The retroactive
date defines the beginning of the coverage period for the claims-made policy. This date is retained
on an indefinite basis if the insured remains with the same carrier. The retroactive date will usually
predate the effective date on the policy in order to provide seamless coverage and mitigate any coverage gaps. If an insured changes claims-made carriers, the original retroactive date can be maintained
or an extended reporting endorsement can be purchased from the exiting carrier, in which case a new
retroactive date is then established with the new insurance carrier. The extended reporting endorsement may be referred to as the discovery provision, as tail coverage, or as an extended reporting period
(ERP). This endorsement is attached to the exiting policy and extends the reporting period past the
expiration of the policy. It covers events that occurred while claims-made coverage was in place and
that would have been covered had the old policy been continued. In making a decision to purchase
coverage for an extended reporting period, the following issues should be considered: (1) the availability of such coverage; (2) the length of the reporting period; (3) cost of tail; and (4) cost and provisions
for reinstatement.
Most medical professional and general liability policies are claims-made; however, some self-insurance trusts and captive insurance companies provide occurrence-based coverage. Thus, understanding
the implications of each of these types of coverages is important.
3.6 Limits: Terms and Conditions, Sublimits, Scheduled Losses, etc.

The policy limit represents the maximum amount the insurer will pay for losses. The per claim
limit applies to a specific loss. The aggregate limit applies to all losses within a policy term (usually
a year). Therefore, policy limits of $1 million/$3 million mean the insurer will pay a maximum of
$1 million for any one claim, and a maximum of $3 million for all claims, of whatever size (up to
$1 million), taken together. There are also primary limits and excess limits, which simply refer to
those limits applicable to a primary layer of coverage and those limits applicable to excess layers of
coverage. The primary layer is the policy that pays first and can include deductibles. The primary
layer is considered closer to the risk insured and sometimes called the working layer. This layer has a
higher frequency of losses than does the excess or umbrella layers and is therefore more predictable
and easier to price. In addition, an organization may have purchased umbrella coverage, the purpose of
which is to provide coverage when underlying per claim limits have been paid; coverage may also drop
down and pay when the aggregate limits are exhausted by the payment of claims. Umbrella coverage
provides coverage excess of multiple lines of insurance (such as automobile liability, medical professional liability, directors and officers, etc.) and can afford coverage against some claims not covered in
the primary layer subject to a self-insured retention. An insurance program may also provide for sublimits for specific exposures, which are limits within the overall policy, not in addition to the policy
limit. For example, a policy may have a limit of $1 million but a sub-limit for property damage of only
$50,000. Thus if there is a covered loss involving property damage, the most that the carrier will pay
for that loss is $50,000. There may also be shared limits where several entities will be covered by just
one limit. Blanket limits apply to two or more classes of risk or locations and thus help prevent being
underinsured. Scheduled limits provide for specific limits either by location or by risks that have been
specifically rated in the policy. Scheduled limits are often used for fine arts, jewelry, or rare books.
Finally, policies may provide for variable limits; that is, the amount of the limit changes due to inflation or as a result of some other predetermined reason.
3.6.1 Deductible vs. Retention: The Effect on Limits

A deductible is defined as that portion of an otherwise insured loss that is borne by the insured. A
retention, on the other hand, is defined as that portion of a loss assumed by the insured, in the form of
self insurance. To illustrate the difference, consider a deductible policy with a $1 million policy limit
and a $100,000 per claim deductible. If a $1 million claim occurs, the insurance carrier is responsible
for paying the full amount of the claim and recovering the deductible from the insured. Thus, the
total amount of insurance available is $900,000. Coverage through a self-insured retention (SIR) is
in addition to the coverage limit purchased. SIRs are popular with insureds because of the ability of
the insured to manage the claim within that layer of coverage. Purchased insurance is excess of the
SIR and increases the amount of coverage available to pay a covered claim. If the insured purchases a
$1 million policy and has a $100,000 SIR, the coverage available for a covered loss is $1.1 million.
3.6.2 Other Concepts Related to Limits

It is important to understand whether expense costs (i.e., defense counsel, expert witness fees,
etc.) are considered within the limit (also known as cost inclusive) or outside the limit (also known as
cost exclusive) and how they will affect premium costs as well as funding requirements. When expense
costs are within the limit of liability, coverage limits will erode faster and excess or umbrella policies
will drop down and respond more quickly. It is not hard to understand why policies written with expense cost
included within the limit will be cheaper on a primary basis but more expensive on an excess basis.
Consider for a moment a birth injury case, one of the most expensive claims to defend: under policies
where expense costs are within the policy limit, coverage could be exhausted through the payment of
defense costs, expert witnesses, etc., leaving no money to pay a judgment or to negotiate a settlement
within the primary layer, requiring the excess layer to respond. The primary insurer's obligation is
over after paying the per claim limit of liability. When expense costs are outside the limit of liability,
the carrier not only has the obligation to pay the per claim policy limit but also has the obligation to pay
the expense costs. Cost exclusive policies are more expensive on a primary basis because the insurer
pays both the limit and the expense costs, while the excess policies can be less expensive because they
will not have to respond until the limits are exhausted through an indemnity payment.
Tracking claims and remaining aggregate limits is an important responsibility with regard to excess
carriers. It is very important to keep excess carriers informed so they respond when losses reach their
level. In addition, claims need to be tracked by the type of limit: claims-made vs. occurrence. When
a tail policy is purchased at the expiration of coverage from a claims-made insurer, the insured will
need to know if the limit is a new limit or is simply treated as an extension of the last year's remaining
limits. Another concern is how the deductible or retention is treated with regard to the aggregate. In
other words, does the deductible or retention erode the aggregate so that the coverage limit is lessened?
Generally, insurance companies price coverage at a rate per million dollars of coverage; however, the
rate generally changes per incremental amount of coverage. Thus, an insured may be able to purchase
additional millions of coverage for far less than the first $1 million of coverage. In other words, the
second $1 million of coverage is cheaper than the first and the second $10 million similarly cheaper
than the first $10 million. Finally, it is critical to assure that there is consistency of terms as they apply
to primary and excess layers so that there are no gaps in coverage. Excess carriers are often asked to
write following form coverage, following the form of the primary (or lower) layers of insurance.
3.6.3 Premium Determination and Rating

Insurance companies determine premiums based on several rating schemes. Two of the more
common procedures are manual rating and loss (or experience) rating. In manual rating, an insurance
company uses the premium rate specified in an insurer's or rating bureau's manual for a particular line
of insurance. Loss rating is a method of adjusting the premium for an insured based on the insured's
own loss experience compared to the loss experience of insureds facing the same exposure. Most captive insurance companies use loss rating.
3.7 The Insurance Policy

The main sections of an insurance policy can be described by the acronym DDICEE and are as
follows:
1. The Declarations Page, also called the dec page, specifies the type of policy and coverage,
the policy number and policy forms, the policy period, the name and address of the insured,
the broker or agent, the limits and deductibles/retentions, the effective/retroactive dates of
coverage, the type of business, the policy premium, and a listing of the endorsements or
extensions of coverage.
2. Definitions define specific terms in the policy that are usually bolded to signify that they have
specialized meanings. The definitions section of the policy is designed to clarify coverage
terms and conditions. However, be aware that definitions can be spread throughout the policy
and can often be found in the section to which they pertain.
3. The Insuring Agreement is the contractual heart of the policy. It states whether the coverage
is on an occurrence or claims-made basis and outlines the duty to defend, which has two
separate and distinct parts: (a) to investigate and defend claims; and (b) to indemnify the
insured for actual losses incurred (including adverse judgments). Any doubts related to the
insurer's duty to defend must be resolved in favor of the insured. It is important to refer to
the definitions section of the policy to understand who the insured is, what constitutes a
medical incident, and how a claim is defined. The named insured is identified on the declarations page and has full rights and responsibilities under the policy. Additional insureds may
be added by endorsement to the policy, not on the declarations page. Additional insureds are
entitled to defense and indemnification but do not have any rights regarding policy or coverage administration.
4. Conditions outline the rules, duties, provisions, and obligations of the insured and insurer.
Some common conditions include cancellation, policy territory, assignment, arbitration,
liberalization, subrogation, other insurance, inspections and surveys, and non-renewal. Additional conditions include examination of insured books and records (which is also a Medicare
requirement), changes to the policy or waiver of rights, payment of premium and return of
premium, claims reporting requirements/duties after a loss, and concealment, misrepresentation, and fraud. In addition, look for additional language to be added to policies to comply
with mandatory insurer reporting required under Section 111 of the Medicare, Medicaid and
SCHIP Extension Act of 2007 (MMSEA).2
5. Exclusions eliminate coverage for specific occurrences that are deemed uninsurable or not
contemplated for coverage under the policy. Exclusions will vary significantly by line of
coverage. Some common exclusions include damages resulting from war, pollution, asbestos,
nuclear power, and fraudulent, criminal, or dishonest acts.
6. Endorsements are used to change or add to a policy's original terms and conditions. They
may be included at the time the policy is issued or later. They can broaden, limit, restrict or
explain coverage and are typically used to add or delete coverage or insured status. There are
standard endorsements prepared by Insurance Service Office (ISO) that are commonly used
by many insurers; however, there are also manuscript endorsements that are drafted by the
insurer (or by the insured or its broker) to apply to a specific situation.

2 MMSEA adds new reporting requirements for group health plan arrangements (GHP) and for liability insurance (including self-insurance), no-fault insurance, and workers' compensation laws or plans to report the identity of a Medicare
beneficiary whose illness, injury, incident, or accident was at issue as well as such other information specified by the Secretary to enable an appropriate determination concerning coordination of benefits, including any applicable recovery claim.
See 42 U.S.C. 1395y(b)(7) and (8). A specific website has been created by HHS/CMS for mandatory insurer reporting
and can be accessed at http://www.cms.hhs.gov/MandatoryInsRep/01_Overview.asp#TopOfPage.


3.8 Insurance Policies by Line of Coverage

An insurance policy will describe in detail the specific risks that are covered. Below is a nonexhaustive list of the many different types of insurance coverage that healthcare institutions might
consider depending on their various exposures.
3.8.1 Aircraft (Non-Owned) Liability

Non-owned aircraft liability insurance provides coverage for bodily injury and property damage
caused by an accident involving a non-owned helicopter using the helipad or an accident involving
non-owned aircraft for which the insured is responsible. Losses from aircraft accidents are excluded
from normal general liability and property insurance, so this coverage is needed if, for example, the
insured operates a helipad.
3.8.2 Boiler and Machinery Coverage

Boiler and machinery insurance provides protection for explosion of boilers and other pressure
vessels and accidental damage to equipment. It also covers resulting damage to other property, including property in the care of the insured, for which the insured is liable. Boiler and machinery insurance
may be included in blanket property insurance.
3.8.3 Commercial Automobile Coverage

Commercial automobile insurance protects against loss arising out of the ownership, maintenance, and use of automobiles and their equipment including those that are owned, hired, or borrowed,
and those that are not owned but for which the insured has responsibility, such as the personal car of
an employee used to run a company errand. In this last instance, the liability coverage provided for
these vehicles is excess over the coverage the vehicle owner may have. The excess coverage does not
apply to the employee individually unless the coverage is endorsed to cover employees as additional
insureds. Automobile liability is usually written on a combined bodily injury and property damage
limit. Automobile physical damage is written on an actual cash value basis for comprehensive loss
(fire, theft, windstorm, hail) and collision. Collision is always written subject to a deductible. There
are special automobile exposures in healthcare given the following: personal use of company cars
(permission for such use can be granted); employees as additional insureds (remember, the employee's
policy will respond first); and personal use of non-owned automobiles (for which one should have
"drive other car" coverage and personal umbrella coverage). Note, too, that coverage does not apply
to physical damage to employees' automobiles, even if they are used in business. Garage insurance,
not automobile insurance, applies to losses to vehicles in employer-operated garages and parking lots.
Additional exposures involve ambulances used for emergency transport and other patient transport as
well as auxiliary and volunteer exposures.



3.8.4 Commercial General Liability

Commercial general liability protects against financial loss resulting from bodily injury and property damage from the insured's liability to third parties arising out of the premises the insured owns
or occupies, operations, products, and completed operations, advertising, personal injury liability, and
liability the insured assumes under contract, subject to the exclusions of the policy. The coverage is
usually rated based on square footage and/or receipts. The most common general liability exposures
include liability arising out of contracts, visitors, product liability, libel, slander, false imprisonment,
defamation of character, and sexual abuse by non-professional employees. Because of potential coverage gaps, it is recommended that general liability insurance be purchased from the same insurer that
provides the organization's professional liability. The biggest reason for this is that most commercial
general liability policies will exclude coverage for bodily injury for any person who is in the insured's
building or on the insured's premises for the purpose of receiving any type of medical evaluation, care,
or treatment. Thus, coverage for such injury to patients needs to be covered under a medical professional liability insurance policy. Having one company provide both coverages eliminates the potential
for disputes.
3.8.5 Directors and Officers (D&O) Liability

D&O insurance protects directors, trustees, officers, and other key executives as identified in
the policy from personal liability for wrongful acts (misstatements, misleading statements, acts,
omissions, neglect, or breach of duty) and insures that the organization is covered for its obligation to
indemnify its officers, directors, trustees, and key executives. Under this coverage, the insurer shall
pay on behalf of the Company all losses for which the company grants indemnification to the insured
persons and which the insured persons have become legally obligated to pay on account of any claim
for a wrongful act. There are three coverage parts: Insuring Agreement A provides individual coverage
to the director (trustee), officer or key executive when the corporation (e.g., a hospital) cannot provide
indemnification. Insuring Agreement B provides corporate reimbursement when directors, trustees,
officers, and key executives can be indemnified. Insuring Agreement C, if purchased, provides entity
coverage for loss from covered wrongful acts that it is legally responsible to pay. Healthcare exposures
include committee membership (peer review: loss or denial of privileges), compliance issues, antitrust,
wrongful termination (including committee decisions and routine personnel activities), sex and age
discrimination (failure to supervise employees accused of misconduct), diligence (alleged waste or
neglect of assets, failure to manage), breach of loyalty (conflict of interest), and contractual issues with
outside stakeholders.
3.8.6 Employment Practices Liability

Employment practices liability (EPL) insurance is designed to cover employment discrimination,
sexual harassment, negligent hiring and selection, and wrongful termination. The insureds include the
corporation, directors and officers, and employees. This type of coverage can be included in directors
and officers insurance or written as a separate policy.


3.8.7 Fiduciary Liability

Fiduciary liability insurance covers breach of fiduciary responsibility under common law or ERISA
for directors and administrators of an organization's pension plan and health & welfare funds.
3.8.8 Fidelity Coverage

Fidelity insurance, also referred to as commercial crime coverage, provides coverage for several
different types of crimes: (1) dishonesty of employees; (2) forgery or alteration; (3) theft of money
and securities; (4) funds transfer fraud coverage; and (5) computer fraud. Coverage can be endorsed to
cover other risks as well such as kidnapping, ransom, and extortion coverage. One way to remember the
major coverages is to remember the 3 Ds representing dishonesty, disappearance, and destruction.
3.8.9 Garage/Garagekeepers Liability (Parking Garage Exposure)

A general liability policy covers loss to third parties resulting from premises exposure of parking areas but excludes losses to property in your care, custody, and control. A garagekeepers legal
liability policy provides coverage for physical damage to automobiles in your care, custody, and control for which you are legally liable. Valet services can result in automobile physical damage exposures
not covered in any other form of coverage.
3.8.10 Helipad Premises Liability

Helipad premises liability covers bodily injury and physical damage arising out of the use, ownership, or operation of a helipad including slips and falls that occur during the loading and unloading of
patients and bodily injury of bystanders and property damage to others. A separate policy is needed for
this coverage since it is explicitly excluded under the commercial general liability policy. This coverage can be combined with non-owned aircraft coverage.
3.8.11 Managed Care Liability

Managed care delivery mechanisms take a variety of forms: preferred provider organizations
(PPO), which are plans that contract with providers for discounted fees or for payments based on a fee schedule; health maintenance organizations (HMO), which are group practices, staff models, or independent networks
that provide comprehensive care for a fixed price paid in advance of rendering services; and independent
practice associations (IPA), which are organizations that contract with a managed care plan to deliver services in
return for a single capitation rate. The IPA in turn contracts with the individual providers to provide
the services either on a capitation basis or on a fee-for-service basis. A physician-hospital organization (PHO) is a legal or informal organization that bonds hospitals and their attending medical staff.
Frequently, such organizations are developed for the purpose of contracting with managed care plans.
Point of service plans (POS) or open ended HMOs (OEHMO) are managed care programs that allow
the patient to select a point of service between full benefits within a network or reduced benefits for
care outside the network. A primary care physician is used to facilitate services. Finally,
there are provider sponsored organizations (PSOs) which operate the PHO. Delivering care in this
manner brings some unique exposures (in addition to direct professional liability) that include: vicarious professional liability; liability for improper design or administration of the cost controls; breach
of contract or bad faith; ERISA; antitrust; denial of benefits or services; discrimination; advertising
injury; violation of state insurance laws; invasion of privacy; insolvency/bankruptcy; improper credentialing; fraud and abuse.
There are two types of managed care insurance policies: (1) direct, for those providing medical
services (the staff model HMO and employed physicians); and (2) vicarious, for those facilitating the
delivery of healthcare services (IPA model HMO, PPO, PHO, MSO, foundation model).
There is also a product called managed care errors and omissions that provides business errors
and omissions coverage for damages because of personal injury in the performance of professional
services including utilization review, peer review, claims processing, enrollment, and marketing of
services. This coverage is usually written on a claims-made basis. Managed care D&O liability coverage is frequently purchased with managed care errors and omissions. Some standard exclusions
include: punitive damages, anti-trust, ERISA claims, and coverage for TPA operations.
3.8.12 Professional Liability (Medical)

Medical professional liability insurance provides coverage for claims arising from providing
or failing to provide professional medical services. Professional medical services means any act or
omission in furnishing of healthcare services by or at the direction of a licensed professional, including furnishing food, medications, or appliances, the postmortem handling of bodies, or service by
any persons as members of a formal accreditation review board. While medical professional liability
policies vary greatly from carrier to carrier, most provide coverage for the following individuals and
entities: the corporate entity (including its auxiliary), board of directors or trustees, members of committees, employees, students, volunteer workers, members of religious organizations, and others at the
request of the insured, i.e., certain physicians, dentists, etc. Most medical professional liability policies
also contain specific exclusions: absolute or total pollution (typically excludes coverage in cases of
bodily injury that would not have occurred in whole or part but for the actual, alleged or threatened
discharge, dispersal, seepage, migration, release, or escape of pollutants at any time), physical and
sexual abuse, intentional/criminal acts, fines and penalties, occupational disease or injury, impaired
physicians, asbestos removal, punitive damages, and the loading and unloading of vehicles or aircraft.
In comparing one medical professional liability policy to another, the following issues should be
addressed: coverage type, named insured provision, retroactive dates, limits, defense costs, the claims
trigger, employee/physician coverage, extended discovery provisions (tail coverage), claims reporting
provisions, other insurance clauses, exclusions, and the coverage territory.
In reviewing physicians' professional liability insurance, consider some key issues such as: coverage for ancillary exposures, death, disability, and retirement provisions, entity coverage, consent
to settle provisions, changes in specialty provisions, occurrence vs. claims-made coverage, and the
slotting of positions (mainly for group programs, employed physicians or residency programs where
rotation is frequent and the group of insured is large).


3.8.13 Property Coverage

Property insurance policies cover an organization's buildings, contents, attached equipment,
building service equipment, and interruption of business activities at the site. Most hospitals are considered highly protected risks since they are operated 24 hours a day and are generally managed with a
sensitivity toward loss prevention. Such risks are generally entitled to lower premiums. Most property
policies are written on an all risk basis, which provides coverage for any and all accidental loss except
those specifically excluded versus coverage for specific perils identified in the policy. Thus, the carrier
is required to prove that a loss is not covered, rather than the insured proving that it is. The blanket
limit concept in a property policy allows coverage limits to extend over several buildings or locations
and can include property that may move from one location to another. Another important feature to
consider is to purchase property insurance written on a replacement cost basis so that losses will be
fully covered rather than reimbursed on an actual cash basis. Property insurance may have co-insurance
requirements that require the organization to carry insurance equal to a percentage (such as 90%) of
the value of the property insured. Property insurance could be written on an agreed value basis where
the insurer and insured agree on the value to be paid for a loss in an annual statement of values. There
are a number of common extensions of property insurance such as automatic coverage for new entities
or locations, errors and omissions, service interruption (utility interruption), debris removal, transit,
accounts receivable (sums that become uncollectible), EDP (electronic data processing), valuable
papers, and contingent business interruption. Earth movement (earthquake), flood, and wind damage
coverage may be particularly important depending on the entity's location and may require negotiation, and/or additional premium or may actually require the purchase of separate coverage.
3.8.14 Time Element Coverages (Business Interruption/Extra Expense)

Time element coverage is probably the most misunderstood coverage, and time element losses are
certainly the hardest claims to negotiate. Business interruption and extra expense coverage replace lost
earnings in an amount needed to cover an organization's continuing expenses and lost profits, where
the lost earnings arise from a covered event such as a fire or natural disaster. Continuing expenses
include: debt service, payroll for key personnel, insurance, contractual obligations, advertising, and
publicity. Business interruption insurance also may apply to managed care contracts.
3.8.15 Workers' Compensation

Workers' compensation provides virtually unlimited medical benefits to victims of workplace
accidents or illnesses. It also replaces a portion of the employee's lost wages, known as time loss.
Workers' compensation pays whatever benefits are prescribed by the applicable state statute (Part A
Coverage). Employers' liability protects employers from suits brought by injured employees to recover
money damages separate and distinct from claims for workers' compensation benefits (Part B). Each
state's division of workers' compensation governs workers' compensation. There are a number of what
are referred to as monopolistic states (i.e., West Virginia, Puerto Rico, Washington, and Ohio) which
require coverage to be purchased from a state managed fund but allow in some cases for employers to
self-insure.


3.9 Self Insurance

Self insurance is a risk management technique in which a calculated amount of money is set aside
to compensate for a potential future loss. If self insurance is approached seriously, money is set aside
using actuarial information and the law of large numbers so that the monies set aside (similar to an
insurance premium) are enough to cover the future uncertain loss. It is the funding of potential losses
that distinguishes being self insured from being uninsured.
Self insurance is possible for any risk that is predictable and measurable enough in the aggregate
to be able to estimate the amount that needs to be set aside to pay for future uncertain losses. For a risk
to be insurable, it must represent a future, uncertain event over which the insured has no control. In
addition, it must be possible to rate or price the risk. If the insurable event is one in a large number
of similar risks, the aggregate risk can be estimated according to the law of large numbers and the
probability of that event occurring in the future so that it can be quantified. Normally, catastrophic
risks such as earthquakes are not self insured as they are highly unpredictable and high in loss-value.
However, if the commercial market does not provide appropriate coverage at reasonable cost, it is not
uncommon for an organization to self insure a part of the risk.
The concept of self insurance is that by retaining certain risks and paying the resulting claims or
losses from designated funds, the overall process is cheaper than buying commercial insurance.
3.9.1 Underlying Principles

There are a number of principles underlying the concept of self insurance:


1. Do not risk a lot to save a little.
2. Self insure the predictable layer of loss. Risk transfer the unpredictable or catastrophic layers
of loss.
3. Understand the institution's risk-taking philosophy or risk appetite. Define clearly the risks
the institution is willing to take vs. what it can afford to take.
4. Have sound and effective risk management systems in place:
a. risk identification, reporting, and communications (RMIS);
b. loss control;
c. claim handling and defense;
d. physicians vested in the process; and
e. control over most or all program elements.
5. Ensure the support of senior management and ensure the board of directors will be involved
and committed.
6. Make a long-term commitment and keep a long-term perspective.
7. Adopt prudent and conservative funding.
8. Remember that self insurance is not the cure-all for poor loss experience.

3.9.2 Methods of Implementation

There are several methods of implementing self insurance programs:


1. Large deductibles or self insured retentions (see previous discussion).
2. Retrospectively rated programs. The premium is determined or finalized based on losses
incurred during the policy year or term. Minimum and maximum premiums may apply and
there may be collateral requirements.
3. Quota share arrangements. These programs require that the insured share in a predetermined
portion of the loss with the insurer over a primary layer of coverage.
4. Trusts (see previous discussion).
5. Captive insurance companies are closely held insurance companies whose insurance business
is primarily supplied and controlled by its owners and in which the original insureds are the
principal beneficiaries. Captives can be organized as follows:
a. Ownership: single owner, multiple owners (association, industrial insured, mutual, and/or
risk retention group), stock/mutual (assessable or non-assessable).
b. Domicile: onshore (in the United States) or offshore (not in the United States).
c. Structure: direct or reinsurance, mono-line (e.g., professional and general liability
insurance only), fronted (by a commercial carrier) or multi-line, primary, excess, and
reinsurance.
d. Type of business: only the insureds' risks, or also including third parties; also what lines
of coverage will be included.
3.10 Captives vs. Trusts

Generally, a captive program needs to be considered as an alternative to a trust because a trust
fund is a less flexible vehicle for accommodating risk management and financing needs for the future.
Whenever an organization is considering self-insurance, there are a number of preliminary steps that
need to be taken: first, an organization has to understand its risk bearing capacity, which will involve a
formalized review of the institution's financial statements and an understanding of the organization's
appetite for risk and then have an actuarial study done of its losses. In addition, the organization needs
to identify and compare various program costs and develop an internal allocation methodology. In
addition to this quantitative analysis, a qualitative analysis should be done. This involves a comparison
of coverage terms and conditions, the flexibility to accommodate profit vs. not-for-profit entities, third
party business, multiple lines of coverage/integrated programs, future programs, the level of control
over claims and defense and settlement, and the internal resources to manage the program, specifically
the sophistication of the risk management program. Exhibits 1 and 2 compare some key issues including costs.
Finally, other program cost components and considerations include the following: the financial
security requirements (letter of credit or capitalization); cost of handling claims and risk management/
loss control programs; cost of risk management information systems; policy administration costs; the
cost of consultants: actuarial, legal, brokerage, program management, and investment advisors; taxes:
state, federal income tax, domicile, excise; Medicare reimbursement guidelines; internal management
time; travel and meetings; and finally education. Tax issues will depend on the for-profit or tax-exempt
status of the owner and the domicile selection and include deductibility of premium, controlled foreign
corporation status, passive foreign investment company status, withholding tax issues, federal excise
tax, state premium taxes, engaging in a U.S. trade or business for federal income tax purposes, and
branch profits taxes.
3.11 Commentary

An organization that has adopted an enterprise risk management focus must first identify
its loss exposures and then treat such exposures through control, finance, and/or transfer.
Using an exposure analysis tool allows a thorough review of possible exposures. Healthcare
entities face very few risks that risk management (risk finance, loss prevention, and claims
management) cannot control. Thorough risk analysis is necessary: understanding plant and
equipment, operations, human resources, and business relationships is critical.
Healthcare lawyers need to understand the risk tolerance of an organization. It is this, sometimes intangible, aspect of an organization that will determine in large part how risk is treated.
An organization that has a well-informed governance structure, solid senior management,
and skilled risk management expertise (whether internal or external) will be far more likely to
use alternative risk financing mechanisms than an organization that is lacking in one or more
of these critical components.
Insurance agents, brokers, consultants, actuaries, investment managers, captive managers, and others can provide a needed measure of external expertise. However, the selection
process is critical. It is important to obtain background information on the experience and
expertise of such external resources, compare and contrast their strengths and weaknesses,
and obtain references.
Since significant healthcare exposures such as medical professional liability are more likely
subject to claims-made coverage, it is critical to understand retroactive dates and the nuances
of tail coverage under an extended reporting endorsement. It is also important to understand
the limits of coverage and how deductibles and/or retentions serve to increase or decrease
limits. Likewise, whether defense costs are inside or outside the limit can have a significant
impact on the dollars available to pay claims and premium costs.
The interpretation of an insurance policy is dependent upon careful reading and understanding of its essential parts: the declarations, the insuring agreement, the exclusions, the
conditions, the definitions, and the endorsements, and how they interact. Of particular significance are the definitions of the insured or named insured, additional insured, and additional
named insured.
There is a commercial insurance policy for almost every exposure. Captive insurance companies, whether single-owner or group-owned, issue policies of coverage similar to commercial
policies. Understanding the scope of coverage as well as the significant exclusions can aid
in evaluating an organization's risk financing program. Likewise, if a self-insurance trust is
used, the trust document contains important coverage information.

While an organization's focus is generally on claims filed by third parties, understanding
coverage issues can prevent the unfortunate situation of a healthcare organization filing a
claim against its own.
Using various tools such as a schedule of insurance and an annual report on the Best's Rating of the healthcare organization's commercial carriers, as well as quarterly claims reports
will enable the healthcare attorney to monitor to some extent the effectiveness of the risk-financing program.
3.12 Conclusion

When all is said and done, from an enterprise risk management perspective, it is most important
to evaluate the effectiveness of the risk-financing program selected. This can be done internally or
externally. That is, an organization can establish its own benchmarks and track them over time, i.e.,
losses per occupied bed or admissions or losses per $100 of payroll. Alternatively, an organization
can use external cost of risk surveys, specific studies, or research papers. Whatever measure is used,
the point is that evaluation is a necessary component of a comprehensive enterprise risk management
program's risk-financing component.





Exhibit 1

Captives vs. Trusts: Comparison of Key Issues

| Issue | Captives | Trusts |
|---|---|---|
| Structure and Reporting Requirements | Separate corporate entity. Comply with reporting requirements of IRS, domicile regulations, etc. | Simply a funding mechanism operated by a Trustee. Minimal reporting, if any |
| Third Party Business | Can accommodate directly or through a fronting arrangement | Typically cannot accommodate this business, as it would be subject to state insurance regulations |
| Lines of Coverage | Can accommodate most lines | Very limited as subject to state regulations |
| For-Profit Subsidiaries | Can accommodate | Inclusion could jeopardize tax-exempt status |
| Reinsurance Markets | Greater flexibility to access | Cannot access directly |
| Investments | Less restrictive | More restrictive |
| Repatriation of Funds to Parent | Yes, through dividends or loans | More difficult |
| Risk Management Program | Perceived as formalized and highly structured | Perceived as formalized and structured, but to a lesser degree |
| Flexibility to Accommodate Changing Health Care Environment | Yes | Limited |
| Use of Surplus | Greater flexibility to use for other lines | Less flexible |
| Ease of Development and Implementation | Complex. Requires the services of professionals such as actuaries, accountants, attorneys, insurance and risk management professionals, etc. | Less complex and considered easy to develop, implement, and manage |



Exhibit 2

Captives vs. Trusts: Cost Comparison

Issue: Capitalization
Captives: Required.
Trusts: Typically not required.

Issue: Mandatory Surplus Requirements
Captives: Yes.
Trusts: Generally none.

Issue: Start-up Costs
Captives: Yes.
Trusts: Yes.

Issue: Captive Management/Trustee Fees
Captives: Yes.
Trusts: Yes.

Issue: Domicile Fees and Taxes
Captives: Yes.
Trusts: None.

Issue: Federal Income Taxes
Captives: Yes, but can be exempt for not-for-profits.
Trusts: Typically none.

Issue: Excise Taxes
Captives: Yes, but can be exempt.
Trusts: None.

Issue: Letter of Credit
Captives: Tied to capitalization and/or required for fronting arrangements.
Trusts: None.

Issue: Travel and Domicile
Captives: Yes.
Trusts: Generally not applicable.

Issue: Legal Fees
Captives: Yes.
Trusts: Yes.

Issue: Actuarial and Audits
Captives: Yes.
Trusts: Yes.

4
Claims Management: A Tool for Enterprise Risk Management
Mary S. Schaefer, RN, M.Ed, ARM, JD
Corporate Director of Risk Management, Covenant Health Systems, Inc.

4.1 Introduction

Most health lawyers are familiar with the basics of claims management but may not understand how a cutting-edge claims management program can support an organization's movement to enterprise risk management. Each element of effective claims management protects a healthcare organization's reputation and financial assets. Further, while the majority of claims impacting a healthcare organization arise from medical professional and general liability, the claim management program described below is applicable to all disputes arising from the enterprise's activities.

4.1.1 Elements of an Effective Claims Management Program

- identifying and reporting potentially compensable events;
- conducting timely investigations of those events;
- providing an effective administrative process to monitor the life-span of a case;
- selecting effective counsel who can support the organization's strategy;
- selecting credible experts;
- establishing sound reserving policies;
- providing a principled system that resolves disputes fairly;
- managing the complexities of pre-trial preparation and discovery; and
- defending appropriate cases in court.

4.2 Implementing a System to Identify and Report Disputes

A robust mechanism to report and review all potential disputes or events is a key component of any ERM program. One subset of these events is potentially compensable events: events involving a serious patient injury that may generate a claim for monetary damages. Other reportable events may include those that don't cause serious injury, but which carry significant reputation or regulatory significance, such as discharging an infant for a short time to the wrong family. Timely reporting of these events is critical to all claim management programs, as it permits thorough investigation before the event has public or legal consequences. The investigation supports the eventual defense of the claim[1] but also allows the organization to control communication about the event and supports timely process improvements to prevent similar events. Staff cooperation in reporting requires not only a good working relationship between the manager who will handle the issue (often the risk manager) and the hospital staff but also a wide-spread institutional culture that promotes reporting as an important component of process improvement and loss control.

4.2.1 Reporting Adverse Events

Most risk management programs have reporting mechanisms in place, including computerized event reporting, which allow the institutional risk manager to review and evaluate all patient-care related events reported by staff. Larger health systems may also employ a corporate director of risk management who is responsible for overseeing the entire risk management program. In that case, the hospital risk manager will also submit a notice of significant events to the corporate office. Organizations should also determine who can receive reports of other claims or disputes, such as a medical staff or contracting issue, and manage those. Leaving dispute management to individual departments can create risk due to their failure to manage the conflict effectively.
Criteria for reporting events should be clear and disseminated to all healthcare providers and staff. In developing the criteria, the institution should consider all relevant outside reporting programs, such as those based on the National Quality Forum's Serious Reportable Events ("Never Events").[2] Other red-flag warnings of an impending claim should be included in the reporting system:
1. Any threats of legal action by a patient or family member and any request for medical records
by an attorney.
2. Quality Improvement data collected within an organization from generic screening criteria
and other medical staff sources.
3. Complaints to the billing office about medical care.
4. Complaints voiced to volunteer services or patient advocates.
5. Escalating tension in physician relationships.
6. Product failures.

[1] For brevity's sake, this chapter will refer to claims but may also encompass the management of adverse publicity or regulatory concerns. Many of the suggestions could also apply to conflicts in which the healthcare organization is the aggrieved party, such as contract disputes or construction cases.
[2] National Quality Forum, Serious Reportable Events in Healthcare 2006 Update, A Consensus Report, 2007.

4.2.2 Protection of Peer Review Documents from Disclosure

Peer review and quality improvement programs can identify reportable events and reduce many risks for healthcare organizations, but they also generate data and documents that plaintiffs, the press or regulators can use to the detriment of the entity. Because peer review and quality improvement protection of documents varies by state, incident or adverse event reports need to be maintained according to the governing state protective statutes. Some statutes extend protection to information and records produced by risk management and quality assurance programs, including incident reports, if the document exists primarily to improve the quality of care.[3] Healthcare organizations need to develop strict policies and procedures that reflect the constraints of the applicable peer review statutes as interpreted by relevant courts. The following steps may help to maximize full protection from legal discovery:
- Stamp quality improvement documents (those generated to improve quality of care) as "confidential and prepared at the request of peer review or quality assurance committee."
- Develop clear protocols governing access to peer review material and use it only for peer review.
- Include on the documents the healthcare entity's by-law provision that recognizes confidentiality of peer review activities and prohibits unauthorized disclosure of peer review information.
Some courts have held that incident reports are discoverable if there is a showing of need and undue hardship by an opposing party requesting the document.[4] In addition, some state peer review statutes only protect documents generated by a peer review committee and not the reports submitted independently to the committee.[5]
Institutions applying an enterprise risk approach will evaluate the risks of disclosure against all the potential benefits of strong peer review and process improvement programs. Also, disclosure may bring the most benefit to the organization, as when hospitals publicly disclose significant errors. However, in those situations the organization must protect the confidentiality of patients and other providers.

[3] Lucinda Glinn, Navigating Provider Protections for Quality of Care Reports - From Peer Review Statutes to Common Law Privileges, Hospitals and Health Systems Practice Group 9, AHLA, Spring 2007, at 16.
[4] Mary Frances Grabowski and Paul Sanders, Shielding Documents From Prying Eyes, at 45, AHLA, Long Term Care and The Law, February 23, 2005, Coronado, CA.
[5] Id.

4.2.3 Documentation Surrounding an Adverse Event

Whenever a significant risk event occurs, documentation is critical. It often forms the centerpiece for litigation and for dealing with regulatory concerns. The organization must educate all staff to record only objective and factual accounts as soon as possible after the event. Documentation prepared outside of the time immediately after events take place may appear self-serving and may actually compromise the healthcare organization. Reports should include only pertinent facts about the event. Staff should reserve opinions about events or actions for protected conversations and records, such as an attorney investigation or quality assurance meeting. For example, a nurse who records in an incident report or in the medical record that the patient fell because of a delay in answering a call light could harm the defense of the resulting claim. Her conclusion about the cause is an opinion that may not reflect what actually occurred; a quality follow-up investigation might reveal, for example, that the patient contributed to his own fall by refusing to use the call light as instructed.
Business records such as medical records should never refer to a confidential investigation or document. Such references disclose the existence of confidential information, and they arguably incorporate the confidential documents into the non-confidential source, making them discoverable. For example, a medical record entry that refers to an incident report (e.g., "patient condition assessed with results per incident report") could potentially result in a finding that the report had thus become part of the medical record, which is discoverable. Relevant factual information in the confidential material (for example, physical assessments or reviews of physical conditions) should be reproduced in the discoverable documents, such as the medical record, so there is no need for cross-reference.

4.2.4 Medical Device Issues

Medical device injuries can be caused by simple devices such as defective syringes or heating pads as well as by complex equipment, including pacemakers, surgical tools, or kidney dialysis machines. Recently, medical devices have also generated interest due to potential fraud in efforts to market them. Other risk issues surround recalls by the manufacturer.
Whenever an equipment or device-related injury occurs (including property or financial losses, for example, if an autoclave explodes), the item, its packaging, and all related disposables should be preserved for safekeeping. The equipment should not be returned to the manufacturer. The unaltered equipment must be independently evaluated with guidance by counsel. If the manufacturer insists on inspecting the equipment, counsel should be involved in designing that process, and the device should not leave the custody of the healthcare organization. If a device causes death or serious injury, the federal Safe Medical Devices Act of 1990[6] requires that hospitals and nursing homes file reports with the Food and Drug Administration and/or the device manufacturer, if known.

4.2.5 General Liability Events

A general liability incident involves accidents, injuries, property loss, or damage that occur on an entity's property or as a result of the general negligence of its agents or employees elsewhere. Examples include visitor falls, theft of patient personal property, or property damage to third parties. One must carefully distinguish general liability events from professional liability, as the legal consequences often differ. Tort reform provisions or a different statute of limitations might apply to a general liability claim, and a different insurance program may cover it. Sometimes they can be hard to distinguish when an injury occurs in a healthcare setting. For example, a fall in a patient room is generally considered a professional liability event if the patient falls, but general liability if a visitor is injured. Automobile claims, in which an employee causes an accident, are a subset of general liability that often has a third set of insurance considerations.[7]
Like any injury, general liability situations require prompt and thorough investigation, including a physical inspection of the area and interviews of the victim and any witnesses. Staff completing an incident report should be instructed to include information on whether warning signs were posted (e.g., if the floor was wet or waxed prior to a fall). Photographs should be taken, if relevant, before any repairs are completed. Obtain the names, addresses, and phone numbers of any witnesses.

[6] PL 101-629, Safe Medical Devices Act of 1990. Some events, primarily those causing death, must be reported to the FDA; others only to the manufacturer.
[7] Chapter 3 contains a more detailed discussion of insurance issues.

4.2.6 Directors and Officers Liability

Directors and officers exercise governance functions within a healthcare entity, including oversight of institutional policies, implementation of entity strategies, and obedience to the organization's mission. In that role, directors and officers (and sometimes the healthcare entity itself) may be liable for violations of law or injuries arising from employment decisions, medical staff credentialing and privileging processes, and corporate financial transactions. Relevant statutes and regulations include anti-discrimination laws, the Stark laws, anti-kickback laws, the False Claims Act, and other antitrust provisions.[8] Strong risk management programs in those substantive areas will reduce the risk of claims against the directors and officers. Other departments such as Internal Audit and Human Resources may also be involved in those loss prevention efforts.

[8] The American Health Lawyers Association has a number of resources available for further study of the substantive law and loss prevention in these areas. Several of the chapters in this Handbook also address these issues in more detail.

4.3 Timely Investigations of Potentially Compensable Events and Claims

Whatever the basis for a dispute (general liability, professional medical liability, employment practices, antitrust, contract), a claim should be handled as a claim. Claim investigations should not be confused with a hospital's internal quality or compliance review, but should be conducted separately. Early event investigations are critical to claims management in order to capture the statements of all important witnesses and to identify and protect relevant documents. As memories fade with time, salient details about an event or claim can be lost, and this can affect the future defense of a case. The earlier an investigation is launched into a potential claim, the less likely key evidence such as x-rays, medical equipment, medical records, or business documents will get lost or thrown away. An early investigation also allows the healthcare organization to understand any underlying contractual or process problems that led to the claim or dispute and to address those issues at the earliest possible time.
Employees who are involved in an adverse event or claim should be advised not to discuss any details of the case with colleagues or other treating clinicians. Such casual conversations could be subject to discovery or used as evidence. Discussions about an event or claim should only take place within the institutional peer review process or with assigned claim staff and defense counsel. Business disputes, including medical staff issues, also deserve extreme caution regarding communication and documentation processes.
Cooperation of the organization's employees with the assigned claim representative, defense counsel or other designated agent, and assistance in the internal investigation of the adverse incidents is critical. The risk manager or involved department manager can help to identify all involved personnel. The event file should include the current name, address, and telephone number of each person with information or who is likely to be drawn into the matter by other parties. It is also useful to include their department or work location, and to note whether the individual is full-time, part-time, or contractual. All documentation regarding the investigation of a potential lawsuit is confidential and privileged if handled by appropriate personnel under state law.
Individual interviews give each person a chance to share his or her own knowledge of the event, avoiding any "group think" that comes from having several interviews take place together. Often, employees are nervous about meeting with claim representatives or lawyers, and it can be helpful to have a designated individual, often the risk manager, present to reassure them.

4.4 Tracking Claims, Events, and Disputes

Potential suits can first present through early reports of an event or a disagreement, or they may
first present as lawsuits. Since the lifespan of a case can extend over a period of three to four years,
healthcare institutions need an effective way to track and monitor all investigative reports, claim reports
from defense counsel, expert opinions, pleadings, and discovery in all open cases. Most claim professionals use a diary system to review recent developments and to track scheduled depositions, panel
hearings, and trial dates. Software systems can be very valuable in monitoring a number of cases.

4.4.1 Events or Disputes Without Claim Activity (Potentially Compensable Events)

A complete investigation should precede closing the file for any reported event, particularly if
the matter involves serious injury or presents the potential for significant loss or business disruption.
Without statements from all identified key witnesses and sequestration of key documents, it will be
much more difficult to defend the case later should the matter evolve into a claim or suit.

4.4.2 Claims and Suits

Matters that first arise as a claim or suit also require an immediate investigation but should also
trigger prompt consideration of the best way to manage the conflict. If prompt settlement seems wise,
then departments or entities that will suffer financial impact must contribute to the development of a
strategy, as the settlement will affect their budget, and their staff will likely have to support the ongoing lawsuit if one occurs. If prompt resolution seems unwise or unlikely, then the organization will
need to begin preparations for a lawsuit.

4.4.3 Lawsuit

Lawsuits generally bring long, expensive, and painful experiences for all involved. The risks from a suit extend beyond the courtroom, and managing those risks requires activity well beyond counsel's office or the courtroom.
1. Guidance to Individuals Named in a Lawsuit: A lawsuit is a frightening and stressful experience for most people. An effective claims management program needs to provide handholding
and guidance for the hospital employees or physicians named as defendants in a lawsuit. The
claims professional and defense counsel should offer the following constructive guidance
during the initial process:
a. Early cooperation with the assigned legal team is essential. Named parties should be instructed to seek or take advice from assigned defense counsel. The full legal team will be comprised of the assigned claim professional or in-house manager, risk manager, and experienced counsel. The team will work proactively in managing all aspects of the lawsuit, including investigations, obtaining experts, and preparing the written interrogatories and depositions.
b. It is usually helpful to have a designated person within the organization who facilitates
contacts for outside counsel. Often this will be the risk manager or an in-house attorney.
This individual can help to assure thorough, consistent responses to discovery and can
dramatically reduce legal fees by doing initial legwork for outside counsel.
c. A physician defendant may be asked by defense counsel to gather all pertinent medical
records and discuss with counsel perceived weaknesses in the record or to highlight portions of the record that would support a defense.
d. Named defendants (and, ideally, key witnesses) should not discuss the case with coworkers, friends, or colleagues. Under no circumstances should a defendant commence
an independent investigation. Communications with assigned counsel are protected
under the attorney-client privilege, but there is no legal protection for information shared
with third parties.
e. Once counsel represents the opposing party, representatives of the healthcare organization should not contact the other party directly to discuss an event. While face-to-face
communication can still take place, contact should occur through the attorney.
f. Parties should have no written or oral communication with opposing counsel. Only assigned counsel or the assigned claim representative should be involved with communications with the other party's attorney. In patient-injury situations, healthcare providers often arrange for disclosure or early resolution discussions. Generally, the same rules apply for those discussions, though it is appropriate for the attorneys to let the parties talk to each other where feasible in these meetings.
g. Defendants must safeguard relevant documents and records to minimize the potential for
loss, destruction, or alteration of those records. Alteration of key records can make a case
indefensible. Anyone who falsifies a document or record will lose all credibility in front
of a jury. Alterations can be detected with ultraviolet light and high-resolution scanners.
h. Organizations should resist the temptation to give their side of the story to the media.
Only a trained, designated spokesperson should ever speak with the news media. Most
organizations have media policies that comply with the Health Insurance Portability
and Accountability Act (HIPAA) privacy regulations and state privacy laws. A trained
spokesperson can respond effectively to a range of different scenarios. The organization
and counsel should carefully consider the benefit of being the first to disclose harmful
information, which may allow them to control how it is presented.

4.4.4 Medical Professional Liability Screening Panels

Some states mandate hearings by medical professional liability panels or tribunals to screen out cases lacking in merit. Panel rules and structure vary by state, as do the results of an adverse finding by the panel. Usually, these panels will weigh the credibility of evidence against the defendant healthcare provider. In some state panels, only a unanimous finding is subsequently admissible at trial. The organization's claim process should account for any special requirements that arise from the existence of such a process in the relevant state.

4.5 Selection of Defense Counsel

Because insurance models have changed dramatically over the past several years, defense counsel must be able to adapt to the needs of very different clients. Litigation philosophies can vary significantly among healthcare systems and even among traditional professional liability insurance carriers. Some healthcare organizations settle disputes more frequently and forego the expense of costly discovery and trial. Others take a more aggressive stance, preferring to take the majority of their cases to trial. A "one-size-fits-all" mentality no longer applies to the needs of today's healthcare clients. It behooves defense counsel, then, to understand the underlying values and beliefs of the healthcare organizations they represent. And healthcare organizations need to select counsel with appropriate aptitudes to support their preferences.
Professional liability carriers and healthcare systems have a pre-approved panel of defense counsel who are available to defend their insured physicians, hospitals, and employees. Generally, only
experienced attorneys who have built a solid track record as successful trial advocates are included in
these panels. Healthcare systems that include acute care and long-term care services need a cadre of
attorneys with expertise in both of these arenas. Defense counsel should work closely with the claims
professional, the hospital risk manager, and corporate risk management, if any, in managing the case.
Desirable criteria when selecting defense counsel include:
1. Attorneys who will try cases must be skillful and adept players in the courtroom.
2. In some cases, it might make more financial sense to recommend settlement when a case turns, for example after the disappointing deposition of a named defendant.[9] The ideal defense counsel will identify cases that either bear undue risk or present good opportunities for settlement early in the life of the case.[10] Early resolution of cases not only saves the client defense costs, but appropriate settlement recommendations instill trust and confidence in the attorney.
3. As disclosure of unanticipated outcomes and early resolution become more widely accepted on both sides of professional liability cases, healthcare organizations might consider assigning some cases to attorneys who focus their practice on early resolution. Sometimes the personality and skill set required for non-litigated resolutions differ from the "gladiator" approach that can serve trial counsel so well. An interesting conceptual model that reflects this approach can be found in collaborative law. Most often practiced in family law settings, this form of divided representation can also benefit clients in some personal injury situations.[11] Generally, the parties agree to each engage a collaborative attorney, whose only goal is settlement of the case. If the parties cannot settle, then different attorneys represent them for trial.
4. Counsel should adhere to litigation guidelines established by the healthcare organization and/or its insurer. Most claim management programs strictly monitor and enforce these guidelines, which cover reporting procedures, litigation strategy, and billing procedures. They generally require initial evaluation reports and subsequent periodic claim status updates until the matter is closed. Timely reports are critical to the claims-monitoring process because they evaluate strengths, weaknesses, liability and damages at every stage of the case. Insurance carriers and clients do not like to be blind-sided by unexpected news, especially that a winnable case now, for example, has newfound weaknesses or that a case's value has tripled just before the trial date.[12]
5. The litigation team consists of defense counsel, claim professional, and the hospital risk manager or other internal support person. Each of these parties has a distinct role but all share a mutual goal of reaching the best possible outcome for the case.

[9] Id.
[10] Id.
[11] See www.collaborativelaw.com and www.twotracklawyers.com.

4.6 Obtaining Experts

Medical professional liability claims, construction claims, antitrust claims, and many other disputes require support from experts. They can lend technical support to counsel during the case, as well. The experts must have access to all relevant information. Following the expert review, the claim management team should meet with the expert to discuss the expert's opinion and to assess whether the expert would be a good candidate to testify at trial. Expert witnesses must be able to articulate medical and technical concepts and standards clearly. They are often crucial to a determination about whether or not to attempt early resolution of a dispute and, for that reason, all decision makers should be involved in assessing the expert's qualifications and input.
Because the outcome of a jury trial depends as much on the expert's ability to connect with the jury as it does on the actual facts, effective reserving will always consider the parties' strength in this area. Though often expensive, strong experts have an incredible impact on the ultimate value of a case.

4.7 Establishing Sound Reserving Policies

A claim reserve is an estimate of how much a dispute will cost and represents money that is set aside for the eventual possible payment of a claim and defense costs.[13] If the healthcare organization is the claimant, it must also account financially for the potential costs and recovery related to a case. A sound reserving policy is critical to an effective claims management program. A claim management program may establish reserves at any stage where an event seems likely to generate expenses or loss.

[12] Robert Blasio, The Seven Best Practices of Highly Effective Medical Liability Defense Attorneys, www.westernlitigation.com/Litigation_Spotlight_6_06.asp.
[13] Chapter 3 contains further discussion of risk financing alternatives which will affect the manner in which the reserves impact the financial status of the organization.

Both under-reserving and over-reserving can have a deleterious effect on the financial well being
of an organization. Under-reserving of claims, in which a companys potential liabilities are understated, can potentially contribute to a companys insolvency if other financial sources must be tapped
in order to pay for its claim obligations.14 On the other hand, over-reserving places too high a value on
claims and understates a companys financial strength. Overstating reserves affects financial reporting
and could invite tax audits resulting in penalties.15 Over-reserving can also tie up capital unnecessarily,
reducing the organizations ability to put its assets where they can have the most benefit.
Setting reserves for individual claims involves the application of subjective criteria based on the
potential loss exposures value and probability.16 This task is usually assigned to the claims committee
or claims manager.
Reserves are also reviewed more globally by statistical or actuarial analysis, usually in order to
establish a funding level for captives or trust funds or to support proper financial accounting for other
potential losses. An actuarial analysis will also take into account claims that have been incurred (the
event has happened) but are not yet reported, referred to as IBNR exposures. Examples of IBNR
claims include cases in which the injury or loss may not yet be evident or any claim the potential
defendant does not know about. Experts calculate IBNR by looking at an organization's past experience and industry losses for similar organizations and then projecting likely claim frequency and
severity for past events. Since the IBNR figure represents future loss payments, loss reserves are set
aside for these claims.17 Actuaries also calculate the expected losses for future periods to determine
proper premiums or funding levels going forward.
4.7.1 Criteria Used to Establish Reserves

Criteria for setting reserves for future substantive loss payments (settlements or jury awards) and
estimated claim expenses for any dispute may include:
• type and severity of injury or loss;
• expert opinions;
• presence or absence of co-defendants and the amount of available insurance for all potential defendants;
• all parties' attorneys' skill and experience;
• venue or jurisdiction;
• usual philosophy and behavior of the judge;
• specific statutes such as strict liability, caps on damages or multiple damage awards;
• the parties' actual economic losses; and
• the parties' appearance, credibility and presentation.
14 Robert Prahl, Setting Realistic Reserves-Projecting the Company's Future Obligations, http://www.aaisonline.com/articles/RealisticResv.html.
15 Id.
16 Id.
17 Id.

Claim managers should review and amend reserves periodically, especially if something changes
in the factors driving potential claim outcomes. Realistic reserves will reflect the ultimate exposure for
loss and expenses as soon as those can be established and as the case evolves thereafter.
4.7.2 Reporting to Excess and Umbrella Insurance Carriers

Most organizations purchase excess and/or umbrella insurance policies to provide coverage in
high severity cases where the amount of loss exceeds the primary layer of insurance. These policies
also protect against a high aggregate total of losses. Excess coverage enables the insured to limit its
loss exposure over particular self-insured or primary insurance programs; umbrella coverage typically
provides coverage over a wider range of underlying programs. Both provide stability to an organization's financial position by protecting against volatility in losses.18
The insured has an obligation under the notice provisions of these policies to provide timely
notification of potential claims, asserted claims, and suits filed. To avoid a denial by the carrier, the
organization or claim manager must make sure the program satisfies all of its carriers' reporting requirements. Generally, excess and umbrella carriers require timely notice of only high exposure events and
claims that could potentially reach the excess layer. In the professional liability context, this would
include serious obstetrical injuries, unexpected deaths, and severe neurological injuries. Coverage
triggered by aggregate losses may also require reporting on the total reserves and losses on all claims.
It is also important to apprise the excess carrier of all significant claim developments; some excess
carriers require defense counsel to copy them on all important correspondence and reports. The excess
carrier may conduct an onsite audit of the insured's processes to confirm that they generate adequate
investigations or proper reserves. In addition, the excess carrier may review the insured's loss control
plan and its ability to mitigate future losses.
4.8 Fair Resolution of Claims and Suits

Settlement of a claim or lawsuit is contingent on several factors. First, the decision should rest
on the principle of fairness to all parties. Disputes identified for settlement should always be resolved
as quickly as possible. The organization needs to balance the potential savings generated by a quick
settlement against the potential public impression that it fears publicity or litigation, a perception
that will encourage more claims. A strong program will consistently strive for fair settlements where
appropriate but avoid overpaying or last minute settlements, which can suggest a fear of litigation.
When insurers, either captive or commercial, refuse to settle cases in the face of a reasonable
demand, they risk liability for bad faith refusal to pay. Under many state statutes, a bad faith finding
will allow punitive damages or a statutory multiple of actual damages.

18 See Chapter 3 for further discussion of commercial risk financing opportunities for high-level exposure.

4.8.1 Alternative Dispute Resolution (ADR)

Once a party decides to settle a dispute, settlement may require only a simple negotiation process
between the parties and their counsel. But some cases may require the assistance of alternative dispute
resolution (ADR) processes. ADR has growing support as an alternative to jury trials for resolving
healthcare-oriented disputes. There are major benefits to both sides in using ADR. The proceedings are
private and confidential, ADR can reduce legal costs, and cases are often resolved more quickly. The
absence of a jury can also reduce the potential volatility of outcomes.
The most common forms of ADR include mediation and arbitration. Both utilize a neutral third
party, often retired judges and attorneys who receive special training. Any party to the dispute may
initiate an ADR process.
1. Mediation: In mediation, one or more selected neutrals will facilitate a negotiated settlement. Mediation allows the parties to disclose facts and discuss the case in a confidential and
safe environment. Often, mediation offers their first chance to discuss issues face-to-face.
Mediation does not result in a finding; if the parties are unable to agree on a resolution, the
claim or suit will continue.
2. Arbitration: Arbitration is an adjudication in which the parties select a trained individual
to decide their case in a private process.19 Arbitration works well in complex cases or where
the inflammatory nature of the case argues against a public trial. The parties in dispute voluntarily enter into a written contract to arbitrate. Although less formal than a trial, it results
in an enforceable final decision and is usually not subject to an appeal on the merits, only
for a failure of the arbitrator to follow the selected procedures. Parties to any agreement can
voluntarily require that resulting disputes will be resolved through arbitration. Benefits of this
approach include reduced legal costs, a speedier resolution to disputes, avoiding run-away
jury awards, and preserving the parties' reputations by maintaining confidentiality.
Some healthcare providers and insurers encourage or require patients and clients to sign binding
arbitration clauses. This can raise a number of legal issues in different settings, especially if the facts
raise doubts about the voluntary nature of both parties' agreement to arbitrate.20
4.8.2 Special Considerations Regarding Settlements and Indemnity Payments

1. Early Offers of Settlement: The early investigation and assessment of any dispute may lead
to consideration of prompt, early resolution. In professional liability situations, early offers
and settlements help manage defense costs but also provide resources to allow the injured
party to manage expenses, especially for serious injuries. The parties also benefit by avoiding adverse publicity. Evaluations of early offer programs in professional liability settings
have demonstrated benefits to the patients, who receive compensation earlier.21 Though most
developed in professional liability setting, the early resolution process can offer the same
advantages in other contexts.

19 Id. at 7.
20 Many of the decisions regarding arbitration clauses arise in health insurance and long-term care agreements. The American Health Lawyers Association has a number of resources on both of those issues.
21 Joni Hersch et al., Evaluation of Early Offer Reform of Medical Malpractice Claims: Final Report, U.S. Department of Health and Human Services, June 2006.

2. Hold Harmless and Indemnity Clauses in Contracts: To minimize the inadvertent assumption of another party's liability risk, hold harmless and indemnity clauses should be included
in all contracts with vendors, contractors, and subcontractors. Though technically a contracting tool and not a claim management tool, these clauses can have a tremendous impact on
the claim management process. They offer the most protection to parties defending vicarious
liability claims, which assert liability only for the negligent acts of another. Generally, the
indemnified party can be reimbursed for all costs incurred as a result of the claim, including
costs of judgments, settlements, and legal fees.
3. Structured Settlements: Structured settlements offer benefits to both parties when they need
to create a predictable stream of payments; they offer a secure and often tax-free income
stream. Where the plaintiff may lack experience in managing large funds or where there
is any risk of mismanagement of settlement proceeds, structured settlements offer future
security.

Structured settlements involve the purchase of an annuity contract, bonds, or another secure
investment vehicle to provide periodic payments for the life of the subject (usually the
plaintiff) or for a designated period of time.22 If the parties use an annuity contract, then the
defendant buys a contract that pays benefits to the plaintiff or into a trust. If bonds or other
interest-bearing assets form the basis of the settlement, they are held in trust for the benefit of
the plaintiff. When a case involves a disputed life expectancy, as might occur with a severely
disabled child, the defendant can often purchase an annuity at a discount yet still provide
lifelong payments to provide for the plaintiff's needs.

4. Medicare and Medicaid Liens - The Government's Right to Recover: The Centers for
Medicare and Medicaid Services (CMS) added new reporting requirements under Section
111 of the Medicare, Medicaid, and SCHIP Extension Act of 2007. These reporting rules do
not eliminate any existing statutory provisions or regulations but are designed to ensure payment of all Medicare liens associated with medical payments in personal injury cases. CMS
now requires the reporting of any settlements, judgments, awards or other payments made to
or on behalf of a Medicare Beneficiary by liability insurers, including self-insurance, no fault,
and workers' compensation.

Under the Medicare Secondary Payer Act, the Centers for Medicare Services may recover an
amount equal to the Medicare payment for injuries involved in the claim.23 Medicare need not
notify parties of the potential lien.

22 Paul Scott, Economic Issues: Analysis and Cross-Exam About Economic Evaluation: Present Value of Future Payments, Structured Settlements, Periodic Payments, and Annuities, DRI Medical Liability and Healthcare Law Seminar, March 16, Phoenix, AZ, at 152.
23 42 CFR 411.24(c); see also Glenn E Bradford and Melinda M. Ward, The Medicare Super Lien Revisited, Vol 56 J. MO Bar No.1, 2000, accessed at http://www.mobar.org/journal/2000/janfeb/bradford.htm.

Individuals eligible for Medicaid assign their rights to third party payments to the state's
Medicaid agency.24 The U.S. Supreme Court has ruled that states cannot assert a lien that
exceeds the plaintiff's compensation for medical payments.25

5. National Practitioner Data Bank - Reporting Requirements: The Healthcare Quality
Improvement Act of 1986 created the National Practitioner Data Bank (NPDB). Among
other things, the Act requires insurers and self-insurers to report payment of any professional
liability claims on behalf of physicians, dentists and other licensed health care practitioners.26
The Act affects claim management in several ways. Also, the law only requires reports on
settlements following a written demand for payment. If the case settles before the claimant
ever submits a written demand, then the settlement payer need not report it. And, if the parties
enter a high-low settlement (an agreement that the plaintiff will receive at least a minimum
threshold amount but not more than a capped figure on the high end), the resulting payment
is not reportable if the jury returns a verdict in favor of the physician.
4.9 Pre-Trial Preparation and Discovery

Inadequate management of pre-trial discovery can generate its own risk for healthcare organizations. Incomplete or inaccurate information provided to litigation opponents often undermines the
most valid litigation strategies. The entity must provide appropriate resources for the review and production of information to the other side. By the same token, a party must diligently assess its own
position to avoid a very public and unnecessary embarrassment if its case goes badly. Several areas
deserve special discussion.
4.9.1 Electronic Data Discovery

New federal rules have highlighted this issue by stating clearly that all electronically stored information is subject to the same rules as other documents and things. Chapter 28 of this handbook
contains an in-depth discussion of the risk management issues created by the electronic storage of
data.
4.9.2 Mock Trials and Focus Groups

Focus groups and mock trials can provide valuable information for the evaluation of a case. In a
focus group, participants hear a modified case presentation. A consultant then guides a group discussion, designed to expose the group's response to designated aspects of the case. Though focus group
participants differ from actual juries, they can provide an opportunity for attorneys to test potential
themes for the case, to learn how best to prepare witnesses, and to obtain critical feedback on exhibits
or graphics designed for use in court.27 Online focus groups are less expensive and require less time
to achieve results.
24 Centers for Medicare and Medicaid Services, Third Party Liability, www.cms.hhs.gov/ThirdPartyLiability.
25 Arkansas Department of Health and Human Services, et al. v. Ahlborn, 126 S. Ct. 1752, 2006.
26 U.S. Department of Health and Human Services, Health Resources and Services Administration, National Practitioner Data Bank, http://bhpr.hrsa.gov/dqa/.
27 Linda Crawford, Focus Groups: What They Can Do for You and What They Cannot, DRI Medical Liability and Healthcare Law Seminar, March 16, Phoenix, AZ, at 43.

Mock trials follow a formal mini-trial format; they cost more and take more time. Mock trials provide the most value in cases with high severity or complex issues, as they allow attorneys to observe
the interaction and group dynamics of the jurors. New technology allows moment-to-moment feedback on particular portions of the presentation.
4.10 Taking the Case to Trial: Issues and Strategies

4.10.1 Communicating Effectively to a Jury

Jury consultants have observed that many jurors walk away from professional liability trials confused.28 Lengthy trials and complex testimony in any case (not just professional liability) can contribute
to a jury's lack of understanding. This confusion can affect the outcome of a trial. To counter this
problem, defense counsel should use visual aids such as charts, graphs, x-rays, and physical models
that help clarify the case.29 Recently, computer technology has created the chance to present stunning
visual aids to understanding. Though expensive, these aids can be very convincing and enable the jury
to understand the organization's point of view clearly.30
A party's communication style before a jury can have a critical impact on the outcome of a case.
Time and resources invested in preparing key witnesses will generate tremendous benefits.
Jurors' emotional response to a case often drives jury awards. Juries with a high level of sympathy
to the plaintiff and high anger for the defendant are more likely to award higher compensatory and
punitive damages.31 Often, large healthcare organizations find themselves litigating against injured
patients, terminated employees, physicians arguing that their career is ruined, or ancillary medical
providers who claim they were forced out of business. In any of those settings, counsel for either side
must acknowledge the potential importance of juror empathy and anger.
4.10.2 High-Low Agreements

A high-low agreement is a binding contract executed prior to trial by the insurer or self-insured
defendant and the plaintiff. It locks in upper and lower payment limits, which apply regardless of a
jury's eventual findings. These agreements can limit the defendant or insurer's exposure in cases with
potential for a high verdict or for a jury verdict that could exceed the insured's policy limits. Plaintiff
attorneys also gain by ensuring that their clients will obtain the low amount even if the jury finds for
the defense.

28 Linda S. Crawford, A Clear Look at Jury Confusion, Medical Malpractice Law and Strategy, October 1997, at 4.
29 Id.
30 Id.
31 Robert D. Minick and Dorothy K. Kagehiro, Anger Management in the Courtroom, 46, For the Defense, 13, 2004.

4.11 Commentary

From an enterprise risk management perspective, poor claim management practices and
decisions can have a damaging ripple effect across the entire healthcare organization. An
under-reserved high-severity case endangers the financial well being of an organization and
can adversely affect its future performance. The failure to settle disputes efficiently raises
defense costs. Inappropriate aversion to trials may lead to panic settlements, making the
organization a target for claims. The publicity surrounding any suit can severely affect a
healthcare organization's reputation, including loss of trust and standing within the community. Internally, the stress of unresolved conflicts and lawsuits can adversely affect the job
performance and productivity of employees and medical staff. The time and energy devoted
to litigation affects all levels of an organization, from those who find and copy records to
executives and clinical staff who give depositions and trial testimony.
Claims management models are changing as more healthcare entities choose to self-insure
and move away from traditional professional liability insurance companies. Insurance carriers
provide claims management, risk control, and underwriting in exchange for an annual premium. Although these services are valuable and comprehensive in scope, the carrier controls
claims services, limiting the healthcare entity's control and its ability to utilize a hands-on
approach to claims. Self-funded programs such as captives or other alternative risk financing
vehicles will often facilitate a proactive and creative approach to claims management while
possibly lowering insurance costs. A healthcare entity that manages its claims in-house or
through a claims administrator it employs will have more control over the day-to-day claim
operations and selection of defense counsel. Even the most straightforward insurance company does not share the exact needs and goals of the insured.
Reducing the cost of risk across the enterprise requires healthcare entities to place a heavy
emphasis on system-wide retrospection and reflection about disputes. How do all of the entity's operations contribute to generating the disputes, and how can the organization invest its
financial and human capital to reduce the risks highlighted by claims and suits? What wisdom
can past cases provide about the causes of disputes and missed opportunities to avoid them?
How can knowledge gained from lawsuits support ongoing patient safety efforts? The claim
portfolio can provide a rich supply of information on opportunities for improvement.
The claims system must remain flexible and adaptable to new methods and to changing community expectations, such as the current focus on error disclosure, especially as healthcare
entities move to a more patient-centered care model. Knowledge and understanding about
conflict management are evolving quickly as are the realities of healthcare generally - what
worked well yesterday will not work tomorrow.
4.12 Conclusion

A full assessment of enterprise risks must include consideration of risks resulting from ineffective
claim practices that can be costly to an organization. Methodologies to evaluate and maximize the
effectiveness of a claims program should include internal assessments and external independent audits
to support needed improvement. Routine self-audits should review the effectiveness of counsel and the
outcomes of claim assessment and decision-making processes. Routine outside audits should evaluate
the performance of contracted third party claim administrators or in-house claims management, as
well as the adequacy of claim reserves. Most important, the organization must examine its own role
in losses and not blame juries, plaintiff attorneys or other outside parties or processes for a failure to
improve its claim results.

5 Contracts - An ERM Approach
Peggy Nakamura, RN, MBA, DFASHRM, CPHRM
Assistant Vice President, Chief Risk Officer, and Associate Counsel, Adventist Health
5.1 Introduction

A comprehensive, well-defined, and multi-faceted contract review process is an integral part of
any enterprise risk management (ERM) program. While all attorneys have education in contract law,
in-house and outside counsel for healthcare organizations must operationalize this legal knowledge
in a unique fashion in order to be successful. Taking an ERM approach to establishing or refining a
contract review process can lead to greater success.
Every attorney knows that a well-written contract serves to confirm the understanding between the
parties and avoid future disagreements about terms, conditions, and definitions critical to the relationship. In an ERM environment, it is important to identify the nature of the contractual exposures facing
the healthcare entity and to offer suggestions for minimizing those exposures. But understanding the
roles and functions of key individuals in the organization beyond that of the CFO, CEO, or contracts
manager is also essential.
The purpose of this chapter is to integrate contract review elements with healthcare operations
while utilizing ERM processes and techniques.
5.2 Contract Review

To begin the process, an individual or department should be responsible for maintaining, and
revising as necessary, a current listing of all subsidiaries, affiliates, joint ventures or other legal partnerships into which the organization has entered. The listing should identify the correct legal names
and incorporation dates, as well as the existence of any dbas (doing business as) and their basic legal
structure. Utilizing this list as a part of the review process is critical when ascertaining that the correct
legal name is used in the contract.
Associated with this important element is the identification of the proper signatory to the contract.
An effective loss control technique is to implement an enterprise-wide policy specifying who, by position or title, has signing authority and the applicable category or type of contract. Attachment 1 is a
sample policy, Contract Review, Execution and File Maintenance, that can be used for this purpose. In
addition, healthcare organizations often have what is referred to as a Table of Authorities which lists
signature authority by dollar amount/type of contract/position.
For instance, most significant contracts for construction, capital asset acquisitions, or joint venture
arrangements are authorized and approved by the organization's governing body and signed by the
CEO or CFO. However, in the interests of greater efficiency and organizational knowledge, should
other officers of the organization be authorized to sign contracts? Who can sign equipment purchasing
or leasing, maintenance and repair, clinical affiliation, or supplemental staffing contracts? An important distinction exists between those individuals in the organization who, by virtue of their role or job
function, are best suited to review and/or negotiate key terms and those who have signing authority on
behalf of the organization. To be effective, the contract policy should be approved by the governing
body and contain sufficient detail so as to be successfully implemented throughout the enterprise.
The ERM approach to contract review includes:
1. Bringing together a multi-disciplinary group of representatives from, at a minimum, clinical
staffing, patient financial services, materiel management, radiology, laboratory, home care,
compliance, information systems, physician relations, managed care, contract management, and
risk management. This group should identify the types and variety of contracts they encounter
in their respective roles and other departments or functions affected by the particular contract.
2. The group should prioritize with legal counsel the risks and benefits associated with standard
contract provisions, such as insurance requirements, indemnification provisions, financial
conditions, limitations of liability, warranties, and termination clauses.
3. An important but frequently overlooked aspect of limitation of liability provisions is the
disconnect between value of the contract and the full liability potential being limited. For
example, the total value of a contract for security services and personnel might be $120,000
per year or $10,000 per month. If the maximum liability potential for the security vendor
is limited to no more than the prior 12 months' contract price, the entity purchasing the
security services may unknowingly become the deep pocket for any claims exceeding this
amount.
4. Preferred (best), acceptable, and deal-breaker language for the various contract provisions
should be developed with legal counsel. A checklist of important provisions to review should
accompany the preferred provisions.
5. Senior management and, ultimately, the governing board, should approve the lists and work
product of the group, contract language suggestions, and the policy detailing the review process and signature authority.
6. Attachment 2 is an example of a transmittal memorandum that can be used to convey the
status of the contract review among key individuals.
5.3 Contract File Management

Given the myriad of departments and individuals involved in contract review, it is essential to
have an efficient system for managing the renewal and review process and categorizing the type of
contract being considered and the individuals involved. A comprehensive contract-file management
system, whether manual or software driven, can facilitate the process and assure senior management
the review is timely and comprehensive.
There are essential elements to a successful system:
1. Group contracts into general categories, such as management services, home health, maintenance and repair, temporary staffing, consulting services, professional services, leases,
construction, purchase agreements, clinical affiliation, transfer agreements, physician-related,
managed care, and pending mergers or acquisitions.
2. Within each file, contracts should be listed by contracting party name, term, anniversary
date, affected departments, responsible department or individual reviewing/negotiating the
contract, and whether HIPAA Business Associate requirements apply.
3. The contract file should contain requested documentation regarding insurance coverages,
such as certificates of coverage and additional-insured endorsements.
4. A diary system should alert the responsible department or individual well in advance of
any anniversary renewal or termination date. Regardless of the manual or software contract
management system selected, at a minimum it should allow for adequate time to involve the
necessary parties in reviewing the terms of the existing contract and suggesting improvements in performance expectations.
5. The location of each category of contracts should also be included in the system description.
For instance, it is usually impractical to designate one individual or department as filing and
maintaining all original signed contracts for the organization. Instead, contracts should be
maintained in appropriate departments and reflected in the policy as to location.
6. From an ERM perspective, every contract should be reviewed by an individual knowledgeable about the organization's risk appetite and risk financing approach. Before the contract is
signed and added to the system, the appropriateness of the insurance requirements, indemnification, and any limitation of liability provisions must be reviewed and verified.
7. Any departments affected by the contract relationship should be listed in the system and
included in the renewal process.
8. Attachments 3, 4, 5, 6, and 7 are tools that can be used in the ERM environment to facilitate
timely and efficient contract review.
5.4 Critical Contract Provisions

While all distinct provisions are arguably of major importance to contract performance, in the
ERM environment certain areas require special attention. In particular, insurance requirements, indemnification/hold harmless provisions, and any limitations of liability are potential areas of increased risk
to the organization and may be undetected unless proper loss control measures are implemented.
5.4.1 Identifying the Parties

In the introductory clause of most contracts, the individuals and/or entities are identified. A common problem in boilerplate contracts is the failure to use the full name of the contracting individuals
or the legal name under which the entity is registered or incorporated in its home jurisdiction. Without
correction, this oversight can lead to significant problems in aligning insurance coverages and contract
requirements. The legal name and the covered entity/individual for insurance coverages must be the same
so as to avoid disputes in any subsequent claims or litigation involving the subject of the contract.
5.4.2 Insurance Requirements

From the organization's perspective, contracts requiring the organization to procure various types of
insurance must be aligned with the risk transfer or risk financing vehicle utilized for any particular risk.
For instance, an organization may choose to have a self-insurance program for professional and
general liability risks but select a commercial insurance policy (risk transfer) for property losses or
directors' and officers' liability. Why does this distinction matter?
In contract insurance requirements, typical language requires the organization provide evidence
of an insurance policy with a rated or qualified insurance carrier in the state in which the contract will
be performed. A self-insured organization, regardless of funding the self-insurance vehicle, is not an
insurance company and is not governed by the state's insurance regulations. Therefore, any references
to commercial insurance policies must be modified to reflect programs of self-insurance whenever
applicable so as to avoid a material breach of the contract terms. The contract must accurately reflect
the type of risk financing vehicle used by the contracting parties for each required line of coverage.
Depending on the scope and type of contract, the required coverages might include:

general and professional liability;

workers' compensation;

automobile liability;

fidelity/crime;

property;

directors' and officers' liability.

5.4.3 Indemnification/Hold Harmless

Indemnification provisions are among the most challenging to understand for nonlawyers, and yet
they can result in severe financial consequences if the reviewing party does not understand the indemnitor's scope of responsibility and the reasonableness of the risk assumption. Indemnity provisions are
very prevalent in healthcare contracts and represent a contractual risk transfer worthy of attention.
Any manager or executive reviewing this method of risk transfer should have a basic understanding of
the legal framework underlying the indemnification provision and the liabilities assumed upon execution of the contract. Therefore, in-house counsel is well-advised to establish systems for additional
review of indemnification provisions before the contract is executed and when nonlawyers are a part
of the contract review process.
A few ERM-based considerations for in-house and outside counsel include:


Does the assumption of risk fit within the various commercial insurance or self-insurance
programs for the organization?

Does the commercial insurance policy or self-insurance document permit or allow liability
assumed by contract?

What is the risk appetite of the organization if coverage is not available or the limits of coverage are inadequate?


Contractual liability insurance is now a standard element in many commercial general liability
policies, and covers the most common type of indemnification provisions in commercial contracts: the
indemnitor indemnifies the indemnitee for bodily injury and property damage related to underlying
contract services. It is incumbent on the legal reviewer of the contract to integrate insurance coverages
and any state law considerations or restrictions in the review process.
5.4.4 Evidence of Insurance

As a practical matter, any contract imposing insurance requirements on the contracting parties
should also include a provision requiring the insured party to provide evidence that the insurance
(or self-insurance) coverage is in place. The required evidence might range from a simple certificate
of insurance to providing copies of the actual insurance policies (rarely done). Regardless, the policy
period, named insured party(ies), type of coverage, and policy limits should be apparent on the document and reviewed for compliance with contract insurance requirements.
5.4.5 Notice of Cancellation

In the event an insurer cancels the insurance policy during the term of the contract, a notice
of cancellation provision typically requires the insurer to provide advance notice of cancellation or
material change in coverage to the certificate holder (i.e., healthcare entity). The insurers providing
certificates of coverage must agree to this notification provision in advance, and it should be reflected
on the certificate document. An example of a Notice of Cancellation provision is:
All certificates of coverage shall provide for 30 days written notice to Healthcare Entity prior
to the cancellation or material change of any insurance referred to herein.
5.4.6 Limitation of Liability

A limitation of liability provision in healthcare is often found in architecture, construction, supplier, manufacturing, and software vendor contracts. Limiting the contracting party's ultimate liability
to a predetermined amount (often tied to contract price) essentially transfers the liability exposure
beyond that level to the organization.
From an ERM perspective, limitation of liability in lesser-value contracts can significantly impact
the risk assumption profile of the organization, often without detection. Particular attention should be
given whenever the limitation of liability provision affects errors and omissions, professional acts,
breach of contract, breach of security, personal injury, and property damage.
5.4.7 Waivers of Subrogation

Subrogation is the substitution of another person in the place of the original creditor, or party
entitled to the legal rights or claims. If the insured party has waived subrogation rights or released
the offending party prior to a loss (via contract), the insurer's (or self-insurer's) rights of subrogation
against the culpable party are eliminated.



In the healthcare environment, waivers of subrogation occur frequently in leases, construction
contracts, and contract services such as security, environmental and nutritional services, on-site equipment maintenance, and repair. Most often the waiver of subrogation relates to property damage or
workers' compensation situations.
Critical issues to consider are:

Will the commercial insurer, or self-insurance program, permit a waiver of subrogation rights?
Who is responsible to contact the appropriate parties and retain the documentation?

If the contract includes insurance costs as a part of the contractor's pricing, is it prudent for
the organization to waive subrogation rights in situations involving the contractor's insurer?

5.5 Specific Issues in Healthcare Contracts

There are a number of healthcare contracts that might not rise to the attention of legal counsel and
yet deserve thoughtful attention in an ERM environment.
5.5.1 Clinical Affiliations

Among specific considerations are:


Will the sponsoring educational institution provide coverage for the student's/resident's health
plan and professional liability? If not, does the student have personal health and professional
liability policies?

Which party (sponsoring educational institution or receiving organization) covers the workers' compensation liability for the student/resident? If neither party covers this exposure, is
this clearly stated in the contract?

The structure and scope of student/resident supervision should be clearly specified. The receiving organization always retains administrative and clinical responsibility for any patient care
provided on its premises, and regular staff cannot be replaced by students/residents.

Students/residents are to abide by the organization's policies and procedures, and may be
removed from the facility at the organization's discretion for any misconduct.

The contract should specify whether the sponsoring institution is responsible for completing
the background criminal screening required by state or federal law.

5.5.2 Independent Contractors

Temporary or independent contractors present unique challenges because they often work in single departments as a result of close working relationships with department managers. As a result, the
performance expectations might be captured in an informal document or less-than-complete contract.
Obviously, this business relationship can pose additional risk to the organization if contract review
principles and processes are not applied to the situation.



Additional considerations are:

The organization should not assume responsibility for the contractor's negligence, property
damage, personal injury, or compliance with laws, statutes, regulations, or accreditation
requirements as they affect the contract services.

Responsibility for the safe handling and disposal of hazardous materials or medical waste
rests with the organization or individual producing such materials, unless noted in the contract to the contrary.

Performance expectations must be clear, objective, and quantifiable. Vague or general statements should be avoided.

5.5.3 Supplemental Staffing Agencies

One of the most critical contract elements involves the responsibility of the agency to ensure
the competency and qualifications of the staff it sends to the organization. The agency, at a minimum, should perform initial licensure or certification verification, criminal background checks, and
an applicable competency evaluation. In addition, the agency should provide adequate health, workers'
compensation, and professional liability coverage for its employees, and indemnify the organization
for their employees' negligent acts.
5.5.4 Equipment Purchases

In the ERM environment, it is important to consider:


What warranties does the vendor supply, how are the warranties negated, and how does this
fit with the organization's insurance or self-insurance coverages?

Who, how, and where will the service and maintenance be provided?

Who in the organization can authorize equipment purchases and who monitors the purchase
and service or maintenance contracts?

5.6 Commentary
Most significant contracts for construction, capital asset acquisitions, or joint venture arrangements are authorized and approved by the organization's governing body and signed by the
CEO or CFO. However, in the interests of greater efficiency and organizational knowledge,
should other officers of the organization be authorized to sign contracts? Who can sign equipment purchasing or leasing, maintenance and repair, clinical affiliation, or supplemental
staffing contracts? An important distinction exists between those individuals in the organization who, by virtue of their role or job function, are best suited to review and/or negotiate key
terms and those who have signing authority on behalf of the organization. To be effective,
the contract review policy should be approved by the governing body and contain sufficient
detail so as to be successfully implemented throughout the enterprise.



Healthcare lawyers should incorporate ERM principles in the contract review process. For
instance, middle and upper management in all departments of the organization are involved
at some level with contracts: relationships, maintenance, monitoring, negotiations, or review.
Involving key individuals in the process and educating staff about contract terms is an opportunity for healthcare attorneys to add value and contribute to an organization's success.

Major risk exposures exist in what might appear to be small or insignificant contracts. From
an ERM standpoint, the logical approach is to involve multiple disciplines, departments,
and involved individuals as a contract review process is developed and implemented in the
organization.

5.7 Conclusion

Healthcare contracts come in many shapes and sizes, varying degrees of complexity, use of boilerplate language and unnecessary legalese. The ERM approach can assist with a thoughtful and careful
review of contract language by those individuals most involved in the subject matter, which leads
to an enhanced identification of risk for the enterprise and a more appropriate assumption of risk. No
one attorney or executive can manage the myriad of contracts and contractual relationships without an
infrastructure in place. Utilizing ERM concepts in the contracting process is one positive approach to
creating such an infrastructure and minimizing the inadvertent assumption of risk.
References
Contractual Risk Transfer, Strategies for Contract Indemnity and Insurance Provisions, International Risk Management Institute, Inc., 2007.
Operations and Risk Management, Contract Review and Execution Policy CRE-1, AHLA's Guide to
Healthcare Legal Forms, Agreements, and Policies, First Edition, American Health Lawyers Association, 2008.
Attachments
Attachment 1 - Policy: Contract Review, Execution and File Maintenance
Attachment 2 - Contract Transmittal
Attachment 3 - Annual Evaluation of Service Provided by Contract
Attachment 4 - Contract Review Worksheet
Attachment 5 - Components of Contract Review
Attachment 6 - Contract Review and File Maintenance
Attachment 7 - Health Care Contracts: Key Issues


Attachment 1 Policy: Contract Review, Execution and File Maintenance


POLICY SUMMARY/INTENT:
The process of contract review and contract maintenance is an organized, coordinated process
involving affected department managers, responsible directors, and system-wide executives. Contracts
are a necessary and important component of healthcare business relationships and require diligent and
thorough review prior to execution and filing.
DEFINITIONS:
1. Contract: An agreement between two or more persons (entities, organizations, corporations)
that creates an obligation to do or not to do a particular thing. A contract may also be titled:
agreement, lease, memorandum of understanding, letter agreement, and purchase order.
2. Corporate Compliance Program, Contract, and Approval Guidelines: Entity's policies
and procedures regarding compliance with laws governing financial relationships and referrals between affiliates and physicians or other sources of patient referrals or other business.
AFFECTED DEPARTMENT/SERVICES:
1. All system-wide facilities.
POLICY: COMPLIANCE - KEY ELEMENTS
Policy:
1. It is the policy of this facility to comply with the Corporate Compliance Program Contract
and Approval Guidelines in their entirety.
2. It is the policy of this facility to commit to writing all lease, purchase, affiliation, professional
service, consulting, independent contractor, and vendor agreements with third parties and to
have responsible administrative personnel review critical terms and conditions before signing
by a corporate officer.
3. It is the policy of this facility to maintain all fully executed original contracts in a secure,
identified location.
PROCEDURE: COMPLIANCE - KEY ELEMENTS
Procedure:
1. The department manager or designated contract manager shall review the proposed contract
as supplied by the third party or discuss the critical provisions related to the particular type of
contractual relationship under consideration. All questionable or problematic areas shall be
highlighted. Any remaining questions shall be referred to legal counsel.
2. After the above issues have been resolved, the contract will be referred to the appropriate
corporate officer for signature.


3. As soon as the necessary signatures have been obtained from all contracting parties, a copy
shall be retained in the affected department manager's files and the original sent to the
designated office for the facility. Contracts shall be retained for the life of the contract plus
six years.
4. The designated office will maintain, in a secure filing cabinet, a sequenced list of all contracts,
leases, and agreements. The list shall contain: the name of the contracting party, effective
date, expiration date, and category of contract.
5. Responsible department managers shall maintain a tickler file in order to review and renegotiate contracts at least 90 days prior to expiration. During the respective contract periods, key
issues and concerns should be referred to the responsible department manager for consideration during renegotiations.


Attachment 2 Contract Transmittal Memorandum


To: Administrative Member/Entity Officer
From: Contract Reviewer
Date:
Subject:

The contract named above has been reviewed and requires:

                              Yes     No
Officer Signature:
Further Negotiation:
Additional Legal Input:
Certificates of Insurance:
Other:

Based upon this contract review, the following managers/departments should receive specific contract
terms:

Manager:                      Dept:
Manager:                      Dept:
Manager:                      Dept:

c: Contract File
   Contract Review
   Other



Attachment 3 Annual Evaluation of Service Provided By Contract
(Patient Care or Other Outsourced Service)
CONTRACT:
INVOLVED DEPARTMENT(S):
DATE OF EVALUATION:
REVIEWER:
REQUIRED ELEMENT/ISSUE    YES    NO    N/A    COMMENTS

Insurance: The service has maintained and provided current information about coverage for the contract service and all providers under the service (Professional, General and Workers' Comp).

The service has provided and maintained current information on each provider including:
Curriculum Vitae/Resume
License/Certification/Registration
Evidence of annual updates on OSHA requirement, infection control, etc.
Other certificates required by position(s) are currently maintained. Please specify:
______________________________
______________________________

The contract service has maintained current, comprehensive, and appropriate policies and procedures that cover the full scope of services provided.

Information submitted by the contract service shows that the competency of all contract service providers has been evaluated and the basis upon which the evaluation was conducted.

Human Resources has verified that the performance evaluation exists.


The system meets Entity standards.

Provider-specific monitoring and evaluation results were included in the performance evaluation process.

Managers of units where contract services are provided contributed information that was used in the performance evaluation process.

*Contract service providers have received required education regarding bloodborne pathogens.

**Contract service providers have received other annual education updates as appropriate to the services provided.

***Contract service has provided information, as required by hospital's performance improvement program, in regard to quality control and quality improvement activities.

* If appropriate, contract service providers may participate in Entity-provided annual updates or education provided by contract service will be reviewed by Infection Control Practitioner to assure that Entity standards are met.
** If appropriate, information to be reviewed by individual responsible for Entity education program to assure the Entity standards are met and providers are given necessary education to perform their functions.
*** If appropriate, information to be provided by individual who is responsible for oversight of performance improvement activities.

OVERALL EVALUATION OF CONTRACT SERVICE:





Contract to be renewed without changes.

Forward to:

Contract to be renewed with changes (see above).

Contract not to be renewed.

Reviewer's Signature:

Date:

ContractsAn ERM Approach


Attachment 4 Contract Review Worksheet
Reviewer:

Date:

Contract:

Description:
Services to Be Provided:

Facility/Entity Departments Affected:


Primary:

Secondary:

Terms: Contract Period:


From:

To:

Termination/Notice:

Insurance Requirements:

Performance Description:

Outstanding Issues/Questions:


Enclosures:

Contract

Corporate RM Review

Legal Opinion

Correspondence


Attachment 5 Components Of Contract Review


ISSUE    YES    NO    COMMENTS

IDENTIFICATION OF THE PARTIES
1. Are all of the parties to the contract identified and are the legal names used?

EFFECTIVE/EXECUTION DATE
1. Can you identify the date the contract terms go into effect and the date it is signed?

TERM
1. Is the length of the contract specified?
2. Does it renew automatically with mutual party agreement?

TERMINATION
1. Is the termination without cause?
2. Is it possible to cancel/terminate the contract for failure to perform?

INSURANCE/LIABILITY ISSUES
1. Are the insurance requirements written to permit self-insurance programs?
2. Are the types of insurance applicable to the business relationship?
   a. Comprehensive General Liability
   b. Professional Liability/E & O
   c. Workers' Compensation
   d. Property
   e. Business Auto
   f. Bonds
3. Does the contract require that the contracting party (contractor) provide insurance?
4. Are the types of insurance specified and, if so, are the specified types appropriate to the contract services to be provided?
5. Are the required limits of insurance coverage specified and, if so, are the limits appropriate to the potential liability exposure?


6. Does the contract require that the contracting party provide evidence of insurance or a certificate of insurance for each insurance required?
7. Does the contract require that the entity be notified of material change or cancellation of the contracting party's coverage?
8. Does the contract give the entity the right to cancel the contract in the event of insufficient or lack of appropriate insurance coverage as required?
9. Does the contract specify that the insurance requirement will outlive the term of the contract?
10. Is there an appropriate indemnification/hold harmless clause based on which party has control or ownership of the liability exposure?

INDEMNIFICATION/HOLD HARMLESS
1. Is the indemnification mutual?
2. Are the parties assuming liability for only their own negligent acts?

PERFORMANCE OF THE PARTIES
1. Is there a full description of each party's obligations and responsibilities?
2. Are the financial arrangements understandable and reasonable?

AMENDMENTS/EXHIBITS
1. Are all reference documents (amendments or exhibits) attached?

GOVERNING LAW
1. Is the state in which the contract terms are implemented or executed the governing law?

CONTRACT SIGNATORIES
1. Are the names, signatures, and titles of the parties represented on the signature page?


Attachment 6 Contract Review and File Maintenance


Type of Contract    Original to:    Duplicate to:

Business Associate
Construction
Consulting
Corporate Compliance
Equipment Maintenance
Equipment Purchase
Independent Contractor
Leases
Managed Care
Professional Services
Service Agreements
Student Affiliation
Supplemental Staffing
Transfer Agreements



Attachment 7 Healthcare Contracts: Key Issues
Contract Type    Issue    Yes/No/Comment

Clinical Affiliations

1. Which organization (sponsoring educational institution or healthcare entity) covers the student's:
   workers' compensation;
   health plan;
   professional liability;
   required training in hazardous materials, blood borne pathogens, HIPAA?
2. Is the supervision of the student by the sponsoring institution clearly specified?
3. Which organization performs the background criminal screening on the student?
4. Students must abide by the organization's policies and procedures and can be immediately removed for violation of policy.

Independent Contractors

Which party assumes responsibility for:
   contractor's negligence;
   property damage;
   personal injury;
   compliance with laws, statutes, regulations or accreditation requirements?
Does the contractor assume responsibility for:
   professional and general liability;
   workers' compensation liability;
   health plan;
   federal- or state-mandated training (i.e., haz mat)?
Are performance expectations clear and objective?
Do you understand when and how the contractor breaches the performance?

Equipment Purchases

1. If the contract includes warranties:
   What, when, and how do the warranties apply?
   How are the warranties negated or affected?
   How do the warranties fit with the organization's self-insurance or insurance coverages?
2. How will maintenance or servicing of the equipment occur?
   When and how will the equipment be serviced?
   Does the organization pay for out-of-state travel?
   Can the organization use internal or local resources for servicing?
   Is the organization committed to a long-term service contract beyond the life of the equipment?
3. Who in the organization:
   Authorizes equipment purchases and servicing contracts?
   Maintains and monitors the contracts?


Supplemental Staffing Agencies

Does the agency:
   Ensure competency and qualifications of staff?
   Perform criminal background screening?
   Ensure health status equivalent to organization's employee requirements?
   Provide workers' compensation and professional liability coverage for staff?
   Indemnify organization for agency staff negligence?
   Train staff as required?
Can the organization:
   Remove the individual if a patient safety or other major policy/procedure violation occurs?
   Terminate the contract if the agency fails to perform?
   Identify agency staff who should no longer be sent on assignment to the organization?


6 Financial Challenges
Richard L. Clarke, DHA, FHFMA
President and CEO, Healthcare Financial Management Association (HFMA)
6.1 Introduction

A fundamental tenet of effective enterprise risk management (ERM) is to provide value for an
organization's stakeholders (owners, investors, customers, employees, and communities) within an
uncertain and changing environment and to deal effectively with potential future events that create
that uncertainty. The importance of ERM was highlighted in May 2008 when one of the major credit
rating agencies announced that it would enhance its rating process for nonfinancial companies through
an ERM review.1
The aim of healthcare financial managers is to ensure resources are available that enable their
organizations to provide high-quality and safe healthcare services that are valued by their stakeholders
today and in the future. To provide this value, governing boards and management teams must understand the challenges and risks inherent in an uncertain and changing environment.
Financial management in this environment involves a strategic focus as healthcare organizations
experience increasing financial challenges. Examples of those more strategic functions include creating competitive strategy and helping link clinical and financial operations to improve volume, strategic
position, efficiency, payment, and clinical outcomes; a perfect fit with ERM processes.
In all of these activities, uncertainty and change are ever present. And with increasing uncertainty
and change, ERM becomes more vital. In the finance risk domain, issues include payment system
changes and compliance with Medicare/Medicaid regulations, diminished capital access because of
unstable credit markets and a weakening economy, revenue risks from the need to serve a growing
number of uninsured patients, and, for not-for-profit organizations, coping with ongoing challenges
to tax-exempt status.

1 Standard & Poor's, Enterprise Risk Management: Standard & Poor's To Apply Enterprise Risk Analysis to Corporate
Ratings, May 7, 2008.

The best way to understand the risks associated with healthcare finance is to review the key business challenges and drivers confronting healthcare organizations and to identify the risks inherent in
each.2 Those challenges can be grouped into four areas familiar to business management:

volume;

cost;

pricing/payment; and

capital.

6.2 Volume

For hospitals, inpatient admissions and outpatient visits have been growing slowly, at a rate of
less than 1% over the past five years. However, over that same time, the volume of nonhospital outpatient healthcare services has grown much more rapidly.
For example, while hospital inpatient surgery volume between 2001 and 2005 remained static,
total outpatient surgery volume (in hospital and nonhospital settings combined) grew 25%.3 Similarly, hospitals have been losing ground in the percentage of outpatient surgeries, with the percentage
performed in hospital-based facilities falling almost 10% compared with the percentage performed
in nonhospital facilities over the past five years.4 And although volumes for some primary care and
medical specialties have increased, payment rates have not kept pace with cost increases. In this case,
more volume does not increase profitability.
Many factors drive this shifting from inpatient to outpatient visits and from hospital to nonhospital venues. Poor economic conditions drive down elective and non-urgent services, population
changes impact volume, and competitive forces increasingly are a factor.
Competition is driven in part by a payment system that gives nonhospital providers a competitive
advantage in that they are able to focus on the most profitable services while hospitals face a higher
cost structure to support essential but unprofitable, mission-related services (such as burn units or
inpatient psychiatric units). The current payment system also attracts equity capital investors (including physicians) who see opportunities in the inequities of the current payment system. Competition is
particularly strong in services such as orthopedics and cardiology, and it is coming from physicians
and investor-owned companies, sometimes in partnership. Frequently, traditional hospitals are fighting
for market share with imaging centers, surgicenters, ambulatory care centers, urgent care centers;
in short, facilities without beds.
Healthcare finance leaders surveyed by the Healthcare Financial Management Association (HFMA)
cite physician integration as the most significant issue to affect hospital volume over the next several

2 The information about healthcare business challenges is adapted from HFMA's Healthcare Finance Outlook: 2008-2013, Westchester, IL: Healthcare Financial Management Association, 2007.
3 Avalere Health analysis of Verispan's Diagnostic Imaging Center Profiling Solution, 2004, and American Hospital Association Annual Survey data for community hospitals, 1981-2004.
4 Verispan's Diagnostic Imaging Center Profiling Solution, 2004.

years. A related issue, the movement toward nonhospital treatment facilities such as retail settings,
ranked as the second most significant factor that will influence hospital volume. (See Exhibit 1.)
To enhance their volume, hospitals and physicians are seeking integration opportunities to align
incentives, enhance market share, and develop stronger negotiating positions. In some settings, this
integration is relatively loose, using directorships, stipends, management contracts, gainsharing, and
leasing to link hospitals and physicians. In other settings, the integration is much tighter, using integrated delivery systems and various joint venture models.
Risk issues related to declining volume include coverage of fixed and overhead costs. That is,
as volume drops, the fixed cost per unit of service increases since there are fewer encounters over
which to spread fixed cost, such as depreciation, interest, and general overhead. Increasing volume
also carries risk. If the increased volume produces revenue per unit of service that does not cover the
increased variable or marginal cost per unit, then overall profitability declines. Finally, strategies to
impact volume (either up or down) carry a variety of risks. These range from community and government reaction to service elimination that reduces unprofitable volume to investment risks related to
strategies to increase volume.
6.3 Cost

The most significant components of cost are well known to healthcare finance executives: labor and
supplies. For most provider organizations, these costs represent anywhere from 50 to 80% of operating
costs. Labor costs are driven by factors such as nursing and other shortages, as well as rapidly rising
benefit costs. Supply costs are driven largely by the use of high-cost physician-preference items. When
looking at healthcare expenses in terms of inflation, the greatest increases for hospitals over the next
three years are likely to be seen in the areas of professional liability insurance, food, energy, equipment, and supplies.5
The dimension of the problem with rising costs can be seen from a finding by Moody's Investors
Service that in FY06 expense growth outpaced revenue growth for the first time in many years. That
gap narrowed in FY07, but expense growth remains an issue.
Healthcare finance leaders surveyed by HFMA found that the issue with the greatest influence on
hospital costs over the next three to five years is accelerating regulatory requirements. The factor listed
as second most significant was increases in cost of supplies and pharmaceuticals. (See Exhibit 2.)
To address cost issues, hospitals are working aggressively to enhance efficiency and productivity to ensure that human resources are used effectively. On the supply side, efforts focus on engaging
physicians in the process of purchasing supplies to help control use of expensive physician-preference
items. Other joint administration-clinician efforts focus on enhancing efficiency in clinical processes.
Cost issues represent an important challenge for healthcare organizations. Inappropriate cost-cutting efforts such as inadequate staffing, utilization of excessive temporary staffing or poorly trained
staff, deferred maintenance and capital replacement, and inappropriate or inadequate supply levels
may increase risks related to care delivery. Overstaffing due to poor staffing management protocols,
inadequate capital planning, or poor supply-chain management also carries risks, including reduced
profitability and liquidity. The human capital risk domain is particularly affected by cost issues and
highlights the importance of involving human resources while making strategic decisions for the
organization.

5 R-C Healthcare Management Hospital Inflation Data, 2nd Quarter, 2007, proprietary information from R-C Healthcare.
Used with permission.
6.4 Pricing/Payment

Healthcare payment and pricing systems are fraught with illogic and unfairness, creating problems for all healthcare stakeholders.
Nearly half of hospital payment derives from Medicare, Medicaid, and other government health
programs. And although these programs represent a smaller percentage of payment for most physicians, they are still significant. Due to federal and state budget constraints, government payment is
falling increasingly short of covering the costs of treating their beneficiaries. Indeed, Medicare's future
is tenuous without a significant increase in government funding or a reduction in spending. Recent
estimates suggest that the trust fund for Medicare Part A could be insolvent as early as 2016.
According to healthcare finance leaders surveyed by HFMA, stagnant or declining Medicare and
Medicaid payment rates, guided by federal budget pressures, will be the most significant factor affecting healthcare payment and pricing over the next three to five years. (See Exhibit 3.)
Although providers continue to institute cost-control measures, they cannot make up the payment
shortfall. As such, the cost of these shortfalls is generally passed through to consumers. One estimate
shows private payors pay $1.22 for every dollar of hospital costs as a result of this cost-shift hydraulic, sometimes described as a hidden tax on healthcare purchasers.6
As healthcare costs continue to escalate faster than overall inflation, many employers are responding by eliminating employee health benefits or shifting more of the burden of payment to consumers
in the form of higher deductibles and copayments. These actions lead hospitals to face the additional
burden of uncompensated care associated with caring for uninsured and underinsured patients and, in
many cases, lead to further need to cost shift.
A particularly troublesome consequence of cost shifting is that, over time, hospital prices may
lose their relationship to rational benchmarks, such as cost, value, or market demand. Consumers are
the big losers in this situation, finding it virtually impossible to determine what their financial obligations will be for services, while hospital staff find it challenging to educate their communities about
the complex mechanisms that result in their pricing.
Many healthcare organizations are also grappling with rising levels of nonpayment for services
provided. These problems result in part from the trend toward reduced employee health benefits or
higher copayments and deductibles noted earlier, compounded by the economic effects of the recession
that began in 2007. Effective management of increasing bad debt levels requires a multi-disciplinary
effort within the organization, including patient financial service, case management, and risk management staff.

6 Allen Dobson, Joan DaVanzo, and Namrata Sen, "The Cost-Shift Payment Hydraulic: Foundation, History, and Implications," Health Affairs 25, January/February 2006, 22-33.
On the positive side, federal and commercial payors are making strides to link healthcare payment to actual achievement of quality processes and outcomes. And stakeholders are slowly coming
together to seek consensus on a better payment and pricing system.
As noted earlier, inadequate payment per unit of service is a key concern. And uncertainties
related to major payor sources such as Medicare and Medicaid increase both short-term operating
risks and longer-term strategic risks. Pricing concerns expressed by the public and policy makers
increase the risk of increased price regulation and hence reduced pricing flexibility. This increases the
uncertainty of producing the level of revenue per unit of service to cover increasing costs of providing
that unit of service.
6.5 Capital

Capital spending for healthcare organizations, especially hospitals, is driven by factors such as the
need to update or replace aging facilities, prepare for an aging population, and acquire new medical
technology. Hospitals have taken on significant amounts of debt to support increases in capital spending. Much of this capital investment is for replacement, modification, and in some cases, expansion of
facilities as well as investments in medical and business information technologies.
After years of relatively easy access, that situation is changing. Rising costs and payment challenges are eroding the margins for many healthcare organizations, and with that comes erosion of
credit quality. Exhibit 4 illustrates the growing gap between hospitals that are more creditworthy
and those that are less. In 1990, 5% of the credits rated by Moody's Investors Service were Aa rated,
65% were A rated, and 27% were Baa rated. By July 2007, the curve had flattened, with 16% Aa rated,
44% A rated, and a larger 30% Baa rated. Late in 2008, several ratings agencies lowered their outlook
on both not-for-profit and for-profit hospital sectors to negative from stable and indicated that they
expect a rise in rating downgrades over 2009.
Experts predict that the cost of capital will go up in the next three to five years (see Exhibit 5)
because of concerns the rating agencies have over the medium term and the current turmoil in the
credit markets. This rising cost could well coincide with slowing growth in payment and volume for
healthcare organizations. The result could be a significant challenge to their profitability and ability to
finance their future endeavors. For example, financing of physician alignment strategies such as joint
ventures may prove significantly more difficult. Both hospitals and physician groups may need to
consider other compensation-based strategies to achieve alignment goals.
Profitable healthcare organizations will continue to have access to capital at relatively lower costs,
but they too are seeing the cost of capital increase. Unprofitable organizations will struggle even more
to keep up. The gap between the haves and have-nots can only accelerate as quality becomes more of
a differentiating strategy. Although the rising tide of the mid-2000s lifted most boats, that tide quickly
ebbed amid financial market turmoil and the economic downturn. While healthcare organizations at
the top may continue to have access to capital, those in the middle tier may see their margins reduced,
and those at the bottom may see their margins drop to a negative level.
Capital finance issues such as capital demand (capital expenditures for facilities and equipment)
and capital access (cash from operations, equity, debt, contributions, grants) carry enormous risks.
Increased capital expenditures increase the fixed cost profile of an enterprise, which reduces flexibility
in times of uncertainty and requires new revenue streams to support increased cash flow demands.
Additionally, structuring of debt portfolios with both variable and fixed interest rate debt instruments carries credit market risks that are driven by national and global financial market dynamics.
Recent turmoil in the credit markets demonstrates how the risk profile of the enterprise can change
outside of management's control based on its debt structure. Too much variable debt increases volatility, but too little significantly increases the cost of capital.
Finally, capital issues also relate to the enterprise's investment portfolios that are influenced by
many of the same market forces. Accounting and financial reporting requirements to mark investments
to market demonstrate the swings in asset values that can occur when financial markets rise and fall.
These accounting requirements also create a reporting risk as markets move up and down. Highly
variable debt portfolios and highly speculative investment portfolios can quickly change the financial
position of an enterprise.
6.6 Commentary

The organization must have a clear vision of its fiscal policies that is well known to all
stakeholders. Some organizations will struggle to survive and maintain market share, while
others will not only maintain sound operations but realize revenue growth. Knowing where
the organization is in this cycle is critical.

Financial risks must be comprehensively identified in the context of enterprise risk management in order for the organization to appropriately prioritize its goals and objectives.

While many risks are not amenable to traditional risk transfer arrangements such as the purchase of commercial insurance coverage, use of techniques such as risk avoidance or loss
control should be considered in the overall context of managing financial risk.

The ability for the organization to be fiscally prudent in today's economy requires clear strategic direction by an engaged board of directors and implementation tactics by competent
leadership.

The increased responsibility of the board of directors combined with heightened scrutiny
by regulators requires that board members, individually and collectively, be informed about
healthcare operations that may impact the financial performance of the organization and that
they are knowledgeable about current market and external financial trends. A thoughtful ERM
approach, considering the finance risk domain, can enhance the fiscal rewards and reduce the
risks to the organization.

6.7 Conclusion

Understanding the business drivers of volume, cost, pricing/payment, and capital is critical in
evaluating the risk profile of a healthcare organization. These drivers are directly associated with
key financial risks, including the ability to raise and maintain access to capital, contracting issues,
and risk-financing treatments such as insurance and self-insurance. The strategies that are developed
must operate within the mission, vision, and objectives of the enterprise. In addition, management
and governance must consider the events that may impact the organization's risk profile. Few risks
exist in isolation. Risks associated with areas such as operations, human capital, legal and regulatory,
and technology may ultimately become a financial risk to the organization. Effective enterprise risk
management is a critical adjunct to successful financial management.

Exhibit 1 Most Significant Factors Related to Hospital Volume: 2008-2013

Exhibit 2 Most Significant Factors Affecting Hospital Costs, 2008-2013

Exhibit 3 Most Significant Factors Affecting Hospital Prices/Payment: 2008-2013

Exhibit 4 Shift in Credit Quality, 1990-2007

Source: Moody's Investors Service, Inc. and/or its affiliates. Reprinted with permission. All rights reserved.

Exhibit 5 Most Significant Factors Affecting Hospital Capital: 2008-2013

7 Financial Stewardship
Elizabeth M. Mills, Esq.
Senior Counsel, Proskauer Rose LLP
7.1 Introduction

In 2006, approximately 59% of the hospitals in the United States were operated by organizations
exempt from federal income tax because they are described in Section 501(c)(3) of the Internal Revenue
Code (Code). Of the remainder, 23% were operated by governmental units and 18% were operated by
for-profit entities.1 Nationally, in 2005 approximately 41,000 health-related organizations were Section
501(c)(3) tax-exempt organizations.2 This chapter is principally directed toward tax-exempt3 healthcare
organizations, although Section 7.5 on "Use of Property Financed with Tax-Exempt Bonds" and portions of Section 7.3, "Tax Reporting and Payment Issues," will be of interest to governmental entities,
and portions of Section 7.4, "Corporate Oversight of Financial Affairs," will be of interest to for-profit
healthcare organizations.
This chapter first explains the significance of maintaining tax exemption, the risks to tax exemption,
and how tax exemptions can be managed. The next section summarizes public reporting requirements
for tax-exempt healthcare organizations as well as employment tax issues and risks. Attention then
turns to the current focus from many sources on governance as it relates to financial management
of the health organization. Finally, there is a brief summary of the risks when property financed by tax-exempt bonds is not used in compliance with applicable requirements and how those requirements can
be met.
7.2 Maintaining Tax Exemption

7.2.1 Significance of Tax Exemption

Tax exemption provides substantial financial and non-financial benefits to healthcare organizations. Primary benefits are:

The organization does not pay federal or, usually, state income tax on its net income, except
to the extent it is derived from activities that are unrelated to exempt purposes (such as pharmacy or equipment sales to non-patients).

The organization is eligible to use the proceeds of tax-exempt bonds, thereby reducing financing expenses. See Section 7.5 on "Use of Property Financed by Tax-Exempt Bonds."

The organization is eligible to receive charitable contributions that are deductible by donors.

Perhaps less today than in the past, the organization enjoys the halo effect associated with
charitable organizations.

1 American Hospital Association, Fast Facts on US Hospitals, http://www.aha.org/aha/resource-center/Statistics-andStudies/fast-facts.html. Excludes federal hospitals.
2 Blackwood, Wing, and Pollak, The Nonprofit Sector in Brief: Facts and Figures from the Nonprofit Almanac 2008,
accessible at http://nccsdataweb.urban.org/kbfiles/797/Almanac2008publicCharities.pdf.
3 When used in this chapter, "tax-exempt organization" or "exempt organization" means an organization described in
Section 501(c)(3) of the Code unless another section or another type of tax exemption is indicated.

Tax-exempt organizations must generally be recognized by the Internal Revenue Service (IRS) as
having that status, either through applying to the IRS for recognition of exemption or through inclusion in a group exemption ruling (such as the group ruling issued to Catholic organizations).4 The IRS
may revoke an organization's tax exemption following an audit, which may be prompted in one or
more of the following ways:

a complaint from the public;

a news report concerning the organization that piques the IRS's interest;

a compliance check or questionnaire on certain areas (such as executive compensation)
issued to selected types of organizations by the IRS; or

the IRS's selection criteria for auditing tax-exempt organizations (which may include assets,
income, type of activity, and other factors).

If the IRS revokes an organization's tax exemption, one immediate consequence can be that the
organization's tax-exempt bonds become taxable (that is, the interest on the bonds is no longer tax-free
to the holder). This is usually an event of default on the bonds, which may accelerate the organization's
debt and cause it to be immediately due and payable. Although a tax-exempt organization can challenge an IRS-proposed revocation of tax exemption both in administrative proceedings and in court,
a formal notice of proposed revocation is usually viewed as a material event that must be disclosed
to the markets. This disclosure can adversely affect the interest rate on the organization's outstanding
bonds if they are variable-rate or need to be remarketed, as well as adversely affecting public opinion.
Thus, revocation of tax exemption or even proposed revocation of tax exemption is usually not an
acceptable outcome for organizations using tax-exempt debt. The alternative, if the IRS has concerns
about whether the organization is operating consistent with tax exemption, is to conclude the audit
with a closing agreement between the IRS and the organization which lays out specific actions that the
organization will take and provides that the organization remains tax-exempt.
In addition, tax-exempt healthcare organizations are frequently eligible for exemption from property tax on their property and sales tax on their purchases. Property and sales tax exemptions are often
more important financially to healthcare organizations than exemption from tax on income; property
and sales taxes must be paid regardless of the organization's profitability, while income taxes need be
paid only if there is taxable income. Property and sales tax are governed by state and local law and
are not generally tied to federal income tax exemption. However, an organization that loses its federal
income tax exemption is likely to be scrutinized by state and local taxing authorities for continued
compliance with property and sales tax exemption requirements, and an organization that does not
meet federal standards may not meet the (frequently) more stringent requirements for property or sales
tax exemption. For current issues in property tax exemption challenges, see Section 7.2.5 on Property
Tax Exemption below.

4 Organizations that are exempt from income tax under other subsections of the Code, such as Section 501(c)(4) social
welfare organizations or Section 501(c)(6) professional and trade associations, are not required by law to obtain recognition from the IRS of their tax-exempt status, although most do. Some types of 501(c)(3) organizations, such as churches
and very small organizations, are not required to obtain recognition of their status pursuant to Section 508 of the Code.

For these reasons, maintaining tax-exempt status is of utmost importance to exempt organizations. The next parts of this section summarize the requirements for maintaining tax exemption.
7.2.2 Standards for Tax-Exempt Status

Tax-exempt organizations must be organized and operated for exempt (charitable, educational,
scientific, or religious) purposes.
Being organized for exempt purposes means that the articles of incorporation (not the corporate
bylaws) of the organization (or other organizing document if not a corporation):




must state purposes that are exempt purposes;

may not state purposes that are not exempt purposes;

must provide that the organization will not intervene in an election for public office;

must provide that the organization will engage in lobbying only as an insubstantial part of its
activities (the distinction between political activity and lobbying is described below); and

must provide that, upon dissolution, the assets of the organization must be dedicated to exempt
purposes, usually by transferring them to other tax-exempt organizations.5

In addition, if the tax-exempt organization is not a private foundation because it is a supporting
organization described in Section 509(a)(3) of the Code,6 the articles of incorporation must include
language specifying that the purpose of the organization is to carry out the purposes of, support, or benefit specified public charities. When amendments to articles of incorporation or equivalent documents
are made, care should be taken that required provisions are not dropped or impermissible provisions
added inadvertently.
Being operated for exempt purposes means that the following three requirements must be met:

The organization must operate primarily to achieve exempt purposes. If a substantial part
of the organization's activities is to achieve non-exempt purposes, it may not be eligible
for exemption. This criterion is frequently measured by the percentage of the organization's
activities (as measured by expenses, revenues, board time, employee time, or other relevant
factor) that are devoted to exempt as opposed to non-exempt purposes (for example, carrying on a business unrelated to exempt purposes), although there is not a simple formula or
numerical cutoff.

The organization must not permit its net earnings to inure to the benefit of any private
shareholder or individual7 (inurement). The IRS, regulations, and courts interpret "net earnings" to mean the income or assets of the organization as well as its profits, and interpret
"private shareholder or individual" to mean a person with a personal and private interest in
the activities of the organization, basically insiders such as directors and officers.8 Thus,
a tax-exempt organization may not provide an equity-type interest (such as a right to receive
profits) to a non-exempt person or organization and may not engage in transactions with
insiders that result in the exempt organization receiving less than fair market value.

The organization must serve public, rather than private, interests; that is, it must not confer benefits on individuals or other persons (even disinterested persons) other than benefits
created as an incident to achieving exempt purposes.9 Thus, an exempt organization can be
disqualified for tax exemption because its activities benefit individuals even though those
individuals are not in control of the organization and even though the organization does not
engage in prohibited inurement.

5 Treas. Reg. Section 1.501(c)(3)-1(b).
6 Every Section 501(c)(3) tax-exempt organization is classified as a private foundation under Section 509 unless it is
excluded from private foundation status because it qualifies as an organization described in Section 509(a)(1), (2), or (3) of
the Code. Qualification can be based on the nature of activities, the amount of support derived from contributions or payments
from the general public, or the organization's relationship to other organizations falling within the first two categories.

The potential for violation of these standards can arise in many aspects of healthcare operations,
including: relationships with employed physicians; relationships, such as leases, service contracts, and
recruitment, with independent medical staff physicians; joint ventures with physicians or other non-exempt entities; compensation relationships with external managers and service providers; executive
compensation; financial relationships between the exempt organization or its affiliates and its directors
or officers; reimbursement of employees' expenses when such reimbursement may be viewed as for
political contributions made by the individuals; and use of the exempt organization's resources in support of a political candidate. Many of these risks, particularly in physician and service relationships
and joint ventures, can be addressed through review in the contracting or transaction process. Risks
associated with executive compensation can be addressed through implementation of rebuttable presumption of reasonableness procedures referenced in Section 7.4. Risk associated with financial
relationships with directors or officers can be addressed through the rebuttable presumption of reasonableness procedures and conflict of interest procedures for transactions with interested persons.
Finally, risks associated with political campaign activity that may be attributed to the exempt organization can be addressed through systemwide policies and education detailing political campaign
behavior that is prohibited, as well as direction to accounts payable and expense reimbursement staff
to question transactions that have the appearance of involvement in political activities.
7.2.3 Other Consequences of Violating Tax-Exempt Status Requirements

In addition to or instead of loss of tax exemption, the IRS can impose penalties (technically, excise
taxes) on the violating exempt organization or those who have benefited from the violation. The penalties of broadest applicability are the so-called intermediate sanctions, or taxes on excess benefit
transactions, contained in Section 4958 of the Code. Under these provisions, a disqualified person
(a person who is in a position to exercise substantial influence over the organization, such as a director
or officer) who engages in an economic transaction with an exempt organization in which the exempt
organization receives less than fair market value consideration is subject to a penalty of 25% of the
excess benefit amount. The disqualified person must also correct or undo the offending transaction.
Directors and officers who knowingly approve the excess benefit transaction (whether or not they
individually benefit from it) are also subject to a tax, up to $20,000 in the aggregate. Exempt organizations must report on the Form 990 whether they have engaged in an excess benefit transaction during
the reporting year and whether they have discovered in the reporting year an excess benefit transaction
that occurred in a previous year, as well as the details of the transaction. Thus, the exempt organization
must self-report an excess benefit transaction to the IRS and indirectly to the public.

7 Code Section 501(c)(3).
8 Treas. Reg. 1.501(a)-1(c); General Counsel's Memorandum 39862 (December 2, 1991); United Cancer Council Inc. v.
Commissioner, 165 F.3d 1173 (7th Cir. 1999).
9 American Campaign Academy v. Commissioner, 92 T.C. 1053 (1989).

The key to whether a transaction with an insider is an excess benefit transaction is whether the
transaction is at fair market value. The intermediate sanctions regulations provide a process that, if
followed, provides the exempt organization and the insider a rebuttable presumption that the transaction is reasonable.10 This rebuttable presumption means that if the IRS believes a transaction is an
excess benefit transaction, it is the IRS's burden to prove that the transaction was not at fair market
value, a reversal of the usual situation, in which it is the taxpayer's burden to prove it is entitled to
exemption. The rebuttable presumption requires that a compensation amount or a transaction (such as
sale of property) be 1) approved in advance by a disinterested committee or board that has 2) obtained
and relied upon appropriate data as to comparability prior to making its determination and 3) has
concurrently documented the basis for its determination.11 While the presumption of fair market value
does not apply if any element of the requirements is not met, satisfying as many of the rebuttable presumption requirements as possible is still desirable and helpful in demonstrating that the transaction
is in fact at fair market value. The risk of engaging in an excess benefit transaction, then, can be managed by executive compensation and conflict of interest policies that require that compensation changes
or special benefit adjustments for executive employees, as well as financial transactions between the
organization and directors, officers, and other potentially disqualified persons, be approved through a
process that meets the rebuttable presumption of reasonableness.
Another penalty that can be imposed is on an exempt organization's expenditures for political
activity. For exemption purposes, political activity means activity that relates to influencing the outcome of an election for public office. As noted above, Section 501(c)(3) strictly prohibits exempt
organizations from engaging in any political activity. No de minimis amount is permitted. Section 4955
provides that the IRS may impose a tax equal to 10% of the amount of the political expenditure on an
exempt organization making such expenditures. This is a tool for the IRS to use, short of revoking tax
exemption, to address isolated or inadvertent expenditures. As in the case of intermediate sanctions,
the organization must disclose on the Form 990 whether it has engaged in any political expenditures.
An exempt organization may participate in lobbying activities (attempting to influence legislation), but only as an insubstantial part of its activities. The statutory standard of insubstantial is,
of course, vague. Many exempt organizations are eligible to make a Section 501(h) election under
which the dollar amount of permissible lobbying expenditures is determined by a formula based on
the organization's expenditures. If an electing organization spends more than the permitted amount on
lobbying activities, the organization is subject to an excise tax on the excess expenditure.12 Because
exempt healthcare organizations, particularly hospitals, have extensive exempt activities, lobbying
activities typically do not exceed permitted levels, either under the 501(h) election or under the general
insubstantial standard. However, to prevent inadvertent violations, it is desirable to have corporate
policies limiting lobbying activities to an insubstantial portion of the organization's activities and
specifying who within the organization may engage in or direct such activities, so that the extent of
lobbying efforts is known and can be reported as required.

10 Treas. Reg. Section 53.4958-6. The regulations make clear that if the rebuttable presumption is not satisfied, no inference should be drawn that the transaction is at other than fair market value.
11 Id.
7.2.4

Tax Exemption for Healthcare Organizations

The IRS has interpreted these standards as they apply to hospitals in Revenue Ruling 69-545.13
Revenue Ruling 69-545 concludes that the following factors indicate that a hospital operates for the
charitable purpose of promoting the health of the public (the community benefit standard):

The hospital has a board of directors made up of community leaders, rather than physicians
and other persons interested in the operation of the hospital.

The hospital has an open medical staff (that is, medical staff membership is available to qualified physicians in the community, rather than to a few physicians who control the hospital).

The hospital has an emergency room that treats all in need of emergency services regardless
of ability to pay.

The hospital accepts Medicare and Medicaid patients and other patients who can afford to
pay for their care.

The criterion of a community board has been adapted to modern multi-corporate systems by IRS
interpretation that an organization controlled by an exempt organization with a community board
satisfies this criterion.14 Entities that deliver healthcare services but that are not hospitals or residential facilities are subject to the same community benefit standard, modified as appropriate for their
activities.15
Notably, these criteria, which were articulated shortly after the establishment of the Medicare
and Medicaid programs, do not include the provision of non-emergency services without charge to
those unable to pay. Since that time, it has become evident that these programs have not provided the
anticipated access to care. The IRS, the Senate Finance Committee, other administrative and legislative bodies, and class action plaintiffs' attorneys have examined exempt hospitals' provision of free
care to those unable to pay and questioned whether exempt hospitals in fact operate differently from
for-profit hospitals.16

12 Code Section 4911.
13 1969-2 C.B. 117, amplified by Rev. Rul. 83-157, 1983-2 C.B. 94.
14 Internal Revenue Manual Exhibit 7.20.4-9.
15 Id. Nursing homes and homes for the elderly or disabled have slightly different standards for exemption that focus on affordability and maintaining those who become unable to pay to the extent of the organization's financial ability. Rev. Rul. 72-124, 1972-1 C.B. 145; Rev. Rul. 79-18, 1979-1 C.B. 194.

The recent revisions to the Form 990 discussed in Section 7.3 Tax Reporting and Payment Issues
(the information return filed by exempt organizations) require substantial, very specifically defined
reporting on exempt hospitals' charity care policies, amount of charity care provided, amounts of other
types of community benefit provided, and billing and collection practices. Information on the Form 990
is available to the public. Many states also have enacted statutes addressing exempt hospitals' provision
of charity care, including community benefit reporting requirements, hospital billing practices requirements, limitations on collection practices, and in some cases requirements that a certain amount of
charity care be provided. A compilation of information from the American Health Lawyers Association,
the Healthcare Financial Management Association, the Catholic Health Association, and VHA concerning community benefit, charity care, and the Form 990 is available at http://www.990forhospitals.org/.
If they have not already done so, exempt healthcare organizations should review their charity care
policies and procedures, in preparation for completing the new Form 990 if for no other reason. In this
area, the manner of implementation is even more important than the policy; the best policy is worthless
if it is not applied correctly and a needy patient is denied care or unfairly pressed for payment. This
review can include:

The charity care policy itself: what criteria a patient must meet to qualify, how income and
assets are determined, whether there is a limit based on patient's income on the total amount
the patient may be asked to pay, and how exceptions may be made and documented.

Implementation of charity care program: timely response and follow-up to applications,
standard and consistent responses to patient requests for information, convenient business
hours, files and statistics maintained concerning applications and action thereon.

Collection practices: the organization has clear written standards and practices to be used in
collection activities, interest-free payment plans are available, wage garnishments and body
attachments are not used in ordinary circumstances, legal action is taken only when there is
evidence of patient income or assets available to make payment, outside collection agencies are
required to adhere to the organization's practices, patient accounts are reviewed prior to collection agency assignment to confirm that financial assistance was offered if the patient is eligible,
specified collection actions require review and approval at specified institutional levels.

Employee training: detailed and updated training materials for patient accounts personnel
are maintained, training on charity care policies is provided to all appropriate administrative
and clinical staff.

Public disclosure of charity care policies and procedures: policies are clear and understandable (taking into account languages of communities served), availability of financial
assistance is indicated on bills, policies are communicated to the community and to patients.

16 Staff Discussion Draft of Potential Non-profit Hospital Reforms, Senate Committee on Finance, July 17, 2007, available at http://finance.senate.gov/press/Gpress/2007/prg071907a.pdf; Hospital Compliance Project Interim Report (Summary of Reported Data), Exempt Organizations function of IRS Tax Exempt and Government Entities, 2007, available at http://www.irs.gov/pub/irs-tege/eo_interim_hospital_report_072007.pdf.

7.2.5 Property Tax Exemption

If healthcare organizations' property is subject to property taxes, this can be a significant financial
impact, particularly since property taxes are not dependent on the income generated by the property;
that is, they must be paid whether the facility is making money or not. Generally, property is exempt
from property tax if it is owned by a charitable organization and used for charitable purposes.17 State
and local governments periodically challenge the tax-exempt status of hospital property, with a flurry of
such attacks in the 1980s in Utah, Pennsylvania, and Vermont, among other states. Recently, appellate
courts in Illinois have upheld the denial of property tax exemption for hospitals and community health
centers, and the Provena case is now before the Illinois Supreme Court.18 The rationale set forth in the
Provena decision is that the organization owning the property is not an institution of public charity
and the property is not used exclusively for charitable purposes, the statutory standard, because: only
a small amount of the care provided, under 1%, was charity care; it provided discounts to patients
unable to pay in part and then sued them for nonpayment of the remaining balance; its operating income
was derived almost entirely from charges; and its primary activity was to sell medical services in the
same manner as a for-profit hospital. The appellate court rejected the hospital's efforts to demonstrate
community benefit. This focus on charity care dollars and collection practices is in line with current
efforts in Congress and the IRS to refine the community benefit standard for income tax exemption.
As described above, it also means that healthcare organizations that bill and collect for services should
have internal controls over sending accounts to collection and over initiating lawsuits for payment to
limit such actions to situations in which there is some reason to believe that the patient has the ability
to pay. A few instances of perceived unfair collection treatment of poor patients, if picked up by the
media, can trigger IRS attention, property tax exemption review, and Congressional inquiries.
7.3 Tax Reporting and Payment Issues

As mentioned in Section 7.2.4, the IRS has redesigned the Form 990, or annual information
return, that must be filed by most tax-exempt organizations,19 to require reporting of substantially more
and more detailed information, particularly about governance issues (as discussed in Section 7.4 on
Corporate Oversight of Financial Affairs below), community benefit provided by hospitals, and
tax-exempt bond use. One reason the Form 990 revision has received so much attention is that exempt
organizations must make their Forms 990 available to the public for three years following the date the
return was due.20 In addition, the IRS provides filed Forms 990 for display on Guidestar.org. Thus,
information disclosed on the Form 990 is almost immediately available to the public, the press, and
government investigators. (The only exception to the requirements for public disclosure is that the
list of donors to the organization attached to Form 990 as Schedule B need not be disclosed.) Exempt
organizations that have more than $1,000 in gross income subject to unrelated business income tax
must also file a Form 990-T to report taxable income and pay any tax due. Effective for returns filed
after August 17, 2006, Section 501(c)(3) organizations must also make their Forms 990-T available
to the public. Smaller organizations that are eligible to file a Form 990-EZ rather than a Form 990
must make that form available under the same rules. More information on the requirements for making returns available to the public is available in IRS Publication 4221-PC and on the IRS web site at
http://www.irs.gov/charities/index.html. Of particular note is the requirement that a copy be available
for inspection on a walk-in basis during normal business hours; this means that a person must be designated to have these documents. Persons who ask for access to these documents and do not receive it
can complain immediately to the IRS, and the IRS takes these complaints very seriously.

17 Some states tax real property only, while others tax both real and personal property.
18 Provena Covenant Medical Center and Provena Hospitals v. Illinois Department of Revenue, No. 4-07-0763, Ill. App. (4th Dist.) August 26, 2008; Community Health Care, Inc. v. Illinois Department of Revenue, 307 Ill. Dec. 519 (3d App. Dist. 2006).
19 Private foundations (see note 6, supra) file a different form that was not revised and have always had to file that form regardless of level of financial activity.
20 Code Section 6104(d). The organization must also make its exemption application filed with the IRS available to the public; if the organization received exemption before 1987, it must make the application available only if it had a copy in its possession in 1987.

Until recently, small exempt organizations, those with $25,000 or less in annual gross receipts,
did not have to make an annual filing with the IRS. In addition, there was not a specific provision that
exemption was endangered by failure to file. Beginning for tax years ending on or after December 31,
2007, all exempt organizations that do not have to file Form 990 or Form 990-EZ must complete an
online filing with the IRS providing basic information such as name and address. An organization that
is a supporting organization described in Section 509(a)(3) of the Code must also now file a Form 990
regardless of the level of its financial activity.21 Importantly, an organization that fails to make the
required filing for three consecutive years now loses its tax-exempt status effective as of the date the
last missed filing was due, and exemption cannot be restored retroactively unless the organization
shows reasonable cause for the failure to file.22 Loss of exempt status for an affiliate in a healthcare
system that occupies tax-exempt bond-financed property can have particularly severe unintended consequences, so this new provision makes vigilance in filing particularly important.
If an exempt organization's unrelated business activities will generate a tax liability on the
Form 990-T of $500 or more, the organization must pay estimated taxes in the same way as taxable corporations. Further, while many states automatically treat organizations that are exempt from
income tax at the federal level as similarly exempt at the state level, many states require that exempt
organizations with a federal unrelated business income tax liability also file a state unrelated business
income tax return and pay state income tax on that income. This state filing is sometimes overlooked,
and interest and penalties for failure to file for several years can be costly.
As organizations eligible to receive tax-deductible charitable contributions, exempt healthcare
organizations must also comply with the requirements for providing substantiation to donors for
quid pro quo contributions, that is, contributions in which the donor receives something of value in
return, such as the right to attend a benefit dinner. In this situation, the donor may deduct as a charitable contribution only the amount contributed in excess of the fair market value of the item received.
In addition, donors who contribute $250 or more to a charity may not deduct the contribution unless
they receive substantiation of the contribution from the charity. The exempt organization is not technically required to provide this substantiation to the donor but usually does so to prevent unhappy
donors. These substantiation requirements are set forth in more detail in IRS Publication 1771.

21 Code Section 6033(l).
22 Code Section 6033(j).

Like other employers, exempt organizations that have employees must withhold and pay federal
and state employment taxes and file employment tax returns. Penalties for failure to withhold or failure
to pay can be significant.23 In addition, the organization should confirm that individuals it is paying
and treating as independent contractors (as opposed to employees) actually qualify as independent
contractors. Determining whether individuals paid by the organization are employees as opposed to
independent contractors is important because if the organization treats individuals as independent
contractors and does not withhold or pay employment taxes, the IRS may reclassify the individual
as an employee and look to the employer for taxes, interest, and possibly penalties. In healthcare
organization audits, the IRS usually asserts the position that physicians performing medical director
or other administrative services on a part-time basis should be treated as employees of the healthcare
organization, rather than independent contractors.
Finally, while exempt organizations are often able to obtain exemption from state and local sales
taxes on items they purchase, they frequently are liable for withholding and paying sales taxes on
items they sell. Again, failure to register as a sales tax collector and to pay these taxes can result in
significant taxes and penalties.
In summary, particularly in a multi-corporate healthcare system, each entity may have multiple
filing obligations. The legal and finance functions should work together to make sure that filing
requirements are known and complied with. One system is to maintain a master entity list indicating
each entity's characteristics (e.g., type of entity, tax identification number, sales tax exemption status)
and filing requirements so that no type of filing for any of the entities is overlooked. This is especially
important now that an organization that fails to file its required IRS information return can lose its
tax exemption.
7.4 Corporate Oversight of Financial Affairs

Like the board of directors of a for-profit corporation, the members of the board of directors of
a not-for-profit corporation (whether they are called directors, trustees, or some other name) have a
fiduciary duty to exercise due care in overseeing the affairs of the corporation. This includes oversight
of the corporation's financial affairs. In general, the standard of care for not-for-profit corporation
directors24 is the same as for directors of for-profit corporations: the prudent man standard, which
requires that directors discharge their duties in good faith and with the degree of diligence, care, and
skill which ordinarily prudent men would exercise under similar circumstances in like positions.
This section summarizes the views of the Panel on the Nonprofit Sector and the IRS on how this
duty applies to the activities of an exempt organization board in being the stewards of the corporation's
finances: overseeing investment management, executive compensation, accounting and recordkeeping, tax reporting, and other matters. In 2007, the Panel on the Nonprofit Sector published Principles
for Good Governance and Ethical Practice: A Guide for Charities and Foundations,25 which lists
33 principles (the Panel Principles). In February, 2008, the IRS posted its own list of good governance
practices, Governance and Related Topics - 501(c)(3) Organizations26 (the IRS Practices).

23 See Verret v. United States, 103 AFTR 2d 2009-1189 (5th Cir. 2009), which upheld a finding under unusual facts that a hospital board chair and manager was personally responsible for more than $400,000 in taxes withheld but not paid over.
24 Trustees of a trust are generally held to a higher standard of care; trusts are not discussed in this section.
25 Available at http://www.nonprofitpanel.org/Report/index.html.

With respect to investment management, Panel Principle 22 states in part:
The board of a charitable organization must institute policies and procedures to ensure that the
organization (and, if applicable, its subsidiaries) manages and invests its funds responsibly, in
accordance with all legal requirements.
IRS Practice 4.C. states:
The governing body...may be required either by state law or by the organizational documents
to oversee or approve major investments made by the organization. Increasingly, charities
are investing in joint ventures, for-profit entities, and complicated and sophisticated financial
products or investments that require financial and investment expertise and, in some cases,
the advice of outside investment advisors. The [IRS] encourages charities that make such
investments to adopt written policies and procedures requiring the charity to evaluate its
participation in these investments and to take steps to safeguard the organization's assets and
exempt status if they could be affected by the investment arrangement. The [IRS] reviews
compensation arrangements with investment advisors to see that they comply with federal
tax law.
The revised Form 990 asks whether an organization has adopted procedures and policies regarding participation in a joint venture or similar arrangement with a taxable entity; it does not specifically
ask about investment policies.
The National Conference of Commissioners on Uniform State Laws adopted a Uniform Prudent
Management of Institutional Funds Act (UPMIFA) in 2006.27 UPMIFA is intended to replace the
Uniform Management of Institutional Funds Act, adopted in 1972 and eventually enacted in 47 jurisdictions. UPMIFA updates the previous act by incorporating the rules of the Uniform Prudent Investor
Act, which was promulgated in 1994 and has been enacted in 43 jurisdictions. UPMIFA requires those
investing and managing the funds of a charity to:

act in good faith and in compliance with the prudent man standard;

incur only reasonable costs in investing and managing funds;

in managing and investing funds, consider general economic conditions, the possible effect
of inflation or deflation, the expected tax consequences (if any) of investment decisions or
strategies, the expected total return from income and the appreciation of investments, other
resources of the institution, and the needs of the institution to make distributions and to preserve capital;

make decisions about each asset in the context of the portfolio of investments as part of an
overall investment strategy;

diversify investments unless special circumstances dictate otherwise;

dispose of unsuitable assets; and

develop an investment strategy appropriate for the charity.

These standards were not set forth in the previous act.

26 Available at http://www.irs.gov/pub/irs-tege/governance_practices.pdf.
27 Available at http://www.nccusl.org.

With respect to executive compensation, the need to pay no more than reasonable compensation to
insiders and the rebuttable presumption of reasonableness procedure were discussed above in Section
7.2.3 Other Consequences of Violating Tax-Exempt Status Requirements. Overseeing executive
compensation is also part of financial stewardship. Panel Principle 8 states:
A charitable organization must have a governing body that is responsible for reviewing and
approving the organization's mission and strategic direction, annual budget and key financial
transactions, compensation practices and policies, and governance policies.
IRS Practice 4.A. states:
A charity may not pay more than reasonable compensation for services rendered. Although
the [Code] does not require charities to follow a particular process in determining the amount
of compensation to pay, the compensation of officers, directors, trustees, key employees, and
others in a position to exercise substantial influence over the affairs of the charity should
be determined by persons who are knowledgeable in compensation matters and who have
no financial interest in the determination....The [IRS] encourages a charity to rely on the
rebuttable presumption test ... when determining compensation of its executives....The [IRS]
has observed significant errors or omissions in the reporting of executive compensation
on the IRS Form 990 and other information returns (e.g., Form W-2 and employment tax
returns). Organizations should take steps to ensure accurate and complete compensation
reporting on these forms, and to also ensure that appropriate income and employment taxes
are withheld and deposited with the [IRS]. Executive compensation continues to be a focus
point in [the IRS's] examination program.
The revised Form 990 asks whether the process used to determine the compensation of an organization's top management official and other officers and key employees included a review and approval
by independent persons, comparability data, and contemporaneous substantiation of the deliberation
and decision, the elements of the rebuttable presumption of reasonableness.
Spurred by the Sarbanes-Oxley requirements for publicly held companies, today's good governance practices generally indicate that an exempt organization should have an audit committee of the
board of directors made up of disinterested persons and that the audit committee should oversee the
outside auditor. Most healthcare organizations of any size will obtain audited financial statements, for
compliance with bond covenants if for no other reason.

Panel Principle 21 states:
A charitable organization must keep complete, current, and accurate financial records. Its
board should receive and review timely reports of the organization's financial activities and
should have a qualified, independent financial expert audit or review these statements annually
in a manner appropriate to the organization's size and scale of operations.
IRS Practice 5.A. states:
[E]ven if an audit is not required, a charity with substantial assets or revenue should consider
obtaining an audit of its financial statements by an independent auditor. The board may
establish an independent audit committee to select and oversee an independent auditor. An
audit committee generally is responsible for selecting the independent auditor and reviewing
its performance, with a focus on whether the auditor has the competence and independence
to conduct the audit engagement, the overall quality of the audit, and, in particular, the
independence and competence of the key personnel on the audit engagement teams.
Form 990 asks whether the organization's financial statements were compiled or reviewed by an
independent accountant, audited by an independent accountant, and subject to oversight by a committee within the organization. The instructions indicate that if the reporting organization is included in a
consolidated audited financial statement (usually the case in a multi-corporate healthcare system),
the organization should respond "no" to these questions but it may explain that it is included in a
consolidated audit.
The board of directors also has a duty to see that the corporation maintains financial and other
important records. Panel Principle 5 states:
A charitable organization should establish and implement policies and procedures to protect
and preserve the organization's important documents and business records.
IRS Practice 4.F. states:
The [IRS] encourages charities to adopt a written policy establishing standards for document
integrity, retention, and destruction. The document retention policy should include guidelines
for handling electronic files. The policy should cover backup procedures, archiving of
documents, and regular check-ups of the reliability of the system....Charities are required by
the [IRS] to keep books and records that are relevant to its tax exemption.
The revised Form 990 asks whether the organization has a written document retention and destruction policy.
Financial stewardship in today's environment also includes transparency to the public and other
constituencies. Panel Principle 7 states in part:
A charitable organization should make information about its operations, including its
governance, finances, programs and activities, widely available to the public.
IRS Practice 6 states:
By making full and accurate information about its mission, activities, finance, and governance
publicly available, a charity encourages transparency and accountability to its constituents.
The revised Form 990 asks how the organization makes its Form 1023, Forms 990 and 990-T,
governing documents, conflict of interest policy, and financial statements available to the public.
The revised form also asks whether the Form 990 was provided to the organization's board before
it was filed and asks for a description of the process, if any, used by the organization to review the
Form 990.
Finally, while the issue may not be as commonplace for exempt healthcare organizations as it is
for other types of exempt organizations, an exempt organization should consider adopting a gift acceptance policy outlining the types of gifts (real property, partial interests, closely held stock, etc.) that
it will and will not accept and the types of conditions on property (for example, a restriction on sale)
that it considers acceptable. Gifts can carry potential liabilities; for example, gifts of real property can
present exposure to environmental issues. A gift acceptance policy can outline the types of information that must be presented (e.g., an environmental study) before a gift is accepted. Along these lines,
Panel Principle 30 states:
A charitable organization should adopt clear policies, based on its specific exempt purpose,
to determine whether accepting a gift would compromise its ethics, financial circumstances,
program focus or other interests.
7.5 Use of Property Financed by Tax-Exempt Bonds

A primary benefit of tax exemption for healthcare organizations is the ability to use the proceeds
of tax-exempt bonds. Tax-exempt bonds enjoy tax-favored status because the proceeds from these
governmentally issued bonds are used for the benefit of tax-exempt organizations or governmental
units. (The governmental issuer of the bonds may be a state or local health facilities authority, a county,
a city, or other governmental unit; the issuer then lends the bond proceeds to the tax-exempt organization, or to the governmental user if it cannot issue the bonds itself.) The holders of these bonds are not
subject to income tax on the bond interest and the exempt organizations or governmental units enjoy
the corresponding benefit of lower interest. In exchange for this benefit, however, the use of the borrowed monies and the facilities they fund are subject to many restrictions. If these restrictions are not
observed, the result can be that the bondholders are taxed on the income they receive and the bonds
are in default, a disastrous outcome. Further, the IRS has increased its enforcement of these restrictions in recent years, conducting compliance surveys and audits of bond users to determine whether
restrictions are being observed and whether appropriate records of the use of bond-financed property
are being kept.28 The revised Form 990 also requires, for reporting years starting on or after January 1,
2009, detailed information on the use of proceeds of each post-2002 outstanding bond issue.

28 See, e.g., the September 2008 report of the Tax-Exempt Bonds function of the IRS Tax Exempt and Government Entities division on its tax-exempt charitable financings compliance project at http://www.irs.gov/taxexemptbond/article/0,,id=186653,00.html.

Thus, it is essential that the use of bond proceeds and bond-financed property be continually
monitored to prevent issues or, if problems have already occurred, to correct them as soon as possible.
Even though the governmental issuer is viewed as the taxpayer by the IRS, bond documents typically place responsibility for compliance with tax rules on the exempt organization or governmental
entity using the proceeds.29 If potential bad use is detected before it occurs, remedial action, such as
using bond proceeds for an alternative purpose or redeeming bonds, can be taken to avoid bad use.30 If
bad use has already occurred, voluntary compliance steps, resulting in a closing agreement and, usually, some payment, can be taken with the IRS.31 Use of bond-financed property and bond proceeds is
typically reviewed by bond counsel during a financing or refinancing. However, if a problem is discovered at that point and the IRS must get involved in a voluntary compliance agreement, the financing
can be delayed or derailed.
A primary restriction affecting ongoing compliance for bond-financed facilities throughout the
life of the bonds is that only a small portion of the facilities can be used by a private person or used
by a tax-exempt person in an unrelated trade or business. Such use is bad use. If bad use limits are
exceeded, the bonds may no longer be tax-exempt. For bonds issued for the benefit of tax-exempt organizations, the limit is generally that no more than three percent of the proceeds of an issue can be used in
a bad use if the permitted 2% of proceeds is used to fund the costs of bond issuance (if less than 2% is
used for costs of issuance, the remainder increases permitted bad use). In addition, for bonds issued for
the benefit of tax-exempt organizations, bond-financed property must be owned by an exempt organization. For bonds issued for governmental facilities, the limit on bad use is generally 10%.
The percentage of bad use is measured for the facilities financed by each bond issue and over the
life of each bond; in other words, it is measured on a bond issue by bond issue basis. One question
that frequently arises is how to determine which property is bond-financed and by which bond issue.
This can be very difficult to track because a single bond issue may fund the purchase of many items of
equipment as well as work on various parts of the physical plant. Also, recordkeeping can be difficult
because of the length of time (often up to 30 years) that bond issues are outstanding. The money borrowed in each bond issue is traced to the expenditures made with that money or with the bond issue
that the new bond issue is refinancing. Thoughtful allocations at the time of expenditure can prevent
future confusion or unnecessary restrictions. Responsibility for maintaining records of bond-financed
property and allocations should be clearly assigned to a position in the organization so that these
records can be preserved despite reorganizations or changes in personnel.
The following generally create bad use:

Bond-financed property is leased to non-exempt persons (such as physicians in private practice).

29. The bondholders who are not taxed on their interest income are technically the taxpayers; however, the IRS attempts to resolve violations without taxing bondholders and instead works with the issuer. Notice 2008-31, 2008-11 IRB 592.
30. Remedial action provisions are in Treas. Reg. Sections 1.141-12 and 1.145-2.
31. Rev. Proc. 97-15, 1997-1 C.B. 635, sets forth the IRS formal closing agreement program. Notice 2008-31, 2008-11 IRB 592 describes the IRS's tax-exempt bond voluntary closing agreement program.


An exempt organization uses bond-financed property to conduct an unrelated trade or business (such as reference laboratory services).
A service contract involving bond-financed property does not comply with the requirements
of Revenue Procedure 97-13,32 which sets forth IRS safe harbors for avoiding bad use. A service contract includes independent contractor and management arrangements but does not
include janitorial, billing, or equipment maintenance contracts.
Arrangements under which physicians receive no compensation from the hospital, but
instead provide services for which the physicians bill patients directly, may be service contracts which need to comply with Rev. Proc. 97-13, usually as per-unit fee
arrangements.

A service contract must generally meet the following requirements to comply with Rev. Proc.
97-13:

Compensation cannot be based on profits of the bond-financed facility, and cannot be calculated using both revenues and expenses of the facility.

The entity providing the services to the bond-financed facility cannot be a non-Section 501(c)(3)
entity controlled by or under common control with the facility. For example, a service contract with a taxable subsidiary or Section 501(c)(4) affiliate in a multi-corporate system cannot
comply with Rev. Proc. 97-13.

Board and officer overlap between the service provider and the facility is limited.

The contract's term and compensation provisions must fall within one of several categories.
(Reimbursement paid to the service provider for expenses paid by the service provider to
unrelated parties is not treated as compensation for these purposes.)

All of the compensation for services is based on a per-unit fee or a combination of a
per-unit fee and a fixed fee. The term of the contract does not exceed three years. The
contract is terminable by the facility on reasonable notice, without penalty or cause, at
the end of the second year of the contract term.

At least 50% of the compensation for services for each year during the term of the contract is based on a fee. The term of the contract does not exceed five years. The contract
is terminable by the facility on reasonable notice, without penalty or cause, at the end of
the third year of the contract term.

At least 80% of the compensation for services for each year during the term of the contract is based on a fixed fee. The term of the contract does not exceed the lesser of
10 years or 80% of the useful life of the financed property.

At least 95% of the compensation for services for each year during the term of the contract is based on a fixed fee. The term of the contract does not exceed the lesser of
15 years or 80% of the useful life of the financed property.

In addition, in limited circumstances a two-year contract with a one-year termination
provision may have a percentage of fees or expenses compensation arrangement.

32. 1997-1 C.B. 632, modified by Rev. Proc. 2001-39, 201-2 C.B. 38.

As with the issues discussed at the end of Section 7.2.2 Standards for Tax-Exempt Status, the
key to compliance with these requirements is through the contracting process. Contracts for the lease
of property, sale of property, affiliations, joint ventures, and similar transactions should be reviewed
before the transaction is completed to determine whether bond-financed property is involved and, if so,
whether remedial action is necessary. Contracts for services, whether they are for medical director,
hospital-based department, interpretation, physician independent contractor, dietary, or management
services, should be reviewed to confirm either that they meet Rev. Proc. 97-13 requirements or that
they do not involve bond-financed property.

7.6 Commentary

The matters discussed in this chapter fall primarily into the financial risk domain and, to some
extent, the legal and regulatory risk domain. It is rare that taking risk in financial stewardship produces
a competitive advantage. Further, while the risk frequency may be low, the risk severity is catastrophic.
Fortunately, for most healthcare organizations, risk reduction efforts frequently discover substantial
low-hanging fruit:

Board-level policies and procedures should be reviewed and amended or adopted as necessary. These policies should include:

investment management and participation in joint ventures;


conflict of interest;
transactions involving insiders and implementation of rebuttable presumption of
reasonableness procedures for such transactions;

patient financial policies (charity care, collections);


executive compensation philosophy and procedures, including implementation of
rebuttable presumption of reasonableness procedures;

expense reimbursement policies and procedures;


prohibited political activities;
lobbying activities; and
document retention and whistleblower policies.

The financial management oversight function should include:

implementing procedures and recordkeeping for patient intake, billing and collection
that demonstrate compliance with the board-adopted policies and procedures, including
staff training and documentation thereof;

maintaining a master list of legal entities and their tax and filing status so that filing
requirements can be met and tax-exempt status preserved;


tracking of use of tax-exempt bond proceeds and monitoring of bad use amounts; and
providing direction to accounts payable and expense reimbursement staff to question
suspicious transactions.

Finally, the legal and contract management function should include review of proposed contracts and transactions for:

potential excess benefit transactions, so that rebuttable presumption of reasonableness
procedures can be followed;

transactions that may provide private benefit, so that the need for such transactions can
be documented; and

compliance as necessary with the restrictions on use of tax-exempt bond-financed
property.

7.7 Conclusion

Healthcare organizations, particularly tax-exempt organizations, are certain to receive greater
scrutiny in the coming years from the IRS, the public, Congress, and others. Tax-exempt organizations
are now required to disclose significantly more operational information to the IRS and the public than
before. Information that must be disclosed includes:

governance policies;

details on executive compensation and methods of determining compensation;

transactions with insiders;

specific use of tax-exempt bond proceeds; and

charity care, collection, and community benefit policies, procedures, and results.

The same factors will be considered in deciding whether property tax exemption should be maintained.
In addition to specific disclosures, the IRS will be attentive to tax-exempt boards' oversight of financial
investments. Because of the potentially catastrophic financial consequences (including bond defaults)
of actual or threatened loss of tax exemption, and extensive disclosure requirements (making discovery of issues likely), the issues addressed in this chapter are a significant source of risk to tax-exempt
healthcare organizations but can be readily addressed.


Part III
Hazards


8
Energy Management as an ERM Process
Sheila Hagg-Rickert, JD, MHA, MBA, DFASHRM, CPHRM, CPCU
Senior System Director of Risk Management, CHRISTUS Health

8.1 Introduction

An energy management initiative is not the first thing that comes to mind when healthcare organizations consider various enterprise risk management (ERM) opportunities. While discussions
regarding energy management no doubt routinely occur within healthcare organizations, especially in
a time of rapidly increasing energy costs, the literature reports few examples of healthcare institutions
that have approached the issue through an ERM framework. However, when traditional risk management competencies of risk identification and loss control, claims management, and risk financing are
applied to issues related to unchecked energy demand in the face of spiraling energy costs, an effective
enterprise-wide energy management strategy may result.

8.2 Energy Management as an ERM Process

Energy costs are a significant budgetary item for large healthcare organizations, particularly for
hospitals. Hospitals typically operate within large physical plants on multi-building campuses in which
air temperature and humidity levels must be maintained within relatively narrow limits for the comfort
and safety of visitors and staff and the effective operation of equipment. They have constant ingress
and egress that make indoor climate control more difficult. They utilize large amounts of heated water
that must be available on demand and house large and complex medical equipment, such as MRIs and
CT scanners that require vast amounts of power to operate.
The costs of electrical power in the U.S. have risen over 133% in the past five years.1 Price
increases have also been seen for natural gas.2 In addition, the increased public focus in recent years on
global warming, climate change, and the consequences of failing to adopt a greener approach to construction, plant maintenance, and waste management has forced healthcare organizations, like other
large institutions, to step up their energy management efforts. Given the new criticality of effectively
managing skyrocketing energy costs while contributing to global sustainability through increased
corporate responsibility for reducing carbon emissions and preserving limited energy resources, the
energy management field is ripe for consideration from an ERM perspective.

1. U.S. Department of Labor, Bureau of Labor Statistics, Consumer Price Index Summary (Washington, DC: GPO, June 2008).
2. U.S. Department of Labor, Bureau of Labor Statistics, Producer Price Index Summary (Washington, DC: GPO, June 2008).



At its core, enterprise risk management applies traditional risk management competencies
related to risk identification and loss control, claims management, and risk financing to non-fortuitous
and therefore uninsurable potential causes of loss. It expands the notion of risks amenable to the
deployment of risk management interventions to a variety of business, operational, financial, political,
and other risks previously not examined and addressed within the risk management framework. The
energy management issues impacting healthcare institutions can be examined along these lines as part
of a comprehensive enterprise-wide initiative.

8.3 Energy Management and Loss Prevention

Opportunities for effective loss prevention abound in the area of energy management. Most such
efforts revolve around energy conservation programs aimed at reducing the organization's overall
energy usage and shifting energy demands to off-peak periods when energy costs may be less.3
Good conservation practices begin prior to breaking ground for new healthcare buildings. Organizations seeking to reduce energy costs can work with their planning and construction management
personnel as well as outside architects, engineering firms, and contractors to ensure new buildings
and major renovations incorporate green building techniques and adhere to principles articulated in
programs such as Energy Star4 and LEED.5 Purchase decisions for major patient care and other equipment can include consideration of energy efficiency.
External consultants can be employed to perform energy audits of existing buildings to identify
opportunities to improve energy efficiency through replacement or enhancement of existing roofing
systems, window glazing systems and heating, ventilation, and air conditioning (HVAC) equipment.
While capital available for the systematic replacement of such equipment tends to be limited in most
healthcare organizations, where such projects must constantly compete for dollars with technology
upgrades and remodeling of patient care areas, entities committed to an energy conservation strategy
can create a multi-year energy enhancement capital improvement plan to ensure that, over time, the
organization moves in a more energy efficient direction.
Most electrical utility providers offer variable rates for power used during different times of the
day, particularly in hotter months during which strains on the energy system peak in the late afternoon
and early evening period when temperatures reach their daily highs and air cooling demands are at their
highest. An operational review to identify high-energy demand activities that can be deferred from peak
energy periods to off-peak times will typically yield additional savings in overall energy costs.

8.4 Energy Management and Claims

Claims management activities related to risk management traditionally focus on selecting and
monitoring counsel, setting reserves, negotiating settlements, and performing other duties related to
defending various liability and workers' compensation claims brought against the healthcare organization and handling first-party property and auto claims on behalf of the organization. In the energy
management process, claims management activities revolve around assisting the healthcare organization in pursuing claims it may have against utilities providers.

3. Texas Electric Choice Education Program, www.PowerToChoose.org (2007).
4. www.EnergyStar.gov (2008).
5. U.S. Green Building Council, Leadership in Energy and Environmental Design Green Building Rating System, www.usgbc.org (2008).

Most healthcare organizations of any size have multiple utility meters that track the organization's
usage of electrical power and natural gas. In the case of large multi-location healthcare providers, the
corporate real estate portfolio often includes hundreds of discrete address locations, each with one or
more utility meters, so the total number of meters can number in the thousands for a single organization. The meters pertaining to a given entity are constantly changing as the organization buys or leases
new space and sells or terminates leases at other locations. Given this scenario, it is no wonder that
utility bills may not always track with the organization's responsibilities for bill payment.
Outside consultants are available to assist the larger healthcare entity with developing a utility bill
audit process. While a single hospital or clinic may have a manageable number of bills to review, large
healthcare corporations usually need to avail themselves of the services of a consultant to review bills
to ensure that charges for utilities provided at closed, sold, or leased out locations are not included on
the organization's bills. While one might think that such billing errors are the exception to the rule,
they are, in fact, surprisingly common and well worth auditing. Given the multi-million dollar annual
energy costs experienced by many large healthcare providers, even a modest 12% savings from
identifying locations for which the organization is paying for utility costs in error may
amount to hundreds of thousands of dollars.
For not-for-profit healthcare providers, another aspect of bill review involves looking for the
inclusion of various taxes on utility bills for which the organization may legitimately claim exemption.
While jurisdictions may vary somewhat in the degree to which not-for-profit providers are exempt
from taxes on utilities usage, if a large hospital is found to have been paying unnecessary taxes over a
significant period of time, six-figure refunds may be possible.

8.5 Energy Management and Risk Financing

When dealing with energy management, risk financing looks at the various financial models and
tools available to a healthcare organization to contain energy costs. Given the governmental deregulation of utilities,6 organizations in many parts of the United States now have the option to select from
multiple suppliers of energy when purchasing power for their operating needs. Terms and conditions,
prices and billing options may vary among various suppliers so, when consumer choice is an option,
healthcare entities may elicit proposals from various vendors to determine which best serve their
needs. Again, utilizing the services of an energy management consultant may be helpful. Rate plans,
budget billing options, and service terms may be somewhat complex and confusing, and it is often
useful to employ the services of a firm specializing in making distinctions among various providers in
determining the best fit for a given healthcare organization.

6. Daniel H. Cole and Pete Z. Grossman, The End of a Natural Monopoly: Deregulation and Competition in the Electric Power Industry, Boston, MA: JAI Press, 2003.



Employing hedging strategies is also a potentially useful tool in managing energy costs over time.
Like the prices of many other commodities, utility prices may, under some circumstances, be locked
in via futures contracts. If the healthcare organization, typically with the help of an experienced energy
management consultant, anticipates that the prices of electrical power or natural gas are going to rise
over time, it may be able to lock in a set rate by contract to cover future operating periods. Of course,
if prices actually fall during the contract period, the organization will be forced to pay the higher rate.
However, in the recent era of rapidly escalating utilities prices, many entities have enjoyed significant
savings due to the execution of hedging strategies in prior periods.

8.6 Conclusion

Taking a comprehensive approach to energy management is still a new concept to most healthcare
organizations. While most have had various conservation and efficiency efforts in place for some time,
looking at the issue strategically as an enterprise risk has not been widely adopted. However, as energy
costs continue to rise and assume greater prominence in an entity's overall operating budget, there may
be a future trend toward adoption of an ERM framework to better address organization needs.


9
An Enterprise Risk: Pandemic Influenza
Gisele Norris, DrPH
National Directory, Aon Healthcare Alternative Risk Transfer Practice
Amy Norris, Esq.
Associate General Counsel, Clif Bar & Company

9.1 Introduction

There has been much speculation about the emergence of a global influenza pandemic. An influenza pandemic is defined as a global outbreak of disease that occurs when a new influenza A virus
appears or emerges in the human population, causes serious illness, and then spreads easily from
person to person worldwide. Such viruses often occur first in other species (e.g., birds or pigs), subsequently infecting humans with direct contact to infected animals. A pandemic ensues once the virus
adapts to allow sustained human-to-human transmission. Pandemic influenza is distinguished from
seasonal influenza by its transmissibility: whereas most people have some immunity to seasonal influenza, humans have little natural immunity to pandemic influenza. Furthermore, the disease caused by
pandemic influenza may also be graver than that caused by the seasonal flu. Although estimates differ
slightly, influenza pandemics appear to occur roughly three times per century. The first pandemic was
reported around 490 BC.
The recent emergence of the H1N1 virus makes it clear that proactively identifying a virus with
pandemic potential is very difficult. Furthermore, novel flu viruses often result in multiple waves of
illness that arrive a few months apart. The severity of the illness may be different in each wave.
Just as the timing of a pandemic cannot be precisely predicted, neither can its severity. However,
modeling studies suggest that the impact of a pandemic on the United States could be substantial. In
the absence of any control measures such as vaccination or drugs, it has been estimated that a medium-level pandemic in the United States could cause 89,000 to 207,000 deaths, 314,000 to 734,000
hospitalizations, 18 to 42 million outpatient visits, and another 20 to 47 million illnesses. Between
15% and 35% of the U.S. population could be affected by an influenza pandemic, and the economic
impact could range between $71.3 and $166.5 billion.1 There is currently no vaccine for the avian
flu, and antiviral treatments are in scarce supply in the United States.2

1. Centers for Disease Control and Prevention, Emerging Infectious Diseases: The Economic Impact of Pandemic Influenza in the United States: Priorities for Intervention, Vol. 5, No. 5, September-October, 1999.
2. Centers for Disease Control and Prevention, March 2006. Note: Vaccines prevent the flu while antivirals are generally used to cure disease (if used in early stages). Antivirals can be used as a prophylaxis if large quantities are available.



Therefore, even a moderate influenza pandemic would be expected to lead to the following
outcomes:

significant absenteeism due to a rise in morbidity and mortality;

ensuing production and supply chain interruptions;

shifts in consumer preferences leading to decreased demand for some products and increased
demand for others; and

increases in benefits costs.

Such outcomes will result in direct and significant impact on all types of business, including
healthcare. Furthermore, because pandemic will affect multiple risk domains (operations, human capital, finance, etc.), mitigation planning will require multi-disciplinary involvement. The assertion that
pandemic is a highly probable event with severe expected impact affecting multiple risk domains
qualifies it as a meaningful enterprise risk worthy of serious consideration.

9.1.1 Healthcare Facilities Will Be on the Front Line

The healthcare system itself will be forced to confront such challenges in the face of dramatically
increased demand for services. This situation is exacerbated by the fact that hospitals are themselves
a high-risk environment for contracting pandemic flu. For these reasons, healthcare facilities have an
urgent need to engage in rigorous pandemic planning if they are to fulfill effectively their missions
during a pandemic outbreak. Facilities should consider the following scenarios:
1. Surging demand: Whereas many businesses may experience a decline in demand for their
products, healthcare facilities will be faced with an unprecedented surge in demand for services
and must prepare accordingly. The CDC offers software that allows hospitals to put in population and hospital bed statistics to provide information about the range of hospital admissions
and total deaths. For example, a metropolitan area with over 4 million people could expect to
have nearly 14,000 hospital admissions over an eight-week timeframe, with over 2,500 deaths
due to influenza. Calculations can be made using a range of factors, from number of people
and hospital beds as well as the expected duration (6, 8 or 12 weeks) to the attack rate
(15%, 25%, 35%). To work with this software, go to http://www.cdc.gov/flu/tools/flusurge/.
2. Employee fear of contracting pandemic flu at work: In addition to staying home due
to illness or the need to care for ill family members, employees in all lines of work may
fear coming into contact with their co-workers and contracting the virus. This fear may be
particularly great among healthcare personnel who know they will come into contact with
many infected people. This scenario is exacerbated by the fact that sufficient vaccines and
antivirals are unlikely to be available, even to healthcare workers, during the early waves
of a pandemic. This environment of high absenteeism in the face of surging demand threatens
to impact quality of care materially.
3. Supply chain interruptions: The impact on the overall workforce will also mean interruptions in the supply chain, creating shortages of critical equipment and drugs and reducing
efficacy of care. As people throughout the world become sick, all businesses will be affected,
resulting in interruptions to critical healthcare supply chains from laundry services to pharmaceutical supplies to food service.
4. Difficulty in maintaining infection control: Influenza strains that cause pandemics are, by
nature, extremely infectious. Such infectivity is compounded by the fact that humans have
little immunity to new flu strains. Failure to control infection during a pandemic may lead
to unnecessary threats to human health and even claims of professional liability. Healthcare
facilities may need to review and revise infection control strategies to control the spread of
disease effectively during a pandemic.
5. Effect on benefit plans: As noted above, even a mild pandemic will produce a large increase
in the frequency of illness and subsequent demand for medical care. Such an increase will
impact employer-sponsored healthcare plans. Healthcare workers may also claim workers'
compensation benefits if they suspect that they have been infected at work. The financial
impact of pandemic on benefit plans must be carefully considered, particularly if the healthcare facility participates in self-insurance or alternative risk strategies.
In order to consider the financial and legal ramifications of pandemic on the healthcare facility,
one must consider the facility's duty to and relationships with its patients, workforce, community, and
suppliers and how these covenants may change in the event of pandemic. The purpose of this chapter
is to begin to explore these relationships and to raise issues to be considered by healthcare facilities as
they consider material risks to the healthcare enterprise.

9.2 Duty to Patients

9.2.1 Providing a Safe Environment

The primary mission of the healthcare facility is to provide safe and constructive care to its patients.
Not only is this an ethical duty, but a legal requirement, as well. For example, state and federal government regulations require hospitals to provide a safe environment.3 The infectiousness of pandemic,
however, threatens the very safety of the hospital environment. The healthcare facility must make
every effort to mitigate this risk and, for this reason, an infection control program that consciously
addresses pandemic must be in place.
Because influenza is primarily spread through human-to-human contact, the pandemic infection
control procedures should, first and foremost, address the provision of adequate numbers of disease-free
staff and/or volunteers. As mentioned above, healthcare workers will be in short supply and hospitals
will be pressured to reorient workers and stretch capacity however possible. For this reason, hospitals
need to understand which local, state, and federal agencies may have control in coordinating various
medical personnel during a pandemic and how this may affect a healthcare facility's workforce.
More traditional infection control procedures must also be revisited and refreshed, including:

promotion of respiratory etiquette and hand washing among patients, staff, and visitors;

provision of Personal Protective Equipment (PPE) and masks for patients, staff, and visitors;

appropriate disinfection of surfaces;

air filtration; and

disinfection of equipment.

3. See, e.g., Murillo v. Good Samaritan Hospital, 99 Cal. App. 3d 50, 56-57 (1999), imposing on hospitals a duty to provide a safe environment in which to diagnose and treat patients.

CDC and others have published guidelines for infection control in the event of a pandemic, and
healthcare institutions should be diligent about documenting any change in policy. Furthermore, to the
extent possible, patients entering the healthcare facility during a pandemic should understand the additional risk. To this end, care providers should consider whether current informed consent and release
provisions are adequate or require revision.
As healthcare facilities consider stretching their workforce through use of volunteers, retired health
professionals, and out-of-state health professionals, they must also consider the legal ramifications of
such strategies including: licensure requirements, provision of workers' compensation, professional
and general liability coverage, and proof of adequate training.
The use of volunteer services gives rise to several legal issues. Facilities should examine minimum
wage and overtime laws to determine whether they apply to volunteers. The Fair Labor Standards Act
defines volunteer rather broadly for purposes of wage and hour laws. A person who performs activities
without a promise or expectation of compensation for his or her personal pleasure falls outside the Fair
Labor Standards Act.4
State labor codes may, however, have a more narrow definition of volunteer for purposes of wage
and hour laws.5 In addition, healthcare facilities should analyze the applicable state workers' compensation laws to determine what coverage, if any, is extended to volunteers.
Another consideration is the possibility that volunteers will expose themselves to liability by
offering their services. The potential liability exposure may discourage volunteers. Hospitals should
strategize how best to limit the liability exposure of volunteers. To address this concern during
Hurricane Katrina, one commentator reports that medical personnel were appointed as temporary
uncompensated federal employees. They were thus classified as employees of the United States and
qualified for the protections of the Federal Tort Claims Act (28 U.S.C. § 2671 et seq.).6

4 Walling v. Portland Terminal Co., 330 U.S. 148, 152 (1947).
5 California law defines volunteer very narrowly. A person is a volunteer and not an employee subject to minimum
wage and overtime provisions only if he or she intends to donate his or her services to religious, charitable, or similar
nonprofit corporations without contemplation of pay and for public service, religious, or humanitarian objectives. (See
Division of Labor Standards Enforcement's 2002 Update of the DLSE's Enforcement Policies and Interpretations Manual
43.6.5-43.6.7 O.L. 1988-10.27.)
6 Public Health Emergency Legal Preparedness: Legal Practitioner Perspectives, Demetrios L. Kouzoukas, Journal of
Law, Medicine & Ethics.

Enterprise Risk Management for Healthcare Entities, First Edition

An Enterprise Risk: Pandemic Influenza

9.2.2 Isolation and Quarantine

States and counties may impose isolation and quarantine during a pandemic. Isolation refers to
the separation of persons who have a specific infectious illness from those who are healthy. Quarantine
refers to the separation and restriction of movement of persons who, while not yet ill, have been
exposed to an infectious agent and therefore may become infectious.
Many levels of government have basic authority to compel isolation of sick people to protect the
public. States and local jurisdictions have primary responsibility for isolation and quarantine within
their borders, whereas the federal government has responsibility for preventing the introduction of
communicable diseases from foreign countries. A state's authority to compel isolation and quarantine
within its borders is derived from its inherent police power. As a result of this authority, individual
states are responsible for isolation and quarantine practices within their state.
State and local regulations vary significantly and, whereas some states have codified new and
detailed provisions, others rely on old statutes that may be very broad in scope.7 Furthermore, in
some jurisdictions, state law governs the local public health departments whereas elsewhere, local
authorities may have greater responsibility. States may also look to the Model State Emergency Health
Powers Act for guidance.8 This Act is described in greater detail below. Many states have incorporated
various provisions of the Act.9
In addition to understanding the direct impact of isolation and quarantine on their own facility,
healthcare facilities should understand the laws of quarantine across state, tribal and country
borders and how quarantine may restrict trade and travel in their region, and how this may
affect the supply of critical staff and supplies. Furthermore, facilities should consider the fact
that they may be deemed isolation and/or quarantine facilities with legally restricted ingress
and egress, and prepare accordingly.
9.2.3 Security Considerations

The security of the facility and access to patients and supplies should also be revisited. In the
event that they are not deemed quarantine facilities, policies should be developed to govern visitor
access in the event of a pandemic and such policies should consider the treatment of anxious family
members and loved ones, with respect to the law. Healthcare facilities should give careful consideration to access requirements for parents of sick children, as well as dealing with practical scenarios,
e.g., how to handle children whose single parent and sole caregiver is under hospital care.
Healthcare facilities are likely to receive, house, and distribute items such as vaccines and antivirals.
Vaccine is unlikely to be available at all in the early days of a pandemic, and it is estimated that
antivirals will be in short supply. Because such items will be in high demand, it is critical to establish
a hierarchy of eligibility in advance of a pandemic event. Such criteria should first consider healthcare
staff, volunteers, first responders, and patients. Because supplies are likely to become more available
during the course of the pandemic, processes should be constructed that allow for adjustments in the
priority list.

7 See http://www.healthyamericans.org/reports/bioterror04/Quarantine.pdf for a summary of state quarantine and isolation laws.
8 See http://www.publichealthlaw.net/MSEHPA/MSEHPA2.pdf.
9 For a summary of state activity, see the MSEHPA State Legislative Activity Table at http://www.publichealthlaw.net/MSEHPA/MSEHPA%20Leg%20Activity.pdf and the MSEHPA State Legislative Surveillance Table at
http://www.publichealthlaw.net/MSEHPA/MSEHPA%20Surveillance.pdf.

However, beyond this, facilities should also bear in mind that they may have a role administering vaccine/antivirals to the community. In preparation for such a role, facilities should be concerned
about how and with whom they will communicate at the federal, state, and local level to fulfill this
role. Providers should determine whether the vaccine is mandatory. The Public Health Service Act
includes broad language that may permit the Secretary of Health and Human Services to require mandatory vaccinations. That act permits the Secretary to "make and enforce such regulations as in his
judgment are necessary to prevent the introduction, transmission, or spread of communicable diseases
from foreign countries into the States or possessions, or from one State or possession into any other
State or possession."10
Many states have legislation requiring mandatory vaccinations of school-aged children. In addition, some states provide for mandatory vaccination in the event of a public health emergency or
outbreak of a communicable disease.11 States often provide exemptions to the mandatory vaccine laws
for religious, philosophical, or medical reasons. Care providers should familiarize themselves with the
applicable laws. In addition, facilities should consider whether the vaccine may be administered by
non-licensed volunteers and whether providers or volunteers are liable for any problems arising from
the administration of vaccines.
Pandemic will undoubtedly cause much fear and uncertainty in the community, and such sentiments may generate public disorder. Because healthcare facilities will house and potentially restrict
access to both ill loved ones and precious medical supplies, they may find themselves at the center of
the chaos and even targets of violence. For these reasons, facilities need to understand that a plan for
maintaining public order is required, and should be familiar with protocols for requesting assistance
from local, state, and federal governments and the National Guard. A plan for secure storage for vaccines and antivirals should also be established as should a protocol for securing needed supplies from
state and federal government.
9.2.3 Ethical Considerations

As implied above, some communities have begun difficult ethical discussions about the priority
of care provision during a pandemic. In addition to concern about who should have access to early
doses of vaccine and antivirals, much of this discussion has been focused around the hierarchy of
eligibility for ventilator care. Certain groups (including the very elderly and the chronically ill) have
been deemed by some communities to be lower priority for ventilator care in times of shortage. See,
for example, Allocation of Ventilators in an Influenza Pandemic by the New York State Department of
Health and Task Force on Life & the Law.12

10 42 U.S.C. 264.
11 CRS Report for Congress, Mandatory Vaccinations: Precedent and Current Laws, Angie A. Welborn, updated January 18, 2005, Order Code RS21414.

An effective system for triaging patients during a pandemic (e.g., severe illness treated in hospitals; milder illness in less equipped facilities) is practical and necessary but also gives rise to legal
concerns, including claims of discrimination and possible wrongful death actions. Hospitals should
endeavor to mitigate the effects of possible claims by developing and implementing a triage plan for
access to ventilator services. Priority for treatment should be determined only on the basis of clinical
need. The plan should include clear criteria for making triage determinations and guidelines for implementation. Allocation of an insufficient supply of ventilators is likely to cause death in patients who
would otherwise survive if given access to a ventilator. For that reason it is suggested that a neutral
third party healthcare professional direct the triage process rather than those medical professionals
tasked with care of the patients who require the use of a ventilator.13 The triage policy should ensure
fair allocation of the limited resource and access based on objective clinical factors.
9.2.4 Discharge

In an environment of scarce beds, facilities will be compelled to discharge patients as soon as
possible. Discharging patients too soon (e.g., while still infectious) could result in additional disease
in the community, potentially resulting in liability for the hospital. Discharge policies must address
when it is safe to release pandemic patients considering that different types of people may be infectious for different periods of time (e.g., children may be infectious for longer periods). Such policies
must also identify the locations to which the hospital will discharge a patient (e.g., if patient is still
ill, are there others at home to care for him/her; when is step-down care appropriate, etc.). Even in a
mild pandemic, there will be excess mortality, which prompts considerations regarding disposition of
remains. During the 1918 flu, more than 12,000 people died within a single month in Philadelphia.
Improper storage and burial added another layer of public health and infection concern to an already
daunting situation. Disposition of remains may be exacerbated in hospitals if survivors fear claiming
deceased flu victims.
9.3 Duty to Workforce

As always, the facility must ensure that its own employees are protected from infection to the
maximum extent possible. The Occupational Safety and Health Act (OSHA) requires employers
to provide a safe workplace free of hazards likely to cause death or serious physical harm to their
employees.14 OSHA permits the Secretary of Labor to impose temporary emergency standards if he
or she determines employees may be exposed to grave danger from physically harmful agents or new
hazards.15

12 http://www.health.state.ny.us/diseases/communicable/influenza/pandemic/ventilators/docs/ventilator_guidance.pdf.
The Pandemic Ventilator Project, whose goal is to attempt to construct a ventilator design for use in a flu pandemic that
can be made from readily available materials at the last minute, also maintains a website which discusses the moral and
ethical dilemmas of limited ventilator access. See http://www.penvent.blogspot.com.
13 Ethical and Legal Considerations in Mitigating Pandemic Disease: Workshop Summary, Stanley M. Lemon, Margaret
A. Hamburg, P. Frederick Sparling, Eileen R. Choffnes, and Alison Mack, 2007.
14 29 U.S.C. 654.

Facilities may wish to consult OSHA's guide on pandemic preparedness.16 OSHA anticipates
employers will develop and implement pandemic plans that minimize the risk of infection to employees, provide employees with PPE, limit employee contact with infected persons, make sick leave
available to infected employees, and educate and train employees about protective clothing and equipment and alternate duties which they may be asked to assume. OSHA also recommends reducing
contact among employees by permitting people to work from home, when possible, and using email
or video rather than face-to-face meetings.
If vaccines and/or antivirals are available, critical healthcare personnel should receive priority
access. In the absence of such effective medical prophylaxis, hospitals may be forced to employ more
practical (and less reliable) methods to protect staff from infection. Such mechanisms could include
using as few personnel as possible to care for flu patients by using cohort units to isolate pandemic
patients and using (to the extent possible) staff who have recovered or who are sick with the flu but
well enough to work. Whatever strategy the facility decides to pursue, it should conduct an analysis of
state labor code statutes to ensure that it will satisfy the minimum workplace safety requirements.17
Policies should also be developed that provide guidance to managers about what to do when an
employee appears sick. Healthcare facility managers should decide if and when an employee who
appears sick should be denied work within the healthcare facility and how this will affect compensation and terms of employment for various classes of employees (e.g., salaried, hourly, contract,
union). In addition to crafting such guidelines for employees, hospitals should also consider how
and when physicians who appear sick will be denied work in the hospital. Guidelines should include
referral criteria for apparently sick employees that provide instructions on where such individuals will
be referred, including criteria for admission, home care, or outside referral. Lastly, facilities should
consider procedures for rudimentary contact tracing if an infected employee is known to have been at
work while infectious.
Regardless of effective infection control within the healthcare facility, absenteeism will be high
due to disease, fear, and other care-giving obligations. Facility leadership must determine how they will
compensate various staff members for different types of absence during a pandemic. For example:

- If a full-time staff member stays home from work because he/she fears becoming infected, will his/her salary be continued?
- If an employee is compelled to work (in order to guarantee salary continuance) and becomes infected, what are the legal ramifications?
- What is the policy towards salary continuance for hourly staff?
- If salary continuance policy towards exempt and hourly employees differs, will this be considered discrimination?
- How will overtime be paid? Does the facility have adequate reserves to meet estimated overtime requirements?18
- If employees are asked to shelter-in-place at the facility for several days or weeks, how will they be compensated for this additional service?
- Are compensation policies in compliance with the Fair Labor Standards Act19 and any applicable state labor codes relating to compensation/meal and rest periods?20

15 29 U.S.C. 655(c).
16 Guidance on Preparing Workplaces for an Influenza Pandemic, OSHA Publication No. 3327-02N 2007,
http://www.osha.gov/Publications/influenza_pandemic.html.
17 Hospitals in California, for example, should consult the California Division of Occupational Safety and Health, which
promulgates additional regulations in addition to OSHA. See 8 Cal. Code of Regs., Chapter 3.2.

In the case of employees who do become ill, the hospital must consider how sick leave, vacation,
disability, and workers' compensation will respond. Considerations might include prioritizing sick
leave, disability, and vacation leave and determining how disability will be triggered. In determining
those circumstances in which sick leave will be paid, hospitals should create a policy that encourages
infected and potentially infected employees to stay home so as to reduce the possibility they may
infect other employees. Facilities should also consult with their disability insurers to discuss whether
the insurer would require proof of illness as a trigger for disability payments and if such proof is likely
to be available during a pandemic.
An analysis of vacation and sick leave should include examination of the Family Medical Leave
Act (FMLA)21 and any applicable state leave acts.22 FMLA permits employers to require the use of
paid leave (i.e., vacation and sick leave) in lieu of FMLA leave.23 State leave statutes should be examined to determine if they provide greater protections than FMLA.
In a healthcare environment, some employees are likely to contract flu in the workplace. For this
reason, employers must consider how workers' compensation coverage will respond. Questions to
ponder include:
- Does your institution's workers' compensation cover pandemic flu?
- If the institution is self-insured for any portion of its professional, general, or workers' compensation programs, are its reserves adequate?
- When will coverage be triggered?
- Will exposure be considered a workplace injury covered by workers' compensation?
- Should the physician panel be suspended/expanded?
- Are there reasonable accommodation requirements for return to the workplace after a pandemic exposure?
- Is there adequate coverage for psychiatric claims that may arise due to stress of working in the pandemic environment?24
- Will exhaustion from overwork be considered a compensable workplace injury?

18 State overtime laws vary widely. Some states provide exemptions to overtime regulations for healthcare emergencies.
See, e.g., 8 Cal. Code of Regs. 11040.
19 29 U.S.C. 206 and 207.
20 Hospitals should pay particular attention to their state's labor code provisions regarding meal and rest periods. Failure
to provide adequate meal and rest periods may lead to extensive penalties. See, e.g., California Labor Code 226.7 and
512 and 8 Cal. Code of Regs. 11040 and 11051.
21 29 U.S.C. 2601.
22 California, for example, has adopted the Family Rights Act which permits an employee to take leave to care for a sick
family member. California Government Code 12945.2 and 2 Cal Code of Regs. 7297.5. See also California Labor Code
233.
23 29 U.S.C. 2612; 29 CFR 825.207.

A facility's workers' compensation exposure will be largely determined by the manner in which
the state interprets its workers' compensation laws. If the laws provide for a liberal application of the
remedy, as most do, it is quite likely that pandemic-related exposures will be covered by workers'
compensation. Furthermore, if a hospital is self-insured for any portion of workers' compensation,
professional, or general liability, it must consider whether its own reserves are adequate. One of the
key issues in this analysis will be the applicable statutes defining covered injuries (i.e., those defining
injuries that arise out of or in the course of employment).25
One should also pay special attention to the reasonable accommodation issue. Although FMLA
contains no reasonable accommodation requirement for an employee returning to work after FMLA
leave, the regulations caution that ADA may govern reasonable accommodation requirements.26 State
law may also affect the employer's obligation to make a reasonable accommodation. In California, the
Family Rights Act does not include a reasonable accommodation requirement, but the Fair Employment and Housing Act does.27
Finally, when is termination appropriate and legally acceptable? Are the employees subject to
employment contracts or collective bargaining agreements that limit the employer's ability to terminate? Are the employees subject to at will employment arrangements? How long must an employer
continue salary for an employee who repeatedly refuses to report to work but is not ill? What are
the legal ramifications of compelling an employee to report to work in an environment where
he/she is at high risk for contracting the flu? Do the applicable statutes require reinstatement of employees? Is an employee entitled to reinstatement to his or her former position? FMLA requires that an
employee returning from leave be returned to the same position the employee held when the leave
commenced or to an equivalent position with equivalent benefits, pay and other terms and conditions
of employment.28 State law may also contain reinstatement requirements.29

24 While causation is likely to be a question with respect to any psychiatric claims, these claims should be anticipated in
light of most states' liberal construction of workers' compensation laws.
25 The relevant provisions for California may be found at section 3600 of the California Labor Code. California requires
that the injury be proximately, although not exclusively, caused by employment. The employment need only contribute
to the injury to satisfy the proximate cause requirement. California Comp. & Fire Co. v. Workmen's Compensation
Appeals Board, 68 Cal. 2d 157 (1968). New York also applies a liberal construction in favor of the employee. New York
Workers' Compensation Law 2(7) and 10. Absent substantial contrary evidence, the injury will be presumed to have
occurred in the course of employment. Johannesen v. New York City Department of Housing Preservation and Development, 84 NY 2d 129 (1994).
26 29 CFR 825.214.
27 See California Gov. Code 12940 and Neisendorf v. Levi Strauss & Co., 14 Cal. App. 4th 509 (2006).
28 29 C.F.R 825.214.
29 See 2 Cal. Code of Regs. 7297.2, requiring employer guarantee to reinstate employee to same or comparable position
upon return from Family Rights Act leave. That regulation also sets forth certain defenses to the guarantee.

Relationships with labor unions should be re-examined in preparation for pandemic. Healthcare
facilities should consider how such an event might affect various provisions in collective bargaining
agreements, such as overtime stipulations, benefit specifications, and seniority (e.g., how will seniority be affected if a healthcare worker is absent from work for several weeks?). Facilities should also
determine whether they will be obligated to continue paying into union funds (vacation, retirement,
disability, etc.) during a pandemic.
It is important to consider the effects of a diminished workforce on the healthcare facility's ability
to comply with state and federal regulations and other legal obligations. Examples include nurse ratios,
HIPAA regulations, collective bargaining agreements, environmental issues and lease provisions that
could trigger a facility shut-down.
Illness rates are likely to vary between communities during a pandemic and, as a result, hospitals (particularly hospital systems) may need to redeploy staff and contract employees. As facilities
accommodate surging demand, they will likely utilize alternative and sometimes non-traditional care
facilities (e.g., dentist offices, high school gymnasiums, etc.). To prepare for such eventualities, hospitals should determine:
- whether there are policies in place that limit redeployment of employees;
- how redeployment may affect compensation (Will labor laws obligate hospital to pay for travel time? Do collective bargaining agreements or employment agreements provide for some type of hardship pay?);
- implications for licensing (e.g., if out-of-state professionals are used) and attendant implications for liability exposure;
- whether the hospital can compel staff to work at a different hospital and if this could be associated with different or increased liability;
- how this temporary arrangement is memorialized from a legal standpoint (Has the facility drafted a pandemic policy that permits it to temporarily reassign employees to work off site, to work an alternate schedule, or to receive a different pay rate? Will the facility ask employees to sign an acknowledgement of any temporary changes in their employment arrangement? If so, will these agreements preserve applicable at will employment status? To what position and on what terms must a hospital reinstate an employee working under a temporary arrangement if he or she took FMLA leave?).
Although it is unlikely, it is possible that some hospitals may be faced with temporary closure.
Healthcare facilities should understand federal and state notice provisions30 and consider what scenarios are sufficient to trigger such a shutdown and construct a shutdown game plan. Items to be
considered include: continuation of salary and benefits during a shutdown and, if so, for how long; and
availability of holidays, sick days, and vacation time for payment during such an event. Here again,
knowledge of the terms of any applicable collective bargaining and employment agreements and state
law is crucial. In addition, one should ensure the hospital has maintained adequate reserves to meet
this eventuality.

30 A shutdown may trigger the federal notice provisions set forth in the Worker Adjustment and Retraining Notification
(WARN) Act at 29 U.S.C. 2101 et seq.

9.4 Duty to the Community

Healthcare facilities, and hospitals in particular, will have an especially unique responsibility
to their communities in the case of a pandemic. They will be looked to not only for lifesaving care
but also for information, leadership, and guidance in a time of chaos. Therefore, it is incumbent on
hospitals to obtain comprehensive knowledge of the local, state, and federal (e.g., CDC) officials with
whom they will coordinate during a pandemic and create a plan for communication with these individuals and their alternates. In addition to assisting in coordinating planning care efforts with county
and state health departments and other hospitals, these government entities will likely control the
access and flow of, not only vaccine and antiviral resources, but also information about the evolving
characteristics and movement of the disease. For this reason, appropriate coordination is essential to
preserving maximum availability and continuity of care.
Facilities must also consider how they will communicate with their communities. Items to be
considered in advance of a pandemic include:
- designating a spokesperson for the media and public;
- key messages you would like the public to hear and understand;
- medium of communications;
- how priority groups for vaccine and antivirals will be explained; and
- how facilities will organize and communicate vaccination campaign efforts.
Many states are likely to look to the Model State Emergency Health Powers Act, which was drafted
in the wake of September 11. The Model Act provides broad authority for the state's governor to:
- declare a public health emergency;
- grant the public health authority the ability to exercise emergency powers with respect to the licensing and appointment of health personnel;
- authorize state and local officials to use and appropriate property for patient care;
- allow officials to destroy contaminated facilities or materials;
- empower officials to provide care, testing, and treatment;
- provide the public health authority with the ability to prioritize and ration healthcare supplies;
- mobilize organized militia into service of the state;
- grant emergency access to individual health information under specified circumstances;
- permit separation of affected individuals from the population at large (isolation and quarantine); and
- provide various immunities with respect to liability to the state itself and those assisting the state during a public health emergency.
Healthcare leaders should strive to understand this Act, specifically: what constitutes a public
health emergency, their obligations should the Act be adopted, and the impact it will have on their
facilities (e.g., ramifications of government appropriation of the hospital) and the civil rights of patients
and employees.
9.5 Other Key Relationships

This chapter addresses the duty of the healthcare facility to its various constituents in the case of
a pandemic. Other key relationships, such as those with suppliers, should also be taken into account.
Healthcare facilities should consider requesting pandemic preparation plans from key suppliers,
reviewing contracts to determine remedies for failure to supply (e.g., will pandemic be considered
force majeure?), and ensuring that the hospital is not dependent on sole-source provision for essential
products and services.
9.6 Conclusion

Although many enterprise risks are specific to an individual entity or geography, pandemic is a
material risk faced by all healthcare facilities. The severity of the event will be unprecedented and the
impact complex, as absenteeism disrupts all aspects of facility operations. Despite this extraordinary
level of hardship, the hospital will be obliged to provide the safest possible environment for patients
and staff. In addition, the facility has a special responsibility to provide information and leadership to
the public. These duties should be addressed by developing comprehensive pandemic plans that take
into account the facility's ethical and legal obligations to patients, workforce and community. Such
planning should also strive to protect the organizational well-being of the facility during a pandemic
by carefully considering the financial and legal ramifications of various courses of action.

Compendium of Pandemic Policy Resources

Safety of Facility
- Murillo v. Good Samaritan Hospital, 99 Cal. App. 3d 50, 56-57 (1999)

Volunteers
- Walling v. Portland Terminal Co., 330 U.S. 148, 152 (1947)
- Division of Labor Standards Enforcement's 2002 Update of the DLSE's Enforcement Policies and Interpretations Manual 43.6.5-43.6.7 O.L. 1988-10.27

Isolation and Quarantine
- Public Health Emergency Legal Preparedness: Legal Practitioner Perspectives; Demetrios L. Kouzoukas, Journal of Law, Medicine & Ethics
- http://www.healthyamericans.org/reports/bioterror04/Quarantine.pdf
- http://www.publichealthlaw.net/MSEHPA/MSEHPA2.pdf
- MSEHPA State Legislative Activity Table: http://www.publichealthlaw.net/MSEHPA/MSEHPA%20Leg%20Activity.pdf
- MSEHPA State Legislative Surveillance Table: http://www.publichealthlaw.net/MSEHPA/MSEHPA%20Surveillance.pdf

Mandatory Vaccination
- 42 U.S.C. 264
- CRS Report for Congress, Mandatory Vaccinations: Precedent and Current Laws, Angie A. Welborn, Updated January 18, 2005, Order Code RS21414

Resource Allocation
- http://www.health.state.ny.us/diseases/communicable/influenza/pandemic/ventilators/docs/ventilator_guidance.pdf
- Ethical and Legal Considerations in Mitigating Pandemic Disease: Workshop Summary, Stanley M. Lemon, Margaret A. Hamburg, P. Frederick Sparling, Eileen R. Choffnes, and Alison Mack, 2007

Employee Safety
- 29 U.S.C. 654
- 29 U.S.C. 655(c)
- 8 Cal. Code of Regs. Chapter 3.2

Compensation, Meal, and Rest Periods
- 8 Cal. Code of Regs. 11040
- 29 U.S.C. 206 and 207
- California Labor Code 226.7 and 512
- 8 Cal. Code of Regs. 11040 and 11051

Leave
- 29 U.S.C. 2601
- California Government Code 12945.2
- 2 Cal Code of Regs. 7297.5
- California Labor Code 233

Workers' Compensation
- 29 U.S.C. 2612
- 29 CFR 825.207
- California Comp. & Fire Co. v. Workmen's Compensation Appeals Board, 68 Cal. 2d 157 (1968)

Accommodation
- New York Workers' Compensation Law 2(7) and 10
- Johannesen v. New York City Department of Housing Preservation and Development, 84 NY 2d 129 (1994)

Reinstatement
- 29 CFR 825.214
- California Gov. Code 12940
- Neisendorf v. Levi Strauss & Co., 14 Cal. App. 4th 509 (2006)
- 29 C.F.R 825.214
- 2 Cal. Code of Regs. 7297.2

Facility Closure
- Worker Adjustment and Retraining Notification (WARN) Act at 29 U.S.C. 2101 et seq.

10 Environmental Compliance in the Context of ERM
Nicola A. Nelson, Esq.
Richard S. Porter, Esq.
Hinshaw & Culbertson LLP
10.1

Introduction

The United States Environmental Protection Agency (EPA or the Agency) rigorously applies
environmental statutes and regulations to healthcare facilities, and history has shown that the Agency
does not hesitate to impose stiff penalties for violations of its regulatory requirements. Environmental
contaminants associated with healthcare facilities include mercury, dioxin, and other persistent, bioaccumulative toxics (PBTs). In addition, hospitals are recognized as generating hazardous wastes such
as antineoplastic chemicals, solvents, formaldehyde, photographic chemicals, radionuclides, waste
anesthetic gases, and chemotherapy agents, as well as more common waste materials such as batteries,
light bulbs, and pesticides.
In response to Agency concerns about the environmental risks associated with healthcare facilities, EPA Region 2 launched a compliance initiative in 2002 that targeted facilities in New York, New
Jersey, Puerto Rico, and the Virgin Islands. That initiative offered incentives for self-auditing and
disclosure and warned of the Agency's intent to step up healthcare facility enforcement actions. This
well-publicized decision to target healthcare facilities delivers an unmistakable warning: environmental compliance is a vital component of an organization's enterprise risk management strategy.
Organizations must, therefore, be proactive in developing and updating their environmental compliance programs, and must be prepared for the possibility of an environmental inspection at any time.
To effectively manage risk in the context of the ever-changing, ever-expanding web of environmental
laws and regulations, organizations must arm themselves with detailed knowledge, enlisting the aid
of environmental law professionals to formulate policies and protocols that address the organization's
legal duties and areas of vulnerability.
It is vital for the organization to recognize that environmental considerations must not be compartmentalized and relegated solely to the development of policies dealing with the discharge of wastes
and refuse. Rather, a responsible organization will recognize that environmental considerations play a
role in almost every aspect of an organization's operations. Contract review, for example, should routinely include an evaluation of potential environmental risk. Such risk is not limited solely to contracts
relating to the disposal or handling of wastes. Rather, environmental risk comes into play in a variety
of contracts, including those relating to an organization's role as landlord or as a buyer or seller of
real estate. The responsible organization will therefore limit its liability by ensuring that appropriate,
protective contract provisions are included in its contracts.
Additionally, environmental risk management necessitates the consideration of liabilities arising
in the context of an organization's affiliate facilities, such as medical office buildings, clinics, physician practices, and freestanding outpatient units, with whom coordinated environmental policies and
protocols should be implemented. Similarly, purchasing decisions should incorporate the knowledge
that when choosing among different items (whether those items are cleaning supplies, medical equipment, lighting, or building materials), the cost of disposal, risk of injury, or potential for environmental
contamination is an inherent, hidden cost. In the event of unexpected spills, breakage, or accidental
destruction (e.g., fire), or simply the need to dispose of the product at the end of its useful life, that hidden cost has the potential to overshadow the purchase price. Clearly, then, responsible organizations
have a duty to take environmental risk management seriously and to formulate appropriate policies
and procedures, with the help of knowledgeable experts, that incorporate such policies and procedures
throughout their sphere of operations.
It is important to have at least a basic understanding of the framework of environmental regulation
in order to understand the organization's responsibilities and duties. Although federal environmental
laws and regulations are legion, among those with the greatest impact on healthcare facilities are: the
Clean Water Act (CWA); the Resource Conservation and Recovery Act (RCRA); the Emergency Planning and Community Right-to-Know Act (EPCRA); the Clean Air Act (CAA); the Toxic Substances
Control Act (TSCA); and the Federal Insecticide, Fungicide, and Rodenticide Act (FIFRA). While this
chapter briefly describes each of these laws in the context of healthcare facilities, the complexity of
modern environmental regulation makes it impossible to fully address all relevant environmental mandates and prohibitions in the space available here. The reader is therefore cautioned to remember that
this chapter provides only a brief overview of some of the most significant laws and regulations.1 To
manage its environmental risk, an organization should utilize environmental professionals to design
a comprehensive, integrated compliance program, often referred to as an environmental management
system (EMS). The basic components of a good EMS are described and discussed below, and because
compliance inspections of healthcare facilities are inevitable, this chapter also offers an overview of
the self-audit and inspection process, describing what can be expected when an Agency inspector
shows up at the door.

1 The Appendix to this chapter includes a chart describing the record-keeping requirements for many of the relevant
laws and regulations discussed in the chapter, as well as some regulations that commonly apply to healthcare facilities
but are not specifically addressed in the chapter. An excellent source for additional information regarding environmental
issues of concern to healthcare facilities is the website of the Healthcare Environmental Resource Center (HERC) at
http://www.hercenter.org. For those seeking a truly comprehensive and detailed guide to environmental compliance, the
EPA makes available its 155-page Profile of the Healthcare Industry compliance manual, geared specifically toward those
in the healthcare field, at http://epa.gov/compliance/resources/publications/assistance/sectors/notebooks/health.pdf.

10.2 Environmental Laws that Affect Healthcare Facilities

10.2.1 Clean Water Act (CWA)

The Clean Water Act (CWA) is designed to protect the nation's waters, which include both groundwater and navigable waterways.2 The CWA includes the national water quality standards program, a
permit program for the discharge and treatment of wastewater and stormwater, and a program designed
to prevent oil pollution.
The EPA defines water pollutants as any type of industrial, municipal, and agricultural waste discharged into water, including solid waste, incinerator residue, sewage, garbage, chemical wastes,
biological materials, radioactive materials, heat, wrecked or discarded equipment and industrial,
municipal, and agricultural waste.3 Under the CWA, pollutants are classified as one of three types:
(1) toxic (also known as priority), which includes dioxins, mercury, and ammonia; (2) conventional,
which includes biochemical oxygen demand (BOD) substances, total suspended solids (TSS), fecal
coliform, oil and grease, and pH; or (3) non-conventional, a catch-all category that includes any pollutant not identified as either conventional or priority.
Healthcare facilities may have a variety of wastewater sources, including sinks, drains, showers,
toilets, and tubs, as well as stormwater (which typically washes away dirt, debris, oil from parking lots,
pesticides, lawncare chemicals, and other pollutants). Unless a facility discharges wastewater directly
into a stream or river, it is categorized as an indirect discharger of wastewater. As an indirect discharger,
a facility is subject to all relevant wastewater regulations, including local sewer authority regulations,
and may be required to obtain an industrial user permit from the local municipal pretreatment program.
Municipal regulations usually prohibit the discharge of medical waste, and the CWA regulations prohibit
the discharge of fire or explosion hazards; corrosive discharges (with a pH of less than 5.0); discharge
of solid or viscous pollutants; heat discharge that would cause treatment plant influent to exceed 104
degrees F.; discharges that would create toxic gases, fumes, or vapors; and the discharge of other pollutants that could interfere with or pass through a treatment plant (for example, oil and grease).
A facility that uses or stores oil may be subject to the Spill Prevention Control Countermeasure
(SPCC) rule, and those with a total aboveground oil storage capacity of greater than 1,320 gallons,
or with a total underground storage capacity of greater than 42,000 gallons are subject to SPCC plan
requirements, which require the preparation and implementation of an SPCC plan to prevent the discharge of oil into navigable waters or adjoining shorelines.
In the context of the CWA, EPA inspectors are authorized to enter a facility to conduct an inspection to determine compliance. The most common areas of focus in a CWA compliance inspection are
wastewater discharges, stormwater discharges, and aboveground or underground storage containers.
Inspectors typically ask to review a facility's permit for indirect discharge to the local municipality,
its SPCC plans, its Phase II NPDES stormwater permits (for facilities in urban areas), and any NPDES
general permits for direct discharge into a water body.
2 EPA training materials concerning the CWA, as well as a link to the Act itself and the implementing regulations, are
available at http://www.epa.gov/watertrain/cwa.
3 USEPA NPDES website, http://cfpub.epa.gov/npdes/faqs.cfm (May 14, 2008).

The most common CWA violations at healthcare facilities include lack of a permit for wastewater
discharges, failure to be fully informed about local treatment plant sewer use regulations and prohibitions, inadequate secondary containment for storage tanks, improper disposal down floor drains, and
lack of a Spill Prevention, Control and Countermeasure Plan.
10.2.2 Resource Conservation and Recovery Act (RCRA)

The Resource Conservation and Recovery Act regulates facilities that generate, transport, treat,
store, or dispose of hazardous waste.4 Virtually all healthcare facilities are deemed hazardous waste
generators under RCRA; therefore, compliance with RCRA and its implementing regulations represents a major area of concern for healthcare facilities.
Hazardous waste is classified as either listed (i.e., specifically identified hazardous substances,
including, for example, solvents and insecticides) or characteristic. Characteristic substances are those
with properties that EPA has identified as hazardous to human health or the environment, including
the characteristics of: (1) ignitability (substances that are flammable under certain conditions); (2) corrosivity (those that corrode metals or have a very high or low pH); (3) reactivity (those that readily
explode); and (4) toxicity (those that are known to be harmful or fatal if ingested, and are known to
leach into ground water, such as arsenic, lead, or mercury).
The RCRA regulations categorize facilities as Large Quantity Generators (LQGs), Small Quantity
Generators (SQGs), or Conditionally Exempt Small Quantity Generators (CESQGs), based on the
amount of waste they generate per month and the amount of waste stored onsite. These categories
determine the applicable regulatory requirements.
An EPA inspection for RCRA compliance is usually extensive and can take up to a week to
complete. Inspections typically focus on universal waste storage areas,5 used oil storage areas, vehicle
maintenance facilities, battery storage areas, transfer terminals, secondary containment structures, dispenser pumps and check valves, leak detection equipment, alarms, sight gauges, fill ports, catchment
basins, and cleanup equipment. Other areas that will be inspected include the facility's laboratories,
pharmacy, and morgue.
An inspector will also review all required records relating to mandatory notifications of hazardous waste activity, hazardous waste manifests, manifest exception reports, biennial reports, inspection
logs, employee training documentation, the hazardous substance spill control and contingency plan,
material safety data sheets, spill records, the Spill Prevention Control and Countermeasure Plan, emergency plan documents, the placarding of hazardous waste and hazardous materials, permits, if any,
waste analysis plans, universal waste transportation/shipping records, records concerning underground
storage tanks (USTs), and all relevant permits.
The most common RCRA healthcare facility violations include a failure to comply with hazardous
waste generator regulations and related lack of documentation, failure to comply with UST regulations, incorrect or inadequate hazardous waste labeling, failure to have waste batteries or fluorescent
lamps stored and labeled in proper universal waste containers, inadequate compliance with required
weekly inspections of hazardous wastes storage/satellite areas, open containers of hazardous wastes,
failure to have hazardous waste determinations on file for all wastes, failure to have procedures in
place to ensure spent aerosol containers are empty before disposal as solid waste, malfunctioning leak
detection systems on USTs, disposal of hazardous wastes down a drain, improper management of
expired pharmaceuticals, lack of a contingency plan, inadequate training for employees in hazardous
waste management, and failure to ensure hazardous waste meets land disposal restrictions.

4 The EPA handbook on understanding hazardous wastes is available for download at http://www.epa.gov/region02/waste/public/sqg_pdf.pdf.
5 Universal waste includes batteries, pesticides, mercury-containing equipment, and lamps/bulbs. See 40 CFR Part 273.
10.2.3 Emergency Planning and Community Right-to-Know Act (EPCRA)

The Emergency Planning and Community Right to Know Act (EPCRA) is designed to promote
emergency planning and preparedness.6 It mandates emergency planning, the notification of state and
local government with respect to the presence of certain chemicals, and the reporting of hazardous
substance releases. Emergency planning requirements apply to any facility that has any chemical designated as extremely hazardous (for example, liquid oxygen) at or above its planning threshold quantity,
and require that such facilities notify the State Emergency Response Commissioner (SERC) and Local
Emergency Planning Committee (LEPC) within 60 days of receiving or producing an extremely hazardous substance. EPCRA also requires that such facilities provide the LEPC with a representative to
participate in the emergency planning process. Reportable releases of a hazardous substance require an
emergency notification and written follow-up notice. Annual inventory reports are mandatory.
Typical records reviewed by an inspector evaluating EPCRA compliance include the facility's
proof that required timely notifications were made for environmental releases of hazardous substances,
the facility's emergency response plan, MSDS information, and inventory reporting forms.
The most common EPCRA healthcare facility violations include a failure to report accidental
chemical releases and emissions data to local authorities, and the storage of chemicals (e.g., heating oil
and gasoline) onsite above threshold amounts.
10.2.4 Clean Air Act (CAA)

The Clean Air Act (CAA) is designed to protect and preserve air quality.7 In the context of healthcare facilities, the EPA is most concerned with a healthcare facility's air conditioning and refrigeration
systems, boilers, medical waste incinerators, and with the presence of asbestos. All are subject to
federal emissions, monitoring, and recordkeeping regulations, which are strictly enforced. Facilities
that are deemed a major source of hazardous air pollutants (HAP) (10 or more tons per year of a single
HAP or 25 tons per year of combined HAPs), must obtain a Title V operating permit. Application
for a permit typically requires submission of information concerning emissions, control devices, and
general processes at the facility. Such permits limit emissions, and require monitoring, recordkeeping,
and reporting.
6 Detailed information on EPCRA is available from the EPA at http://www.epa.gov/Compliance/civil/epcra.
7 Although the CAA is federal legislation and establishes federal standards, state and local regulations may also apply,
and enforcement of the CAA generally occurs at the state or local level. The CAA and accompanying regulations may be
viewed online at http://www.epa.gov/air/caa.

Additional CAA regulations govern refrigerants, and prohibit venting of refrigerant, impose
service requirements, and require equipment certification, leak repair, proper disposal, and recordkeeping.
The most common CAA healthcare facility violations include a failure to use properly trained and
accredited asbestos personnel, failure to notify EPA of asbestos removal projects and keep required
records, failure to properly dispose of asbestos debris, failure to maintain CFC leak rate records for
chillers and AC units, failure to have EPA certified technicians for CFC-containing air conditioning
and refrigeration systems, failure to get boilers permitted with the relevant state agency, and failure to
apply for a necessary Title V operating permit.
10.2.5 Toxic Substances Control Act (TSCA)

The Toxic Substances Control Act (TSCA) is designed to facilitate the collection of data to evaluate, mitigate, and control risks posed by the manufacture, processing, and use of chemicals.8 The TSCA
regulations most relevant to healthcare facilities are the lead hazard reduction regulations (relevant in
renovations that may involve pre-existing lead-based paint); hexavalent chromium regulations (relevant with respect to water treatment in cooling towers); and polychlorinated biphenyls (PCB) hazard
reduction regulations (relevant in renovations, particularly those involving pre-1979 materials and
equipment that may contain PCBs). Other important regulations are those governing the use and disposal of asbestos, including the Asbestos Hazard Emergency Response Act (AHERA), which requires
the development of management plans and specifies work practices and engineering controls for the
removal and handling of asbestos.
The most common TSCA healthcare facility violations include failure to properly address lead
paint in buildings and lack of knowledge of a lead hazard.
10.2.6 Federal Insecticide, Fungicide, and Rodenticide Act (FIFRA)

The Federal Insecticide, Fungicide, and Rodenticide Act (FIFRA) regulates the distribution, sale,
and use of pesticides, including insecticides, herbicides, fungicides, rodenticides, and antimicrobials.9
The Act mandates that virtually all pesticides sold in the United States be registered by the EPA. Registration includes the classification of pesticides as unclassified, general use, or restricted use. Those
with the potential for causing unreasonable adverse effects on the environment may only be applied
by, or under the direct supervision of, a certified applicator. It should be remembered that a facility's
sterilants, disinfectants, and sanitizers generally fall within the definition of antimicrobials, which are
regulated under FIFRA. The law mandates that labeling directions delineating the appropriate dilution,
specified contact times, and methods of application be followed.

8 A summary of TSCA rules and regulations can be viewed at http://www.epa.gov/lawsregs/laws/tsca.html. In addition,
the EPA maintains a TSCA Assistance Information Service, which answers questions and distributes guidance pertaining
to TSCA standards. The Service can be contacted via e-mail at tscahotline@epa.gov.
9 The EPA maintains a FIFRA compliance webpage at http://www.epa.gov/compliance/assistance/bystatute/fifra. In
addition to describing the scope of FIFRA, the webpage includes links to the Act itself, the regulations, and additional
resources. The EPA also maintains a webpage specifically devoted to antimicrobials at http://www.epa.gov/oppad001.

An inspection for compliance with FIFRA typically focuses on personal protection equipment,
pesticide application equipment, pesticide storage areas including storage containers, and cleaning
disinfectants and labels. Additionally, an inspector will review records of pesticides purchased, inventory records, pesticide application records, a description of the facility's pest control programs, the
certification status of pesticide applicators, pesticide disposal manifests, contract files, and the recent
ventilator rating for the facility's pesticide fume hood and pesticide mixing/storage areas.
EPA also regulates the disinfectants applied to surfaces (including both housekeeping and clinical
contact surfaces) in healthcare settings, and the regulations require users to follow label directions,
including safety precautions.
The most common FIFRA healthcare facility violations include misuse of a registered pesticide
product, use of an unregistered product, lack of proper records concerning pest control application
within the facility or on its grounds, and failure to report pesticide poisonings within the facility.
10.2.7 EPA's Integrated Data for Enforcement Analysis (IDEA)

The EPA compiles facility compliance data generated pursuant to the laws and regulations discussed above through the Integrated Data for Enforcement Analysis system (IDEA), which utilizes a
Master Source ID identification number to extract records and data from a variety of sources, to match
a facility's Air, Water, Waste, Toxics/Pesticides/EPCRA, and enforcement records, and generate a list
of permit, inspection, and enforcement activity, resulting in a master list of records.10
Because the federal government maintains and tracks facility data and does not hesitate to punish organizations that fail to report and maintain mandatory records, the need for an organization to
engage in meticulous record-keeping is paramount. Maintenance of well-organized records not only
allows an organization to easily track its own compliance, it also enables the entity to prove compliance should the Agency assert that mandated records or reports are missing or were never filed.
10.3 Environmental Audits

The EPA has a self-policing audit policy designed to facilitate the discovery, disclosure, correction, and prevention of environmental violations. The auditing process minimizes the need for EPA
investigation and enforcement actions, and offers the incentive of eliminating or drastically reducing the
penalties normally associated with violations.
The primary incentive of a healthcare facility's environmental compliance is that any self-discovered problem can be reported to the EPA without subjecting the facility to gravity-based penalties.
Gravity-based penalties are the portion of the penalty that is over and above the economic benefit of
noncompliance. In other words, gravity-based penalties are the punitive portion of the penalty.

10 The EPA's IDEA page allows users to query the IDEA database and obtain compliance monitoring, enforcement, and
demographic data online at http://www.epa.gov/compliance/data/systems/multimedia/idea.

In order for these gravity-based penalties to be completely eliminated, an environmental violation must be discovered as part of a formal audit policy, and each of the following conditions must be
met:
10.3.1 Systematic Discovery

The violation must be discovered through environmental auditing or implementation of a compliance management system.
10.3.2 Voluntary Discovery

The violation must not have been detected due to a legally required (rather than voluntary) monitoring, sampling, or auditing procedure.
10.3.3 Prompt Disclosure

The disclosure must be promptly made in writing to the EPA, generally within 21 days of discovery (or less if required by law). Disclosure becomes required when a facility, director, employee, or
agent has an objectively reasonable basis to believe the violation has or may have occurred.
10.3.4 Independent Discovery and Disclosure

The discovery of the violation must occur before the EPA or another regulator would likely have
identified it through its own investigation.
10.3.5 Correction and Remediation

The violation usually must be corrected within 60 days from the date of discovery (unless otherwise agreed to by the EPA).
10.3.6 Prevent Recurrence

The healthcare facility must take steps to ensure the violation will not recur.
10.3.7 Repeat Violations Ineligible

The healthcare facility must not have committed the same violation (or closely related violations)
within the past three years. If a healthcare institution owns several parcels of land or facilities, this
exclusion might be triggered even though the violations occur at different parcels or facilities. However, if a facility is newly acquired, the existence of a prior violation does not trigger this exclusion.
10.3.8 Certain Types of Violations are Ineligible

Violations resulting in serious actual harm, such as those that present imminent and substantial
danger to the public, and those that violate specific terms of an administrative order, judicial order, or
consent agreement, may not be eligible. While at first blush it might appear that this exception could
swallow the rule, in practice, the EPA has not attempted to use this exclusion to such a degree that it
would quell the incentive to perform a self-policing audit.
10.3.9 Cooperation

Finally, the healthcare facility disclosing the violation must cooperate with the EPA in investigating and remediating the environmental issue.
If a disclosing entity meets all of the above-referenced policy conditions except detection of the
violation through a systematic discovery process, then gravity-based penalties are reduced by 75%.
In other words, a complete reduction of gravity-based penalties is only available if the discovery was
part of an environmental audit or environmental management system. Likewise, the Agency will not
recommend criminal prosecution of a healthcare facility that has disclosed violations if all policy
conditions are met. However, for the organization to enjoy this benefit, the discovery of the violation
must have resulted from the adoption of an environmental management system or auditing process and
must have been discovered in good faith.
In general, the EPA will not request copies of audit reports, although it may request documentation
evidencing a facility's compliance with the management system. There is also a modified audit policy
that applies to small businesses with fewer than 100 employees, and that provides longer periods of
time within which to make disclosures.
10.3.10 Inspections

If an EPA inspector knocks on a facility's door, the organization must be prepared to deal with
that inspection to avoid substantial civil and even criminal penalties. Inspectors are authorized to
enter a facility to conduct an inspection to determine if a healthcare organization is complying with
all relevant environmental laws. The inspection usually involves an opening conference, a review of
records, interviews, a tour of the facility, and a closing conference. The inspection may also involve
taking samples of discharges, the copying of records, and the photographing of portions of the facility.
If violations are found, a written notification will be sent explaining the violations and Agency recommendations for correction.
The inspection will usually not be pre-arranged and will often be multi-faceted, relating to a
variety of environmental laws, including air, water, and waste. There may be one or more inspectors,
all of whom should be required to provide their name, identify their affiliation agency, and produce an
official, photographic identification card.
The opening conference may be a formal meeting, a brief discussion, or a plan for inspection. The
inspector may ask about facility operations, facility layout and processes, and management structure,
and will identify which records he or she will want to review. The environmental records (e.g., emissions data, hazardous and non-hazardous waste manifests, landfill receipts, clean air permits, NPDES
permits, etc.) should be organized and kept readily accessible. Inspectors will be looking for past
records of up to three to five years old. A chart depicting document retention requirements for healthcare facilities is included at the end of this chapter. It is likely that inspectors will request copies of the
records they review, and the facility should keep a list of each record copied by inspectors. Inspectors
will inquire about facility processes, waste generation, air emissions, permit requirements, infectious
medical waste treatments, and mishaps during the interview process. If an inspector collects samples,
the facility should request duplicates or split samples and generally must provide its own containers
and analytical services. As to photographs, if there are any proprietary processes at the facility (not
usually a concern in the healthcare industry), a request may be made that photographs not be taken, or
that they be kept confidential. Physician-patient and mental health privileges must always be protected.
At the closing session, the inspector should be asked to provide his or her general observations, and to
identify any problems observed. He or she may request additional information at that time as well.
To prepare for a possible inspection, a facility should designate the person or persons who will take
the lead in responding to the questions of inspectors, provide the necessary records, and accompany the
inspectors during their time at the facility. If a facility has developed an environmental management
system, its manager is usually the best candidate. That individual should have a designated backup
in case he or she is absent on the day of the surprise inspection. Facilities should implement a policy
requiring staff to contact the appropriate personnel, including the facility's environmental attorneys,
if a surprise inspection occurs.
Part of the inspection policy should include a requirement that important environmental records
be kept in an accessible location. Facilities that engage in environmental audits or that have implemented an environmental management system will generally have a procedure in place that requires
the compilation and maintenance of organized records. Facilities should also keep a camera, preferably
digital, readily accessible to document the areas inspected. When communicating with the inspector, only necessary personnel should be present. During the pre-inspection conference, the inspector
should be asked why the inspection is taking place and whether there have been any complaints. At
the pre-inspection meeting, the environmental system manager should request that a closing conference be held at the end of the inspection to discuss the findings. Any and all questions and answers of
the inspector should be noted or recorded. Laying this groundwork increases the chance that a facility
will be given early notice of perceived deficits and perhaps an opportunity to explain or correct such
deficits and thereby avoid notices of violation.
10.3.10.1 Warrantless Inspections
If an inspection occurs without a warrant, the inspector should be followed at all times. If he or
she has any conversations with employees, take notes identifying the interviewee and the content of
the conversation. If documents are produced, be certain to keep a separate copy of every document
taken by the inspector. Personnel being interviewed by the inspector should be directed not to guess or
to assume the answer to an interview question. Rather, if the answer is unknown, the inspector should
be told that the interviewee does not know the answer at this time but will get back to the inspector on
that issue. Although it is a natural human reaction to try to paint the facility in the best light, if information proves to be false it could lead to civil or even criminal penalties for impeding the inspection.
The inspection report should not be signed by anyone unauthorized to do so. Again, at the closing
conference, questions should be asked as to what was found, whether any problems were identified,
and what the process will be going forward from this point.
10.3.10.2 Search Warrant Inspections
If the inspection is done with a search warrant, attorneys should be called immediately to review
the warrant and determine the scope of the search because the search is limited to the scope of the
warrant. An inspector should not be resisted or interfered with in any way; however, copies of what is
seized should be requested and, at a minimum, an inventory provided. Employees should be informed
that they have a right to speak with, or not to speak with, inspectors, and only authorized personnel should be made readily accessible to the inspectors. In addition to reviewing the warrant itself,
the affidavit supporting the warrant should be requested in order to determine what prompted the
investigation.
The question of whether to insist on a warrant is a discretionary matter that should be discussed
with the facility's attorney. Someone should be available onsite to make a determination as to the facility's degree of compliance so that an appropriate decision can be made as to whether a warrant should
be demanded. Far greater cooperation can be expected from the EPA if a warrant is not demanded,
particularly if it is truly a routine inspection.
10.4 The Significance for In-House Counsel, the Governing Board, and Executive Leadership

A responsible healthcare organization must take appropriate steps to manage the risks associated
with environmental non-compliance. A failure to properly manage environmental concerns may lead
to contamination of land, air, or water; personal injury; civil or criminal penalties or proceedings; private lawsuits; and/or bad publicity. Clearly, the affected stakeholders include not only those within the
organization itself, but also those in the surrounding community, governmental agencies and entities,
and the natural environment. The potential risks may be quantifiable in the form of fines, penalties,
or loss of market share, or they may be non-quantifiable, such as hard-to-remediate environmental
degradation, physical injury to people or wildlife, or simply a loss of reputation or standing in the
community.
To manage these risks, healthcare organizations should focus their attention on regulatory compliance (i.e., loss prevention), since strict compliance not only minimizes the possibility that the
organization will be assessed fines or other penalties, it also generally provides a degree of assurance
that the organization will not create or contribute to environmental degradation. Due to the complexity
of environmental laws and regulations, which include state and local rules in addition to the federal
rules discussed in this chapter, in-house counsel and other members of the organization's leadership
team must commit to the creation and adoption of a systematic environmental plan so that nothing is
left to chance.

10.5 The Key to Success: Environmental Management Systems (EMS)

To manage the risk associated with potential environmental contamination and regulatory noncompliance, a healthcare organization should utilize the expertise of environmental professionals to
conduct an assessment of the organization's legal duties and responsibilities, as well as its areas of
vulnerability, and to develop a comprehensive system of protocols to ensure compliance and thereby
minimize risk. Such an assessment can then be used to develop an Environmental Management System
(EMS), which will identify and rank the organization's institutional objectives and most significant
environmental issues, and formulate a system to utilize records to track compliance, identify problems, and implement solutions. Although the EPA maintains a webpage with a how-to guide and
links for information that can be useful in developing an EMS,11 creation of an EMS without professional assistance can engender a false sense of security, and the notion of a do-it-yourself plan should
be viewed with great skepticism by an organization committed to the responsible management of risk.
Nevertheless, it is important for those responsible for managing an organization's environmental risk
to understand and recognize the components of a well-designed plan.
As the Environmental Protection Act explains, an EMS plan should be based on what it terms the
Plan, Do, Check, Act model. The Plan aspect of the model is self-explanatory, denoting the planning
phase in which an organization identifies its environmental responsibilities and vulnerabilities, and formulates its goals. The Do aspect of the EMS model involves implementation of the goals identified in the
planning stage. The model's Check component refers to ongoing monitoring and corrective action, and
the Act component acknowledges the need to continually review, modify, and update the EMS plan.
The foundation of a good EMS plan will rest upon the development of a matrix of environmental
legal requirements, incorporating those imposed by the CAA, CWA, RCRA, EPCRA, FIFRA, and
TSCA, as well as any relevant state or local laws and regulations. An EMS plan should also incorporate the organization's aspirational goals, such as increasing recycling and reducing waste. The matrix
should be updated regularly and should include a written procedure that describes the method that will
be used to stay current on changing regulations, the method to be used for measuring institutional performance against the matrix, and the procedures to be used for tracking problems with non-compliance
to ensure proper follow-up. It should create mandatory checklists that must be completed, and should
specify that the plan is to be audited annually, at which time the auditor(s) will assess whether problems that have been identified were corrected in a timely fashion.
An EMS plan's written procedures should require the reporting of violations when mandated by
law and should create a list of performance-based objectives, such as maintaining compliance with
all applicable environmental regulations and submitting all necessary paperwork on time. It should
require the continual updating of objectives and targets and should specify a procedure for communicating updates to staff. It should require the development of written emergency response procedures
that are to be tested annually and updated where accidents reveal a problem with existing procedures.
As previously noted, record-keeping is the key element in an effective environmental compliance
program; therefore, it is important that here, too, records of all tests conducted, and any changes implemented, be carefully maintained.
11 http://www.epa.gov/ems/info/index.htm.


Finally, an effective EMS plan should mandate that all employees are trained in EMS awareness
and compliance, including periodic re-training to reinforce compliance. Newsletters, emails, and/or
bulletin boards may form a useful component of the ongoing training process. An EMS internal auditing team should be designated and trained, and an EMS manager should be appointed to oversee and
be responsible for the program's success, although reliance on a manager must be balanced, and accurate documentation must be maintained in an orderly fashion to preserve institutional memory so that
when existing staff, including the manager, leave, there is no loss in functional capacity. A properly
conceived and implemented EMS plan that is audited and updated annually is the lynchpin to managing environmental risks.
The following checklist offers a helpful way to evaluate the effectiveness of the organization's
EMS plan. Ask whether the plan:

• identifies the organization's goals?

• articulates the organization's legal duties and responsibilities under federal, state, and local law?

• identifies areas of vulnerability (including a list of special vulnerabilities, including those associated with affiliate sites and facilities)?

• provides protocols to ensure environmental compliance, including:
    • written record-keeping procedures that identify those responsible for records maintenance?
    • the designation of individuals responsible for reporting incidents to authorities, and a requirement that every reportable incident be documented?
    • a mandatory follow-up system to track action after environmental incidents?
    • written emergency response procedures?
    • a procedure for tracking changes to relevant regulations?
    • a mandatory annual audit system?
    • a mandatory employee training system to ensure employees know and understand what is required, emphasizing the organization's zero-tolerance policy toward non-compliance?

A plan that meets these objectives, and has been developed with the help of a knowledgeable
environmental professional, offers a systematic way for an organization to evaluate and manage its
environmental risks and, as noted above, may provide an additional benefit by mitigating penalties if
regulators find a violation.

10.6 Commentary

• Environmental risks should be evaluated in the context of the entire organization, recognizing
the potential interplay with occupational risk, the risk that may arise from contracts with third
parties, and other exposures.

• Given the far-reaching implications of environmental impairment, environmental risk assessments should be part of the due diligence required in any acquisition or consolidation of
healthcare organizations.

• Underground storage tanks, aboveground storage tanks, asbestos removal, and removal of
hazardous waste (particularly via onsite medical waste incinerators) have presented the most
time-consuming issues from the healthcare enterprise risk management perspective. The
issues involve not only loss prevention and reduction but the possibility of handling the
exposures (risk financing) through environmental impairment liability insurance or through
contracting (risk transfer) with third parties (such as hazardous waste removal companies) to
assume the risk of exposure.

• Note that commercial general liability policies have excluded coverage for contamination
and pollution except when sudden and accidental. And, while there are some specialty lines
insurers who provide environmental impairment liability coverage (including clean-up costs),
the best approach to dealing with such exposures is to develop good loss prevention programs
(compliance programs) as outlined above.

10.7 Conclusion

Both regulatory non-compliance and environmental contamination can present grave risks to a
healthcare organization, and can give rise to repercussions that may include: the imposition of substantial fines; the creation of unsafe conditions for employees, patients, and the neighboring community;
the initiation of lawsuits; the generation of poor publicity; and loss of business.
As with most risks, the key to success lies in taking an aggressive, proactive approach, including
the periodic assessment of the organization's areas of vulnerability. Notwithstanding the complexity
of environmental regulation and the dangers of regulatory non-compliance, and the substantial risk
of environmental contamination that is inherent in the industry, a healthcare organization that establishes and implements detailed protocols, maintains a commitment to meticulous record-keeping, and
engages in an ongoing self-audit process can effectively manage its environmental risk.


Appendix
Recordkeeping Requirements for Many of the Relevant
Environmental Regulations Discussed In Chapter12

Regulation: 40 CFR 60.7
Subject matter: Air - New Source Performance Standards (NSPS)
Types of records: Records documenting: start-up, shutdown, or malfunction of pollution control equipment; periods when continuous monitoring systems or devices have been inoperative; performance testing measurements; continuous monitoring system performance evaluations and calibration checks; emissions records and reports; maintenance of equipment
Retention period: 2 years

Regulation: 40 CFR 70.6
Subject matter: Air - Title V permits
Types of records: Records required by the operating permit; records documenting date, location, and time of sampling or measurements and operating conditions at time of sampling; records identifying the entity performing the analysis, the method or analytical techniques used in performing the analysis, the date analysis was performed, and the results of the analysis.
Retention period: 5 years

12 Requirements can change over time, so practitioners are cautioned to periodically review the relevant regulations for changes.


Regulation: 40 CFR 82.166
Subject matter: Air - Ozone-depleting Class I and Class II Refrigerants
Types of records: As to appliances containing 50+ pounds of refrigerant: servicing records showing service dates, type of service performed and quantity of any refrigerants added. Owners that add their own refrigerant must keep dated records of refrigerant purchased and added. Certified technicians must keep copies of their certificates at their place of business
Retention period: 3 years

Regulation: 40 CFR 82.166
Subject matter: Air - Refrigerant leaks
Types of records: Records identifying rate of leak, method used to determine leak rate and measure refrigerant charge, date when leak was discovered, site of leak, and type of repair work performed. If repair is delayed for more than 30 days, records must show reason for delay and when repair will be completed. Follow-up testing records must show date and type of testing, plans for retrofitting/retirement, and date EPA was notified of retrofit/retirement plans.
Retention period: 3 years

Regulation: 29 CFR 1910.1001
Subject matter: Asbestos - Asbestos Containing Material (ACM)
Types of records: Records documenting presence, location and quantity of ACM
Retention period: For duration of ownership and transfer to subsequent owners


Regulation: 40 CFR 61.150
Subject matter: Asbestos - Waste disposal for demolition and renovations
Types of records: Shipment records concerning all asbestos-containing waste material transported off site, with records to include:
    Name, address, and telephone number of the waste generator
    Name and address of local, state or EPA Regional office responsible for administering the asbestos NESHAP program
    Approximate quantity in cubic yards
    Name and telephone number of the disposal site operator
    Name & physical location of the disposal site
    Date transported
    Name, address and phone of transporter
    Certification that contents being transported are fully and accurately described by proper shipping name and classified, packed, marked and labeled, and are in proper condition for transport by highway per international and governmental regulations.
Retention period: 2 years

Regulation: 40 CFR 262.20(e)
Subject matter: Hazardous Waste (Small Quantity Generators)
Types of records: Copies of reclamation agreements.
Retention period: 3 years after termination or expiration of the agreement


Regulation: 40 CFR 262.40(a); 40 CFR 262.44(a)
Subject matter: Hazardous Waste
Types of records: Manifests.
Retention period: 3 years from date waste was accepted by initial transporter

Regulation: 40 CFR 262.40(c); 40 CFR 262.44(a)
Subject matter: Hazardous Waste
Types of records: Records of test results, analyses, and other hazardous waste determinations.
Retention period: 3 years from date waste was sent to on-site or off-site treatment, storage, or disposal facility (TSDF)

Regulation: 40 CFR 262.44(b)
Subject matter: Hazardous Waste
Types of records: Exception reports.
Retention period: 3 years from the due date of the report

Regulation: 40 CFR 761.180
Subject matter: PCBs - Annual records/log
Types of records: Facilities that use or store PCBs: annual records and annual log of disposition of PCBs and PCB items, including all manifests generated or received by the facility; Certificates of Disposal received by the facility; inspection and cleanup records; annual logs that provide all information required under the regulations.
Retention period: 3 years after facility ceases using or storing PCBs

Regulation: 40 CFR 60.58c
Subject matter: Medical Waste - HMIWI
Types of records: Records for emission control equipment records that identify data gaps in the recording of emissions data or operating parameters, an explanation for the event, and steps taken to correct the problem. Must also identify dates, times, and duration of malfunctions, the type of corrective action taken, and dates when emissions or operating parameters exceeded relevant limits, as well as results of compliance testing (initial and annual). Training and qualification records also required.
Retention period: 5 years


Regulation: 40 CFR 171.11(c); 7 USC 110; 7 USC 136i-1
Subject matter: Pesticides - Certified RUP applicators
Types of records: RUP records identifying names and addresses of those for whom pesticides were applied; pests targeted; date, time and site of application; specific crop or commodity; brand name; EPA registration number; amount of pesticide applied; concentration of active ingredients; treatment area size; name and certification number of person applying or supervising the application; and detailed information concerning pesticide disposal (type, amount, method, and location of disposal).
Retention period: 2 years

Regulation: 40 CFR 372.10; 40 CFR 372.22; 40 CFR 372.25; 40 CFR 704.11
Subject matter: Toxic chemical release (Section 313 SARA Title III)
Types of records: Toxic chemical release forms and all supporting documentation (including exemptions, calculations, monitoring, testing, releases, receipts or manifests, estimates of treatment efficiencies, ranges of influent concentration to the treatment, the sequential nature of treatment steps, and actual operating data to support the treatment efficiency estimate for each toxic chemical).
Retention period: 3 years (5 years recommended, to match the statute of limitations for EPCRA)

Regulation: 40 CFR 280.34
Subject matter: USTs - General records
Types of records: Records of corrosion expert's analysis of site corrosion potential if no corrosion protection equipment is used; operation of corrosion protection equipment; UST system repairs, recent compliance with release detection requirements; and results of site investigation conducted at permanent closure
Retention period: Through closure of the UST and 3 years thereafter


Regulation: 40 CFR 280.45
Subject matter: USTs - Release detection
Types of records: Records documenting all written performance claims concerning release detection systems and justification or testing provided by manufacturer or installer; results of sampling, testing, or monitoring; reports of all calibration, maintenance, and repair of on-site release detection equipment; manufacturer's schedules of required calibration and maintenance.
Retention period: Performance claims: 5 years; Tests (other than tank tightness): 1 year; Tank tightness: retain until the next test is done; Maintenance: 1 year; Schedules: 5 years

Regulation: 40 CFR 280.74
Subject matter: USTs - Closure
Types of records: Closure compliance records must be maintained by owners and operators who took UST system out of service, or by current owners and operators of UST system site. May be mailed to implementing agency if records cannot be maintained at the closed facility.
Retention period: 3 years post-closure

Regulation: 40 CFR 280.111
Subject matter: USTs - Financial responsibility
Types of records: Evidence of financial assurance mechanisms used to demonstrate financial responsibility - to be maintained at UST site or operator's place of work.
Retention period: Until closure, or after corrective action is completed

Regulation: 29 CFR 1910.1200(g)
Subject matter: Hazard Communication Standard
Types of records: Material safety data sheets; inventory of hazardous chemicals; container product warning labels; written employee training policies.
Retention period: MSDS must be kept as long as the chemical is used at the location


Regulation: 29 CFR 1910.1020
Subject matter: Hazard Communication Standard - Employee exposure and monitoring records
Types of records: Records of employee exposure and monitoring, including medical surveillance information and efforts at exposure reduction. Employees have legal right of access to records, including after separation from employment.
Retention period: 30 years

Regulation: 40 CFR 112.3
Subject matter: Wastewater - Spill Prevention, Control, and Countermeasure
Types of records: SPCC Plan must be maintained at the facility if it is normally attended at least 8 hours per day - otherwise at the nearest field office.
Retention period: Throughout facility lifetime

Regulation: 40 CFR 112.7(e)
Subject matter: Wastewater - SPCC Plan
Types of records: Inspection and test records; facility-specific written procedures.
Retention period: 3 years

Regulation: 40 CFR 122.21
Subject matter: Wastewater - NPDES storm water and wastewater discharge permits
Types of records: Discharge monitoring reports (DMRs), sampling records, and records of all data used to complete permit applications.
Retention period: 3 years

Regulation: 40 CFR 122.21
Subject matter: Wastewater - NPDES storm water and wastewater discharge permits
Types of records: Sewage sludge use and disposal records.
Retention period: 5 years

Regulation: 40 CFR 403.12(o)(3)
Subject matter: Wastewater - POTWs
Types of records: Reports submitted to the POTW.
Retention period: 3 years

Part IV
Human Capital

Minimizing Risk in the Employment Relationship

11
Minimizing Risk in the Employment Relationship
Deborah Martin Norcross, Esq.
MartinNorcross LLC
11.1 Introduction

Not that long ago, there was little need for enterprise risk management professionals to be educated about, or involved in, the human resources function. Unhappy employees did not file many
claims. When they did file, their disputes typically were investigated under a few federal laws by
administrative agencies rather than in the courts. Jury trials were not available for the most part, and
large awards were rare.
That landscape has changed dramatically. New and expanded employee rights laws have proliferated on the federal, state, and local levels. Employment disputes have become common in both federal
and state courts, often requiring lengthy and expensive discovery and motion practice. Defense costs
often exceed $100,000 for even the most uncomplicated individual case. Jury trials are routine, and
recovery of substantial awards, including punitive damages, by successful plaintiff-employees is common. Accordingly, the enterprise risk management professional cannot afford to leave to others the
responsibility of managing the risks attendant to the employment relationship.
The following discussion will be a useful guide for healthcare attorneys to understanding how
organizations assess and deal with their employment liability risks from an enterprise risk management perspective.
11.2 Regulation of the Employment Relationship

A complete description of the laws governing the employment relationship is beyond the scope
of this discussion. Federal laws that apply to most employers include: Title VII of the Civil Rights
Act of 1964 (prohibiting discrimination because of race, color, religion, sex, and national origin); the
Age Discrimination in Employment Act (prohibiting discrimination against employees who are 40 or
over); the Americans with Disabilities Act (prohibiting discrimination against qualified persons with
disabilities); the Family and Medical Leave Act (providing eligible employees with the right to unpaid
leaves of absence to care for a newborn or adopted child, certain family members, or the employee's
own serious health condition); the Uniformed Services Employment and Reemployment Act (providing a broad array of protections for members of the military services); the National Labor Relations
Act (offering protections to employees engaged in union activities); the Fair Labor Standards Act
(governing hours of work, minimum wages, and overtime); and the Consolidated Omnibus Budget
Reconciliation Act (COBRA) (requiring certain employers to offer continued insurance coverage following separation under enumerated circumstances; some employers are required to subsidize the
cost of COBRA coverage, but may be entitled to recover that cost under the American Recovery and
Reinvestment Act of 2009). The Genetic Information Nondiscrimination Act (GINA), which takes
effect on November 21, 2009, generally prohibits employers from acquiring genetic information on
their employees.
In addition to these and other federal laws, most states and many cities have enacted their own
separate, and often more stringent, laws regulating the employment relationship. Further complicating matters, every jurisdiction has a body of common law, legal requirements developed by courts
through case law. Separately and in combination, these laws apply to virtually every aspect of the
employment relationship and can pose litigation and liability traps for the uninitiated employer. To
navigate this seemingly unruly maze of regulation, the organization should have the following basic
information on hand:

• Know what laws regulate employers in the organization's state and city. This information can be obtained from many sources, including the Human Resources department,
employment law counsel, the local department of labor or EEOC office, or from various trade
associations. If the organization utilizes outside employment counsel or consultants, ask them
to provide this information; most will do so without charge.

• Know which laws apply to the organization. Most laws apply only to employers with
minimum numbers of employees; the number varies by statute and also may vary by how
"employee" is defined. Some laws exempt certain types of businesses, most often certain religious entities.

• Know how to determine which employees are covered. Even if the organization is subject to a statute, all of its employees may not be covered. Sometimes a statute protects only
employees who have worked for an organization for a minimum length of time or who have
worked a minimum number of hours over a given period.

11.3 Managing the Stages of the Employment Relationship

Employment law obligations arise even before an individual is hired and can continue long after
an employee leaves the organization. Enterprise risk management principles encourage the risk management professional to work closely with Human Resources to set best practices and then provide an
auditing function on either a regular or spot-check basis. To do this effectively, an organization must be
familiar with the specific risks attendant to each stage of the employment relationship and how to avoid
them. The following are practical suggestions for managing these stages and their attendant risks:


11.3.1 Recruiting and Hiring
11.3.1.1 Job Descriptions

Make sure there is a written job description for each position in the organization. At a minimum,
job descriptions should include: (1) the position's duties and responsibilities, differentiating between
essential and non-essential functions; (2) the pay range for the position; and (3) the minimum criteria
(education, experience, etc.) necessary for the position. Care must be taken not to impose criteria that
are not necessary for successful performance of the position's duties.
11.3.1.2 Applications

Every applicant should be required to complete and sign an employment application. Application
forms should be reviewed to be sure that they are non-discriminatory, both on their face and in their
impact. For example, an application not only should refrain from asking for an applicant's age but also
should not request information that would reveal age, such as when the applicant graduated from high
school. Applications should recite the organization's employment-at-will and drug testing (if applicable) policies, and should contain release language, immediately above the applicant's signature
line, permitting background and reference checks and releasing the organization from liability.
11.3.1.3 Recruiting Sources

Employers can face discrimination claims and lawsuits if they fail to include all protected categories (members of minority groups, women, persons with disabilities, etc.) in their recruiting efforts,
no matter how inadvertently. Make sure the organization provides information about job openings to
organizations that serve minorities, women, and persons with disabilities, and communicates its nondiscriminatory hiring policies clearly and regularly.
11.3.1.4 Interviews

Untrained interviewers create enormous risks. Using an enterprise risk management approach, the
Human Resources department ensures that anyone with interviewing responsibilities knows what, and
what not, to ask. A written list of interview questions or topics that is reviewed before the interview
can go a long way toward minimizing the risk attendant to the interview process.
11.3.1.5 Reference Checking and Background Checks

Many organizations request references from applicants, but then do not check them. To the extent
permitted in the state where the organization is located, obtain the applicant's consent (see Section
11.3.1.2, Applications, above) and check all references. Under some state laws, both requesting and
responding employers are protected from lawsuits based on reference requests. A healthcare organization also should consider conducting (or retaining an outside firm to conduct) a criminal background
check. Keep in mind, however, that an organization can refuse to hire an applicant only if a criminal
background check reveals a conviction (contrasted with an arrest that did not result in conviction) that
is job-related.
11.3.1.6 Restrictive Covenants

Make sure applicants are asked to identify any restrictions they may have (such as non-compete,
non-solicitation, or similar agreements) with a prior employer. It is not uncommon for hiring employers to be sued for facilitating an employee's violation of a pre-existing restrictive covenant.
11.3.2 The Ongoing Relationship

11.3.2.1 Orientation and Training

New employees should be given a general orientation into the organization's policies and procedures, especially its problem resolution programs. Provide employees with copies of any existing employee handbooks, codes of conduct, etc. Make sure the organization obtains a written, signed receipt from employees acknowledging receipt of whatever has been provided to them and keeps a sign-in sheet for all training sessions. If the organization makes policies and procedures available only on an intranet, require employees to sign a statement acknowledging that they understand how to access those policies and procedures. These suggestions are designed to prevent an employee from later claiming that he or she was unaware of the policies and procedures.
11.3.2.2 Supervision

Employees with extraordinary technical skills or professional capabilities are not necessarily adept at managing people. This often-ignored fact has led many employers to the courtroom. Organizations that employ enterprise risk management principles should provide management training to all new supervisors and managers. Consider establishing short-term mentoring relationships by pairing a new supervisor or manager with a respected, experienced managerial veteran to provide support and catch/correct problems early. Managerial performance should be evaluated as a critical component of every supervisor's performance evaluation.
11.3.2.3 Performance Evaluations

Every organization should evaluate every employee's performance on some regular basis, most typically once a year. Make sure the organization not only promises regular performance appraisals in its policies but also actually ensures that they are done. Regularly conducted reviews force employees and supervisors to communicate and can help identify potential problem areas and allow for early intervention and correction. Additionally, regular performance evaluations can be invaluable when defending against employment-related claims and in making difficult decisions when implementing reductions in staff.
11.3.2.4 Leaves of Absence and Workers' Compensation

There is a complex interrelationship among state workers' compensation laws, federal and state mandated leaves of absence programs, and the Americans with Disabilities Act and its state counterparts. All aspects of this relationship must be analyzed whenever a workplace injury causes a serious condition that may (or may not) qualify as a protected disability. Workers' compensation claims must be processed accurately and timely. Employees must be notified of their leave rights promptly, and reasonable accommodations must be offered if needed and possible without undue hardship to the organization.
Axiomatically, the best way to minimize the organization's exposure is to reduce injuries in the first instance. In this effort, effective safety programs and a functioning multi-disciplinary safety committee are a must. Safety and hazardous materials manuals must be readily accessible. The organization must understand, communicate, and comply with OSHA and state safety regulations. And most importantly, regular training must be provided across the organization.
11.3.2.5 Counseling and Discipline

Whether it is called progressive discipline, problem resolution, colleague counseling, or something else, every organization should have a systematic method of addressing performance and behavioral deficiencies. That method should be specific and in writing, should be communicated clearly to the organization's workforce, should be followed as closely as possible, and should require detailed documentation. Perhaps conversely, the organization must also reserve the discretion to deviate from prescribed procedures when appropriate or necessary. Managers and supervisors often dislike confronting employees about poor performance or unacceptable behavior, and avoid doing it if they can. Such avoidance creates risk for the organization and, ultimately, is unfair to employees, who may not realize how their performance is being perceived or how those perceptions may impact future employment. Managing the counseling and discipline function should be part of the organization's management training, especially in the training provided to new managers.
A typical progressive system provides for: (1) oral counseling; (2) written warning; (3) suspension; and (4) termination. In all instances, the organization must provide that it can impose any or all of these steps, including termination, in whatever order and without first imposing a lower step, if it deems it appropriate. Whatever system the organization has adopted, it must be followed consistently, and the required documentation must be prepared, submitted, and retained.
11.3.2.6 Complaint Procedures

Every organization must have a procedure through which employees can raise complaints and concerns, especially relating to matters such as perceived harassment (sexual or otherwise) or suspicions of other unlawful activity. In addition to having such a policy in place, the organization must also provide adequate safeguards to protect a reporting employee from any sort of retribution. Although complaints should be handled as discreetly as possible, a reporting employee cannot be promised absolute confidentiality, which might impede a thorough investigation. Similarly, once a complaint is received, it cannot be ignored even if the reporting employee asks that no action be taken. Once a report is received, the organization is on notice that a potential problem exists. Failure to act under those circumstances can create strict liability, severely limiting the organization's defense options in the event of legal action.

11.3.3 Professional Staff Turnover and Shortages

Many reasons are offered for the current shortage of both physicians and trained nurses: burnout, medical school admission caps, shrinking reimbursement rates, insurance company demands, concerns over being sued, and even changing generational lifestyle expectations. Whatever the causes, it cannot be escaped that the supply of trained professional staff is limited.
Long-term solutions to the problem will be multi-faceted, and likely will be highly influenced by both legislative and political developments. In the shorter term, however, organizations can best meet this crisis by, first and foremost, doing what they can to attract and retain quality professional staff. This can include, for example, replacing autocratic top-down leadership with more participatory practices; providing better continuing education support; offering mini-sabbatical or other lifestyle-enhancing programs; and ensuring that their professionals know, through regular internal and community-wide communication vehicles, that both they and their input are recognized and valued. Organizations that build reputations for being both supportive and collaborative not only have a better chance of retaining professional staff but also make themselves more attractive from a recruiting standpoint.
11.3.4 Ending the Relationship

Deciding to terminate an employee is perhaps the most difficult of all employer-employee interactions. It certainly is the stage of the employment relationship that most often leads to lawsuits. Proper preparation, including adopting and following the practices and procedures described earlier in this discussion, can minimize both the stress inherent in the termination process and the organization's exposure to costly and time-consuming litigation.
The two most common situations that lead to involuntary dismissals are the individual discharge and the elimination of a position or positions.
11.3.4.1 Individual Terminations

Before discharging an employee, the organization should make certain that: (1) its policies and procedures have been followed; (2) the steps taken before the decision to terminate was made are properly documented; and (3) the decision to terminate this employee is consistent with the manner in which the organization has treated other similarly situated employees. If the employee is a party to an employment contract with the organization, it is important to make certain that the organization's actions are consistent with the terms of the contract.
11.3.4.2 Reductions-in-Force

A reduction-in-force generally occurs when the number of employees in the employer's overall workforce (or within a work unit) is reduced to a lower number. It also can occur through the elimination of a specific position, function, or title. Any organization contemplating a workforce reduction should consult with an employment lawyer who is familiar with the laws and regulations in the organization's industry and geographic location. The following process can help prepare for that consultation and minimize legal exposure after a reduction:

Decide which positions (not which individuals) will be affected by the reduction.

Decide how many employees (again, not yet which individuals) within each position to eliminate.

Identify objective, business-based, non-discriminatory criteria for selecting which employees in the identified positions to terminate. Appropriate criteria can include, for example, length of service or performance evaluations. Avoid criteria such as wage rates, which can lead to the selection of a disproportionate number of older workers.

Create a list of employees to be terminated.

Evaluate selections to be certain no problematic patterns emerge and investigate any areas of concern. It can be useful to have an objective committee review all selections as part of this process.

11.3.4.3 Separation Agreements

Separation agreements (sometimes called severance agreements) can be useful in minimizing an organization's exposure to termination lawsuits. They can be used in individual and group terminations alike. Essentially, an organization uses a separation agreement to obtain an employee's waiver of his or her right to sue the organization in exchange for something of value (usually, although not always, some form of severance compensation). Legal counsel should review any proposed separation agreement, especially because some states require specific provisions to ensure enforceability. Certain provisions, however, are necessary in all jurisdictions. For example:

Employees must be given adequate time to consider signing the agreement. Employees who are age 40 and over must receive at least 21 days in an individual discharge; 45 days in a group termination or reduction-in-force. Employees who are under 40 must receive only a reasonable period of time to consider and sign the agreement.

Employees must be advised, in writing, of their right to consult with an attorney before signing.

Employees who are age 40 and over are entitled to revoke the agreement for seven days after they sign it. Younger employees have no revocation rights.

In the context of a group termination or reduction-in-force, terminating employees who are age 40 or over must be provided with detailed information regarding the criteria used and the titles and ages of both the persons being terminated and the persons being retained. This process should not be undertaken without an attorney's assistance or review.

11.4 Handling Challenges to Employment Decisions

Employment lawsuits can be, and are, filed in both federal and state courts. No matter where they
are filed, employment cases often assert both federal law and state law claims. If an organization is
served with a complaint, it likely goes without saying that employment counsel should be contacted
without delay. If the organization maintains commercial employment practices liability insurance, the
carrier should be notified immediately. If, on the other hand, the organization insures this risk through
its own risk financing mechanism, appropriate individuals within the organization should be advised.
The following explains the EEOC charge investigation process. State and local agency procedures usually are similar, but should be checked to ensure compliance with any unique requirements.
Before an employee can bring an action based on federal anti-discrimination laws, in most cases
he or she must first have filed an administrative charge with the designated federal agency, usually the
Equal Employment Opportunity Commission (EEOC). Many, but not all, states also require the filing
of an administrative charge as a condition precedent to civil litigation. It is beneficial to understand the
agency investigatory process, since a successful defense at the administrative level often discourages
employees from initiating much more time-consuming and expensive civil litigation.
11.4.1 Intake

To initiate a charge, the employee is required to complete an intake form, describing the acts the
employee contends constitute unlawful discrimination. Intake can be, and usually is, undertaken without a lawyer. Agency personnel assist employees in completing the charge forms and in articulating
their complaint.
11.4.2 Service on Employer and Requests for Information

A charge of discrimination is prepared by the EEOC and mailed to the employer. The employer will be asked to submit a statement of its position in response to the allegations contained in the charge. The employer may also be asked to provide specified data. The EEOC will set a deadline by which the employer must respond. These documents may be sent to human resources, the employee's supervisor, the risk management department, or to some other department, depending on what information the employee has provided to the EEOC. It is important that whoever receives the initial communication make certain it gets to the individual with responsibility for responding without delay.
11.4.3 Determination and Notice of Right to Sue

The EEOC investigation may go on for a while. The EEOC may ask for additional documents and
may seek to conduct interviews. The agency has the authority to conduct fact-finding conferences but
rarely exercises that authority. When it completes its investigation, the EEOC will issue a determination, holding either that there is no cause to believe discrimination occurred, or that there is cause.


A no-cause determination ends the matter at the EEOC level. With the no-cause determination, the EEOC also will issue a Notice of Right to Sue. The employee has 90 days following
receipt of the Notice of Right to Sue to file a complaint in civil court.

If the EEOC finds cause, it will initiate a conciliation. Essentially, the EEOC will try to get the employee and the employer to come to an agreed-upon resolution. While the conciliation process is similar to a settlement negotiation, unlike most settlements, conciliated resolutions are not confidential. If conciliation fails, the EEOC either will file a civil action on behalf of the employee or issue a Notice of Right to Sue permitting the employee to file suit on his or her own behalf. The EEOC does not have the authority to order an employer to pay any sum or take any action. Some state and local agencies do have the authority to conduct public hearings, where judgments and awards can be entered. It therefore is critical to be familiar with the local regulations and to consult with an employment attorney whenever a charge of discrimination is received.
11.5 Commentary

Managing exposure to the panoply of employment laws and regulations can only begin
with a comprehensive understanding of what mandates apply to the organization. There are
multiple sources from which this information can be obtained, including internal human
resources and risk management personnel, in-house or outside labor counsel, and various
trade associations.

Healthcare lawyers need to appreciate that the consequence of non-compliance, no matter how inadvertent, can be significant. Employment lawsuits are costly to defend, require substantial investments of time by leadership personnel and co-workers, can lead to large awards of both compensatory and punitive damages, and can damage the organization's reputation, making it more difficult to attract high-quality professionals in an already critical recruiting environment.

Organizations need to facilitate frequent and open collaboration among their various departments regarding all phases of the employment relationship. The turf wars of the past, such as those that sometimes occurred between human resources and risk management, or between risk and the legal department, must be excised. Employment law exposure today is multifaceted; minimizing its risk can only be done effectively when all members of the leadership team meet the Three Cs: Communicate, Consult, and Collaborate.

Healthcare lawyers also can assist their organizations by exploring litigation-avoidance techniques. The regular use of employment and separation agreements can minimize the number
and scope of employment lawsuits. Implementing alternative dispute resolution procedures,
such as internal appeal processes, mediation, arbitration, etc., also can be extremely useful.

11.6 Conclusion

This discussion obviously has not been able to cover every employment-related risk management challenge faced by healthcare organizations. It should, however, provide a useful starting place and a practical guide for managing an organization's employment practices risks. Enterprise risk management experience shows that these risks can be significantly minimized when all related professionals (risk management, human resources, senior operational management, and legal counsel, whether in-house or outside) make employment-related loss prevention a priority and work collaboratively to achieve that goal.


12 What to Expect and What to Do When OSHA Comes Knocking
Steven O. Grubbs, Esq.
Amanda J. Flanagan, Esq.
Sheehy, Ware & Pappas, P.C.
12.1 Introduction

Congress enacted the Occupational Safety and Health Act of 1970 (the Act) after recognizing the need for comprehensive job safety and health legislation. Not only were there a startling number of work-related injuries and deaths, but the injuries and illnesses arising in the workplace substantially hindered interstate commerce because of lost production, lost wages, medical expenses, and disability compensation payments. Currently, an estimated 6 million workplaces and 90 million employees from every state, the District of Columbia, Puerto Rico, and all American territories are covered by the Act. However, the Act does not apply to working conditions of employees over whom other state and federal agencies exercise statutory authority to prescribe or enforce standards or regulations affecting occupational safety or health.
The Act's primary purpose is to "assure so far as possible every working man and woman in the Nation safe and healthful working conditions and to preserve our human resources."1 In order to achieve that purpose, the Department of Labor created the Occupational Health and Safety Administration (OSHA). It is OSHA's responsibility to ensure that each employer keeps its place of employment free of recognized hazards that are likely to cause death or serious harm. In order to accomplish this purpose, OSHA may conduct unannounced inspections, issue citations for violations, and assess monetary penalties ranging from $1 to $70,000 per violation. OSHA has recently made headlines for multimillion-dollar fines given to the most egregious of violators. In addition to monetary fines, the United States Justice Department recently joined forces with OSHA to provide for criminal prosecution of the most flagrant workplace safety violators.2 In assessing penalties, OSHA will consider the good faith of the employer, the gravity of the violation, the employer's past history of compliance, and the size of the employer. In addition to the immediate consequence of receiving a monetary or criminal penalty, OSHA citations may also affect future litigation arising from the workplace accident or death.

1 OSH Act Sec. 2(b).
2 New York Times, With Little Fanfare, a New Effort to Prosecute Employers that Flout Safety Laws, May 2, 2005.

General counsel should be aware that the healthcare industry remains one of a handful of industries targeted by OSHA for intensified safety and health inspections from year to year.3 In fact, nursing and personal care facilities made up the highest concentration of worksites on the targeted inspection list in the past couple of years. According to recent directives, OSHA inspections are to focus on healthcare-related hazards such as patient handling, exposure to blood and other potentially infectious materials, exposure to tuberculosis, and slips, trips, and falls. Given this targeted focus on the healthcare industry by OSHA and the United States Justice Department, healthcare administrators, their risk managers, and general counsel must equip themselves to handle an increase in OSHA inspections.
This chapter will provide the healthcare general counsel a practical, hands-on guide to understanding OSHA, the risks of noncompliance, and how to effectively manage an OSHA inspection, including a discussion of a healthcare facility's rights during an inspection, what to expect following an inspection, and a discussion of some of the more pragmatic issues involved in appealing an OSHA finding.
12.2 The OSHA Process

12.2.1 OSHA Standards

While explanation of the several thousand standards applicable to the healthcare industry exceeds the scope of this chapter, a brief discussion of key OSHA standards may be useful. An employer must comply with specific occupational safety and health standards promulgated under the Act. OSHA standards are grouped under four broad industry categories: General Industry, Construction, Maritime and Longshoring, and Agricultural. An employer must comply with the specific standards that apply to its place of employment for which it has employees exposed to the hazard. OSHA has the burden to prove by a preponderance of the evidence that the standard applies, that the employer was out of compliance, and that there were employees exposed to the hazard. OSHA standards have been drafted for literal compliance, and employers are expected to comply with them in every detail regardless of an employer's use of its own safety methods4 or an employee's substantial experience.5 Further, an employer must protect its employees even when they are in the process of abating a hazard.6
In addition to the responsibility to comply with specific standards, section 5(a)(1) of the Act
guards against hazards where no specific standard applies. Employers have a general duty to provide
a place of employment that is free of recognized hazards (the so-called general duty clause). This
works as a catchall provision. If an employee is injured, but there is no applicable specific standard,
OSHA may complain that the employer failed to provide a workplace free from recognized hazards.
Citing section 5(a)(1) is improper where a specific standard is appropriate. To prove a violation of section 5(a)(1), OSHA must establish that the employer failed to render its workplace free of a hazard that was recognized by the employer or its industry, and that was causing or likely to cause death or serious physical harm. In addition, OSHA must demonstrate the feasibility and likely utility of specific abatement measures. Importantly, an employer may violate section 5(a)(1) even when there is no actual occurrence.7 Likewise, the occurrence of an accident, by itself, does not prove the existence of a violation.8

3 OSHA Targeted Inspection Plan for 2005, at p. 12, August 9, 2005, http://www.osha.gov/pls/oshaweb/owadisp.show_document?p_table=NEWS_RELEASES&p_id=11530.
4 Sierra Constr. Corp., 6 OSHC 1278, 1978 OSHD 22,506,
5 Cornell & Co., 5 OSHC 1018, 1976-77 OSHD 21,532,
6 H.S. Holtze Constr. Co., 7 OSHC 1773, 1979 OSHD 23,925, affirmed in part, reversed in part, H.S. Holtze Constr. Co. v. Marshall, 627 F. 2d 149 (8th Cir. 1980).
12.2.2 The Three Most Important OSHA Standards in Healthcare

OSHA maintains a list of the most frequently cited OSHA standards in the healthcare industry.9 This list may be found at www.osha.gov. Many healthcare employers are surprised to see that most of the standards cited are not really healthcare related but are relevant to all industries. Medical services and first aid, for instance, ranked only ninth on the list, behind wiring methods, lock out-tag out, and exit routes.10 The following discussion will begin by highlighting the three most widely cited violations in the healthcare industry.
12.2.2.1 Bloodborne Pathogens

The OSHA Bloodborne Pathogen Standard is the most frequently cited standard in healthcare.11 This standard requires employers to protect employees from exposure to blood or other potentially infectious materials that may contain bloodborne pathogens.12 There are many bloodborne pathogens, but the main infections that pose the greatest risk to workers are the human immunodeficiency virus (HIV), Hepatitis B virus (HBV), and Hepatitis C virus (HCV). The Bloodborne Pathogens Standard applies to employers who have employees with occupational exposure to blood or other potentially infectious materials, even if no actual exposure incidents have occurred.13 In 2001, OSHA added an additional requirement regarding the protection of employees from needlesticks. Every healthcare employer is required to use engineering and work practice controls to eliminate or minimize employee exposure to bloodborne pathogens. Further, healthcare employers are mandated to keep a sharps injury log for the recording of percutaneous injuries from contaminated sharps. Finally, healthcare employers are required to adopt an exposure control plan.14
The exposure control plan requires the healthcare employer to adopt technology that eliminates or reduces exposure to bloodborne pathogens.15 For instance, the plan must reference how the employees have been trained in self-sheathing needles, and where to dispose of the sharps.16 Next, the plan requires employees to document annually and implement appropriate commercially available and effective safer medical devices designed to eliminate or minimize occupational exposure.17 Finally, in the identification, evaluation, and selection of effective engineering and work practice controls, the plan must have a requirement to solicit input from non-managerial employees responsible for direct patient care, who are potentially exposed to injuries from contaminated sharps.18 This solicitation must also be documented in the exposure control plan.19

7 Titanium Metals Corp. of America v. Usery, 579 F. 2d 536, 542 (9th Cir. 1978).
8 Id.
9 http://www.osha.gov/pls/imis/citedstandard.sic?p_esize=&p_state=FEFederal&p_sic=80.
10 Id.
11 Id.
12 29 CFR 1910.1030.
13 Id.
14 Id.
15 Id.
16 Id.
17 Id.
12.2.2.2 Hazard Communications
While applicable to all employers, this standard is the second most cited standard for the healthcare industry.20 The Hazard Communication (Haz-Comm) Standard requires that the hazards of all chemicals used in a place of employment are evaluated, and that information concerning their hazards is transmitted to employees.21 This transmittal of information is to be accomplished by means of a comprehensive hazard communication program which must include training on container labeling and material safety data sheets (MSDS).22 Laboratory facilities that ship hazardous chemicals are considered to be either a chemical manufacturer or a distributor under this rule and, thus, must ensure that any containers of hazardous chemicals leaving the laboratory are correctly labeled.23
Every chemical used in the workplace needs to have an accompanying MSDS. Each MSDS spells out the properties of a specific chemical used in the workplace, including the symptoms of exposure, ingestion, or inhalation, for example. Employers are also required to maintain copies of all material safety data sheets that are received with incoming shipments in sealed containers of hazardous chemicals, obtain a material safety data sheet as soon as possible for sealed containers of hazardous chemicals received without an MSDS if an employee requests the material safety data sheet, and ensure that the material safety data sheets are readily accessible during each work shift to employees when they are in their work area. Moreover, employers are charged with training employees as to where to find this information.
Many employers are caught off guard by this standard because, as a general rule, if it is not water, OSHA will likely consider it a hazardous chemical and require the employer to maintain an MSDS. Take, for example, Clorox (chlorine) and Windex (ammonia). Alone, these chemicals are fairly inert, and common sense tells you not to ingest them or get them on your skin. However, MSDSs note that, if used together, these chemicals combine to create a toxic and carcinogenic mixture of chloramine and hydrazine that can be lethal if inhaled. This is precisely the type of accident Hazard Communication programs seek to prevent, and it is easy to see why OSHA takes this so seriously. Many employers fail to enact a comprehensive Haz-Comm program to address every single chemical used in the workplace.
12.2.2.3 Recordkeeping Violations
Employers who have more than 10 employees in the entire company are required to keep records of all recordable injuries and illnesses. The forms used to keep track of these records are called the OSHA Form 300 and the OSHA Form 301. The Form 300 is a log used by the employer for recording and classifying work-related injuries and illnesses and for noting the extent of medical care provided.24 When an incident occurs, this form is used to record specific details about how it happened. The OSHA Form 301, also known as the Injury and Illness Incident report, is a form used for each work-related incident or accident.25 This form must be filled out by the injured worker within seven days of the report of the incident or accident and must be kept for five years. Employees have the right to review unredacted copies of these logs at any time upon reasonable notice.

18 Id.
19 Id.
20 http://www.osha.gov/pls/imis/citedstandard.sic?p_esize=&p_state=FEFederal&p_sic=80.
21 29 CFR 1910.1200.
22 Id.
23 Id.
Employers making a good faith effort to fully comply with these recordkeeping requirements are
generally given some slack. It is the employer who declines to comply or plays games with the definition of "work-related" who receives citations. Further, the fact that healthcare employers were cited
160 times implies that many in the healthcare industry have a lot to learn about complying with this
standard.
It is important for the healthcare employer to keep in mind the fact that, even though there is no
specific regulation concerning a workplace hazard, the general duty clause nevertheless requires the
employer to provide a safe workplace. One recent example concerned a file cabinet drawer that would
not stay closed. After several complaints by the employee who kept running into it went unaddressed,
the employee complained to OSHA. OSHA cited the employer under the general duty clause for failing to provide a safe workplace, even though there is not a specific standard that says file drawers must
be able to close.
12.2.3 What Triggers an Inspection?

Under the Act, OSHA is authorized to conduct workplace inspections and investigations to determine whether employers are complying with standards issued by the agency for a safe and healthful
workplace.26 Workplace investigations and inspections are conducted by OSHA compliance officers.
These officers do not typically provide an advance warning of the investigation/inspection. Rather,
their typical modus operandi is to simply arrive unannounced. An OSHA inspection is usually triggered by one of several events, discussed in the following sections.
12.2.3.1 Targeted Inspection
First, an inspection may be triggered by a targeted inspection. As demonstrated above, the
Department of Labor may target a particular industry (i.e., healthcare) that it believes constitutes a disproportionate safety and health risk to employees as compared to other industries. For those industries,
OSHA randomly selects several employers within that industry's Standard Industrial Classification
(SIC) or North American Industry Classification System (NAICS) codes. OSHA compliance officers
then drive to those establishments to perform an inspection without warning or prior notification to
the employer. Compliance with the Needlestick Prevention Act, under OSHA's bloodborne pathogen
standard, is on their list of targeted areas of enforcement.27

24 29 CFR 1904.29.
25 Id.
26 OSH Act Sec. 8.
27 29 CFR 1910.1030.


12.2.3.2 Random Inspection
Not all inspections are targeted inspections. Many inspections are performed on employers whose
SIC or NAICS codes are chosen at random. Therefore, even if an employer's given industry is
not targeted by OSHA, that employer may still be selected for an inspection.
12.2.3.3 Employee and/or Third Party Complaints
Employee complaints about specific safety and health issues may also trigger an OSHA inspection. In those instances, OSHA will anonymously evaluate that employee's complaint for its validity.28
Not surprisingly, the filing of OSHA complaints is a favorite harassment technique of disgruntled
employees and ex-employees. Furthermore, interested third parties (e.g., a physician or family member of an employee) may also make complaints.29 Also not surprisingly, such third-party complaints
open the door for harassment by disgruntled competitors.
12.2.3.4 Occupational Fatality or Multiple Hospitalizations
Perhaps the clearest indicator that an employer will be visited by an OSHA compliance officer is
if the employer experiences an occupationally related fatality or has three or more employees hospitalized as a result of an injury or exposure related to their employment.30 It is important to recognize that,
in these two situations, the employer has an obligation to report the incident to OSHA, in person or by
phone, within eight hours of the incident.31 Once reported, OSHA is obligated to visit the employer's
facility within 24 hours. Failing to timely report the incident creates exposure to additional fines and,
in the event of subsequent litigation, plaintiff lawyers invariably use these types of citations to demonstrate a covering up of relevant evidence. For these reasons, it is imperative that a reportable incident
be reported within the eight-hour deadline.
12.2.3.5 Negative Workplace Media Exposure
The last event that will trigger an OSHA inspection is negative workplace exposure in the media.32
OSHA is a political entity that answers to the public. Therefore, OSHA administrators are compelled
to address any concerns that receive press coverage, even if there is no immediate public health or
safety concern. For instance, if the media reports that your medical office building has experienced a
gas leak necessitating the evacuation of a significant portion of your facility, an OSHA visit should be
expected.

28 Id. at Sec. 8(f).
29 Id.
30 OSHA Field Inspection Reference Manual at Ch. II-B-2.
31 OSHA's 24-hour hotline number is 1-800-321-6742. As will be discussed later, it is extremely important to be as brief
and factual as possible. Your conversation and/or report to OSHA will be recorded and transcribed and a copy placed in
the investigator's file.
32 OSHA Field Inspection Reference Manual at Ch. II-B-2.

12.2.4 What Can I Do to Prepare for an Inspection?

In general, OSHA relies on the element of surprise and does not give advance warning of an
inspection. In fact, OSHA is authorized to issue criminal penalties to anyone who gives an employer
advance notice of an inspection.33 An astute risk manager will act prospectively to make preparations
ahead of time for what to do in the event that a compliance officer arrives.
12.2.4.1 OSHA Posters
The first preparation to be made is to order the official employee rights poster from OSHA's website (DOL Poster PackageID# 5049) and post it in areas where nurses and other healthcare workers
congregate.34 If the medical center has a high number of employees who, for example, speak and/or
read Spanish to the exclusion of English, it would be advisable to order the Spanish version as well
(DOL Poster PackageID# 5052). Although it may sound ridiculous, healthcare employers have been
cited for failing to post the required posters.
12.2.4.2 Company OSH Officer and Action Plan
The next preparation item is to establish a healthcare facility Occupational Safety and Health
Officer (the "Facility OSH Officer"), and implement an "Action Plan" for execution when an inspection
occurs. Many times this officer is the General Counsel or outside attorney. The responsibilities of the
Facility OSH Officer are to assure that the Action Plan is carried out in the event of an inspection. He
or she should preemptively determine which standards and regulations apply to the healthcare facility,
and make sure all required written programs are up to date.
12.2.4.3 Updated OSHA Policies
There are a few programs that OSHA requires for almost every facility, including hazard communication, lock-out-tag-out, and fall protection.35 For the healthcare industry, several policies are
also on the short list of must-haves, including but not limited to bloodborne pathogens and needle
stick prevention, as noted above.36 Because OSHA will likely request a copy of those policies and seek
assurances that employees are trained in them, healthcare employers need to be sure their policies
are up-to-date with OSHA's requirements and that those policies are appropriately communicated to
employees.
12.2.4.4 Housekeeping
It is also a good idea for employers to do some housekeeping. If there are activities at the worksite
that regularly create an impression of disarray, extra time should be taken to make sure those areas
are clean and orderly if an OSHA visit is anticipated. For instance, if there is a janitorial closet that
always seems to be cluttered, care should be taken to have the area cleaned up, to remove chemicals from
the floor, and to secure access to the material safety data sheets that would apply to each chemical. As
noted above, the second most cited standard for the healthcare industry involves employers who fail
to have the required MSDS information for relatively benign chemicals such as WD-40, Go-Jo hand
cleanser, Clorox, and ammonia.37

33 OSH Act Sec. 17(f) authorizes up to $1,000 penalty and up to six months imprisonment, or both, for giving advance
notice of an inspection.
34 Look for the posters that apply to your business at http://www.osha.gov/pls/publications/pubindex.list#posters1.
See generally 29 CFR 1910 and 29 CFR 1926.
35 See generally 29 CFR 1910 and 29 CFR 1926.
36 Id.

12.2.4.5 Accurate OSHA Recordkeeping
Employers should also make sure that OSHA-required recordkeeping is up-to-date and readily
accessible. Further, OSHA records of workplace injuries (i.e., OSHA 300, 300a, and 301 logs) should
be updated monthly and kept in the same office as the employee personnel files, and annually posted
in accordance with the OSHA regulations. As has been discussed, this is the third most cited violation
of OSHA standards in the healthcare industry.
12.2.4.6 OSHA and HIPAA - Privacy Concern Cases
There is significant confusion among government and industry alike as to how to reconcile the
duties of HIPAA and the obligations under the Act. General Counsel should also be aware of the
potential for liability with respect to privacy concerns that can arise when OSHA records are originated, maintained, and disclosed to others. Briefly, the Health Insurance Portability and Availability
Act of 1996 (HIPAA) was enacted to protect against the unauthorized disclosure of personally-identifiable
health information that pertains to a consumer of healthcare services.38 The conundrum is that by
complying with OSHA and following its injury and illness recording, reporting, and posting requirements, concerns often arise among General Counsel as to whether or not compliance with OSHA
will then create liability under HIPAA. On the one hand, an employer is required to publicly post
a list of all workplace injuries, and list the employee name and the nature of the injury, days off of
work, and lost time due to injury. Employees have a right to inspect the OSHA 300 and 301 logs at
any time, many of which could contain sensitive, personally identifiable protected health information. However, the U.S. Department of Health and Human Services commands that the healthcare
employer must protect against the disclosure of protected health information of its employees under HIPAA.
Who wins, OSHA or HIPAA?
In an August 2, 2004 OSHA Standards Interpretation Letter, OSHA weighed in on this potential
conflict of duties and concluded that HIPAA's privacy requirements do not necessarily require employers to remove personally-identifiable information from the OSHA 300 log for all employees.39 OSHA
reasoned that even if such a record falls within the scope of HIPAA's protection, a HIPAA exception
applies.40 The U.S. Department of Health and Human Services has not released any comment on the
matter.

37 This is a recurring concern of OSHA.
38 See 45 CFR 164.500 et seq.
39 A copy of the letter can be found at: http://www.osha.gov/pls/oshaweb/owadisp.show_document?p_table=INTERPRETATIONS&p_id=24898
40 See 29 CFR 1904.


The HIPAA exception relied on by OSHA provides that "[a] covered entity may use or disclose
protected health information to the extent that such use or disclosure is required by law and the use
or disclosure complies with and is limited to the relevant requirements of such law."41 However,
when applying the HIPAA exception, OSHA cited 29 CFR 1904.35(b)(2)(iv), which requires that
employees, former employees, and employee representatives have access to the complete OSHA log,
including employee names, except for "privacy concern cases." Therefore, at least in the eyes of OSHA,
the inclusion of personally identifiable information on the OSHA 300 log would not be a violation of
HIPAA so long as the subject entry is not a privacy concern case.
Fortunately, OSHA provides further guidance as to what constitutes a "privacy concern case" and
the extent to which personally identifiable information can be disclosed under various circumstances.42
OSHA defines a privacy concern case as a case involving:
(1) an injury or illness to an intimate body part or the reproductive system;
(2) an injury or illness resulting from a sexual assault;
(3) mental illness;
(4) HIV infection, hepatitis, or tuberculosis;
(5) needlestick injuries and cuts from sharp objects that are contaminated with another person's
blood or other potentially infectious material; and
(6) other illnesses, if the employee voluntarily requests that his or her name not be entered on the
log.43
Therefore, if the workplace injury qualifies as a privacy concern case, the employer should not
enter the employee's name on the OSHA 300 Log. Instead, the employer should enter "privacy case"
in the employee name blank and keep a separate, confidential list of the case numbers and employee
names for its privacy concern cases.44
Additionally, if such measures are taken and the employer reasonably believes that the remaining
information will still identify the particular privacy concern employee, OSHA will allow the employer
some liberty in describing the injury or illness so as not to identify the employee through the details of
the injury. For example, OSHA suggests that an injury to a reproductive organ be described as a "lower
abdominal injury."45 However, OSHA does warn that the employer must enter enough information to
identify the cause of the incident and the general severity of the injury or illness.46
Because disclosure of OSHA forms 300 and 301 is typically limited to government representatives, employees, former employees, or authorized representatives, employers may only disclose those
forms to other persons if the employer removes or redacts the employees' names and other personally
identifying information, irrespective of whether or not the case is a privacy case. The only exceptions
to this rule are if the disclosure is made: (1) to an auditor or consultant hired by the employer to
evaluate the safety and health program; (2) to the extent necessary for processing a claim for workers' compensation or other insurance benefits; or (3) to a public health authority or law enforcement
agency for uses and disclosures for which consent, an authorization, or opportunity to agree or object
is not required under HIPAA.47

41 45 CFR 164.512(a).
42 See 29 CFR 1904.29(b)(6)-(10).
43 See id. at 1904.29(b)(7)-(9).
44 See id. at 1904.29(b)(6).
45 See id. at 1904.29(b)(9).
46 See id.

12.2.5 Inspections and Investigations

The first visit to the place of employment by the OSHA compliance officer is a fact-finding mission. At this stage, OSHA typically knows very little about the situation and is only there to do a
big-picture investigation called a "walk around." An employer and any employee representative have
the right to accompany an OSHA representative on his walk around.48 The corporate attorney should
accompany the OSHA compliance officer at all times. If an employee complaint is the reason for the
inspection, the healthcare employer will be given a copy of the employee complaint with the name of
the complainant redacted.
OSHA may or may not provide a warrant for this inspection. OSHA is allowed to seek an ex parte
(without notifying you) warrant to inspect your facility, without having any probable cause that a violation of the act was committed.49 Without a warrant, however, OSHA is prohibited from conducting
an inspection in the absence of consent. Be advised that in cases of a workplace fatality or other emergency situation, OSHA has nearly unlimited right of access and a warrant is generally not required.50
Nevertheless, remember that any items in plain view of the compliance officer are fair game in
the inspection. Therefore, if you grant access to a part of the healthcare facility, anything he observes
en route to that part of the facility is open to inspection. It is not uncommon to take the compliance
officer on a circuitous route to the area of concern, so as not to take the officer past other areas of
concern (like the aforementioned janitor's closet).
12.2.5.1 Employee Interviews - Non-Managerial
Following the facility inspection, the compliance officer will likely ask to interview employees.
Although a compliance officer generally has the right to private interviews with rank-and-file nonmanagerial employees, an employer is not obligated to produce an employee for an interview during
regular work hours if it creates a risk of injury to other workers or unduly disrupts the provision of
healthcare.51 However, reasonable arrangements can be made to produce the employee for interviews
after work hours or on the next regularly scheduled break. The prevailing wisdom is that neither the
healthcare representative nor the medical center attorney can participate in this interview, although
employees may ask that their own attorney or their employee representative (in union situations)
accompany them. Importantly, no employee may be discharged or in any other manner discriminated
against for filing a complaint, testifying, or exercising any other right during an OSHA inspection.52

47 See id. at 1904.29(b)(10).
48 OSH Act Sec. 8(e).
49 See Marshall v. Barlow's Inc., 436 U.S. 307, 98 S.Ct. 1816, 56 L.Ed.2d 305 (1978); see also Rockford Drop Forge Co.
v. Donovan, 672 F.2d 626 (7th Cir. 1982).
50 For a more thorough discussion of warrants for an OSHA inspection, see Marshall v. Barlow's, Inc., 436 U.S. 307
(1978).
51 See Urick Foundry Co. v. Donovan, 542 F.Supp. 82 (W.D. Pa. 1982); see also National Engineering & Contracting Co.
v. OSHA, 928 F.2d 762 (6th Cir. 1991).

Controlling employee disclosures to OSHA during his or her interview is perhaps the strongest
weapon a healthcare employer possesses in managing an OSHA investigation. It is crucial for the
healthcare facility OSH officer to meet with each employee prior to their interview to go over witness
strategies. If possible, this should be conducted by the company attorney.
In those instances where OSHA agrees to allow the employee to have an attorney present, OSHA
will generally object to allowing the employee to utilize the employer's attorney who has been provided at no cost to the employee. It is OSHA's view that such an attorney may have a conflict of
interest in representing the employer and the employee. In difficult situations where, in the judgment
of the employer, it is determined that a particular employee must be assisted during their interview,
one technique an employer may utilize is to have the employee sign a waiver of any conflict of interest
and present it to the compliance officer.
After obtaining the waiver, the healthcare facility-provided attorney may insist on attending the
interview with the employee. There is support that OSHA must allow the interview under these circumstances.53 This, once again, may be viewed as a hostile act, so it is advised to use this method only
when absolutely necessary. OSHA may decline to interview the employee at that time and come back
with a subpoena for the employee's testimony. However, the conflict waiver should still apply.
12.2.5.2 Employee Interviews - Managerial
Managerial employees have the right to have a company representative or its attorney present during interviews.54 Managerial employees are generally defined as those employees who have the right
to bind the healthcare facility by their statements. However, in practice, a broader definition is often
applied such that any employee who has the right to hire and fire, is a supervisor to one or more other
employees, or is considered a foreman, may be considered a manager. Because of the right to have a
representative present during interviews, a broad construction of "managerial" is advisable. Legal counsel's role in these interviews is to try to force the compliance officer to ask clear, nonleading questions
and to make sure the witness understands the question prior to answering. Because OSHA compliance
officers are not trained litigators, they are prone to asking leading, vague, overly broad, and speculative questions that tend to cause problems later.
12.2.5.3 Environmental Sampling
OSHA also has the right to conduct environmental sampling of the healthcare facility.55 Environmental sampling can include air monitoring, noise level evaluation, radiation exposure, chemical
exposure, and soil sampling, to name a few. The employer is advised to conduct sampling of its own
in conjunction with the OSHA team to assure accuracy. Compliance officers will generally agree to
advance notice of a sampling team coming to the facility in order to allow the employer to retain a
sampling team of their own choosing to conduct side-by-side testing. Courts are split as to whether
OSHA has the right to require an employee to wear sampling devices, like radiation badges, during an
inspection.56

52 See 29 CFR 1977.
53 See Reich v. Muth, 34 F.3d 240, 244 (4th Cir. 1994) (upholding the right of an employee to voluntarily choose counsel
prior to an interview with OSHA regardless of the fact that the attorney represents both employer and employee); see also Dole v.
Bailey, 14 OSHC 1534, 1990 O.S.H.D. P28898, 1990 U.S. Dist. LEXIS 10512 (N.D. Tex. 1990).
54 OSHA Field Inspection Reference Manual at Ch. II A(4)(d)(4).
55 Id. at Ch. II A(4)(c).

12.2.6 The Closing Conference

At the conclusion of the onsite investigation, OSHA will conduct a closing conference. The purpose of the closing conference is to signify the formal end of the investigation and to review the
Department's findings with the employer. At this point, the compliance officer has a good understanding of what the citations will contain.57 It affords the healthcare facility and its legal counsel an
opportunity to visit with the compliance officer to discuss his or her potential findings before a citation
is issued.
Since anything stated during that closing conference is still fair game to be used against the
healthcare facility, the closing conference is best treated as a listening exercise rather than a free flow
exchange of ideas. OSHA sometimes uses the closing conference as a method to fish for what the
employer's response to an issue will be before writing the citations so they can craft the citation around
the employer's defenses. It is sometimes worthwhile to press the compliance officer for all information
collected that justifies a particular area of concern; however, this is sometimes futile.
It is also helpful to ask the compliance officer if there are any matters that should be corrected
by the employer. If so, the employer can begin taking steps to abate the hazard before the citation is
issued. Although the employer is not under any obligation to correct any issues prior to the issuance of
citations, OSHA will give the employer a deadline to comply at the time the citation is issued. Because
this abatement deadline can sometimes be brief, an employer will benefit by having additional time to
comply.
Another helpful item to obtain at the closing conference is a receipt from the officer itemizing
all the materials provided to him or her during the course of the investigation. Such a receipt helps
to assure that there is no misunderstanding about whether something was or was not provided to
OSHA.
Once the closing conference is completed, the OSHA compliance officer will return to his or
her office and begin drafting the citation(s). It is unlikely that a compliance officer will return to the
healthcare facility to conduct any additional investigation. The Act requires that citations should be
issued with reasonable promptness and imposes a deadline of six months following the occurrence
of any violation.58 It is not unusual for two or three months to elapse after the closing conference
before citations are received in the mail.

56 See Marshall v. Wollaston Alloys, Inc., 479 F.Supp. 1102 (D. Mass. 1979), affirmed, 695 F.2d 1 (1st Cir. 1982); compare Donovan v. Metal Bank of America, Inc., 516 F.Supp. 674 (E.D. Pa. 1981), appeal dismissed as moot, 700 F.2d 910
(3d Cir. 1983).
57 Although the Area Director reserves the right to change or supplement the recommendations of the compliance officer.
58 See OSH Act Sec. 9(a), (c).

12.2.6 I Was Just Served with Citations - Now What?

Because deadlines begin to run upon receipt of the citations, it is crucial that the healthcare
facility's General Counsel be immediately notified when citations are received. The facility should
notify the mail room or any other person in charge of circulating the mail that any materials received
from OSHA should be immediately delivered to the person managing the inspection. Once citations
are received, an employer has only 15 working days to contest the citations before they become a
final and unappealable order from the Department of Labor. Hence, the date the citations are received
should be noted in the file and 15 working days from that date should be noted on the calendar.
Once a healthcare organization receives citations, it has essentially three options. First, the
employer can simply agree to the citations as issued, and write a check to cover any associated fine.
This is not recommended. The second option is to file a Notice of Contest and challenge OSHA in
court to prove the allegations asserted in the citations.59 It is strongly recommended that an employer
retain competent counsel should it choose this alternative. Although OSHA will do its best to convince
you to go forward without a lawyer, the fact remains that the employer will be in litigation and there
are traps for the unwary. The next option is to set up an informal conference. No matter what option an
employer ultimately utilizes, an informal conference with OSHA should always be sought.
12.2.6.1 Informal conferences
An informal conference is exactly what it sounds like: an informal meeting with the OSHA
office that issued the citations. At the informal conference, the healthcare facility representative can sit
down with the local field office area director or his or her assistant area director and discuss ways to
resolve the citations without resorting to litigation. Typically, the area director will begin by discussing
the many variables present in an OSHA citation. In addition to the monetary penalties, OSHA citations
contain a gravity determination: Other than Serious, Serious, Willful, Repeat, and even Criminal.
The next variable in the citation is the language of the citation itself. This language can be negotiated in the same manner as the penalty amounts and the gravity. Many times, the language of the
citation is much more damaging to the employer than the dollar amount or the gravity.
The usual set of citations contains some fluff that OSHA uses during negotiations. In other words,
OSHA will cite a healthcare facility for some matters they know will not pass muster on appeal just to
give themselves some bargaining material. If a healthcare facility goes into the informal conference
with a realistic expectation of a workable solution, the healthcare facility will more than likely be able
to resolve the dispute at the informal conference. Generally, more than 90% of citations are resolved
at the informal conference level.
Perhaps the most important reason for resolving a claim at the informal conference is that, if the
healthcare facility is concerned about subsequent litigation resulting from the OSHA investigation, the
healthcare facility can request language in the settlement agreement that will give its attorney more
ammunition to argue against the admissibility of the citations in any subsequent civil action. While
such language by no means guarantees the inadmissibility of OSHA citations, it will give the healthcare
facility's lawyer more to work with. If the employer litigates the citations with OSHA and a finding is
made against the employer's interest or if the employer simply pays the citations without obtaining an
agreement, then the admissibility of the citations in subsequent civil litigation is nearly certain.

59 See OSH Act Sec. 10(a).

If an agreement cannot be reached in the informal conference, the healthcare facility must file
its Notice of Contest within 15 business days of the original receipt of the citations. Therefore, when
scheduling an informal conference, it is important to do so with enough time remaining on the contest
deadline to allow for continued negotiation after the conference is over and, if still unsuccessful, allow
for time to file a Notice of Contest. It is recommended that at least five business days be saved for this
continued negotiation period.
12.2.6.2 Abatement date
Citations will also contain an abatement date. This is the date by which the citation must be
corrected. The general rule is that the abatement date should be a sufficient amount of time for the
employer to evaluate the violation, formulate a plan of correction, and implement those plans.60 In
some instances, it may be impossible for an employer to fix the problem by the date requested. If
so, the employer may request an extension via a formal written letter. OSHA will typically grant an
extension up to the deadline to file a Notice of Contest. If that is still not enough time, the employer
may file their notice of contest, which will suspend the abatement date until there is a final order of the
Occupational Safety and Health Review Commission.61 Employers who do not abate the violation by
the abatement date risk additional citations.
OSHA is generally willing to extend the abatement date for good reasons. However, if OSHA is
unwilling, a healthcare facility may file a Petition to Modify Abatement (PMA) with OSHA. This is,
once again, one of those filings that only should be pursued with the assistance of an attorney. Detailed
discussions of the procedures for filing a PMA exceed the scope of this chapter, but take note of the
fact that the procedure exists if needed.
12.2.6.3 Filing Your Notice of Contest
If OSHA is unwilling to negotiate a workable solution with a healthcare facility at the informal
conference and the facility's deadline is running out, the facility should file its Notice of Contest. Once
again, it is imperative that the healthcare facility enlist the assistance of its attorney at this stage of the
process. There is a fair degree of success resolving claims at the litigation level that were believed to
be incapable of being settled at the local level. The introduction of an attorney often helps to remove
personality conflicts from the equation, particularly in contentious situations where OSHA and the
healthcare facility clashed in the inspection. Of the 10% of cases that are appealed to the litigation
level, experience shows that 80% of those can be resolved in lawyer-to-lawyer communications. For
the remaining 20%, the healthcare facility will be served with a lawsuit by OSHA, and the facility will
be required to file an answer.

See Matthews & Fritts, Inc., 2 OSHC 1149, 197475 OSHD 18,455.
See Reich v. Manganas, 70 F.3d 434 (6th Cir. 1995).

60
61

204

Enterprise Risk Management for Healthcare Entities, First Edition

What to Expect and What to Do When OSHA Comes Knocking

12.3 Significance for In-House Counsel, the Governing Board, and Executive Leadership

Like death and taxes, at some point a visit from OSHA is a near certainty. The when and the why
are less certain. Therefore, when OSHA arrives unannounced, it is important to be prepared and know
your rights and responsibilities. It is also crucial for any in-house counsel, governing board, and executive leadership to keep in mind the big picture throughout the inspection and investigative process.
The consequences of a healthcare facility's actions or inactions from the inspection to the issuance of
a citation may affect future litigation. For example, simply paying the $5,000 fine without contesting
the citation or attempting to negotiate the citation language may end up costing tens of thousands of
dollars in any subsequent litigation. The ultimate goal is to reduce the impact of any citation issued and
to minimize the citation's effect on future litigation.
12.4 Commentary

Know and understand the OSHA standards applicable to your facility. There are many
third-party safety and health compliance experts who can assist you with this.

Like any good boy scout, always be prepared. While a healthcare facility may not know
when an OSHA official may arrive, it can, and should, prepare for it. For example, posting
the official employee rights poster from OSHA's website in both English and Spanish in areas
where workers congregate, and establishing a facility Occupational Safety and Health Officer
to implement and oversee an Action Plan for execution when an inspection occurs, are two
important ways to prepare. Also, make sure the healthcare facility's OSHA recordkeeping
is up to date and its health and safety plan has been fully implemented. From a compliance
standpoint, it is worse to have a policy that is never or incompletely implemented, or worse,
implemented but not followed, than not to have one at all. If a healthcare facility makes the
effort to have a comprehensive safety and health plan, the facility must follow that plan.

See the big picture. Actions that any healthcare administrator, risk manager or general counsel takes during an OSHA investigation will not only affect the outcome of the investigation,
but may also affect future litigation. For example, while OSHA citations are technically inadmissible hearsay, plaintiffs' attorneys have circumvented this rule by allowing their expert
to review the citation and later testify about it. A citation that cites the healthcare facility
for having a willful disregard for safety will be powerful evidence in a subsequent gross
negligence case where the plaintiff's burden is to show that the healthcare facility willfully
disregarded the safety of the employee.

Set the tone from the beginning. When an OSHA compliance officer arrives, do not treat it
as an adversarial process. Avoid actions such as demanding a warrant or refusing to provide
employees or documents in a timely manner. These actions may be perceived by the compliance officer as hostile, and may diminish your chances of later resolving any issues or
obtaining favorable citation language.

Handle the warrant issue with care. OSHA will perceive a denial of entry and a demand for a
warrant as a hostile act and will assume the healthcare facility is hiding something by hindering access. Rest assured their inspection will be more comprehensive when they return with a
warrant. However, requiring a warrant can force OSHA to more narrowly define the scope of
their inspection and document request. Or, more importantly, requesting a warrant may buy
the employer time to get ready for the inspection. Generally, however, the better approach
is to informally negotiate the scope of the inspection, including documents to be produced,
witnesses to be interviewed, and parts of the facility to be produced for inspection.

Negotiation is a valuable weapon in your arsenal. From the scope of the inspection to the
language in the citation, negotiating with the OSHA compliance officer may reduce the consequences of a citation or future litigation.

Do not inadvertently give OSHA additional ammunition to use against the healthcare facility. Because OSHA may issue citations for any violation seen while on the premises, avoid
inspection routes that would take the officer past any other areas of concern.

It is good to have a single point of contact. As more people become involved, information
becomes fragmented, and no single person will have the complete story. Therefore, only one
person should have principal communication with OSHA. That person could be the healthcare facility's attorney or risk manager. Whoever he or she is, that person should be charged
with the exclusive responsibility of (1) providing written documents to OSHA and (2) knowing exactly what was said to OSHA, what was given to OSHA, and what OSHA has seen.

Remember, OSHA is listening. It is important to understand that the healthcare facility's representative is on the record even at informal times such as the walk around. Stray comments
can and will be used by the compliance officer if they are relevant to his investigation. While it is
always important to be polite, the less that is said, the better.

12.5 Conclusion

OSHA is concerned about worker safety and it does its best to do its job fairly and apply the
standards uniformly. Unfortunately, the unprepared healthcare facility representative can be taken
advantage of if he or she is not ready for the inevitable OSHA visit. With careful planning, a healthcare
facility may assert some control over the process and reduce its exposure to significant OSHA fines
and subsequent litigation difficulties and, most importantly, foster a safer workplace.


Part V
Legal & Regulatory Concerns

13 Adverse Event Reporting: Reporting for Patient Safety and Public Health
Kathryn K. Wire, JD, MBA, FASHRM
Principal, Kathryn Wire Risk Strategies
13.1 Introduction

Since the 1999 Institute of Medicine report To Err Is Human1 spotlighted the significant role of
adverse events in healthcare, federal and state legislatures and agencies have moved to increase the
reporting and analysis of those events. The IOM expanded its call for improved healthcare outcomes,
including quality and safety reporting, in Patient Safety: Achieving a New Standard of Care (2004).2
Progress toward these goals has occurred in small steps, but it remains slow.
The number of adverse event reporting structures has increased since 1999, but they vary greatly.
On a state level, Oregon is the one state that has a voluntary adverse event reporting system; all the
remaining states that have adverse event reporting systems require providers to follow a prescribed list
of adverse events for which reporting is required, primarily on the part of hospitals. The most prominent example of voluntary reporting is to Patient Safety Organizations enabled through the passage
of the federal Patient Safety and Quality Improvement Act of 2005. It is difficult to address mandatory adverse event reporting without considering the myriad other reporting programs that sometimes
overlap both the event reporting systems and each other. Quality reporting, as an example, while theoretically voluntary, can take on some of the aspects of adverse event reporting and can have significant
implications for reimbursement and accreditation.
13.2 An Overview of Programs

Adverse event reporting systems take different forms and cover different issues. This chapter cannot realistically describe them in detail, but some specific programs warrant identification here.
1 Accessible free online at http://www.nap.edu/openbook.php?isbn=0309068371.
2 Accessible free online at http://books.nap.edu/openbook.php?isbn=0309090776.
3 A Review of Current State-Level Adverse Medical Event Reporting Practices: Toward National Standards, Megan K.
Beckett, et al., Rand Health (2006). The National Academy for State Health Policy maintains an online list of state reporting statutes at http://www.nashp.org/_docdisp_page.cfm?LID=2A789909-5310-11D6-BCF000A0CC558925.

1. A number of states encourage or require specific reports of adverse events,3 but they differ
on the specific occurrences that providers must report. Most draw heavily from the National
Quality Forum (NQF) list of 28 Serious Reportable Events or Never Events.4 See Appendix
for a list of those events.
2. In October 2008, the federal government implemented the Non-Payment for Hospital-Acquired Conditions, or CMS HAC, program that identifies events through billing codes and
dictates reimbursement consequences when the events occur, another form of event reporting.5 Using submitted billing codes, CMS is accumulating data on adverse outcomes with
every submission of a Medicare bill. The program can track a number of adverse outcomes;
CMS will deny reimbursement for care arising from some of them. It is anticipated that the
current list of 10 hospital-acquired conditions6 will continue to expand and be announced
with the yearly fiscal changes to the Centers for Medicare and Medicaid Inpatient Prospective
Payment System (CMS IPPS).
3. The 2005 Patient Safety and Quality Improvement Act encourages reporting for patient safety,
but even under the act, all reporting remains voluntary, and a very heterogeneous group of
organizations will receive and process the information. PSQIA is discussed in more detail
below.
4. CMS, unquestionably, does not want to be a primary payer when other forms of insurance
are available. To that extent, and to add additional strength to the Medicare Secondary Payer
(MSP) statutes, the Medicare, Medicaid, and SCHIP Extension Act of 2007 was passed in
December 2007.7 Section 111 refers specifically to reporting obligations by liability insurers,
including self-insured plans, to report, on behalf of Medicare beneficiaries, dollars paid for certain adverse events. This in essence makes for a federal mandatory reporting requirement.
5. Section 5001(a) of the Deficit Reduction Act (DRA) sets out new requirements for the Reporting
Hospital Quality Data for Annual Payment Update (RHQDAPU) program. RHQDAPU
builds on the ongoing voluntary Hospital Quality Initiative (HQI). Hospitals are required
to report quality measures of process, structure, outcomes, patients' perspectives on care,
efficiency, and cost of care that relate to services furnished in inpatient settings on the CMS
website. Currently, hospitals must report 30 quality measures to receive a full payment update
in FY 2009. By law, CMS must reduce payments to hospitals that do not successfully report
quality measures.

4 See www.qualityforum.org.
5 See Rules and discussion of CMS program regarding non-payment for hospital-acquired conditions at Federal Register
Vol. 73 No. 161, pp. 48471-91, accessible at http://edocket.access.gpo.gov/2008/pdf/E8-17914.pdf.
6 The 10 conditions are: (1) foreign object retained after surgery; (2) air embolism; (3) blood incompatibility; (4) pressure ulcers stage III and IV; (5) trauma related to falls and other hospital associated incidents; (6) catheter-associated
urinary tract infections (UTI); (7) vascular-catheter associated infections; (8) surgical site infections: mediastinitis after a
coronary artery bypass graft, certain orthopedic surgeries, bariatric surgery for obesity; (9) manifestations of poor glycemic control; and (10) deep vein thrombosis (DVT) and pulmonary embolism (PE).
7 Mandatory Insurer Reporting Requirements of Section 111 of the Medicare, Medicaid and SCHIP Act of 2007 (MMSEA)
(Pub. L. 110-173); Use: Section 111 of the Medicare, Medicaid and SCHIP Extension Act of 2007 (Pub. L. 110-173) amends
the Medicare Secondary Payer (MSP) provisions of the Social Security Act (42 U.S.C. § 1395y(b)). For more information,
visit http://www.cms.hhs.gov/MandatoryInsRep/.


13.2.1 Non-Reporting Penalty

While most healthcare facilities will report to one or more of these systems, they may also report
to managed care organizations, voluntary non-governmental groups, and their own health system
management.
13.3 An Overview of Reporting Processes

With this hodge-podge, it helps to consider the characteristics of different reporting systems that
most strongly influence their potential impact on organizational risk.
1. Adverse event reporting (mandatory or voluntary) relies on the submission, aggregation,
and analysis of information about specified undesirable outcomes from hospitals, in order
to design improved processes and support patient safety. The state programs that gather data
on never events are examples. Some report the data by facility, others do not. Some use
public health data to put the numbers in context, noting, for example, the statewide number of
wrong-site surgeries as a percentage of total procedures. Generally, they view the events as
rare enough that they do not calculate rates for each facility.
2. Other programs center on universal outcome reporting, in which the agency gathers data on
all of the facility's outcomes (denominator) and then assesses the proportion of undesirable
outcomes (numerator), to calculate a rate of failure or, conversely, of success. Facility mortality and infection rates fall in this category. This data is gathered from a variety of sources,
some administrative and some based on clinical record review.
3. CMS's HAC program represents another form of outcome reporting, pulling statistics from
billed diagnoses. It sorts through administrative (billing) data that indicates whether a defined
outcome occurred by tracking submitted diagnosis codes on the bills.
4. Other programs gather data on process compliance; they focus on whether recommended
processes take place, but don't directly track individual cases or outcomes. For example,
CMS and the Joint Commission collect data through the National Hospital Quality Measures on process points like administration of pre-operative antibiotics or aspirin for patients
with a possible heart attack.8 Process reporting should be combined with some form of outcome measurement to determine whether improving process compliance actually improves
outcomes.
The discussion below describes the more prevalent models and then discusses the potential risk to
the enterprise that can arise from either participation or non-participation in the programs.

8 National Hospital Quality Measures, see http://www.jointcommission.org/PerformanceMeasurement/PerformanceMeasurement/.

The Patient Safety and Quality Improvement Act of 2005 and Patient Safety Organizations9
Amid the background pressure to devise a comprehensive reporting system for adverse events, the
federal Patient Safety and Quality Improvement Act of 2005 (PSQIA or Patient Safety Act) became
law. Final rules for implementing the PSQIA were published November 21, 2008.10 The Patient Safety
Act establishes a framework by which doctors, hospitals, and other healthcare providers may voluntarily report information on a privileged and confidential basis regarding patient safety events and
quality of care.11
The federal law removes one disincentive to reporting, as it protects patient safety activities from
discovery. Since reporting to a PSO is voluntary, it does little to address the IOM's goals of universal
reporting. As stated in the Federal Register on August 29, 2008, the Patient Safety Act requires PSOs,
to the extent practical and appropriate, to collect patient safety work product from providers in a standardized manner in order to permit valid comparisons of similar cases among similar providers. One
of the goals of the legislation is to allow aggregation of sufficient data to identify and address underlying causal factors of patient safety problems. In order to facilitate standardized data collection, the
Secretary of DHHS requested the Agency for Healthcare Research and Quality (AHRQ) to coordinate
the development of Common Formats for patient safety events. The Common Formats Version 0.1
Beta was released by AHRQ on August 29, 2008.12 Soliciting comments from the public, providers,
and PSOs will help AHRQ (assisted by the NQF) to revise future versions of the Common Formats.
AHRQ plans on publishing a revised version within six to nine months from its first Beta Version, then
yearly thereafter.
This section does not offer a definitive discussion of the Patient Safety Act and its processes.
Rather, it will provide enough information to discuss the potential impact of PSO-related activities in
an enterprise risk environment.13
The Patient Safety Act centers on Patient Safety Organizations (PSOs), which will gather data
from healthcare providers.14 Figure 1 describes the flow of information under the Act. The data can
consist of adverse event reports or other patient-safety-related information. A PSO can analyze its own
data and can collaborate with other PSOs to analyze a broader base of information. The Patient Safety
Act protects data reported to and processed by the PSO, as well as PSO activities, from discovery and
most other forms of involuntary disclosure. A PSO's ultimate work product (free of identifiers) has no
protection. Aggregated data about patient safety issues will be available to PSO members, collaborating PSOs, and, possibly, to the public.
9 James M. Barclay and Ruden McClosky contributed research and editorial assistance for this section.
10 Final Rule PSO Legislation, Federal Register, Friday, November 21, 2008, Vol. 73, No. 226, Rules and Regulations,
pages 70731-70814. See: http://edocket.access.gpo.gov/2008/pdf/E8-27475.pdf.
11 Federal Register, Vol. 73, No. 169, Friday, August 29, 2008, Notices.
12 The Common Formats can be accessed electronically at the following website of the Department of Health and Human
Services at http://www.pso.ahrq.gov/index.html.
13 The PSQIA assigns enforcement of the law to the AHRQ, which has an extensive website about the law, regulations, and the current status of implementation at http://www.pso.ahrq.gov/index.html. The Office of Civil Rights
has enforcement responsibility for the confidentiality provisions, and their website with information is accessible at
http://www.hhs.gov/ocr/psqia/.
14 The term provider encompasses nearly all types of healthcare providers. PSQIA § 921(8). In that sense, the PSQIA
provides much broader protection to safety processes than many state quality and peer review statutes.

Figure 1 (flow of information under the Patient Safety Act; figure not reproduced). 2008, James M. Barclay, Ruden McClosky, used with permission.

Healthcare providers that contract with a PSO, then gather and report their data, also known as
Patient Safety Work Product (PSWP), via a Patient Safety Evaluation System (PSES), are protected
from disclosing that data. The regulations define the confidential data-gathering process narrowly, so
providers should use caution when counting on the confidentiality of their programs.
In summary, the Act outlines a program with these characteristics:

Healthcare providers gather information about adverse events (or other patient-safety-related information) and transmit it to one or more PSOs. They can choose which PSO, if any,
to use.

A Patient Safety Evaluation System (PSES) is the collection, management, or analysis of
information for reporting to or by a PSO.

PSOs collect, aggregate, and analyze (via their PSES) the information reported by healthcare
providers. The Act assumes that by analyzing patient safety information, PSOs will be able
to identify patterns of failure and propose measures to eliminate patient safety risks and
improve care. PSOs can share data among themselves.

PSWP receives federal privilege and confidentiality protection. PSWP is the information
assembled and reported by providers to a PSO or developed by a PSO as part of its Patient
Safety Activities (PSAs).

Any information gathered for purposes other than reporting it to a PSO is not protected under
the Act, though it may be under state law.

Consent of all identified providers to a disclosure of PSWP can waive the confidentiality of
that information.

The Patient Safety Act preempts state law that is less protective of data disclosure but interferes neither with state law that provides greater protections nor with state law regarding
information that does not qualify as PSWP.

A provider may not take an adverse employment action against an individual who reports
patient safety concerns to the provider or directly to a PSO in good faith.15

Protected PSWP cannot ordinarily be used in state, federal, or local civil or criminal actions
or administrative disciplinary proceedings. However, it can be used in criminal proceedings
if an in camera review determines that the PSWP (1) contains evidence of a criminal act,
(2) is material to the proceeding, and (3) is not reasonably available from any other source.
Courts can use PSWP to provide equitable relief in certain whistleblower actions. In short,
the PSQIA will not shield evidence of criminal or retaliatory behavior.

The government can assess monetary penalties for violations of confidentiality or privilege
protections.

A network of patient safety databases will provide interactive, evidence-based management
resources for providers, PSOs, and other entities for use in analyzing trends and patterns of
patient safety events. The network will employ common reporting formats and will promote
interoperability among reporting systems. (Neither the law nor the regulations provide guidance or support for the development of the network.)

PSOs are business associates and patient safety activities under the Act are healthcare operations for HIPAA purposes.

13.4 Mandatory State Reporting

A growing number of states require that providers report adverse events to a state agency. Many
state reporting programs create active patient safety agencies to process and publish the information.
Most also provide protection against disclosure of non-aggregated data, though some states publish
the events naming the institution.16, 17, 18 These programs differ from the federal structure in two ways.
First, they require reports while the federal law favors a voluntary system. Second, all reports go to one
agency. (State agencies that receive mandatory reports may also qualify as PSOs.) Under the Patient
Safety Act, a provider can report to any PSO, multiple PSOs or, in some cases, create its own. Some
state programs publicly report data by provider.

15 Adverse employment action, as defined in § 922(e)(2) of the Act, includes loss of employment, failure to promote an
individual, failure to provide any other employment-related benefit for which the individual would otherwise be eligible,
or an adverse evaluation or decision made in relation to accrediting, certifying, credentialing, or licensing the individual.

13.4.1 Joint Commission Sentinel Events

The Joint Commission has a well-established program requiring that providers report sentinel
events. The reporting process is complex and, in some cases, the provider need only demonstrate when
asked that it fully investigated the event with a root cause analysis. The Joint Commission gathers the
reports and issues periodic Sentinel Event Alerts based on its findings.19 As of December 2008, the
Joint Commission had issued 42 Sentinel Event Alerts on a variety of patient safety topics affecting
providers.
13.4.2 Other Quality and Safety Reporting Programs

Several other programs gather reports regarding specific safety issues such as equipment malfunctions, medication errors, and adverse events from drugs. These programs generally protect
non-aggregated data from disclosure. MedWatch, the FDA safety information and adverse event-reporting program, gathers mandatory and voluntary reports about the safety of medications and medical
devices. The program also directs that some reports go to the manufacturers of the item, to be aggregated there and reported to the government.20

The Medication Errors Reporting (MER) Program implemented by the U.S. Pharmacopeia
(USP) created a reporting program which became the national model for healthcare providers
and patients to report medical errors on a confidential basis. The Institute for Safe Medication Practices (ISMP) has been a partner with USP since 1991 and has now taken over this
program. ISMP will continue to use these reports to effect changes in products and practice
both nationally and internationally. ISMP is a designated PSO, which supports the move of the
MER program from USP to ISMP.21

16 Pennsylvania has one of the oldest and most active state organizations; further information is available at
http://www.psa.state.pa.us/psa/site/default.asp. Information about the Indiana Patient Safety Center can be accessed at
http://www.indianapatientsafety.org/. Both agencies report on their event reporting activities each year and issue safety
bulletins periodically when they believe a pattern of events requires attention.
17 See Hospital Adverse Event Reporting: Review of State Statutes and Administrative Rules (2006), at
http://www.nahdo.org/documents/25StateAdverseEventReportingRequirements.pdf. This report lists all state programs
and summarizes their requirements and also refers to some web resources for further information.
18 http://www.in.gov/isdh/23433.htm.
19 http://www.jointcommission.org/SentinelEvents/.
20 http://www.fda.gov/medwatch/What.htm.
21 For reporting or additional information, contact ISMP at www.ismp.org or 1-800-324-5723.

Another program which has seen recent change is MEDMARX. Previously managed and
maintained by U.S. Pharmacopeia, it has now been transferred to Quantros, a healthcare
technology company recently named as a PSO, to create a more robust database of medication
and other medical errors, and to deliver the output to a larger base of providers through
an improved user interface.22

Effective May 7, 2001, the FDA requires that hospitals and blood centers maintain a method
to report, investigate, and track errors and accidents. The Medical Event Reporting System for
Transfusion Medicine (MERS-TM), a web-based system, meets that requirement. MERS-TM
was developed under a grant by the Heart, Lung and Blood Institute and is maintained by
its developers at Columbia University. MERS-TM is an event reporting system developed
for transfusion services and blood centers to collect, classify, and analyze events that could
potentially compromise transfusion safety.23

13.5 Reporting and Risk

The reporting of clinical data, whether mandatory or voluntary, carries some risks that can affect
the various ERM domains. Some connections are very clear while others are more subtle and require
investigation. ERM leaders must seriously consider both the myriad consequences of any reporting
system, and how those effects might appear in their organization. Reporting system variables will
substantially define the potential risks a reporting program presents for an organization. Questions to
answer include:

Will the data be publicly available, with or without identifiers?

Is the information risk adjusted?

Are comparisons reflective of the organization's current environment?

For negative or poor outcomes, what strategies and solutions are in place to prevent future
reoccurrence?

How accurate is your reporting process?

To what extent does the reporting process divert resources needed elsewhere in your
organization?

Table 1 outlines some of the likely risks of reporting programs, and associated steps an organization can take to reduce those risks.
22 In the interest of public health and to assist practitioners and patients, USP will post its five years of MEDMARX data
and eight annual reports on www.usp.org for free, ensuring full access to this clinically important information. All queries
about MEDMARX should be addressed to Quantros (www.quantros.com).
23 For more information, go to http://www.mers-tm.org/about.html.

13.6 Conclusion

Many healthcare providers dive into the reporting process blindly, assuming that the activity is
necessary and that it will benefit the organization. Because reporting requires substantial time and
energy, an ERM analysis will help determine the initial wisdom of participation, provide for the necessary resources to do it well, and allow for redirection if necessary. By assessing the risks, costs, and
benefits of reporting, the organization will knowingly engage in the process, understanding its goals
in participating. By watching how the reporting process works, the organization can redirect resources
and adapt its reporting efforts over time. By evaluating the results, it can know where to direct its
efforts in clinical improvement.
Participation in any reporting process must be weighed against competing uses for resources,
based on an analysis of all domains. How will the effort affect regulatory and legal compliance? How
will it affect the organization's financial picture? In what ways will it change the human resource picture, both by using human capital and influencing the organization's relationship with its employees?
Is the organization ready to make the necessary changes that results may require? How will the act of
reporting and the results of reporting impact the organization's reputation and relationships in all of its
various communities, including the medical staff?
If reporting is mandatory, some of these questions are not relevant. However, the entity can still
determine its own best response to possible reporting outcomes. Does it really want to be best? What
is the upside of being best, and what will it really bring? What are the costs? What are the true downsides
of poor results?
Reporting, like any other organizational activity, can support or detract from an organization's strategic goals. The ultimate result will depend on whether leadership examines reporting options like any
other business decision and then implements its conclusions effectively.
Table 1

RISK CONCERNS
1. Inaccurate reports cause risk in three areas:
- The provider will have a false picture of its patient safety needs and misdirect resources.
- The entire reporting system (e.g., a PSO and its clients) may misdirect resources based on bad information.
- If aggregated data are published, then the audience of those reports will have a false picture of either individual providers or the safety of the healthcare systems.

RISK SOLUTIONS
Because reporting is a relatively new phenomenon, providers lack standardized methodologies for gathering or testing data internally. This can lead to wide variations in the accuracy of reports. When developing procedures to gather and report data, concurrently establish protocols for data review and testing to accomplish the following checks:
- Inspect the systems for generating data. Are the sources likely to be accurate? Are the systems comprehensive?
- Compare the data to itself (over time and between clinical areas) for consistency.
- Use a gut check: does it look and sound right?
- How does the organization compare to others, and does that comparison make sense?

RISK CONCERNS
2. Any reporting structure that involves incentives or punishment can encourage participants to game the system. This leads to dysfunctional results and potentially could impact patient care. For example, the publication of mortality rates may discourage providers from taking the sickest patients. Alternatively, it might discourage physicians from offering non-aggressive comfort care for the sickest patients.

RISK SOLUTIONS
Keep any direct consequences of reporting in context by looking at the following questions:
- What is the provider getting by meeting the goal? What is it giving up?
- What unintended shifts in clinical processes and/or outcomes have resulted (or are likely to result) from the incentives?
- Can the link between the incentives and the unintended result be broken?
- How do the potential unintended consequences balance against the gain from the reporting incentives?
Educate employees and physicians about the downside of unintended consequences.

RISK CONCERNS
3. Issues subject to reporting tend to get more attention, and that can divert valuable resources from other provider needs. Mandatory reporting systems do not usually address issues based on individual assessments of providers. So unique concerns not covered by the reporting systems may be ignored for lack of capital and human support.

RISK SOLUTIONS
Utilize an ERM framework to rank the risk of nonreporting or of ignoring reported issues against the opportunity cost of directing resources to the issues highlighted by outside programs with the following questions:
- What does the provider lose with noncompliance or gain with compliance? Look at governance, regulatory, financial, reputation, liability/legal, and human resources implications.
- How do those findings fit into the organization's strategic goals?
- What other applications of those resources will be abandoned?
- Who will do the work? Is there new staff, or will existing staff add this to their responsibilities? Will it require new technology or additional staff? Is the diversion of human and financial capital justified in light of other strategic goals?
- Can the content and structure of reporting be altered by reevaluating PSO relationships?

RISK CONCERNS
4. Providers that do not improve will suffer disproportionately. Ongoing data collection will demonstrate their mounting failure to keep up with others who improve, as the move to transparency puts more data out to consumers. The failure to improve can arise from a number of causes:
- Insufficient resources to address the problem without compromising other strategic goals.
- Inability or unwillingness to change behavior to improve care, a purely local effort unrelated to the reporting process or the proposed solutions.
- Incorrect approaches to improvement.

RISK SOLUTIONS
Several steps need to occur in the face of a persistent failure to improve:
- Analyze the benefits and risks of meeting the expectations (process outlined above). Is continuing with this reporting and evaluation process mandatory? If not, is it a good idea?
- Consider allocating the financial and human capital for the difficult process of generating behavior change.
- If the approach to improvement is just wrong, others should experience the same problem and generate a wide response and changes to the recommended solution.
- Any failure to improve should result from a conscious decision, not from incomplete planning or poor implementation of the process.
Behavior change often requires intense work at the front line, working with the staff that delivers care. It does not come from education or punishment. A number of leadership initiatives address this issue, and management should choose one that meets the particular needs of the organization.

RISK CONCERNS
5. The ever-expanding variety of reporting programs has generated a plethora of data-gathering activities. They measure very different things, in different ways. This consumes tremendous amounts of time and energy (discussed above) and can produce apparently inconsistent results. For example, a facility might track pressure ulcers through event reports and report on the number of pressure ulcers that appear through the billing codes. Those numbers might differ, because the pressure ulcer will only appear in the billing if the physician identified it as a primary or secondary diagnosis.

RISK SOLUTIONS
Using an ERM ranking approach, examine the reporting options, including the realistic cost of each, the benefits of reporting, the risk related to poor data-gathering, and the opportunity cost resulting from any steps to reconcile the data. This should include an intense review of similar or overlapping programs to look for opportunities for efficiency.
If two or more programs touch the same source information, confirm that the resulting data do not conflict, or if they do conflict, that there is a reason. Are they necessary and/or desirable?

RISK CONCERNS
6. Public reporting of negative findings can lead to a loss of trust.

RISK SOLUTIONS
Make sure that all relevant departments learn of the likely publication of unfavorable results so systems like public relations, marketing, and physician relations can prepare. Be ready to talk about the efforts to improve. This requires the organization to study and understand the data before reporting it.

RISK CONCERNS
7. Efforts to improve reported results can lead to the inappropriate use of medical treatments such as antibiotics. For example, efforts to encourage early administration of antibiotics for patients with possible pneumonia resulted in overtreatment with those drugs.

RISK SOLUTIONS
Any new clinical initiative, including those for patient safety, should include ongoing review of related care to look for changes, both negative and positive. After this assessment, decide whether the benefits justify any negative outcomes.

RISK CONCERNS
8. Reports may mislead consumers if the underlying data are not accurate or appropriately risk-adjusted.
Caution: If the provider knowingly incorporates inaccurate reports into marketing materials, the affected consumers could seek recovery under consumer protection laws which allow for greater recoveries, attorney fees, or recovery in the absence of physical injury.

RISK SOLUTIONS
Accuracy of data should be a priority.
The risk adjustment process often falls outside of the provider's control. Address it through audience education. If the risk adjustment is just wrong, examine the organization's data that sets the risk adjustment. Is accurate information going into case mix calculations?
Providers need to accept that no reporting or measuring system is perfect.

RISK CONCERNS
9. An increase in the number of events reported often indicates greater cooperation with a patient safety program. Higher numbers also may lead to an inaccurate perception of poor care.

RISK SOLUTIONS
The entity publishing the data should explain that the program's success depends on complete reporting, and that increasing numbers reflect improved compliance with the reporting requirements. For example, Indiana's report on its 2007 Medical Error Reporting System data reflects that the state expected increased numbers, and that consumers should not judge providers based on those numbers.
The provider can also educate the audience, stressing its efforts to learn and improve. Positive patient satisfaction results and great patient experiences will balance the community perception.

RISK CONCERNS
10. Many laws protect whistleblowers who report information to a PSO or state agency from retaliatory treatment, including discharge.

RISK SOLUTIONS
Good personnel records that include ongoing evaluations of competency and compliance with employee regulations can protect a provider that takes action against a whistleblowing employee.
Effective and trusted internal contact points for concerned employees can deflect employee reports to outside agencies. However, the employer cannot mandate that employees report internally first.

RISK CONCERNS
11. Information gathered and analyzed in anticipation of reporting may be discoverable, even if the actual information reported is not.
Reported events may be published.

RISK SOLUTIONS
State quality and peer review statutes may provide protection, and the organization should consider those provisions when designing reporting structures.
The PSQIA regulations do not protect information unless it is reported.
The ERM analysis should include consideration of both the upside and downside of reporting, as well as evaluating whether the information is likely to be discoverable in another form, making this threat less important. For example, if a plaintiff could ask for the facility's infection rate and get that information, then the protection of the process that develops that figure is less important. Can the organization use its participation in a quality or safety program as a positive thing?


Adverse Event Reporting: Reporting for Patient Safety and Public Health
Appendix: National Quality Forum 2006 Serious Reportable Events
Surgical Events
1. Surgery performed on the wrong body part.
2. Surgery performed on the wrong patient.
3. Wrong surgical procedure performed on a patient.
4. Unintended retention of a foreign object in a patient after surgery or other procedure.
5. Intraoperative or immediately post-operative death in an ASA Class 1 patient.
Product or Device Events
6. Patient death or serious disability associated with the use of contaminated drugs, devices, or
biologics provided by the healthcare facility.
7. Patient death or serious disability associated with the use or function of a device in patient
care, in which the device is used or functions other than as intended.
8. Patient death or serious disability associated with intravascular air embolism that occurs
while being cared for in a healthcare facility.
Patient Protection Events
9. Infant discharged to the wrong person.
10. Patient death or serious disability associated with patient elopement (disappearance).
11. Patient suicide, or attempted suicide resulting in serious disability, while being cared for in a
healthcare facility.
Care Management Events
12. Patient death or serious disability associated with a medication error (e.g., errors involving
the wrong drug, wrong dose, wrong patient, wrong time, wrong rate, wrong preparation, or
wrong route of administration).
13. Patient death or serious disability associated with a hemolytic reaction due to the administration of ABO/HLA-incompatible blood or blood products.
14. Maternal death or serious disability associated with labor or delivery in a low-risk pregnancy
while being cared for in a healthcare facility.
15. Patient death or serious disability associated with hypoglycemia, the onset of which occurs
while the patient is being cared for in a healthcare facility.
16. Death or serious disability associated with failure to identify and treat hyperbilirubinemia in
neonates.
17. Stage 3 or 4 pressure ulcers acquired after admission to a healthcare facility.
18. Patient death or serious disability due to spinal manipulative therapy.
19. Artificial insemination with the wrong donor sperm or wrong egg.
Environmental Events
20. Patient death or serious disability associated with an electric shock or elective cardioversion
while being cared for in a healthcare facility.
21. Any incident in which a line designated for oxygen or other gas to be delivered to a patient
contains the wrong gas or is contaminated by toxic substances.
22. Patient death or serious disability associated with a burn incurred from any source while
being cared for in a healthcare facility.
23. Patient death or serious disability associated with a fall while being cared for in a healthcare
facility.
24. Patient death or serious disability associated with the use of restraints or bedrails while being
cared for in a healthcare facility.
Criminal Events
25. Any instance of care ordered by or provided by someone impersonating a physician, nurse,
pharmacist, or other licensed healthcare provider.
26. Abduction of a patient of any age.
27. Sexual assault on a patient within or on the grounds of the healthcare facility.
28. Death or significant injury of a patient or staff member resulting from a physical assault
(i.e., battery) that occurs within or on the grounds of the healthcare facility.


14
Human Research and IRBs
Fay A. Rozovsky, JD, MPH
President, The Rozovsky Group, Inc.
14.1 Introduction

Clinical research is a major factor in healthcare organizations, from large teaching hospitals to
medical group practices and home health organizations. Human research spans the gamut, from investigational drugs and devices to behavioral studies. For healthcare organizations, being the venue for
sponsored research can result in a significant source of revenue. It can also expose healthcare entities
to an array of liability risk.
In many ways the ability to control clinical research risk exposure turns on the effectiveness of the
institutional review board (IRB) and research office. Due diligence in reviewing research protocols,
rigorous review of sponsor agreements, ongoing vigilance and oversight of research trials and billing
are important measures to thwart potential risk exposure.
Successful human research and IRB activity demands input from healthcare counsel for a healthcare entity. Understanding potential liability exposures and the mechanisms to control them makes human
research ripe for the application of enterprise risk management.
14.2 Overview of Human Research Requirements

In the United States, human research is governed by both federal and state requirements. At the
federal level, some 19 federal departments and agencies follow what is termed the Common Rule,1
a set of consistent regulatory requirements that are found in the Code of Federal Regulations. Thus if
one views consent requirements for clinical trials overseen or sponsored by the Department of Energy,
the language would be the same in a corresponding section of the CFR for the Department of Health
and Human Services. One major exception is the Food and Drug Administration (FDA), which has
some variations, particularly in the area of consent to participation in clinical research trials.2

1 See, generally, 44 CFR 46 et seq.
2 See, generally, 21 CFR 50.20.

At the state level there is an array of legislative and regulatory requirements on human research
trials. California,3 New York,4 and Virginia5 have the most detailed state laws on human research.
Other states have taken a different approach, including provisions addressing participation in clinical
trials in legislation governing long term care residents,6 prisoners,7 and those with substance abuse
challenges.8 Other state laws address fetal research.9
The point is that in the United States there is no one law that addresses the conduct of human
research trials. For legal counsel, a threshold consideration is to determine which laws are applicable
to clinical research in the healthcare entity.
14.3 Federal Regulatory Infrastructure

Using the Department of Health and Human Services regulations as a model for others under the
Common Rule, one can see the logic of the rules governing human research. The regulations identify
what are considered exempted activities10 and those that require review by an Institutional Review
Board.11 The regulations are quite specific, too, about the membership of the IRB and the obligations
of this group in reviewing protocols with a view to safeguarding the rights and welfare of research
subjects.12 Thus, the IRB is obliged to review study design with a view to approval of research trials,13
consent requirements and documentation,14 and, in appropriate cases, take action to either suspend or
terminate a protocol.15
A duly constituted IRB must give written assurances that it will comply with the federal policy on
human research.16 The Federalwide Assurance (FWA) for human research tracks the core principles
found in the Common Rule. The Office of Human Research Protections (OHRP) has created forms to
complete for the written assurance.17
The Federalwide Assurance (FWA) is the only type of new assurance of compliance accepted
and approved by OHRP for institutions engaged in non-exempt human subjects research conducted or
supported by HHS. Under an FWA, an institution commits to HHS that it will comply with the requirements set forth in 45 CFR part 46, as well as the Terms of Assurance.
3 Cal. Health & Safety Code 24170; Cal. Penal Code 3500 et seq.
4 NY Pub. Health Law 2440 et seq.
5 Va. Code 32.1-162.16 et seq.
6 See, e.g., Md. Health Code Ann. 19-344.
7 Ariz. Rev. Stat. Ann. 31-321 et seq.
8 Okla. Stat. Ann. 63 2-101.
9 See, e.g., Ind. Code Ann. 16-34-2-6 and Neb. Rev. Stat. 28-342.
10 45 CFR 46.101(b).
11 Id.
12 45 CFR 46.103.
13 45 CFR 46.111.
14 45 CFR 46.117; for FDA consent requirements, see 21 CFR 50.25.
15 42 CFR 46.113.
16 42 CFR 46.103.
17 See the form at http://hhs/gov/ohrp/humansubjects/assurance/filasurt.htm.

FWAs also are approved by OHRP for federalwide use, which means that other federal departments and agencies that have adopted the Federal Policy for the Protection of Human Subjects (also known as the Common Rule) may rely on the FWA for the research that they conduct or support.
Institutions engaging in research conducted or supported by non-HHS federal departments or agencies
should consult with the sponsoring department or agency for guidance regarding whether the FWA is
appropriate for the research in question. There are two versions of the FWA and the Terms of Assurance, one of each for domestic (U.S.) institutions and for international (non-U.S.) institutions.18
The FWA19 is a key component of regulatory compliance. The Office of Human Research Protections Division of Compliance Oversight (DCO) conducts evaluations and responds to allegations
of noncompliance. On its website OHRP publishes information about significant findings of noncompliance.20 It also offers a variety of guidance documents that can be used to avoid regulatory
problems.21
For healthcare counsel conversant with the Conditions of Participation and State Operations
Manual, the FWA and OHRP compliance guidance is an analog in the area of clinical research. As
healthcare counsel would use the COP standards and Interpretive Guidelines to achieve regulatory
compliance, the same approach can be used with the OHRP material.
Beyond the OHRP, other federal requirements should be kept in mind. Of particular import are
provisions involving clinical trials and Medicare. In a National Coverage Decision (NCD), Medicare
has delineated what it will and what it will not consider a covered service or item.22 From a practical
perspective, the NCD requires careful legal review and discussion with those responsible for coding
and billing to make certain that items and services are attributed correctly to Medicare, private payors,
and clinical trial sponsors. Taking such a step is important to avoid allegations of fraud and abuse
related to human research trials.
14.4 Sponsored Research Trials

Federal, state, and international legal requirements are but one side of a much more complex legal
context for clinical trials. To a large extent, sponsor agreements dictate the scope and dimensions of
human research. Subject recruitment, retention, and termination of subjects from a trial, conflict of
interest, access to data, record retention, suspension of research, payment, information sharing with
data safety monitoring boards (DSMBs), liability, and insurance are just some of the topics often
addressed in sponsor agreements. The terminology and phraseology used may often dictate the scope
of sponsor risk-taking and risk-shifting to healthcare facilities. As such, legal counsel should review
carefully the terms and conditions of a sponsor agreement with a view to defusing needless liability
risk exposure.

18 From: the Office of Human Research Protections, http://www.hhs.gov/ohrp/FWAfaq.html#q5.
19 Id.
20 To view this information, go to www.hhs.gov.ohrp/compliance/findings.pdf.
21 To view these documents, go to www.hhs.gov/ohrp/policy/index.htm#topics.
22 For a good Q&A on the topic, see http://cms.hhs.gov/determinationprocess/downloads/id210qa.pdf.


Consider the following risk exposures in a sponsor agreement:
Record retention. The agreement sets a limitation period that is inconsistent with the healthcare
organization's policy on electronic or paper-based records. The timeframe used may also be inconsistent with the healthcare facility's e-Discovery rules.
Record access. The agreement severely limits access to data by the principal investigator or the
healthcare organization. In doing so, the agreement attempts to label information often necessary for
legal or regulatory purposes as intellectual property. In other situations, the sponsor may insist on
access to patient level identifiable information to an extent not contemplated by the healthcare organization's HIPAA Privacy acknowledgment signed by a patient or surrogate.
Vague Definitions. A common problem found in many sponsor agreements is the lack of precision in key definitions. For example, a clause may state that the sponsor agrees to hold harmless and
indemnify the healthcare organization for any injuries to research subjects directly related to the use
of the test article or device, provided, however, that the test article or device was used in a manner
outlined in the study protocol. On the face of it, the clause appears quite straightforward. However,
what is the meaning of the phrase "directly related to" when a patient experiences an adverse outcome
while also receiving treatment with a drug approved for therapeutic use? How would one be able to
establish that the injury was directly the result of the test article and not either a synergistic effect of
the combined therapy and test article or the test article alone?
Insurance Coverages. The contract may give the appearance of having appropriate insurance
coverages. However, if it does not address cyber risk or identity theft, and the healthcare organization has not contemplated such exposures in its insurance portfolio, how will it address such liability
exposure?
Principal Investigator Continuity. The sponsor agreement permits the substitution of another individual for the principal investigator, typically within a specified timeframe. However, the language
states "approved by the sponsor." It does not speak to the healthcare entity having a voice
in the selection or approval process.
Notification Provision. The contract requires the healthcare facility or principal investigator to
report adverse outcomes or deaths, but there is no reciprocal provision for the sponsor. Absent such
a provision, the healthcare organization and principal investigator may continue with the trial even
though serious adverse events have taken place at other venues that would warrant the local IRB to
consider suspending the trial.
Changes to the Research Protocol or Agreement. The sponsor may reserve the right to modify
the protocol or the numbers of participants in a trial in the study agreement. Absent the IRB knowing
about such changes, the study design may be modified to an extent that is not acceptable in terms of
the rights or welfare of subjects. Similarly, if the sponsor changes the formula for payment, there can
be considerable gaps in cash flow.

14.5 IRBs and the Research Office

A healthcare organization may or may not have its own IRB. Often a research protocol may be
approved by an IRB situated elsewhere. Under agreements, the local healthcare organization agrees
to participate in the trial, following the provisions of the research protocol. At other times the local
healthcare organization may have its own IRB and that body will review the protocol. In such a multicenter trial the opportunity is ripe for disputes about consent provisions between IRBs. Yet in other
situations a CRO or clinical review organization may be involved as the IRB.
Separate from the IRB, healthcare facilities often have a Research Office. Staffed
with individuals responsible for sponsored trials, clinical trials contracts, and daily administration, such an office offers a
great opportunity for high-quality programs that detect early on the potential for regulatory noncompliance and billing issues. Many Research Offices include a Chief Research Officer or Director of
Research with compliance training.
The IRB often has a full-time administrator who is skilled at managing the work of the institutional review board. Training and certification programs exist for IRB personnel, including the CIP
program from PRIM&R.23 Other training programs, including education materials, are made available
by OHRP24 and proprietary courses.25
At the IRB level, hands-on training is required for members. This includes orientation and regular
updates. The same kind of approach is prudent for principal investigators and their staff.
Training regimens should extend to senior management of the healthcare organization and the
board of directors or trustees. It should not be assumed that an IRB's approval is sufficient. With good
training, the board should know the types of questions to ask when providing final approval for a major
research project to be rolled out at the healthcare organization. At the senior management level, the
CFO, CNO, CMO, and risk management should be conversant with what is anticipated in the research
trial. In this way, coding, billing, insurance coverages, and staffing needs can be anticipated for the
human research investigation. Getting to this stage, however, requires rigorous review by legal counsel of the legal dimensions of the research project.
23 Information on the Certification for Institutional Review Board (IRB) Professionals can be found at www.primr.og/Certification.aspx?id=2068ekmensel=c580fa7b_48_80_btnlink.
24 See http://www.hhs.gov/ohrp/educational/index.html#materials.
25 See, e.g., Research Compliance & Research Integrity, www.hccs.com/research.html.

14.6 Why an Enterprise Risk Management Model

Human research involves clinical, financial, regulatory, liability, and fiduciary responsibilities.
Although the IRB may act on delegated authority of the board of directors of a healthcare entity, it
is the healthcare organization that is ultimately responsible for acting on the recommendations of the
Institutional Review Board. Negligent review or oversight can trigger liability for the organization.
Similarly, approval of an imprudent study resulting in losses for the organization can impact the liability of the board and officers of the organization in terms of their fiduciary responsibility as the good
stewards of the healthcare entity. Given these issues, a comprehensive risk framework would be very
useful for addressing successful human research and IRB activity.
A case example illustrates this point.
T.M. Provenci, M.D., had a long track record in clinical research. He was also respected as an
interventional cardiologist. Dr. Provenci landed a three-year study to test a new medication
to prevent restenosis following angioplasty. The study involved a double-blind, randomized
protocol requiring the enrollment of a minimum of 5,000 qualified subjects between
55 and 72 years of age who had not previously undergone any revascularization procedures.
The study required local IRB approval. The sponsorship agreement did not contain any hold
harmless or indemnification provision. It did not make clear that the study was part of an
international study that originated in Australia and that the choice of law was Australian
federal requirements. The latter information was in an attachment B referenced in the main
document but not appended to the master sponsorship agreement. Dr. Provenci assured the
IRB Administrator's assistant that the attachment was just routine information.
Dr. Provenci was in a rush to get the IRB to approve the study. The hospital CMO also
wanted the study approved quickly. Unbeknownst to the IRB, the CMO held stock in the
pharmaceutical company that was sponsoring the study. Although the CMO did not sit on the
IRB, he reminded the IRB Chair of the importance of the research for the hospital.
The IRB approved the study. Dr. Provenci and his research coordinator began a vigorous
campaign to enroll patients in the study. The Director of Research was on extended leave
and his administrative assistant did the best she could to provide oversight. She dutifully
reviewed the reports submitted by Dr. Provenci that described in a succinct manner how
research subjects were enrolled in accordance with the study protocol.
During the course of the three-year study, Dr. Provenci accepted a visiting lectureship in
Toronto. He was out of the country for 12 months. However, the study coordinator continued
to submit claims under the grant indicating that at all times Dr. Provenci was providing direct
supervision of the study.
An internal auditor pinpointed discrepancies in coding and billing for some 25 patients who
were also enrolled in the Provenci study. Many of the questions involved double-billing
for electrocardiograms, lab studies, and diagnostic imaging. The amount in dispute was
$250,500. When the internal auditor called to speak with Dr. Provenci, she learned that he
was unavailable.
Using the "tip of the iceberg" approach, the internal auditor delved more deeply into the
study. She found that there were glaring errors in research subject enrollment practices. Over
34% of participants were outside the age parameters specified in the study plan and 15% had
undergone a previous revascularization procedure that should have been a disqualification
factor.


About the same time, the risk manager took receipt of a formal claim alleging negligent
informed consent involving an angioplasty patient. The patient asserted that he had not been
properly informed of the alternatives to the experimental treatment and that had he received
this information, he would have chosen established therapy. The risk manager opened a claims
file and reviewed the situation. He found the claimant was a research subject in Dr. Provenci's
study. When he attempted to speak with Dr. Provenci, the risk manager learned that he
was out of the country.
Three other claims occurred in short order involving the study, all with the same allegation.
The risk manager spoke with the research office coordinator and obtained a copy of the
sponsorship agreement. The risk manager discovered the absence of boilerplate language for
hold harmless and indemnification that was supposed to be standard in all research agreements
at the facility.
About the same time, the research office received a registered letter from the sponsor
questioning a number of invoices submitted under the study. The sponsor had done an audit
of the local files and found many of the same issues identified by the internal auditor. The
letter concluded, "We believe that there are glaring deficiencies in the conduct of the study. An
attempt to meet with Dr. Provenci during the site visit was unsuccessful. It was learned that
he was on a visiting lectureship and was not expected to return for three months. However,
the invoices submitted for the research trial indicate that he is providing on-site supervision.
We believe that these invoices have been submitted in a fraudulent manner and in accordance
with clause 3.2.5 of our sponsorship agreement hereby terminate Dr. Provenci and the hospital
from further participation in the study. Further pursuant to clause 5.7.8, we are withholding
any further payments and demand the return of the amounts paid to satisfy claims 308, 309,
and 310 in the amount of $79,670.00."
Dr. Provenci was summoned to return to the hospital to account for what had transpired. His
actions were considered to constitute professional misconduct and his appointment to the
medical staff was terminated. Because Dr. Provenci's medical professional insurance did
not cover clinical research related events, the hospital decided to settle the four claims. The
decision was based on a desire to contain what could be very expensive claims and onerous
publicity.
A whistleblower complaint was filed with the Office of Human Research Protection alleging
impropriety in the conduct of clinical research at the facility. Among the allegations were
claims that the IRB did not exercise appropriate oversight, that safeguards were not in place
to monitor subject enrollment and consent, and there was evidence of conflict of interest
that had not been addressed in the institution. At the same time, state Medicaid launched
an investigation into alleged fraudulent billing for services it said were to be satisfied by
the research sponsor. The hospital entered into a corrective action agreement that involved
a major overhaul of the research office, the IRB, and the termination of the CMO. It also
remitted more than $35,000.00 in payment to the state Medicaid program and it entered into
a corporate integrity agreement that required development of a rigid firewall in billing
research sponsors and the state Medicaid program.
This is a fictitious case illustration. However, it demonstrates the type of complexity that can arise
in legal exposures stemming from clinical research. It illustrates, too, the importance of an enterprise
risk management approach to clinical trials and the work of the IRB.
The case study reflects a number of enterprise risk exposures, including the following:
Regulatory Risks. The case involved non-compliance with respect to human research review and
oversight and Medicaid fraud.
Legal Risks. Compliance issues were plentiful in the case study giving rise to legal issues. Breach
of contract and allegations of negligence were also issues found in the case study.
Operational Risks. The case study revealed serious concerns in terms of qualified personnel to
handle research and oversight. Process issues involving billing and coding were evident. That the
CMO had a financial conflict of interest was not well-elucidated. However, he used his position to try
to exert influence on the IRB. This is an ethical issue and a matter that involves operational integrity
risks. Further, the lack of adherence to a consistent process in IRB review, oversight, and research
oversight played a role in the case study.
Financial Risks. The failure to review carefully the sponsorship trial agreement led to a gap in
possible insurance coverage that may have helped to address the costs of the claims filed by four
research subjects. The case study revealed an absence of good financial management in terms of
billing and coding mechanisms. The legal fees associated with responding to negligence claims, the
whistleblower matter and the Medicaid investigation could involve serious financial risk exposure for
the healthcare facility.
Contractual Risks. The contract had major flaws, including insurance coverage provisions and the
ability to cure defects, a mechanism often found in agreements. Moreover, the contract lacked the
ability to substitute a new person to serve as principal investigator when there were concerns about
Dr. Provenci.
Reputational Risks. The losses associated with the claims and the investigations had the potential
to give rise to serious adverse publicity. Bad press coverage could serve as a deterrent to other sponsors involving the healthcare entity in clinical research trials. Further, the community may question the
integrity of the institution in the aftermath of alleged research improprieties.
Staffing Risks. The lack of qualified personnel was evident in the management of the research office.
When a key administrative person is absent for a period of time there needs to be a business continuity
plan that anticipates filling the position on a temporary basis by someone with appropriate credentials
and experience. The failure to do so can lead to the type of issues that emerged in the case study.
In an enterprise risk management program, healthcare counsel has considerable responsibility
and needs good communication systems. In human research trials and IRB administration, the
healthcare counsel can help establish parameters for an enterprise risk management program that
encompasses a number of factors. Rather than wait for a problem to emerge that triggers legal involvement, healthcare counsel can facilitate development of enterprise-wide practices and systems to
forestall the types of situation that emerged in the case study.
14.7 An Enterprise Risk Management Systems Checklist for Human Research and IRB Administration

The following checklist provides a framework for an ERM approach to human research and IRB
administration. Central to such an approach is a collaborative effort among leadership, clinical research
professionals, risk management, billing, and the healthcare counsel.
the institution has a current FWA;
the institution has a template for reviewing and negotiating sponsor research agreements;

there is a training program with demonstrated competencies for principal investigators and
research staff;

there is a training program with demonstrated competencies for members of the IRB;

there is a training program with demonstrated competencies for personnel in the Research
Office;

there is a practice routine for identifying and partitioning billing and coding for clinical
research;

there is an internal audit process used on a regular basis to evaluate compliance with coding
and billing in clinical research;

there is a current policy and procedure that addresses administrative aspects of the IRB and
Research Office;

the IRB reviews research protocols consistent with applicable federal and state
requirements;

oversight mechanisms evaluate:

subject enrollment;

subject remuneration practices;

consent practices with all types of research subjects;

assent with minor research subjects;

consent documentation practices;

expedited review;

exempted work activity;

emergency use (See FDA regulations26);

26. See 21 CFR 50.3.

emergency research (See FDA guidance27 and state law28);

conflict of interest provisions;

early termination of study;

disenrollment from a study;

adverse event identification;

adverse event reporting;

mandatory reporting to sponsors;

mandatory reporting to medical examiner or coroner;

monthly checks of the Office of Scientific Misconduct list;

monthly checks of federal debarment lists (Medicare and Medicaid);

management of insured research subjects;

a policy and procedure for disclosure of adverse and unanticipated outcomes of clinical
research;

use of root cause analysis to evaluate research studies resulting in serious injury or death;

there is a linkage with the corporate compliance program zero tolerance process to address
identified issues of scientific misconduct and fraud and abuse;

there is a regular review of insurance coverages for clinical research including but not limited
to:

liability;
workers' compensation;
property;
business interruption;
key person;
cyber risk;
identity theft;
intellectual property theft; infringement;
insurance specifications for international research.

Checklists aside, there are some specific measures for healthcare counsel to consider in helping
to give shape to an enterprise risk approach to clinical research and the work of the IRB. A threshold
initiative calls for legal counsel to identify the statutes and regulations that apply to research trials.
Identifying applicable law is fairly straightforward when a protocol involves competent adults
within the confines of the jurisdiction in which the research is to take place. However, it is quite another
matter when research involves a multicenter or multinational protocol. On an international level, it
is important to note that many countries have laws that govern human research trials. The international provisions may address privacy requirements and research protocol review standards. They may also
involve specific insurance requirements that must be met before embarking on a clinical trial.29

27. Guidance for Clinical Investigators, Institutional Review Boards and Sponsors, Exception from Informed Consent Requirements for Emergency Research, 71 Fed. Register 51,198 et seq. (August 29, 2006).
28. See, e.g., R.I. Gen. Laws 23-17-19.1.

With a host of laws potentially applicable to a research trial, healthcare counsel can foster a practical yet comprehensive legal review that helps resolve the impact of these disparate laws governing
research. Similarly, legal counsel can help synthesize solutions to contractual requirements that are
inconsistent with applicable law and the legal philosophy of the healthcare organization with regard
to research trials. Seen in this way, handling these legal considerations can help solidify a strong enterprise risk management program for clinical research.
14.8 Conclusion

Human research is an important aspect of the healthcare industry. It provides the context for
important innovations in clinical care and it offers the potential of a strong, consistent revenue stream
for a healthcare organization.
Human research trials also involve the unknown and risks abound to potential research subjects. It
is imperative that appropriate mechanisms are in place to safeguard the well-being of human subjects
and the integrity of the research process.
Enterprise risk management offers a context for addressing the range of risks associated with
human research trials and the work of the IRB. Pivotal to success is the involvement of legal counsel in
all segments of the ERM model for such endeavors. To this end, a useful list of resources can be found
in this chapter to help start the process toward an ERM model for clinical research.

29. F.A. Rozovsky and R.K. Adams, Clinical Trials and Human Research: A Practical Guide to Regulatory Compliance, San Francisco: Jossey-Bass, 2003.

Resources

E.A. Bankert and R.J. Amdur, Institutional Review Board: Management and Function, Second Edition. Boston: Jones and Bartlett, 2006.

P. Brent and L. W. Vernaglia, Editors, Clinical Research Compliance Manual: An Administrative Guide. New York, 2007.

R. Carroll, Editor, Risk Management Handbook for Health Care Organizations, Fifth Edition. San Francisco: Jossey-Bass, 2006.

ECRI, Healthcare Risk Control. ECRI Institute.

F.A. Rozovsky, Consent to Treatment: A Practical Guide, Fourth Edition. New York: Aspen
Publishers (2007 with 2008 supplement).

F.A. Rozovsky and R.K. Adams, Clinical Trials and Human Research: A Practical Guide to
Regulatory Compliance. San Francisco: Jossey-Bass, 2003.

F.A. Rozovsky and J.L. Conley, Health Care Organizations Risk Management: Forms,
Checklists & Guidelines, Second Edition. New York: Aspen Publishers, 2007 (with 2008
supplement).

Listing of Federal Departments and Agencies participating in the Common Rule:


Agency for International Development

Central Intelligence Agency

Consumer Product Safety Commission

Department of Agriculture

Department of Commerce

Department of Defense

Department of Education

Department of Energy

Department of Health and Human Services

Department of Homeland Security

Department of Housing and Urban Development

Department of Justice

Department of Veterans Affairs

Department of Transportation

Environmental Protection Agency

International Development Cooperation Agency

National Aeronautics and Space Administration

National Science Foundation

Social Security Administration


15 Mandatory Disclosure of Adverse Events to Patient/Family
Peter J. Hoffman, Esq.
Eileen Lampe, Esq.
Joseph V. Conroy IV, Esq.
Eckert Seamans Cherin & Mellott, LLC
Joan D. Plump, Esq.
Attorney at Law
15.1 Introduction

In 1999, the Institute of Medicine (IOM) released a landmark report, To Err is Human, which
revealed that medical injury was causing many deaths and called on the healthcare community to make
reduction of medical errors a priority. Since then, medical errors and tort reform have received a great
deal of attention and many changes have occurred in how healthcare organizations think about and
deal with adverse events.1
One essential change has been that now, after an adverse event, providers are encouraged and
often required to share information about what went wrong and why. Sometimes details relating to the
event must be reported so they can be studied, with the hope that organizations and people may truly
be able to learn from mistakes. Additionally, both to promote patient safety and in an attempt to help
contain skyrocketing medical professional liability costs, healthcare organizations and providers may
be required to disclose the occurrence of an adverse event to the affected patient, and perhaps to the
patient's family.
Obviously, it is important for a healthcare organization to be aware of when disclosure of adverse
events is required. The people within those organizations also should understand why disclosure is a
beneficial practice for everyone involved, and how best to go about it. This chapter will deal briefly
with these subjects.

1. The American Society of Healthcare Risk Management (ASHRM) defines an adverse event as an injury that was caused by medical management rather than the patient's underlying disease. It may or may not result from a medical error. Medical management includes all aspects of healthcare, not just actions and decisions of physicians and nurses.

15.2 When Disclosure is Necessary

Disclosure may be required by the Joint Commission, state law, insuring provisions, and organizational policies and procedures, just to name a few. This section will briefly discuss some of these
requirements.
15.2.1 The Joint Commission's Requirement

The Joint Commission requires that patients, and when appropriate, their families be informed
about the outcomes of care, treatment, and services that have been provided, including unanticipated
outcomes.2 One element of performance under this standard is that, at a minimum, patients, and
where appropriate the family, be informed about unanticipated outcomes of care, treatment, and
services that relate to sentinel events considered reviewable by the Joint Commission.3 The list of
sentinel events considered reviewable by the Joint Commission includes the following:

any patient death, paralysis, coma or other major permanent loss of function associated with
a medication error;

an operation on the wrong side of a patient's body;

any maternal death related to the birth process;

a hemolytic transfusion reaction involving major blood group incompatibilities; and

a foreign body, such as a sponge or forceps, left in a patient after surgery.4

15.2.2 State Law

Disclosure of adverse events or unanticipated outcomes also may be required by state law. As
of 2008, at least 12 states, i.e., California, Connecticut, Florida, Maryland, Nevada, New Jersey, New
York (only facilities licensed by the N.Y. Dept. of Mental Health), Oregon, Pennsylvania, South Carolina (Ambulatory Surgery Centers only), Tennessee, Vermont, and Washington, had statutes requiring
mandatory notification to patients of adverse events.5 Other states may well adopt similar laws as the
evidence supporting the practice of disclosure grows. Currently, many other states have laws that
exclude expressions of sympathy after an adverse event from being used as proof of negligence,
but do not also require that adverse events be disclosed.6

2. JCAHO Standard RI.2.90, Comprehensive Accreditation Manual for Hospitals: The Official Handbook; Refreshed Core, January 2007.
3. Id., Standard RI.2.90; EP2.
4. Id.
5. California (Hospitals - In Person), Cal. H & S Code 1279.1(c); Florida (Different Requirements for Hospitals and Physicians), Fla. Stat. 395.1051 and 456.0575; Maryland (Hospitals Only), COMAR 10.07.06.14 11(F); Nevada (Hospitals and Physicians), Nev. Rev. Stat. 439.855; New Jersey (Hospitals and Physicians), N.J. Stat. 26:2H-12.25; New York (Only Facilities licensed by Department of Mental Hygiene), 14 NYCRR, 624.6; Oregon (Hospitals and Physicians), Oregon Law 2003, Section 4, Chapter 686; Pennsylvania (Hospitals - In Writing), 40 P.S. 1303.308(b); South Carolina (Ambulatory Surgery Centers Only), S.C. Code of Regs. 61-91-601(C); Tennessee (Hospitals and Physicians), TCA 68-11-211(d)(1); Vermont (Hospitals - In Person), 18 V.S.A. Chapter 43A 1915(1)(D); Washington (Hospitals and Physicians), RCW 70.41.3805.
6. Id.

The specific circumstances in which disclosure of an adverse event is required, as well as details
of how and when disclosure must be accomplished, vary among the states that currently have mandatory disclosure laws. It is critical that attorneys working within an organization or advising healthcare
organizations are familiar with state-specific statutory or regulatory requirements regarding the disclosure of adverse events. Providers and risk managers also must be aware of applicable disclosure
requirements. In some states, such as Pennsylvania, there are also reporting requirements with respect
to adverse events.7 The appropriate people in the organization must be aware of these requirements as
well. It is possible that some day soon there also will be a federal law requiring disclosure. Two U.S.
senators recently proposed such legislation as one element in a comprehensive tort reform plan.8
15.2.3 Insurance Provisions

Insurance companies' prohibition on healthcare providers disclosing and apologizing is quickly giving way to a more patient-centered approach. In some instances, disclosure of adverse
events, along with an apology, is strongly encouraged under medical professional liability policies. For
example, the Colorado Physicians Insurance Company (COPIC) has formalized an apology process
that authorizes payment of up to $30,000 in expense restitution to affected patients.9 Under this program, which began in 2000 and which COPIC has entitled 3R for Recognize, Respond, and Resolve,
insured doctors are encouraged to continue the physician-patient relationship based on honest,
open communication and to attend education on disclosure. Other medical professional liability insurers
have different types of programs to encourage disclosure of medical errors and adverse events.
15.2.4 Institutional Requirement or Policy

It may also be the policy or a requirement of the healthcare facility that adverse events must be
disclosed to the patient and family. Such a requirement is becoming more common as the patient safety
culture expands. Two notable examples of healthcare systems in which disclosure is required are The
University of Michigan Health System (UMHS) and the Veterans Health Administration. In 2001,
UMHS began a new approach to claims management that included altering staff and institutional
behaviors that forced patients to resort to courts for satisfaction as the only alternative.10 Its disclosure policy is based on three principles, which are made public to staff members, the local bar and the
courts. These principles are:
1. UMHS will compensate quickly and fairly when inappropriate medical care causes injury;
2. UMHS will defend medically appropriate care vigorously;
3. UMHS will reduce patient injuries, and therefore claims, by learning from mistakes.11

7. 40 P.S. 1303.308(a)
8. See Clinton H.R., Obama B., Making Patient Safety the Centerpiece of Medical Liability Reform, 354 N Engl J Med. 2006; 354:2205-2208.
9. Roberts, R., The Art of Apology: When and How to Seek Forgiveness, American Academy of Family Physicians (2007), at www.aafp.org/fpm.
10. Boothman, R., Transparency: The Benefits of an Open and Honest Dialogue, presentation at University HealthSystem Consortium in Oak Brook, IL, September 22, 2005.
11. Welti, M.K., Disclosure of Medical Adverse Events: A Study of the University of Michigan Health System Model, at http://www.massbar.org/for-attorneys/publications/section-review/2007/v9-n1.

Since implementing its program and disclosure policy, UMHS has seen a drastic reduction in the
number of open claims and suits, and the average time from the opening of a claim to resolution has
been reduced significantly as well. UMHS has seen its litigation costs decrease by two-thirds. It has
reinvested a portion of these savings into its patient safety reporting system.12 Similarly, VA hospitals
have adopted a policy of consistent disclosure of medical errors, along with early offers of compensation
to injured patients. The results in this program have been comparable to those at UMHS.13
In the patient safety culture, an adverse event is seen as an opportunity to identify and learn from
a possible error or failing within a system, and thereby improve the quality of care. People involved
in patient safety generally believe it is important for care providers to work in an environment where
free exchange of information among providers, and between providers and patients, is encouraged or
required. There also is increasing awareness that disclosure may help prevent litigation by improving
the relationship and trust between the patient and care providers and by reducing patient anger and
frustration. The effects of programs such as those at UMHS and the VA provide strong anecdotal evidence in support of this theory.
15.2.5 Professional Ethics

Ethical standards applicable to physicians also require disclosure in limited circumstances. For
example, The AMA Code of Ethics requires disclosure when a patient suffers significant medical
complications that may have resulted from the physician's mistake or judgment.14 Also, The American
College of Physicians (ACP) Ethics Manual provides that doctors should tell their patients about procedural or judgment errors if that information is material to the patient's well-being.15
15.2.6 Moral Requirement

Finally, there is a strong feeling among some people and groups within the healthcare community
that disclosure of adverse events is necessary because it is the right thing to do; it is honest. Moreover,
it is how most people would want to be treated themselves, and how most people would want their
loved ones treated. Providers and others who share this philosophy often believe that a hospital and
its physicians and staff should avoid contributing to an adversarial relationship with patients through
incomplete communication and, consequently, should share all relevant information about care with
patients, including when and how adverse events occur.
As all the above discussion and examples demonstrate, disclosure of adverse events may be mandated by one or more laws, standards, policies, or philosophies that apply to the organization. Even if
disclosure is not mandated, the organization may believe that disclosure is in the institution's, the care
providers', and the patient's best interests.

12. Clinton H.R., Obama B., Making Patient Safety the Centerpiece of Medical Liability Reform, 354 N Engl J Med. 2006; 354:2205-2208.
13. Id.
14. Wei, Doctors, Apologies, and the Law, 40 J. Health L. 107, 107-149 (2007).
15. Id.

The remaining portion of this chapter will assume that it has been decided, for whatever reason,
that adverse events at the organization will be disclosed to patients and their families. It is important
that all healthcare providers involved in the disclosure process within the organization understand the
basis for this decision, the objectives hoped to be achieved, and how disclosure should best be made.
It is also useful for those involved to understand the history and tradition of nondisclosure, as this
knowledge helps to illuminate why some providers are resistant to any requirement for or policy of
disclosure and how such resistance may be overcome.
15.3 Barriers to Disclosure

Traditionally, there have been significant barriers to disclosure of adverse events to patients and
their families. One significant barrier has been a culture of blame in which the unrealistic expectation of perfection on the part of physicians, the punishment of practitioners and institutions for errors
or bad outcomes, the habit of finger-pointing, fear of loss of reputation or license, a tolerance for
errors as long as they are not caught, and fear of legal liability have all played a part. In this culture of
blame, there is little emphasis on relationships between healthcare providers and patients that involve
listening and full disclosure. This way of operating has existed for a long time for a variety of reasons,
including constraints on time and resources, lack of support from hospital administration for any other
way, fear of increased litigation, lack of scientific data to suggest a better way, and support for the
system within medical schools. As a result of all these factors, this way of operating became ingrained
in the medical culture.
Another formidable barrier to the disclosure of adverse events is the emotional challenge of disclosing and possibly apologizing for an error or bad outcome. This barrier is compounded by the fact
that many physicians do not have strong communication skills, as well as by a pervasive lack of awareness among providers of how silence or lack of information after an adverse event impacts patients and
their families. These barriers can sometimes be overcome when an organization adopts a consistent
practice of disclosing adverse events and provides education, training, and support to help providers
understand why, when, and how to talk with patients about adverse events.
15.3.1 How Patients and Providers Experience Adverse Events

To understand why disclosure is both important and also difficult, it is helpful to realize that both
patients and healthcare providers typically experience powerful emotions in reaction to an adverse
event, particularly if the event was caused by a medical error. The patient and family, as well as the
physician or other providers involved, are all likely to feel sadness, anger, anxiety, vulnerability and
worry. Partly because of these strong emotions, everyone involved needs emotional support and providers also need guidance in how to prevent an unfortunate situation from escalating. The involved
provider will likely feel shame, guilt, a sense of failure, grief, and job stress. Consequently, it is important for the provider to be able to talk about the event with other providers and to have help in planning
and executing the disclosure conversation with the patient and family. The patient and family may feel
powerless and that their trust in the doctor has been violated. These feelings naturally will be compounded if the physician fails to acknowledge the adverse outcome and any error that caused it, and if
the patient is not provided with information about how and why the adverse event occurred. This may
include the provider accepting responsibility for the medical error that created the adverse event.
15.4 How to Disclose

The law in some states, such as Pennsylvania, requires a hospital to give patients written notice
when an adverse event occurs.16 Such a requirement technically could be fulfilled simply by handing
or sending the patient a piece of paper that states an adverse event occurred, without offering any
additional information or an opportunity for questions or discussion. Disclosure by this method is
not likely to provide any benefit to either the patient or the physician and hospital. When disclosure
is mandated or done as a matter of policy, it is preferable for the disclosure to take place in person
through a conversation with knowledgeable providers present, offering an opportunity for the patient
and family members to ask questions and receive immediate answers. Disclosing an adverse outcome
without giving the patient sufficient information and a chance to ask questions is a practice that should
be avoided.
15.4.1 Preparing for Disclosure of an Adverse Event or Medical Error

If adverse events are going to be disclosed to patients and their families as a matter of course at
the organization, it is important that each disclosure conversation is planned carefully and that those
involved receive guidance and assistance. Before any disclosure, those responsible for planning the
conversation should consider the following issues:

Who should attend?

Who should speak?

When should the conversation occur?

What should be said and how should it be said regarding:

known facts and circumstances;


continuing investigation and follow-up;
ongoing care;
responsibility, if determined;
compensation?

What will the patient and family want to hear and to know?

What are the needs and concerns of the providers involved?

Whether an apology is appropriate and should be given?

What next steps should be taken?

In deciding who should attend and speak, it is important to think about who has the best relationship with the patient; who has the best information about what happened; who knows the most about
the patient's prognosis and any further treatment needed; who knows the most about how much further
treatment may cost and who will pay for it, and what can and will be done in the way of further investigation. Another important consideration is who is emotionally best able to participate. Sometimes
it may be preferable to not involve a provider who is unable to be empathetic or express concern.
Be aware, though, that patients usually expect and want to hear from the physician most involved.
Organizational and provider attendance should not overwhelm the patient and their family. Only those
that have a defined role and/or critical information should attend. Current thinking extends the list of
attendees to include nursing, as they maintain a consistent relationship with the patient and support
care continuity.

16. 40 P.S. 1303.308(b). This statute requires written notice to be provided within seven days of the occurrence or discovery of the event.

As for where and when the disclosure should occur, it is generally best for the conversation to
take place as soon as possible. Some states that require disclosure also dictate the time frame in which
disclosure must be made. It is critical that this time frame be known by all those involved in disclosure
at the organization and that it is met. It is important that the conversation be planned to allow sufficient time for a complete conversation, including questions and expressions of emotion. Disclosure
should happen in a place where the patient, family, and providers have privacy and can be physically
comfortable.
With respect to the substance of the conversation, what patients want after a medical error or
adverse event is to know what happened, and why; what the implications are for their health; how any
problem that caused the adverse event will be corrected and, importantly, how future similar events
will be prevented. Patients also want to be assured that they will not suffer financially because of any
error. If the adverse event was, in fact, caused by an error, most patients want an apology and responsibility accepted. Whatever the cause of the adverse outcome, patients typically want some emotional
support from their physician.17 It is important to note that disclosure together with a full apology,
where appropriate, has been shown to decrease the likelihood of litigation, facilitate settlement and
improve the patient's perception of the adverse event.18 A full apology includes recognition of the error
that has occurred, an admission of fault and acceptance of responsibility, and an expression of regret
or remorse.19 In contrast, a partial apology, an expression of sympathy without acceptance of responsibility, has been shown to have minimal, if any, beneficial effect, especially where fault is known or
obvious or where the injury is severe.20

17. Ruddell, Jane, Effective Patient-Physician Communication: Strengthening Relationships, Improving Patient Safety,
Limiting Liability, Lebanon, PA: Westcott Professional Publications, p. 45, 2005.
18. See Robbennolt, JK. Apologies and medical error, Clin. Orthop. Relat. Res. 2009; 467(2):376-82; see also, Pelt, JL,
Faldmo, LP. Physician error and disclosure, Clin Obstet Gynecol. 2008;51(4):700-8; Straumanis, JP, Disclosure of medical error: Is it worth the risk?, Pediatr. Crit. Care Med. 2007; 8(2 Suppl):S38-S43; Mazor, KM, Reed, GW, Yood, RA,
Fischer MA, Baril, J, Gurwitz, JH, Disclosure of medical errors: what factors influence how patients respond?, J. Gen.
Intern. Med. 2006;21(7):704-10; Robbennolt, JK. Apologies and Legal Settlement: An Empirical Examination, Mich. Law
Rev, 2003-2004; 102:406-516; Wu, AW, Handling hospital errors: is disclosure the best defense?, Ann. Intern. Med. 1999;
131(12):963-7.
19. See Robbennolt, JK. Apologies and medical error, Clin. Orthop. Relat. Res. 2009; 467(2):376-382, 376.
20. See Robbennolt, JK. Apologies and medical error, Clin. Orthop. Relat. Res. 2009; 467(2):376-82; see also, Pelt, JL,
Faldmo, LP. Physician error and disclosure, Clin Obstet Gynecol. 2008;51(4):700-8; Straumanis, JP, Disclosure of medical error: Is it worth the risk?, Pediatr. Crit. Care Med. 2007; 8(2 Suppl):S38-S43; Mazor, KM, Reed, GW, Yood, RA,
Fischer MA, Baril, J, Gurwitz, JH, Disclosure of medical errors: what factors influence how patients respond?, J. Gen.
Intern. Med. 2006;21(7):704-10; Robbennolt, JK. Apologies and Legal Settlement: An Empirical Examination, Mich. Law
Rev, 2003-2004; 102:406-516; Wu, AW, Handling hospital errors: is disclosure the best defense?, Ann. Intern. Med. 1999;
131(12):963-7.

The disclosure conversation should also include an explanation of whatever plans there are for
gathering additional information. Someone should ask the patient and family what they think about
these plans and if they have additional suggestions. The patient and family should also be given a
telephone number for any follow-up questions they may have. Most often disclosure does not involve
just a single meeting, but rather several sequential conversations.

15.4.2 Remember: It's About the Relationship

Sometimes when disclosure of adverse events is considered, the thought is that the disclosure
and an apology will serve as a remedy sufficient to protect the physician and the organization. When
considering and planning for disclosure conversations, it is important to remember that such disclosure and any attendant apology do not happen in a vacuum.21 They occur in the context of the whole
relationship between the patient and the providers. Disclosure conversations will be most effective
and helpful if the patient and the physician already have a history of speaking honestly and listening
to each other. Given this fact, it is advisable for all providers to establish a good relationship in which
the patient and all providers always communicate openly and honestly. This may improve patient care.
Moreover, the quality of the doctor-patient relationship is believed by many to be a primary factor in
determining if a patient will sue after an adverse event.

15.4.3 Communication and Conflict Resolution Skills Important in Disclosure Conversations

At any healthcare facility in which disclosure of adverse events is mandatory or supported, it
is advisable for those who participate in such conversations to be trained in and practice good communication and conflict resolution skills. The institution should make resources available to support
disclosure and good communication, including: identification of providers proficient in disclosure conversations and other resource personnel such as in-house/corporate counsel and the risk manager,
books, websites, seminars, and conferences.
Three communication skills that are crucial in the context of disclosure are active listening, talking
openly, and inviting participation. Active listening encourages other people to speak and communicates to them that you are hearing what they say. To listen actively, you should:

- Be aware of body language: no hand on the door knob as though you want to leave the room!
- Make eye contact (if culturally appropriate).
- Ask clarifying questions.
- Identify and respond to interests (needs, concerns), not positions (demands, assertions).
- Reflect what others have said.
- Acknowledge feelings expressed.

21. See Kramer, S, Boothman R, Sorry Doesn't Work Alone, at www.sorryworks.net/article31.phtml.

Talking openly is a companion skill to active listening and will help build trust. In a disclosure
conversation, talking openly should include giving the patient and any family present the basic information known at the time in understandable terms. Do not guess about what happened or why it
happened. Describe what additional questions still need to be answered. If known, describe how the
adverse event occurred. If appropriate, apologize authentically, accepting responsibility. Finally, it is
important that providers acknowledge and express their own feelings.
The final crucial skill in a disclosure conversation is inviting participation. This can be done by
answering questions as they arise, not interrupting, and asking the patient and the family what information they have previously been told or know about what happened. It is also important that you
specifically request questions. Rather than asking "do you have questions?", say "what questions do
you have?"
Other behavior that can also improve the disclosure process includes:

- Providers should speak and pace the conversation more slowly than normal so that patients are
  better able to absorb the information.
- Providers should sit down with the patient and family and avoid configurations (the "across
  the desk") that further promote "them versus us."
- Providers should use easy-to-understand terms, eliminating medical terminology, jargon, and
  acronyms.
- Providers should have all beepers, cell phones, BlackBerrys, PDAs, etc. turned off or on
  vibrate only during the meeting. If necessary, medical coverage for providers in attendance
  should be obtained for the meeting so that they are not distracted and can concentrate on
  the conversation at hand.
- Providers in attendance should ask questions rather than assume they have all the answers.
  Often, the patient and family will not know what questions to ask and will need prompting.
- Providers should be aware that emotions will cloud everyone's ability to process and absorb
  information; therefore, all important information should be repeated.

Finally, there are several things any hospital staff member or provider should not do in a disclosure conversation. The list of what not to do includes:

- assuming you know how the patient or other speaker feels;
- anticipating what the speaker is going to say;
- wishing the speaker would get to the point;
- becoming defensive when you feel criticized;
- being inflexible, anxious to follow your own agenda;
- failing to concentrate, wandering from the conversation;
- being trapped in role assumptions.

Of course, even with education, training, and practice, not all providers will be good at managing
and/or participating in disclosure conversations. They are, by their very nature, difficult conversations.
Nevertheless, education, training, and practice are important and should be provided.
15.5 Commentary

Increasingly common requirements for mandatory disclosure mean that practicing in-house
counsel should be knowledgeable about what requirements are applicable, and will likely be
called upon to help implement and guide when and how mandatory disclosure is provided.

It is important to remember that reluctant and grudgingly given disclosure will offer far less
than maximum benefits to patients and the organization. Partial, inadequate or ill-prepared
disclosure conversations may actually harm ongoing patient-provider relationships and hamper continuing care. It is best if the organization is one in which disclosure occurs fairly
naturally because the prevailing philosophy is one of respect for patients and their right to be
informed about and participate in their own care.

Obviously, failing to disclose adverse events when required may subject the organization to
fines or penalties that are included in any legislation, regulation, or other source requiring
disclosure. Failing to foster an environment in which disclosure is just one aspect of a culture
of patient safety and transparency may negatively impact the quality of care and could also
subject the organization to increased liability.

Education and support for all care providers is needed to help any organization create an
environment of openness and honesty, in which disclosure of adverse events will be the norm
and will occur in a manner that will be beneficial to patients and the organization.

The governing board and executive leadership of any organization are the people best suited
to adopt, promote, and spread a philosophy and practice of transparency. They must support
and encourage the culture of patient safety before reluctant practitioners within an organization will be able to accept a shift from the traditional and harmful fallacy of physician
infallibility and from the old paradigm of non-disclosure of any adverse event.

15.6 Conclusion

If disclosure of adverse events is not currently practiced within your organization, it may become
so shortly. This change may come about because of statutes, standards, regulations or voluntary changes
in organizational culture that support the delivery of care that is patient centered. As more people
working in and with healthcare become familiar with and knowledgeable about patient safety philosophy and practices, disclosure may become the norm. The culture of blame appears to be evolving into
a culture of learning, in which transparency and honest communication, which necessarily require
disclosure of all adverse events, are essential elements. This basic shift in how healthcare organizations think about and deal with adverse events involves everyone within the organization. Each person
within the organization has an obligation to support a culture that embraces patient-centered care. The
hope is that this cultural shift can benefit all involved, both providers and patients.

Resources
Berlinger, Nancy, After Harm, Baltimore: The Johns Hopkins University Press, 2005.
Leape L, ed. When Things Go Wrong: Responding to Adverse Events. Burlington, MA: Massachusetts
Coalition for the Prevention of Medical Errors, 2006.
Liebman, Carol and Chris S. Hyman, Medical Error Disclosure, Mediation Skills & Malpractice
Litigation. www.medliabilitypa.org, 2005.
Mazur, K.M., Simon, S.R., Yood, R.A., Martinson, B.C., Guinter, M.J., Reed, G.W., and Gurwitz,
J.H., Health Plan Members' Views about Disclosure of Medical Errors. Ann Intern Med. 2004;
140:409-18.
Robbennolt, J.K., Apologies and Legal Settlement: An Empirical Examination. Mich Law Rev.
2003-2004; 102:406-516.
Ruddell, Jane, Effective Patient-Physician Communication: Strengthening Relationships, Improving
Patient Safety, Limiting Liability. Lebanon, PA: Westcott Professional Publications, 2005.
Sorry Works! Coalition, http://www.sorryworks.net, 2005.
Stone, Douglas, Patton, Bruce, and Heen, Sheila, Difficult Conversations. New York: Viking, 1999.
Weiler, Paul, Hiatt, H.H., Newhouse, J.P., Johnson, W.G., Brennan, T.A., and Leape, L.L., A Measure
of Malpractice. Cambridge, MA: Harvard University Press, 1993.
When Things Go Wrong: Responding to Adverse Events; A Consensus Statement of the Harvard
Hospitals, at www.macoalition.org, 2006.
Wu, A.W., Handling Hospital Errors: Is Disclosure the Best Defense? Ann Intern Med 1999;
131:970-2.
Zimmerman, R., Doctors' New Tool to Fight Lawsuits: Saying "I'm Sorry," Wall Street Journal,
18 May 2004:A1.

16 Compliance and Enterprise Risk Management
John R. Evancho, JD
Senior Vice President and Chief Compliance Officer, OSF Healthcare
16.1 Introduction

This chapter describes the essential elements of a well-functioning corporate compliance program
for the healthcare industry. Reference is made both to the guidance provided under federal law and
to best practices that have developed in the industry. By its very nature, an effective corporate
compliance program supports and enhances enterprise risk management (ERM). Just as ERM is a
comprehensive approach for health care organizations to analyze risk opportunities, to proactively
assess strategic and operational impact, and to effectively manage the response to achieve the organization's objectives, corporate compliance programs are designed to prevent, detect, and remedy
violations of the law, a critical component of ERM.
The Federal Sentencing Guidelines,1 produced by the United States Sentencing Commission, an independent agency in the judicial branch established, in turn, by the Sentencing Reform Act of 1984,2
established a uniform approach to sentencing defendants in federal court. In 1991, the Guidelines were
extended to organizations found guilty of violating federal law.3 The Guidelines specify the steps that
an organization should take both before and after a criminal offense has occurred, steps that may well
serve to reduce the organization's culpability and, therefore, the fines or other penalties imposed on
the organization. These measures, which are designed to prevent, detect, and remedy violations of the
law, are the hallmarks of an effective corporate compliance program.4
Since 1998, the Office of Inspector General (OIG) of the federal Department of Health and Human
Services (HHS) has issued guidance, based, in part, on the Federal Sentencing Guidelines, with respect
to the elements of a compliance program for use by various types of healthcare providers. These comments are based, in turn, on the 1998 OIG Compliance Program Guidance (CPG) for Hospitals5 and
the 2005 Supplemental CPG for Hospitals.6 The 1998 guidance notes that it encompasses principles
that are applicable to hospitals as well as a wider variety of organizations that provide healthcare services to beneficiaries of Medicare, Medicaid and all other Federal healthcare programs.7

1. United States Sentencing Commission, Guidelines Manual [hereinafter USSC], § 8B2.1 (2004).
2. Title II of the Comprehensive Crime Control Act of 1984, 18 USC § 4106.
3. USSC § 8A1.1.
4. USSC § 8B2.1(a).
5. 63 Federal Register [hereinafter 63 FR] 8987-8998 (February 23, 1998).
6. 70 Federal Register [hereinafter 70 FR] 4858-4876 (January 31, 2005). The 2005 guidance, on page 4858, specifically identifies itself as a document [that] may serve as a benchmark or comparison against which to measure ongoing
efforts.

16.1.1 Preliminary Points

Two important preliminary notes: first, the organization's governing authority8 and high-level
personnel9 must be interested and involved in the corporate compliance program. As the 1998 CPG
points out, "Adopting and implementing an effective compliance program requires a substantial commitment of time, energy, and resources by senior management and the hospital's governing body."10 In
order for the directors and the senior leaders to be effective in their compliance roles, they should be
actively involved in the creation of the compliance program. The board of directors must be educated
about potential liability throughout the organization. A formal compliance orientation program for
new board members and new senior leaders and an ongoing education process for the board and the
senior leadership team, as a whole, should be in place.
The board and the leadership of the organization must create a culture that values the prevention,
detection, and resolution of compliance problems. The 2005 CPG states that the hospital should
endeavor to develop a culture that values compliance from the top down and fosters compliance from
the bottom up. Such an organizational culture is the foundation of an effective compliance program.11
The board and the senior management team must set the tone through ongoing support for the compliance program and must establish the expectation that all employees comply with applicable laws
and regulations and internal policies. The board should communicate, in a formal, consistent and
unequivocal manner, its commitment to compliance throughout the organization.12 The 1998 OIG
guidance makes clear that, as a first step, a good faith and meaningful commitment on the part of the
hospital administration, especially the governing body and the CEO, will substantially contribute to
the program's successful implementation.13
The board should determine compliance metrics and regularly review the organization's progress
against the measures, just as it does with financial targets and results. As the 1998 OIG CPG notes,
"The existence of benchmarks that demonstrate implementation and achievements are essential to any
effective compliance program."14 The board must take steps to ensure that the organization's policies
and compensation structures do not create undue pressure to pursue profit over compliance. Also, the
board must allocate adequate resources to the compliance program.15
The second preliminary point: a written corporate compliance plan, issued under the CEO's auspices, needs to be drafted and disseminated. The plan outlines the key aspects of the compliance
program and specifies the consequences of noncompliance. It identifies and addresses the organization's principal compliance risks and potential (or actual) weaknesses in its internal systems. The plan
establishes structures, processes, and controls in the reimbursement and payment areas, including
procedures for monitoring billing and coding error rates, the number of overpayments and underpayments, and the results of internal and external audits. It should provide for regular self-assessments and
ongoing improvements to the existing compliance program.

7. 63 FR 8987.
8. Defined in USSC § 8B2.1.
9. Defined in USSC § 8A1.1.
10. 63 FR 8988.
11. 70 FR 4874.
12. USSC § 8B2.1(b)(2)(A) and (B).
13. 63 FR 8989.
14. 63 FR 8988.
15. USSC § 8B2.1(2)(C).

The compliance plan is intended to be a living document, which employees throughout the organization consult regularly for direction in making decisions, providing care, and doing business. The
plan should include reference to the organization's mission and core values. It should be readily available to all employees, physicians, and members of the board of directors. It should be written in plain
and concise language, so that every employee understands what the law demands and what is expected
in terms of his or her conduct. It is often helpful to provide examples of scenarios with compliance
implications, including situations that employees commonly face. It should be a document separate
from the organization's policies and procedures and distinct from the employee handbook. The plan
should be reviewed regularly and updated as often as is needed.
The objective is to have the corporate compliance program, as it is outlined in the compliance
plan, serve as the central organization-wide mechanism for supplying useful information to employees
about federal and state statutes and regulations and for providing practical guidance to them about the
steps that they must take (or avoid taking) and what they must do when missteps occur. The compliance
program should guide each employee's decisions and actions and those of the organization, as a whole,
and must become part of the fabric of the organization's governance and day-to-day operations.
16.2 Elements of an Effective Corporate Compliance Program

As mentioned, the Federal Sentencing Guidelines and the CPG set forth the specific elements of
an effective corporate compliance program. They include the following elements:
1. developing and disseminating written policies and procedures;
2. designating a compliance officer and a compliance committee;
3. conducting effective training and education;
4. developing effective lines of communication;
5. enforcing standards through well-publicized disciplinary guidelines;
6. auditing and monitoring; and
7. responding to detected offenses and developing corrective action initiatives.
These specific elements are discussed in greater detail below.
16.2.1 Developing and Disseminating Written Policies and Procedures

A healthcare organization should create and distribute both an enterprise-wide code of conduct
and more specific policies. The code of conduct is to be disseminated to all employees. Unlike the
more detailed policies, the code should be relatively brief and should cover general principles that are
applicable to all employees. The code is intended to reflect the organization's spirit and culture and
address the provider's mission, values, and fundamental principles. The code should summarize the
organization's legal and ethical standards and emphasize its commitment to compliance with federal
and state laws and regulations.
The code of conduct should be approved by the board of directors and be supported by the officers
and senior leaders of the organization. It should be issued with a letter or other communication from
the CEO that endorses the code of conduct and emphasizes the obligation on the part of all employees
to comply with the code. In its 1998 CPG, the OIG made clear that it strongly encourages high-level
involvement by the hospital's governing body, chief executive officer, chief operating officer, general
counsel, and chief financial officer, as well as other medical personnel, as appropriate, in the development of standards of conduct. Such involvement should help communicate a strong and explicit
statement of compliance goals and standards.16 The code should be reviewed annually and revised
when needed (to reflect new regulatory requirements, for example).
Every employee should receive training on the code during annual compliance education programs, and new employees should be introduced to the code at orientation. It should be clear and easily
understandable and should be translated into various languages as the workforce requires. Penalties
for failure to comply with the code should be developed and communicated to all employees, who
should understand clearly the consequences of noncompliance. Yearly, employees should acknowledge in writing (or by means of an online verification tool) that they have received and reviewed the
code. The importance of complying with the code of conduct, as well as the concrete steps
that employees have taken to demonstrate their compliance with the code should be discussed as part
of the periodic performance appraisal process. Also, the code should stipulate that physicians and
other healthcare providers are required to follow the ethical standards of their respective professional
associations. The standards contained in the code should be made binding on nonemployed physicians
and other providers, vendors and suppliers, and other third parties.
The code of conduct should be highly visible within the organization's facilities and should be
promoted by means of posters, computer screensavers, Intranet messages, and other reminders. The
code, however, must be more than a plaque. It must be a living, breathing guide for employees at all
levels of the organization. So that they understand the importance of the code of conduct and its impact
on their day-to-day work, the format of the code should lend itself to operational decision-making,
and the code should be discussed regularly during employee meetings as a tool for setting direction,
making decisions, and taking action.
The code of conduct should mention the need to comply with the organization's compliance
policies and procedures, which, like the code itself, must be living documents that are integral to
the organization's day-to-day operations. The goal of policy development is the establishment of
bright-line rules that help employees carry out their job functions in a manner that complies with the
requirements of the federal healthcare programs and that furthers the mission and values of the organization. Therefore, compliance policies need to be clearly written and easy to understand. They should
be comprehensive, realistic, and capable of being fully applied. They also need to be well-organized
and readily accessible to employees. (Publishing the policies on the organization's Intranet site makes
version control easier than does printing the policies on paper.)

16. 63 FR 8989-8990.

Some compliance policies should be provided to all employees, while others should be shared
only with the employees who are affected by the policies. Employees should be trained on the policies
and procedures based on the work that they do and the area in which they work, and employees should
sign a statement attesting to the fact that they have been trained on and understand the policies, at least
the most important ones.
Compliance policies should be reviewed and revised every three years or as required by regulatory
changes. A tool for developing (and implementing) policies and procedures is often helpful, including
a template or sample policy. The template should include a schedule for reviewing and updating the
policy. Changes should be communicated to employees.
As is the case with the code of conduct, policies should be discussed regularly with employees,
and compliance with policies should be an aspect of the performance appraisal process. Disciplinary
measures for noncompliance with the organization's policies should be developed and enforced. Like
the code, relevant policies should be imposed on nonemployed physicians, vendors, and other third
parties.
Although the need for some compliance policies is obvious, the need for others may be identified only through an audit or other investigation. That is, the results of an audit may reveal a gap in
existing policies or procedures and may also help in prioritizing the specific areas of risk that need to
be addressed through policy development and implementation. After compliance policies have been
drafted and disseminated, audits should be conducted to determine compliance with the policies and
to verify that risks have been addressed and that there have been fewer errors in the areas in which the
policies have been implemented.
The OIG guidance stipulates that policies and procedures should focus especially on areas of
particular concern to the OIG, including problems or issues that the OIG has uncovered through audits
and investigations. The latter includes: improper coding and billing; violations of the antikickback and
Stark physician self-referral laws; and failure to comply with the patient antidumping requirements
of the Emergency Medical Treatment and Active Labor Act (EMTALA). The CPG places particular
emphasis on the proper preparation and submission of claims.
Policies should also concentrate on areas of compliance risk identified by the healthcare organization itself. A compliance risk assessment tool is often helpful in identifying risks, gaps, and weaknesses.
The assessment may take the form of audits, questionnaires, interviews, site visits (or some combination). Note that these assessment tools are similar to those used in the overall ERM assessment of
opportunity risk. The assessment tool should be re-evaluated on a regular basis and should include an
analysis of compliance with the requirements of the federal healthcare programs, the CPGs, the annual
OIG work plans, the OIG special advisory bulletins, and the OIG special fraud alerts. Based on the
assessment results, including the findings of analyses based on data from claims and cases, risks are
rated and prioritized, and a coordinated remediation plan is put in place. Compliance policies are then
updated, and training on the policies is conducted.
Finally, compliance policies should be reviewed and approved by the organization's board of
directors, and the board's approval should be tracked and recorded on the policies. The policies should
be developed under the direction and supervision of the chief compliance officer and the compliance
committee.
16.2.2 Designating a Compliance Officer and a Compliance Committee

The board of directors of the healthcare organization should appoint a well-qualified corporate
compliance officer and should stipulate that the compliance officer be a member of senior management and report to the president, CEO, or chairperson of the board. The compliance area should
be independent of the legal and finance departments. According to the 1998 CPG, "[f]ree standing
compliance functions help to ensure independent and objective legal reviews and financial analyses
of the institution's compliance efforts and activities. By separating the compliance function from the
key management positions of general counsel or chief hospital financial officer (where the size and
structure of the hospital make this a feasible option), a system of checks and balances is established to
more effectively achieve the goals of the compliance program."17 The compliance officer should also
have direct access to the board of directors or other governing body. In fact, the compliance officer
should present periodic reports to the board on the scope, direction, and implementation of the compliance plan. The compliance officer should have the authority to conduct independent investigations on
matters of compliance and should be provided with access to the individuals, documents, and other
sources that are needed to pursue the investigation. He or she should have the independent authority
to retain outside legal counsel.
The corporate compliance officer is responsible for properly organizing the compliance department and must see that the department has a clear, well-crafted mission. The department must receive
sufficient resources, including necessary staff and sufficient budget, as well as the needed authority
and autonomy. The compliance officer should strive to maintain good working relationships with other
areas, while remaining objective about their state of compliance.
Put broadly, the corporate compliance officer serves as the focal point of compliance activities
across the organization. The compliance officer's overarching responsibility is to coordinate the development, implementation, and oversight of the compliance program, including periodic updating of
the program. The compliance officer should not be regarded, however, as the one individual who is
responsible for the organization's complying with federal and state laws and regulations and internal
policies and procedures. In an important sense, every employee is accountable for compliance, just as
they are for ERM. In healthcare systems consisting of more than one hospital or other operating units,
the compliance officer's coordinating role is expanded. As the 1998 CPG notes, "For multi-hospital
organizations, the OIG encourages coordination with each hospital owned by the corporation or foundation through the use of a headquarters compliance officer, communicating with parallel positions in
each facility, or regional office, as appropriate."18

17 63 FR 8993.

The compliance officer is advised and supported by a compliance committee. Corporate compliance committee members should be active, visible, and vocal advocates of the compliance program.
They should receive compliance training when they join the committee and regularly thereafter. The
training program should include the elements of the compliance program, as well as developments in
the healthcare industry and trends in enforcement. Compliance committee members should include
members of senior management and representatives of a variety of functions, such as legal, finance,
risk management, audit, coding and billing, human resources, utilization review, social work, and discharge planning. It is often beneficial to have a physician representative on the compliance committee.
In integrated healthcare systems consisting of multiple hospitals, each facility should be represented
by its own compliance officer.
The importance of the corporate compliance committee cannot be overstated. Compliance committee members must exhibit a commitment to compliance that becomes part of the overall operating
structure and daily routine of the healthcare organization. The compliance officer should look to committee members to uncover specific areas of risk. As risks are identified, committee members should
work with the compliance officer to develop or revise policies and procedures, to provide needed
training, and to implement internal controls and follow-up measures. Committee members should
work with the compliance officer to develop a system that solicits, evaluates, and responds effectively
to complaints or reports of compliance-related gaps or problems. What is expected of compliance
committee members should be set forth in a committee charter and in their position descriptions. Committee members should be evaluated on their demonstrated commitment and competence with respect
to compliance. It is appropriate for the compliance officer to provide written feedback as part of the
annual performance appraisal process.
16.2.3 Conducting Effective Training and Education

The underlying purpose of compliance education is to train members of the board of directors,
employees, volunteers, contractors and others who function on behalf of the healthcare organization,
so that they are fully capable of carrying out their responsibilities in compliance with federal and state
laws and regulations and the organization's standards and policies. Compliance education should be
included in every new employee's orientation program. Training should be delivered at least annually
and should be provided more often for employees in positions or areas identified as high-risk. A policy
should be developed that specifies the frequency of training and mandates attendance. Participation in
compliance education programs should be tracked, and completion of compliance training should be
noted in an employee's annual performance appraisal. Incentives may be offered to employees who
are actively involved in compliance education. Conversely, sanctions should be imposed, according
to the established policy, on employees who fail to attend training programs, and employees should
clearly understand the consequences for noncompliance with the training requirements.

18 Id.

Compliance education programs need to be interesting and engaging. There is no reason why,
without compromising the seriousness of compliance matters, compliance training cannot be enjoyable, with a game show format, for example, complete with prizes for the winners. A variety of formats
for delivering training should be used, from in-person programs to web-based sessions, taking into
account the material and the audience. (It is helpful to have compliance education programs and materials developed with adult learning theories in mind.) Many healthcare organizations find, for example,
that in-person education is well-suited to physicians. (Continuing education units (CEUs) should be
offered, as appropriate.) The programs should build on previous programs so that employees gain
a deeper understanding of compliance requirements with each program they attend. In general, the
frequency, length, format, and content of training should be carefully considered in order to maximize
the effectiveness of any compliance education program.
Trainers, whether dedicated compliance educators or others who have participated in train-the-trainer sessions, should thoroughly understand the materials and clearly communicate the information.
Training materials should be clear (translated into other languages as dictated by the needs of the
workforce), concise, relevant, and practical. The education programs themselves may be formal and
require relatively more time, or the training may be informal and rather brief. It is often the case that
concise, to-the-point, and issue-specific refresher programs are as effective as more structured, broad-based training.
Managers should provide a good example by participating actively in compliance education programs and should expect and encourage employees (and manage their schedules and workloads) to do
the same. Managers should be conversant with the compliance requirements related to their areas and
responsibilities, and they should be aware that they are expected to serve as the front lines of compliance education, both formal and informal.
Compliance education falls into two broad categories: first, general training aimed at raising
employees' awareness of the impact of federal and state laws and regulations on the healthcare organization's activities, and second, specific training focused on the impact of particular government
requirements on certain job functions. (In most cases, it is helpful to modify at least portions of general
compliance training programs to reflect particular employees' functions and to provide examples specific to their roles.) Examples of more general training topics include privacy and information security,
coding and billing (and documentation), and fraud and abuse. All employees should be trained on the
requirements of the organization's compliance plan, including the affirmative duty on the part of every
employee to report misconduct. All employees should receive a copy of the code of conduct and should
be educated on the expected standards of behavior. Employees should be trained on the organization's
compliance policies that are broadly applicable. Employees should also understand the major areas of
risk within the organization and know what steps to take to prevent or mitigate the risks.
In addition, employees should receive compliance education specific to their roles and functions.
They should understand thoroughly the ways in which particular laws and regulations affect their
work. They should also be familiar with the organization's policies that apply to their jobs and be in
the habit of referring to the policies in making decisions and taking action. Employees involved in
sales and related functions, for example, should be trained in marketing practices that are in line with
the current requirements of the federal healthcare programs. Also, although all employees should
understand the importance of properly billing federal healthcare programs and private payors, it is
essential that in-depth training on correct coding and billing be presented regularly to employees in
the organization's billing department and that ongoing education on appropriate documentation be
provided to physicians and other healthcare practitioners.
All employees should be kept up-to-date on the changes in the organization's policies and government requirements, including recent Centers for Medicare & Medicaid Services (CMS), OIG,
and other agency guidance and advisories. The content of compliance education programs should
be reviewed on an ongoing basis and revised to reflect changes in the requirements of the federal
healthcare programs and in the policies developed and the services offered by the healthcare organization. This updating requires, in turn, that a process be put in place to monitor changes in rules and
regulations.
The compliance officer should be involved in developing the curriculum for both general and
specific compliance training programs and is responsible for overseeing compliance education. The
compliance officer should make certain that all levels of the organization, beginning with the board of
directors, are dedicating the necessary amount of time to taking the appropriate training at established
intervals. (It is especially important that members of the organization's board of directors or other governing body understand the requirements and expectations with respect to governance and fraud and
abuse.) Employees of the organization's vendors, such as third-party medical billing companies, should
also be required to participate in compliance training sponsored or approved by the organization.
When designing compliance education programs, the compliance officer should take into account
the results of recent audits and investigations. Any trends from compliance hotline logs and other
reported compliance problems should be incorporated into the training. Discussions that the compliance officer has had with various employees may also alert him or her to areas that need to be
addressed through compliance education.
The effectiveness of the training and the level of employees' understanding should be gauged
through tests administered to participants. (One of the most useful functions of online education programs is the ability to record and track test results.) This data, in turn, should be shared with managers,
senior leaders, and the organization's board of directors, as the information may point to gaps in
employees' awareness and understanding of government requirements and internal policies, as well
as other compliance concerns.
16.2.4 Developing Effective Lines of Communication

A key objective of any corporate compliance program is to create and sustain a culture within the
healthcare organization that actively promotes compliance with federal and state laws and regulations
and internal policies and that, in turn, encourages employees at all levels of the organization to be
firmly committed to compliance. That commitment entails open communication of actual or potential
gaps in compliance, without fear of retaliation.

One important tool for employees to use in bringing to light suspected misconduct is a compliance
hotline. This tool is not intended to supplant direct access on the part of employees to the compliance
officer (who, at any rate, should maintain an open door policy) or to undercut the internal reporting
structure of the organization. In fact, employees should be encouraged to report illegal or inappropriate
behavior directly to their supervisors, and managers should take steps to demonstrate their openness to
being informed of compliance problems and their willingness to follow up on these reports.
In the end, some employees prefer to report compliance concerns using the compliance hotline.
The organization, therefore, should establish an anonymous hotline or a similar means, such as an
e-mail reporting mechanism, for employees, medical staff members, patients, visitors, and contractors
to use in reporting compliance issues. Confidentiality should be stressed. Callers should be assured
that the corporate compliance department will protect their anonymity to the extent possible. Callers
should be warned, however, that intervening events, such as the need for a government investigation,
may lead to discovery and disclosure of their identity. A step taken by many organizations to address
callers' concerns that their identity will become known is to engage a third-party vendor to administer
the hotline, to take and record calls and to provide telephonic responses to callers.
With respect to the compliance hotline, confidentiality and non-retaliation policies should be
developed and distributed by the organization and should be understood clearly by all employees,
especially by managers. (The policies should stipulate that reporting misconduct through the hotline
does not insulate a wrongdoer from disciplinary action.) Managers should be aware of the sanctions
imposed for retaliating against employees who have recourse to the hotline.
The nature and purpose of the compliance hotline should be widely publicized throughout the
organization by means of posters, employee newsletters, computer screensavers, and compliance and
other Intranet sites. The hotline number should be posted in common work areas and should be readily
available to all employees and contractors. Employees at all levels of the organization should understand how to use the hotline to report compliance problems or raise compliance questions. They should
be surveyed regularly to evaluate their knowledge of the existence and purpose of the hotline and, just
as important, their confidence in the integrity of the reporting process and the resulting follow-up.
Every issue brought to the attention of the organization through the compliance hotline should be
investigated, and the necessary corrective steps should be taken. Allegations of serious misconduct,
improper coding and billing, for example, should be pursued vigorously. It is the responsibility of the
compliance officer to see that all reported compliance issues are investigated. The compliance officer
himself or herself may conduct especially significant or sensitive inquiries. A compliance problem presented by a caller should be regarded by the compliance officer and everyone else involved in resolving
the matter not as a burden (although many investigations are complicated and time-consuming), but,
instead, as an opportunity to uncover, to analyze, and to learn.
Investigations should be completed according to the timetables established by the compliance
hotline policy. Different timeframes may apply to different types of reported compliance problems.
When employees initially call the compliance hotline, they should be informed that they may call back
on or after a specified date to learn of the status of the investigation of the matter that they are reporting. Presuming that the investigation is complete, the caller is to be informed when he or she calls back
of the nature of the inquiry and the results of the investigation, including what the organization has
done or will do to resolve the matter. In the event that more time is needed to complete the investigation, the caller is to be told of the status of the investigation and the expected completion date.
A complete log of open and closed hotline calls should be maintained by the compliance officer.
The steps taken to investigate and follow up on the calls should be documented. The compliance officer should guarantee that each investigation is conducted timely and that effective measures are put in
place to address any bona fide issues reported. The compliance officer should periodically analyze the
logs to determine the overall timeliness and thoroughness of responses and should regularly report the
results of the analysis to the organization's board of directors or other governing body. The compliance officer should present to the board not simply statistics, but some sense of the nature or flavor
of the calls, especially calls that point to the same compliance issues. The board should address, in
particular, recurring compliance gaps and compliance problems in need of organization-wide remedial
measures.
16.2.5 Enforcing Standards through Well-Publicized Disciplinary Guidelines

An important aspect of fostering a culture that promotes and supports compliant and ethical conduct is the fair and consistent enforcement of disciplinary standards in instances in which behavior
does not measure up to the requirements of federal and state laws and regulations or internal policies.
Consistency means that standards and penalties are applied evenly and fairly to employees across the
organization, from senior executives to managers, to employees, to members of the medical staff. Fairness implies that the penalties imposed on employees are commensurate, generally speaking, with the
relative degrees of their misconduct.
The policy should define the degrees of disciplinary actions that are to be taken in particular
circumstances, actions that include verbal and written warnings, financial penalties, termination of
employment, and suspension or revocation of clinical privileges. The policy should also establish
the processes for handling misconduct (keeping in mind that misconduct may take the form of either
commission or omission, the latter including the failure to take appropriate action either to stop wrongdoing or to report misconduct) and imposing discipline. The policy should identify the roles of those
responsible for taking appropriate steps in various cases, namely, senior leaders, supervisors, and
medical staff officers. Managers should be trained in the various aspects of the discipline policy and
process, including the importance of documentation at each stage, and they should be held accountable for failing to discipline employees appropriately, timely, and effectively, and in compliance with
applicable laws and standards and internal policies and procedures. Supervisors are also responsible
for seeing to it that follow-up steps by or with respect to one or more employees are actually taken.
Periodically, the discipline policy should be reviewed with an eye to its fairness, generally, and
to the consistent application of its enforcement across the organization. The review should also look
at the effectiveness of the policy in deterring misconduct. In the area of employee discipline, the
compliance officer should work with the organization's human resources (HR) department in a well-coordinated way, with respect both to assessing the policy itself and to handling specific instances of
misconduct. The compliance and HR functions should work together to publicize the standards of
conduct throughout the organization and to make certain that the standards are readily available to and
understood by all employees.
Another aspect of enforcing standards of behavior is avoiding hiring, retaining, or contracting
with individuals who have been sanctioned for misconduct previously. Background investigations and
credit checks should be conducted in advance on all employees, vendors, and medical staff members.
These individuals should also be screened beforehand and routinely (at least annually) thereafter against
the government sanctions lists, including the OIG's List of Excluded Individuals/Entities (LEIE) and
the General Services Administration's Excluded Parties Listing System. (Many hospital credentialing
and privileging software programs offer the built-in capacity to sweep such government databases.)
The organization should have in place a policy calling for the nonemployment (or refusal to contract
with a supplier or grant privileges to a physician or other healthcare practitioner) of any individual
who has been convicted recently of a crime or excluded from participation in a federal healthcare
program. In the event that such an individual has already been hired (or retained or privileged), his
or her employment (or engagement or privileges) must, as a general rule, be terminated. Applications
for employment and credentialing and privileging, as well as the questionnaires offered to prospective
vendors, should specifically require applicants to disclose any criminal convictions or exclusions from
the federal healthcare programs.
16.2.6 Auditing and Monitoring

In the context of an effective compliance program, monitoring refers to reviews that are repeated
on a regular basis during the normal course of the operations of the healthcare organization. One
way in which monitoring may be used is to verify that the follow-up steps contained in a corrective
action plan have actually been taken and have had a demonstrable impact on operating procedures and
results. Auditing, typically, is a more formal process conducted by individuals who are independent
of the department or function that is the subject of audit. Audits may be conducted by internal (to the
organization, but outside of the area under review) or external auditors. Although monitoring and
auditing are often performed in response to a detected or suspected compliance problem, such reviews
should also be done on a proactive basis to strengthen operations and ferret out compliance gaps
before they become a major problem.
As such, the organization should develop a detailed audit plan and should reevaluate the plan
every year. The plan should include the frequency and timing of audits, as well as the needed reporting
and staffing. The plan should consider the findings of audits from prior years and should focus on risk
areas identified through earlier audits and on high-volume services provided by the organization. Audit
results should also be used to assess the need for particular compliance training programs.
The audit plan should require ongoing monitoring of compliance with federal and state laws and
regulations, the requirements of the federal healthcare programs, the findings of previous audits and
internal policies and procedures. This review may be performed by managers in some instances and
by designated auditors in other cases. The audit plan should include a frequent and thorough assessment of the billing systems that is directed at verifying the accuracy of claims submitted to the federal
healthcare programs and to private payors and at determining the rate and root cause of detected coding
and billing errors, including inaccuracies in cost reporting and gaps in clinical documentation. If the
error rates do not decrease from one audit to another, then further investigations should be conducted
to uncover hidden deficiencies.
Audits should also focus on the specific policies that have been the subject of particular attention on the part of the organization's Medicare fiscal intermediary or carrier or the focus of recent
enforcement action by the OIG or other government agency. The audit plan should also address the
organization's compliance with Stark and antikickback prohibitions, as well as areas highlighted in
the annual OIG work plan. The ongoing effectiveness of the organization's compliance program itself,
including each element of the program, should be reviewed at least annually.
The audit plan should clearly establish the role of the auditors. As mentioned, auditors, whether
employees or contractors, should be independent of the areas under review. They should be well-qualified, with the requisite certifications. Auditors, including employees in the internal audit department,
should be made available to conduct both scheduled and unscheduled audits.
Audit results should be shared in short order with senior management and with the audit or compliance committee of the organization's board of directors or other governing body. The committee
should approve the standard audit approach, including sampling technique, data collection and analysis,
reporting and corrective action. Audit processes may include onsite visits, mock surveys, interviews,
questionnaires, and document reviews. Exit interviews with departing employees may prove to be
a rich source of information about actual or perceived compliance problems, so compliance-related
questions should be included in the exit interview process.
An organization-wide audit database should be developed and monitored on an ongoing basis
with an eye to emerging trends. Corrective action steps needed and taken should be included in the
database. The database should capture detailed information about the return of overpayments to the
fiscal intermediary or private payor, including the reasons for the overpayments. The database should
also make note of which audits are being or have been conducted under any legal privilege, and legal
counsel should be consulted before any audit is undertaken to determine the appropriateness of asserting the privilege.
16.2.7 Responding to Detected Offenses and Developing Corrective Action Initiatives

A consistent approach to addressing detected violations of law and other compliance deficiencies
is essential. Investigations should be initiated as soon as compliance problems are uncovered and
should be conducted with a sense of urgency. At the same time, investigations should be thorough and
well documented at every step. Documentation should include a summary of the deficiency, a description of the way in which the problem was discovered, an outline of the investigative process, a list of
the documents reviewed, a list of the employees and other persons interviewed, copies of the interview
tools that were used and the interview notes that were made, changes in policies and procedures that
were implemented, recommendations that were made, and disciplinary actions and other remedial steps
that were taken. A policy and procedure for conducting (and documenting) investigations should be
created.
The nature and outcome of compliance investigations should be reported regularly to the organization's board of directors or other governing body. The need for corrective action should be discussed
with the board, which should direct that adequate resources be dedicated to the process. The corrective
action plans themselves should be based on a thorough review of the root causes of the deficiencies
that are identified. The questions of when, how, and where in the organization the problems arose must
be asked and answered. On a related note, the issues of how far back in time the investigation needs to
go and how broad a scope it needs to have should be addressed.
A corrective action plan also needs to be workable and actually implemented. A periodic review
of the progress being made in putting the plan into action should be undertaken. The review should
confirm that the causes of the violation (and the violation itself) have been eliminated. More broadly,
the organization's investigative processes should be evaluated from time to time.
Even before an investigation is begun, the necessary steps should be taken to prevent continuing
harm and the destruction of documents or other evidence. The employees responsible for the investigation need to be adequately trained on the organization's policies governing the process, including
documentation, reports, and corrective action plans. It may be helpful to form a response team, including auditors and the compliance officer. Consideration should also be given to the need for outside
attorneys, independent auditors, or healthcare experts to assist in the investigation. Legal counsel
should be consulted beforehand to determine the appropriateness of handling the investigation under
the attorney-client or other privilege.
The compliance officer, at the direction of legal counsel, may need to report to government authorities the results of an investigation that uncovers misconduct, including the impact of the wrongdoing
on the federal healthcare programs and any affected enrollees in the programs. The compliance officer
should see to it that overpayments are returned promptly to the fiscal intermediary, together with the
necessary documentation and a thorough explanation of the need for the refund.
16.3 Commentary

The compliance function focuses on identifying compliance risk through the use of risk
assessment tools similar to those used in the enterprise risk management function. However,
compliance risk is only one category or component of an organization's ERM assessment of
opportunity risk.

Compliance focuses on adherence to various laws and regulations in order to eliminate risk.
And, while ERM is concerned with liability risk that may flow from a lack of adherence to
various laws and regulations, it is also concerned with the broader range of opportunity risks
generated through clinical operations, financial operations, human resources, strategic operations, technological issues, and natural disasters/hazards.

The nature of compliance is such that every employee to a greater or lesser extent has responsibility for the compliance function. So, too, every employee shares in managing a healthcare
facility's opportunity risks. Hence the importance of ongoing training for employees on both
compliance and risk management.

ERM and compliance share another critical element of success: open communication. Effective compliance programs depend on information that can be communicated through formal
(e.g., hotlines) or informal channels. Likewise, ERM's success depends on open communication of actual or potential incidents either through formal incident reporting systems or
informal conversations in hallways or over the phone.

A final characteristic of both ERM and compliance programs is that in order to be successful,
a healthcare organization must build and maintain a just culture. That is, a learning culture
that (1) places high value on communication; (2) has a well-established system of shared accountability; and (3) provides a safe haven in which errors may be reported without the fear
of disciplinary action for events in which there was no intent to harm.

16.4 Conclusion

Two brief points by way of conclusion: First, there is no one-size-fits-all approach to compliance.
As the 2005 OIG CPG acknowledges, "[b]uilding and sustaining a successful compliance program
rarely follows the same formula from organization to organization."19 What is more important than
conforming to a defined model is the overall effectiveness of the program in meeting the specific
compliance needs of the healthcare organization. The 2005 guidance indicates that the OIG strongly
encourages hospitals to identify and focus their compliance efforts on those areas of potential concern
or risk that are most relevant to their individual organizations.20
Second, an effective compliance program should contribute to the fundamental purpose and
mission of the hospital and healthcare organization. The 1998 CPG sees compliance as a dynamic
process that helps to ensure that hospitals and other healthcare providers are better able to fulfill their
commitment to ethical behavior,21 or, as the 2005 CPG puts it, to honest and responsible corporate
conduct.22 Of course, the immediate goal of the OIG guidance is to assist hospitals and their agents
and subproviders develop effective internal controls that promote adherence to applicable Federal and State law, and the program requirements of Federal, State and private health plans.23 More
broadly, the overarching outcome, as envisioned in the 1998 CPG, is a program that is regarded by
each employee and everyone else involved in providing or supporting care as an effective means to
advance the prevention of fraud, abuse, and waste in these healthcare plans while at the same time
furthering the fundamental mission of all hospitals, which is to provide quality care to patients,24 to
which the 2005 guidance adds as objectives enhancing healthcare providers' operations and reducing the overall cost of healthcare services.25

19. 70 FR 4874.
20. 70 FR 4859.
21. 63 FR 8998.
22. 70 FR 4859.
23. 63 FR 8987.
24. 63 FR 8987-8988.
25. 70 FR 4859.

Part VI
Operations

17
Consent to Treatment: An ERM Perspective
Fay A. Rozovsky, MPH, DFASHRM, Esq.
President, The Rozovsky Group, Inc.
17.1 Introduction

Consent to treatment is a fundamental patients' rights issue intrinsic across the continuum of
care. A topic that is the subject of federal and state legislation, regulation, case law and accreditation
standards, consent to treatment is also a topic of ongoing concern for counsel in an enterprise risk
management (ERM) healthcare organization.
This chapter addresses the basic requirements and exceptions in consent to treatment. A case
study demonstrates the enterprise risk management opportunities involved in consent matters. Practical ERM-style risk management strategies are discussed, including measures to facilitate disclosure
communication involving adverse and unanticipated outcomes of care.
17.2 The Key Elements for Consent to Treatment

Although there are notable differences from one jurisdiction to another, the core elements of an
effective consent process are quite similar. These include the following elements:

- a description of the indications for a test or treatment;
- an explanation of what is involved in the test or treatment;
- a description of the probable benefits and probable risks associated with recommended tests
  or treatment;
- a discussion of alternative tests or treatment and the associated probable benefits and probable risks linked to these options; and
- a description of the likely consequences of declining either recommended or alternate tests or
  treatment.

The discussion is one that is carried out between the caregiver and patient. The caregiver may be a
physician, a dentist, psychologist, podiatric practitioner, or a physician's assistant or nurse practitioner
who, under the terms of relevant scope of practice legislation, may be authorized to carry out such tests
or treatment.

Adults are presumed to have the requisite legal capability and mental capacity to make a treatment decision. These presumptions may not apply in some situations. For example, a patient may
have a court-appointed guardian empowered to make treatment choices. Likewise, a patient may have
executed a mental healthcare advance directive authorizing a spouse to make treatment decisions on
his behalf when a healthcare professional determines that the patient is clinically unable to engage in
a consent process.
Consent discussions should be geared to the comprehension ability of the patient or surrogate
decision maker. Descriptions of benefits and risks that rely upon sophisticated medical terminology or
a strong working knowledge of statistics may serve to vitiate the consent process because the patient
could not understand the information provided by the caregiver. This comprehension issue extends to
ancillary aids used in the consent communication process, including complex diagrams, brochures,
and video media. Written and visual material should meet health literacy standards just as verbal communication must be understandable for the patient or surrogate decision maker.
Patients should have the opportunity to synthesize information and to pose questions. Responses
provided should be in terms understandable to the patient.
17.3 Exceptions to the Rules of Consent

There are a number of recognized exceptions to the rules of consent. These include the
following:

- Emergencies: A true emergency is a situation that involves a life- or health-threatening
  event that requires immediate treatment. The patient is unable to participate in a consent
  process, and the urgency of the situation precludes communicating with someone who by law
  is authorized to make treatment decisions on behalf of the individual. In this circumstance,
  the law implies that if the patient was able to participate in a valid consent process, he or she
  would readily agree to the care required to address the emergency. Care is limited to those
  diagnostic and therapeutic interventions to address the emergency.

- Impracticality of Consent: Similar to the emergency situation, a patient presents with a life-
  or health-threatening event that requires immediate care. As with the emergency exception,
  time is of the essence. The difference is that in the impracticality exception the patient is
  capable of participating in the consent process. The urgent nature of the situation precludes a
  full-blown consent process. The caregiver asks the patient for relevant medication and medical history information and provides a brief description of what will be done to address the
  life- or health-threatening event. The exception fits such situations as a patient who presents
  in anaphylactic shock due to a snake bite, a food allergy, or a stroke in progress. The caregiver
  uses the information provided by the patient to hone the care plan. Treatment is limited to
  those diagnostic and therapeutic interventions that are necessary to address the life- or health-threatening event.

- Therapeutic Privilege: A patient who is at high risk for psychogenic, emotional, or physiologic injury may require a diagnostic or therapeutic intervention. Based on the patient's
  mental health, the caregiver is reluctant to impart some information required under the rules
  of consent. The concern is that discussion of this information may cause harm. In such a
  situation, the caregiver may wish to invoke the therapeutic privilege exception. To do so, it
  is important to obtain a behavioral health consultation from someone not otherwise involved
  in the care of the patient. If the behavioral specialist concurs with the attending caregiver,
  he or she would then document his or her professional opinion, including what information
  should be avoided in the consent discussion. The attending practitioner would then complete
  the consent process absent the information that is considered likely to cause harm. A notation in the medical record would document what information was withheld and the rationale
  for doing so. At a later time, the information withheld may be shared with the patient. This
  exception is used rarely as it is at variance with the underlying principles of consent: individual choice making and autonomy.

- Compulsory Treatment: Patients may be compelled to submit to treatment in some situations.
  Compulsory care may be the product of a court order or a consequence of the application of
  public health legislation designed to address infectious disease transmission. The right to
  agree to or to decline treatment may be revoked in this situation. However, it would not
  apply to noncompulsory treatment situations. Even in the midst of compulsory treatment, it
  is useful for the caregiver to obtain relevant medical history and medication information from
  the patient in order to avoid unnecessary risk exposure. For example, if the drug of choice
  is a derivative of penicillin and the patient is severely allergic to the medication, an effective
  dialogue may elicit the risk factor and enable the caregiver to select a suitable medication
  alternative.

- When a Patient Refuses to Be Informed: Sometimes a patient is agreeable to undergoing a
  recommended test or therapeutic intervention. However, they decline to be informed about
  the test or procedure, probable benefits and risks, and treatment alternatives. The patient
  just says, "do it." For the caregiver, this can be fraught with risk exposure, particularly if the
  patient must be awake or take a participatory role in the test or treatment. Concerned that the
  person could react adversely not knowing what to expect, the caregiver may be hesitant to
  proceed without a full consent discussion. Caregivers might try to ascertain why the patient
  does not want to engage in a discourse. If the patient persists, the caregiver may decline to
  proceed out of a concern for patient safety and well-being. The caregiver should not abandon
  the patient; rather, he or she should make a good faith effort to help the patient find another
  caregiver who is willing to accept the patient without a full consent discussion.

17.4 Clinical Research

Some 19 federal departments and agencies follow a consistent set of regulations with respect to
human research. Termed the "Common Rule," the regulations include very specific requirements with
respect to consent and participation in human research. A good illustration of the general requirements
for consent can be found at 45 CFR 46.116 and, for consent documentation, at 45 CFR 46.117.
Consent requirements for vulnerable populations can be found in various subparts of the regulation.
For example, children are addressed in a specific subpart in which principal investigators follow a
consent process with a parent or guardian and obtain research subject assent for many pediatric
participants.1
The Food and Drug Administration (FDA) regulations do vary somewhat from the consent provisions found in the Common Rule.2 Since many healthcare organizations are clinical research sites
for investigational drugs and medical devices, it is important to become familiar with these consent
provisions.
Federal requirements also recognize an emergency exception for otherwise detailed consent requirements. These are found in regulations promulgated by the FDA3 and through a waiver that was issued
by the Department of Health and Human Services.4 From a practical perspective, this consentless
human research tracks many of the elements of the therapeutic emergency exception, but there are
notable differences. In particular, the IRB must approve use of the protocol and make the community
aware that the protocol will be used in the area.
Virginia,5 California,6 and New York7 have a number of laws governing human clinical trials.
These laws and the related regulations address consent to treatment. In doing so, many of the provisions look quite similar to those found in the federal rules.
Other state laws reflect a tableau of laws governing specific types of research. Rhode Island,
for example, has enacted a consentless human research requirement.8 Others have focused on fetal
research9 and the right of a person receiving care under a mental health advance directive to participate
in clinical research.10
For counsel, there are some important considerations. First, it is important to know the relevant
laws in the jurisdiction governing consent and research. Second, if one determines that the research is
part of a multicenter trial, to find out if the IRB approval for the research encompasses applicable state
law. Third, it is important to make certain that federal rules for consent have been applied correctly
with regard to the research trial.

1. See 45 CFR 46.408.
2. See 21 CFR 50.20; 50.25 and 50.27.
3. See, for example, 21 CFR 102(d).
4. See 45 CFR 46.101(i) and 60 Federal Register 143, July 26, 1995.
5. Va. Code 32.1-162.16 et seq.
6. Cal Health & Safety Code 24170 et seq. and Cal. Penal Code 35.000 et seq.
7. NY Pub. Health Law 2440 et seq.
8. R.I. Gen. Laws 23-17-19.1.
9. See, e.g., Minn. Stat. Ann. 145.422.
10. See Pa. Stat. Ann. Title 20 5808.

17.5 Information Flow in the Consent Process: An Enterprise Risk Exposure

One of the important aspects of the consent process is communication of information necessary
for the patient or surrogate to make a treatment choice. Traditionally, the information conveyed came
by way of a conversation with the caregiver. He or she might supply ancillary details in an information
sheet or brochure. Over a period of time, other information tools have entered the picture, including
videotapes, DVDs, trusted websites, and interactive online or computer-based programs.
Another aspect of tradition has eroded in the consent process. As was noted earlier, the traditional
perspective was that the consent process took place between a caregiver and a patient. Today, other
healthcare professionals may play a role in the information-giving process. Nurses, physician's assistants, nurse practitioners, and others may impart relevant information and ask questions designed to
elicit medical history information. Once in hand, the information can be used to hone recommended
and alternate forms of care.
While in days past there may have been concern that a doctor did not provide sufficient information, today the concern is more about inconsistent and too much data provided to the patient or
surrogate. The result may be a consent process that is flawed by misinformation.
Information overload is a genuine reason for concern. Ready access to questionable information
on the Internet may prove overwhelming and conflicting. A patient may not like what he or she heard
the doctor suggest as the recommended form of treatment. To corroborate the doctor's recommendation, the patient conducts an Internet search and finds, to his or her delight, a host of other options
not discussed by the doctor. Missing is a balanced perspective in which the caregiver discusses his or
her information with the patient. Present now is a level of distrust between the patient and doctor. The
patient may think, why was the doctor not forthcoming? Why was I not given information about these
treatment options? Does this doctor know his or her field? Is the doctor clinically competent? Should
I look elsewhere for a different doctor? Should I trust this person?
From an enterprise risk perspective, the Internet introduces a new risk factor in the consent
process. In essence, data available on questionable websites or in a host of healthcare blogs becomes
an interloper in the consent process. With healthcare professionals unable to control this input, the
Internet data can diminish and disparage the quality of the caregiver-patient relationship and the
consent process.
It is an enterprise issue because it triggers a number of risk opportunities. These include:

- legal/regulatory risk exposure;
- staff competencies risk exposure;
- operational risk exposure;
- reputational risk exposure; and
- professional licensure risk exposure.

17.6 Consent Documentation

Some type of documentation is necessary to substantiate completion of the consent process. In
some states there is a specific legislative requirement for a consent form. Indeed, some procedure-specific consent forms can be found in state legislation. In other instances, federal requirements mandate
a written informed consent. Thus under the Conditions of Participation for Hospitals in Medicare and
Medicaid, such a requirement can be found in the standard for surgical services.
Consent forms can be viewed as falling in three or four categories. The first is the so-called
long form consent in which the caregiver delineates copious amounts of information from the discussion with the patient. The second, the short form consent, indicates that the caregiver has completed
the consent process and that the patient or surrogate agrees to a specific type of care. A third form is
procedure-specific and is often rather detailed in terms of the content. The last form, a checklist-style
consent, enables the caregiver to follow the elements of the consent process delineated in the tool.
Once completed, signed, and dated, it serves as written evidence of a completed consent process.
Beyond forms, another option is for the caregiver to write a concurrent entry in the progress
notes that describes the consent process. Simply writing "risks and rewards explained" is not written
evidence of a consent process. More detail is required.
From an enterprise risk perspective, consent documentation is important to substantiate statutory
and regulatory compliance. It is also the basis for coding and billing of claims information with regard
to government and private sector health plans. A slipshod consent document raises the risk vulnerability in defending claims for lack of informed consent. For individual caregivers, under the terms
of many state licensure laws, the absence of an appropriate consent process may serve as evidence of
unprofessional conduct, an allegation that has repercussions well beyond health professional liability.
Even from a patient safety perspective, consent documentation can be used to avoid wrong site, wrong
procedure, wrong patient interventions, especially as a tool in the time-out process. Hence, consent
documentation merits close scrutiny in an enterprise risk management process. That good documentation is in place does not diminish the need for effective communication and dialogue in the consent
process.
17.7 Risk Exposures in a Consent ERM Model

Although many believe that consent risk exposure involves negligence and claims based on the
intentional tort of battery, there are other legal vulnerabilities. These include the following legal risk
exposures:

- Breach of contract claims: allegations that the caregiver guaranteed a specific result or that
  a healthcare organization failed to meet the terms and conditions of a general consent admission agreement.

- Deceptive trade practice claims: alleged violations of state legislated consumer protection
  laws, especially where statutory provisions do not exempt such actions against healthcare
  facilities or providers.

- Misrepresentation: a claim based on a purposeful misstatement of material or significant
  information that a reasonable person would want to know in order to make a treatment
  choice.

- Fraud: a claim based on fraudulent disclosure of material or significant information that a
  reasonable person would want to know in order to make a treatment choice.

- Professional license proceedings: licensure proceedings based on allegations that a caregiver
  acted in an unprofessional manner in the way in which he or she disclosed, misrepresented, or
  failed to disclose information necessary for patient decision making and treatment.

- Reputational risk and concomitant risk of loss of market share: a caregiver and a healthcare
  organization may see a diminished market share as a result of adverse publicity stemming
  from reputational harm. Such harm may flow from allegations of negligent consent, battery,
  deceptive practices, fraud, misrepresentation, or allegations of professional misconduct in
  patient information management.

The following case study demonstrates some of these points.


17.8 Case Example

Dr. T.R. Enden, a renowned specialist in minimally invasive back surgery, had a wonderful reputation as a caring, compassionate, skilled surgeon. Employed by Englet Hospital, Dr. Enden helped
build the minimally invasive surgery program at the healthcare organization.
Dr. Enden saw Julia Stewart in the hospital clinic. Ms. Stewart had sustained a herniated disk as
the result of a number of falls on the ski slopes. In her day, Ms. Stewart had won a number of championships and she was known today as an aggressive downhill racer on the senior ski circuit. She came to
Dr. Enden when conservative treatment and medication management failed to address her problem.
Ms. Stewart had a good discussion with Dr. Enden. He explained the probable benefits and risks
of the minimally invasive procedure. He described as well treatment alternatives and related benefit
and risk information. Ms. Stewart reviewed a DVD about the procedure, and she received a pamphlet
and an information sheet about the operation. Dr. Enden encouraged her to give it some thought and to
discuss with her husband whether this was the right approach to treat her back problem.
When she went home, Ms. Stewart reviewed the literature provided by Dr. Enden. She noted
discrepancies about benefits and risks between the brochure, the information sheet, and with what she
recalled from the DVD. Ms. Stewart discussed her concerns with her husband and he encouraged her
to perform a web search. Ms. Stewart found a number of scientific articles, blog entries, and newspaper reports. She learned that the procedure had a much lower success rate than that described to her by
Dr. Enden. She also learned that there were new noninvasive procedures available for her condition
that Dr. Enden had not discussed with her. However, she also found laudatory comments from patients
about Dr. Enden.
Conflicted and aching badly, she called the doctor's clinic. Dr. Enden was not available, and her
call was transferred to Tim Langton, a nurse practitioner in the clinic. After listening to Ms. Stewart's
concerns, Mr. Langton said, "I understand what you are saying. Dr. Enden follows the most current
research in the field to guide his treatment recommendations. I would not put a lot of stock in those
blogs and those avant-garde websites. All I can tell you is he is the best. If it was me, I would have him
do my surgery. Let us know if you have any questions."

Ms. Stewart decided to go ahead with Dr. Enden doing the minimally invasive procedure at the
hospital day surgery department. Three weeks before the procedure, Ms. Stewart underwent a preoperative history and physical (H&P) at her primary care provider's office. The preoperative report
was sent to the hospital day surgery department. Ten days before the scheduled operation, Ms. Stewart
had a tooth abscess that required a complete extraction. One week before the procedure, she developed
an infection in the gum area and jaw surrounding the extraction site. The dentist told Ms. Stewart that
this was a common problem and that a course of antibiotic therapy would clear up the problem.
On the morning of the operation, a nurse practitioner completed the H&P review process. She
asked Ms. Stewart what she was having done, who was performing the procedure, and whether she
had seen her doctor since the H&P had been completed at the office. She checked off all the answers
on a form.
The procedure was uneventful. Ms. Stewart went home with discharge instructions and an appointment for a follow-up visit in 10 days. Two days later, however, Ms. Stewart had a temperature of 102°F
and shaking chills. Dr. Enden was at a conference upstate. The on-call physician for the clinic told
Ms. Stewart to go to the hospital urgent care for an assessment. The nurse who took her history was
alarmed, especially since she learned that no one knew about the preoperative abscess and jaw infection. Ms. Stewart was admitted to the hospital and treated for a systemic infection. Another infection
had developed at the site of the operation. Although the systemic infection was resolved, the surgical
site wound required an open procedure. Ultimately, Ms. Stewart required months of antibiotic therapy
administered via a port-a-cath. She endured a long period of pain before she felt better.
This is a hypothetical situation, but it demonstrates a variety of risk exposures appropriate for an
enterprise risk management approach to consent to treatment.
Consider the following risk opportunities in the case study:

- Legal/Regulatory Risk Exposure: There were numerous legal and regulatory risks in this
  case study. The consent process was not consistent with recognized standards of care. The
  physician's assistant may have exceeded the scope of his practice in the way in which he
  interceded in the consent process. The intake H&P assessment on the day of surgery was not
  in accordance with CMS requirements. If it can be established, Ms. Stewart may have a good
  claim for misrepresentation, deceit, and fraud with respect to the success rate data provided
  to her by Dr. Enden. In addition, if she decided to file a complaint with the accrediting body
  for the hospital, there may be standards non-compliance regarding patient consent and intake
  requirements. A formal patient grievance and complaint to the state agency or CMS could
  trigger an onsite review. In each instance, there are apt to be substantial legal fees and staff
  time involved in responding to the legal or regulatory action.

- Operational Risk Exposure: The operational risk here involved a flawed H&P intake assessment. The questions posed to Ms. Stewart were quite general. There was no effort made to
  expand the scope of inquiry to encompass encounters with other healthcare providers since
  the office-based pre-operative assessment. This operational issue may be the most obvious
  part of a much deeper issue, including inadequate training or demonstrated competencies for
  those credentialed by the medical staff of the hospital to fulfill the H&P screening process.

- Staff Competencies Risk Exposure: The lack of familiarity with questions to pose during
  the H&P update process suggests a need to examine carefully how credentialed personnel are
  trained for this function. If it is determined that staff are assumed to know how to fulfill this
  responsibility but lack the ability to do so, it is a staff competencies risk exposure.

- Reputational Risk Exposure: Any publicity associated with healthcare-acquired infection
  and litigation can diminish the reputation of a healthcare organization. When a prominent
  surgeon is involved and a headline reads, "Well-Known Doctor Did Not Tell All to Patient,"
  the consequence could be reduced market share. When the healthcare organization and physician are together as employer and employee, it can be a difficult reputational risk exposure to
  address. In essence, one would not want to try to shift the light of circumspection from one
  to the other. For example, if the hospital did try to dissociate itself from the situation, it could
  send a negative signal to other employed staff physicians.

- Professional Licensure Risk Exposure: If, in the course of a consent process, a physician
  provides misleading information, it may form the basis for a claim of unprofessional conduct.
  As noted previously in the discussion of Operational Risk Exposure, when the physician's
  assistant interceded in the consent process, it may have constituted a violation of his scope of
  practice. In either case, there could be professional licensure risk exposure.

17.9 ERM Treatment of Consent Risk Exposures

Consent to treatment is not simply a clinical risk exposure. As seen in the case study earlier, flawed
consent practices can involve staff competencies, operational issues, and both legal and regulatory risk
exposures. In some instances, a flawed consent process can trigger reputational risk issues, too.
From an enterprise risk perspective, legal counsel has a pivotal role and responsibility with regard
to effective consent practices. Other key stakeholders in the organization also have accountabilities
for consent practices. Together, legal counsel, clinical leadership, and management might want to
consider the following enterprise risk management strategies in the context of consent to treatment:

- Evaluate current consent policies and procedures and practices. Conduct a gap analysis
  to identify variations from what is expected under applicable state and federal law and hospital policy.

- Evaluate current medical staff bylaws and rules and regulations of the medical staff. Conduct a gap analysis to identify variations from what is expected under the medical staff bylaws
  and rules and regulations in terms of consent and H&P screening requirements.

- Take Corrective Action. Remove any ambiguity and confusing or conflicting information
  to eliminate any misunderstandings from current policy, procedure, and practice routines.
  Encourage similar action with respect to the medical staff bylaws and rules and regulations.

- Evaluate current consent documentation. Working with colleagues in clinical leadership,
  review a sampling of current consent documentation for diagnostic and surgical procedures.
  Determine if there is variability and risk exposure that merits focused review.

Consider interoperable consent information. Working with senior management and clinical
leadership, consider a process for making the information provided to patients in consent forms,
information sheets, trusted websites, interactive computer programs, and brochures consistent and interoperable.

Offer practical consent education. Provide medical staff members with educational opportunities regarding consent to treatment. Include such programming topics as the following:
role and responsibility for the consent process;
assessing patient capacity to participate in the consent process;
how to accommodate patients with specific communication needs;
how to share information in an understandable manner;
managing multimedia information; and
how to document consent to treatment.

Consider consent screening in the H&P process. Work with clinical leadership to design
and implement a systemic approach for verifying patient understanding and readiness for
scheduled, elective procedures. Recognize that this would include a series of straightforward
rule in/rule out questions. Discrepancy situations would constitute a rule out until differences
can be resolved. Discrepancies would include:
patient stating he or she is having a different procedure;
patient stating that he or she has not prepped for the procedure; and
information that there has been an intervening health event that merits further review
prior to proceeding with the scheduled elective diagnostic or surgical intervention.

17.10 Setting the Context for Patient Communication

Patients and their family members are often recipients of conflicting information in the caregiving process. The delivery of contradictory information is not intentional; rather, it is a consequence
of interaction with a myriad of healthcare professionals and administrative personnel.
Contradictory information can pose difficulties in terms of a person's understanding of the indications for treatment, clinical status, and outcomes of care. Sometimes too, patients and family members
contribute to this problem. Not accepting from the physician information about treatment, the prospective outcome, or actual results, patients and family members may seek out more details from a nurse,
a physician's assistant, or a trusted advisor in the healthcare field. As noted earlier, sometimes the
Internet is used for this purpose.
Contradictory information can jeopardize the caregiver-patient relationship. Distrust can impede
the free flow of important information. When an adverse or unanticipated outcome occurs, the prospect for poor patient communication can be accentuated.

From an enterprise risk management perspective there are some fundamental considerations to
put in place as part of the physician-patient relationship for effective communication. These fundamental considerations include the following:

View the consent process as the intravenous of communication. Encourage caregivers to
recognize that consent to treatment is tantamount to starting a regular intravenous line.11 How
well it is set up and maintained is indicative of the ability to use this communication conduit
to impart important information, including disclosure of adverse or unanticipated outcomes
of care.

View the consent process as a volume switch for controlling expectations. Encourage
caregivers to review regularly patient expectations about treatment and outcomes. Using
the consent process as the conduit for establishing effective communication is the first step.
The next step is to adjust expectations. In essence, consent becomes a volume switch on
the patient's boom box of expectations.12 This concept is important, especially with patients
experiencing chronic illnesses. It is equally useful with patients who are terminally ill. By the
same token, those with a very poor sense of wellness and survival may benefit from a discussion to help increase expectations.

Adopt a one-voice approach to patient communication. Encourage healthcare facility
clinical and office reception staff to refer questions or concerns about the consent process to
the attending caregiver. Avoid conjecture, speculation, or opinion rendering as this could lead
to misunderstanding and diminished patient communication. Recognizing that questions may
be posed along any point in the continuum of care, the response should be the same: "You
know, that is a good question. Let me help you get in contact with your caregiver who can
answer your question."

Each of these points is important as it forms the context for what is often a very challenging communication: disclosure of adverse and unanticipated outcomes of care.

17.11 Disclosure of Adverse and Unanticipated Outcomes

In July 2001, the Joint Commission implemented a standard that called for a discussion of the
outcomes of care with patients, and when appropriate, with their families.13 Here the term "outcomes"
included unanticipated outcomes of care.
Although the Joint Commission may have helped formalize the need for discussion of adverse
and unanticipated outcomes of care, it was and remains the logical conclusion of the physician-patient
communication continuum that was initiated with the consent process. Most never questioned that
caregivers would happily share good news with patients. However, as the Joint Commission standard
implied, caregivers were loath to share adverse information. Whether it was fear that such information
would lead to litigation or be perceived as an admission of liability or fault, caregivers were and
often remain reluctant to engage in a discussion of adverse and unanticipated outcomes of care.14

11. F.A. Rozovsky, Consent To Treatment: A Practical Guide, Fourth Edition. New York: Aspen Publishers, 2007 (with annual supplementation).
12. Id.
13. R.I.1.2.2., Comprehensive Accreditation Manual for Hospitals. Oakbrook Terrace, Illinois: Joint Commission on Accreditation of Healthcare Organizations, 2001.

Since 2001, many states have enacted laws that encourage or require so-called disclosure discussions. Some bar as evidence in legal proceedings the fact that the caregiver had such a discussion with
the patient.15 Others define the discussion as one that does not constitute an admission of fault or an
admission against interest.16 National associations have offered practical guidance on the subject that
merits close review by counsel, including a white paper17 and a monograph on the subject.18
Although still a subject of controversy with some questioning the value of disclosure and some
arguing that disclosure may foster rather than thwart litigation,19 communication of adverse outcome
information has become part of the fabric of healthcare in many settings.
Sometimes called the "disclosure process" and, in other instances, the "apology," it requires careful
planning and skill. As Kadzielski and Barton have suggested, an effective disclosure and apology
process reflects respect for the patient and the basis for healing.20 It necessitates good communication
skills and a framework for ongoing discussion. Such a process can be encapsulated in a well-designed
policy and procedure.21 The one suggested by Kadzielski and Barton reflects a sweeping approach
consistent with an enterprise risk management approach to the topic.22
Questions to consider in developing an enterprise risk management framework for disclosure and
apology include the following:

What factual information should be gathered for the first discussion?
What information should be related back to risk factors discussed during the consent
process?
When should the initial discussion take place?
Where should it be held?
How should potential security issues be addressed?
Who will speak with the patient and/or family?
Who will be asked to participate along with the patient and family?
Will the patient or family need a language interpreter?
What will be discussed in the initial session?

What questions should be asked of the patient and family?
What social service and religious support systems should be made available to the patient
and family?
How and where should the initial discussion be documented?
Who should manage follow-up conversations, including those by telephone?
How should difficult cases be managed, including those that involve ongoing investigations
by law enforcement and requests to bring legal counsel to discussion sessions?
Should there be access to a bioethics consult as part of the disclosure process?
What counseling and support mechanisms should be put in place for caregivers involved in
the unanticipated or adverse outcome?
How should questions of compensation be addressed during the disclosure communication
process?
How will disclosed information be shared with other key stakeholders in the organization
including the board, senior management, compliance counsel, and those responsible for managing formal patient grievances and complaints?
How will requests for write-offs be addressed in the disclosure process?
What information, if any, should be made available to staff, especially with regard to
high-profile cases or cases in the press involving an unanticipated or adverse outcome?
How should media inquiries be addressed?
Will lessons learned from the disclosure process be incorporated into medical staff
education?
Should legal counsel be involved in the disclosure process? If so, what should be the role of
legal counsel?
Should the risk manager be involved in the disclosure process? If so, what should be the role
of the risk manager?

The list of questions points to a number of risk exposure opportunities often seen in enterprise risk
management: staffing competencies, legal/regulatory matters, media/reputational risk, and operational
issues. The potential for litigation, regulatory review, accreditation action, and adverse media reports
points to the need for a coordinated effort.

14. J.R. Woods and F.A. Rozovsky, What Do I Say? San Francisco: Jossey-Bass, 2003.
15. See e.g., Conn. Gen. Stat. Ann. 52-184d.
16. See e.g., Colorado Revised Statute 13-25-135.
17. Perspective on Disclosure of Unanticipated Outcome Information, American Society for Healthcare Risk Management, July 2001.
18. See Risk Management Pearls on Disclosure of Adverse Events, American Society for Healthcare Risk Management, July 2006.
19. For an interesting set of insights on the topic, see Popp, P.L., How Will Disclosure Affect Future Litigation? ASHRM Journal of Healthcare Risk Management, Vol. 23, No. 1: 59, 2003; and Gallagher, T.H. et al., Patients' and Physicians' Attitudes Regarding the Disclosure of Medical Errors, JAMA. 289(8): 1001-1007, 2003.
20. See Kadzielski, M. and Barton, E., Tell Me Now and Tell Me Later: Disclosure and Reporting of Medical Errors, AHLA Annual Conference, June 2007, Concurrent Session Paper.
21. Id. See sample disclosure policy from this session paper.
22. Id.

17.12 Role of Legal Counsel in an ERM Framework for Disclosure

Legal counsel should take a leadership role in shaping a disclosure process that addresses a variety of risk issues that could emanate from discussion of and apology for unanticipated and adverse
outcomes of care. In this role, legal counsel can help facilitate policy and process design, taking into
consideration such issues as:

policy design consistent with applicable state evidentiary laws;

policy design consistent with requirements under applicable professional liability insurance
and captive management provisions;

policy design with respect to collective labor agreements;

policy design with respect to the medical staff bylaws and rules and regulations of the medical staff;

development of a mandatory reporting matrix under applicable federal and state law;

notice provisions with all levels of insurance carriers, captive managers, and third party
administrators, a process that can be completed collaboratively with the risk management
professional; and

coordination among various legal counsel, including compliance, accreditation, contract, and
defense counsel.

17.13 Conclusion

Consent communication and disclosure of unanticipated and adverse outcomes are integral components of a thoughtful enterprise risk management model in the healthcare field. Good communication
can help identify problems prior to treatment, leading to the potential for alternate care plans or the
caregiver putting in place strategies to lessen the risk of injury. Although patients may be angry and
upset about an unanticipated or adverse outcome, having a factual explanation may lessen the risk of
litigation.
In the nonemergent care setting, consent is the initiator of the communication process. Along the
way, that process can be used to provide clinical updates and adjust expectations of care. When used
effectively, consent sets a framework for disclosure of unanticipated and adverse outcomes, too. The
greater context for the communication process is enterprise risk management, a deliberate, thoughtful
recognition of potential risk opportunities coupled with strategies for eliminating, preventing, reducing, and transferring identified loss exposures. Seen in this way, consent to treatment and discussion
of adverse outcomes can help augment comprehensive efforts to achieve quality, safe, effective, and
efficient patient care.

18 Peer Review and Credentialing in an Era of Enterprise Risk Management
Mark A. Kadzielski, Esq.1
Fulbright & Jaworski, L.L.P.

18.1 Introduction

Peer review and credentialing are areas in which significant liabilities exist for healthcare organizations. Accordingly, astute legal counsel should periodically review a facility's bylaws and policies on peer review and credentialing, and keep abreast of current developments in health law. The maintenance of state-of-the-art bylaws and credentialing policies and procedures by a healthcare facility is among the most effective preemptive risk management tools available.
Although health facilities have little, if any, control over the practice of medicine, they can exercise substantial control over the qualifications and competence of practitioners and allied health professionals (AHPs) who are allowed to provide care to the facilities' patients. In this era of increased healthcare grading and transparency, effective peer review and proper credentialing are necessary for facilities to improve utilization patterns and quality outcomes. The concomitant costs and inconveniences are clearly outweighed by the benefits.
This chapter discusses aspects of peer review and credentialing for both practitioners and AHPs, including sources of potential liability, federal and state requirements, and accreditation standards.

18.2 Practitioner Credentialing

Credentialing is the process by which healthcare organizations review a practitioner's licensure, certification, references, and other professional information pertaining to his or her qualifications and ability to provide healthcare services. It entails a decision by a healthcare delivery system that determines whether the applicant is qualified to provide healthcare services for that organization.
Credentialing involves granting medical staff membership to practitioners and/or granting them clinical privileges, two diverse concepts that require the analysis of different criteria. Accordingly, healthcare delivery systems should clearly differentiate between them. Membership provides practitioners with a voice in the governance of the healthcare delivery system, while clinical privileges provide practitioners with the opportunity to provide clinical services.

1. Mark A. Kadzielski is the partner-in-charge of the West Coast Health Law practice at Fulbright & Jaworski L.L.P. in Los Angeles. Portions of this chapter have been published in a chapter on credentialing written by Mr. Kadzielski in The Risk Management Handbook for Healthcare Organizations, and in Health Care Credentialing: A Guide to Innovative Practices, which he coauthored with Fay Rozovsky and Christine Giles.

From a risk management perspective, granting privileges is more critical than granting membership
alone, since significant potential liability accompanies the ability to perform surgical or nonsurgical procedures. But, as set forth in this chapter, such liability may be minimized by competent risk
management. Likewise, medical staff membership without clinical privileges can be an effective risk
management tool for healthcare organizations.
The Joint Commission defines credentialing as the collection, verification, and assessment of
information regarding three critical parameters: current licensure; education and relevant training; and
experience, ability, and current competence to perform the requested privilege(s).2 The Joint Commission further provides that: Experience, ability, and current competence in performing the requested privilege(s) is verified by peers knowledgeable about the applicant's professional performance. This process may include an assessment for proficiency in six areas of General Competencies adapted from the Accreditation Council for Graduate Medical Education (ACGME) and the American Board of Medical Specialties (ABMS) joint initiative.3 The National Committee for Quality Assurance (NCQA), a private, not-for-profit organization which assesses and reports on the quality of managed care plans, requires that practitioners have verified credentials, including a valid license to practice medicine, education and training, malpractice history and work history.4
Proper peer review and credentialing must be tailored to fit the specific needs of each healthcare organization, whether a hospital, a managed care organization (MCO), an integrated delivery system (IDS), an independent practice association (IPA), or some other type of delivery system. Tailoring can be accomplished by including peer review and credentialing processes in bylaws, rules and regulations, and policies and procedures, as applicable. However, facilities should not attempt to cut costs by blindly adopting another organization's bylaws, rules and regulations, or policies and procedures to their own operations. This practice can result in the application of inappropriate and inconsistent policies that can negatively affect accreditation status and the quality of care provided.
Peer review and credentialing standards ensure the uniform treatment of all staff members being considered for appointment and reappointment and provide the individual staff member with a fair, known, and systematic information collection process. Further, strict adherence to a clearly delineated peer review and credentialing system can protect a facility in disputes. Healthcare institutions should not fall prey to the mistaken belief that only large organizations with plentiful resources can afford to scrutinize applicants' credentials carefully and discipline errant practitioners in a uniform and systematic manner. No organization, large or small, should underestimate the importance of the peer review and credentialing functions.

18.2.1 Federal Law on Credentialing and Peer Review

Enterprise risk management strives to stay current with federal and state laws concerning peer review, credentialing and accreditation standards specific to the healthcare delivery system in which they will be applied. For example, on the federal level, the Medicare Conditions of Participation for Hospitals provide that "[t]he medical staff must examine credentials of candidates for medical staff membership."5 They also require the periodic appraisals of the members of the medical staff.6 The Medicare Conditions of Participation for Long Term Care Facilities provide that "[p]rofessional program staff must be licensed, certified, or registered, as applicable, to provide professional services by the State in which he or she practices."7 The Conditions of Participation for Home Health Agencies provide that "[p]ersonnel practices are supported by appropriate, written personnel policies. Personnel records include qualifications and licensure that are kept current."8 The Medicare Conditions of Participation for Comprehensive Outpatient Rehabilitation Facilities provide that "[p]ersonnel that provide service must be licensed, certified, or registered in accordance with applicable State and local laws."9 Medicare also prescribes similar Conditions of Participation for Critical Access Hospitals,10 and for Clinics, Rehabilitation Agencies, and Public Health Agencies as Providers of Outpatient Physical Therapy and Speech-Language Pathology Services.11

2. The Joint Commission, Hospital Accreditation Standards, Introduction to Standard MS 06.01.03, Oakbrook Terrace, IL: 2009.
3. Id. These six areas are:
Patient care: Practitioners are expected to provide patient care that is compassionate, appropriate, and effective for the promotion of health, prevention of illness, treatment of disease, and care at the end of life.
Medical/Clinical Knowledge: Practitioners are expected to demonstrate knowledge of established and evolving biomedical, clinical, and social sciences, and the application of their knowledge to patient care and the education of others.
Practice-Based Learning and Improvement: Practitioners are expected to be able to use scientific evidence and methods to investigate, evaluate, and improve patient care practices.
Interpersonal and Communication Skills: Practitioners are expected to demonstrate interpersonal and communication skills that enable them to establish and maintain professional relationships with patients, families, and other members of healthcare teams.
Professionalism: Practitioners are expected to demonstrate behaviors that reflect a commitment to continuous professional development, ethical practice, an understanding and sensitivity to diversity, and a responsible attitude toward their patients, their profession, and society.
Systems-Based Practice: Practitioners are expected to demonstrate both an understanding of the contexts and systems in which healthcare is provided, and the ability to apply this knowledge to improve and optimize healthcare.
Integrating these concepts into the standards allows the organized medical staff to conduct a more comprehensive evaluation of a practitioner's professional practice.
The second new concept is Focused Professional Practice Evaluation. This concept allows the organized medical staff to focus evaluation on a specific aspect of a practitioner's performance. This process is used in the following two circumstances:
When a practitioner has the credentials to suggest competence, but additional information or a period of evaluation is needed to confirm competence in the organization's setting.
If questions arise regarding a practitioner's professional practice during the course of the Ongoing Professional Practice Evaluation.
The third new concept is the Ongoing Professional Practice Evaluation. Traditionally, the credentialing and privileging process has been a procedural, cyclical process in which practitioners are evaluated when privileges are initially granted, and every two years thereafter. The process outlined in these credentialing and privileging standards is designed to continuously evaluate a practitioner's performance. The process requires the medical staff to conduct an ongoing evaluation of each practitioner's professional performance. This process not only allows any potential problems with a practitioner's performance to be identified and resolved as soon as possible, but also fosters a more efficient, evidence-based privilege renewal process.
Joint Commission Hospital Accreditation Standards, MS.06.01.01.
The second and third new concepts should be included in Medical Staff Bylaws and/or policies and procedures to be compliant with Joint Commission standards.
4. National Committee for Quality Assurance. Standards for Health Plan Accreditation [hereinafter NCQA Standards for Accreditation], CR3, Washington, DC: 2009.
5. 42 CFR 482.22(a)(2).
6. 42 CFR 482.22.
7. 42 CFR 483.430(b)(5).
8. 42 CFR 484.14(e).

18.2.2

The Health Care Quality Improvement Act of 1986 (HCQIA)

The HCQIA has played a significant role in the development of current peer review and credentialing practices. If a healthcare entity complies with certain credentialing procedures, HCQIA affords
monetary immunity, under both state and federal law, for claims arising out of such credentialing activities. There can be serious consequences for conducting a peer review that does not comply with the
requirements of HCQIA. For example, in 2004, a Texas federal court jury awarded a Dallas cardiologist
$366 million after determining that the hospital and the physicians who had participated in his summary
suspension were not immune from damages under HCQIA.12 The judgment was reversed by the U.S.
Court of Appeals for the Fifth Circuit in 2008. Nonetheless, the jurys verdict serves as an important
warning of the serious consequences for failing to conduct peer review in compliance with HCQIA.
HCQIA, perhaps more than any other body of law, has substantially shaped current peer review
and credentialing practices. The financial liability of not complying with HCQIA can be detrimental
42 CFR 485.54(b).
42 CFR 485.604.
11
42 CFR 485.705.
12
In Poliner v. Texas Health System, the jury, after the trial judge had determined the defendants were not entitled to
complete immunity under HCQIA, found them liable for breach of contract, defamation, interference with contractual relations, and intentional infliction of emotional distress arising out of the summary suspension of Dr. Lawrence Poliner. The
facts of this case are that on May 12, 1998, a patient presented to the emergency room of Presbyterian Hospital of Dallas
complaining of chest pains. Dr. Poliner, an interventional cardiologist, performed a procedure to open the patients artery.
However, he made a diagnostic mistake and missed the patients blocked artery. The patient latter suffered postprocedure
complications, and there were problems contacting Dr. Poliner afterwards. This patients case and other cases were brought
to the attention of Dr. James Knochel, the chairman of the hospitals Internal Medicine Department. The cases were also
submitted for review to the Internal Medicine Advisory Committee, also chaired by Dr. Knochel. Dr. Knochel, in consultation with other physicians at the hospital, decided to seek a temporary restriction of Dr. Poliners cath lab privileges in
order to allow for an investigation pursuant to the Medical Staff Bylaws. After a conversation with Dr. Knochel, Dr. Poliner
agreed to the temporary abeyance of his privileges and an ad hoc committee was appointed to review a sample of his
cases. This temporary abeyance lasted 29 days. Upon review of the cases, the ad hoc committee formally unanimously
agreed that Dr. Poliners cath lab and echocardiography privileges should be suspended, which they were. Dr. Poliner
requested a hearing pursuant to the Medical Staff Bylaws. The Hearing Committee concluded the suspension should be
upheld, but that Dr. Poliners privileges should be reinstated with conditions.
Thereafter, Dr. Poliner filed a lawsuit in federal court claiming that these events defamed him and constituted antitrust and
deceptive trade practices. The U.S. District Judge granted the defendants motions for summary judgment under HCQIA as
to the formal summary suspension, holding that the immunities applied to the facts of this case. However, the judge allowed
the case to go forward to a jury trial with regard to the initial 29-day temporary abeyance. The jury awarded Dr.Poliner
$366 million in damages. On March 27, 2006, the U.S. District Judge upheld the jurys finding but ordered the parties to
mediation to determine the proper amount of damages. Thereafter, on September 18, 2006, the judge granted the motions
of the hospital and one of the doctors to reduce the amount of damages to $22.5 million. Poliner v. Texas Health System,
No. Civ. A.3:00-CV-1007-P (N.D. Tex. 2006). On appeal. the Fifth Circuit set aside this judgment completely. Poliner v.
Texas Health Systems, 537 F.3d 368 (5th Cir. 2008). The appeals court held that immunity under HCQIA precluded any
monetary recovery. In reversing the judgment, the court adopted an objective standard for finding a reasonable belief that
the action was in furtherance of quality healthcare, as required for statutory immunity.
The recent case of Johnson v. Christus Spohn is also instructive regarding how important it is for organizations to properly
handle credentialing practitioners in light of the fact that there is no immunity under HCQIA for federal claims involving
racial discrimination. Johnson v. Christus Spohn, 2008 U.S. Dist. LEXIS 10058 (S.D. Tex. 2008). The reality is that it is
quite simple for a plaintiff to allege racial discrimination even in the absence of facts that suggest such discrimination.
9

10

284

Enterprise Risk Management for Healthcare Entities, First Edition

Peer Review and Credentialing in an Era ofEnterprise Risk Management


to hospitals, managed care organizations, and the individuals who participate in the peer review and
credentialing process. As a result, peer review and credentialing programs must be structured in such
a manner as to ensure HCQIA compliance.
18.2.3

The Impetus for the Enactment of HCQIA

Before the U.S. Congress enacted HCQIA in 1986, physicians were hesitant to participate in
peer review and credentialing activities because of the threat of litigation brought by reviewed and/or
disciplined physicians. One influential jury award of $2.2 million in damages, in the case of Patrick
v. Burget,13 in part spawned the enactment of HCQIA. Briefly, as set out in the Ninth Circuit Court
of Appeals opinion, in 1972, the Astoria Clinic, a multispecialty clinic in the small community of
Astoria, Oregon, employed Dr. Timothy Patrick as a general surgeon.14 In 1973, Dr. Patrick rejected a
partnership offer from Astoria Clinic and opened his own clinic.15 Physicians from the Astoria Clinic
subsequently participated in a peer review investigation of Dr. Patricks treatment of patients whose
care he had provided at the only acute care hospital in Astoria.16 Dr. Patrick sued these physicians and
the Astoria Clinic and successfully argued that the physicians were motivated by anticompetitive factors. The Oregon federal court jury found that their actions violated federal antitrust laws.17
In Johnson, Dr. Tone Johnson, an African-American physician with a general family practice in Corpus Christi, Texas,
and his wholly-owned professional corporation sued Christus Spohn Health System Corporation and 20 individual physicians who participated in the peer review process that resulted in the summary suspension of his clinical privileges and
the later termination of his clinical privileges to practice at several of its hospitals. In this case, the court granted summary
judgment to the defendants on all claims, other than racial discrimination, based on immunities provided by HCQIA and
Texas law. Then the court considered Dr. Johnson's allegation of race-based discrimination and found it largely consists
of questionable personal opinions and speculation with little evidentiary support. For example, Dr. Johnson alleged that the
Medical Executive Committee was "all white and/or consider themselves to be white." In reality, all of the parties agreed
that the Medical Executive Committee included several Hispanic and Indian doctors. The court stated, "[n]otwithstanding
Dr. Johnson's curious remarks, the racial composition of the Medical Executive Committee fails to support an inference of
discrimination because, even assuming the Medical Executive Committee were made up of all white doctors or doctors
who consider themselves to be white, Dr. Johnson fails to show any actions on their part indicating a racial basis against
Dr. Johnson." As a result, the court granted the motion for summary judgment in its entirety.

In a similar case, Johnson v. Willapa Harbor Hospital, the U.S. District Court for the Western District of Washington ruled
that a hospital was entitled to summary judgment in another African American doctor's action alleging discrimination and
other state law claims with regard to the hospital's denial of his application for reappointment to the medical staff. Johnson
v. Willapa Harb. Hosp., No. 07-5336 (W.D. Wash. Oct. 16, 2008). The district court granted the hospital's motion for summary judgment on all claims. Specifically regarding the discrimination claim, the court held that Dr. Antoine Johnson provided
no evidence that could give rise to unlawful discrimination.

In an interesting twist on Johnson v. Christus Spohn and Johnson v. Willapa Harbor Hospital, in Johnson v. Riverside
Healthcare System LP, Dr. Christopher Johnson filed a complaint alleging discrimination pursuant to federal law and
state law (California's Unruh Civil Rights Act) after he was not reappointed to the medical staff at Riverside Community
Hospital after his privileges lapsed. Johnson v. Riverside Healthcare System LP, No. 06-55280 (9th Cir., July 23, 2008).
Dr. Johnson, who designated himself as African American and bisexual, claimed that he had been harassed due to his
race and sexual orientation. Dr. Johnson treated patients at the hospital pursuant to a professional services agreement that
designated him as a contractor. The Ninth Circuit dismissed his state law discrimination claim, holding that the state
law provides protections to consumers and customers but does not extend to situations involving employment. The court
determined that a contract physician working under the terms of a professional service agreement with a hospital was in a
position equivalent to that of an employee.
13. Patrick v. Burget, 800 F.2d 1498 (9th Cir. 1986), rev'd, 108 S. Ct. 1658 (1988).
14. Patrick, 800 F.2d 1498, 1502.
15. Id.
16. Patrick, 108 S. Ct. 1658, 1665.
17. 42 U.S.C. 11101(5).


As a result of cases such as Patrick v. Burget, Congress feared that physicians would refuse to
participate in credentialing actions without protection from liability. At the same time, Congress was
concerned that without proper peer review, incompetent physicians would continue to be able to harm
patients. The result was the enactment of HCQIA, responding to an "overriding national need to provide incentive and protection for physicians engaging in effective professional peer review."18
18.2.4 Overview of HCQIA's Immunity Provisions and Reporting Requirements

HCQIA has two parts. The first part sets forth what is necessary to receive immunity from monetary
damages as a result of a professional review action, and the second part authorizes the establishment
of a nationwide system for reporting adverse professional review actions, known as the National Practitioner Data Bank.
HCQIA provides immunity from monetary liability to healthcare entities and individuals who
participate in professional review actions, including credentialing determinations, which meet certain
procedural requirements.19 Healthcare entities include hospitals, health maintenance organizations
(HMOs), and group medical practices that provide healthcare services and follow a formal peer review
process for the purpose of furthering quality healthcare.20 Professional societies also may be healthcare
entities under HCQIA if they follow a formal peer review process for the purpose of furthering quality
healthcare.21 Professional review action means an action or recommendation taken in the conduct of
a professional review activity based on the competence or professional conduct of a physician, which
adversely affects or could adversely affect the health or welfare of a patient.22 In addition, persons
who provide information to a healthcare entity regarding the competence or professional conduct of
a physician also are immune from damages under federal and state law, unless the person knowingly
provided false information.23
In order to qualify for immunity under HCQIA, a healthcare entity must comply with certain
procedural safeguards when conducting peer review on and credentialing a physician (defined as an
M.D., D.O., or dentist).24 In general, in order to receive immunity, a peer review or credentialing action
regarding the professional competence or professional conduct of a physician must be taken:
• in the reasonable belief that the action was in the furtherance of quality healthcare;
• after a reasonable effort to obtain the facts of the matter;
• after adequate notice and hearing procedures are afforded to the physician or after such other
procedures as are fair to the physician under the circumstances; and
• in the reasonable belief that the action was warranted by the facts known after such reasonable
effort to obtain the facts.25

18. 42 U.S.C. 11111(a)(1).
19. 42 U.S.C. 11151(4)(A) (i)(ii).
20. 42 U.S.C. 11151(4)(A)(iii).
21. 42 U.S.C. 11151(9).
22. 42 U.S.C. 11111(a)(2).
23. 42 U.S.C. 11151(8).
24. Id.

More specifically, HCQIA states that a healthcare entity is deemed to have met the adequate
notice and hearing requirements above if the physician has been given notice of a proposed peer
review action that states the reason for the proposed action and informs the physician of the right to
request a hearing on the proposed action.26 If a physician requests a hearing, the physician must then
be given notice of the place, time, and date of the hearing as well as a list of witnesses expected to
testify at the hearing.27
Ultimately, the hearing must be held before (1) a finder of fact who may be an arbitrator mutually acceptable to the physician and the healthcare entity; (2) a hearing officer appointed by the entity
who is not in direct economic competition with the physician involved; or (3) a panel of individuals
appointed by the healthcare entity who are not in direct economic competition with the physician
involved.28 A panel of individuals may include a hearing officer who is responsible to oversee the
conduct of the hearing and ensure compliance with procedural standards. During the hearing, the
physician has the right to be represented by an attorney or other person of his or her choice, to have a
record made of the proceedings, to call and examine witnesses, to present evidence, and to submit a
written statement at the close of the hearing.29
18.2.5 The National Practitioner Data Bank

The second part of HCQIA resulted in the creation of the National Practitioner Data Bank (NPDB).
Congress determined there was a need for a national physician reporting system in order to restrict
the ability of incompetent physicians to move from state to state without disclosure or discovery of
the physician's previous damaging or incompetent performance.30 Prior to the NPDB, tracking such
incompetent itinerants had been difficult at best. The NPDB serves as an information clearinghouse to
collect and release certain information related to the professional competence and conduct of physicians, and in some cases additional practitioners, to qualified healthcare entities.
Hospitals and other healthcare entities, such as HMOs and PPOs, must report (1) professional
review actions related to professional competence or professional conduct that adversely affect the
clinical privileges of a physician for more than 30 days; and (2) a physician's voluntary surrender or
restriction of clinical privileges while under investigation for professional competence or conduct.31
Hospitals, unlike other healthcare entities such as HMOs and PPOs, must query the NPDB when
screening applicants for a medical staff appointment or expanding clinical privileges, and must subsequently screen healthcare practitioners every two years who serve on the medical staff or who have
clinical privileges.32 Other healthcare entities may query the database in support of professional review
activities.33 Such information from the NPDB will assist hospitals in meeting their corporate compliance
obligations.34

25. 42 U.S.C. 11112(a).
26. 42 U.S.C. 11112(b)(1).
27. 42 U.S.C. 11112(b)(2).
28. 42 U.S.C. 11112(b)(3).
29. 42 U.S.C. 11112(b)(3)(C).
30. 42 U.S.C. 11101(2).
31. 42 U.S.C. 11133.

The NPDB contains adverse licensure action reports on practitioners and dentists (including revocations, suspensions, reprimands, censures, probations and surrenders for quality purposes); adverse
clinical privilege actions against practitioners and dentists; adverse professional society membership
actions against practitioners and dentists; and medical malpractice payments made on all healthcare
practitioners. Groups that have access to this data system include: (1) hospitals; (2) other healthcare
entities that conduct peer review and provide or arrange for care; (3) State Boards of Medical or
Dental examiners; (4) other healthcare practitioner State boards; and (5) practitioners conducting a
self-inquiry. Unauthorized release of information contained in the NPDB may result in a $10,000
fine for each individual and entity involved in the release. However, a hospital can be appointed as
an agent of another healthcare facility and then obtain such information on its behalf without violating federal law. Any such principal-agent relationship should be formally documented to avoid any
disputes between facilities and claims by practitioners about the unauthorized release of information.
Under such circumstances, an agent must submit a separate request for information for each entity on
whose behalf it is acting.
18.2.6 Healthcare Integrity and Protection Data Bank

Another federal data bank, the Healthcare Integrity and Protection Data Bank (HIPDB), was opened
in 1999. The HIPDB contains information regarding certain final adverse actions against healthcare
providers, suppliers, or practitioners. Federal law prohibits the release of information contained in the
HIPDB to anyone except Federal and State government agencies, health plans, and self queries from
healthcare suppliers, providers and practitioners.35 Therefore, hospitals do not have direct access to
the HIPDB. Final adverse actions include: (1) civil judgments against a healthcare provider, supplier,
or practitioner in Federal or State court related to the delivery of a healthcare item or service; (2) Federal or State criminal convictions against a healthcare provider, supplier, or practitioner related to the
delivery of a healthcare item or service; (3) actions by Federal or State agencies responsible for the
licensing and certification of healthcare providers, suppliers, or practitioners; (4) exclusion of a healthcare provider, supplier, or practitioner from participation in Federal or State healthcare programs; and
(5) any other adjudicated actions or decisions that the Secretary establishes by regulations. Settlements
in which no findings or admissions of liability have been made are excluded from reporting. However,
any final adverse action emanating from such settlements and consent judgments otherwise reportable
under the statute will be reported in the data bank. All final adverse actions are required to be reported
regardless of whether such actions are being appealed by the subject of the report.

32. 42 U.S.C. 11135(a).
33. 42 U.S.C. 11137(a).
34. 45 CFR 60.13. See, generally, Kadzielski, A New Quality Challenge: Coordinating Credentialing and Corporate
Compliance, 14 Annals of Health Law 409 (Summer, 2005).
35. 45 CFR 61.14.


In order to ensure that the NPDB and HIPDB contain all relevant information, federal law imposes
specific reporting requirements on entities that collect information on practitioners.36 Failure to report
such information can lead either to the imposition of severe monetary sanctions or to the withdrawal
of immunity under federal law for peer review activities.37 It is therefore crucial that any healthcare
entity required to report information to either the NPDB or HIPDB maintain policies and procedures
that ensure that reporting is timely made.
18.2.7 The Effect of the Americans with Disabilities Act on Current Credentialing Practices

Since it was first enacted into law, the Americans with Disabilities Act (ADA) has been the subject of much discussion with respect to healthcare organizations. It is useful to review what the law
requires with respect to care providers. Of equal import is the relationship of the ADA to the credentialing process.
18.2.8 Overview of the ADA

The purpose of the ADA is to protect a qualified person with a disability (defined as a person
who has a physical or mental impairment that substantially limits one or more major life activities, a
person who has a history or record of such an impairment, or a person perceived by others as having
such an impairment) from discrimination in the employment, public services, and public accommodations arenas.38 The ADA has shaped current credentialing practices regarding the types of initial and
recredentialing inquiries that healthcare entities can make about a healthcare practitioner's possible
physical or mental disabilities. However, applicability of the ADA to the credentialing of non-employee
practitioners, such as practitioners who seek to serve on the medical staffs of hospitals or contract with
managed care organizations, remains uncertain.
Title I of the ADA is applicable to the employment setting and prohibits employers from discriminating against qualified individuals with disabilities who are capable of performing the essential job
in question with or without reasonable accommodation.39 Title II of the ADA applies to state and local
government activities40 and Title III addresses owners and operators of public accommodations.41 All
three ADA titles affect credentialing procedures.
Title I unequivocally applies to the employment of practitioners at hospitals and other healthcare
entities. However, uncertainty exists about whether or not Title I applies to non-employee healthcare
practitioners, such as medical staff physicians at hospitals and contracted practitioners with managed
care organizations.42 Although no courts have specifically held that Title I applies in such non-employee
situations, some courts have determined that similar antidiscrimination laws tied to employment apply
to non-employee situations.

36. 45 CFR 60.4-9; 45 CFR 61.4-11.
37. 45 CFR 60.7, 60.9; 45 CFR 61.9, 61.11.
38. 42 U.S.C. 12101 et seq.
39. 42 U.S.C. 12112.
40. 42 U.S.C. 12182.
41. Id.
42. For a more in-depth examination of the ADA's Title I application to non-employee practitioners, see Jack S. Schroeder, Jr.,
Credentialing Strategies for a Changing Environment: Establishing and Operating an Effective Program, BNA's Health L. &
Bus. Series No. 1000, 1000:0506–0507.

Non-employee healthcare practitioners have been more successful in bringing ADA claims under
Titles II and III because the existence of an employment relationship is not material to these claims.
Title II of the ADA, which applies to public entities, including public hospitals, prohibits public entities
from discriminating against qualified individuals on the basis of a disability.43 Healthcare practitioners
have also challenged peer review actions on the basis of Title III's prohibition against discrimination
of persons with disabilities by operators of public accommodations. Title III provides that:
No individual shall be discriminated against on the basis of disability in the full and equal
enjoyment of the goods, services, facilities, privileges, advantages, or accommodations of any
place of public accommodation by any person who owns, leases (or leases to), or operates a
place of public accommodation.44
In Menkowitz v. Pottstown Memorial Medical Center, the U.S. Court of Appeals for the Third
Circuit held that Title III was applicable to a private hospital's denial of privileges to a physician after
he had been diagnosed with attention deficit disorder.45 However, the dissenting opinion in Menkowitz,
which has been cited by other courts, stated that Title III's purpose was intended to protect persons
who are customers or clients that patronize the place of public accommodation and was not intended
to protect healthcare practitioners.46
In a case subsequent to Menkowitz and with similar facts, a U.S. District Court in South Dakota
squarely rejected the premise that a practitioner can sue a hospital under Title III of the ADA. In
Wojewski v. Rapid City Regional Hospital, Dr. Wojewski, a cardiothoracic surgeon, had staff privileges at Rapid City Regional Hospital.47 In 1996, Dr. Wojewski requested and was granted a leave
of absence from the medical staff because of his exhibition of unusual behavior.48 Shortly thereafter,
Dr. Wojewski was diagnosed with bipolar disorder and sought treatment.49 The hospital reinstated his
privileges on the recommendations of four psychiatrists who informed the hospital that Dr. Wojewski
could safely treat patients. However, in 2003, the hospital suspended his privileges after Dr. Wojewski
had a manic episode during a surgical procedure. The court dismissed Dr. Wojewski's Title III claim
and concluded that he does not qualify as an individual for purposes of Title III because he is not a
client or customer of [the hospital].50 While the logic of the Wojewski decision is clear, given these
two judicial interpretations, it remains debatable, outside of Title II's application to public hospitals,
whether or not the ADA applies to the credentialing of non-employee practitioners.

43. See Judice v. Hospital Serv. Dist. No. 1, 919 F. Supp. 978, 982 (E.D. La. 1996). Dr. Judice, a neurosurgeon who had
been previously suspended from a public hospital for alcoholism and had his privileges suspended by the Louisiana State
Board of Medical Examiners, sued the public hospital for violation of Title II of the ADA. The court dismissed the hospital's claim that Title II did not apply because Dr. Judice was not a traditional employee of the hospital and allowed the
lawsuit to continue.
44. 42 U.S.C. 12182(a).
45. Menkowitz v. Pottstown, 154 F.3d 113, 117 (3d Cir. 1998); But see Wojewski v. Rapid City Reg'l Hosp., 394 F. Supp.
2d 1134 (D.S.D. 2005).
46. Menkowitz, 154 F.3d 113, 126–27.
47. Wojewski, 394 F. Supp. 2d 1134, 1137.
48. Id.
49. Id.
50. Id.

18.2.9 Impact of the ADA on Current Credentialing Practices

Despite the uncertainty of the ADA's application to the credentialing of non-employee practitioners, many concepts set forth in the ADA have served to shape the scope of credentialing inquiries.
The ADA regards mental illness, alcoholism, and past drug use as disabilities. However, such conditions may have a direct impact on patient safety and the practitioner's ability to provide healthcare
services. Healthcare entities, therefore, have a need to request such information.
Until the courts or government agencies provide healthcare entities with more guidance concerning the scope and applicability of the ADA, the true impact of the ADA on credentialing practices
remains largely uncertain.
18.2.10 The Effect of Section 504 of the Rehabilitation Act of 1973

Section 504 of the Rehabilitation Act of 1973 is similar to the ADA in that it protects qualified disabled individuals from discrimination. The law provides that no otherwise qualified individual with a
disability shall be excluded from the participation in, denied the benefits of, or be subject to discrimination under any program or activity receiving Federal financial assistance.51 The nondiscrimination
requirements of the law apply to employers and organizations that receive financial assistance from
any federal department or agency. Therefore, Section 504 presumably applies to any healthcare facility participating in either Medicare or Medicaid. Where healthcare providers credential and employ
practitioners, Section 504 mandates nondiscrimination in the hiring process.
In the Menkowitz case, discussed above, the court held that Dr. Menkowitz (a non-employee of the
hospital) could continue his claim against the hospital based upon a violation of Section 504.52 However, in Wojewski, also discussed above, the court dismissed Dr. Wojewski's Section 504 claim on the
rationale that Section 504 was designed to prohibit discrimination in an employment relationship and,
therefore, did not apply to Dr. Wojewski's relationship with the hospital as a member of its medical
staff.53 The Wojewski court specifically distinguished the holding on this issue by the Menkowitz court.
Because Wojewski is a more recent interpretation, healthcare providers who do not employ practitioners or their medical staffs may take some comfort from this conclusion. However, as with the ADA,
the issue of whether Section 504 applies in the context of credentialing non-employee healthcare
practitioners remains debatable.
18.2.11 State Law on Credentialing

To varying degrees, most states supplement federal statutory credentialing provisions with their
own legislative pronouncements on credentialing. Through the enactment of regulations, many states
require a healthcare facility to credential its practitioners before granting clinical privileges. For
example, in California, "all members of the medical staff [are] required to demonstrate their ability to
perform surgical and/or other procedures competently and to the satisfaction of an appropriate committee at the time of application for appointment to the staff and at least every two years thereafter."54
Further, the doctrine of corporate liability for negligent credentialing, a state law tort theory, necessitates implementing and maintaining written credentialing policies and procedures.

51. 42 U.S.C. 794(a).
52. Menkowitz, 154 F.3d 113, 123.
53. Wojewski, 394 F. Supp. 2d 1134, 1142.
18.2.12 Accreditation Standards

Accreditation standards require that practitioners be credentialed prior to being granted privileges
to practice medicine at a facility. Apart from state law and the Medicare Conditions of Participation
for Hospitals, a governing body's responsibility for credentialing practitioners who practice within
its hospital is established by accrediting bodies such as the Joint Commission. The Joint Commission
standards require that the mechanisms for appointment or reappointment to the medical staff and the
initial granting and renewal or revision of clinical privileges be fully documented in the medical staff
bylaws, rules and regulations, and policies.55
Outside the hospital context, similar standards exist for MCOs and ambulatory surgery centers
(ASCs) through accrediting bodies such as the NCQA and the Accreditation Association for Ambulatory Health Care (AAAHC), as well as a number of others. For example, the NCQA requires that
"[t]he managed care organization document the mechanism for the credentialing and re-credentialing
of MDs, DOs, DDSs, DPMs, DCs, and other licensed independent practitioners with whom it contracts or employs who treat members outside the inpatient setting and who fall within its scope of
authority and action."56
18.2.13 Internet Credentialing

With the advent of the Internet, new opportunities are available for facilities in their ongoing
efforts to credential practitioners. Online databases, such as the Office of Inspector General's (OIG)
List of Excluded Individuals/Entities (LEIE) and web sites maintained by state licensing authorities,
provide additional information regarding practitioners to the public, including consumers and individuals not otherwise entitled to similar information maintained by the National Practitioner Data Bank
(NPDB) or the Healthcare Integrity and Protection Data Bank. The existence of these databases may
also establish a new standard of care regarding the frequency of checking whether practitioners have
been disciplined. The OIG may impose a Civil Monetary Penalty of up to $10,000 for each item or
service furnished by an individual excluded from participation in a federal healthcare program (e.g.,
Medicare, Medicaid, etc.) on any individual or entity which contracts with the excluded individual. For
liability to be imposed, the provider submitting the claims for healthcare items or services furnished by
an excluded individual must either know or should know that the person was excluded.57 Thus, the
OIG urges health care providers and entities to check the OIG List of Excluded Individuals/Entities
on the OIG web site (www.hhs.gov/oig) prior to hiring or contracting with individuals or entities.58
Providers should also periodically check the OIG web site to determine the participation/exclusion
status of current employees and contractors. Although the OIG does not expressly state how often
providers should check the web site, one may infer the appropriate frequency from the fact that the
OIG updates the LEIE monthly.

54. Title 22 California Code of Regulations Section 70701–70703.
55. The Joint Commission, Hospital Accreditation Standards, MS. 01.01.01.
56. NCQA Standards for Accreditation, CR1.
57. 42 CFR 1003.102(a)(2).

18.3 Documentation of Credentialing Criteria

Key to the uniform application of credentialing criteria is documentation of the criteria in a
facility's governance documents, such as the bylaws, rules and regulations, and policies, procedures,
and protocols. Each of these documents serves a different function. Generally, the bylaws provide
an organization's basic framework. In the hospital context, medical staff bylaws delineate the staff's
responsibilities, the basic framework for committees and members, the process by which staff members are disciplined, and the delegation of functions. The rules and regulations provide additional
details on operational aspects of performing the responsibilities assigned by the bylaws. At a minimum,
documentation of, and adherence to, written credentialing criteria delineated in governance documents
invalidates the argument that a facility randomly and discriminatorily applies its credentialing criteria.
A healthcare organization's policies, procedures, and protocols contain the detailed rules and regulations that govern day-to-day operations. These documents can contain as much detailed information as
is deemed necessary. In fact, it is advisable in many circumstances that they contain the most detailed
information available in order to guide the medical staff and ensure consistency in the day-to-day
decision-making of the organization's practitioners.
Written credentialing criteria should be directly related to patient care and based on objective factors such as education, experience, and current competence rather than on arbitrary distinctions based
on title. If distinctions are to be made between the types of services that can be provided by two groups
of practitioners (for example, radiologists and emergency department practitioners, orthopedists and
podiatrists, or psychiatrists and psychologists), they should derive from objective criteria and the
standard of care in the community to avoid the appearance of discrimination based solely on profession. Properly developed and documented credentialing criteria that are applied appropriately should
withstand the strictest scrutiny.
In addition, written credentialing criteria should be facility-specific and based upon such factors
as a facility's license capacity and availability of equipment, personnel, and services. Practitioners
should not be granted privileges to perform procedures that exceed the facility's financial and personnel resources. Drafters and reviewers of credentialing criteria should be cognizant of the health
facility's assets and limitations when reviewing the credentialing criteria.
Documentation of credentialing criteria should not be done haphazardly, at the last minute, or after
the fact. Credentialing criteria must be reviewed by committees and/or bodies that are responsible for
establishing those criteria, such as a credentialing committee, an executive committee, and the hospital
governing body. To minimize legal liabilities, it is vital for leadership such as the executive committee
and the governing body to provide oversight and input, as well as final approval of such criteria.
58. 64 Fed. Reg. 52791, 52793 (September 30, 1999) (OIG Special Advisory Bulletin).


18.4 Potential Liabilities Related To Credentialing

Hospital counsel must be vigilant in advocating the establishment and maintenance of written
policies and procedures. Healthcare facilities that credential practitioners may be liable to those very
same practitioners for discrimination; restraint of trade; economic credentialing; violation of the facility's bylaws, rules and regulations, and policies and procedures; and a plethora of other actions or
inactions. Effective risk management must be wary of not only the acts or omissions for which a
facility may be liable to practitioners who exercise privileges there, but also the potential liabilities a
facility may have to patients, their families, estates, and/or legal representatives.
Early implementation of written policies and procedures or protocols can be accomplished only
when legal counsel and risk managers keep abreast of the rapidly evolving healthcare sector and are
able to identify potential liabilities before they occur. Failure to perceive potential liability issues
early will result in a lack of written policies and procedures and the absence of a uniform and sound
approach to risk issues, thus increasing the risk of litigation. Effective implementation of policies to
minimize the legal risk associated with no longer novel causes of action such as negligent credentialing and economic credentialing should be undertaken.
18.4.1 Negligent Credentialing

Traditionally, there was no institutional liability for the negligence of individual providers. However, beginning in 1965 with Darling v. Charleston Community Memorial Hospital, various state courts
began recognizing a new doctrine called hospital corporate liability.59 In Darling, the Supreme Court
of Illinois held that the hospital had an independent duty to ensure that high-quality care was rendered
at its facility, and held the hospital accountable for negligently screening the competency of its medical staff. The vast majority of states have adopted some form of the hospital corporate liability theory
thereby providing some legal relief for the tort of negligent credentialing.60
Healthcare facilities and providers should not be surprised to see the doctrine of corporate liability
extended to MCOs, IPAs, and IDSs in the near future.61 As with hospitals, courts will likely conclude that
such entities have a duty to credential and recredential affiliated practitioners and monitor the quality
of care provided by affiliated practitioners. And if healthcare delivery systems credential practitioners,
such systems have a duty to credential them thoroughly and properly. If an MCO, IPA, or IDS breaches
its duty to provide high-quality care to a patient by failing to screen out incompetent practitioners or
take appropriate measures against practitioners who are providing substandard medical care, the entity
may be negligent based on a theory of corporate liability.

59
211 N.E.2d 253 (Ill. 1965). See Kadzielski, A New Quality Challenge: Coordinating Credentialing and Corporate
Compliance, 14 Annals of Health Law 409 (Summer, 2005).
60
See Kadzielski, Provider Deselection and Decapitation in a Changing Healthcare Environment, 41 St. Louis L.J. 891
(Summer, 1997), and cases cited at note 12, supra. In California, the theory of corporate liability for negligent credentialing
was established in Elam v. College Park Hospital, 132 Cal.App.3d 332 (1982).
61
In McClellan v. Health Maintenance Organization, 604 A.2d 1053, allocatur denied, 616 A.2d 985 (Pa. 1992), the
court held that an HMO may be held liable under the theory of ostensible corporate liability for failing to select and retain
only competent individuals.

The nexus between the healthcare delivery system and the medical care provided may be based on
a healthcare system's advertising claims. Advertising campaigns used by healthcare entities to attract
new consumers generally contain representations regarding the qualifications of affiliated practitioners
and the high quality of care that patients can expect from a particular plan's practitioners. Representations regarding the quality of care to be provided by practitioners affiliated with MCOs, IPAs, and
IDSs are much more direct than the implied representations attributed by courts to hospitals upon
which corporate liability was based in the 1960s. Thus, based on the same theoretical underpinnings,
liability may be easily extended to MCOs, IPAs, and IDSs.62
Moreover, we may see corporate liability further extended to management services organizations
(MSOs) and other independent contractors that credential practitioners on behalf of a hospital, MCO,
IPA, or IDS. Legal counsel to MSOs must be aware of such potential liability and should advocate the
institution and maintenance of uniform written credentialing procedures if the facility has contracted
for, or is entrusted with, credentialing functions.

18.4.2 Economic Credentialing

Currently, economic credentialing is a bone of contention between some practitioners and healthcare institutions. The term economic credentialing has been used to denote a credentialing, selection,
or termination action based, at least in part, on economic considerations. The current absence of a
definitive determination by state legislatures, courts, and professional associations on the parameters
of using economic criteria in credentialing decisions and the legal and medical communities' failure to
provide an acceptable definition of the term may render the use of economic criteria a double-edged
sword with costly consequences.
In simple terms, economic credentialing is the use, in the credentialing of a practitioner, of data
that indicate his or her effect on the financial success of a facility. This term also refers to the use of
data that reflect the proportion of indigent patients admitted or treated by a particular practitioner at
a facility. The economic factors generally relate to a practitioner's utilization of healthcare resources
and a provider's profits for the facility resulting from his or her payer mix, market share, charges, and
collections.
Apart from the position (or lack thereof) of professional associations, the legislatures, and the
courts on economic credentialing, the economic pressures on healthcare systems make it probable that
economic factors will continue to be used in credentialing decisions. To minimize potential liability,
risk managers and legal counsel should be familiar with Medicare's position on the use of economic
credentialing by hospitals. The Medicare Conditions of Participation for Hospitals provide that
"[t]he governing body must [e]nsure that under no circumstances is the accordance of staff membership or professional privileges in the hospital dependent solely upon certification, fellowship, or
membership in a specialty body or society."63 Accordingly, if economic criteria are to be used in
hospital credentialing decisions, they should not be the sole basis for terminating or granting medical
staff privileges. If this does occur, there is a possibility of not merely civil liability but also potential
administrative penalties that the Centers for Medicare and Medicaid Services can impose, such as
exclusion from the Medicare program.

62
In Petrovich v. Share Health Plan, 188 Ill.2d 17 (1999), the Illinois Supreme Court considered portions of the health
plan's member handbook that referred to the comprehensive high quality services purportedly provided by plan physicians to hold that an HMO could be held vicariously liable under an apparent authority theory for the malpractice of its
independent contractor physicians. See also Villazon v. Prudential Health Care Plan, 843 So.2d 842, 854 (Fla. 2003),
where the Florida Supreme Court held that the totality of the evidence led to the conclusion that the HMO had the right
to control the means by which plan physicians rendered medical care to enrollees.

Using economic criteria in a uniform, reasonable manner to educate practitioners and to identify
the links between economic factors and quality of care may minimize potential liability. For example,
disclosure of reasons for refusal to grant privileges or for termination of privileges may diminish the
legal liability associated with economic credentialing. Educating practitioners about the efficient use
of healthcare resources is helpful in this regard. One such approach is to use practitioner profiling
of cost, quality, and utilization data. Sharing profiled information with practitioners allows them to
change their approach to a more cost-effective one while preserving the quality of care. Furthermore,
challenges to economic credentialing may hinge on inclusion of these procedures in written governance documents such as the bylaws, especially in states where bylaws are deemed to be a contract
between facility and practitioner. Economic credentialing is more fully discussed in Chapter 19.

18.4.3 Disclosure of Individual Providers' Quality Outcome Information

Driven by the need to compete in a changing healthcare market, many different entities, such as
managed care plans, payers, and employers, may seek quality outcome information from a healthcare
delivery system. The quantifiable nature of such information renders it an effective marketing tool
that can be easily disseminated to the public, which can then compare individual providers and make
informed choices about the quality of the providers associated with a managed care plan. Quality
outcome information also allows employers to easily ascertain which managed care plan will be the
best one for their employees.
However, legal and regulatory constraints are often imposed on healthcare delivery systems that
can result in the nondisclosure of information or the limitation of the types of information that can
be disclosed. The entities to whom quality outcome information can be disclosed should be independently determined by each healthcare facility with the assistance of its legal counsel, which will play
a crucial role in maneuvering the facility through the quagmire of legal and regulatory provisions. By
creating written protocols and guidelines for disclosure, the risk manager can assist the organization in
handling such highly sensitive and confidential information.
First, such protocols should be based on applicable state law, if it exists. Second, facilities should
determine whether quality outcome information is protected from discovery. Statutory privileges
accorded to peer review information may protect quality outcome information if such information is
discussed and analyzed in the peer review process for peer review purposes. Whether a facility is willing to disclose such information should be dependent, in part, on whether the information is protected
by state law. Third, if a facility's written policy permits the release of such information, the facility
should obtain written authorization from practitioners allowing its release. Preferably, such release
should be obtained upon the practitioner's membership in the organization rather than at the time that
such information is requested.

63
42 CFR 482.12(a)(7).

Depending on the scope of payers' requests, facilities may want to consider disclosing quality
outcome information, provided that patient and practitioner anonymity are maintained. Disclosure
of provider-specific quality outcome information, however, is plagued with peril. The provider whose
quality outcome information is released may have some legal rights. The wrongful disclosure of provider-specific quality outcome information may embroil a facility in costly litigation. Accordingly,
quality outcome information should be released only in accordance with a written policy based on
applicable state law and reviewed by the appropriate facility departments and individuals.

18.4.4 Violation of the ADA and/or the Rehabilitation Act

As noted earlier, the impact of the ADA and Section 504 of the Rehabilitation Act on the credentialing of healthcare practitioners remains unclear. The ADA prohibits discrimination based on the
physical or mental status of an individual.64 Section 504 of the Rehabilitation Act similarly prevents
discrimination based on the physical or mental status of an individual in any program or activity
receiving federal financial assistance, and thus Section 504 presumably applies to any healthcare facility participating in either Medicare or Medicaid.65
Courts have begun to address the applicability of the ADA to credentialing decisions at private
hospitals and/or other nonpublic healthcare facilities. In Menkowitz v. Pottstown Mem'l Med. Ctr., the
Third Circuit held that both the ADA and Section 504 of the Rehabilitation Act prohibit disability
discrimination against a medical doctor with staff privileges at a hospital. In Menkowitz, a practitioner
claimed he had been discharged in violation of the ADA and Section 504 of the Rehabilitation Act
when his clinical privileges were summarily suspended after he disclosed to the Medical Staff that
he had been diagnosed with attention deficit disorder. However, the Eighth Circuit upheld summary
judgment to a hospital being sued for violations of the ADA and the Rehabilitation Act by a cardiac
surgeon with severe manic-depressive disorder. The court held that a member of the Medical Staff was
an independent contractor who was not entitled to claim the benefits of either federal law, and directly
disagreed with the Menkowitz ruling.66 And, in 2008, the District Court for the Middle District of Pennsylvania granted an unusual judgment notwithstanding a jury verdict, overturning a $250,000 award
to a bipolar orthopedic surgeon, finding that he was a direct threat to patient safety.67 Obviously, this
issue is far from clearly resolved.
Facilities are granted broad discretion to collect and verify different types of information in the credentialing process. According to the Joint Commission, each facility must independently determine the
applicability of the ADA to its medical staff.68 Thus, a facility has the discretion to determine whether it
will require information pertaining to the physical or mental condition of the medical staff applicant.
64
42 U.S.C. §§ 12101-12213.
65
29 U.S.C. § 794.
66
Menkowitz v. Pottstown Mem'l Med. Ctr., 154 F.3d 113, 123-24 (3d Cir. 1998) and Wojewski v. Rapid City Regional
Hospital, 2005 WL 1397000 (D.S.D. 2005).
67
Hass v. Wyoming Valley Health Care System, 553 F. Supp. 2d 390 (M.D. Pa. 2008).
68
The Joint Commission, Hospital Accreditation Standards (MS. 11.01.01).

The NCQA similarly gives MCOs the following guidance on questioning applicants regarding
their physical and mental health status: "A practitioner completes an application for membership.
The application includes a current and signed attestation and addresses: reasons for any inability to
perform the essential functions of the position, with or without accommodation; [and the] lack of present illegal drug use."69 The NCQA further provides that "[t]he exact statement or inquiry may vary
depending on applicable legal requirements such as the Americans with Disabilities Act."70
However, the Joint Commission and the NCQA provide little guidance on the issue of the applicability of the ADA.71 Whether the ADA is applicable to healthcare facilities, and exactly when a facility
can inquire about applicants' mental and physical health status, will remain unclear until the ADA's
applicability to the credentialing process is further clarified by legislative or judicial intervention.
For guidance, facilities may want to review the Equal Employment Opportunity Commission
(EEOC) enforcement guidelines on ADA applicability. Although these guidelines do not provide guidance on ADA applicability to healthcare facilities, they may be useful in determining what types of
health status questions can be posed to applicants and when.
Based on accreditation standards and the EEOC enforcement guidelines, it appears reasonable
to request information from practitioners regarding their physical and mental ability to perform the
clinical privileges requested in connection with their application to the facility. However, ideally the
information should be considered only after the applicant has otherwise been approved for medical
staff membership and/or clinical privileges in order to avoid the inference that an adverse decision
was based solely on the disclosed disability. If the practitioner discloses a disability covered under the
ADA (or Section 504 of the Rehabilitation Act), the facility should assess whether reasonable accommodation would allow the practitioner to exercise clinical privileges and/or perform medical staff
duties consistent with the standards imposed upon non-disabled practitioners. The facility should also
carefully consider the manner in which questions regarding physical and mental ability are phrased. As
a result, all policy documents and applications addressing health status inquiries should be reviewed
by legal counsel.

18.4.5 Information Sharing and the Contractual Allocation of Risk in the Healthcare Enterprise

The proliferation of IDSs and the continuing consolidation of healthcare facilities raise issues of
information sharing between affiliated healthcare facilities. The development of credentialing policies
and procedures for practitioners and AHPs, as well as the actual credentialing of healthcare providers,
is costly and time-consuming. Healthcare facilities can decrease the time spent on such activities and
the associated costs, as well as eliminate duplication, by engaging in information sharing. Nevertheless, although information sharing is efficient and cost-effective if executed correctly, there are some
accreditation limitations and legal concerns that must be considered when determining the extent of
information sharing and the protection and use of the shared information.

69
NCQA Standards for Accreditation (CR 4).
70
NCQA Standards for Accreditation (CR 4 & footnote).
71
Id. and the Joint Commission, Hospital Accreditation Standards (MS. 11.01.01).

Initially, analyzing and implementing an information-sharing system will require a commitment
of significant time and resources. If such a system is to be implemented, it should be documented in a
written agreement. Also, bylaws, rules and regulations, and appointment and reappointment applications of all participating facilities should be reviewed and amended to reflect the information-sharing
system and to ensure a certain degree of consistency between facilities. Confidentiality agreements
also should be executed and enforced between facilities and their peer review members, and issues
pertaining to the release of patient-identifiable medical information, fraud and abuse, and the National Practitioner Data Bank and Healthcare Integrity and Protection Data Bank should be analyzed. Proper
implementation of an information system can be efficiently accomplished with the assistance of risk
management personnel who can identify and analyze facility-specific risk issues that may arise before,
during, and after implementation of an information-sharing system.

18.4.6 Contractual Provisions for the Confidentiality of Information

Sharing confidential peer review information poses questions regarding the discoverability of this
sensitive information. Some states, including California, protect peer review documents of licensed
health facilities such as hospitals and federally certified ASCs. Based on a state's definition of a healthcare facility and the concomitant protections that may be available, myriad healthcare entities, ranging
from hospitals to MCOs and ASCs, can share information.
Notwithstanding the statutory protections afforded peer review documents, facilities should
be wary of sharing confidential peer review information because any subsequent disclosure of peer
review committee records could result in a loss of this protection. Clearly, providing an entity with
confidential information makes it harder to control its dissemination. The risk of such disclosure and
the possible loss of statutory protection, if it is available, can be reduced if healthcare facilities enter
into written agreements limiting the sharing of such information for the purpose of peer review. Moreover, contract provisions should prohibit the further release of such information, identify the parties
entitled to review it, identify the method in which it should be maintained, and delineate a facility's
liability for failing to comply.
Facilities engaged in information sharing can mitigate the risk of voluntary disclosure of peer
review information by executing confidentiality agreements between not only the healthcare facilities,
but also each healthcare facility and each of its peer review committee members. To avoid dissemination of additional information, facilities also should consider removing identifying information on
practitioners (other than the practitioner under consideration) and patients' names from shared peer
review documents.

18.4.7 Obtaining Appropriate Releases

Practitioners who are damaged professionally by an unauthorized release of confidential peer
review information may have some legal rights. To avoid any such risk, facilities should require
providers to sign a release specifically authorizing the sharing of credentialing information between
facilities. Execution of such a release is particularly important because it serves as documentation
of authorization, notifies the practitioner of the conditions for release of information, and provides
a facility with a certain degree of immunity from liability. In addition, the facility's bylaws should
contain a provision that infers consent to release such information from an application for clinical
privileges or medical staff membership.

18.4.8 Negligent Referrals: Lessons from the Kadlec Case

Fear of potential defamation litigation has been a stumbling block for many healthcare facilities asked to provide an honest, candid letter of reference to another healthcare facility on behalf
of a credentialed clinician. The concern is particularly significant when the healthcare facility possesses evidence that would likely deter the other healthcare organization from credentialing the care
provider.
Traditionally, rather than provide candid, detailed information, many healthcare facilities have
responded to such requests by offering an affirmation that the care provider had a staff appointment.
Such a reference would include dates of staff appointment and privileges delineation. However, no in-depth information would be provided in response to a request for details about quality, concerns about
competency, or professionalism.
A 2005 lower federal court case in Louisiana sent shock waves among those responsible for handling medical staff credentialing issues. Although the Fifth Circuit Court of Appeals in 2008 overturned
the lower court's ruling with respect to the duty to disclose negative information, the case may still
be the sentinel indicator of change in such practices.72 In the initial underlying lawsuit in Washington
State, an anesthesiologist and a healthcare facility were sued for medical malpractice after Kim Jones,
a patient the doctor attended during surgery, was left with extensive brain damage. In the lawsuit, it
was claimed that Ms. Jones was injured due to gross negligence on the part of the anesthesiologist
and the fact that during the surgery the anesthesiologist was drug impaired. The defendants reached a
settlement with the plaintiff for $7.5 million.73
When it was conducting the credentialing process for the anesthesiologist, the Washington hospital had asked for information from references. One reference was from a Louisiana hospital where the
anesthesiologist had held privileges. The reference request asked for information about the physician's
current competence to perform anesthesia services. It had also asked its counterpart in Louisiana to
provide a candid assessment of the doctor's training, continuing clinical performance, skill, and judgment, interpersonal skills and ability to perform the privileges request.74 The Washington hospital
provided a questionnaire for the Louisiana facility to complete for this purpose.
The response from the Louisiana healthcare facility indicated that the doctor had been an active
member of the medical staff in anesthesiology from March 1977 to September 2001. The letter also
indicated that the limited amount of details furnished to the Washington facility was due to the large
volume of inquiries received in the office.75 Moreover, the Louisiana healthcare facility did not complete the questionnaire. Similar information was furnished to the Washington State Department of
Health and Staff Care, a locum tenens organization. The Washington hospital also received positive
letters of recommendation from two physician shareholders in the Louisiana anesthesia group that
had employed the anesthesiologist. One letter stated the anesthesiologist was an excellent clinician
and that he would be an asset to any anesthesia service. The other physician's letter stated he recommended him highly.

72
Kadlec Med. Ctr. v. Lakeview Anesthesia Assocs., 2005 U.S. Dist. LEXIS 10328 (E.D. La. May 19, 2005). The ruling
involved a motion for summary judgment filed by the defendants, a medical group and a hospital in Louisiana. Thereafter,
there were additional decisions involving other motions. On May 26, 2006, a jury awarded more than $4 million in the
case for fraud and negligent misrepresentation. See C.M. Ostrom, Lawsuit Won Over Doctor's Undisclosed Drug Problem,
Seattle Times, June 7, 2006. The Fifth Circuit later clarified this situation and absolved the hospital from any liability while
upholding the liability of all other defendants. 527 F.3d 412 (2008), cert. denied 129 S.Ct. 631 (2008).
73
Kadlec, 2005 U.S. Dist. LEXIS 10328 (E.D. La. May 19, 2005).
74
Id.

During the course of the discovery process, the Washington hospital and its insurer learned some
troubling information about the anesthesiologist. They found out that Lakeview Anesthesia Associates, whose members had provided references for the anesthesiologist, had terminated him for cause.
The Washington hospital and its insurer, which had funded the settlement of the underlying
malpractice lawsuit, then filed a lawsuit in federal district court in Louisiana against the Louisiana
healthcare facility, the anesthesiology group, and the individual shareholders of the anesthesiology
group. The lawsuit involved claims of intentional misrepresentation, negligent misrepresentation,
strict responsibility misrepresentation, and negligence. The claims were premised on the omission of
material information in the letters regarding the anesthesiologist's term at the Louisiana healthcare
facility and his employment at the anesthesiology group.
Apparently, during the last year he was on staff at the Louisiana facility, an audit of the anesthesiologist's records of narcotics revealed that he had not documented withdrawals of the drug Demerol.
In another instance, the anesthesiologist had not responded to pages during a 24-hour period. Personnel at the facility found the anesthesiologist seated in a chair. He appeared to be sedated. Suspicious
that he was engaged in diverting Demerol, the Louisiana anesthesiology group fired the doctor. The
anesthesiology group provided the anesthesiologist with a termination letter, which explained that he
was fired for cause. The letter stated: "[You have been fired for cause because] you have reported
to work in an impaired state. Your impaired condition has prevented you from properly performing
your duties and puts our patients at risk." (The positive referral letters from the anesthesiology group's
shareholders were dated a mere 68 days after the termination letter.) Subsequently, the doctor's medical staff privileges at the Louisiana hospital were allowed to expire without any formal action taken
against his privileges.
The Louisiana hospital filed a motion for summary judgment, claiming that the case failed to state
a genuine issue of material fact and that it could not be held culpable for negligence or misrepresentation with respect to the letter about the anesthesiologist.76
Focusing on the duty to disclose, the court said the Louisiana healthcare facility had a vested
pecuniary interest both in omitting the type of information at issue and answering inquiries of the
type77 made by the Washington hospital. For its part, the Louisiana facility recognized that it held
back furnishing information because of a fear of liability from the anesthesiologist for defamation.
The court noted that the Louisiana healthcare facility had a pecuniary interest when responding to
credentialing inquiries. Should a facility decide not to respond to these sort of inquiries, it could
have difficulty recruiting and retaining physicians. Doctors might want to avoid working at a medical
facility that was unresponsive to requests for employment information, potentially foreclosing the
possibility that those doctors could gain future employment elsewhere.78

75
Id.
76
Id.
77
Id.

The court took into consideration public policy as well. It pointed to the need to disclose information related to a doctor's adverse employment history that risks death or bodily injury to future
patients.79 The court took the perspective that the two facilities were in a special relationship designed
to further communication between healthcare providers so that future patients could be protected.
Thus, if and when a hospital chooses to respond to an employment referral questionnaire, public
policy should encourage a hospital to disclose the sort of information at issue.80
The court found that a genuine issue of material fact was present regarding the materiality of
information not relayed to the Washington medical center. Indeed, the hospital furnished evidence that it
had relied on the letter from the Louisiana healthcare facility in credentialing the anesthesiologist.81
The court rejected the assertion of the Louisiana healthcare facility that the Washington hospital had not furnished proof of intent to deceive. The plaintiff offered information that during the
same time period when similar requests were made from other hospitals regarding physicians with an
unblemished record, the Louisiana facility provided much more than a generic response. In fact, in
these instances the Louisiana response was to the effect that there is no information of a derogatory
nature contained in Dr. [X]'s file.82 Based on this information the court found that there was a genuine
issue of material fact regarding the Louisiana hospital's intent to deceive the Washington hospital.
Ultimately, the case went to trial and a jury found for the Washington facility.83 The jury found that
the Louisiana hospital and the anesthesia group's shareholders made both intentional and negligent misrepresentations to Kadlec Medical Center, which were the proximate cause of the plaintiffs' damages.
After the jury verdict was announced on May 26, 2006, the federal trial judge, the Hon. Lance M.
Africk, stated:
What happened to Kim Jones was a tragedy, but it was a preventable tragedy. What happened
to Kim Jones should not have happened. When Lakeview Regional Medical Center and the
doctors wrote and responded the way they did, I am certain that they never envisioned what
would happen to Kim Jones. The fact is that it did. We all go home tonight, and this verdict
will be appealed as these parties argue over responsibility for the money paid Kim Jones
and her family. But as that continues to be argued, Kim Jones remains unresponsive in a
vegetative state, and her family has suffered a horrible loss.

78
Id.
79
Id.
80
Id.
81
Further, the court determined that a genuine issue of material fact existed with regard to causation. Id.
82
Id.
83
C.M. Ostrom, Lawsuit Won Over Doctor's Undisclosed Drug Problem, Seattle Times, June 7, 2006.

What happened to Kim Jones and her family should never happen to a member of your
family. When it comes to something as important as the physician who will be administering
anesthesia in an operating room, it appears to me that we have the right to know if that
physician previously had his privileges revoked by a hospital. We should have the right to
know that a physician was terminated from his previous practice because of drug-related
issues and other misconduct.
We have a right to know that the credentialing process is being properly performed. Prior to
going into surgery, Kim Jones could not have been less concerned about the large volumes
of requests that [either hospital] had. She was concerned about her health, about her safety
and getting back to her family. She was entitled to rely upon the hospital's promise that
patient safety was number one, and that prior to credentialing a physician, the hospital would
act in her interest and do everything it could to hire qualified and non-impaired physicians.
Your verdict is important because it will generate discussion about what occurred in this case,
why it occurred and what can be done to prevent it from ever happening again. Now that
your verdict has been made public, what happened during this credentialing process, whether
intentional or negligent, will be publicly debated.
It is this Court's hope that Congress will investigate the health care credentialing process and
related matters. For example, as a non-expert, it appears to me that there needs to be some
uniformity regarding the credentialing process and the questions that must be answered. There
must be some way of making certain that relevant information regarding the physician's
competence makes its way into a file which is accessible to those who need the credentialing
information. Kim Jones deserved no less. It is too late for her, but it is not too late for the rest
of us. Has society become so afraid of lawsuits that we are willing to hide from the truth
in matters affecting life and death? As we sit here, Kim Jones lies in a hospital bed unable to
testify or attend these proceedings. She did not have a vote, but you did. And you have carried
her message. I commend you for that.84
Judge Africk's poignant comments illuminate the harm that can come to patients when a healthcare organization is caught between trying to avoid a potential defamation lawsuit from a physician
and responding responsibly to a request for information. The Kadlec case clearly demonstrates that a
healthcare organization is at risk for negligent or false referrals in the credentialing process. The public
policy stressed by the court was the need to safeguard patient safety.
The Louisiana facility subsequently appealed the decision to the U.S. Court of Appeals for the
Fifth Circuit. Regarding the Louisiana facility's duty to disclose negative information, the Fifth Circuit
court overturned the district court's findings regarding the duty to disclose information and held that
the Louisiana facility did not have an affirmative duty to disclose the anesthesiologist's drug problem
pursuant to Louisiana law.85
84 Kadlec, 2005 U.S. Dist. LEXIS 10328 (E.D. La. May 19, 2005) (jury verdict and court's comments before the Honorable Lance M. Africk, United States District Judge, May 26, 2006).
85 Kadlec Medical Center v. Lakeview Anesthesia Associates, 527 F.3d 412 (May 8, 2008), cert. denied 129 S.Ct. 631 (2008).

The Fifth Circuit reached a different conclusion with respect to intentional misrepresentation
regarding the letters from the anesthesiology group's shareholders. Due to the glowing recommendations contained in both letters, the court held that the letters were false on their face and materially
misleading. Because the letters were false and misleading the defendants incurred a duty to cure the
statements in the letters by disclosing to the Washington hospital that the anesthesiologist had been
fired for on-the-job drug use. As a result, the court held the lower court had properly instructed the
jury to find for the Washington hospital on its intentional and negligent misrepresentation claims if
the jury concluded that the defendants' letters to Kadlec Medical Center were intentionally and negligently misleading.
Despite the fact that the Fifth Circuit found the Louisiana hospital had no duty to disclose the physician's drug problem, healthcare organizations must still carefully consider their credentialing policies
and procedures regarding the exchange of information in light of the Kadlec case. Suggested guidelines for exchanging information as provided by the Massachusetts Medical Law Report include:
1. Avoid informal communication. Outside of the [formal credentialing context], sharing disciplinary information risks liability. Informal communications, especially with regard to
pending corrective actions, increase the risk of spreading inaccurate information, and could
jeopardize the peer review practice.
2. Confirm the authorization to provide information. Credentialing applications generally include
an applicant's written authorization to release information. A responding [organization]
should confirm that authorization, including that it encompasses the requested information.
([Organizations] should also review their own applications to ensure that authorization is
adequately expansive.) Any disclosure must always be made in good faith, without malice,
and should be as limited as possible, while still being complete.
3. Respond in writing. Written responses provide a record of the request and its content. Oral
communications can be misheard, and, if litigation arises, will be difficult to remember
exactly. Email should be avoided, as it is often not carefully considered, as it can be circulated
broadly and is discoverable.
4. Stick to the questions and the facts. Any information exchanged should be based solely on
the facts. Information regarding a completed disciplinary action should mirror the mandatory
disclosure made to the National Practitioner Data Bank. If an appropriate request is made
regarding pending claims, the disclosure should include only the nature of the claims, whether
the physician is challenging them through the [organization's] corrective action procedures,
and should include only those specific claims (and not additional suspicions, lingering frustrations, or past annoyances). A request for information is not an invitation for an information
dump. A complete credentialing file or peer review materials should not be forwarded.
5. Carefully choose your words; plan ahead. Remember that the career of the physician, as
well as the health of patients, may be affected by the information provided. If the conclusion
is to disclose negative information, consider seeking legal advice as to what information is
required and how it should be presented.86
86 http://www.namss.org/government/February_Update/dcpagefebruaryupdate.cfm.

A healthcare organization requesting information from another organization should be on the
lookout for certain red flags. For example, an organization should be wary of a practitioner's reluctance to sign a release. An organization should also be prepared to obtain additional information if a
response is incomplete or inadequate in any way.
In contemporary healthcare, there is much discussion about the need for transparency in various
relationships. Transparency is seen as a way of building trust and confidence between care providers
and facilities on the one hand and patients and payers on the other. Disclosure of pricing information,
disclosure of unanticipated and adverse outcomes of care, and disclosure of performance data all come
within the rubric of transparency. The credentialing practices discussed above and their importance,
as highlighted by Kadlec, aid in promoting transparency between organizations and ultimately in
improving patient care.
The Health Care Quality Improvement Act of 1986 was designed to create a zone in which peer
review could take place. The idea behind the law was to encourage frank and candid review without
fear of recrimination. Many states passed laws to broaden the goal. Even with these laws, however, fear
that disgruntled care providers would sue for defamation based on candid assessments shared during
the credentialing process has been a deterrent. The costs associated with defending such claims,
however baseless these lawsuits may be, can be daunting. The costs go beyond the fees of lawyers
and experts to encompass the damage to relationships and morale.
Notwithstanding these concerns, the Kadlec case points to the need for change in contemporary
credentialing practices. Transparency and honesty are critical. Expectations must be set in the medical
staff bylaws and the credentialing process so that care providers recognize that submitting an application has consequences in terms of honest, candid, and frank assessments. As long as these evaluations
are done in good faith and without malice, the facility and peer assessments should be protected from
liability. Adopting such change comes through support of the medical staff and senior leadership.
18.5 Commentary

Several steps can be taken to reduce the risk of liability associated with peer review and
credentialing. Developing an organization-wide risk management plan that addresses how
the healthcare entity allows practitioners to practice should eliminate a substantial degree of
inconsistency and minimize liability. A risk management plan should be based on a state's
licensure laws, state and federal regulations, and the facility's needs.

In addition, healthcare organizations must institute and maintain standard bylaws, policies
and protocols that provide systematic guidance to administrators, surveyors, practitioners,
and other entities and individuals who are entrusted with critically important peer review and
credentialing functions.

Too often, in today's extremely competitive healthcare market, decision makers fail to take
necessary actions in accordance with their facility's written bylaws, policies and protocols
or make exceptions for practitioners who are well respected in the community or who have
been on the hospital staff for many years. However, such a practice is hazardous, not only to
patients, but also to the facility's licensure. Uneven application of rules and policies is likely to
result in legal liability. Facilities should be careful not to implement policies, procedures, and
protocols with which the staff cannot or will not comply. Implementation of written standards
that are not strictly followed may expose facilities to liability for failure to comply with their
own standards.
18.6 Conclusion

Peer review and credentialing pose several potential sources of liability for the healthcare organization. Discrimination, restraint of trade, negligent credentialing, failure to check whether the
practitioner has been excluded from participation in federal healthcare programs, and wrongful disclosure of peer review and quality outcome information are among the most serious.
Enterprise risk management plays a significant role in minimizing those sources of potential
liability. By documenting, and ensuring adherence to, the healthcare organization's peer review and
credentialing policies and procedures, and periodically reviewing them, legal counsel can minimize
potential liabilities associated with this process. Also, the ongoing and rapid changes in healthcare
are bringing changes in potential sources of liability. By staying familiar with current developments
in healthcare, astute legal counsel will be better able to foresee new areas of potential liability and
address them early.

19 Economic Credentialing: A Balancing of Risks
Yvonne K. Puig, Esq.
Mark Faccenda, Esq.
Fulbright & Jaworski L.L.P.
19.1 Introduction

Economic credentialing, sometimes known as conflict credentialing, is the result of ever-increasing competition among the myriad players in the healthcare market. For every innovative business
model undertaken by a hospital or physician, there has been an equal and opposite attempt to limit
moves to gain market share or improve reimbursement. What hospitals once used to weed out less
cost-efficient physicians from the ranks of those with hospital privileges has become a bargaining chip
between increasingly equal participants in the grab for healthcare dollars. As the economic environment that has led to increased economic credentialing continues to evolve, managing future risks
associated with economic credentialing will require hospitals and physicians alike to carefully monitor
and adjust to evolving legal approaches towards this practice.
Generally speaking, economic credentialing refers to the consideration of financial indicators
when hospitals grant (or deny) physicians staff membership or privileges. Historically, economic
credentialing was employed to remove or prohibit certain physicians from practicing at a particular
hospital. Targeted physicians typically had higher costs of treatment resulting from longer average
lengths of stay, higher infection rates, and increased test utilization. In an effort to reduce costs that
detracted from the hospital bottom line, those physicians whose care failed to satisfy specified financial benchmarks lost their rights to practice at the relevant hospital.
The physician-hospital relationship has been historically symbiotic and mutually beneficial. The
hospital benefited through reimbursement for inpatient services performed by the physician; the physician had no-cost access to inpatient facilities in which to practice. Eventually, however, physicians
became healthcare entity owners rather than mere practitioners, and hospitals began to recognize
physicians as competitors as well as partners. As physicians invested in specialty-specific healthcare
facilities, conflict credentialing was born. A hospital adopting a conflict credentialing policy seeks to
limit the privileges of a physician having financial interest in a competing healthcare entity, such as an
ambulatory surgical center or specialty hospital.

The U.S. Government Accountability Office (GAO) documented the trend towards the use of the
specialty hospital in its 2003 report entitled Specialty Hospitals: Geographic Location, Services Provided, and Financial Performance. Specialty hospitals, which tend to focus on patients with specific
medical conditions or who need surgical procedures, represent a small but growing segment of the
health care industry ... In contrast to earlier forms of specialty hospitals, this new genre is characterized by hospitals that are often for-profit and frequently owned, in part, by some of the physicians who
work in them.1
Proponents of economic credentialing or conflict credentialing cite their potential to improve
outcomes. Economic credentialing gives incentive for the performance of care that is simultaneously
more efficient and of higher quality. Conflict credentialing permits a hospital to retain base levels of
services that become safer and less costly once performed in threshold quantities. Proponents also
assert that the influx of specialty-specific facilities has led to the departure of high-revenue, low-complication cases from the general hospital. Hospitals generally rely on such cases to average out
losses assumed from providing treatment to more complex or less profitable cases that such hospitals
are obligated to take. General hospitals are concerned that specialty hospitals may concentrate on
the most profitable procedures and serve patients that have fewer complicating conditions, leaving
general hospitals with a sicker, higher-cost patient population. [General hospitals] contend that this
practice of drawing away a more favorable selection of patients makes it more financially difficult
to fulfill their broad mission to serve all of a community's needs, including charity care, emergency
services, and stand-by capacity to respond to communitywide disasters.2
Opponents of economic credentialing note that concentration on reimbursement over delivery of
care runs counter to the charitable mission of many nonprofit hospitals employing the practice. Opponents point out that conflict credentialing limits the use of innovative healthcare facilities that often
deliver services at lower cost and with better outcomes than if performed in a general hospital. Advocates of these newer specialty hospitals contend that the focused mission and dedicated resources of
specialty hospitals allow physicians to treat more patients needing the same specialty services than
they could in general hospitals and that, through such specialization and economies of scale, the potential exists to improve quality and reduce costs.3
Critics of specialty-specific facilities have also raised concerns that physician ownership of specialty hospitals creates financial incentives that could inappropriately affect physicians' clinical and
referral behavior.4
State and federal courts, state legislatures, healthcare-centric advocacy groups, and federal agencies have all attempted to reconcile the benefits and risks posed by economic credentialing, with
varying results. To date, there has been no consensus approach regarding the appropriateness of its
use. While all parties concerned agree that improved health outcomes is the ultimate goal, the role that
economic credentialing should play in the accomplishment of this goal remains in dispute. Perhaps
1 Government Accountability Office, Specialty Hospitals: Geographic Location, Services Provided, and Financial Performance, GAO 04-167, 1, Oct. 2003.
2 Id.
3 Id.
4 Id.

the only hard-and-fast truths regarding economic credentialing are that hospitals and physician groups
alike should be proactive in monitoring their local competitive environments, regularly assess and
update policies and bylaws to meet future challenges and faithfully adhere to those policies.
19.2 Background

19.2.1 American Medical Association

The American Medical Association (AMA) defines economic credentialing as the use of economic criteria unrelated to quality of care or professional competence in determining a physician's
qualifications for initial or continuing hospital medical staff membership or privileges.5 The AMA
avers that current economic trends have led to credentialing decisions [based] on the level of a
physician's referrals to that hospital.6 While AMA opposes the use of economic criteria unrelated to
patient care to grant privileges, it acknowledges that "[s]ome hospitals have established conflict of
interest policies or loyalty oaths to ensure that physicians who own, have financial interests in or
have leadership positions with healthcare entities or refer patients to competing healthcare entities
are refused staff privileges."7
AMA identifies another subset of economic credentialing: the grant of privileges to practice in
a hospital in exchange for physician assurance to not refer elsewhere. This may or may not be used in
conjunction with exclusive contracting: the grant of privileges to a certain group of physicians and to
the exclusion of other physicians of the same specialty or competing specialties. Exclusive credentialing refers to any policy adopted by a hospital that effectively requires physicians on staff to refer
only to that hospital by prohibiting its staff physicians from referring to other facilities.8
The AMA has asserted that "[e]xclusive credentialing violates the federal Medicare and Medicaid
anti-kickback law, 42 U.S.C. § 1320a-7b(b), in that prohibiting physicians from referring patients
to competing institutions is indistinguishable from an affirmative requirement to make referrals."9
AMA's position on exclusive credentialing is that the practice [harms] federal healthcare programs
by requiring that treatment be rendered in a more costly hospital setting [and] harms the health care
marketplace in that it has a chilling effect on new development of surgery centers, specialty hospitals,
or other innovations in health care delivery that have the potential to save the program money.10

5 American Medical Association, AMA Policy H-230.975. Available at http://www.ama-assn.org/ama/pub/physician-resources/legal-topics/medical-staff-topics/economic-credentialing.shtml.
6 Available at http://www.ama-assn.org/ama/pub/physician-resources/legal-topics/medical-staff-topics/economic-credentialing.shtml.
7 Id.
8 Letter from Michael D. Maves, M.D., M.B.A., for the American Medical Association, to Janet Rehnquist, Office of Inspector General, Department of Health and Human Services, 2, Feb. 6, 2003. Available at http://www.ama-assn.org/ama1/pub/upload/mm/395/sept_ltr_oig.pdf.
9 Id.
10 Id. at 4.

19.2.2 American Hospital Association

The American Hospital Association (AHA) posits that the credentialing process is ultimately the
responsibility and domain of the hospital board of trustees; however, this responsibility is often delegated to the medical staff, in whole or in part. This responsibility has been delegated by the hospital
board, based on acceptance of the notion that professional peers have the knowledge and capability
to assess practitioners' education and experience, and how they will influence their professional judgment and activity, subject to final decision making by the hospital board.11 AHA adopts the words of
the Wisconsin Supreme Court in acknowledging the board's ultimate responsibility as well as power;
the delegation of the responsibility to investigate and evaluate the professional competence of applicants for clinical privileges does not relieve the governing body of its duty to appoint only qualified
physicians and surgeons to its medical staff and periodically monitor and review their competency.12
Accordingly, AHA advocates that boards of trustees be granted discretion in establishing credentialing criteria. Because the board is concerned with the operation of the hospital as a whole, AHA
asserts that it is not only appropriate, but obligatory, that the credentialing process consider financial
as well as clinical concerns. A hospital board has the ultimate authority to make financial decisions
concerning the hospital.13 It is AHA's position that "[n]ot only does existing case law support the
proposition that hospital boards are vested with the authority and responsibility to make financial
decisions for the hospitals, cases also support the concept that a governing body's decision to close
the medical staff for particular procedures based on economic considerations is a valid exercise of the
board's authority to manage the business affairs of the hospital."14
Furthermore, AHA advocates that board decisions relating to credentialing, even based on economic factors, not be subject to judicial review.15 The ultimate authority over staffing decisions is
with the board of trustees, and a majority of courts also favors non-judicial review of decisions of
the board.16 The rule is well established that a private hospital has a right to exclude any physician
from practicing therein. The action of hospital authorities in refusing to appoint a physician or surgeon
to its medical staff, or declining to renew an appointment that has expired, or excluding any physician
or surgeon from practicing in the hospital, is not subject to judicial review.17
Looking to the future, AHA acknowledges that cost and outcomes data may be increasingly difficult to distinguish. However, the distinction may be immaterial as cost and quality are not necessarily
mutually exclusive. Rather, AHA argues that study of cost indicators is necessary for the delivery of
quality outcomes. The line between quality and business considerations in establishing and implementing privileging and performance standards for providers may become blurred in the decision
making by hospitals and other provider entities.18

11 Brief for Mahan v. Avera St. Luke's as Amicae Curiae supporting Defendant/Appellant, Mahan v. Avera St. Luke's, 621 N.W. 2d 150, (S.D. 2001). Available at http://www.aha.org/aha/advocacy/legal/991130-amicus-brief.html.
12 Id., (quoting Johnson v. Misericordia Cmty Hosp., 301 N.W. 2d 156, 174 (Wis. 1981)).
13 Brief for Mahan v. Avera St. Luke's as Amicae Curiae supporting Defendant/Appellant, Mahan v. Avera St. Luke's, 621 N.W. 2d 150, (S.D. 2001). Available at http://www.aha.org/aha/advocacy/legal/991130-amicus-brief.html.
14 Id.
15 Id.
16 Id. (quoting Shulman v. Wash. Hosp. Ctr., 222 F.Supp. 59, 63 (D.D.C. 1963)).
17 Id.
19.2.3 Joint Commission

The Joint Commission adopts a neutral stance in the economic credentialing debate; it neither
requires nor prohibits the analysis of financial data in determining privilege status. The Joint Commission directs an organization to collect information regarding current license status, training,
experience, competence, and ability to perform the requested privilege in the course of making a
physician credentialing decision.19
19.3 Government Accountability Office

As indicated above, GAO has tracked the healthcare industry's progression towards the use of
more specialty-specific facilities. GAO's determinations, however, may be inconclusive as to whether
the trend should be encouraged or stifled. Generally, GAO's findings confirm that specialty hospitals
treat less complicated cases with greater efficiency. Not surprisingly, GAO documented that specialty
hospitals shouldered less burden with respect to the delivery of undesirable cases. Our April 2003
study found that 21 out of 25 specialty hospitals treated a lower percentage of patients who were
severely ill compared with patients in the same diagnosis categories treated at general hospitals in the
same urban areas.20 Relative to general hospitals, specialty hospitals, as a group, were much less
likely to have emergency departments, treated smaller percentages of Medicaid patients, and derived
a smaller share of their revenues from inpatient services.21
Financially, it is difficult to determine whether specialty hospitals perform better through the creation of efficiencies or through the avoidance of complicated cases. In some cases, GAO's data failed
to demonstrate any cost-efficiency at all. Specialty hospitals tended to perform better than general
hospitals when revenues and costs from all lines of business and all payers were included. When the
focus was limited to Medicare inpatient business only, specialty hospitals appeared to perform about
as well as general hospitals.22
19.4 Office of Inspector General

In 2002, AMA requested that the U.S. Department of Health and Human Services Office of
Inspector General (OIG) issue guidance regarding the possible application of the federal anti-kickback
statute to certain practices in connection with the granting of hospital staff privileges.23 Specifically,
AMA requested guidance regarding conflict and exclusive credentialing. According to the AMA, an
increasing number of hospitals are refusing to grant staff privileges to physicians who (1) own or
18 Brief for Mahan v. Avera St. Luke's as Amicae Curiae supporting Defendant/Appellant, Mahan v. Avera St. Luke's, 621 N.W. 2d 150, (S.D. 2001). Available at http://www.aha.org/aha/advocacy/legal/991130-amicus-brief.html.
19 The Joint Commission, Hospital Accreditation Standards, MS 06.01.03.
20 Government Accountability Office, Specialty Hospitals: Geographic Location, Services Provided, and Financial Performance, GAO 04-167, 78, Oct. 2003.
21 Id. at 4.
22 Id. at 5.
23 67 Fed. Reg. 72,894, 72,895, Dec. 9, 2002.

have other financial interests in, or leadership positions with, competing healthcare entities, (2) refer
to competing health care entities, or (3) fail to admit some specified percentage of their patients to the
hospital.24 In addition, OIG acknowledged that "[t]here may be other examples of restrictive credentialing not discussed in AMA's guidance request."25
In soliciting comments pertaining to anti-kickback implications of physician credentialing, OIG
asked the following questions: (1) Are hospital staff privileges remuneration? (2) What are the implications of a hospital's denial of privileges to a physician who competes with the hospital? (3) Should
the exercise of discretion by the privilege-granting hospital affect the analysis under the anti-kickback
statute? (4) Can privileges ever be conditioned on referrals, other than minimums necessary for clinical proficiency? (5) What is the effect of credentialing restrictions that apply only to members of a
group practice?26
In its comments to OIG, AMA adopted the position that "[m]edical staff and clinical privileges are
a thing of value to physicians, as the ability to admit patients to a hospital is essential to most practice
areas ... When a hospital effectively requires physicians to refer patients to it by prohibiting referrals to
other facilities as a condition to granting or renewing privileges, it follows that the hospital is offering
remuneration (privileges) with the intent to induce referrals."27 Conversely, AHA's comments reflected
the position that staff privileges do not involve the transfer of something of value from a hospital to
a physician. This principle provides the legal basis for the historic distinction between staff privileges
and those hospital-physician arrangements that the OIG has found may implicate the anti-kickback
law. Hospital privileges simply constitute permission to provide medical or other patient care services
in the granting institution.28
OIG addressed the issue in its 2005 publication entitled OIG Supplemental Compliance Program
Guidance for Hospitals but drew no broad conclusions as to whether a hospital's grant of privileges
may be considered remuneration. Instead, OIG found that "[c]ertain medical staff credentialing practices may implicate the anti-kickback statute. For example, conditioning privileges on a particular
number of referrals or requiring the performance of a particular number of procedures, beyond volumes necessary to ensure clinical proficiency, potentially raise substantial risks under the statute."29
On the other hand, OIG gave definitive support to exclusive credentialing arrangements stating that
a credentialing policy that categorically refuses privileges to physicians with significant conflicts of
interest would not appear to implicate the statute in most situations.30

24 Id.
25 Id.
26 67 Fed. Reg. at 72,895-96.
27 Letter from Michael D. Maves, M.D., M.B.A., for the American Medical Association, to Janet Rehnquist, Office of Inspector General, Department of Health and Human Services, 3, Feb. 6, 2003. Available at http://www.ama-assn.org/ama1/pub/upload/mm/395/sept_ltr_oig.pdf.
28 Letter from Rick Pollack, for the American Hospital Association, to Janet Rehnquist, Office of Inspector General, Department of Health and Human Services, Feb. 5, 2003. Available at http://www.aha.org/aha/letter/2003/030205-cl-oig71-n.html.
29 OIG Supplemental Compliance Program Guidance for Hospitals, 70 Fed. Reg. 4,858, 4,869, Jan. 31, 2005.
30 Id.

Subsequently, OIG considered an anti-kickback safe harbor for certain practices related to economic credentialing of physicians by hospitals. In response to mixed comments, OIG neglected to
adopt the suggested safe harbor. For the time being, OIG is considering the matter resolved; "[t]his
issue was addressed in the OIG Supplemental Compliance Guidance for Hospitals issued in 2005.
Comments previously received in response to a solicitation for public comments on this subject variously suggested issuance of different types of guidance; some comments requested that OIG take no
action."31 However, OIG has asserted that it will continue to consider generally the issues raised by
economic credentialing.32
19.5 Statutory Provisions

There has been no consistent approach to statutory resolution of the economic credentialing debate.
Of states passing legislation addressing the issue, some have favored express grants of power and
discretion to the hospital board and others have imposed express prohibitions on the use of economic
considerations in determining privilege status. To date, it has been difficult to ascertain a trend, if any,
in how future state legislatures will address the issue. Going forward, legislative efforts are not likely
to enforce sweeping prohibitions on all forms of economic credentialing. While active legislation may
be successful at limiting certain kinds of credentialing practices, such as conflict credentialing or the
inappropriate use of economic data, the vanishing line between cost and quality concerns ensures
that, in one form or another, hospitals will be able to consider a physician's bottom line in determining
privilege status.
For example, Illinois has adopted a credentialing statute defining economic credentialing as "the use of economic criteria unrelated to quality of care or professional competency in determining an individual's qualifications for initial or continuing medical staff membership or privileges."33 In the interest of providing for the protection of the public health, Illinois limits the use of economic criteria for the purposes of making physician credentialing decisions. The credentialing statute provides that the citizens of Illinois are not served by the inappropriate use of economic criteria in determining an individual's qualifications for initial or continuing medical staff membership or privileges as the use of such criteria may deprive the citizens of Illinois access to a choice of the health care providers.34 Illinois requires that the physician credentialing process include safeguards such as fair hearings and Hospital Licensing Board oversight.35
The Texas Health and Safety Code provides for a more explicit prohibition on conflict credentialing. "A hospital, by contract or otherwise, may not refuse or fail to grant or renew staff privileges, or condition staff privileges, based in whole or in part on the fact that the physician or a partner, associate, or employee of the physician is providing medical or health care services at a different hospital or hospital system."36 Further, "[a] hospital may not contract to limit a physician's participation or staff privileges or the participation or staff privileges of a partner, associate, or employee of the physician at a different hospital or hospital system."37 However, a hospital is entitled to limit medical staff membership or privileges provided that any such plan to do so is unrelated to a physician's professional or business relationships.38

31 Office of Inspector Gen., U.S. Dep't of Health & Human Servs., OIG Semi-Annual Report for April 1, 2007-September 30, 2007, 73, Dec. 1, 2007. Available at http://oig.hhs.gov/publications/docs/semiannual/2007/SemiannualFinal2007.pdf.
32 Id.
33 210 Ill. Comp. Stat. 85/2(b)(3).
34 85/2(b).
35 85/2(b)(3).
36 Tex. Health & Safety Code 241.1015(b).

Other states grant boards of trustees tremendous leeway in fabricating credentialing policy. Indiana stipulates that [t]he governing board of the hospital is the supreme authority in the hospital and is
responsible for [t]he appointment, reappointment, and assignment of privileges to members of the
medical staff, with the advice and recommendations of the medical staff, consistent with the individual
training, experience, and other qualifications of the medical staff.39
Likewise, Virginia only deems improper denials of privilege for reasons unrelated to standards
of patient care, patient welfare, violation of the rules and regulations of the institution or staff, the
objectives or efficient operations of the institution, or the character or competency of the applicant, or
misconduct in any hospital.40 By permitting consideration of efficient operations, Virginia supports
broad authority for a hospital board to engage in economic credentialing.
19.6 Case Law

Jefferson Parish Hospital District No. 2 v. Hyde is considered to be the first instance of a court
addressing the merits of economic credentialing. In that case, the Supreme Court rejected antitrust
claims to uphold an exclusive contract to provide anesthesiology services.41 While courts have considered economic credentialing matters for the past 25 years under antitrust, tort, and contract theories, it
is difficult to predict an overall trend towards the appropriateness of economic credentialing. The two
most recent decisions have gone separate ways, supporting policies favoring integrity of the physician-patient relationship and board discretion, respectively. These approaches to the economic credentialing
issue as resolved by various state courts are addressed below.
19.6.1 Arkansas

In Baptist Health v. Murphy, the Supreme Court of Arkansas addressed a dispute between a nonprofit hospital (Baptist) and cardiologists owning an indirect interest in a specialty hospital.42 The hospital's board of trustees had adopted an economic conflict of interest policy that denied initial or renewed professional staff appointments or clinical privileges at any Baptist hospital to any practitioner who, directly or indirectly, acquires or holds an ownership or investment interest in a competing hospital.43 The Baptist Health court found sufficient evidence to support a claim for tortious interference with a business relationship, recognizing that patients have chronic cardiac problems requiring periodic treatments and, as a consequence, the relationship between appellees and their patients is generally on a long-term basis. Further, the circuit court noted that many of these doctor-patient relationships would be severed if appellees were not allowed privileges at Baptist.44 The economic conflict of interest policy in dispute would necessarily terminate patient-physician relationships, especially relevant for those patients seeking long term cardiac care. In fact, the Baptist Health court recognized that the economic conflict of interest policy was adopted with the intention of forming a relationship with the Plaintiffs' patients, potential patients, and referring physicians who were required to use its facilities by establishing relationships with cardiologists other than the Plaintiffs.45

37 241.1015(c).
38 241.1015(e)(1).
39 Ind. Code 16-21-2-5(2).
40 Va. Code Ann. 32.1-134.1.
41 Jefferson Parish Hosp. Dist. v. Hyde, 466 U.S. 2 (1984).
42 Baptist Health v. Murphy, 365 Ark. 115 (2006).
43 Id. at 119.

However, the Baptist Health court did not uphold a claim that restriction of physician access to the hospital through the economic conflict of interest policy was a violation of federal anti-kickback law. "While the Policy creates a disincentive for appellees to maintain ownership in a competing hospital, we do not agree that it creates a disincentive for them to refer their patients to facilities other than Baptist. Based on the record before us, we do not believe that appellees have established that Baptist's conduct constitutes a violation of the anti-kickback statutes."46
The court also rejected Baptist's assertion that hospital board decisions concerning medical staff eligibility be subject to a traditional rule of non-review.47 The court rejected the approach that a private hospital may insulate itself from suit when, as here, there is a finding that the hospital's conduct has violated state law.48
Subsequently, an Arkansas trial court issued a permanent injunction prohibiting Baptist from denying physician privileges under its economic conflict of interest policy.49 The trial court likewise found that Baptist intended to interfere with patient-physician relationships.50 "Baptist Health knew that the natural and probable consequence of passing the Economic Credentialing Policy was the exclusion of the plaintiffs from its staff. The Court finds that Baptist intended that result. Baptist Health also knew that a natural and probable consequence of adopting the Economic Credentialing Policy would be interference with the relationships between patients and physicians. Again, Baptist Health intended this result."51
The court found Baptist's denial of privileges to be contrary to public policies supporting the patient-physician relationship and supporting marketplace competition and investment in innovation.52 The court also noted that the denial of privileges ran counter to Baptist's own mission as a charitable nonprofit corporation to operate for the benefit of the community.53

44 Id. at 124.
45 Id.
46 Id. at 127.
47 Id. at 129.
48 Id. at 130.
49 Murphy v. Baptist Health, No. CV 2004-2002, slip op. (Ark. Cir. Ct., Feb. 27, 2009).
50 Id. at 6.
51 Id. at 7.
52 Id. at 11, 13.
53 Id. at 14.

19.6.2 Missouri

The Missouri Supreme Court, in a decision relating to the revocation of physician privileges in a fashion inconsistent with hospital bylaw requirements, refrained from "[imposing] judicial review on the merits of a hospital's staffing decisions, [acting] only to ensure substantial compliance with the hospital's bylaws."54 Egan featured a credentialing decision based, in part, on ex parte peer testimony, a procedural departure from bylaw requirements that decisions be based solely on information presented at an evidentiary hearing.
The Egan court noted that under Missouri law, a private hospital's decisions regarding staff privileges are not subject to judicial oversight.55 However, the Egan court recognized that the adoption of Mo. Code Regs. Ann. tit. 19, 30-20.021(2)(C)1-5 required a limited departure from the rule against judicial review. The statute states in relevant part that the bylaws of the medical staff shall include the procedure to be used in processing applications for medical staff membership and the criteria for granting initial or continuing medical staff appointments and for granting initial, renewed or revised clinical privileges [and] shall provide for hearing and appeal procedures.56 The court thus permitted the physician an injunction compelling the hospital to substantially comply with its own bylaws before privileges may be revoked "[g]iven the clear expression of public policy from the regulation, and consistent with the overwhelming weight of authority."57
19.6.3 Alabama

In Radiation Therapy, P.C. v. Providence Hospital, the Supreme Court of Alabama upheld a hospital's decision to transfer ownership of its oncology center to a separate entity to be run as an office-based program. One major factor the board considered in deciding to transfer the program, including medical and support personnel and assets, to [the new entity] was the federal Medicare regulations adopted in 2001, which provided for more generous reimbursement of charges in an office-based practice than in a hospital-based practice.58 At a fair-hearing panel, the hospital indicated that the board's decision to transfer was a business decision based on quality-of-care concerns and a need to integrate cancer-care services.59 The physicians countered that the board's decision was motivated by the unsubstantiated belief that [the physicians] were not providing sufficient coverage at the hospital.60 The fair-hearing panel found that the transfer adversely affected the clinical privileges of [the physicians].61
The physicians asserted that the board considered criteria unrelated to quality of care.62 The medical-staff bylaws provide that the decision of the fair-hearing panel is subject to review by the board. According to the bylaws, the board's review of the panel's decision, however, is limited to criteria related to the quality of care.63 The court recognized that the resolution adopted by the board affirmatively states that its decision to transfer the oncology program was based upon careful consideration of the criteria related to overall quality of care contained in the testimony, exhibits and other materials considered by the Fair Hearing Panel.64

54 Egan v. St. Anthony's, 244 S.W. 3d 169, 174 (Mo. 2008).
55 Egan, 244 S.W. 3d at 171, (citing Cowan v. Gibson, 392 S.W.2d 307, 309 (Mo. 1965)).
56 Egan, 244 S.W. 3d at 173, (quoting Mo. Code Regs. Ann. tit. 19, 30-20.021(2)(C)1-5) (emphasis in original).
57 Egan, 244 S.W. 3d at 174.
58 Radiation Therapy, P.C. v. Providence Hosp., 906 So.2d 904, 908-09 (Ala. 2005).
59 Id. at 909.
60 Id.
61 Id.
62 Id. at 911.

19.6.4 South Dakota

The Supreme Court of South Dakota considered a case in which a hospital, in response to the
loss of operating room income, closed its medical staff for physicians requesting privileges to perform
certain spinal procedures and to perform orthopedic surgery.65 In South Dakota, a hospital's bylaws
constitute a binding contract between the hospital and the hospital staff members. It is also well settled
that when such bylaws are approved and accepted by the governing board they become an enforceable
contract between the hospital and its physicians.66
However, the Mahan court recognized that medical staff bylaws, derived from the power granted
under a hospital's corporate bylaws, only control items expressly addressed therein.67 Further, the
Mahan court stated that although some of the business decisions made by a board of directors may
affect the medical staff, merely because a decision of the [board of trustees] affects the staff does not
give the staff authority to overrule a valid business decision made by the [board of trustees]. Allowing
the staff this amount of administrative authority would effectively cripple the [board of trustees].68
19.7 Commentary

Hospitals and physicians alike need to be wary of economic trends in their respective service
areas and adjust their approaches to economic credentialing accordingly. Each should monitor
gaps in service delivery or reimbursement that could lead to the development of competitive
physician-owned specialty hospitals or ancillary facilities.

Hospital boards of trustees and medical staff boards should each ensure that their respective
bylaws contemplate economic credentialing and the extent to which economic indicators are
to play a role in the credentialing process. When economic factors are used in the credentialing process, those factors should be expressed as cost applies to quality. While courts have
split as to the appropriateness of credentialing based solely on competitive or economic considerations, combined cost-quality decisions are generally more readily accepted.

63 Id.
64 Id. at 912 (emphasis appearing in opinion).
65 Mahan v. Avera St. Luke's, 621 N.W. 2d 150, 153 (S.D. 2001).
66 Id. at 153-54 (citing Read v. McKennan Hosp., 610 N.W.2d 782, 785 (S.D. 2000)).
67 Id. at 155.
68 Id. at 158.

As bylaws and policies are revised to reflect the changing competitive environment, adhere
faithfully to those documents. In cases where boards have been granted discretion in adopting economic credentialing policies, disputes arise from the failure to apply the standards
adopted correctly.

Monitor local legal standards as they apply to economic credentialing. While states will continue to address the issue, opinions continue to diverge across jurisdictions.

19.8 Conclusion

If past history can be any guide, competition among physicians and hospitals will continue to
increase into the future. Because, in many cases, there is no clear understanding of what constitutes a
business decision as distinct from a medical decision, there will be many opportunities for hospitals
and physicians alike to assert that economic credentialing has granted one party inappropriate leverage over the other. Unfortunately, we can no more achieve a consensus on what constitutes economic
credentialing than we can conclude whether it is beneficial or not. Because the courts and state legislatures have split in their approaches to addressing this issue, the future lies wide open. If anything can
be drawn from historical approaches to the issue, however, it is that economic credentialing will likely
remain a viable business tactic, if for no other reason than a lack of clarity on what to prohibit.

20
Healthcare-Associated Infections
Emily Rhinehart, RN, MPH, CIC, CPHQ
AIU Holdings, Inc.
20.1 Introduction

Healthcare-associated infections (HAI) are the focus of increased interest and scrutiny from
government agencies such as Centers for Medicare and Medicaid (CMS), private healthcare benefit
insurers, legislative bodies, and patient safety organizations. Some have opined that this increased
attention to this particular adverse outcome may lead to increasing liability and medical professional
liability claims. The history of the study of hospital-associated infections and the discipline of infection prevention and control may provide some insights into the current focus as well as some caveats
and practical advice for healthcare attorneys.
20.2 Background and History of Prevention and Infection Control in the US

The discipline of hospital-based infection control began in the 1950s with the infection control
sisters in English hospitals and the occurrence of staphylococcal outbreaks in newborn nurseries.
The discipline became more organized through the 1960s with the interest and support of infectious
disease specialists and microbiologists and in 1972 the professional association, the Association for
Practitioners in Infection Control (APIC) was founded. (APIC is now the Association for Professionals in Infection Control and Epidemiology.) Over the past three to four decades Infection Control
Professionals (ICPs, now referred to as Infection Preventionists or IPs) have been supported by APIC,
the Centers for Disease Control and Prevention (CDC), the Society for Healthcare Epidemiology of
America (SHEA) and the American Society for Microbiology to develop and enhance this discipline
to its current status. While most hospital-based IPs are nurses, the field of infection prevention and
control is multi-disciplinary and in addition to nursing professionals includes physicians, microbiologists, epidemiologists, and public health professionals. Contributors from all of these disciplines have
brought infection surveillance, prevention, and control to its current prominence in healthcare with
focus on a specific adverse outcome - healthcare-associated infection.
When compared to other adverse outcomes that risk managers and legal counsel concern themselves with, such as falls, medication errors, birth-related injuries, and the myriad of other events, healthcare-associated infections are the most studied. In 1970 the CDC initiated the National Nosocomial Infection Surveillance system (NNIS) to study the occurrence of hospital-acquired (nosocomial) infection. Through this project the CDC developed and standardized definitions and methods for surveillance. Hospitals voluntarily participated in NNIS with 62 charter hospitals performing hospital-wide surveillance.1 By 2000, over 300 hospitals were providing data on selected sites of infection
and populations to NNIS for analysis. In addition to publishing the analysis of NNIS data,2 CDC also
published the definitions and methods for surveillance, allowing non-NNIS participants to perform
surveillance in their hospitals for comparison to the published NNIS results in order to benchmark
performance.3 No other adverse healthcare event has the benefit of this standardized, epidemiologic
approach.
In addition to sponsoring NNIS, in 1981 CDC began to publish evidence-based guidelines for the
prevention of healthcare-associated infections. Since the first Guideline for Prevention of Catheter-related Urinary Tract Infection,4 other guidelines have addressed prevention of surgical site infection,5
healthcare-acquired pneumonia,6 and intravenous catheter-associated infections.7 Additional guidelines
address practices related to hand hygiene,8 environmental control,9 and prevention of occupational
infection in healthcare personnel.10 Most recently, the 1996 Isolation Guideline11 was revised and
resulted in two publications: Management of Multidrug-resistant Organisms in Healthcare Settings
2006 and Guideline for Isolation Precautions: Preventing Transmission of Infectious Agents in Healthcare Settings 2007.12
Infection prevention and control has also benefited from the published data and experience of IPs and hospital epidemiologists to create a growing body of evidence for the prevention and control of healthcare-associated infection. Many outbreaks have been described including the epidemiology and analysis of risk variables, as well as a description of control measures and their effectiveness. There are also studies of endemic infections that elucidate specific risk factors for various sites of infection (e.g., exposure to medical devices and critical care units) as well as prevention and control measures to protect at risk patients from infection. While there are many published articles in the medical literature describing complications and adverse outcomes, the infection control data and evidence for prevention and control is unparalleled.

1 Monitoring Hospital-Acquired Infections to Promote Patient Safety - United States, 1990-1999. MMWR March 03, 2000/49(08); 149-153.
2 CDC NNIS System. National Nosocomial Infections Surveillance (NNIS) system report, data summary from January 1992 through June 2004. Am J Infect Control 2004; 32:470-85.
3 Emori, I., Culver, D., & Horan, T. National Nosocomial Infections Surveillance System (NNIS): Description of surveillance methods. Am J Infect Control 1991; 19: 259-267.
4 Wong, E.S. (1983). Guideline for prevention of catheter-associated urinary tract infections. Am J Infect Control 1983; 11, 28-31.
5 Mangram AJ, Horan TC, Pearson ML, Silver LC, Jarvis WR, the Hospital Infection Control Practices Advisory Committee. Guideline for the prevention of surgical site infection, 1999. Infect Control Hosp Epidemiol 1999; Am J Infect Control 1999; 20:247-280.
6 Tablan, OC, Anderson, LJ, Besser, R, Bridges, C, Hajjeh, R. Guidelines for Preventing Healthcare-associated Pneumonia, 2003. MMWR 2004; 53(RR03): 1-36.
7 O'Grady, NP, Mary Alexander, M, Patchen ED, et. al. Guidelines for the Prevention of Intravascular Catheter-Related Infections. MMWR 2002; 51(No. RR-10): 1-29.
8 Boyce, JM, Pittet, D. Guideline for Hand Hygiene in Health-Care Settings: Recommendations of the Healthcare Infection Control Practices Advisory Committee. MMWR 2002;51(No. RR-16): 1-45.
9 Sehulster LM, Chinn RYW, Arduino MJ, et. al. Guidelines for environmental infection control in health-care facilities: recommendations of CDC and the Healthcare Infection Control Practices Advisory Committee (HICPAC). MMWR 2003; 52 (No. RR-10): 1-48.
10 Bolyard, EA, Tablan, OC, Williams, WW, et. al. Guideline for infection control in healthcare personnel, 1998. Am J Infect Control 1998;6:289-354.
11 Garner J. Guideline for isolation precautions in hospitals. Infect Control Hosp Epidemiol 1996;17:53-80.
12 Siegel JD, Rhinehart E, Jackson M, et. al. Guideline for Isolation Precautions: Preventing Transmission of Infectious Agents in Healthcare Settings, 2007. Available at: http://www.cdc.gov/ncidod/dhqp/pdf/isolation2007.pdf (accessed 05/23/08)

Based upon this knowledge and the published experience in successfully preventing healthcare-associated infections,13,14 CMS has determined that, since some of these infections are preventable, it will not reimburse hospitals for care related to these infections.15 In addition to several other iatrogenic conditions and beginning in October 2008, CMS will not provide reimbursement for the care of catheter-associated urinary tract infection, catheter-associated bloodstream infection, or mediastinitis surgical site infection related to open heart surgery. The list will be expanded in 2009, adding other types of surgical site infection, ventilator-associated pneumonia, Staphylococcus aureus bloodstream infection, and Clostridium difficile associated disease.16 Other private insurers have also determined that they will not provide reimbursement for care of these infections unless they were present upon admission to the hospital.17
This focus has drawn the attention of plaintiff attorneys as a preventable adverse outcome that
may be the basis for increasing lawsuits and claims of medical professional liability. Such claims may
be brought against the individual physicians as well as hospitals.
20.3 Epidemiology of Healthcare-Associated Infections

The incidence of healthcare-associated infection is most studied and documented in hospital settings; there is limited data from long-term care18 as well as data describing HAIs in hemodialysis
patients.19 The usual incidence (i.e., endemic occurrence) of HAIs related to other settings such as
home care, ambulatory clinics, and ambulatory surgery centers has not been studied. Experience in
these settings is most often found in the reports of outbreaks of infections.20, 21

13 Berenholtz, SM, Pronovost, PJ, Lipsett PA, et. al. Eliminating catheter-related bloodstream infections in the intensive care unit. Crit Care Med 2004;32(10):2014-2020.
14 Resar R, Pronovost P, Haraden C, et. al. Using a bundle approach to improve ventilator care processes and reduce ventilator-associated pneumonia. Jt Comm J Qual Patient Saf 2005;31(5):243-248.
15 Federal Register. 72(162): 47130-48175, August 27, 2007.
16 CMS Proposes to Expand Quality Program for Hospital Inpatient Services in FY 2009. Available at: http://www.cms.hhs.gov/AcuteInpatientPPS/IPPS/itemdetail.asp?filterType=none&filterByDID=0&sortByDID=4&sortOrder=descending&itemID=CMS1209719&intNumPerPage=10 (accessed 05/23/08)
17 Promoting Patient Safety: CIGNA to Stop Reimbursing Hospitals for Never Events and Avoidable Hospital Conditions (press release April 17, 2008). Available at http://newsroom.cigna.com/article_display.cfm?article_id=888. (accessed 5/24/08)
18 Tsan L, Davis C, Langberg R, et. al. Prevalence of nursing home-associated infections in the Department of Veterans Affairs nursing home care units. Am J Infect Control. 2008;36(3):173-179.
19 Klevens RM, Edwards JR, Andrus ML, et al. Dialysis Surveillance Report: National Healthcare Safety Network (NHSN)-data summary for 2006. Semin Dial. Jan-Feb 2008;21(1):24-8.
20 Acute Hepatitis C Virus Infections Attributed to Unsafe Injection Practices at an Endoscopy Clinic - Nevada, 2007. MMWR 2007;57(19);513-517.
21 Do, AN, Banerjee, R, Barnett B, Jarvis W. (1999) Bloodstream infection associated with needleless device use and the importance of infection control practices in home health care setting. Journal of Infectious Diseases 179:442-4428.

In 2007, authors from CDC published "Estimating Health Care-associated Infections and Deaths
in US Hospitals, 2002"22 based upon data from NNIS and extrapolating data from other sources. This
much quoted paper estimates that 1.7 million patients acquired HAIs as the result of hospital care that
year. By their calculations, the authors estimate that these infections were related to 99,000 deaths,
making HAI the leading cause of death in the US. While acknowledging the limitations of the report
based upon its methodology, the authors emphasize the sobering need for improved infection surveillance, prevention, and control efforts.
Most if not all US hospitals perform some type of HAI surveillance since it is required for accreditation by the Joint Commission. The priorities for surveillance are based upon the risk and frequency
of infection, as well as the potential for prevention and control. Cases of potential HAI may be initially
identified by the IP through discussion with nurses, physicians, and other providers as well as review
of culture results and other laboratory data used for screening. Once a patient meets screening criteria,
the IP abstracts the prescribed surveillance data from the medical record in order to assess the infection
in each patient as well as prepare to aggregate the data into a periodic report (usually monthly). HAI
data is tracked and trended in an ongoing fashion to identify increases over previous periods as well as
identify newly emerging risks related to new procedures or newly emerging organisms. Surveillance
data may also detect clusters or outbreaks of HAI.
Surveillance data is principally organized by infection site (e.g., urinary tract, pneumonia, surgical site infection, etc.), location of care (e.g., ICU) or surgical service for surgical site infections, and
causative organism (e.g., S. aureus, E. coli, K. pneumoniae, etc.). Rates of infection for the selected
period of surveillance are calculated in order to compare the current incidence with previous periods of
surveillance. Rates may also be compared to external benchmarks such as NNIS or to published data.
In 2002, urinary tract infections (UTI) were the most frequent HAI, contributing 32% of all infections. Surgical site infection (SSI) was the second most prevalent at 22% followed by pneumonia
(15%) and bloodstream infection (14%). All other sites of HAI account for the remaining 17%; this
would include infections such as skin and soft tissue infections, central nervous system infections and
eye infections, as well as other miscellaneous, less frequent sites of HAI. As the authors point out, SSI
is likely underestimated with the surveillance for this type of infection highly challenged since surgical
site infections frequently do not become evident until after discharge given the significant reduction
in post-operative length of stay in the past decade. Thus, SSI is underreported and underrecognized
by most hospital-based surveillance programs. Not surprisingly, many of the HAIs occur in the ICU
population including 11% of SSIs and 25% of bloodstream infections. In critical care patients, pneumonia was the site most frequently associated with death.
IPs have calculated rates of infection within their hospitals for many years, stratifying data by site of infection as described above as well as by relationship to device exposure. Thus, rates of catheter-associated UTI are calculated using catheter days as the denominator. NNIS reports the rate of UTI as 3.0 to 6.7 per 1,000 urinary catheter days in ICU patients.23 Catheter-associated bloodstream infections are estimated to occur in ICU patients at 5.3 infections per 1,000 catheter days.24 Risk and incidence for ventilator-associated pneumonia (VAP) appear to vary by length of intubation, underlying illness and need for ventilator support; the longer a patient is intubated requiring ventilator support, the greater the risk for developing VAP. Patients undergoing mechanical ventilation for more than 48 hours have a 10% to 20% risk of developing VAP.25 NNIS reports the cumulative incidence of VAP in ICU patients to range from 2.9 to 15.2 cases per 1,000 ventilator days.26

22 Klevens RM, Edwards JR, Richards CL Jr, Horan TC, Gaynes RP, Pollock DA, Cardo DM. Estimating health care-associated infections and deaths in U.S. hospitals, 2002. Public Health Rep. 2007 Mar-Apr;122(2):160-6.

The risk and incidence of surgical site infections are a bit more complicated and may involve
the stratification of risk using several methods and indices. The fundamental risk is described in a
strategy to apply a wound classification, based upon the intrinsic contamination of the surgical site.27
See Table 1. Early studies using this stratification to predict the risk of SSI continue to be used as general benchmarks for risk. In their seminal study of 1980, which summarized 10 years of surveillance,
Cruse and Foord estimated the rate of SSI for clean wounds at 1.5%, clean contaminated wounds
at 7.7%, contaminated wounds at 15.2%, and dirty wounds at 40%.28 Eventually, CDC published
comparison rates based upon NNIS data describing the incidence of SSI in clean wounds at 2.1%, clean contaminated wounds at 3.3%, contaminated wounds at 6.4%, and dirty wounds at 7.1%.29 Many studies
involving various types of surgeries and populations have been published since to provide many more
reference data for the risk of SSI in specific types of surgery.
In addition to the site of infection, descriptive analysis of HAIs includes the type of organisms
causing each infection, expanded to describe the overall etiology of HAI at the specific site. For
example, UTI is most frequently caused by gram negative bacteria found in the bowel (e.g., E. coli,
Enterobacter sp.). While most community-acquired pneumonia is caused by gram positive organisms
such as Staph sp. and Strep sp., VAP is more commonly caused by gram negative organisms including Pseudomonas aeruginosa, Enterobacter sp., and Klebsiella sp. According to NNIS, nosocomial
pneumonia is caused by gram negative organisms 64% of the time.30 In contrast, catheter-associated
bloodstream infection is most often caused by gram positive organisms such as S. aureus, S. epidermidis, and Enterococcus sp.31 Organisms causing SSI may vary by site of operation; however, gram
positive organisms such as S. epidermidis and S. aureus predominate. In surgeries involving the lower
gastrointestinal tract, gram negative organisms from normal bowel flora can cause wound infections
and other abdominal infections as a post-operative complication.

23. National Nosocomial Infections Surveillance (NNIS) System Report, data summary from January 1992 through June 2004, issued October 2004. Am J Infect Control 2004;32:470-85.
24. National Nosocomial Infections Surveillance (NNIS) System Report, data summary from January 1992 through June 2004, issued October 2004. Am J Infect Control 2004;32:470-85.
25. Crnich CJ, Safdar N, Maki D. The role of the intensive care unit environment in the pathogenesis and prevention of ventilator-associated pneumonia. Respir Care. 2005 Jun;50(6):813-36; discussion 836-8.
26. National Nosocomial Infections Surveillance (NNIS) System Report, data summary from January 1992 through June 2004, issued October 2004. Am J Infect Control 2004;32:470-85.
27. National Academy of Sciences National Research Council. Postoperative wound infections: the influence of ultraviolet irradiation of the operating room and of various other factors. Ann Surg 1964;160(suppl 2):1-132.
28. Cruse PJE, Foord R. The epidemiology of wound infection. A 10 year prospective study of 62,939 wounds. Surg Clin North Am 1980;60:27-40.
29. Culver DH, Horan TC, Gaynes RP, et al. Surgical wound infection rates by wound class, operative procedure and patient risk index. Am J Med 1991;91(suppl 3B):152-157.
30. Richards MJ, Edwards JR, Culver DH, et al. Nosocomial infections in medical intensive care units in the US. Crit Care Med 1999;27:887-892.
31. National Nosocomial Infections Surveillance (NNIS) System Report, data summary from January 1990 through May 1999, issued June 1999. Am J Infect Control 1999;27:520-532.

The epidemiology and causative organisms of HAIs have changed in the past decade due to the
significant increase in multidrug-resistant organisms (MDRO) such as methicillin-resistant S. aureus
(MRSA) and vancomycin-resistant enterococcus (VRE). MDROs are defined as bacteria that are resistant to one or more classes of antibiotics. They are usually named for one representative class of
antibiotics to which they are resistant (e.g., methicillin as a type of penicillin). However, MDROs are
usually resistant to most of the antibiotics that may be available for treatment.
First reported in 1968, MRSA has been around for several decades. However, its prevalence
has increased over time and public interest has increased significantly. In the early 1990s, MRSA
accounted for approximately 20-25% of all Staph aureus isolates from hospitalized patients.32 By
2003, 59.5% of the Staph aureus isolates from ICUs in hospitals participating in NNIS were methicillin-resistant.33 MRSA is predominantly seen in lower respiratory tract infections and surgical site
infections, but also causes bacteremia and cardiovascular infections. Further review of MRSA in hospitalized patients in 1999-2005 reveals that hospital patients with MRSA increased 119%.34 By site
of infection, MRSA bloodstream infection increased from 41% to 54%; MRSA pneumonia increased
from 52% to 58% and other sites saw increases from 41% to 60%. These sites include infections coded
as cellulitis and abscess as well as surgical site infections. These rates are estimates based upon data
from the National Hospital Discharge Survey (NHDS), then extrapolated to all hospital discharges
for the period. Others have published data describing the increases in community-associated MRSA,
warning that its impact on hospitalized patients is increasingly evident and complicates efforts to
identify, prevent, and control MRSA in hospitals.35
Many variables have contributed to the increasing prevalence of MDROs including overuse of
antibiotics, higher acuity of hospitalized patients and prolonged length of stay, staffing shortages,
insufficient attention to hand hygiene, lack of compliance with isolation precautions, and insufficient
cleaning and disinfection of the hospital environment and equipment.
HAIs also occur in clusters and outbreaks of infection that are usually detected because they are
caused by the same infecting organism in a specific group of patients. This might include patients in
the same ICU or other patient care unit or those undergoing the same invasive procedure or surgery. IPs
are continuously in contact with the microbiology laboratory that serves as the sentinel for detecting
unusual increases as early as possible. Microbiologists may also detect new or unique microorganisms
as they are identified and tested against antibiotics. The trigger for an outbreak investigation may vary
but in general the IP and hospital epidemiologist would initiate some type of investigation if the incidence of HAI in a particular group of patients (e.g., patients undergoing open heart surgery) appeared
to be greater than seen historically. For example, if a hospital knows that its baseline rate of SSI in
cardiothoracic surgery is 1.8% historically and then sees an increase to 3% in one month, the surveillance data would be carefully examined to determine if a more robust investigation was warranted.

32. Boyce JM, Jackson MM, Pugliese G, Batt MD, Fleming D, Garner JS, Hartstein AI, Kauffman CA, Simmons M, Weinstein R, et al. Methicillin-resistant Staphylococcus aureus (MRSA): a briefing for acute care hospitals and nursing facilities. The AHA Technical Panel on Infections within Hospitals. Infect Control Hosp Epidemiol. 1994 Feb;15(2):105-15.
33. See supra note 2.
34. Klein E, Smith DL, Laxminarayan R. Hospitalizations and deaths caused by methicillin-resistant Staphylococcus aureus, United States, 1999-2005. Emerg Infect Dis. 2007 Dec. Available from http://www.cdc.gov/EID/content/13/12/1840.htm
35. Klevens RM, Morrison MA, Nadle J, et al. Invasive methicillin-resistant Staphylococcus aureus infections in the United States. JAMA 2007;298(15):1763-1771.

As mentioned, outbreaks of nosocomial infection may occur after specific types of surgery36 or
in specific patient care units.37 Occasionally, hospitalized patients become infected after exposure to a
healthcare worker with a communicable disease38 or to a common source that is contaminated with a
pathogenic organism.39 A full scale outbreak investigation is required to determine the cause or source
of the outbreak so that appropriate control strategies can be put into place to prevent further infections.
If the hospital staff cannot determine the cause of the outbreak and it continues, consideration should
be given to obtaining external assistance from the state health department or from the CDC Epidemic
Intelligence Service.
US hospitals have had infection prevention and control programs since the early 1970s. Program
responsibilities, resources, and organization have been guided by APIC and the Joint Commission
standards for Surveillance, Prevention and Control of Infection. The American Hospital Association
was also proactive in infection control in the 1970s and 1980s. In addition to performing surveillance
for HAIs, IPs are also responsible for implementing and monitoring prevention and control measures to
reduce the risk of infection in patients, staff, volunteers, and visitors. IPs continuously review patient
care procedures in all departments to assure the appropriate actions and processes for infection prevention are in place. The responsibility is broad in scope, ranging from basic strategies such as hand hygiene
(i.e., frequency, type of agent, etc.) to more technical strategies such as the appropriate cleaning and
reprocessing of reusable devices and instruments such as endoscopes. The IP is often the go-to person for resources ranging from cleaning and disinfection of the hospital environment to sterilization and
disinfection of patient care devices and equipment. Similar to the healthcare risk management professional, the IP is very knowledgeable about the operations of most departments and functions
involved in patient care.
One of the major documents within the Infection Control Program is the policy and procedure
for isolation precautions. Using the CDC guidelines for isolation40 and management of MDROs for
guidance, IPs organize and author the institutional procedures and then provide ongoing education and
consultation for their application.

36. Cooper MP, Lessa F, Brems B, Shoulson R, York S, Peterson A, Noble-Wang J, Duffy R, McDonald LC. Outbreak of Enterococcus gallinarum infections after total knee arthroplasty. Infect Control Hosp Epidemiol. 2008 Apr;29(4):361-3.
37. Maragakis LL, Winkler A, Tucker MG, Cosgrove SE, Ross T, Lawson E, Carroll KC, Perl TM. Outbreak of Multidrug-Resistant Serratia marcescens Infection in a Neonatal Intensive Care Unit. Infect Control Hosp Epidemiol. 2008 May;29(5):418-23.
38. Bryant KA, Humbaugh K, Brothers K, Wright J, Pascual FB, Moran J, Murphy TV. Measures to control an outbreak of pertussis in a neonatal intermediate care nursery after exposure to a healthcare worker. Infect Control Hosp Epidemiol. 2006 Jun;27(6):541-5.
39. Matrician L, Ange G, Burns S, Fanning WL, Kioski C, Cage GD, Komatsu KK. Outbreak of nosocomial Burkholderia cepacia infection and colonization associated with intrinsically contaminated mouthwash. Infect Control Hosp Epidemiol. 2000 Nov;21(11):739-741.
40. See supra note 12.

The Infection Control department is also frequently responsible for occupational health issues
related to prevention of infectious diseases among staff, volunteers, and visitors. In addition to teaching
staff about isolation procedures to prevent exposures to patients with known or suspected communicable illnesses, IPs may also develop immunization programs to prevent infection should exposure
occur (e.g., hepatitis B and influenza). IPs investigate reported exposures to communicable diseases
and take action as appropriate to prevent illness in the exposed individual (e.g., providing prophylactic
antibiotics), monitor exposed individuals for the development of the illness, and then may have to
exclude healthcare workers from patient care duties to avoid exposing others.41 These activities contribute to the mitigation of workers' compensation claims.
The discipline of infection prevention and control has been challenged by many developments
in the past several decades, ranging from new diseases such as HIV/AIDS and Legionnaires' disease to
the more current shifts in the epidemiology of HAI and the increase in MRSA and other MDROs. It
appears that even greater challenges may be on the horizon as the healthcare industry and the society as
a whole focus increased scrutiny on patient safety and preventable adverse outcomes in healthcare.
20.4 Impact of HAIs on Healthcare Professional Liability

Although HAIs are frequent adverse outcomes related to hospitalization, there is little case law
to demonstrate the actual liability exposure or frequency of claims directly related to HAIs. When
searching for jury verdicts and settlements, one finds few citations. A search of the medical literature also finds few peer-reviewed articles describing the incidence of HAIs in medical professional
liability claims. One study conducted by the American College of Surgeons42 analyzed 460 closed
claims to evaluate the nature of the claimant's injury and the contributory factors relating to the quality of care. The most common claims involved injury to the bile duct (12%), bowel (9%), and blood
vessels (9%). However, infections were also prevalent with 6% of patients experiencing SSIs and 14%
with infections at other sites. It is not clear in the analysis which specific injury was the primary cause
for filing the claim.
Another study which focused specifically on medical professional liability claims due to HAIs in
Philadelphia describes the analysis of 154 cases.43 The vast majority involved SSIs in clean surgical
wounds (75%) with orthopedics representing the largest number of cases followed by general surgery
and cardiac surgery. MRSA (n=45) and Staph epidermidis (n=27) were the most prevalent organisms
causing infection. Interestingly, the authors report that 72% of the cases were either settled or withdrawn. Those that went to litigation resulted in a plaintiff verdict 60% of the time. Although this is a
small sample from a single venue, one wonders whether jury verdicts and other evidence
of medical professional liability claims brought primarily on the basis of HAI are lacking because such claims are more often than not
settled prior to litigation.

41. See supra note 10.
42. Griffen FD, Stephens LS, Alexander JB, et al. The American College of Surgeons Closed Claims Study: New Insights for Improving Care. J Am Coll Surg. 2007 Apr;204(4):561-9.
43. Guinan JL, McGuckin M, Shubin A, Tighe J. A descriptive review of malpractice claims for health care-acquired infections in Philadelphia. Am J Infect Control. 2005 Jun;33(5):310-2.

While these articles focus on claims brought against individual physicians, hospitals are also at
risk for medical professional liability claims related to HAIs. This may be more common when there
is a significantly high incidence of infection among a specific patient population. In 2004, a Tenet-owned hospital in Palm Beach Gardens, Florida settled 106 individual lawsuits with plaintiffs who
experienced infection following open heart surgery, including 20 deaths. The total settlement was
$31 million.44 Twenty individual claims were brought against Jewish Hospital in Louisville, Kentucky
in 2004, all related to HAIs caused by MRSA. Plaintiffs were represented by the same attorney who
contended that the infections which occurred between 2002 and 2004 were due to gross negligence on
the part of the hospital.45
With the increased attention to HAIs and recent actions by CMS to deny payment of these potentially preventable complications, some healthcare attorneys predict that there will be an increase in
medical professional liability claims related to HAIs.46 This potential threat is also evidenced by the
increasing number of plaintiff websites that encourage patients and families to have their case reviewed
if they have experienced an adverse medical event including a healthcare-associated infection. Many
also discuss MRSA and imply that some negligence may have occurred if a patient has experienced an
infection with this specific organism.
More publicly available data on HAIs may also contribute to this potential trend. In the past
several years, many states have enacted legislation to require public reporting of HAIs in some form.
Most of the states (22 at the time of this writing) require public reporting of aggregate rates of infections while others (2 at the time of this writing) require confidential reporting of rates to the state.47
Another half dozen states have various laws related to the reporting or screening and identification
of patients with MRSA.48 At the federal level, both the Senate and the House have introduced bills to
improve the prevention and detection of MRSA.49
The professional infection control organizations as well as CDC recognize the motivation for such
action to inform and protect the public. However, they have responded to these legislative mandates
in order to call attention to the potential perils of both types of legislation. While the definitions and
methods for HAI surveillance are well standardized, as described above, they were not developed with
the intention of public reporting of the data. Thus, in its 2005 paper Guidance on Public Reporting
of Healthcare-Associated Infections: Recommendations of the Healthcare Infection Control Practices
Advisory Committee (HICPAC),50 the committee provides guidelines on selection of reportable metrics (process and outcome) appropriate for the type of facility as well as recommendations to improve
the reliability of the data. A stronger response was published by APIC and SHEA to the increasing
frequency of legislation related to MRSA detection and prevention.51 In this joint publication, the
organizations express their concerns over governmental mandates for the widespread use of active
surveillance cultures for detection of MRSA and other MDROs, pointing out the lack of standard
methods, expense and stress on limited resources and the preference for a more targeted, planned
approach based upon a risk assessment within each organization.

44. Singer G. Tenet paying $31 million to settle suits. South Florida Sun-Sentinel. December 24, 2004. http://us.f501.mail.yahoo.com/ym/ShowLetter?Msgld=8844_856326_6515_1156_48780_0_5. (accessed 05/24/08)
45. Riley J. 20 Lawsuits target Jewish Hospital over Infections. Courier-Journal. http://www.courier-journal.com/localnews/2004/07/01ky/A1-jewish0701-10720.html. (accessed 05/24/08)
46. Brown C, Mitchell KN, Scott KP. Litigation Impact of Never Events. Health Lawyers News (February 2008)
47. Summary of state activity on Hospital-acquired infections. (January 2008) Consumers Union. www.consumersunion.org/campaigns/stophospitalinfections/learn.html (accessed 05/30/08).
48. http://www.apic.org/scriptcontent/custom/dyncontent/legislation/index.cfm?section=government_advocacy (accessed 05/30/08).
49. Congressional Legislation 110th concerning hospital infection reporting and antibiotic resistant infection detection and prevention. (January 2008) Consumers Union. www.consumersunion.org/campaigns/stophospitalinfections/learn.html (accessed 05/30/08).
50. Linda McKibben, MD, Teresa Horan, MPH, Jerome I. Tokars, the Healthcare Infection Control Practices Advisory Committee. Guidance on Public Reporting of Healthcare-Associated Infections: Recommendations of the Healthcare Infection Control Practices Advisory Committee. AJIC 2005;33(4):217-226.

More concern about litigation may arise from the identification of certain HAIs as "never events,"
suggesting that they are fully preventable. As described above, CMS has identified several HAIs (catheter-associated urinary tract infection, catheter-associated bloodstream infection, and mediastinitis
surgical site infection) for which hospitals will not receive reimbursement for care beginning in October
2008.52 This list expands in 2009 to include other types of surgical site infection, ventilator-associated
pneumonia, Staphylococcus aureus bloodstream infection, and Clostridium difficile associated disease.53 Commentary is emerging at the time of this writing regarding the rule changes by CMS54 and no
doubt the debate will continue. The concern expressed in a recent commentary regarding the increase
in liability exposure related to these conditions is that the plaintiffs' bar will argue that these events are
preventable, as declared by CMS.

20.5 Role of Legal Counsel

While the surveillance, prevention, and control of HAIs is the primary responsibility of the infection prevention and control department, risk managers and legal counsel need to be aware of the
external expectations, standards, and requirements in order to support infection prevention and control
efforts and avoid potential accusations of negligence when HAIs occur. Failure to comply with these
standards may lead to increased liability exposure and come to bear in light of a medical professional
liability claim. Thus, legal counsel can protect organizational assets by helping to assure infection prevention and control programs are comprehensive in their compliance with current standards of care.
They should also assure that surveillance programs are sufficiently robust to monitor trends in HAI as
well as identify newly emerging problems.55

51. Weber SG, Huang SS, Oriola S, et al. Legislative Mandates for Use of Active Surveillance Cultures to Screen for Methicillin-Resistant Staphylococcus aureus and Vancomycin-Resistant Enterococci: Position Statement From the Joint SHEA and APIC Task Force. Am J Infect Control. 2007 Mar;35(2):73-85.
52. See supra note 15.
53. See supra note 16.
54. Pronovost PJ, Goeschel CA, Wachter RM. The wisdom and justice of not paying for preventable complications. JAMA. 2008 May 14;299(18):2197-9.
55. See supra note 47.

20.6 Compliance with Published Guidelines

As outlined above, strategies for prevention and control of HAIs are found primarily in the CDC
guidelines. Legal counsel should be aware of the external guidelines from CDC and other professional
organizations that may be viewed as the standard of care in medical professional liability litigation.
Thus, review and compliance with the various guidelines is critical.
Application of the recommended practices within the CDC IV guideline56 was significantly
enhanced by the Institute for Healthcare Improvement (IHI) through their 100K Lives Campaign.57
The approach to bundle insertion and care procedures for central IV lines has become the standard
approach with evidence that it prevents CA BSI.58 Prevention of VAP using the IHI bundle has had
similar success and adoption, thus becoming a standard of care.59 APIC has published a resource document for control of MRSA60 that enhances the MDRO guideline.
Efforts to prevent SSIs have been significantly enhanced through a national quality improvement
project called the Surgical Care Improvement Project or SCIP. Modeled on an initial project by the
Veterans Administration, other organizations including state-based Quality Improvement Organizations
and the American College of Surgeons adopted several evidence-based measures for prevention of SSI
as well as other surgical complications (e.g., adverse cardiac events and deep vein thrombosis).61 The
infection prevention strategies in SCIP include: (1) selection of the appropriate prophylactic antibiotic
and (2) administration within one hour prior to the initiation of surgery; (3) discontinuing antibiotics within 24 hours of surgery; (4) removing hair from the surgical site using clippers, not razors;
(5) monitoring and controlling serum glucose in cardiac surgery patients; and (6) returning patients
undergoing colon surgery to normothermia immediately post-operatively.
Once the practices from CDC guidelines and other sources to improve quality of care are incorporated into patient care procedures, the healthcare organization must educate staff (including attending
physicians and trainees) regarding the specific requirements of each procedure (e.g., use of a surgical
drape for the insertion of a central venous line). Education should be documented including a content
outline as well as a record of attendees. Subsequently, staff compliance with the procedures should be
monitored to ensure conformity. If compliance is not 100%, action must be taken to remove any barriers for compliance and assure ongoing, 100% compliance. If lack of compliance is based on behavior,
non-compliant individuals must be confronted and expectations for compliance made clear. The IP
will continue to monitor the outcomes of care (HAI) through routine surveillance and analysis of the
data.

56. See supra note 7.
57. Institute for Healthcare Improvement 100K Lives Campaign - Implement the Central Line Bundle. http://www.ihi.org/IHI/Topics/Criticalcare/IntensiveCare/Changes/ImplementtheCentralLineBundle (accessed 06/05/08)
58. See supra note 13.
59. See supra note 14.
60. Association for Professionals in Infection Control & Epidemiology. Guide to the elimination of Methicillin-resistant Staphylococcus aureus transmission in Hospital Settings. 2007 Washington DC.
61. Surgical Care Improvement Project. www.medqic.org/dcs/ContentServer?siteVersion=textOnly&pringView=yes&pagenation (accessed 06/05/08).

While this approach may seem overwhelming, a comprehensive approach involving Infection
Prevention and Control, clinical staff, and the support of administrative leadership is necessary to
assure that current evidence-based practices are incorporated into organizational practice and such
practices are monitored. If a medical professional liability claim is brought in light of a CA BSI, VAP
or other HAI, lack of evidence of these types of efforts may weaken the defense.
In addition to compliance with specific patient care practices, compliance with hand hygiene is
also a critical component of prevention and control of HAIs. The issue of hand hygiene has been challenging since its importance was recognized in the mid-1800s by Semmelweis in his efforts to prevent
puerperal fever. Many papers from the past two to three decades have confirmed the extreme lack of
compliance with prescribed hand hygiene procedures and frequency as outlined in the CDC guideline
on hand hygiene.62 With increased public awareness of HAI, visible and consistent hand hygiene practice is critical. Legal counsel can support this effort by assuring that staff have been properly educated
about the importance of hand hygiene and that compliance is monitored. As outlined above, if compliance is not 100%, barriers must be removed and a clear expectation for compliance by all staff must
be communicated by organizational leadership.
Legal counsel can also assure that all deliberations and actions related to prevention and control
efforts are documented in committee minutes, policies and procedures, and other appropriate methods.
If compliance with national guidelines is not implemented, discussion and rationale for an alternative approach should be well documented in minutes or other documents. Most hospitals continue to
maintain an Infection Control Committee; this would seem a logical body in which to conduct these
reviews and discussions and make recommendations to higher-level committees which oversee patient
safety.
20.7 Review of Surveillance Results

In the past, surveillance of HAI was performed in a routine manner: data was reported to the Infection Control Committee and filed, and it was assumed that if the incidence of infection had not changed and
the rates were consistent with those reported by NNIS, no follow-up action was necessary. The current
environment and increased focus on HAIs mandate a more proactive approach not only in anticipation of public reporting, but to assure preventable infections are not occurring. Thus, the incidence
of infection at each site must be examined and analyzed to determine if there were breaches in the
process of care that may have contributed to the adverse outcome. Such analysis and discussion should
be documented in committee minutes. Any potential breaches should be investigated with results
subsequently documented, including actions to assure strict compliance with appropriate prevention
strategies. Legal counsel should provide guidance in determining if these discussions should be protected and then how to do so.
As surveillance results related to SSIs are reviewed and analyzed, in addition to the CDC guideline's recommendations for the prevention of SSIs,63 compliance with the various components of SCIP
should also be examined, especially if infections are occurring. If they have not been fully adopted,
legal counsel can be instrumental in gaining commitment from the chief of surgery and the surgical
departments in adopting SCIP. Many IPs are currently monitoring compliance with SCIP measures as
part of their surgical site infection surveillance. As mentioned above, failure to comply with national
patient care standards such as those identified in SCIP may put hospitals at increased risk. The healthcare organization may be the target of professional liability claims if it is not fulfilling its duty to assure
quality care. Failure to adopt and monitor strategies such as those incorporated in the SCIP project can
lead to a poor defense should lawsuits be brought against individual physicians or against the hospital
for failure to monitor and prevent these occurrences.

62. See supra note 8.
63. See supra note 5.

Data reviewed by the Infection Control Committee relating to SSIs may or may not include surgeon-specific rates. Such data would usually not be reviewed by the committee unless there was a
significant difference in inter-surgeon rates. Legal counsel should work with the Infection Control
Committee chair (usually a physician) to assure such data is reviewed in a setting that provides protection for peer review.
20.8 Public Reporting of Surveillance Data

Public reporting of HAIs should not be undertaken without full understanding of the requirements for such reporting as well as an intelligent organizational approach when planning compliance
with such reporting. Legal counsel's role in this challenge is critical and requires that first he or she
understand the recommended methods for HAI surveillance and assure the methods are appropriately
applied to assure reliable data. This may require the assistance and assessment by external experts who
are more familiar with the methods and application of definitions of infection as proposed by NNIS.
Once the internal process is viewed as satisfactory, the external requirements for state reporting must
be reviewed and analyzed to assure compliance and to avoid provision of inappropriate or unnecessary
data. While hospitals must be compliant with the required reporting, legal counsel can guide and direct
the IP regarding the provision of the information as required. An internal review of the data should
be initiated prior to any release to the state agency; such a process should include legal counsel not
only to assure compliance, but to alert them to any data that demonstrates rates of infection that may
appear to be adverse to the organization. Risk reduction strategies to decrease infection rates should be
discussed and implemented at this time if the organization has not already done so.
20.9 Outbreak Investigation

Identification of significant increases in infection rates or the occurrence of unusual infections
does not usually occur as the result of reviewing surveillance data. More often, the IP, hospital epidemiologist, or a keen microbiologist will notice something out of the ordinary. It may be the occurrence
of an unusual organism in clinical cultures (one never seen before or an unusual epidemiology), an
increase in multidrug-resistant organisms, or a significant increase in the incidence of a specific HAI
in a particular population (e.g., ICU patients) caused by a commonly seen organism. Whatever the
scenario, the IP and hospital epidemiologist will review the findings and variables to determine if an
investigation should be conducted. Initially, the IP may obtain culture reports for the past several from
the lab to determine if additional cases have occurred but were unrecognized. Such data also serves to
provide an historic baseline if one does not exist. There are no definitive rules that would be applied
to trigger an outbreak investigation. However, most IPs would initiate an investigation based upon
the occurrence of a single finding of an unusual organism in a clinical culture (either a rare or unusual
organism or an unusual sensitivity pattern) or an increase in the incidence of a specific HAI (e.g., surgical wound infections in a specific type of surgery, bacteremia in a patient population). The increased
incidence does not have to be statistically significant (that can take too long to determine and will be
part of the analysis of the outbreak, if appropriate).
When an investigation is initiated, even preliminarily, the IP should document discussions of
the situation with the hospital epidemiologist, risk management professional, and other administrative and clinical staff in memos and/or reports. Decisions for additional investigative activities (e.g.,
surveillance cultures) as well as prevention and control activities (e.g., information about the increase
in infections to clinical staff with reinforcement of the importance of hand hygiene) should also be
documented. Legal counsel can assist the IP in providing guidance regarding the level of detail and
format in which to record these discussions and activities. Such documentation not only facilitates
communication within the organization, but memorializes discussions and actions should a lawsuit be
filed and information beyond that found in the patient's medical record is needed.
Outbreaks can occur from a variety of causes. Some are caused by a single reservoir of contamination such as contaminated antiseptics or problems in processing endoscopes. In most cases, infectious
organisms are spread from one patient to another via the hands of healthcare staff. This may occur
more frequently in an ICU setting where the patients have more indwelling devices and patients are
not in single rooms. Inadequate hand washing sinks or poor compliance with hand hygiene by healthcare staff may also contribute to transmission. Rarely, outbreaks are related to a single human carrier
who transmits the infectious agent to patients (e.g., S. aureus). Occasionally, IPs will note an increase
in SSIs from a single surgeon. In such a scenario, the investigation would focus on the peri-operative
care including selection and administration of prophylactic antibiotics, as well as other facets of surgical care. In these circumstances the same type of documentation should be maintained as in any other
outbreak investigation. However, such investigations and their documentation should be conducted to
assure peer review protection. Legal counsel should assist the IP as well as the medical staff leadership
to assure this protection.
20.10 Governing Board and Executive Leadership

Governing bodies and senior executives of hospitals are responsible for the quality of care provided, including prevention and control of healthcare-associated infections. In the past they have relied
upon the IPs and hospital epidemiologists to manage the infection prevention and control program.
However, the stakes have been raised with the recent CMS rule changes, public reporting of infection rates, and the overall increasing public interest in HAIs including MRSA. Failure to give proper
attention to these issues can result in lost revenue as well as damage to reputation, should an outbreak
of infection occur and be reported in the press or an individual infection resulting in a medical professional liability claim occur. The former event can result in an investigation by state authorities,
resulting in a public record which can be accessed by plaintiffs' attorneys as well as the general public.
Court records and testimony from individual litigation can also be accessed.
Board members and senior management should all be educated about the current events around
healthcare-associated infections. They should also be aware of the organization's own infection prevention and control efforts as well as results of surveillance. This can be accomplished through regular
reporting and review of surveillance data through the Board's quality or patient safety committee.
Some initial education regarding infection prevention, control and surveillance of HAIs may be helpful to provide a baseline of understanding. Provision of external benchmark data such as NNIS data
may also be helpful. Healthcare organizations in states with requirements to report infection data will
be under additional scrutiny; thus the Board must be brought up to speed on the state requirements as
well as the healthcare organization's own data that will be reported and made public. Legal counsel
can be very helpful in adding to the information provided by the IP and providing direction and advice
on reporting of data as well as documenting internal review and efforts to reduce risk.
20.11 Commentary

Infection Control (IC) professionals have worked for over four decades to develop standardized
surveillance systems for HAIs. This effort has resulted in significant data as benchmarks for all sites
of infection and the related risk factors. In addition, the discipline has developed evidence-based best
practices to minimize and prevent HAIs. Infection surveillance, prevention and control programs are
the model for patient safety. Thus, infection prevention and control has become a focus of legislative
and regulatory bodies as well as private healthcare insurers; many predict that plaintiffs' attorneys
will be next to focus on this ostensibly preventable adverse outcome of healthcare. In their continuing
effort to avoid liability and protect the assets of their organization, legal counsel must also focus on the
structure and processes to prevent HAIs.
Such a focus should lead legal counsel to:

Become educated on the current incidence of HAI in their organization with a focus on surgical site infection and the incidence of infection at all sites in the ICU populations;

Identify clinical areas or populations where surveillance data indicates opportunities for
reducing risk and the incidence of infection, in collaboration with IC professionals and those
responsible for patient safety;

Become knowledgeable about current policies and procedures for the prevention of HAI and
the compliance with current best practices;

Identify areas of non-compliance and determine if changes are necessary and practical,
with special focus on prevention of SSIs and selection and administration of prophylactic
antibiotics;

Determine what public reporting is currently required or anticipated, along with specific
requirements in order to guide IPs in preparation and submission of reports;

Become a member of the infection control team to assure awareness of special incidents
involving actual or potential HAIs and any investigations of unusual infections;

Offer support to the infection prevention and control function to assure appropriate and sufficient resources;

Provide guidance regarding the protection of infection control information and data for quality assurance and peer review purposes; and

Supply information and guidance related to infection control as a key component of
patient safety and enterprise risk management to senior management and the organization
governance.

20.12 Conclusion

As should be evident from the discussion above, the infection prevention and control function
is complex, reaching into all aspects of the organization. Hospital administrators and boards have
relied upon the diligence of the IPs and Infection Control Committee chairs to ensure that the patient
care procedures are compliant with currently published best practices. Joint Commission standards
for Infection Surveillance, Prevention, and Control set organizational requirements for leadership
accountability and organizational support and oversight of the function. In most organizations most of
the time, leadership assumes the prevention and control of HAIs is continuing successfully. However,
if there is an event that brings actual or potential professional liability then the leadership engages
more proactively to determine if there is a problem and if additional actions are necessary to address it.
Such an approach is no longer adequate or practical. Governing bodies, senior management, clinical
leaders, and medical staff leaders must be more proactive in assuring the surveillance, prevention, and
control of HAIs is being conducted in a robust manner with the appropriate resources. This includes
sufficient staff to perform the function with adequate resources (e.g., computer software for surveillance, administrative assistance for obtaining surveillance data) as well as opportunities for education
to assure that staff are aware of current issues and standards of care. It also includes adequate laboratory
support as well as appropriate microbiology and serologic laboratory resources. More sophisticated
laboratory resources such as pulsed-field gel electrophoresis that may be useful in an outbreak investigation should be made available from reference laboratories or state labs.
Legal counsel and the risk management function should be proactive in assuring the infection
control function is adequate and appropriate to organizational needs. Occasionally, a sentinel event
will involve a death or adverse outcome related to an HAI. The IP should be intimately involved in the
root cause analysis of such events. Along with clinical staff, the IP can assist in determining if there
was any deviance from the expected behavior or care in prevention of infections.
There is a strong parallel to be drawn between risk management and infection control in that each
function may be led by a professional who is trained and certified in the specific discipline. However,
neither professional can fully implement or manage their specific function without the understanding,
cooperation, and support of the leadership, including legal counsel.

Table 1 Classification of Surgical Wounds

| Wound Class | Description | Examples | Predicted Incidence of infection30 |
|---|---|---|---|
| Class I or Clean wound | A normally sterile space. No inflammation encountered. Wound primarily closed and drained, if necessary, with closed drains. | Orthopedic, neurologic, cardiovascular surgeries | 2.1% |
| Class II or Clean-contaminated wound | Space where normal flora is encountered. A minor break in surgical asepsis in a Class I surgery would become a Class II. | Surgery of the respiratory, urinary, gastrointestinal or genital tracts under controlled conditions. | 3.3% |
| Class III or contaminated wound | Open, fresh, contaminated wounds, often the result of trauma. Gross spillage from the gastrointestinal tract or entry into the genitourinary tract or biliary tract in the presence of infected urine or bile. A major break in surgical asepsis can also put a wound into this class. | Traumatic surgery such as orthopedic or neurosurgery. | 6.4% |
| Class IV or dirty and infected wounds | Wounds which are infected with purulent drainage and devitalized tissue. | Surgery to drain abdominal sepsis; amputation of an infected, necrotic limb. | 7.1% |

21 The Patient Experience, Transparency, and ERM
Terie Zimmerman, RN, BSN, JD, ARM, CPHRM, DFASHRM
VP Chief Quality, Risk and Patient Safety Officer, Community Mercy Health Partners

21.1 Introduction

This chapter will provide an overview of the application of Enterprise Risk Management
(ERM) principles to patient safety and quality. ERM is a technique applied across multiple settings
within an organization to identify risks and apply effective risk management strategies to limit the
repercussions that those risks present.1 Patients and the healthcare workers and providers within its
walls are the healthcare organization's greatest assets.
In applying ERM principles to the context of patient safety, healthcare attorneys must be aware
of the potential injury facing consumers seeking treatment within their facilities, and the work currently
being done to offset that exposure. Whether labeled as patient safety, clinical effectiveness, quality,
performance improvement, or something else, improving the quality and safety of providing patient
care is the goal of healthcare providers and organizations. This chapter will provide an overview of
patient safety and performance improvement tactics being used to offset the exposures of healthcare-acquired patient injuries and the roles and responsibilities of governance, leadership, management,
and frontline staff in assuring patients receive safe care within the healthcare system.
21.2 IOM Reports Impact on Healthcare

Patient safety, a highly passionate topic due to the fact that a poor outcome means that someone
was or could have been injured or killed while receiving medical treatment, has become a sub-specialty in many healthcare settings. The development of patient safety departments and officers is a
direct result of the awareness that a number of accidental medical injuries are routinely sustained by
patients while receiving healthcare.
In 1999, the Institute of Medicine (IOM) report, To Err is Human: Building a Safer Health System, was released, quantifying the staggering number of deaths related to healthcare delivery.2 This report focused the nation's attention on the fact that anywhere from 44,000 to 98,000 preventable deaths occurred annually, of which 7,000 were related to medication error alone. As a direct result of this knowledge, regulators, legislators, healthcare professionals and providers, insurers, consumers and others became actively engaged in seeking solutions to the problem of providing quality healthcare services in a safe environment.

1 Carroll, Roberta, ed., Risk Management Handbook for Healthcare Organizations, Vol. I, 5th ed. (2006), Jossey-Bass, Inc., San Francisco, CA.
2 Kohn L, Corrigan J, Donaldson M, eds. To Err Is Human: Building a Safer Health System. Washington, DC: Committee on Quality of Healthcare in America, Institute of Medicine: National Academy Press, (2000; accessed December 17, 2008). http://www.iom.edu/File.aspx?ID=4117

In Crossing the Quality Chasm, the 2001 IOM report, six aims for a quality healthcare system were
revealed. Patient safety is listed as one of those six aims. Dr. Albert Wachter in his book, Understanding Patient Safety, notes that safety is depicted as one of the six components3 (Figure 1) in essence
making safety a subset of quality. He goes on to describe that over time, quality metrics were generally chosen by the senior clinicians or the healthcare organizations themselves. Wachter also states that
clinical measurements are now being driven by more than two generations of clinical evidence.4
The following discussion will focus on many of the initiatives and strategies that have been or are
being introduced at a national level to help the healthcare attorney better understand what the practice
of patient safety entails and what role they play in it.

21.3 Highest Opportunity Areas for Patient Safety Improvement

Over the past 10 years or so, an awareness has also developed that not all patient safety and quality improvement opportunities are created equal. Healthcare improvement opportunities identified as "low hanging fruit" are adverse patient care events that occur with predictable frequency. These would include pressure ulcers developed during acute inpatient experiences, medication errors, falls, hospital acquired pneumonia and other hospital acquired infections, wrong site/wrong patient surgery, objects unintentionally retained after surgery, and others. If improvements in care delivery are made and sustained in just these areas, a great impact on healthcare safety would be achieved and hundreds of thousands of injuries could be minimized or avoided.

3 Robert M. Wachter, Understanding Patient Safety 27 (2008).
4 Id.

Disincentivizing events that should not occur during patient care is one way that payors are
attempting to control their occurrence. For example, in 2006, the National Quality Forum (NQF)
published a list of Never Events outlining adverse events that should not occur to a patient throughout
the course of hospitalization. These Never Events have been endorsed by the Leap Frog Group5,6 and
adopted by many third party payors as non-reimbursable to the provider. In addition, third party payors
such as Medicare are no longer reimbursing acute care hospitals for certain Hospital Acquired Conditions (HACs). As of October 1, 2008, 10 categories of HACs had been selected for the HAC payment
provision.7 It is anticipated that additions will be made to this list each year, resulting in significant
reimbursement implications for HACs in acute care hospitals.
21.4 Call for Transparency

Along with the awareness of the occurrence of medical mistakes and accidents, a budding awareness of the lack of available healthcare information has also developed. This has resulted in a call
for transparency in American healthcare. Transparency is the desire of the public to have access to
billing and accounting information (how much was billed, what were the hospital costs and what was
charged to other patients with different insurance coverage, or none at all) as well as quality performance metrics. Many organizations are calling for greater transparency in healthcare in addition to
consumers, government regulators, and government agencies. Michael O. Leavitt, Secretary of the
Department of Health and Human Services, has championed transparency by stating that people
deserve to know, indeed have a right to know, what their healthcare costs and how good it is. Patients
should be able to go to an Internet site, type in the name of the common medical procedure and see
the facilities in their area that provide it. They should also be able to see information about quality,
examine a general rating of the facility or learn useful information like the number of patients who
undergo that procedure in the facility each year.8
As a result of the request for transparency in healthcare, reporting measures on quality metrics,
patient satisfaction data, financial and accounting data, and other information has become widely
available.

5 The National Quality Forum. The National Quality Forum Updates Endorsement of Serious Reportable Events in Healthcare. (2006; accessed December 17, 2008). http://www.qualityforum.org/pdf/news/prSeriousReportableEvents1015-06.pdf.
6 The Leap Frog Group. Position Statement on Never Events (2006; accessed on December 17, 2008). http://www.leapfroggroup.org/for_hospitals/leapfrog_hospital_quality_and_safety_survey_copy/never_events.
7 Centers for Medicare & Medicaid Services (2008). Medicare Program; Proposed Changes to the Hospital Inpatient Prospective Payment Systems and Fiscal Year 2008 Rates Release of Publication (2008; accessed December 17, 2008). http://www.cms.hhs.gov/AcuteInpatientPPS/downloads/CMS-1533-P.pdf.
8 Leavitt, M, Transparency in Healthcare a Priority (2006; accessed December 17, 2008). http://hill6.thehill.com/healthcare-may-2006/transparency-in-healthcare-a-priority-2006-05-10.html.

Full disclosure to patients and families after an adverse medical accident and complete informed
consent processes are also key components of achieving transparency in the world of healthcare.
These related topics as well as others are developed more fully in other chapters of this book.
An additional aspect of transparency is that of storytelling. The impact that a medical accident
involving error has on patients and caregivers is rarely truly understood. One way of teaching about
the impact of errors and the importance of learning to avoid them is through the use of storytelling.
Healthcare organizations are beginning to tell their own stories. These stories are being told by the
actual caregivers involved in the incidents or by the patients and families that experienced the injury.
This is a highly effective manner of teaching but in some instances may create legal exposures that did
not previously exist. The potential of organizational exposure, however, should not prohibit the use of
storytelling to achieve its purpose of furthering patient safety efforts.
21.4.1 Patient and Family Involvement

Another component of open sharing of information is fully involving patients and their families
in their own healthcare experience. Ideally, patients and families should be considered the center of
the healthcare team. As the complexity of healthcare increases, staffing levels become stressed, and
healthcare reimbursement becomes leaner, the involvement of the patient and family in their own care
is becoming more important than ever. From a patient safety perspective, the patient and family can
be a strong line of defense in preventing a healthcare error from occurring. Additionally, consumer
involvement on committees that address quality and patient safety issues can provide a stream of
information not available from any other source. This type of first hand involvement by healthcare
consumers comes with its own risks and needs to be approached carefully. The waiver of certain
privileges and discovery of information not previously known to general consumers might create
challenging legal issues. But if approached thoughtfully and managed carefully, the value of unbiased
eyes seeing a medical process for the first time and sharing that experience with others can definitely
outweigh the risks that bringing in an outsider can pose.
For example, some organizations have begun to include patients in root cause analyses (RCA).
The RCA is a quality improvement process that is completed after an event that triggers the concern
that something contrary to standard practice has occurred and that requires a structured review by a
multidisciplinary committee. The purpose of the analysis is to identify the root causes that could have
contributed to the patient's injury and to eliminate them from the involved healthcare system. Using
this type of process improvement technique, the patient's and/or family's role would be to not only act
as a fact witness but to help the healthcare team identify variables that they were previously unaware
of and to assist the healthcare team to form an action plan geared at preventing a reoccurrence of the
adverse event.9 Additionally, patients and family members are being asked to sit on quality, patient
safety, and other committees to give them access to information previously limited to those affiliated
with the organization.

9 Spath, Patrice, ed., Engaging Patients as Safety Partners: A Guide for Reducing Errors and Improving Satisfaction 201-227 (2008), Health Forum, Inc. Chicago, IL.

Another development is the formation of support groups for patients that have experienced trauma
from medical errors and the caregivers haunted by the injuries that they feel responsible for causing. Some of these organizations are starting to partner with healthcare providers and other national
organizations for the purposes of improving healthcare patient safety and quality and to support those
injured by medical accidents.10
The move towards transparency also includes enhancing the informed consent process prior to
providing medical care and treatment as well as informing the patient and/or family after a medical
accident has occurred.
While the concept of transparency and patient involvement in performance improvement activities
and on quality committees is welcomed in healthcare settings, it does not come without the creation
of risk exposures for organizations. In-house counsel need to be aware of these exposures and be
prepared to address them.
21.5 The Impact of National Initiatives (IHI, NPSF, NQF, AHRQ, Leap Frog)

Due to their awareness of the need for radical changes in the level of safety practiced while healthcare is being delivered, federal agencies, state agencies, certifying groups, private agencies, special
interest groups, and others are taking a strong interest in the topic. These groups include but are not
limited to: Centers for Medicare and Medicaid Services (CMS), Department of Defense (DOD), Institute for Healthcare Improvement (IHI), the Joint Commission (JC), the National Quality Forum (NQF),
the National Patient Safety Foundation (NPSF), the Agency for Healthcare Research and Quality
(AHRQ), the Leap Frog Group, and many others. This broad involvement has done much to promote
changes in technology, advances in patient safety, understanding of human factors, nationally-driven
initiatives, and other things that impact patient care. National and international initiatives are being
promoted that encourage providers to join the effort and practice certain patient safety practices that
are considered evidence-based approaches to patient safety. Just two examples of these initiatives are
the IHI 5 Million Lives Campaign and the NQF Endorsed Safe Practices for Better Healthcare. These
initiatives, as well as others, can be credited for helping to shape many of the patient safety programs
and practices currently being practiced.11 The following topics are an example of some of the common
patient safety initiatives currently underway.
21.5.1 Challenge to Leadership

Healthcare senior leaders and governance bodies are now being called on to aggressively sponsor patient safety and performance improvement initiatives. IHI's Board on Board Initiative defines and spreads the best-known leveraged processes for hospital Boards of Directors, so that they can become far more effective in accelerating organizational progress toward safe care.12 This trend of calling on leadership and board members to take ownership of their quality metrics, to constantly seek better improvement, and to become actively involved in patient safety and quality improvement is a frequent theme found throughout patient safety and quality literature today.

10 Consumers Advancing Patient Safety (www.patientsafety.org), Medically Induced Trauma Support Services (http://www.mitss.org/patients_families_home.html), Persons United Limiting Substandards and Errors in Healthcare (http://www.pulseamerica.org), are a few examples of groups representing consumers injured by and concerned with medical accidents and error.
11 Descriptions of the IHI - 5 Million Lives Campaign and the NQF Safe Practices are outlined in Appendix A and can be accessed at http://www.ihi.org/IHI/Programs/Campaign/Campaign.htm?TabId=1 and http://216.122.138.39/publications/reports/safe_practices_2006.asp.

21.5.2 Executive Patient Safety WalkRounds

Patient Safety Leadership WalkRounds are described by Dr. Allen Frankel of IHI in the following manner: Senior leaders are encouraged to use weekly Patient Safety Leadership WalkRounds to
demonstrate their organization's commitment to building a culture of safety. WalkRounds are conducted in patient care departments (such as the emergency departments, operating rooms, radiology),
the pharmacy, and laboratories. They provide an informal method for leaders to talk with front-line
staff about safety issues in the organization and show their support for staff-reported errors.13 These
WalkRounds have a powerful effect on opening the lines of communication between leadership
and staff when performed well. Discussion topics might be as simple as staff identifying that white
emergency pull cords in the bathrooms hang against white walls so that patients cannot distinctly see
the cord to pull it in the case of an emergency. Conversely, issues can be as complex as staffing pattern
needs, technical malfunctions, and identification of processes and systems that do not work.
21.5.3 Team Training and Crew Resource Management

The healthcare environment is one of extreme complexity. While technical performance is critical
to sound medical practice, communication and decision making errors can still occur, especially in
chaotic environments. Experts in aviation have developed a method of safety training, Crew Resource
Management (CRM), whose core principles center around the performance of the entire aviation team
instead of solely around the pilot's performance. Improvements in the safety record of commercial
aviation may be due, in part, to this training.14 The American Healthcare Research Quality (AHRQ)
has recommended that this model of training be applied to healthcare settings.15
21.5.4 Simulation Training

Simulation training is a method of training that has been used in naval, aviation, and many other
settings. Simulator training is now being used in healthcare situations such as maternal infant emergencies, code blue resuscitation techniques, and others. Simulator training allows healthcare providers to
practice high risk procedures under conditions that mirror those encountered during high risk patient
care situations without endangering the patient. It also allows healthcare providers to simulate rarely
occurring conditions that require accurate identification and immediate treatment response times. The
simulation session may be as simple as using pig skin to practice suturing techniques or as complex as using computerized human dummies that provide both verbal and technical feedback to the
participants.

12 International Healthcare Institute, 5 Million Lives Campaign (2006; accessed December 17, 2008). http://www.ihi.org/IHI/Programs/Campaign/Campaign.htm?TabId=1.
13 Patient Safety Leadership WalkRounds, Institute for Healthcare Improvement (accessed December 17, 2008). http://www.ihi.org/IHI/Topics/PatientSafety/SafetyGeneral/Tools/Patient+Safety+Leadership+Walkrounds%E2%84%A2+(IHI+Tool).htm.
14 Helmreich RL. On error management: lessons from aviation. BMJ 2000;320:781-5.
15 L. Pizzi, N. Goldfarb, D. Nash, Thomas Jefferson University School of Medicine and Office of Health Policy & Clinical Outcomes, Chapter 44, Crew Resource Management and its Applications in Medicine (accessed December 17, 2008). <www.ahrq.gov/clinic/ptsafety/chap44.htm>.


21.5.5 Problem Solving Approaches

The reimbursement model of healthcare and the changing environment of safety require
that prior methods of problem solving and performance improvement be reconsidered. Healthcare
models are changing to those adapted from industry. Plan-Do-Study-Act (PDSA), Six Sigma, and Lean
are examples of methods that use traditional performance improvement tools in a very specific manner. The hoped-for end result is the elimination of waste (i.e., time, effort, supplies, etc.), so that
processes can become much more effective, efficient, and safe.

21.5.6 Reimbursement Tactics

In the interest of accelerating the work being done around providing safe patient care, pay-for-performance and other payment strategies are being considered. CMS describes its efforts as follows:
"The foundation of effective pay-for-performance initiatives is collaboration with providers and other
stakeholders, to ensure that valid quality measures are used, that providers aren't being pulled in conflicting directions, and that providers have support for achieving actual improvement. Consequently,
to develop and implement these initiatives, CMS is collaborating with a wide range of other public
agencies and private organizations who have a common goal of improving quality and avoiding unnecessary healthcare costs, including the NQF, the JC, the National Committee for Quality Assurance
(NCQA), the AHRQ, the American Medical Association (AMA), and many other organizations."16
In some instances, healthcare organizations would actually receive higher compensation if a patient
had incurred an injury within their doors than if not. For example, consider a patient who has a surgical
procedure generally requiring a one- or two-day hospital stay. If that patient becomes infected with
a hospital-related organism that develops into a systemic infection, then the new diagnosis would
require additional medical care and resources. Under the previous payment methods the hospital most
likely would have received more money for the additional care required. Now, with certain exceptions
that are beyond the scope of this chapter, it will not.

21.5.7 Electronic Medical Records

Electronic medical records present many opportunities for improving the quality and clarity of
communication in healthcare. Ease of access, storage, and readability are just a few of the benefits
that electronic medical records provide. These benefits as well as other considerations are more fully
discussed in another section of this book.

16 Centers for Medicare & Medicaid Services, Media Release, Pay for Performance (2005; accessed on December 17, 2008). http://www.cms.hhs.gov/apps/media/press/release.asp?counter=1343.

21.5.8 System Failures and Just Culture

Patient safety is the concept of keeping patients free of accidental harm while receiving healthcare. Errors causing harm to patients have long been considered personal failures on the part of the
healthcare professional. It was often thought that the person making the error was not paying attention,
just did not care, or was sloppy in what they were doing. Over time, the accountability pendulum
has swung from holding just the caregiver responsible to releasing them from any responsibility. In
order for positive change to occur, it is now becoming recognized that both the individual healthcare
provider as well as the healthcare system must be held mutually accountable.
The 1999 IOM report describes the need for system change:
"The initial reaction when an error occurs is to find and blame someone. However, even
apparently single events or errors are due most often to the convergence of multiple contributing
factors. Blaming an individual does not change these factors and the same error is likely to
recur. Preventing errors and improving safety for patients require a systems approach in order
to modify the conditions that contribute to errors. People working in healthcare are among the
most educated, and dedicated workforce in any industry. The problem is not bad people; the
problem is that the system needs to be made safer."17
While admitting that system failures are often the latent causes of medical accidents, the struggle
for healthcare organizations is to determine whether the system failure relieves the individual healthcare professional of any personal accountability for patient injury. James Reason, David Marx, and
others have been pivotal in helping organizations address this concern. According to Marx, most injuries occur as a result of both system and personal performance failures, and both must be addressed after an
incident has occurred.18 In his Just Culture work, Marx describes four behavioral concepts that are
important in understanding the inter-relationship between discipline and patient safety: human error,
negligence, intentional rule violations, and reckless conduct.19 By using an algorithmic approach to
understanding which category the healthcare provider's actions causing the patient injury (or potential
injury) fall under, an organization can determine whether or not disciplinary action should follow.20
A system approach to healthcare errors calls for recognition and support by the healthcare attorney. Each instance of potential or actual patient injury is case-specific and it may or may not be
appropriate to sanction a healthcare provider with customary remedial measures traditionally followed
in healthcare. (These include actions such as verbal warnings, write-ups, suspensions and/or firing
the involved employees.)

17 Institute of Medicine (1999). To Err Is Human: Building a Safer Health System 49 (1999; accessed on December 17, 2008). http://www.iom.edu/File.aspx?ID=4117.
18 See generally, Marx, David, Patient Safety and the Just Culture: A Primer for Healthcare Executives, (2001; accessed December 17, 2008). http://dodpatientsafety.usuhs.mil/index.php?name=Downloads&req=getit&lid=724.
19 Id.
20 Id.

21.6 A Word about Patient Satisfaction21

Customer feedback is important for organizational growth. In a hospital organization, there are
many customers: the patient, the patient's family and/or significant others, the hospital's employees
and medical staff. By actively listening to each of these constituents an organization can take its pulse,
celebrate its strengths, and work on its weaknesses. If an organization is successful at this, risk will be
reduced and patient volumes and market share will increase.
While this section will focus primarily on patient feedback, hospital success with patient feedback
is predicated on employee alignment and physician alignment.

21.6.1 What is measured?

Hospitals survey their patients using standardized surveys that assess access, personalized care,
comfort, nurse care, physician care, discharge, and overall ratings. The survey is used to determine
overall satisfaction and some level of excellence for each of these major categories. In addition to
these standardized surveys, Medicare now requires that a random sample of patients also receive the
Hospital Consumer Assessment of Healthcare Providers and Systems (HCAHPS) survey. Beginning
July 1, 2007, use of HCAHPS is required by the Centers for Medicare and Medicaid Services (CMS)
in order for general acute care hospitals to maintain eligibility for full reimbursement updates. Voluntary participation in HCAHPS began in October 2006. CMS initiated public reporting of those early
participants' results in March 2008. The instrument asks patients to rate the frequency of events during
their care (never, sometimes, usually, and always). Public reporting will include the percentage of
patient responses that are "always."
The HCAHPS survey is organized under the following headings: Your Care from Nurses; Your
Care from Doctors; Your Experiences in the Hospital; When You Left the Hospital; Overall Rating of
the Hospital; and About You.
The HCAHPS survey questions will be reported in similar domains: Communication with Doctors; Communication with Nurses; Responsiveness of Hospital Staff; Pain Control; Communication
about Medicines; Cleanliness and Quiet of the Physical Environment; and Discharge Information.
Press Ganey, one of the largest companies that provide patient satisfaction surveys to hospitals, has
integrated the HCAHPS tool into its survey distribution, and a random sample of patients may get either
a Press Ganey or an HCAHPS survey, thus allowing hospitals to participate in the public reporting
initiative without disrupting ongoing performance improvement initiatives.

21.6.2 The Value of Listening

There is an overwhelming amount of data that hospitals collect. Patient satisfaction results from
a national vendor like Press Ganey or from Medicare via HCAHPS are not necessarily intuitive or easy
to read and understand. While administrators may understand the mean score, standard deviation,
percentile rankings, and percent who say "always," the results of surveys stem from care given at the
bedside and at the unit level. The challenge facing a hospital organization is translating multiple-page
reports into bite-size pieces for easy consumption at the unit level and using the data to celebrate,
evaluate, and/or improve.
Hospitals that employ local champions and develop work teams to disseminate the results and
facilitate understanding and change are more likely to see positive improvement in their scores.

21 The section on Patient Satisfaction was written by Maria Lain, MBA, Service Line Director for Women's Health & Oncology, The Chester County Hospital, 701 E. Marshall Street, West Chester, PA 19380.

21.6.3 Why Listen to the Patient

A complaint is a gift. Information about simple things like sockets in disrepair, surfaces that
are uneven, and furniture and equipment that are unstable frequently comes out of comments that
patients make when they are surveyed. The ability to get this feedback can ultimately improve hospital
operations and make the environment safer. Press Ganey has conducted research that indicates there
is a strong relationship between a patient's satisfaction and the likelihood of a lawsuit. Press Ganey
research and external studies show that providers focusing on patient satisfaction see reductions in
malpractice as a result.22 Regardless of the survey tool used, there are two key drivers that address
a patient's perception and resulting satisfaction with their care: how well the nurse related to and
delivered care to the patient, and how well the entire operation was able to personalize its care for that
one patient. The author represents one of many hospitals that are in a risk retention group. When we
compare our exposure to that of others in the group, ours is lower. The hospital has focused on many
initiatives to address patient safety; its customer service initiative has placed it in the 99th percentile
within a peer group. Service quality is driven at the local/unit level.

21.6.4 A Platform for Change

A model to build a platform for change at the local level may include as a first component a communication plan that begins to create interest. Initially it is important to post baseline information. It is
also good to learn from others. Below are recommended first steps.
• Evaluate what is done at best practice hospitals
• Post and trend patient satisfaction results monthly
The next phase is the more active phase for change, where staff is involved in the development,
recommendations, and implementation of change.
In order to be successful the following key principles are important and should be incorporated
into the work:
• Commitment to Excellence: what is this? The definition will be department derived.
• Measuring important things: identify what is to be measured, establish reasonable goals, and
monitor the success.
• Building a culture around service: involving employees will be critical as the local unit defines
the culture that fits with the values and philosophy of the organization. Confirming that each individual understands the hospital's vision, mission, and values is a good beginning; how each employee
owns these then begins to form a consistent and positive culture.
• Creating and developing leaders: there are formal and informal leaders in the units; they will
need assistance, guidance, and recognition to be successful.
• Focus on employee satisfaction: The unit wants not only satisfied employees, but it wants
engaged employees. Based on national surveys, the following have been identified as those areas that
are important to employees:
    ◦ My performance is evaluated in a manner that makes me feel positive.
    ◦ I have an opportunity to do what I do best every day.
    ◦ Conflicts are managed in a way that results in positive solutions.
    ◦ My opinions seem to matter to my manager.
    ◦ I trust the hospital's management and leadership.
    ◦ My manager listens to the employees in our department.
    ◦ Communication between administration and employees has improved.
    ◦ My manager recognizes employee contributions.
    ◦ I trust my immediate manager.
    ◦ The hospital has developed reasonable work-life policies.
Focus on the issues that are important to employees.
• Build individual accountability: Once agreement is reached on the critical elements for accountability, create measures and reward mechanisms when achievement occurs.
• Align behavior with goals and values: Although organizational values are typically well
defined, they will need to be personalized. The goals that are set need to be specific to the individuals
in the unit. A potential concept is:
    ◦ Choose your attitude: there is always a choice about the way you do your work, even if there
is not a choice about the work itself.
    ◦ Play: work, working with others, working with patients, find time to enjoy.
    ◦ Make someone's day.
    ◦ Be present: use active listening skills, eye to eye, smiling, listening, and engaging.
• Communicate at all levels: given multiple shifts, this will be a challenge, but it can be done.
• Recognize and reward success: we all want to be thanked.

22 http://www.pressganey.com/cs/research_and_analysis/patient_satisfaction/medical_practice_resources.

21.7 Commentary

In practicing the enterprise risk management approach it is important to understand the benefits and potential exposures that a robust patient safety or quality program brings with it. A
basic working knowledge of the guiding principles of patient safety will assist counsel to be
more effective in anticipating and understanding how to address any related legal concerns.

Be aware that the areas of greatest opportunities for organizational performance improvement can be readily identified by national data, as well as internal data, and understand that if
organizations fail to address and improve in those areas, patient safety and the financial well-being
of the organization can be at risk.

Recognize that the lack of progress in quality improvement efforts can certainly be a risk
exposure if discovered by an opponent in litigation, a state or federal agency, a certifying
body, or others.

In addition to reporting the correct and appropriate data required by outside agencies, healthcare providers should also be aware of the extent of the information regarding the organization
that is made public on internet sites and other sources, and monitor those not only for accuracy but for the impact that the information can have on the organization as a whole.

In putting the principles of Just Culture into action, healthcare counsel's guidance in assuring that the proper human resource policies are in place and that the organization follows the
policies fairly and consistently can serve not only to enhance patient safety efforts but also to
reduce the risk of exposure to loss from employment-related issues.

More and more healthcare systems are practicing transparency and open disclosure following medical accidents involving error. One thing that is important to anticipate is that the
response of the involved patient, his or her family, the media, and the public may be inflamed
due to the emotion and/or lack of understanding of the facts surrounding the event. Having
a plan in place to address those possibilities is important to maintaining the reputation of the
organization and its healthcare providers.

Many developments in quality and patient safety are resulting in the sharing of highly
confidential information with outside consultants, consumers, board members, and others.
Anticipate that HIPAA Business Associate Agreements, contracts, confidentiality statements,
special privacy training, and other requirements may be indicated in each instance. A consistent method of identifying what will be needed for tracking completion of documents and
training before the organization allows the information to be shared is recommended.

Data mining and data reporting rely heavily on highly complex information technology systems. The impact that multiple interfaces and different systems can have on data integrity is
important to understand. Organizations need to have monitoring systems in place to assure
that data delivery and integrity stay intact during this entire complex process and that the data
remains secure and confidential.

Leadership and Board involvement in Patient Safety and Quality initiatives is crucial. The
Board must be educated in the responsibilities that members have in this regard. The Board
must understand how to challenge and hold leadership accountable for meeting and exceeding benchmarks that were previously accepted as satisfactory. Today's constant challenge
is to successfully have healthcare organizations perform quality services and provide safe
patient care free from medical error and system failures. The governance boards must understand their role in assisting their organization to rise to that challenge.


21.8 Conclusion

Healthcare organizations are responding to the need to improve performance and to provide safe
patient care. In applying ERM principles to this area, one must understand how quality measures and
providing safe patient care can impact an organization's reputation and financial status. An organization must have established quality metrics in place that constantly monitor its performance. It is no
longer acceptable to consider success in terms of merely achieving the internal or external benchmark. For quality benchmarks, constant improvement is fast becoming the norm.
The call for transparency in healthcare organizations creates risk exposures beyond those previously experienced. Monitoring the organization's performance against quality metrics, understanding
the impact that those results will have, and anticipating that such information may become public is
a reality in today's constantly changing healthcare environment. Providing quality care and services
and safe patient care protects the most valuable assets of the organization: its patients, providers, and
staff.


Resources
Atkins, P.M., Marshall, B.S., Javalgi, R.G. (1996). Happy employees lead to loyal patients. Survey of
nurses and patients shows a strong link between employee satisfaction and patient loyalty. J Healthcare Mark, 16(4), 14-23.
Burroughs, T. E., Davies, A. R., Cira, J. C., and Dunagan, W. C. (1999). Understanding patient willingness to recommend and return: A strategy for prioritizing improvement opportunities. The Joint
Commission Journal on Quality Improvement 25 (6):271-287.
Cydulka, R., Tamayo-Sarver, J., Gage, A., and Bagnoli, D. (2007). Patient satisfaction and the risk of
malpractice suits. Academic Emergency Medicine 14 (5):148.
Drain, M, Kaldenberg, D.O. (1999). Building patient loyalty and trust: the role of patient satisfaction.
Group Practice Journal, 48(9), 32-35.
Forrester, W.R., and Maute, M.F. (2001). The Impact of relationship satisfaction on attributions, emotions, and behaviors following service failure. Journal of Applied Business Research, 17(1),1.
Garman, A. N., Garcia, J., and Hargreaves, M. (2004). Patient satisfaction as a predictor of return-to-provider
behavior: Analysis and assessment of financial implications. Quality Management in Health
Care 13 (1):75-80.
Harkey, J., and Vraciu, R. (1992). Quality of health care and financial performance: Is there a link?
Health Care Management Review 17 (4):55-63.
Hickson, G. B., Federspiel, C. F., Pichert, J.W., Miller, C. S., Gauld-Jaeger, J., and Bost, P. (2002).
Patient complaints and malpractice risk. JAMA 287 (22):2951-2957.
Kaiser Family Foundation (2007). Payments on medical malpractice claims, 2006-2007 [cited August
23, 2007]. Available from http://www.statehealthfacts.org/comparetable.jsp?ind=437&cat=8.
McAlexander, J.H., Kaldenberg, D.O., Koenig H.F. (1994). Service quality measurement. J Healthcare
Mark, 14(3), 34-40.
Nelson, E.C., Rust, R.T., Zahorik, A., Rose, R.L., Batalden, P., and Siemanski, B.A. (1992). Do patient
perceptions of quality relate to hospital financial performance? Journal of Health Care Marketing 12
(4):6-13.
Peltier, J.W. (2002). Patient loyalty that lasts a lifetime. Marketing Health Services, 22(2).
Phillips Jr., R.L., Bartholomew, L.A., Dovey, S.M., Fryer Jr., G.E., Miyoshi, T. J., and Green, L.
A. (2004). Learning from malpractice claims about negligent, adverse events in primary care in the
United States. Qual Saf Health Care 13 (2):121-6.
Press Ganey (2006). Making it right: Healthcare service recovery tools, techniques, and best practices. Marblehead, MA: HCPro.
Press, I. (1983). Cut litigation risk by managing suit-prompting factors. Hospital Risk Management 5
(1):1-4.
Press, I. (1984). The predisposition to file claims: The patient's perspective. Law, Medicine, & Health
Care 12 (2):53-62.
Stelfox, H. T., Gandhi, T.K., Orav, E.J., and Gustafson, M.L. (2005). The relation of patient satisfaction with complaints against physicians and malpractice lawsuits. The American Journal of Medicine
118 (10):1126-1133.
Strasser, S & Davis, R.P. (1991). Measuring Patient Satisfaction for Improved Patient Service. Ann
Arbor, MI: Health Administration Press.


Appendix A
5 Million Lives Campaign
The Institute for Healthcare Improvement (IHI) is a not-for-profit organization leading the
improvement of healthcare. IHI's work is funded primarily through its own fee-based program offerings and services, and also through the support of foundations, companies, and individuals. The IHI has
partnered with organizations throughout the United States and challenged hospitals all over the nation
to employ the following techniques. The initial six items were part of the 100,000 Lives Campaign.
Once that campaign was completed, six more were added with the belief that if all 12 interventions
were successfully implemented across the nation, five million patients would be saved from medically
preventable injury and/or death.23
The IHI 5 Million Lives Campaign 12 Interventions

• Deploy Rapid Response Teams at the first sign of patient decline
• Deliver Reliable, Evidence-Based Care for Acute Myocardial Infarction to prevent deaths from heart attack
• Prevent Adverse Drug Events (ADEs) by implementing medication reconciliation
• Prevent Central Line Infections by implementing a series of interdependent, scientifically grounded steps
• Prevent Surgical Site Infections by reliably delivering the correct peri-operative antibiotics at the proper time
• Prevent Ventilator-Associated Pneumonia by implementing a series of interdependent, scientifically grounded steps

Six New interventions targeted at harm

• Prevent Harm from High-Alert Medications starting with a focus on anticoagulants, sedatives, narcotics, and insulin
• Reduce Surgical Complications by reliably implementing all of the changes in care recommended by SCIP, the Surgical Care Improvement Project (www.medqic.org/scip)
• Prevent Pressure Ulcers by reliably using science-based guidelines for their prevention
• Reduce Methicillin-Resistant Staphylococcus aureus (MRSA) infection by reliably implementing scientifically proven infection control practices
• Deliver Reliable, Evidence-Based Care for Congestive Heart Failure to avoid readmissions
• Get Boards on Board by defining and spreading the best-known leveraged processes for hospital Boards of Directors, so that they can become far more effective in accelerating organizational progress toward safe care.

For more information on the International Healthcare Institute, 5 Million Lives Campaign (2006)
visit http://www.ihi.org/IHI/Programs/Campaign/Campaign.htm?TabId=1.

23 Institute of Healthcare Improvement, 5 Million Lives Campaign (2006; Accessed on December 17, 2008). http://www.ihi.org/IHI/Programs/Campaign/Campaign.htm?TabId=1.

NQF-Endorsed Safe Practices for Better Healthcare
The National Quality Forum is a not-for-profit membership organization created to develop and
implement a national strategy for healthcare quality measurement and reporting. It is a group of leaders from both public and private groups that was created as a mechanism to promote national change24.
The NQF endorses the following 30 practices for providing safer patient care.
1. Create and sustain a healthcare culture of safety
Element 1: Leadership structures and systems must be established to ensure that there
is organization-wide awareness of patient safety performance gaps, that there is direct
accountability of leaders for those gaps, that an adequate investment is made in performance improvement abilities, and that those actions are taken to assure the safe care of
every patient served.
Element 2: Healthcare organizations must measure their culture, provide feedback to
the leadership and staff, and undertake interventions that will reduce patient safety risk.
Element 3: Healthcare organizations must establish a proactive, systematic, and organization-wide approach to developing team-based care through teamwork training, skill
building, and team led performance improvement interventions that reduce preventable
harm to patients.
Element 4: Healthcare organizations must systematically identify and mitigate patient
safety risks and hazards with an integrated approach in order to continuously drive
down preventable patient harm.
2. Ask each patient or legal surrogate to "teach back" in his or her own words key information
about the proposed treatments or procedures for which he or she is being asked to provide
informed consent.
3. Ensure that written documentation of the patient's preferences for life-sustaining treatments
is prominently displayed in his or her chart.
4. Following serious unanticipated outcomes, including those that are clearly caused by systems
failures, the patient and, as appropriate, the family should receive timely, transparent, and
clear communication concerning what is known about the event.
5. Implement critical components of a well-designed nursing workforce that mutually reinforce
patient safeguards, including the following:
• a nurse staffing plan with evidence that it is adequately resourced and actively managed
and that its effectiveness is regularly evaluated with respect to patient safety;
• senior administrative nursing leaders, such as a chief nursing officer, as part of the hospital senior management team;
• governance boards and senior administrative leaders that take accountability for reducing patient safety risks related to nurse staffing decisions and the provision of financial
resources for nursing services; and
• the provision of budget resources to support nursing staff in the ongoing acquisition
and maintenance of professional knowledge and skills.

24 National Quality Forum, About Us (2006; accessed on March 10, 2008). http://www.qualityforum.org.

6. Ensure that non-nursing, direct care staffing levels are adequate, that the staff is competent,
and that they have had adequate orientation, training and education to perform their assigned
direct care duties.

7. All patients in general intensive care units (ICUs) (both adult and pediatric) should be managed by physicians who have specific training and certification in critical care medicine
(critical care certified).
8. Ensure that care information is transmitted and appropriately documented in a timely manner
and in a clearly understandable form to patients and to all of the patient's healthcare providers/professionals, within and between care settings, who need that information in order to
provide continued care.
9. For verbal or telephone orders or for telephonic reporting of critical test results, verify the
complete order or test result by having the person who is receiving the information record and
read back the complete order or test result.
10. Implement standardized policies, processes, and systems to ensure the accurate labeling of
radiographs, laboratory specimens, or other diagnostic studies so that the right study is labeled
for the right patient at the right time.
11. A discharge plan must be prepared for each patient at the time of hospital discharge, and a
concise discharge summary must be prepared for and relayed to the clinical caregiver accepting responsibility for post-discharge care in a timely manner. Organizations must ensure that
there is confirmation of the receipt of the discharge information by the independent licensed
practitioner who will assume responsibility for care after discharge.
12. Implement a computerized prescriber order entry (CPOE) system built upon the requisite
foundation of re-engineered evidence-based care, an assurance of healthcare organization
staff and independent practitioner readiness, and an integrated information technology
infrastructure.
13. Standardize a list of "do not use" abbreviations, acronyms, symbols, and dose designations
that cannot be used throughout the organization.
14. The healthcare organization must develop, reconcile, and communicate an accurate medication list throughout the continuum of care.
15. Pharmacists should actively participate in medication management systems by, at a minimum,
working with other health professionals to select and maintain a formulary of medications
chosen for safety and effectiveness, being available for consultation with prescribers on medication ordering, interpretation and review of medication orders, preparation of medications,
assurance of the safe storage and availability of medications, dispensing of medications and
administration and monitoring of medications.



16. Standardize methods for the labeling and packaging of medications.
17. Identify all "high alert" drugs, and establish policies and processes to minimize the risks associated with the use of these drugs. At a minimum, such drugs should include intravenous
adrenergic agonists and antagonists, chemotherapy agents, anticoagulants and anti-thrombotics, concentrated parenteral electrolytes, general anesthetics, neuromuscular blockers, insulin
and oral hypoglycemics, and opiates.
18. Healthcare organizations should dispense medications, including parenterals, in unit-dose, or,
when appropriate, in unit-of-use form, whenever possible.
19. Action should be taken to prevent ventilator-associated pneumonia by implementing ventilator bundle intervention practices.
20. Adhere to effective methods of preventing central venous catheter-associated bloodstream
infections, and specify the requirements in explicit policies and procedures.
21. Prevent surgical site infections (SSIs) by implementing four components of care:
appropriate use of antibiotics;
appropriate hair removal;
maintenance of postoperative glucose control for patients undergoing major cardiac surgery; and
establishment of postoperative normothermia for patients undergoing colorectal surgery.
22. Comply with current Centers for Disease Control and Prevention (CDC) Hand Hygiene
guidelines.
23. Annually, immunize healthcare workers and patients who should be immunized against
influenza.
24. For high-risk elective cardiac procedures or other specified care, patients should be clearly
informed of the likely reduced risk of an adverse outcome at treatment facilities that participate in clinical outcomes registries and that minimize the number of surgeons performing
those procedures with the strongest volume-outcomes relationship.
25. Implement the Universal Protocol for Preventing Wrong Site, Wrong Procedure, Wrong Person Surgery for all invasive procedures.
26. Evaluate each patient undergoing elective surgery for his or her risk of an acute ischemic perioperative cardiac event, and consider prophylactic treatment with beta blockers for patients
under certain conditions listed more fully in the report.
27. Evaluate each patient upon admission, and regularly thereafter, for the risk of developing
pressure ulcers. This evaluation should be repeated at regular intervals during care. Clinically
appropriate preventive methods should be implemented consequent to this evaluation.



28. Evaluate each patient upon admission, and regularly thereafter, for the risk of developing
venous thromboembolism/deep vein thrombosis (VTE/DVT). Utilize clinically appropriate,
evidence-based methods of thromboprophylaxis.
29. Every patient on long-term oral anticoagulants should be monitored by a qualified health
professional using a careful strategy to ensure the appropriate intensity of supervision.
30. Utilize validated protocols to evaluate patients who are at risk for contrast media-induced
renal failure, and utilize a clinically appropriate method for reducing the risk of renal injury
based on the patient's kidney function evaluation.

* See the report for applicable care settings for each practice, detailed specifications, and additional background, implementation, and reference at http://216.122.138.39/publications/reports/safe_practices_2006.asp.


Part VII
Strategic Issues

22 Public Relations, Marketing, and Advertising
Ellen Barron, Esq.1
Profit Management Group
22.1 Introduction

Today, there is much emphasis throughout corporate America, as well as among healthcare organizations promulgating greater accountability for patient safety, upon the principle of transparency.
This principle is based upon the belief that full disclosure of product safety and quality, financial
performance, and other similar information will enable consumers, whether potential investors or
potential users of the products and services, to make better-informed decisions. Further, it is expected
that transparency in information-sharing will reduce the likelihood of financial mismanagement,
decrease the potential for fraud, and act as a brake on the potential for unscrupulous or dishonest
behavior. The goal of transparency is to freely offer information that will, in theory, enable investors
to make better decisions and to enable patients to select healthcare providers that offer safer care and
better outcomes. Excellence in public relations and marketing is the best strategy for assuring transparency and, in turn, supporting enterprise risk management efforts to minimize liability exposures from
these activities.
22.2 Image and Reputation

An organization's image and reputation are assets that have evolved over time and are not the
result of a one-time ad campaign, well-publicized adverse outcome, or special event. Rather, these
cumulative assets must be preserved and enhanced. A carefully crafted communications strategy will
serve this over-arching goal of asset preservation and enhancement, even in difficult circumstances,
if:

the communications strategy is proactive;

is based on solid understanding of patients' and communities' wants and needs;

places patients' and communities' interests first, above those of the healthcare organization;

assures that its communications and actions are consistent, both internally and externally;

understands that a healthcare organization's reputation is based on trust.

1 The Advertising section of this chapter was authored by Ellen L. Barton, J.D., CPCU.



In healthcare, a provider's image and reputation are based upon an amalgam of information, much
of it non-fact-based. Although care performance data has been widely available in many states for
more than a decade, patients rarely use much of the data to inform their healthcare choices. Consumers
are most interested in physician-level information, rather than quality data on hospitals, health plans,
and other providers.2 In contrast to the widely anticipated use of this quantitative data, people tend to
select their personal healthcare provider and hospital through word-of-mouth. In other words, people
still tend to rely more on their personal physician's recommendation, the proximity of a care provider,
and other people's perceptions about quality based on their personal experiences.3
Research has identified that such qualitative factors have a major impact not only on selection of
providers, but on reputation. If an organization has a history of prior negative crises, negative prior
reputation, or is perceived not to treat people well, the reputational threat resulting from a crisis, such
as a well-publicized adverse medical outcome, is higher.4
22.3 The Brand Standard

Image and reputation are key elements of how consumers establish brand value. In recognition
that the brand is an organizational asset to be preserved and enhanced, communications strategies supporting enterprise risk management must support the brand standard. This means that the content
and the method of communication related to risk concerns must reinforce consumer trust and brand
value.
A major enterprise risk management (ERM) initiative that supports and is supported by Marketing in Public Relations is the Disclosure of Unanticipated Outcomes (see Chapter 15). Establishing
thoughtful policies and clearly articulating the expectations for disclosure provide this brand standard.
Education of all staff regarding the organization's policies and expectations is a critical success factor.
Assuring that disclosure communications adhere to the brand standard will help preserve trust.
22.4 Issues Most Likely to Test an Organization's Image and Reputation

Despite long-term efforts to build an open, honest, transparent, and value-added image and reputation, healthcare providers are tested by various crises that demand a carefully crafted communications
response. The principles of openness, honesty, and transparency are at no time more important than when dealing
with the consequences of a negative event. In fact, one of the most frequently cited textbook arguments for addressing a crisis with transparency goes back to the 1982 Tylenol Crisis.
In this crisis, an individual tampered with the product packaging, inserted poison into a few
bottles, and caused seven consumer deaths. However, within months, the Tylenol Crisis was not
remembered for the damage done, but for the company's (McNeil Pharmaceutical, a division of J&J)
response: accepting responsibility for the problem (even though Tylenol had not caused the problem);
full disclosure by the CEO informing the public of the potential danger; immediate recall of all Tylenol
products, and their prompt removal from store shelves; credits to stores for their payments to purchase
this item; payment of medical expenses for those harmed; and significant (and costly) changes in product packaging that make it easy for consumers to determine whether there had been product tampering.
These new product safety standards are now widespread industry practice, and McNeil's handling of
the crisis continues to be hailed as a standard for public relations professionals in many disciplines.
What can healthcare communicators learn from this lesson?

2 Fanjiang, Gary, MD, MBA; Ted Von Glahn; Hong Chang, Ph.D. et al. Journal of General Internal Medicine 22(10), pp. 1463-66, October 2007.
3 Fanjiang et al.
4 Coombs, WT and SJ Holladay. Helping Crisis Managers Protect Reputational Assets: Initial Tests of the Situational Crisis Communication Theory. Management Communication Quarterly, 16, pp. 165-186, 2002.
First, anticipate that negative events are likely to occur and proactively develop a plan to address
them. The organization's communications leaders are responsible for developing the crisis communications plan, with contributions from Risk Management, Legal Counsel, Operations, Medical leadership,
and others as the specific situation demands. The plan should then subsequently be reviewed and
approved by Senior Management and the Board. The proactive development of such a plan assures
that, in the event of a crisis, no valuable time will be lost scrambling for information, obtaining
permissions, and trying to think through the best way to handle an issue. This is what enterprise risk
management is all about, no matter the issue. Instead, the crisis communications plan is developed
over time, enabling a deliberate and thoughtful creation of a tool kit that is ready to be deployed, with
the assurance that input has been obtained from those who are able to make helpful contributions.
The plan should be updated periodically (at least once a year), including key contacts, so that it
retains its relevance as a ready-to-roll reference manual for action. (See Figure 1, Crisis Communications Plan Table of Contents.) The plan must be tested at least annually. It is extremely important
to convene the crisis management team periodically and role play the most likely risk situations,
including escalation of a risk after it is identified. Such training helps the team practice making decisions and developing communications strategies in a crisis situation.5
One very valuable part of the crisis communications plan is the preparation of templates that are
pre-approved. In the initial stages of a crisis, the templates become "fill in the blanks" statements that
enable information to be added as available. In addition to pre-approved templates, many organizations now have special Intranet sites and web sites that are prepared, held as "dark" until needed, and
then opened and promoted as "live" sites for continuously updated information as the crisis unfolds.
Such tools provide instant channels of communication, providing a quick start to getting ahead of the
communications curve and managing the message for multiple internal and external stakeholders.
Second, plan to calibrate the communications response to the need. The response should align
with the organization's real or perceived level of responsibility for creating the crisis situation. The
greater the level of responsibility, the more substantive and complete the communications response
must be.6 In a given year, there will be few, if any, adverse events that will trigger the need to implement a comprehensive crisis communications strategy. However, it is important to recognize that the
communications leaders are valuable organizational resources who can help assure that certain one-on-one communications are handled with sensitivity and clarity. Communications leaders should take
a proactive role in developing and executing the communications strategy.

5 Mitroff, I.I.; K. Harrington; and E. Gai. Thinking about the Unthinkable. Across the Board 33(8), pp. 44-48, 1996.
6 Op. cit., Coombs, WT and SJ Holladay.
For example, communicators can help provide training of physicians, nurses, and other hands-on
caregivers in how to communicate bad news to patients and families; work with human resources
leaders to assure that policies and programs are clear and understandable; and help to assure that every
communication is consistent in tone. Enabling these internal stakeholders to understand their shared
role and responsibility in proactive patient communications is a critical success factor in maintaining
and enhancing an organization's image and reputation.
Third, anticipate the most likely negative events. All crises threaten to tarnish an organization's
reputation.7 For each type of negative event that may create a crisis, there may be errors of commission
or omission. For healthcare providers, these negative events typically can be characterized as:

Medical professional liability

Violation of the public's/patient's trust

Public health issues

Disaster response

Major organizational change

Significant employee concerns

It is important to recognize that the fact-finding process necessary to address these potentially
harmful exposures to enterprise risk may identify multiple issues and concerns.
Medical Professional Liability: It is important to recognize that these concerns are reality-based.
Even in fairly small healthcare organizations, there may be more than 1,000 incident reports, indicating the potential for harm to a patient, filed each year. One large teaching hospital estimated that in the
first month of residency training, 140 residents committed more than 800 medication errors. Similarly,
it is not uncommon for 4 to 5% of all patients to experience some form of complication, adverse drug
reaction, or similar event, some of which may lead to permanent disability or even death. It is rare that
more than a very few of these events may trigger the need for a comprehensive communication.
However, it is almost axiomatic that when something significant goes wrong for a patient, more
bad things are almost sure to follow. In the event that an adverse outcome may have been caused by
an error, it is important that Risk Management be involved at the outset to characterize the level of
concern, identify underlying process and system breakdowns, and promptly reach out to communications leaders as needed for support.
Every single step of working effectively through this process is a communications opportunity.
(See Figure 2, Rules of Thumb for Positive Patient/Family Communication)
Violation of the public's/patient's trust: Patients have every right to believe and expect they
are safe and secure within the confines of a healthcare setting. This absolute need for safety includes
patients not feeling afraid that they might be injured while waiting for treatment, have their needs
for privacy and dignity undermined, or be harmed in some way by hospital personnel.

7 Dilenschneider, RL. The Corporate Communications Bible: Everything You Need to Know to Become a Public Relations Expert. New Millennium Press, 2000.
Public Health: From time to time, a healthcare provider may face a concern related to its failure
to adequately safeguard public health in its own operations. One of the most frequent circumstances
of this failure is exposure of patients to pathogens, such as the HIV virus, Legionnaires' Disease, TB,
or others. The handling of such events can either provide reassurance or create panic; therefore, it is
of vital importance to have accurate and complete information as the foundation for the enterprise risk
communications strategy.
Disaster Response: Hospitals are expected to provide adept and immediate responses to disasters,
ranging from natural disasters to major accidents. Frequently, such disaster response is characterized
by apparent chaos. The communications team serves as a stable, calming, information hub, receiving and sharing information with patients' families; providing information to the media; and possibly
assisting in communicating with care teams at other hospitals.
Major Organizational Change: Changes of leadership can be fraught with potential communications challenges, particularly if an executive's departure is perceived to be involuntary and/or she or
he is disgruntled with the result of a re-organization. It is incumbent upon the Board and communications leaders to craft the key communications messages carefully so as not to adversely impact either
the organization or the departing executive.
Significant Employee Concern: Employees should expect to be treated fairly and compassionately. Therefore, matters of significant concern to employees, such as reductions in workforce,
changes in health benefits, or required departures, need to be addressed with clarity and empathy,
as well as a high level of consistency over time. Employees are quite capable of identifying organizational lack of transparency or responsiveness. Any attempt to obfuscate matters generally has
a negative ripple effect, as disenchanted employees do not hesitate to share their unhappiness with
patients, family members, and members of the medical staff, thereby undermining the organization's
stated values and its organizational image. Likewise, reductions in staff require that the Communications team work closely with Risk Management staff in order to mitigate associated risks, such as an
increase in worker compensation claims.
Another group of employee concerns is associated with harm to employees resulting from breaches
of security and safety, workplace violence, and other similar causes. In all crises, but especially in these
circumstances, management must remember that employees are an important public.8 Employees need
to know what happened, what they should do and how the crisis will impact them.9

8 Argenti, P. Crisis Communication: Lessons from 9/11. Harvard Business Review, 80(12), pp. 103-109, 2002.
9 Business Roundtable's Post 9/11 Crisis Communications Toolkit. The Business Roundtable, 2002. http://www.nfib.com/object/3783593.html.



22.4.1 Preparing and Implementing the Communications Strategy: Key Steps

Preparing a customized communications strategy requires a high level of teamwork. Strategy
development should be guided by three precepts:10

Be quick

Be accurate

Be consistent

The preparation of the strategy should follow these steps:


1. Risk Management convenes and briefs a small team (Legal, Medical, Operations, Communications and others).
2. Assignments for fact gathering are made.
3. Team members gather facts and identify any gaps or contradictory information.
4. The team re-convenes as quickly as possible and shares information.
5. The team prepares an overall chronology of events.
6. Risk Management and Legal Counsel assess and characterize the level of organizational
risk.
7. Given what is known at that time, the initial plan of communication with the patient and family is agreed upon and, if deemed appropriate, an initial statement is prepared. At this stage
of events, the provider is not seeking contact with the media, but should be prepared for an
inquiry.
8. The people who will be communicating with the patient and family are selected, briefed, and
coached regarding the appropriate approach, behavior, and content for the communications.
9. Patient/family communication is made; patient/family response is shared with the team.
10. Additional facts are researched (if needed) and an updated situation assessment is prepared.
11. The need for and scope of additional communications is determined.
12. If the problem warrants more widespread internal and/or external communications, preparation of the supportive information begins.
13. The team convenes to review the draft statement, recommended audiences, sequences and
timing; likely questions (FAQs) are raised and proposed responses developed.
14. The official spokesperson is briefed and coached while the selected audiences are being
notified.
15. During the discussion(s), the communications staff takes notes, determines whether the
likely questions are truly asked; assesses the prevailing attitude of the internal and/or external groups; and makes recommendations as to next steps.

16. There is a team debriefing that immediately follows each public statement on the matter.
This debriefing identifies opportunities for improvement, clarifies next steps, and assures
there are no loose ends.

10 Coombs, WT. Crisis Management and Communications. Institute for Public Relations, October 30, 2007. http://www.instituteforpr.org/essential_knowledge/detail/crisis_management.
22.4.2 Media Relations

The communications goals with the media in every situation related to organizational risk are:

Provide prompt, open, and honest communications. This is essential in maintaining and
enhancing the community's trust and supporting the brand standard.

Avoid/ameliorate negative publicity: public relations and reputational risk.

Avoid subpoenas, suits, and settlements: preserve organizational assets.

From time to time, despite best efforts to the contrary, the organization may face media scrutiny.
For most healthcare leaders, media attention in a crisis is a source of great concern. What strategies are
the most effective in dealing with these situations?
First, recognize that the minute an e-mail is sent or an internal memo to leadership is distributed,
the matter is no longer confidential and, instead, is public information. Therefore, such communications should be minimal and carefully worded. View every communication as being in the public
domain.
Second, the media is not "out to get you." It is only doing its job. The possibility of a major medical error or similar risk event is news. If the organization has taken care to develop positive media
relations, then it is somewhat likely to be treated more kindly if there is an adverse event.
Third, most reporters are inquisitive. It is part of the job description. They will ask leading questions. Remember: it's their job. Don't convey anger, hostility, defensiveness, or evasion. Instead, give
yourself time to think. You are not obligated to respond to every question immediately. Respond to
pressing questions with an offer to investigate the matter and follow up with the reporter.
Fourth, understand that reporters are working to a deadline, whether it's the print time for the
newspaper or finalizing stories for a local newscast. Be respectful of the deadlines. If you can't respond
by deadline, say so. Don't allow yourself to be pressured into a premature response. However, if you
tell a reporter that you will get back to them within two hours, make sure you do it, even if it is to
provide an update as to the status of the request.
Fifth, remember that all your preparation will be reduced to a three-minute or less sound bite on
a newscast. In a newspaper, a paragraph or two will very likely cover the provider's position, while
interviews with the patient/patient's family, industry experts, and other information will fill the rest
of the column. Message clarity, brevity, and consistency are important; what will be highlighted
can be unpredictable and often not what the organization might wish. Therefore, the organizational
spokesperson must stay on message.
Next, remember that very few risk events result in media attention. Even significant professional
liability cases that go to trial rarely result in any media coverage, while other topics, such as an
announced reduction in the workforce, rarely receive more than a short paragraph of external attention. Despite the relatively remote likelihood that media attention will occur, it is essential to be
prepared with a brief statement for one's hip pocket.
Last, a comment about "no comment." This two-word phrase should be avoided if at all possible.
Nothing quite captures a reporter's attention like this simple phrase: it conveys that there is a bigger
story and that the reporter should dig deeper. It's a much better strategy to say, "In the interest of patient
privacy, we can only say that we will be conducting a thorough and complete review of this matter and
sharing the information with the patient/patient's family. We take every concern very seriously and are
committed to providing quality care and excellent service." Even "I don't have any information I can
comment upon at this time" is a better response than the terse "no comment."
The cardinal rules of effective media relations are to provide accurate, timely information in a
pleasant and factual manner. Work to minimize factors that undercut the message, including verbal
stalls ("umm," "ah," etc.) and distracting physical posturing, such as finger pointing, pacing, or waving of the arms. (See Figure 3: Media Relations Do's and Don'ts).

22.4.3 After the Crisis: Restoring Reputation

Increased attributions of organizational responsibility, or blame, for the crisis result in a greater
likelihood of reputational harm and reduced likelihood of using the organization's services in the
future. Therefore, in addition to managing the crisis as effectively as possible, it is essential for the
organization to address post-crisis "business as usual." The organization needs to continue providing
updates about the investigation of the crisis, corrective actions taken and recovery efforts to both external and internal stakeholders. Continued use of the intranet, along with text messages, broadcast voice
messages and e-mail, are all useful tools for employees, while the internet site may be kept live and
updated for an extended period as a media information source.
Returning to the fallout from the Tylenol Crisis, McNeil Pharmaceutical focused on reputational
repair as a primary strategy once the crisis had begun to dissipate. McNeil encouraged consumers
to purchase Tylenol again by developing tamper-proof packaging; offering coupons for significant
discounts with purchase; and training their sales force to educate the medical community about its
renewed emphasis upon product safety and value.
A healthcare provider may well want to consider similar tactics, such as community health education programs, advertorials regarding safety improvements purchased in the local newspaper or
other media, and using its web site for explaining its safety commitment in detail. In addition, the organization's leaders should educate its employees regarding their role in ongoing safety improvements
and how to respond constructively to patients' and families' questions, as well as contribute positive
word-of-mouth out in the communities where they live. All of these actions will lay the groundwork
for reputational repair and image renewal.


22.5 And Now a Word about Advertising11

In an increasingly competitive environment, marketing and advertising have become the keys to
survival for many healthcare organizations. Changes brought about by market reform initiatives aimed
at controlling rising healthcare costs have left many providers aggressively competing for shrinking
healthcare dollars. The continuing trend among employers and managed care organizations to provide
patients with greater choices of providers has served to sharpen the competitive behaviors of many
providers. Like other core activities of healthcare organizations, marketing and advertising initiatives
have the potential to lead to increased risk and liability.
22.5.1 Potential Sources of Liability

There are several potential sources of rules, regulations, and laws applicable to hospital advertising that can lead to tort liability. Those sources are often intertwined and more than one may apply to
the advertisement. One major group of laws prohibits advertisers from competing unfairly by confusing the public as to the source of a product or by stealing a competitor's ideas or works of authorship.
These federal laws relate to copyrights, patents, and trademarks. A second group of laws prohibits
false or misleading advertising. In addition, most states also have laws regulating advertising.
While federal and state laws are obvious sources of potential liability and the standards are relatively clear, a more troublesome and less predictable consequence of hospital advertising is legal action
by patients based on the content of the advertising. There are several different types of actions that
may result from advertisements: contract and estoppel claims; professional liability (although to date
no court has so held, it is conceivable that advertisements could constitute evidence of the applicable
standard of care or could even establish an agreement to provide a higher standard of care than that
applicable to similarly situated healthcare providers. For example, advertisements stating that an institution provides the highest-quality care may obligate that institution to provide the highest-quality
care rather than the standard that would be usual for such an institution); and ostensible agency.
Liability for making unjustified claims about quality of care or results of treatment is a relatively
rare phenomenon. By far the greatest exposure that healthcare organizations face as a result of their
advertising campaigns occurs when statements made in advertising create vicarious liability for the
acts of non-employed physicians. When these advertising claims have the effect of creating the public
perception that physicians associated with the healthcare organization are in fact agents of the healthcare organization, the healthcare organization assumes liability for their actions. That has been the
finding of several courts that have considered this issue.12
Advertising can, however, result in liability in other ways as well. The Pennsylvania Superior
Court established a new precedent in advertising liability in the case of McClellan v. HMO of Pennsylvania. The court overturned the trial court's dismissal and held that the plaintiff could pursue the
argument that this HMO was liable under a theory of ostensible agency for the physician's negligence
because the HMO advertised that it carefully screened its physicians. But the court went one step further by allowing the plaintiff to argue that the HMO misrepresented the quality of its physicians.13

11 This section is based on Chapter 9, "Advertising Liability - A Growing Risk Management Concern," by Ellen L. Barton, J.D., CPCU, and William M. Klimon, Esq., in Risk Management Handbook for Health Care Organizations, Vol. III, 5th Edition, Jossey-Bass, San Francisco, 2006.
12 Pamperin v. Trinity Mem'l Hosp., 423 N.W.2d 848, 853 (Wis. 1988); Boyd v. Albert Einstein Med. Ctr., 547 A.2d 1229, 1232 n.6, 1234-35 (Pa. Super. Ct. 1988); Sword v. NKC Hosps., Inc., 714 N.E.2d 142, 145, 152-53 (Ind. 1999); Martell v. St. Charles Hosp., 523 N.Y.S.2d 342, 349-52 (N.Y. Sup. Ct. 1987).
22.5.2 Regulatory Implications

In addition to civil liability in the form of tort claims by patients, healthcare organizations also
face potential federal regulatory liability for their advertising practices. The FTC, empowered by the
federal government to regulate advertising practices, as noted above, can take action against any entity
that it deems has engaged in false advertising. The FTC can impose fines as well as other sanctions
for violations of the statutes it is empowered to enforce.14 But, sanctions usually take the form of a
consent order to cease and desist, a settlement that requires the advertiser to stop the objectionable
advertising. Consent orders also frequently require the advertiser to maintain all documents relied
upon in making its claim as well as other relevant information. A consent order is not a finding of fact
and, unlike other types of settlements, is a matter of public record.15
Marketing and advertising initiatives are critical to a healthcare organization's survival and, like
other critical activities, they increase the risk of liability. As mentioned early in this chapter, marketing
and advertising initiatives also provide important services for patients: to educate consumers about
healthcare services and to inform them of the options available. But there may also be a tendency for
healthcare advertising to follow the trend of general advertising by making grandiose and exaggerated
claims. It is on these types of ads that some consumers may base their decision about where to go
for healthcare. The clear risk management lesson is that any information provided to the public (but
especially information about the credentials of the independent medical staff) must be accurate and the
responsibility for verification is with the entity that is disseminating the information.
Because of the questionable economic benefits of advertising and the potential liability that can
arise from it, healthcare institutions need to be particularly careful in their advertising. Healthcare risk
management professionals must approach advertising liability not as a necessary evil, but as a risk
associated with one of the organization's core functions that must be managed. As with other liability
exposures, advertising liability can be managed with a systematic approach to identification of risks
and appropriate intervention to reduce or eliminate these risks.
The following types of communications and strategies for their use will assist in minimizing
potential liability:

Use factual messages and update when necessary.

Be careful about using opinion messages. Be certain that there is substantiation for whatever
is claimed.

Consumer testimonials should be reflective of what a consumer could generally expect.

13 McClellan v. HMO of Pennsylvania, 604 A.2d 1053, 1056-58, 1060-61 (Pa. Super. Ct. 1992).
14 15 U.S.C. §§ 45, 54 (2005).
15 In re NME Hosps., Inc., 115 F.T.C. 798 (1992) (consent order); In re Cancer Treatment Ctrs. of America, Inc., 121 F.T.C. 692 (1996) (consent order).

22.6 Commentary

From an enterprise risk management perspective, marketing and advertising liability can be managed with a systematic approach to identification of risks and appropriate intervention to reduce or
eliminate these risks.

Become familiar with professional standards relating to healthcare marketing and advertising practices. The American Hospital Association and The American Marketing Association
have developed standards that cover all aspects of marketing and advertising.16 These documents provide standards and useful guidance that should be followed in designing advertising
campaign strategies.

Become familiar with the organization's marketing philosophy and planned advertising initiatives. This will provide the context for the decisions made and the priorities established in
connection with the organization's marketing plan.

Develop a partnership with the person responsible for the organization's marketing activities
and the risk management professional who is a resource for risk management implications of
advertising campaigns and marketing activities.

Develop a system for early review by both legal counsel and risk management of proposed
advertising initiatives, whether written in-house or by outside consultants, to identify
potential exposures.

Avoid any statements about success rates or specific outcomes of treatments.

Pay particular attention to advertising campaigns that may create the appearance of an
agency relationship with independent contractors, particularly emergency room physicians,
anesthesiologists, radiologists, pathologists, and other providers whom the patient does not
specifically select. Ensure that appropriate notations in the advertising campaign spell out the
nature of the relationship, and make sure that prominently posted signs and other notices to
patients reinforce this message.

Incorporate language into the consent for treatment forms that clearly indicates that the
patient understands that those providing treatment may not be employees of the healthcare
provider.

If the appearance of an agency relationship is inevitable or necessary in the advertising
campaign, develop indemnification language or other risk financing strategies to cover any
resulting additional exposures.

If the name of a specific physician or other provider is to be used in advertising, assume that
the organization will be held vicariously liable for the acts of that provider. Plan risk financing strategies accordingly.

Avoid any representations about the high quality of providers associated with the organization, and ensure that all providers are properly credentialed and insured.

16 American Marketing Association, Code of Ethics: Ethical Norms and Values for Marketers, http://www.marketingpower.com/content435.php#.


Work with the organization's corporate compliance officer to ensure that all advertising campaigns meet the organization's standard for corporate integrity.

Review the healthcare facility's insurance program to assess what, if any, coverage would
apply to claims arising out of marketing and advertising. In addition to the professional liability coverage that would apply in situations in which the advertisement was used to create
a standard of care, the healthcare entity should maintain coverage for advertising injury.
Healthcare facilities in which staff or volunteers write their ads, as well as facilities that
hire advertising agencies, are generally covered under most advertising liability insurance.
In contracts with advertising agencies, however, indemnification or hold-harmless clauses
should be used to require the agency to be responsible for any liability caused by its actions.

22.7 Conclusion

No organization is immune from an adverse event. Planning, preparation, and anticipation are the
best ways to minimize damage to organizational reputation.
Each risk event is an opportunity to avert crisis. Both risk events and crises are learning experiences. Management should not only enable corrective action as required for future risk management
and crisis prevention, but should also analyze its crisis management effort, the effectiveness of its
communications strategies, and modify its crisis management and response systems as part of its commitment to continuous learning and improvement.
Legal counsel, in conjunction with risk management professionals, can manage the increased
liability risks associated with the organization's marketing and advertising activities by adopting a systematic approach to the identification of these risks and implementing appropriate interventions. This
is best accomplished by developing and maintaining collaborative relationships with those responsible
for the organization's marketing activities. By becoming a resource to those involved in developing
marketing initiatives, the healthcare attorney becomes a valuable partner in the process and helps the
organization to avoid unnecessary risk while supporting organizational advancement.


Figure 1 Crisis Communications Plan Table of Contents


Roles and responsibilities chain of command

Designation of the authorized spokesperson

Sequence of internal and external communications

Relevant organizational policies

Key contact information

Specific scenarios and the plan for addressing each one

Include a decision tree that helps determine the gravity of the crisis and the scope of the
response

Communications templates

Process for activating Intranet and Internet communications tools

Date of crisis communications plan authorization and last modification

Figure 2 Rules of Thumb for Positive Patient/Family Communication


1. The attending physician/surgeon and another staff member meet with the patient/family.
2. Meet with the patient/family in a private setting.
3. Sit down! Appearing rushed or remaining standing while discussing a difficult patient care
matter undercuts the message.
4. Express concern and sympathy. This care response does not constitute an admission of
guilt or negligence. Say "I'm really sorry to tell you ..." (describe what happened and the
outcome briefly and clearly).
5. Don't use medical jargon or equivocal language.
6. Offer follow-up information and the opportunity to ask more questions.
7. Review the next steps in treatment options (if applicable) with the patient/family and determine how to proceed with treatment.
8. Follow-up to learn whether there are additional questions; provide updates (if applicable).



Figure 3 Media Relations Dos and Don'ts

DO:
DO protect patient privacy
DO take time to get the facts & chronology of events
DO give yourself time to consider the best response to all questions
DO remain calm and measured in communication
DO assure that all communications are truthful: open, honest and transparent
DO respond to questions in person.
DO act as a responsible team member.

DON'T:
DON'T hesitate to ask questions until you understand the facts, circumstances and patient's preferences
DON'T hesitate to say you don't know the answer to a question
DON'T allow yourself to get pressured into a premature communication or response
DON'T act defensive or critical
DON'T hide behind a "no comment"
DON'T use a recorded message to respond to media inquiries.
DON'T act without team knowledge or authorization.


23
ERM and Managed Care
Mary Mahoney, Esq.
Tufts Health Plan
23.1 Introduction

While there are standards common to many healthcare risk management programs, there is much
less consistency among risk management programs in managed care organizations (MCO). Why? One
possible reason is that, unlike hospitals that must meet The Joint Commission requirements specifically relating to risk management, MCO accreditation does not include risk management. There are
no standard risk management principles shared by MCOs as there are for hospitals. For MCOs, the
development of any integrated risk management program may be a new concept. What follows is
one view of how a managed care enterprise risk management program can be structured and how it
provides value to a managed care organization. This chapter will also describe additional steps to be
taken to further develop an enterprise risk management (ERM) program.
MCOs are not like hospitals. They do not have patients and, as a result, do not have incident
reports, experience sentinel events or never events, and usually are not subject to claims for medical professional liability. So, what are the risks that MCOs manage day in and day out and how can in-house
and outside counsel help guide the MCO through those risks? This chapter will describe those
risks. It will not provide detailed analysis of each risk or how to avoid each specific risk since the
specifics of managed care liability are described in many other writings. It will, however, describe the
processes and systems that can be utilized to manage those risks when they do occur.
23.2 A Historical Perspective of Risk Management in a Managed Care Organization

Many MCOs have risk management functions. Most were developed on concepts borrowed from
the hospital setting.
23.2.1 Medical Focus versus Financial Focus

Risk Management functions often focused on medical care provided to those to whom the MCO
provides healthcare coverage, or "members." The MCO would typically have a risk manager who
would either respond, or coordinate a response to a high-risk situation. Since most MCOs moved
away from a staff model structure, the concern was not usually direct medical professional liability, but rather, adverse publicity or liability resulting from its medical management practices. Those
medical management practices may have included utilization management, case management, disease
management, prior authorization programs, and other programs designed to control medical costs and
provide coverage only when a service is medically necessary.
Generally, a risk management response would be activated when there was a denial of coverage
that rose to the level of potential public scrutiny. Over the past several decades, this has been the bulk
of the risk management focus in MCOs. These programs often lived entirely within a clinical department with poor coordination throughout the organization and without hitting the radar of those who
plan for the financial risks of the company. In some organizations, a committee met or convened to
discuss particular cases that warranted multi-departmental input to resolve. The work of these committees usually focused on the medical outcome, such as coordinating care out of state for the member or
transferring the member from one facility to another. Even with committee input, the focus was not
enterprise-wide.
The finance area usually focused on risks related to pricing, reserves, insurance, and investments.
The individuals tasked with responsibility for these financial risks were generally in a different silo
than those focused on the medical risk. They were generally not alerted to medical risks and not
involved in day-to-day or long-range solutions. That has changed.
23.2.2 Current State - More Comprehensive and Integrated

As MCOs have faced increased financial challenges, medical cost containment has been examined more closely. Clinical Services departments have become more responsible for the medical costs
of the MCO's members and are accountable for the savings flowing from their medical management
programs. As a result, clinical service staffs have become much more engaged in the financial challenges facing the organization. They have, in turn, invited more awareness and integration to the risk
management functions they perform.
At some MCOs, much of this coordination involves the legal department. Usually, there is a key
contact person for member risk management issues. That person ordinarily has contacts throughout the
organization to resolve issues. One approach is to move to decentralized management with centralized
communication. There may be a contact person or risk manager within the legal or another department. That role is responsible for coordinating issues that by their nature involve a higher level of
public scrutiny and that involve individuals in multiple areas within the company. The Risk Manager
does not necessarily manage these situations. Rather, he or she is responsible for assuring that a coordinated response is in place. There may be designated and trained individuals within most departments
in the company to manage risk. If the risk falls primarily within one of those departments, that person
has primary responsibility for coordinating a response and communicating with the rest of the team.
In addition, there may be designated lawyers who handle many varieties of risk management: member
risk, financial risk, litigation risk, provider risk, public relations risk, regulatory or legislative risk, and
fraud. The risk manager would notify or involve a lawyer as necessary, or the lawyer can be contacted
by anyone else in the organization.


23.2.3 Next Generation

Risk management programs within MCOs have evolved and become more integrated. The next
step will be to introduce the concept of Enterprise Risk Management and create a robust program.
This involves taking the approach of decentralized management with coordinated communication to
the next level of being truly integrated with the financial risk management efforts within the company.
Many existing risk management mechanisms will fall under the umbrella of the ERM program.
There may, of course, be many varied approaches to risk management. For example, there could
be a medical cost containment program that qualifies and quantifies efforts throughout the company
that relate to decreasing medical costs per member. These include care management programs as
described earlier, but also include fraud prevention and recovery and actuarial services. The aforementioned member risk management program would also exist. In addition, there should be functions
within the finance areas to assess, quantify, and manage pure financial risks. This approach moves into
a new generation where these risks are centrally discussed, described, and quantified. This approach
allows an analysis of these risks and these programs, as well as a fresh look at risk to implement a more
global, or enterprise-wide risk management program.
23.3 What are the Risks?

Other chapters address how to structure an overall ERM program. In order to understand how to
coordinate an enterprise risk management program within an MCO, it is important to understand the
risks typically faced by MCOs that would be encompassed within such a program.
23.3.1 Pricing and Third Party Relationships

Pricing has traditionally been the biggest financial risk facing insurance organizations. Like insurers, MCOs must set a price before they are able to determine their costs because those costs are
incurred in the future and subject to many variables. Following is a description of the unique aspects
of pricing and third party risks in managed care.
23.3.1.1 Pricing - Employer Group Clients

MCOs set premium prices and administrative fees before the year during which the premium or
fee will apply. MCOs now use actuarial services and predictive modeling to estimate as closely as
possible the likely medical costs they will face in any given year. These estimates are used to develop
a pricing structure that will allow for as much profit margin as sustainable in the given marketplace.
MCOs generally face intense pricing competition. As a result, premiums generally cannot be set in
such a way as to guarantee profitability. As a result, the pricing risk remains.
23.3.1.2 Other Third Party Relationships

An MCO's relationships with other third parties also greatly impact its financial risk portfolio.



23.3.1.2.1 Healthcare Providers

One of the unknown factors of great concern to a MCO is healthcare costs. Defining the relationship between the MCO and healthcare providers is one of the most important efforts in managing the
financial risk of the MCO.
Because MCOs on an insured basis accept premiums to cover all medical costs, financial management can be somewhat of a gamble. To reduce the risk associated with that, the MCO must do as good
a job as possible of estimating its medical costs. The variations of that risk depend on a number of
factors involving healthcare providers including the following:
1. Whether the provider is contracted
2. Whether the contract sets reasonable reimbursement levels
3. Whether the contract includes any form of financial risk sharing
4. Whether the MCO has market power sufficient to charge premiums that will cover provider
reimbursements
5. Whether an out of plan provider will be willing to accept usual and customary charges or
demand its own fee schedule
Whether the provider is equally driven to control healthcare costs has a tremendous impact on an
MCO's ability to manage cost.
23.3.1.2.2 The Insured Risk Pool

An MCO's risk pool may vary from year to year. The health status of the insured membership and its
utilization patterns that create the risk pool will greatly affect the financial risk of the organization.
23.3.1.2.3 Outsourcing

MCOs, like other organizations, now outsource many functions. These include care management,
disease management, information technology, customer service, claims review, and a myriad of other
functions. With the increased return on investment that outsourcing can bring, also comes risk. The
main risks to a MCO associated with outsourcing include privacy and security breaches, legal and
regulatory compliance challenges, meeting secondary contract requirements, satisfying accreditation
standards, and meeting necessary business performance standards.
23.3.2 Denials of Coverage

Whether through its utilization management, prior authorization, claims review, or appeals processes, denials of coverage have long been a significant risk facing MCOs. Denials of coverage are
often blamed for adverse medical outcomes (including death). Regardless of the medical outcome,
denials of coverage can result in intense, adverse publicity if the issue is currently a hot topic or if the
covered person presents with a particularly sympathetic situation.


23.3.3 Quality of Care

MCOs have established programs that set quality standards and monitor for quality of care issues.
Most MCOs in this era do not employ healthcare providers, but rather arrange for the provision of
healthcare services by contracting with a network of healthcare providers. In this scenario, MCOs do
not usually face claims for medical professional liability. They may, however, be held accountable for
the quality of care provided by that network.
23.3.4 Technology

As the technology used by MCOs becomes more robust and comprehensive, so too do the risks
of its use. With the added benefit of the internet and web, wireless technology, hand held devices
and healthcare networking come increased risks of privacy and security breaches. As MCOs become
more dependent on technology for business function, capacity and availability become increasingly
important. Some of the functions now performed by technology that were previously manual include
web enrollment, premium billing and payment, collection, claims adjudication, claims submission and
correction, claims funding, and utilization management. The increased dependence on these technologies for daily business function requires that MCOs be prepared in the event of systems failure or
obsolescence. IT upgrades can take years to plan and implement because of the complexities of information transfer, system compatibilities and capabilities, and building and testing requirements. The
MCO must stay ahead of the technology curve by planning and investing to maintain its competitive
technological edge.
23.3.5 Legal Compliance

Managed Care organizations are heavily regulated. It can be very challenging to keep up with
the myriad and complex laws and regulations that apply to various aspects of the business. Without
mentioning all of the laws and regulations that pose risk, a couple of laws that pose potentially significant
financial risk are identified below.
In recent years, many healthcare institutions have consolidated and others have established alliances. Such an environment poses increased risk of antitrust violations. This can impact the MCO
negatively if it is the target of an investigation, but can also impact the MCO if a competitor or provider network gains market dominance.
The federal False Claims Act also presents an ongoing risk to any health plan engaged with the
federal government. The False Claims Act allows for "whistleblower" claims, whereby an ordinary
citizen, or "relator," may file suit on behalf of the government against a government contractor for
submitting claims that are knowingly false or that the contractor should know are false, to the government for payment. These suits, called qui tam suits, often result in significant damages awards.
The relator is often an employee or former employee of the contractor, resulting in the nickname of
"whistleblower."



23.3.6 Issues as Employer

MCOs, like all other organizations, face additional risks as an employer. Actions for the negligence, vicarious liability, and violations of law of its employees often become the direct risk of the
MCO. Additionally, MCOs must follow all applicable labor, employment, and benefits laws as they
relate to their employees and contractors. Nonprofit MCOs must be particularly sensitive to the limitations of executive compensation and benefit plans that are available to nonprofit employers.
23.3.7 Marketing and Sales

The most significant risks posed by advertising, marketing, and sales are overstatement (of both
attributes and associations) and promising something that the MCO cannot deliver. These claims are
often made during a sale, in the Request for Proposal (RFP) process, or in print and media advertisements. The MCO can inadvertently find itself bound by a statement that it did not expect to meet,
may not be able to meet, or can meet only at a significantly increased cost. (See Chapter 22 for more
information on Marketing and Advertising Liability.)
23.3.8 Public Relations

The public relations risks faced by MCOs are huge. For a Health Maintenance Organization
(HMO) to keep a positive public image requires daily vigilance and a lot of relationship building
with opinion leaders. Any of the risk factors identified above can be magnified by media and public
attention because of public relations. The public relationships that often come into play include local
and national media outlets, newspapers, state and federal representatives, and activist groups (for
particular medical disorders, ethnic groups and healthcare reform).
23.3.9 Tax Exemption

An emerging and major risk faced by all nonprofit MCOs is the potential loss of tax-exempt status. Until recently, most nonprofit MCOs felt pretty secure in their tax-exempt status. Following the
recent decisions in the Vision Services Plan1 cases, however, MCOs may face additional scrutiny. A
MCO must ensure that all of its filings and public statements exhibit a mission that is consistent with
and supports its tax-exempt status.
In addition, in many states, nonprofit organizations are being subjected to additional reporting,
disclosure, and governance requirements, similar to Sarbanes-Oxley. While much in this area continues to evolve, it is an area to watch carefully as it is currently the focus of increased state and federal
attention.

1 Vision Service Plan, Inc. v. United States of America, 265 Fed. Appx. 650; 2008 U.S. App. LEXIS 2388; 2008-1 U.S. Tax Cas. (CCH) P50,160; 101 A.F.T.R.2d (RIA) 656.


23.3.10 Disasters

As for most other U.S. business organizations, a disaster (natural or otherwise) poses huge risks to
both the financial solvency of an MCO and its covered members. A MCO must perform a comprehensive assessment of the risks to the organization and its ability to provide access to healthcare
for its members if a disaster strikes. A MCO needs to use comprehensive, multi-disciplinary teams to
brainstorm and identify the risks to the operation of the organization and its business.
23.4 How to Manage the Risks

In addition to the general recommendations regarding implementing an ERM program contained
in other chapters, certain existing efforts tailored to meet the needs of a MCO will assist with the
success of that process. In order for an ERM program to succeed in yielding results, it must start at
the top of the organization. For a MCO, that means that the board of directors must buy in, adopt,
and stay involved in the program. The ERM program should be a lens through which the business is
viewed and through which business decisions are consistently made. While an ERM program is under
development, certain existing risk management efforts, systems and processes should be utilized to
manage risk.
23.4.1 Governance and Leadership

In order for an MCO to effectively manage risk, the board must be actively aware and engaged.
The board should require reporting on these efforts on a regular basis. The board is obligated to be
familiar with the risks facing the organization. The board should be advised of and educated about best
practices for governance. The board and the leadership team should also require that risk management
efforts and reporting within the MCO be multi-disciplinary.
The leadership team should foster an atmosphere of shared responsibility and cross-pollination. If
the leadership team establishes shared responsibility and reporting as a goal of the organization, then
the underlying efforts will take root and yield more fruitful results.
23.4.2 Medical Cost Containment

In today's marketplace, it is imperative for a MCO to have robust medical cost containment
programs. Over the past few years many MCOs have supplemented traditional utilization management
programs, such as case management, with many additional and much more aggressive programs.
For each of these programs, predictive modeling is utilized to estimate savings. But, more importantly, each program is analyzed from an actuarial perspective to determine its return on investment.
These programs may include, among other things, health coaching, focused disease management,
prior authorization of targeted services based on evidence-based medicine, and fraud prevention and
recovery.

23.4.3 Financial Risk Management

Traditional financial risk management (including the use of insurance to transfer risk, review of
reserves, risk based capital, and investment portfolios) continues to play an important role in an overall
risk management program for a MCO. However, the financial risk management review is now more
inextricably linked with medical review of risk. With the increased usage of actuarial analysis, medical
risks are now assigned quantitative values and can be viewed against the financial portfolio for a truer
sense of the organization's actual global risk. The medical risks can now also be evaluated against and
side-by-side with financial and other operational risks so that the MCO can strategically focus its risk
mitigation efforts.
23.4.4 Key Staff

In order to successfully manage risk, the MCO must have identified staff that is responsible and
trained to perform these functions. A MCO should have some staff trained in risk management available to provide the following functions:
23.4.4.1 Rapid Response Team
A rapid response team is a multi-departmental team that is ready to convene on short notice when
a critical, time sensitive issue must be addressed. There can be one such team within an MCO or many
such teams charged with different types of risk scenarios (one for medical or member risk, one for
financial risk, one for disasters, etc.). All members of such a team must possess risk management skills
and training and should be familiar with the subject risk.
23.4.4.2 Dispute Resolution Contact, Risk Manager, or Ombudsperson
While a rapid response team can provide crucial input on a complex issue, often a risk arises that
requires rapid resolution when it would be impractical or unnecessary to convene such a team. In that
instance, a MCO should have a primary contact person or corporate risk manager available who can
competently handle the matter. It is imperative for that person to have excellent judgment and significant contacts and recognition throughout the company so that these sorts of issues will make their way
to him or her for resolution. Part of the risk manager's role is building awareness of what risk is and his
or her role in mitigating risk. This can be done through trainings and meetings. It is also very important
for the risk manager to be closely linked with the executive team, government affairs, and public relations, as it is those areas that are most often contacted on high profile matters. For the risk manager to
succeed in this role the leadership team also needs to get behind the risk manager and let it be known
throughout the company (and with key external contacts) that he or she is acting with authority.

23.4.4.3 Lawyers and Contracts


23.4.4.3.1 Lawyers

The office of the general counsel plays a crucial role in risk management within a MCO. In most
MCOs, lawyers are involved in most aspects of the business. As a result, they are often able to see
trends and issues across spectrums sooner than those who work in one area. In-house lawyers manage risk every day in their work. As a result, all lawyers within the general counsel's office should
understand their role in the risk management structure of the organization as it pertains to their areas
of expertise. One lawyer should always be available for the rapid response team that covers issues that
straddle many areas of expertise. In that role, general risk management skills are necessary.
At the global level, the general counsel can play a significant role in encouraging the advancement
of the risk management program and promoting its use. The general counsel should advocate for the
implementation of business interventions that will minimize or quantify risk and work closely with the
chief financial officer to lead the organization on these efforts.
23.4.4.3.2 Contracts

Lawyers can also play a significant role in the use of contracts to share or transfer risk. To the
extent possible, lawyers should seek to mitigate the risk the company takes on or educate the business
team about how contracts impact the company's overall risk profile. For example, a current trend in
healthcare provider contracting is to pay for performance. When using such a reimbursement methodology, a lawyer should educate his or her clients as to how uncertain debt obligations create greater
financial risk for the organization. The lawyer can also educate the clients in the use of contracts to
provide some measure of business and financial stability. For example, longer-term contracts allow the
MCO to project anticipated income out over a longer period of time.
23.4.4.4 Finance: Chief Financial Officer, Treasurer, Actuarial
The Chief Financial Officer (CFO) and Treasurer play key roles in risk management. Traditionally, the CFO has held responsibility for the financial risk of the company as it related to reserves,
risk based capital, and the investment portfolio. More recently, the role of the finance department
has expanded. Because of Sarbanes-Oxley and similar laws, many organizations have implemented
internal controls, particularly as to their finances. The internal audit team often has responsibility for
this function. Actuarial analysis has become increasingly important and it is utilized to take data on
risk from other areas and interpret that risk into quantifiable values so that it can be compared, apples
to apples, with other risk in the company. In the current economic environment, the treasurer may
face increased scrutiny as to the financial portfolio and must use the financial resources to match the
MCO's risk tolerance and capital needs. This coordination of information throughout the company
has allowed the CFO to have a much closer handle on the real global risk the company faces. The
CFO then uses this information to communicate with the board of directors and to mitigate that risk
through insurance, portfolio adjustment, planning, investing, and other strategies.

23.4.4.5 Compliance Team
A MCO's corporate compliance program should come under the umbrella of the corporate risk
management program. One purpose of the compliance program is to identify, assess, and mitigate
risks relating to compliance with laws and corporate policies. The compliance team should consist of
a senior compliance officer and/or a compliance officer and a cross-functional corporate compliance
committee who report to a subcommittee of the board of directors, usually in the form of an audit and
compliance committee. Internal audit can play a helpful role in advancing a corporate compliance
program.
23.4.4.6 Public Affairs
A MCO's public relations representative can play two roles in risk management. First, the public
relations area must be kept informed of risk-related issues that are percolating to the surface and could
become known outside the company, especially if those issues are of interest to the government or
the media. Second, a public relations representative can add helpful expertise to the risk management
discussion. In both instances, the public relations staff needs to be educated on the matter at hand and
be provided ample opportunity to work with the team to discuss mitigation strategies and communications plans.
23.4.4.7 Disaster Planning
MCOs should have mature disaster plans that encompass both technology systems failure and
other systemic failures that prevent or disrupt the MCO from conducting its business. The disaster
planning process should encompass business continuity planning (for smaller or shorter term disruptions), pandemic planning, and business recovery planning. Again, multi-departmental teamwork is
needed to identify the impact of a disaster on the business: what workflows will be interrupted, who
will be impacted, what the impact will be and what alternatives are available. The disaster plan should
also include prevention and mitigation strategies. Disaster planning should be considered part of the
overall corporate risk management program.
23.4.4.8 Credentialing, Quality of Care Committee
Last, but not least, credentialing and quality of care efforts have long been the cornerstones of
managed care risk management. These functions continue to be a core function of the risk management program. Toward that end, MCOs engage in rigorous credentialing processes. MCOs also assess
their network adequacy against accessibility standards established by accrediting organizations with
the goal that all enrolled members living within the service area will have access to healthcare within
a reasonable driving distance.

23.5 Commentary

Risk Management in MCOs has evolved over the last several years from a silo approach
(medical risk versus financial risk) to a more integrated, corporate risk management approach.
While some MCOs have implemented ERM, most have not fully adopted this concept. The
question is how to get there from here.
Adoption of an enterprise approach to risk management must start at the top. Boards of directors of both for-profit and nonprofit organizations are being held increasingly accountable for
the financial stability of the organization. An ERM program will provide the directors with a
better sense of the global risks facing the organization and how the organization is addressing
those risks.
The process of implementing ERM is described in detail in Chapter 2. For a MCO to implement ERM, the MCO will need to undertake a comprehensive assessment of its risks (financial,
medical, and operational) and its risk tolerance. The identified risks must be analyzed and
quantified. The MCO then needs to prioritize the risks for implementation and risk mitigation purposes. The MCO should consider implementing a new or modified risk management
structure to support the ERM program. While that may include naming a Chief Risk Officer,
it may be as simple as having all risk management programs report up to the same leader
or leaders. Some MCOs may consider ERM an umbrella that encompasses their existing risk
management efforts, and choose to focus their efforts on only a select number of programs
that monitor higher level risks. The ERM program should be led by the chief financial officer,
with guidance from the general counsel and should be required to report up to the board of
directors.
Through an enterprise risk management program, a MCO can get a better handle on its global
risk because better integration and better coordination will lead to better outcomes. An organization that knows its risks and has taken an integrated approach to mitigating those risks
can create a competitive advantage for itself in the marketplace. ERM can provide the structure for strategic decision-making that can result in that competitive advantage. By knowing
its risk, an MCO can act sooner to mitigate risks and perhaps get ahead of the competition in
positioning itself for future success.
23.6 Conclusion

There has been no standard approach to risk management in MCOs. The risk management approach
of MCOs has changed over time from a silo approach focused on medical and financial risk to a more
integrated approach where medical risk is considered part of the financial risk and analyzed side by
side. Most MCOs are considering implementing ERM, but many have not done so. To do so will
require adoption at the board and leadership level and deeper integration amongst risk management
efforts. Implementing ERM should position a MCO for strategic opportunities and should strengthen
a MCO's ability to withstand a significant risk event.

24
ERM in the Context of Mergers, Acquisitions, Divestitures, and Joint Ventures
Daniel G. Hale, Esq.
General Counsel, Trinity Health1
24.1 Introduction

Due diligence in the context of Mergers, Acquisitions, Divestitures or Joint Ventures ("Strategic
Transactions") is one of the oldest and most frequently practiced forms of enterprise risk management
(ERM). In their simplest terms, the aim of each process is to discover, understand, and quantify areas
of specific concern or threat to an organization in the broadest sense, and then to develop a strategy
for addressing those concerns. In the due diligence process, just as in the ERM process, those areas of
concern may be as broad or as narrow as the organization wishes; but in each case, it is important for
the organization to have a clear understanding of what it intends to do with the results of the process.
A sound due diligence process is designed to discover as much as possible about the other party or
parties to a forthcoming Strategic Transaction in order to make an informed judgment about whether
or not to proceed or how to change the anticipated terms to accommodate the risks identified.
24.2 Definitions

There is no universally agreed upon definition of the term "due diligence" in the context of Strategic Transactions. Black's Law Dictionary says that due diligence means "A prospective buyer's
or broker's investigation and analysis of a target company, a piece of property, or a newly issued
security."2 Some have defined due diligence from the buyer's perspective as meaning that level of
inquiry and investigation of the Target company's business, finances and operations necessary to provide the potential purchaser with adequate information about the business and affairs of the Target.3
Still others have defined due diligence from both the buyer's and seller's perspective as the affirmative duty to ensure compliance with disclosure obligations and the investigation that is part of nearly
every corporate acquisition, whether out of an affirmative duty or a thought to a future defense.4
1 The author greatly acknowledges the assistance of Joshua Moore, Staff Attorney, Trinity Health.
2 Black's Law Dictionary (8th ed. 2004).
3 McMillan, Michael K., Due Diligence In Health Care Mergers And Acquisitions, Commercial Law and Practice Course Handbook Series, p. 783 (Practising Law Institute April-May 1996).
4 Katz, David A., Due Diligence In Acquisition Transactions, June, 2007 Practising Law Institute PLI Course Handbook, Conducting Due Diligence 2003, 579-580.

24.2.1 Purpose of Due Diligence

No matter how it is defined, however, Strategic Transaction due diligence is consistent with the
ultimate purpose of ERM as defined by the Commission of Sponsoring Organizations of the Treadway
Commission:
Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.5
The description of the purpose of due diligence by one commentator is remarkably similar:
The purpose of due diligence in the context of a proposed acquisition transaction is to provide
the potential acquirer with sufficient information regarding the target company so that the acquirer may make a reasoned decision as to whether or not to pursue such a transaction and, if
the decision is made to pursue such a transaction, what the appropriate terms and price might
be. The decision made with respect to price must also consider potential liabilities, including
any post-transaction indemnification obligations.6
24.2.2 General Due Diligence Phases

While there is no universally accepted description of a due diligence process, due diligence can
be productively analyzed as having three distinct phases:
Phase I: Very preliminary inquiries directed to the other party or parties to a potential transaction
to determine if there are any deal killers that would make further efforts useless. Issues that could
arise in this Phase might include the loss of a license to operate essential services, banishment from
participation in Medicare, or similar concerns that might stop any interest in proceeding.
Phase II: This phase of due diligence is often the most extensive inquiry, leading to intense scrutiny of financial and operational issues. Issues that arise in this phase of due diligence might also
result in deal killers, but they are more likely to result in changes to essential terms of the Strategic
Transaction such as price, control, or other key transactional issues.
Phase III: After the inquiries in Phases I and II, Phase III is generally directed at essential information needed to bring the Strategic Transaction to a close. Matters such as licensing verification,
corporate good standing, and similar issues are most often Phase III concerns, although it is certainly
possible that an issue could arise that would jeopardize the transaction itself. Much of the information
gathered in Phase III is likely to be directed toward ensuring a smooth transition to the new business
model.

5 Enterprise Risk Management – Integrated Framework: Executive Summary, Comm. of Sponsoring Orgs. of the Treadway Comm'n (2004), available at http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf.
6 Katz, supra note 4, at 582.

24.3 Strategic Transactions and a Healthcare Organization's ERM Program

Strategic Transactions have the potential to greatly affect any organization's ERM program. For
the healthcare organization, the potential that a Strategic Transaction will affect its ERM program is
even greater based on the intense regulatory framework within which healthcare organizations operate. As a result, from the time that an organization begins contemplating a Strategic Transaction, the
organization must give consideration as to how the transaction may affect its ERM program. The due
diligence process is designed in large measure to discover those matters that need to be considered
from an overall ERM perspective and to ensure that those risks are not discovered after a Strategic
Transaction closes.
Typically, the first formal document that sets forth the parties' early discussions is a letter of intent.
This document may or may not bind the parties to complete the transaction, but typically the parties
reserve the right to not complete the transaction pending satisfactory conclusion of the due diligence
process, regulatory approvals and final governance approval.7 Other issues, such as confidentiality
provisions and standstill agreements to preserve the status quo during negotiations, are also typically
addressed in the letter of intent. Because certain risks can still affect a healthcare organization's ERM
program at the letter of intent stage of a transaction, these risks should be considered at the early stages
of discussing and drafting a letter of intent.
24.4 Strategic Transactions: The Due Diligence Process

One of the most important aspects of a Strategic Transaction with another healthcare organization,
through which the healthcare organization acquires, merges or divests corporate interest, is the due
diligence process. Phase I of the due diligence process begins after each healthcare organization and
their boards and/or management teams have made a decision that a proposed transaction may be in the
best interests of each healthcare organization and have some formal agreement describing their intent
to explore the possible transaction. The finalization of the transaction is generally contingent on final
approval by the board and/or management after all phases of the due diligence process are complete and
both parties desire to proceed with the transaction.
The due diligence process gives a healthcare organization the opportunity to review corporate,
business and operational records, and documents related to all aspects of the other healthcare organization. This allows governance and management of a healthcare organization the opportunity to identify
the risks and liabilities of the other healthcare organization, and it provides them with information
measuring both the potential and outstanding risks and liabilities of the other healthcare organization.
Based on the information obtained during the due diligence process, the board and management can
then make an informed decision to finalize, or close, the proposed transaction or withdraw from the
proposed transaction altogether.
7 Typical language to avoid inadvertently committing to closing a transaction is as follows: "Both Parties reserve the
right, in their sole discretion, to reject any and all proposals made with regard to a potential strategic relationship and to
terminate discussions and negotiations with the other at any time. Without limiting the preceding sentence, nothing in
this Agreement requires either Party to enter into a strategic relationship or to negotiate such strategic relationship for any
specified period of time."

The depth of review that occurs during the due diligence process of a Strategic Transaction allows
a healthcare organization to take a very detailed snapshot of the other healthcare organization's potential and outstanding risks and liabilities. Thus, the goals of a healthcare organization's ERM program
are greatly aligned with the goals of the due diligence process in Strategic Transactions.
24.5 Transaction Risk Analysis and the ERM Program

When a healthcare organization enters into a Strategic Transaction with another healthcare organization, certain of the other healthcare organization's risks and liabilities may be assumed by or
transferred to the acquiring or merging healthcare organization. Conversely, when a healthcare organization divests itself of certain interests through a Strategic Transaction, some of that organization's
risks and liabilities may be retained after the transaction closes. The object of a due diligence process
(coupled with thoughtfully crafted documentation) is to ensure that the assuming or the retaining of
risks and liabilities is done deliberately with full knowledge of any associated risk.
Whether the risks and liabilities of the acquired or merged healthcare organization are transferred
to the surviving healthcare organization is highly dependent on the structure of the transaction.8 These
pre-existing risks and liabilities may take many forms, such as financial, legal, quality, or other risks.
As noted previously, the underlying principle of a healthcare organization's ERM program provides that a board should have adequate plans to protect its assets.9 The due diligence process in a
Strategic Transaction becomes an integral part of a healthcare organization's ERM program because,
regardless of the type of Strategic Transaction, it is likely that certain risks and liabilities may be
transferred or shifted through the transaction. Thus, identifying these risks and liabilities at an early
stage allows a healthcare organization to have the opportunity to measure the risks and liabilities
proactively. Additionally, because acquisitions, mergers, divestitures, and joint ventures potentially
include risks and liabilities that encompass multiple business units across a healthcare organization,
integrating these transactions, and specifically the due diligence process, into a healthcare organization's ERM program allows the pre-existing risks and liabilities to be addressed and managed more
effectively. Further, it provides for a global perspective of the risks and liabilities at the board and
senior management levels.
More specifically, a proper in-depth analysis of the organization's risks and liabilities during the
due diligence phase of the transaction serves three purposes. First, it provides for identification of
the risks and liabilities that will be assumed, transferred, or retained by the healthcare organization
through the transaction. Second, it allows the healthcare organization to gauge and understand the
ERM program of the other healthcare organization and allows the healthcare organization's own ERM
program to have an opportunity to assign priority to those risks and liabilities. Finally, and possibly
most importantly, it provides the business unit(s) that have responsibility and accountability over the
specific risks or liabilities identified during the due diligence process with the opportunity to proactively manage, monitor, and mitigate those risks and liabilities in conjunction with the highest levels of
the healthcare organization and other business and support units within the healthcare organization.
8 The various transaction structures through which an organization acquires or merges with another organization are
discussed in more detail below in the following Part.
9 See chapter 1.
24.6 Impact of the Form of Strategic Transaction on ERM Program

The structure of a Strategic Transaction will have a direct impact on how the existing risks and
liabilities of another healthcare organization may be transferred. Even though the transaction documents may describe allocation of risks and liabilities between the parties, careful consideration should
be given to selecting the transaction form that best suits the needs of the parties with regard to that
allocation determination. A proper identification and prioritization of the risks and liabilities that are
transferred during the due diligence process allows a healthcare organization to proactively mitigate its
ongoing risks and liabilities. For this to occur, awareness of the benefits and risks of the transaction's
structure by the board and management of a healthcare organization is crucial. The more common
transaction structures in the healthcare industry, and the potential transfer of risks and liabilities that
occur through these types of transactions are briefly summarized below.
24.6.1 Statutory Merger

A statutory merger occurs when two separate healthcare organizations agree to join, or merge, and
form one successor healthcare organization. When a statutory merger occurs, the risks and liabilities
of both healthcare organizations are generally transferred to, and assumed by, the successor healthcare
organization. The assumption of risks and liabilities extends not only to disclosed or known risks and
liabilities, but also to those risks and liabilities that are undisclosed or unknown at the time of the
transaction. Thus, the due diligence process is instrumental to the successor healthcare organization's
ERM program, as it will form the framework in which the successor healthcare organization identifies
and prioritizes the risks and liabilities that will exist after the transaction closes.
24.6.2 Acquisition of the Membership or Directorship Interest of a Non-Profit Healthcare Organization

Another common Strategic Transaction occurs when a non-profit healthcare organization acquires
the membership or directorship interest of another non-profit healthcare organization. In this type of
transaction, the risks and liabilities of the acquired healthcare organization remain with the original
healthcare organization, but because of the substitution of membership or directorship, the liabilities
of the acquired organization become those of the family of organizations of the acquirer unless the
transaction documents are able to carve out certain assets and the risks and liabilities associated with
those assets.
As is the case with a statutory merger, the acquiring healthcare organization assumes undisclosed
or unknown risks and liabilities as well as the disclosed or known risks. Therefore, the due diligence
process is also instrumental to a healthcare organization's ERM program when it acquires another
healthcare organization's membership or directorship interest. Again, this process will provide the
framework through which the acquiring healthcare organization identifies and prioritizes the risks and
liabilities that the acquiring healthcare organization will assume.
24.6.3 Asset Acquisition

In an asset acquisition, all or certain of the assets of one healthcare organization are transferred
to another healthcare organization. Unlike a statutory merger or the acquisition of a membership or
directorship interest of a non-profit organization, the risks and liabilities that are assumed by or transferred to the acquiring healthcare organization, and which will become part of the acquiring healthcare
organization's ERM program, are generally more limited and specific.
In an asset acquisition, the terms of the transaction documents generally control the risks and
liabilities that will be assumed by, or transferred to, the acquiring healthcare organization.10 In this
respect, the acquiring healthcare organization has some measure of control over the risks and liabilities
that it assumes. Many times, these risks and liabilities only extend to risks and liabilities associated
with the actual assets that are acquired. Thus, the transaction's impact on managing and monitoring the
acquiring healthcare organization's ERM program will be much less substantial than that necessary
in a statutory merger or acquisition of a membership or directorship interest of a non-profit healthcare
organization.
24.6.4 Physician Practice Acquisitions

A type of acquisition that is specific to the healthcare industry is a physician practice acquisition.
In this type of transaction, a healthcare organization acquires the practice of a physician or a physician healthcare organization. When this occurs, the acquiring healthcare organization may or may not
assume the existing risks and liabilities of the practice it is acquiring, depending on the negotiations of
the parties. State or federal regulations and the specifics of a transaction will determine what can and
cannot be transferred or rejected.11 For example, in some jurisdictions patient records can be subject
to sale and in others not. Therefore, the due diligence process in these types of transactions needs to
be tailored to the risks and liabilities that the acquiring healthcare organization will assume or have
transferred to it in order for the acquirer's ERM program to identify and prioritize these risks and
liabilities.
24.6.5 Acquisition of Stock of a For-Profit Healthcare Organization

When a for-profit healthcare organization is acquired by another healthcare organization, the risks
and liabilities assumed by the acquiring healthcare organization may be limited to the assets of the
company whose stock it acquires. Although liability may be limited in a stock acquisition, the attendant
risks and liabilities of the acquired for-profit healthcare organization still pose issues for the acquiring
healthcare organization's ERM program. Although risks or liabilities that materialize after the acquisition may not directly impact the assets of the acquiring healthcare organization, they nonetheless have
the potential to substantially reduce the value of the acquiring healthcare organization's investment by
reducing the value of the acquired for-profit healthcare organization.

10 Some laws may supersede the terms of the transaction documents and affect the allocation of risks and liabilities.
11 Id.


Enterprise Risk Management for Healthcare Entities, First Edition

ERM in the Context of Mergers, Acquisitions, Divestitures, and Joint Ventures

24.6.6 Divestitures

While due diligence is generally perceived to be the buyer's burden and prerogative in a Strategic
Transaction, the seller also has a unique interest in pursuing due diligence on itself. Nearly every Strategic Transaction final agreement will call for the Seller to make representations and to give warranties
regarding the business or assets being sold. While lawyers often disagree over the standard to be used
for measuring the degree of inquiry to be undertaken by the seller (ranging from no representation
or warranty at all, to the best of knowledge not having undertaken an independent inquiry, to strict
liability), it is almost certain that a failure to disclose what was known in some parts of the business
or knowable with little effort could lead to liability down the road. In fact, many agreements contain
a provision to withhold a portion of the purchase price in escrow for a period of time to reduce the
ultimate price if undisclosed liabilities surface later.
In addition, the seller may have legitimate due diligence concerns about the buyer and its ability
to actually close the transaction or to make good on promises it will make at the transaction's closing
(for example, promises regarding employment conditions for the seller's employees post-closing). As
a result, sellers as well as buyers should take the due diligence process seriously and actively participate in it.
24.6.7 Joint Ventures

Aside from acquisitions, mergers and divestitures, healthcare organizations enter into other forms
of transactions with each other, commonly described under the very general heading of "joint venture." The transactions may actually be a true joint venture, a partnership, a limited partnership, a
limited liability corporation, or some other form of legal entity or organization, each of which carries
its own unique risks.
The risks and liabilities associated with these types of transactions are distinct from the risks and
liabilities associated with a more traditional acquisition or merger. In a joint venture, a healthcare
organization generally does not assume any existing risks or liability of its joint venture partners.
Therefore, an in-depth review of the joint venture partners' corporate records and documents generally
does not occur.
However, risks and liabilities may arise out of the joint venture operation and consequently be
shared between the partners. Thus, much like when a healthcare organization acquires the stock of a
for-profit organization, the value of the healthcare organization's investment in the joint venture may
be reduced, or wiped out entirely.
In this respect, it becomes even more imperative for a healthcare organization to incorporate its
ERM program into the joint venture. Minimally, a healthcare organization's ERM program should be
in a position to review the ongoing operations of the joint venture to assess risks that may arise out of
the joint venture operation.

24.7 Overview of the Due Diligence Process in the Context of an Enterprise Risk Management Program

In a Strategic Transaction, the risks and liabilities stretch across all units of the healthcare organization. Some of these risks and liabilities are general risks and liabilities that organizations in all
industries encounter, while some are very specific to healthcare organizations.
Most of the risks and liabilities discussed in this section have also been addressed in other chapters
in this book. However, since a Strategic Transaction has the potential to involve substantial risk to the
healthcare organization, some of the more significant, as well as some of the more common, risks that
need to be identified in the due diligence process in furtherance of the organization's ERM program
are discussed briefly in this section. The scope and depth of the review in each of the following areas
should be tailored to the structure of the transaction, and the risks and liabilities assumed or divested
by the healthcare organization, as determined by both the structure of the transaction and the transactional documents themselves. NOTE: The following discussion is necessarily a brief overview of
specific issues that should be highlighted during a due diligence review. It is not a comprehensive
list of issues or a comprehensive discussion of specific inquiries that should be made during a
due diligence process. There are many published lists to assist in due diligence processes, including
several in the meeting materials from the Annual American Health Lawyers Association Meetings.
24.7.1 Limitations of Due Diligence

It is important for the health care practitioner to understand that no due diligence will ever be perfect, and thus it is even more important for the practitioner to have a discussion with his or her client
about the limitations of due diligence in order to avoid subsequent misunderstandings. Ascertaining
whether a company is in full compliance with all applicable laws at any one point in time is nearly
unattainable, either internally as a manager or externally as an investor assessing corporate performance or a community concerned with regulatory or corporate accountability. Generally speaking,
there is no single management or monitoring system that comprehensively assures full compliance
with all legal requirements on a continuous, uninterrupted basis.12
24.7.2 General Risks and Liabilities

24.7.2.1 Corporate Organization

One of the most important aspects regarding general risks and liabilities relates to corporate
organizational issues. Specific corporate organizational issues to consider include the good corporate
standing of the organization (whether or not all forms have been properly filed and approved by
the applicable state and local jurisdictions), officer and director actions, and valid 501(c)(3) status
for non-profit organizations. To identify these risks, a review of the organization's corporate records
(articles, bylaws, resolutions, and minutes) should be undertaken during the due diligence process.

12 Monsma, David and Buckley, John, Non-Financial Corporate Performance: The Material Edges Of Social And Environmental Disclosure, 11 U. Balt. J. Envtl. L. 151, 152 (2004).


24.7.2.2 Real Estate and Environmental Issues


From a financial and strategic perspective, real estate issues may raise very large risks and liabilities for a healthcare organization. The failure to identify a lien or restriction on title to real estate or
environmental liabilities associated with the real estate can cause significant financial risks and also
may derail a healthcare organization's strategic plans for the property. Likewise, environmental risks
in hospital settings are likely to be significant, particularly for older facilities. Most healthcare facilities deal with toxic or hazardous waste of many kinds, so an in-depth environmental assessment may
be a very significant part of a healthcare transaction.
24.7.2.3 Contract Issues
A due diligence review must include a comprehensive listing and detailed review of all the organization's contracts. Issues raised can range from assignability to identifying current breaches of the
assumed contracts to regulatory issues. While time-consuming and often resisted during the due diligence process, the comprehensive contract review to identify terms and conditions of what is being
assumed (or even what is being lost if the contract is not assignable) is one of the foundation blocks
for building the new organization after the transaction is complete.
24.7.2.4 Intellectual Property Issues
Intellectual property issues are increasingly important in the complex world of healthcare organizations. They are often closely related to the contract issues described above. Issues involving
assignability and the right to use certain intellectual property are only one side of the intellectual
property coin. Buyers should also develop a clear understanding of whether there are significant intellectual property assets of the acquired entity that the buyer seeks to protect in the transaction. Specific
issues regarding the use of proprietary material that could pose risks to a healthcare organization's
strategic planning should be thoroughly explored.
24.7.2.5 Litigation Issues
Actual, pending, or threatened litigation claims must be identified during the due diligence process. Obviously, the closely related issue of insurance coverage is a critical element of the due diligence
process and is discussed elsewhere in this handbook. Often-overlooked issues involving litigation are
claims that may be brought by the acquired organization against third parties. Due diligence should
identify those claims in order for the transaction documents to be clear about their ownership after the
closing.
24.7.2.6 Antitrust Issues
While antitrust issues may not be applicable in every transaction, it is essential early on to identify
the need to make appropriate state or federal antitrust filings. In the event that complex regulatory
filings are needed, it is likely that due diligence efforts will be enhanced by the preparation of those
filings.

24.7.2.7 Labor and Employment Issues
Labor and employment issues can be critical aspects of a Strategic Transaction. Generally, costs
associated with labor and employment (including retirement related liabilities) can be 50% or more
of the cost structure of the acquired organization, and by that standard alone demand significant attention. There are obvious areas of labor and employment matters to include in due diligence processes,
but (like other specialized areas such as antitrust) it is essential that experts in these areas participate
in the due diligence design and execution. Matters are as far ranging as union agreements, pending
employment related claims (EEOC, FLSA, wage and hour laws, and others), employment agreements,
severance policies or agreements, and retirement plans (including their funded status).
An often overlooked aspect of due diligence in this regard is the nature of the current employer-employee relationship. That relationship is often key to a business's success, and an effective due
diligence process in this area will be instructive about the culture of the organization.
24.7.2.8 Tax, Securities and Financial Issues
An analysis of the other organization's tax and financial documents (and, if applicable, securities
filings) is also needed to provide the organization's ERM program with an identification of risks and
liabilities related to those issues. It is essential in most transactions that the acquired organization's
financial statements be independently audited so that the acquirer has a complete and accurate picture
of the organization's financial health. Additionally, the due diligence process should involve a review
of the other organization's tax filings to identify if any unaccounted-for tax liabilities exist. Issues specific to tax-exempt entities are discussed below. Although issues related to securities filings are beyond
the scope of this chapter, parties in a transaction involving securities must comply with applicable
regulatory requirements.
24.7.3 Specific Risks and Liabilities in the Healthcare Industry

24.7.3.1 Tax and Financial Issues

In the tax-exempt setting, the biggest potential tax risk to a healthcare organization may be the
other organization's 501(c)(3) status and challenges to that status. While this is especially true in
Strategic Transactions involving merger or acquisition of a membership interest, there are real tax
implications to many other transactions, especially those characterized as joint ventures above.
If the transaction is with another tax-exempt entity, the due diligence should confirm that
501(c)(3) status exists and that there are no pending challenges to that status. This analysis should be
more than a simple check of the status, but should also include an in-depth review of key issues such
as the organization's charity care policies and practices, general community benefit practices, and
compensation levels and processes to ensure that those policies and practices support the organization's 501(c)(3) status.

Acquiring organizations should pay particular attention to compensation of directors, officers, or
other interested individuals. The compensation policies and documentation supporting the reasonableness of the compensation of those individuals should be reviewed in the due diligence process.
Tax issues arising out of any outstanding tax-exempt debt that the organization may have could
also exist. Therefore, a review of the organization's post-issuance compliance with the Internal Revenue Service regulations related to tax-exempt debt should be undertaken. Alternatively, an acquiring
organization may choose to take out all of the pre-existing debt with new taxable or tax-exempt debt,
which may give the organization the opportunity to avoid any pre-existing risks or liabilities associated with the other organization's pre-existing tax-exempt debt.
The organization's accounting of its unrelated business activity should also be reviewed for
potential risks and liabilities. Activities of a tax-exempt healthcare organization's taxable entities or
activities should also be reviewed. Finally, a tax-exempt organization's Form 990 filings should be
carefully reviewed, especially in a transaction such as substitution of membership where the acquiring
entity effectively becomes the acquired entity and assumes its existing liabilities.
In the for-profit setting, a general review of the organization's tax position should be undertaken
in the due diligence process.
24.7.3.2 Regulatory and Compliance Issues
Healthcare organizations can face significant risks and liabilities under the myriad laws and regulations that impact their business. A review of a healthcare organization's compliance with these laws
and regulations during the due diligence process is crucial to understanding the risks and liabilities that
may impact the healthcare organization's ERM program.
One of the most significant compliance risks that may arise from government regulation is related
to healthcare fraud and abuse. Compliance with two federal statutes, the Anti-Kickback Statute and
the Stark Law,13 governing the relationship between different healthcare organizations, providers,
and other third-parties should be analyzed in almost every Strategic Transaction in which a healthcare organization will assume risks and liabilities of another healthcare organization. In addition to a
review of actual written agreements between providers (for example, hospital/physician employment
or independent contractor agreements, leases to or from physicians and hospitals), the due diligence
review should also closely review the procedures and policies that the acquired organization has used
to ensure compliance with this series of complex laws. Acquirers should be particularly alert to determinations of fair market value for any of these relationships that will be acquired in the Strategic
Transaction process.
Another governmental regulation that may pose risks and liability to a healthcare organization is
the HIPAA patient medical records provisions and the requirements (and accompanying penalties) that
HIPAA imposes on healthcare organizations. Thus, an organization's policies and practices related to
patient privacy should also be reviewed.
13 42 U.S.C. § 1320a-7b and 42 U.S.C. § 1395nn, respectively. Both statutes have state law counterparts in many states;
thus, analysis of compliance with the state law version of these statutes is also necessary.

Finally, compliance with Medicare and Medicaid billing requirements as well as the Medicare
conditions of participation should also be reviewed. This may involve the coordination of billing and
coding specialists and the compliance team of a healthcare organization.
24.7.3.3 Medical Staff Issues
Another area of potential risk and liability relates to the medical staff of the other healthcare organization. The due diligence process should review the credentialing process that has been used and any
open medical staff disciplinary processes. The process should also include an analysis of peer review
hearings, disciplinary reports, or other medical staff actions.
24.7.3.4 Licensing Issues
One of the biggest risks to the finances of a healthcare organization is the loss of a required license.
If a facility loses a required license, the revenue stream associated with that facility has the potential
to severely impact the overall healthcare organization's financial situation. Any pending investigations
or inquiries that may result in the loss of the license of a facility included in the Strategic Transaction should be reviewed as part of the due diligence process, including a history of past challenges to
licenses and any corrective action plans that have been undertaken.
24.7.3.5 Reimbursement
Issues related to a healthcare organization's revenue stream should also be analyzed during the
due diligence process, both for governmental and non-governmental payors. This should include a
review of the healthcare organization's managed care and other payor contracts, as well as a review
of its overall payor mix. Specifically, notices related to payment disputes with significant payors or
Medicare and Medicaid should be examined and the risks and liabilities associated with those disputes
prioritized upon closing of the Strategic Transaction. Special attention should be paid to the assignability of the payor contracts.
24.8 The Most Often Overlooked Due Diligence Item: Culture

When two organizations come together, through merger, acquisition, joint venture, or any other
transactional form, the single most overlooked aspect of due diligence is the compatibility of the culture of the two organizations. No two organizations function in exactly the same ways, no matter their
apparent similarities. Business goals can be quickly undermined by the inability of the two cultures
to adapt and to move toward integration. ERM processes should ensure that due diligence includes an
effective assessment of the two cultures and a clear understanding of what it will take for the two organizations to successfully integrate, including the retention of key employees to help assure a smooth
transition or integration of the organizations.


24.9 Managing Costs

Due diligence processes can be very expensive. Parties to a transaction often engage outside
professionals to conduct all or parts of the due diligence process. Outside counsel, consulting firms of
various kinds and even outside clerical support to assist with the gathering and collating of data and
document requests are a few of those third parties that may be involved.
Because the rationale of many Strategic Transactions is often to save costs by consolidation of
expense categories among the transaction's participants, it is not uncommon to have the expense of
due diligence challenged by business operations. This is especially the case when the transaction itself
involves business enterprises with small dollars involved, but in which there is a great deal of regulatory risk if noncompliant matters are not discovered.
Accordingly, those in charge of conducting due diligence processes need to be advocates for the
value of the process and remind management periodically of the potential cost to the organization if
discoverable risks go undiscovered and later create significant financial, regulatory, or reputational
issues for the organization.
24.10 Managing the Strategic Transaction and the Due Diligence Process

24.10.1 Who Leads Due Diligence

Because due diligence is potentially a long, expensive, and complex process, it is essential to its
success that there be a clearly established leader to manage all aspects of due diligence. That position
is often, but not necessarily, the lead lawyer involved in the transaction. Organizations that have a
designated business development team may choose that function to lead the process instead. In any
event, it is essential that there be one point of contact through which all due diligence requests and
responses flow.
That due diligence leader should assure that an accurate log of all incoming and outgoing responses
is maintained and that the appropriate people (and only the appropriate people) have access to the
documents necessary to conduct the analysis. Limiting the contacts between the parties to one central
contact point will also avoid needless duplication and more easily resolve disagreements between the
parties.
24.10.2 Checklists

Due diligence checklists range from the simplistic, to the complex and sophisticated, to the overwhelming and over-reaching. However, because it is impossible to anticipate every issue that may
surface during due diligence, it is important that checklists be somewhat flexible, with some issues that
barely surfaced during the early stages taking on greater importance later, while others that seemed
urgent drop out of sight.
In addition, due diligence lists and questionnaires are by their very nature subject to interpretation
and often raise issues or concerns in the receiving party. For those reasons and others, it is critical to
have the persons with centralized responsibility for the due diligence process described above have
the responsibility and authority for answering those kinds of questions, organizing the due diligence
materials, and tracking the responses received and the responses given.
24.10.3 Timing of Due Diligence Process

As noted above, there are at least three discernible phases in a due diligence process: (1) early
due diligence designed to confirm preliminarily that the Buyer does indeed have an interest in the
transaction and that there are no obvious deal-breaker issues, (2) the earnest due diligence phase that
is most labor intensive, and (3) the integrative phase where the Buyer continues to examine the Seller
in detail but primarily for the purpose of assessing integration strategies after the deal closes. The key,
however, is to begin the entire process (and subsequently each stage of the process) as early as possible. The bulk of due diligence in the acquisition transaction takes place before the acquirer agrees
to proceed with the acquisition. It becomes a very expensive process for the acquirer if it chooses to
terminate the process or to bear extra costs if items which should have been taken into account during
the due diligence investigation arise later in the process.14
24.11 Due Diligence Reports

There is no consensus way to document the results of the due diligence process. Some prefer written reports, while others prefer oral presentations with accompanying visual aids. If there is a concern
about the ability of the organization to maintain the confidentiality of the report, clearly the oral report
format should be preferred, especially if given by counsel under the protection of privilege. What is
essential is that the decision-makers within the organization receive a full report and have time to ask
questions regarding the report and its process, and that the report-giver adequately document for his or
her own purposes the details of the report and the context in which it was given.
24.12 Commentary

Healthcare businesses are highly regulated and complex. In the current environment, regulation
changes frequently and the business itself is undergoing constant change. For example, in the world
of tax-exemption alone, the advent of the new IRS Form 990 is likely to substantially increase the
public and governmental scrutiny of tax-exempt organizations and may significantly change the regulatory landscape. It is essential for practitioners to understand, and for them to educate their clients to
understand, that no due diligence process can ever be an absolute failsafe against unexpected surprises
that surface after a transaction is completed. Although there is often pressure to minimize either the
intrusiveness or the expense of due diligence, a part of the practitioner's role is to educate her or his
client to the exposures that exist when due diligence processes are minimized. In that regard, it is often
helpful to ensure that the due diligence process is viewed as a team effort, including business leaders
and others in the organization, and not just a function of the legal or risk management department.

14 Katz, supra note 4 607.


24.13 Conclusion

The matters discussed in this chapter are complex, and specific issues described can present significant risks to a healthcare organization. This chapter can do no more than provide an introduction to
some, but not all, of the many and varied issues that should be considered. There are many examples
of checklists for conducting due diligence available through the American Health Lawyers Association that provide more detailed guidance. However, readers are cautioned that no single checklist can
cover every issue that should be examined in a Strategic Transaction. Consulting with experienced
practitioners familiar with the complex regulatory world of healthcare is essential in minimizing risks
in such transactions.

25 Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
Ila Rothschild, MA, JD1
Healthcare Attorney
25.1 Introduction

Consider the following:


You, like millions of Americans, are either uninsured, under-insured or have high healthcare
insurance deductibles.

You are now in need of major surgery, be it a hip or knee replacement or a cardiac artery
bypass graft (CABG).

Upon researching the cost of obtaining this necessary medical treatment within the United
States, you have determined that your ability to obtain this needed care is cost prohibitive.

However, your Internet research uncovers the term "medical tourism,"2 where citizens of
highly developed countries travel to less developed areas of the world3 to obtain medical
services at a substantially lower cost than that provided in the individual's home country.

It's ironic. There was a time (and there still is) when foreigners traveled to the United States in
need of sophisticated medical care that their nation could not provide. Witness the Shah of Iran, who
traveled in 1979 to Manhattan to be treated for lymphatic cancer. Although many adults and children
come to the United States for complex medical procedures, clearly the reverse is happening; that is,
U.S. citizens are taking the opposite journey, that of serving as medical tourists in countries outside of
the United States.
It is not uncommon for Americans to go to Canada to obtain lower cost pharmaceuticals. Many
Mexicans and retired Americans living in the Southwest travel to Mexico for lower cost dental care.4
1 The opinions stated in the chapter are merely those of Ila S. Rothschild, Esq., and not those of The Joint Commission.
2 A search of the term "medical tourism" in May of 2007 uncovers at least 777,000 sites. Michael D. Horowitz and Jeffrey A. Rosensweig, Medical Tourism: Health Care in the Global Economy, November-December 2007, The Physician Executive, 24 [hereinafter, Horowitz, Medical Tourism].
3 Id. at 24, 26, Table 1. The term "medical tourist" is synonymous with "medical traveler." Both terms will be used throughout the chapter.
4 Annette B. Ramirez de Arellano, Patients Without Borders: The Emergency of Medical Tourism, 31 Interl J. of Hlth Services, 193, 194 (2007).

For those Mexicans traveling back to their home country for dental and medical care, they are in an
environment closer to family and health practitioners who speak Spanish and are familiar with the
Mexican culture.5
Recently, U.S. News and World Report6 chronicled the journey of Brad Barnum who traveled
from Ruidosa, New Mexico to Wockhardt Hospital located in Bangalore, India as he underwent successful knee and hip surgery.7 The surgery, including airfare, hotel and other costs totaled $28,000.8
These costs of travel, hospital, and physician draw a stark comparison to U.S. costs, which could have
cost Mr. Barnum approximately $125,000.9
The United States is at a critical crossroads with respect to providing affordable safe quality
healthcare. The statistics are staggering. As of 2006, healthcare spending for a family of four exceeded
the annual earnings of a minimum-wage worker.10 Between the years 2000 and 2007, healthcare premiums increased 91%, while wages only saw an increase of 24%.11 Moreover, many businesses and
insurance plans have restricted benefits. In fact, smaller businesses have been forced to triple the cost
of employee deductibles.12 The result has been that certain prescription drug benefits have been eliminated and dental and vision care have either been curtailed or totally eliminated by health plans.
In 2005, almost 47 million Americans lacked healthcare insurance, up from 31 million uninsured
in 1987.13 A recent study published by the Commonwealth Fund found that the number of underinsured Americans had risen dramatically.14 For the year 2007, approximately 14% of nonelderly
5
In response to the number of Mexicans and Americans traveling to Mexico, a number of marketing groups are building
additional hospitals in Mexico to cater to the influx of medical tourists. Grupo Empresarial Los Angeles, Mexico's largest
private hospital chain, plans to spend $700 million and build 15 hospitals. The goal is to increase the number of Americans
utilizing its hospitals from 5% to 20%. Currently, Grupo Angeles hospital, in Tijuana, treated 40,000 patients in 2007.
Christus Health, a non-profit hospital chain based in Irving, Texas, has 6 hospitals in Mexico. Procedures performed at
these hospitals include hip replacements, spinal fusions, knee surgery and angioplasty. Christus will be building another
hospital across the border from Texas to attract more American medical tourists. Mexico Builds Hospitals to Lure Medical
Tourists from America, Bloomberg.com at 1-3, March 27, 2008, http://www.bloomberg.com/apps/news?pid=20670001&refer=home&sid=audTNhllsFSg.
6
U.S. News & World Report, at 42, May 12, 2008.
7
Id. at 45. (Wockhardt's hospitals in Bangalore and Bombay operated on about 850 U.S. patients in 2007, more than
double the 2006 total.).
8
Id.
9
Id. In addition, hospitals, like Miami's Jackson Memorial Hospital, cater to wealthy, international, and privately insured
patients. The hospital is developing a program of seamless medical care that goes from soup to nuts and arranges for
medical and hospital care, as well as transportation and other necessary travel and medical accommodations. Florida
public hospital goes five star route, Fierce Healthcare, July 9, 2006 (visited March 10, 2008), http://www.fiercehealthcare.com/story/fla-public-goes-five-star-route/2006-07-10.
10
Arnold Milstein and Mark Smith, Will the Surgical World Become Flat? 26 Health Affairs 137 (January/February
2007) (hereinafter Milstein, Surgical World) citing California HealthCare Foundation, Health Insurance: Can Californians
Afford It? 3, 2005, http://www.chch.org/documents/insurance/Health Insurance Affordability.pdf.
11
C. Schoen, S.R. Collins, J.L. Kriss, M.M. Doty, How Many Are Underinsured? Trends Among U.S. Adults, 2003-2007,
The Commonwealth Fund, at w298 (June 10, 2008) (hereinafter Schoen, How Many Are Underinsured?).
12
Id. at w298 (citing authors' analysis of data from Henry J. Kaiser Family Foundation/Health Research and Educational
Trust & Employer Health Benefits Surveys, 2000 and 2007.).
13
Nathan Cortez, Patients Without Borders: The Emerging Global Market for Patients and the Evolution of Modern
Health Care, 83 Ind. L. J. 71, 72 (2008) (hereinafter Cortez, Patients Without Borders) (citing Carmen DeNavas-Walt,
Bernadette D. Proctor and Cheryl Hill Lee, U.S. Census Bureau, Income, Poverty, and Health Insurance Coverage in the
United States: 2005 at 20, 23 (Aug. 2006), http://www.census.gov/prod/2006pubs/p60-231.pdf).
14
Schoen, How Many are Underinsured? at w299. (The article defined underinsured as insured individuals whose out-of-pocket medical expenses amounted to 10% or more of their income (or 5% if they were low income individuals below


Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
adults were underinsured and 25% of adults (49.5 million) were uninsured for all or part of the year.15
All told, 75 million adults or 42% of the under-65 adult population had either no or inadequate insurance in 2007, up from 35% in 2003.16
Not surprisingly, an estimated 350,000 Americans sought medical care overseas in 2003, with
a projected number of six million Americans estimated to seek care outside of the United States by
2010.17 With the rise in healthcare premiums and deductibles; pre-existing conditions serving as the
vehicle by which insurance companies will not cover the condition for a specified period of time; the
desire of consumers to obtain procedures not covered by insurance (i.e., cosmetic surgery, fertility
treatment, drug rehabilitation, and gender reassignment); exorbitant medical practice insurance premiums; and a graying baby boomer tsunami,18 it is inevitable that Americans would turn elsewhere
for lower cost medical care. To use a metaphor from the movie of the same title, this conflagration of
factors has led to the "perfect storm" of medical tourism.
This chapter will discuss medical tourism: its advantages and risks. It will further focus on some
issues that have promoted and intensified the growing interest in medical tourism, as well as discuss
those risks inherent when healthcare is obtained outside of the United States.
Part I will focus on the intricacy of factors that have influenced the choice of medical tourism
destinations and medical care. Part II considers the legal ramifications of medical tourism from the
perspective of providers, patients, physicians, and payors. The question to be answered: is medical
tourism merely a blip on the spectrum of healthcare services, or is it a service that will continue to
see growth and ultimately become a sophisticated new healthcare industry as Americans pursue quality healthcare at low cost?

200% of the federal poverty line) or if their deductibles equaled or exceeded 5% of their income.)
15
Id. at w300.
16
Id.
17
Horowitz, Medical Tourism at 24 (citing H. Baliga, Medical tourism is the new wave of outsourcing from India, India
Daily, Dec. 23, 2006, http://222.indiadaily.com/editorial/145858.asp. Contra Tilman Ehrbeck, Ceani Guevara, and Paul
D. Mango, Mapping the Market for Medical Travel, The McKinsey Quarterly, May 2008, http://www.mckinseyquarterly.com/article_print.aspx?L2=12&L3=63&ar=2134.) (hereinafter Tilman, Mapping the Market for Medical Travel). (The
McKinsey Quarterly places medical tourism at 60,000 to 85,000 inpatients per year. However, this number does not
include individuals who obtain emergency medical care; medical tourists who travel abroad for wellness procedures like
massages or acupuncture; or expatriates who seek care.)
18
Bruce Einhorn, Medical Travel is Going to Be Part of the Solution; David Boucher of Blue Cross & Blue Shield of South
Carolina is forging alliance that allow members to go abroad for surgery and other procedures, Business Week Online,
March 18, 2008, http://www.business week.com/globalbiz/content/Mar2008/gb20080312_835774.htm (Last visited May
12, 2008). (Here in the U.S. you have the Silver Tsunami. In 2008, 365 Americans an hour will turn 62. Over half are
selecting early Social Security and many do not have employer-sponsored medical plans. The number turning 62 goes to
1.400 an hour by 2010 and the numbers continue to stack up until the peak of 2017.) See also Jonathan S. Edelheit, The
U.S. Healthcare Crises: Rising Supply of American Patients, Medical Tourism, March 2008, 30, www.medicaltravelauthority.com (The author notes that there is a growing marketplace for medical tourism in the U.S.: Baby Boomers. As
the Baby Boomer generation gets older, they will place an extra burden on the U.S. healthcare system, and many will start
looking overseas for their orthopedic and cardiac procedures.).
25.2 Part I: Choice of Medical Travel Destination and Medical Care

25.2.1 Foreign Government Initiatives and Political and Cultural Issues

Among the factors to consider when traveling abroad to obtain medical care is the need to research
the political stability as well as the culture of the country being visited. Who is the main driver of
medical tourism in the country?19 If medical tourism is driven primarily or regulated strongly by
the government, there may be greater assurance that the international consumer would be adequately
protected because the country's reputation would be at stake.20 An example of country-driven medical
tourism is found in Dubai, United Arab Emirates, where the Dubai Health Authority (DHA) requires
all of its hospitals to be Joint Commission International accredited (see below).21 The Director-General
of DHA stated, "This is not the end; it is the start for us to continue offering special services across our
medical outlets, to take our work procedure a step higher, and develop the qualifications of the service
providers to comply and keep up with the rapid growth in Dubai."22 The Dubai government has raised
more than $100 million to develop medical facilities that will enhance medical care, research, and
education.23 With the assistance of Harvard Medical International, the United Arab Emirates plans to
develop a 435-acre state-of-the-art Dubai Healthcare City before 2010.24
Similarly, in 2003, Singapore's government launched the Singapore Medicine Initiative that is
meant to promote Singapore as a healthcare destination.25 American medical institutions (Johns Hopkins and Duke Medical Center) and pharmaceutical companies (GlaxoSmithKline and Novartis) have
collaborated with the Singapore government to promote excellence in healthcare.26
Regardless of a foreign country's attempt to encourage and develop medical tourism, political events have had a profound impact on the global economy and medical travel. Internal and external
conflicts, terrorism, and acts of nature (e.g., tsunamis, devastating earthquakes, and cyclones) have
prevented, from time to time, medical tourists from traveling to foreign countries for medical care. For
example, after September 11, 2001, the travel of individuals from the Middle East to the United States
was significantly curtailed. Between 2001 and 2003, travel from one country in the Middle East to the
United States saw a decline from 44% to 8%. Although numbers have returned to the pre-9/11 level,
it took the political market over 6 years to adjust to its pre-terrorism numbers.27
For a number of years, the American Medical Association (AMA) has vocalized its concern
regarding complications involving international organ transplantation. The AMA, in a report to the
19
Darren Tan and Dr. Jeremy Lim, Selecting Medical Travel Destination, December 2007, Medical Tourism, 10 (Other
sources of information include the U.S. State Department regular travel advisory and the World Bank publication, Governance Matters 2007).
20
Id.
21
UAE: JCI status for six more facilities, International Medical Travel Journal, March 20, 2008.
22
Id.
23
Josef Woodman, Patients Beyond Borders, 301 (2007) (hereinafter Woodman, Patients Beyond Borders).
24
Id. (Despite the United Arab Emirates' push to create a mecca of medical tourism, travelers who have an Israeli
passport or who have traveled to Israel, and have had their passports stamped, will be denied entrance into the United Arab
Emirates. It is unfortunate that political/religious matters trump healthcare needs of travelers.)
25
Id. at 265.
26
Id.
27
Tilman, Mapping the Market for Medical Travel at 5.

2008 Annual Meeting of the AMA (held in Chicago June 14-18, 2008), expressed its concern with
transplant tourism or organ trafficking. The AMA defined transplant tourism or organ trafficking
as traveling to another country for the purpose of organ transplantation, [and] thereby increasing
the possibility of exploitation of donors through coercive practices including paid donation.28 In
its report, the AMA referenced a 2007 resolution that the AMA and the World Medical Association
(WMA) would collaborate to provide ethical guidelines regarding transplant tourism. Also referenced
was a 2007 World Health Organization (WHO) report of guiding principles on organ donation and
transplantation. The principles, entitled Global Knowledge Base of Transplants, consist of an ambitious four-part program meant to protect the safety and rights of living donors; to disseminate laws
and regulations applicable to transplantation activities in Member States;29 to provide information and
organization of transplantation services in Member States; and, most importantly, to collect and disseminate information on threats to the success of transplantation, including information on the safety and
ethics of practices and on measures to counter these threats.30 Of interest, 193 Member States are
members of WHO. Member States of WHO are defined as those countries that are members of the
United Nations and agree to accept WHO's constitution. Other countries may be admitted as members
of WHO when their applications have been approved by a majority of the World Health Assembly.31
India, Nepal, China, and Philippines, countries that have been cited for organ trafficking, are members
of WHO.32 Clearly, much remains to be seen as to whether pressure on these countries to comply with
WHO's transplantation guidelines will lessen the occurrence of organ trafficking, and at the same time,
ultimately encourage ethical and legal transplants.
There are also many cases of medical tourists who travel to foreign countries to obtain procedures
that are either unavailable or illegal in the tourists' home countries. For example, Americans travel
to Mexico for immunologic treatments banned in the United States, Germans acquire donor eggs
in Spain, [and] Austrian lesbians secure sperm abroad.33 We are also seeing a rise in reproductive
tourism that involves any number of personal and governmental issues: privacy, governmental regulatory authority, developing technology, and commercialism, all of which vary in intensity from one
country to another.
The desperation of individuals who yearn for a healthy child is the driving force for medical
tourists to travel to the United States, Brazil, Spain, and Saudi Arabia to obtain, for example, preimplantation genetic diagnoses that will assist the prospective parents in determining whether they carry
a gene for Tay-Sachs or help the prospective parents in preselecting the baby's sex.34
Other medical tourists are willing to pay $6,000-10,000 and travel to India to obtain the services
of a surrogate mother.35 In India, specialized clinics contract with poor Indian women who agree
28
Report of the AMA Board of Trustees, Ethical Procurement of Organs for Transplantation (B of T Report 13-A-08).
29
Id.
30
Id. at 4, 5.
31
http://www.int/countries/en (Last visited June 27, 2008).
32
http://www.who.int/countries/en (Last visited June 12, 2008).
33
Debora Spar, Reproductive Tourism and the Regulatory Map, 352 NEJM 531 (Feb. 2005).
34
Id.
35
Jennifer Miller, Medical Tourism Ethics II: Outsourcing Wombs to India, Jan. 8, 2008, http://www.bioethicsinternational.org/?p=424 (Last visited Feb. 2, 2008).

to serve as surrogate mothers. The mothers are housed in clinic dormitories for the duration of the
pregnancy, where they are constantly monitored and provided with pre-natal healthcare.36 One might
cringe and feel that this is commercialism carried to its ugliest extreme. However, many of the surrogate mothers, who claim to love pregnancy, feel that the compensation they are given is empowering
them to provide homes and education for their children (most of these women live in households that
have yearly earnings of merely $600).37
At the other end of the spectrum is the organization Dignitas, a Swiss not-for-profit organization
that provides aid-in-dying services for those individuals who are terminally ill. Dignitas, founded in
1998, has been headquartered, until recently, in an apartment complex located in the suburbs of Zurich,
Switzerland. For a fee of $6,800, foreigners wishing aid-in-dying can travel to the apartment complex
where they are given a lethal cocktail of barbiturates. Over the years, approximately 753 foreigners
have used Dignitas' services. In September 2007, Dignitas was evicted from its headquarters and has
resorted to assisting individuals to die in parked cars (akin to Dr. Kevorkian's model of assisted suicide). The organization is currently seeking new space for its services.38
25.2.2 International Accreditation

One of the most critical pieces in ensuring that safe, quality healthcare is provided abroad is to
investigate how medical care is provided and measured at foreign hospitals. Clearly, medical tourists
do not have the knowledge or expertise to guide them in determining what medical care standards
medical facilities must meet. The globalization of healthcare, however, is bringing to the fore the
importance of international accreditation by such organizations as the Canadian Council on Health
Services Accreditation and its international arm, Accreditation Canada International (ACI).39 ACI is
currently in communication with approximately 30 hospitals in the Middle East, North Africa, the
Caribbean, Latin America, and Europe.40 It has a cadre of over 550 healthcare professionals who
survey hospitals in Canada and abroad that wish to be accredited. ACI's purpose is to guide clients
through every step in the accreditation process: readiness assessment, self assessment, onsite survey, accreditation report, and post-survey coaching.41 Between surveys, ACI works with its clients,
through the philosophy of continuous quality improvement, to assure that quality patient safety and
optimum services42 are the linchpins of service provided to the international medical traveler. ACI
36
Id.
37
Id.
38
Michael Leidig and Henry Samuel, Evicted Suicide Service Goes on Road, Nov. 10, 2007, http://www.smh.com.au/cgi-bin/common/popupPrintArticle.pl?path=articles/2007/11/09/11943295009959.html# (Last visited June 15, 2008).
39
Kenny Koyle, International Expansion, The International Medical Travel Journal, Issue 04 2008 (Last visited May 17,
2008).
40
Id. Interview with Wendy Nicklin, President & CEO of the Canadian Council on Health Services Accreditation
(CCHSA).
41
Id.
42
Id. (Similarly, the Australian Council on Healthcare Standards (ACHS) was established in 1974 to improve the quality
of care provided by healthcare facilities in Australia. In February 2004, the ACHS decided to accredit hospitals outside of
Australia and thus established the Australian Council on Healthcare Standards International (ACHSI). As part of its Evaluation & Quality Improvement Programme, ACHSI standards stress safe management of blood, fall prevention, continuity
of care between healthcare providers and infection control. Currently, hospitals in India, the Asia-Pacific and Middle East
have shown interest in ACHSI.)

has already accredited six hospitals in the Middle East. The latest hospital to be accredited is Sharjah
Teaching Hospital in Sharjah, United Arab Emirates; it has 210 beds and over 114 dental chairs.43
Among all of the accrediting organizations, The Joint Commission is the oldest and largest
accreditation organization, founded in 1951. The Joint Commission evaluates and accredits nearly
15,000 health care organizations and programs in the United States, including more than 8,000 hospitals and more than 6,800 other health care organizations that provide long term care, assisted living,
behavioral health care, laboratory and ambulatory care services.44 The Joint Commission's international affiliate, Joint Commission International (JCI), has evaluated and accredited hospitals outside
of the United States since 1999.45 JCI's accreditation mandate is ambitious. The JCI accredits foreign
hospitals, ambulatory care organizations, clinical laboratories, medical-transport organizations, and the care
continuum, and certifies a number of disease- or condition-specific services including primary care,
maternal and well-child care, chronic kidney disease, HIV-AIDS, oncology care, cardiac disease, and
diabetes care.46 Accreditation by JCI is rigorous: the entire process, up to the point of accreditation,
may take as long as four years. The facilities being accredited must collect data and show JCI surveyors that they have established a plan to meet patient safety and quality of care standards.47
JCI standards, though similar to The Joint Commission's standards, are modified to adapt to the
cultural needs and laws and regulations of countries outside of the United States.48 In addition to
developing standards that apply to the qualifications of physicians and nurses, matching medical care
to the needs of the patient, and establishing anesthesia procedures and safe use of medication, the JCI
collaborates with and assists the hosting countries in developing their own accreditation standards.49
Critical to this piece is that patients be spoken to in their own native tongue. Most, if not all, JCI-accredited hospitals have medical and nursing staff who speak any number of languages, including
English and the languages of other medical tourists. Pursuant to JCI standards, privacy and confidentiality must be respected and medical recommendations and complete medical records must follow
patients upon their return to their native countries.50
In August 2005, in line with the JCI's mission to collaborate with foreign countries, the WHO
designated The Joint Commission and JCI as the world's first WHO Collaborating Centre dedicated

43
Canada: CCHSA International Becomes Accreditation Canada International, International Medical Travel Journal,
http://www.imtjonline.com/news/canada-cchsa-international-becomes-accreditation-canada-international (Last visited
May 27, 2008).
44
The WHO Collaborating Centre on Patient Safety (Solutions), the World Alliance for Patient Safety and the Commonwealth Fund, Announce Action on Patient Safety (High 5s) Initiative, WHO Collaborating Centre on Patient Safety
(Solutions) News Release, Dec. 4, 2006.
45
Tom Otley, Accredit to the Nation, International Medical Tourism Journal, 01 2007, 32, 34.
46
Id.
47
Id. at 33.
48
Karen Timmons, The Value of Accreditation, Medical Tourism, December 2007, 12, 13. (An example of the JCI acceptance of cultural variation is in the arena of informed consent. Although most informed consent forms are filled out by the
patients, often in front of a witness, some cultures mandate that family members, other than the patient, are the only ones
who can consent on behalf of the patient.)
49
Id.
50
Id.

solely to patient safety.51 As part of this collaboration, a number of organizations, including the WHO
Collaborating Centre for Patient Safety, implemented the High 5s initiative, which will develop protocols for patient safety.52 The initiative, which includes the collaborative efforts of Australia, Canada,
New Zealand, the United Kingdom, Germany, the Netherlands, and the United States, is to achieve
significant, sustained, and measurable reduction or elimination of five highly prevalent patient safety
problems found in hospitals.53 The five most prevalent patient safety concerns include: (1) Prevention
of patient care hand-over errors; (2) Prevention of wrong site/wrong procedure/wrong person surgical
errors; (3) Prevention of continuity of medication errors; (4) Prevention of high-concentration drug
errors; and (5) Promotion of effective hand hygiene practices.54 As a means of incorporating these
protocols countrywide, each country is expected to designate an agency that can enroll at least 10 hospitals to cooperate with this initiative. Tools, including patient safety indicators, root cause analyses,
adverse events, and cultural and economic indices,55 will be utilized as hospitals work to prevent harm
to patients and to promote high levels of patient safety.
Recently, the JCI launched an additional tool to assist foreign countries in evaluating, applying,
and implementing science-based evidence surrounding the relationship between design, patient safety,
and quality.56 Teams of clinical practitioners and engineers will help organizations to establish and
maintain an environment that promotes safe patient practices.57
To date, the JCI has accredited over 150 hospitals, approximately seven ambulatory care entities,
five clinical labs, and a number of disease certification programs relating to acute stroke, acute myocardial infarction and heart failure.58
Although foreign hospitals are to be applauded for their efforts to seek and maintain accreditation
and to have medical staffs that are trained in the United States and board certified, the question remains
as to whether patients will receive quality medical care. For example, patients who obtain surgical care
abroad are subject to complications from infectious diseases that may be indigenous to the foreign
country. India, Thailand, Malaysia, and Costa Rica have a higher incidence of tuberculosis, hepatitis
A, and amoebic dysentery, all of which could deleteriously impact patient recovery after surgery.59
Although patients may ask foreign institutions or physicians about surgical complications, it remains
difficult to verify whether the statistics quoted are correct.
51
WHO Collaborating Centre for Patient Safety Solutions, Joint Commission International Centre for Patient Safety,
http://www.jcipatientsafety.org/24971/ (Last visited May 12, 2008).
52
Joint Commission International Centre for Patient Safety, High 5s Project, http://www.jcipoatientsafety.org/24433/
(Last visited May 12, 2008).
53
The WHO Collaborating Centre on Patient Safety (Solutions), The World Alliance for Patient Safety and the Commonwealth Fund, Announce Action on Patient Safety (High 5s) Initiative, WHO Collaborating Centre on Patient Safety
(Solutions) News Release, Dec. 4, 2006.
54
Id. at 2.
55
Id. at 3.
56
USA: JCI Launches New Consulting Programme, International Medical Travel Journal, March 20, 2008.
57
Id.
58
Joint Commission International, Joint Commission International (JCI) Accredited Organizations, http://wwwjointcommisioninternational.org/23218/iortiz/ (Last visited May 12, 2008).
59
Douglas W. Lundy, M.D., The Liability Implications of Medical Tourism, American Academy of Orthopedic Surgeons,
May 31, 2008, http://www.aaos.org/news/aaosnow/feb08/managing 7.asp. (Last visited May 31, 2008).

Moreover, Americans take safe blood transfusions for granted, knowing that there are rigorous
standards in place to prevent the transfusion of tainted blood or incorrectly typed blood. As part of the
medical traveler's due diligence, if there is a possibility the traveler may need a blood transfusion, the
patient should ask where the blood came from; whether donors were screened for HIV, hepatitis, syphilis, and
malaria; and how the hospital ensures that the right blood is transfused into the right patient.60
One of the major risks of traveling long distances for medical care is postoperative venous thromboembolism (VTE). In a recent study, researchers found a number of factors that contributed to the
risk of VTE occurring (within 28 days post-op) in medical tourists who had traveled more than 5000
km to obtain surgical care.61 Factors contributing to the risk included long periods of relative immobility (economy class syndrome), obstruction to venous return due to compression of popliteal veins at
the edge of the [airplane] seat, and possible dehydration due to decreased fluid intake or too excessive
use of alcohol during the flight.62 Another interesting point made by the study is that VTE developed
earlier in the post-operative stage, suggesting that VTE may have developed on the long flight to the
foreign country.63 Medical travelers are urged to obtain medical evaluation prior to any long distance
flight. When arranging how much time a medical tourist should recuperate after major surgery, the
traveler, on the advice of his or her physicians, should build in significant post-operative recuperation
to minimize any post-operative VTE complications.64 Ultimately medical tourists should weigh the
benefits of traveling long distances for surgery versus the risks of post-operative complications.
25.2.3 Companies and Hospitals That Promote Medical Tourism

Many foreign countries are well known for promoting and advertising medical tourism. For
example, Brazil is well known for hospitals and clinics that specialize in cosmetic surgery.65 Antigua
is best known for the treatment of substance abuse addiction.66 The rock star Eric Clapton founded
Crossroads Centre in 1997. In 2006, 87% of the clients visiting Crossroads were international patients,
with 73% coming from the United States.67 Barbados is well known for in-vitro fertilization and other
types of cutting edge reproductive procedures.68 Thailand and India boast top-notch cardiac and orthopedic procedures.
Singapore, for example, has at least eleven hospitals that are JCI-accredited and over 410,000
medical tourists traveled to Singapore in 2006 for medical care.69 As a means of encouraging Americans to travel to Singapore for medical and surgical care, three Singapore hospitals operated by
ParkwayHealth (Mount Elizabeth Hospital, Gleneagles Hospital, and East Shore Hospital) are now
60
Avery Comarow, Medical Tourism: Under the Knife in Bangalore, U.S. News & World Report at 42, 49, May 12,
2008.
61
Ognjen Gajic, M.D.; David O. Warner, M.D.; Paul A. Decker, M.S.; Rimki Rana, M.D.; Dennis L. Bourke, M.D.; and
Juraj Sprung, M.D., PhD, Long-Haul Air Travel Before Major Surgery: A Prescription for Thromboembolism? Mayo Clin.
Proc., 728 (June 2005).
62
Id. at 729.
63
Id.
64
See Woodman, Patients Beyond Borders at 13.
65
Woodman, Patients Beyond Borders, at 19.
66
Id. at 186, 187.
67
Id. at 187.
68
Id. at 188.
69
Three Hospitals in Singapore Join Companion Global Healthcare Network, PRNewswire, March 6, 2008.

the first foreign hospitals that are set to provide medical care to members of BlueCross BlueShield
of South Carolina and Blue Choice.70 This affiliation, orchestrated by Companion Global Healthcare
Inc., serves the uninsured, insurance companies, and employer groups by providing for travel, medical
appointments, case management, and medical follow-up.71
Although many foreign hospitals have their own websites that detail the services provided by the
institutions, many medical travelers rely upon health travel agents or medical tourism companies
that have formed partnerships with leading hospitals in these countries that offer cardiovascular services, cosmetic surgery, dental care, neurosurgery, ophthalmology, and orthopedics.72 For example,
the website, Healthbase: Healthcare Beyond Boundaries, states that its primary purpose is quality
of care and that its hospitals, which are JCI-accredited, are screened based on the quality of care,
procedural availability, pricing, and overall patient experience.73 One of its hospital groups, Apollo
Hospital Group (located in New Delhi, India) has over 7,000 patient beds spread out among 38 hospitals.74 Escorts Hospital, also located in India, boasts that it performed over 9,756 angiographies,
2,707 coronary interventions, and 5,519 cardiac surgeries in 2005.75
Countries that in the past had not allowed their hospitals to advertise their medical services are
now recognizing the economic advantage of promoting healthcare to medical travelers. One such
country is South Korea. In the past, South Korea had laws and regulations that did not allow its hospitals (considered as non-profit organizations) to advertise healthcare procedures.76 As soon as South
Korea's Parliament reverses its law preventing advertising, hospitals will be allowed to work with
travel agencies in order to provide a full cadre of services for the medical traveler, including air fare,
medical services, hotel accommodations, and even visits to local tourist attractions.77 By promoting
medical tourism to its neighbors China and Japan, as well as Russia and the United States, South
Korea hopes that it will increase the number of medical tourists to 100,000 in 2012, provide medical
care to 6,000 of its local natives, and add $900 million to its local economy.78
To provide information to the general public, The Joint Commission International's (JCI) website
has links to accredited hospitals in over 50 countries. By clicking on Wockhardt Hospital on the JCI site,
for example, the medical traveler is immediately taken to the Wockhardt website where all
sorts of information are readily available. Wockhardt's website recommends that the medical traveler
contact certain physicians through listed websites or phone numbers. The website also lists the physicians' credentials as well as the physicians' prior education and current hospital positions. By clicking
on the name of a randomly chosen physician the medical traveler is able to determine the previous
posts the physician held, his or her specialty, training, and teaching experiences. In fact, the website
allows the medical traveler to arrange an appointment with a physician and to email Wockhardt staff
Id.
Id.
72
Woodman, Patients Beyond Borders at 267.
73
http://www.healthbase.com/hb/pages/hospitals.jsp (Last visited March 10, 2008)
74
Id.
75
Id.
76
South Korea: Hospital Prepare for New Laws, International Medical Travel Journal, http://www.imtjonline.com/news/
south-korea-hospitals-prepare-for-new-laws (Last visited June 12, 2008)
77
Id.
78
Id.
70
71

410

Enterprise Risk Management for Healthcare Entities, First Edition

Medical Tourism Risks: Have Patient Will Travel To Thailand, India, and the Taj Mahal!!
regarding any questions the medical traveler might have. Furthermore, Wockhardt lists its collaboration with Harvard Medical International, which adds to the credibility of Wockhardt. Hospitals, like
Harvard, provide foreign hospitals with medical expertise, along with standards oversight and best
practices discipline.79 In addition to establishing protocols to deal with infection control and patient
safety, Wockhardt is participating in a global study to monitor infection rates in hospitals.80
Given that many of the foreign hospitals are accredited, the medical traveler must take an additional step in his or her inquiry: has any of the hospitals ever lost its accreditation, and what types of
patient complaints have been filed against the hospital? Foreign hospitals should be forthcoming to the
medical traveler, although, as mentioned above, it is difficult to verify a hospital's data. Accreditation
organizations, like JCI, provide medical tourists with the most current accreditation information.
25.2.3

Healthcare Practitioner Competency

Concomitant with determining which foreign hospitals are appropriate for various procedures, the
potential medical traveler must painstakingly research the qualifications of the medical practitioners
who will be providing care to the traveler. Here, in the United States, there is a broad range of questions to ask of physicians or surgeons prior to obtaining medical care. Questions that should be asked
include the following: (1) Where did the physician obtain his or her undergraduate and medical school
degree; (2) Where did the physician complete his or her residency, did he or she serve as a chief resident, did
he or she go on for any fellowship in any particular specialty; (3) Is the physician board certified and
in what specialty; (4) Did the physician do any research in any particular specialty and under whom
did he or she train; (5) Where is the physician licensed (many physicians are licensed in more than one
state); (6) At what hospital(s) is the physician on staff; what medical staff privileges does the physician have; has the physician ever been suspended from the medical staff or had his or her privileges
revoked; (7) How does the physician keep his or her skills and knowledge current; (8) If the physician
is a surgeon, what kinds of surgery does the surgeon perform; how many operations does the physician perform in a year; does the surgeon have staff privileges to perform the surgical procedures at an
accredited healthcare facility; and (9) What is the physician's safety record? Has the physician been
involved in any adverse events or medical professional liability actions? In addition, consumers can
go to the American Board of Medical Specialties website, as well as other websites to obtain current
information on physicians.
Determining the competency of healthcare practitioners in foreign countries is more complex
due to the difficulty of verifying information obtained from the physician or medical travel agency.
The problem is that medical travelers are not as familiar with the type of training foreign practitioners obtained. Many physicians are board certified in the United States and then return to their
native country. Still others are trained at prestigious universities and hospitals throughout the world.
Websites of foreign hospitals or medical travel companies offer some guidance. For example, IndUShealth.com, a website devoted to assisting the medical traveler obtain healthcare in India, assists the
traveler in selecting the appropriate Indian hospital and physician depending upon the medical needs
of the traveler. The website lists the costs of obtaining any number of procedures in India (e.g. hip
replacement/resurfacing, knee replacement, CABG, gastric bypass, and laparoscopic surgeries). It also
lists the approximate cost of travel, airfare, obtaining passport/visa, ground transportation, hotels, and
meals.81
79 Woodman, Patients Beyond Borders at 227.
80 Id. at 227. See also, http://www.wockhardhospitals.net/general/jci.asp (Last visited May 31, 2008).
If the medical traveler ultimately decides that it is to his or her advantage to travel to a foreign
country for medical care, websites like the one for the International Society of Aesthetic Plastic Surgery (ISAPS) can offer guidance for travelers. With respect to obtaining plastic surgery, the medical
tourist is urged to check the ISAPS site that lists the names and addresses of over 1,600 internationally
certified plastic surgeons. The site also urges patients to check the physician's references, talk directly
to the doctor and the doctor's staff, and discuss possible complications, aftercare, and appropriate
follow-up in the medical traveler's home country.82 A website that has actual videos of surgical procedures being performed (whether they are cardiac, abdominal, or laparoscopic procedures) is that of the
National Library of Medicine. The website also gives the medical traveler advice on how to choose
the right physician for the specific surgical procedure.83 Despite having made as informed a decision as
possible, the medical tourist must also ponder the legal ramifications of obtaining potentially negligent
healthcare in a foreign land.
25.3

Part II: Legal Ramifications of Medical Travel from the Physician, Provider, and Payor Perspective84

In addition to foreign-owned healthcare providers seeking to provide services to the growing
number of medical travelers, many U.S.-based healthcare providers are expanding their services to
locations in foreign countries. Physicians and hospital groups, facing the trends of declining reimbursement, increasing overhead, and increasing numbers of non- or underinsured patients, are now
more than ever before open to new business opportunities. As these alternative possibilities and
sources are explored, counsel will need to understand the attendant legal, financial, and regulatory
risks. Understanding and advising clients about the legal risks and issues inherent in the new universe
of medical tourism requires an understanding of the respective roles of the four Ps in the medical
tourism industry: patients, payors, providers, and physicians.
Physician clients may be involved in the medical tourism industry from two perspectives, as a
physician investor in a foreign joint venture or business investment in a hospital, or as the treating
physician encountering increasing numbers of private patients contemplating traveling abroad for care.
As competition increases, there will be more business investment opportunities for physicians who
identify the provision of overseas medical treatment as an emerging business model.

81 http://indushealth.com/pricing.htm and http://indushealth.com/why_indushealth.htm (Last visited May 31, 2008).
82 http://www.isaps.org/mtourisms.thp?subsection=guidelines.3e.
83 http://www.nlm.nih.gov/medlineplus/surgery videos.html (Last visited May 31, 2008). (In addition, the website for the American College of Surgeons lists a book entitled I Need an Operation... Now What, written by Thomas R. Russell, MD.)
84 This part was written by Nancy T. Poblenz, RN, BSN, DDS, JD, CPHRM, Director, Litigation and Loss Prevention, CHRISTUS Health, 2707 North Loop West, Houston, TX 77008.
Hospital providers may be seeking to diversify their investment portfolio by entering into joint
venture or other business relationships in foreign countries. These providers may develop package
programs that encompass the full spectrum of medical and hospital care, along with transportation and
accommodations.
Payors will play an important role in the expansion of the medical tourism market with an increasing demand from patients to shift from the self-pay to a reimbursement model. Overseas medical
care has the potential to save payors money just as medical tourism cuts costs for individual patients.
However, the difficulty of assessing quality of care is a major barrier to payors offering coverage of
overseas procedures.
As physicians, providers, and payors journey into global alliances in non-U.S. countries, there
will be many unanswered legal questions. The legal uncertainty ranges from a variety of multidisciplinary issues from jurisdictional to public policy concerns.
25.3.1

Jurisdiction

As discussed above in the patient context, the classic hurdle is where controversies
involving the medical tourism plaintiff will be litigated. While most states have a long-arm statute that may
be applicable (depending on whether there are sufficient contacts with the forum jurisdiction), legal
counsel for a U.S.-based provider that has foreign operations should be prepared to do an analysis of
how to keep the plaintiff litigant in a jurisdiction more favorable to the patient, physician, provider, or
payor client.
There are three main lines of defense for a defendant seeking to defeat a plaintiff's attempt to
bring suit in a U.S. forum: personal jurisdiction, forum non conveniens, and forum selection clauses
in a contract.
From the point of view of a physician, provider, or payor, it is important to note that avoiding specific personal jurisdiction may be complicated by communications between the foreign medical service
provider and the patient, the patient's domestic medical team, and any medical travel broker that may
facilitate travel arrangements and records transfer. Physicians, providers, and payors may find their
websites scrutinized to determine whether the foreign medical services are linked to solicitations in the
United States. At a minimum, the foreign-based provider must have some initial or minimal contacts
with the U.S. to inform the patient of its services. The courts have devised a sliding scale approach to
determine the degree to which a foreign medical services website will establish minimum contacts.85
For example, a court will look to the presence of a website, an email link, the exchange of information
over the website, toll-free phone numbers and advertising materials to determine whether the website's
conduct was such that it would reasonably anticipate being hauled into [a U.S.] court.86
The doctrine of forum non conveniens provides another powerful vehicle for avoiding litigation in
the United States depending upon, of course, whose interests are being represented. A court considering a forum non conveniens argument engages in a balancing of public and private interests, which
usually includes where it will be more convenient to litigate the particular matter. For instance, most
of the fact witnesses and evidence will be located abroad and attempts to bring key parties, witnesses,
and evidence to the United States may be cost prohibitive. Forum non conveniens is very fact intensive
and courts may be reluctant to litigate a case where there is little if any connection to the plaintiff's
home forum.
85 Hersey Co. v. Pagosa Candy Co., 2008 WL 1730538 at *4 (M.D.Pa.).
86 Good v. Fuji Fire & Marine Ins. Co., Ltd., 2008 WL 822453 at *3 (C.A.10(N.M.)).
Finally, courts will uphold forum selection clauses in contracts as long as the clauses are reasonable
and the negotiations were fairly entered into. For example, contracts between physicians, providers,
and payors will be analyzed for location of parties and witnesses, choice of law, and provisions that
the patient is a third-party beneficiary. Forum selection clauses should, therefore, be drafted to cover
both contract disputes and torts arising out of the subject matter of the contract. Adding a well-drafted
forum selection (and choice of law) clause to a contract is a good way for hospitals and physicians to
control where future litigation may take place.
25.3.2

Business Issues

Legal counsel should carefully review the business operations of the foreign investment company
or healthcare system. A close review of issues of control, bylaws, and articles of incorporation may
ultimately impact liability. Payors and employers should be advised of the risks that may arise as they
explore opportunities to reduce costs by using foreign healthcare providers for their health benefit
plans.
25.3.3

AMA Guidelines

Legal counsel should also be knowledgeable regarding the new AMA Guidelines on Medical
Tourism pertaining to patient care, after care, Health Insurance Portability and Accountability Act
(HIPAA), and legal liability issues. The guidelines provide that:
a. Medical care outside of the U.S. must be voluntary.
b. Financial incentives to travel outside the U.S. for medical care should not inappropriately
limit the diagnostic and therapeutic alternatives that are offered to patients, or restrict treatment or referral options.
c. Patients should only be referred for medical care to institutions that have been accredited by
recognized international accrediting bodies (e.g., the Joint Commission International or the
International Society for Quality in Health Care).
d. Prior to travel, local follow-up care should be coordinated and financing should be arranged
to ensure continuity of care when patients return from medical care outside the U.S.
e. Coverage for travel outside the U.S. for medical care must include the costs of necessary
follow-up care upon return to the U.S.
f. Patients should be informed of their rights and legal recourse prior to agreeing to travel outside the U.S. for medical care.
g. Access to physician licensing and outcome data, as well as facility accreditation and outcomes data, should be arranged for patients seeking medical care outside the U.S.
h. The transfer of patient medical records to and from facilities outside the U.S. should be consistent with HIPAA guidelines.
i. Patients choosing to travel outside the U.S. for medical care should be provided with information about the potential risks of combining surgical procedures with long flights and vacation
activities.

25.3.4

Patient Transfer and Continuity of Care

Given the additional entities sometimes involved in treating medical tourists, proper communication between the overseas provider and the patient's domestic medical team regarding medical records
and coordination of pre- and post-procedure treatment is essential to establish an appropriate standard
of care (an ultimate liability issue in any suit based on a poor medical outcome).
25.3.5

Professional Liability Claims

Claims of professional negligence or malpractice will likely be based on the laws of the country in
which the medical treatment took place. Misrepresentation of the credentials of the treating physician
or facility may also be alleged. In addition, hospitals may also be subject to vicarious liability, all
depending upon the laws of the country in which the client is doing business.
25.4

Commentary

It is clear that medical tourism brings with it some new and interesting enterprise risk
issues for the hospital that chooses to expand its operations into foreign territories. (Note,
however, that religious organizations have for centuries been providing healthcare as part of
their foreign ministries.) Such issues include appropriate insurance coverage for all operations and physical structures (See Chapter 3 for review of various coverages), implementing
appropriate clinical policies and procedures, employee safety training, etc.

In addition, as an employer, a hospital may find itself handling interesting employee relations
issues should an employee decide to become a medical tourist when the employer's plan does
not cover specific medical treatment.

25.5

Conclusions

25.5.1

From the Patient's Perspective

This chapter has taken medical tourism on quite a ride. There are those medical tourists who
choose to travel to foreign countries for their medical care because they are underinsured or uninsured; they may require a procedure that is either experimental or is considered illegal in their native
country. In addition, employers, employees, and insurance companies are beginning to recognize the
economic value in obtaining safe quality healthcare in foreign countries at substantial savings. As
an additional incentive, insurance companies, like AOS Assurance Co., a Barbados-based insurance
company, are providing insurance for those medical travelers who may become victims of medical
professional liability abroad.87 The insurance product, Patient Medical Malpractice Insurance (PMMI),
handles medical negligence claims in accordance with the patient's own home country standards, and
claims are paid in U.S. currency. No lawyers or lawsuits are involved, and claims are simply settled
in an environment that is 80 percent faster than the traditional litigation environment.88 The insurance, however, only covers those foreign hospitals that are accredited by JCI and have physicians who
are U.S. board certified, or similarly certified abroad.89 As more employers pursue insurance options,
knowing that quality care will be provided abroad and financial reparation will be available without
the need for protracted litigation, the course of medical tourism will take an even more dramatic
upswing.
As mentioned above, the AMA recognizes that patients, who are unable to obtain affordable insurance and healthcare in the United States, are traveling abroad for their health and that patients need to
be vigilant in researching and obtaining quality foreign medical care. Finally, until the United States
effectively and successfully addresses healthcare reform issues and can provide healthcare for the
uninsured, medical tourism will continue to evolve and thrive.
25.5.2

From the Healthcare Provider's Perspective

The new concept of medical tourism will force all players in the healthcare spectrum to rethink
and to review all aspects of the healthcare industry. Clearly, medical tourism has opened the door
for many new business opportunities and for those with entrepreneurial spirits, but these opportunities come with a new set of unfamiliar risks. Similarly, as medical tourism globalizes there will be a
tremendous potential benefit to patients, physicians, providers, and payors. The next few years will
be a very exciting time as both sides of the spectrum mesh and provide the type of quality healthcare
required by all patients.

87 Insurer Covers Malpractice in Overseas Care, Workforce Management, Sept. 28, 2007, http://www.workforce.com/section/00/article/25/13/99_printer.html (Last visited June 15, 2008).
88 Id.
89 Id.

26
Retail Health Clinics
Jeffery Layne
Christopher N. Kanagawa
India K. Brim1
Fulbright & Jaworski L.L.P.
26.1

Introduction

Gone are the days when the only options available to a person with a runny nose or a child in need
of a vaccination for school were the emergency room or a primary care physician, options that can be
inconvenient to most work schedules. Over the past few years, this country has seen an explosion of
retail health clinics (RHCs) popping up not only in national drug stores and big box retail stores, but
also regional grocery chains. As of February 2009, more than 1,100 of these clinics had been opened
in 37 states across the U.S.2
The RHC concept provides customers with access to healthcare in convenient locations during
expanded hours, including evenings and weekends. RHCs offer a limited menu of medical services
that are often administered by a nonphysician, typically a nurse practitioner or physician assistant
under the indirect supervision of a physician. Appointments are generally not required, and customers can shop for groceries or household items in the host store while waiting for an exam. Services
provided in RHCs range from basic health screenings, such as diabetes and high blood pressure, to the
treatment of simple health conditions, such as ear and sinus infections, and the provision of flu and
other common vaccinations.3 All services are charged at a flat rate displayed in the clinic. Prices are
generally well under $100, with many services ranging between $45 and $75.4
Most RHCs now accept commercial insurance. Some of the major insurance companies such as
Cigna, United HealthCare, Humana, Aetna, and select Blue Cross Blue Shield plans have contracted
with RHCs to pay these clinics significantly less than they would pay a primary care physician for the
same service.5 Some insurance plans also offer discounts, such as waiver of co-payments, to patients
who visit RHCs in lieu of their regular physician.6 However, despite the numerous incentives provided
by commercial insurers, approximately one in five individuals who visit RHCs still opt to pay cash for
their services.7
1 The authors would like to thank Summer Associates Lauren Battaglia and Tracy Stewart for their assistance in drafting this chapter.
2 Andrew Thangasamy and Richard Cauchi, Retail Health Clinics: State Legislation and Laws, National Conference of State Legislatures, February 18, 200, http://www.ncsl.org/programs/health/retailclinics.htm.
3 American Medical Association, Report 7 of the Council on Medical Service: Store-Based Health Clinics, 1 (2006), available at http://www.ama-assn.org/ama1/pub/upload/mm/471/cms7A06.doc.
4 Julie Schmit, Could Walk-In Retail Clinics Help Slow Rising Health Costs?, U.S.A. Today, Aug. 28, 2006, available at http://www.usatoday.com/money/industries/health/2006-08-24-walk-in-clinic-usat_x.htm.
With such rapid expansion and numerous companies eager to jump on the bandwagon, many
are surprised to learn that the RHC business model is still highly experimental and often difficult to
implement. Because RHCs are such a new phenomenon, most of the well understood risks unique to
this model relate to regulatory and legal issues as opposed to purely clinical risks. Moreover, these
clinics are expensive and complex to start up and operate, and those in the RHC industry have stated
that it can often take up to two years for these clinics to become profitable enough to recover start-up
costs.8
Although the popularity of RHCs continues to grow among consumers as well as investors, there
is also intensifying opposition to these clinics from within the medical community. Although nonphysician practitioners in RHCs provide services under the indirect supervision of a physician, many
of the physician groups have spoken out against the spread of RHCs. These groups contend that there
is too little oversight of these clinics and that RHCs have the potential to result in lower overall quality
healthcare services being provided to the communities in which they are located.9 They also argue that
RHCs are not designed to provide preventative healthcare and are not equipped to develop long-term
relationships with patients. Without previous knowledge of the patient's medical history, opponents
argue that nurse practitioners providing services in RHCs are more likely to overlook or ineffectively
treat severe or long-term illnesses.10 Such situations obviously pose significant professional liability
exposures.
RHC proponents, however, contend that retail clinics might be a step in the right direction in
developing a more effective and efficient healthcare system in the United States. They argue that transparent pricing increases the likelihood that consumer-patients will make more efficient purchasing
choices.11 Furthermore, proponents add that many of the services offered by RHCs are those that are
not required to be exclusively performed by primary care or emergency room physicians, and instead
may be provided in a more cost-effective way by non-physician professionals in an RHC setting.12
5 American Medical Association, supra note 2, at 3; Families USA, Retail Medical Clinics: Okay in a Pinch, but No Substitute for Real Health coverage, 3 (2007), available at http://www.familiesusa.org/assets/pdfs/retail-medical-clinics.pdf.
6 Families at 3.
7 Freudenheim, supra, note 1.
8 Jacob Goldstein, Retail Clinic Closures Not Unlike the Dot Com Bubble, Wall Street Journal, May 7, 2008, http://blogs.wsj.com/health/2008/05/07/retail-clinic-closures-not-unlike-the-dot-com-bubble/. See also California Healthline, Operators of Retail Health Clinics Scaling Back Operations, California Healthcare Foundation, http:www.californiahealthline.org/articles/2008/5/7/Operators-of-Retail-Health-Clinics-Scaling-Back-Operations.aspx?topicID=37.
9 Rahul K. Parikh, M.D., Wal-Mart Can Be Good for Your Health, Salon, Feb. 19, 2008, http:www.salon.com/mwt/feature/2008/02/19/retail_health_clinics/print.html.
10 Vital Signs, the Member Publication of the Massachusetts Medical Society, MMS Concerns About Retail Health Clinics, http://www.massmed.org/Content/NavigationMenu3/BackIssues/2007/JuneNuly2007/TopStories/deafult.htm; see also Families, supra, note 4 at 4.
11 William M. Sage, Might the Fact that 90% of Americans Live Within 15 Miles of a Wal-Mart Help Achieve Universal Healthcare?, 55 U. Kan. L. Rev. 1233, 1237 (2007).
12 Id. at 1239-1240; see also Parikh, supra, note 7.
In addition, concerns about access to healthcare are likely to be eased since RHCs are well-suited to
function in traditionally underserved areas, such as rural areas and poor, urban communities.13 The
combination of increased convenience, broader patient access, and lower costs have increased the
popularity of RHCs, because individuals no longer have to take time away from the workplace in order
to receive basic medical services or treatment for minor illnesses and other common conditions.
26.2

Retail Health Clinic Structures

To be able to analyze the federal and state laws governing RHCs and minimize the risks associated with establishing and operating an RHC, it is of paramount importance to understand how such
clinics are (or should be) structured. In general, the structure of a clinic will depend on whether the
state in which the clinic is operated maintains a prohibition against the corporate practice of medicine.
The corporate practice of medicine doctrine prohibits corporations and other business entities from
engaging in the practice of medicine. In its basic terms, this doctrine prohibits the employment of doctors by unlicensed individuals or by corporations that are not formed and owned by doctors.14 Many
states have some variation of this rule, while many states do not prohibit the practice at all. As will
be discussed in more detail in this article, nurse practitioners providing services in RHCs generally
require physician oversight or collaboration to some degree. As such, the corporate practice of medicine doctrine may easily be implicated.
Two states that have strict prohibitions against the corporate practice of medicine are Texas and
California. In Texas, arrangements in which a general business corporation employs physicians to
provide medical services to the clients of the corporation have been held to constitute the unlawful
practice of medicine by a corporation and a violation by the physician of the prohibition on aiding and
abetting the practice of medicine by a nonlicensed corporation.15 In addition, physicians are prohibited
from entering into partnerships, employee relationships, fee-splitting, or other situations with nonphysicians where the physician's practice of medicine is in any way controlled or directed by, or fees
shared with a non-physician.16 However, physicians and for-profit companies are permitted to enter
into independent contractor arrangements without violating the doctrine.17 In California, unlicensed
persons, including general business corporations, are prohibited from practicing or holding themselves
out as practicing medicine.18 The Medical Board of California notes that this policy is intended to prevent unlicensed persons from interfering with or influencing the physician's professional judgment.19

13 Id. at 1242.
14 George F. Indest, III & Barbara A. Egolf, Is Medicine Headed for an Assembly Line? Exploring the Doctrine of the Unauthorized Corporate Practice of Medicine, 6 Bus. L. Today 32, 33-34 (1997).
15 Gupta v. Eastern Idaho Tumor Institute, Inc., 140 S.W.3d 747, 752 (2004) (Under the Medical Practice Act, when a corporation comprised of lay persons employs licensed physicians to treat patients and the corporation receives the fee, the corporation is unlawfully engaged in the corporate practice of medicine) (citing Flynn Bros., Inc. v. First Med. Assocs., 715 S.W.2d 782, 785 (Tex. App.-Dallas 1986, writ ref'd n.r.e.)).
16 Texas Medical Board, Corporate Practice of Medicine, http://www.tmb.state.tx.us/professionals/physicians/licensed/cpq.php (last visited June 13, 2008) (citing Tex. Occ. Code Ann. § 164.052(13), (17)).
17 Id.
18 Cal. Bus & Prof. Code § 2052. See also Cal. Bus & Prof. Code § 2400 (Corporations and other artificial entities shall have no professional rights, privileges, or powers).
19 Medical Board of California, Corporate Practice of Medicine, http://www.medbd.ca.gov/licensee/corporate_practice.html.
Because the parameters of the corporate practice of medicine prohibition vary widely from state
to state, careful consideration must be given when establishing the structure of an RHC. Traditionally, RHCs are structured as a clinic model or as a professional entity model, both of which are
discussed in more detail below.
26.2.1

The Clinic Model

Under the Clinic Model, a for-profit company directly operates the RHC through a non-professional entity, such as a general business corporation or a limited liability company (the Clinic). This
model is generally limited to states that do not maintain a corporate practice of medicine prohibition.
Under the model, the Clinic employs (or otherwise contracts with) all of the clinic staff, including the
nurse practitioners who see and treat patients. In order to obtain the requisite physician supervision,
the Clinic either employs a physician to provide oversight for the nurse practitioners or enters into an
independent contractor agreement with a physician or physician group to provide such oversight.20
Finally, the Clinic directly bills patients and third party payors for the healthcare services provided by
the nurse practitioners in the RHC.
In general, the Clinic Model is preferable from the perspective of the for-profit company that
establishes the RHC because, among other things, the company directly receives the revenue from the
healthcare services provided at the RHC.
26.2.2 The Professional Entity Model

Under the Professional Entity Model, the RHC is operated through a friendly physician owned
professional entity (the Professional Entity). This model is typically used in corporate practice states.
Under this model, the Professional Entity employs (or otherwise contracts with) all of the clinic staff,
including the nurse practitioners who see and treat patients. In order to obtain the requisite physician
supervision, the Professional Entity either employs a physician to provide oversight for the nurse
practitioners or enters into an independent contractor agreement with a physician or physician group
to provide such oversight. The for-profit company enters into a contract with the Professional Entity
to provide a wide range of practice management services, such as billing and collection services and
other administrative services.21 In order to retain some control over the operations of the RHC, the for-profit company will typically enter into one or more agreements with the friendly physician owner
of the Professional Entity. Under the Professional Entity Model, the Professional Entity bills patients
and third-party payors for the healthcare services provided by the nurse practitioners in the RHC.
26.3 Enterprise Risk Management Considerations

Generally, the key players involved in the development and operation of an RHC are governed by different regulatory schemes. Often the risks associated with the development and operation of an RHC will vary depending upon the role of each player involved. The following section discusses the risks associated with: (1) the for-profit company that establishes the clinic;22 (2) the physician that owns the Professional Entity and/or supervises the nurse practitioners and physician assistants; (3) the nurse practitioners and physician assistants; and (4) the retail or host store in which the RHC is located.
20 For a discussion of required physician oversight, see Section 26.3.3.1 infra.
21 As discussed in more detail in Section 26.3.1.2 infra, the for-profit management company needs to fully understand its role as a management services company versus acting as a true provider of healthcare services.

26.3.1 For-Profit Company (Retail Health Clinic Company)

The companies that seek to establish a chain of RHCs face the greatest potential risk that often
accompanies the operation of these clinics. As noted previously, the RHC business model has yet to be
perfected, typically involving high start-up and operational costs and a complex organizational structure. There have been numerous highly-publicized business failures in the RHC industry as a result of
these factors and other related market conditions.
26.3.1.1 Political Climate

For-profit companies that establish RHCs may likely face numerous challenges in the years to
come as more pressure is placed on state legislators to enact regulations to restrict the operation of
such clinics. State regulations of RHCs are likely to become more stringent as primary care physicians
continue losing money because their patients have opted to be treated for common ailments by a nurse
practitioner at a local RHC. Many states, such as Illinois, have already proposed various restrictions on
RHCs, including limiting the type of stores in which these clinics may be located,23 imposing greater
reporting and communication obligations, adopting stringent physician supervision and collaboration
requirements and prescribing more limitations on the practice authority of nurse practitioners.
On the other hand, a recent letter issued by the Federal Trade Commission (FTC) regarding an
RHC bill recently introduced in the Illinois State Legislature suggests that the proposed legislation
and the regulations mentioned above may go too far in imposing potentially burdensome restrictions
on RHCs.24 Of particular interest to the FTC was the fact that the proposed legislation may restrict
competition among RHCs if the statute is interpreted to exempt physician and hospital-owned clinics
from the burdensome requirements imposed on other operations.25 The FTC also questioned the rationale for prohibiting RHCs from being located in retail stores that sell alcohol or tobacco.26 The FTC
noted that, as written and depending on how the statute was interpreted, the proposed legislation may
be unduly burdensome and potentially harmful to competition.27
As illustrated above, the political environment in which RHCs exist is quite uncertain as states begin to impose more stringent operational requirements for these clinics. Due to the various mechanics that govern RHCs at the state level, it is imperative that the political climate in each state in which a for-profit entity wishes to establish an RHC be thoroughly and carefully examined.
22 For purposes of this article, we will focus on a national or regional for-profit company that operates RHCs in multiple states.
23 A bill recently introduced in the Illinois state legislature contains a provision which would prohibit RHCs from being located in retail stores which sell tobacco or alcohol. Illinois House Bill 5372.
24 Letter from Maureen K. Ohlhausen, Director, Office of Policy Planning, Federal Trade Commission to the Hon. Elaine Nekritz (May 29, 2008) (avail. online at http://www.ftc.gov/os/2008/06/V0800113letter.pdf) (regarding Illinois House Bill 5372, 95th General Assembly 2007-08).
25 Id. at 5.
26 Id. at 10.
27 Id. at 58.

26.3.1.2 Companies that Operate in Multiple States

A for-profit company that wishes to establish RHCs in multiple states must understand the parameters of each state's corporate practice of medicine prohibition while structuring its operations. For
example, it is likely that the for-profit company will directly establish its RHCs in non-corporate practice states utilizing the Clinic Model. Alternatively, in corporate practice states, it will likely establish
RHCs utilizing the Professional Entity Model. The for-profit company needs to take care in understanding its role in each state. For example, when RHCs are operated under the Clinic Model, the
for-profit company will, through its nurse practitioners, be the treating provider. However, when the
RHCs are operated under the Professional Entity Model, the for-profit company will only act as a practice management company that provides services to the Professional Entity who will be the treating
provider. Failure of a company to fully understand this distinction and implement appropriate policies
can raise the level of risk to all of the key players involved in the operation of the RHC.
It is also important that a company operating in multiple states establish a corporate structure that will help minimize its risks. One method a company can employ to minimize its risks is to establish a separate legal entity for each state, thereby limiting the exposure of its operations in one state to liability arising from its operations in another state. However, to fully benefit from such a corporate structure (and thereby reduce its risks), the company will need to strictly adhere to corporate formalities with respect to its various subsidiaries.
26.3.1.3 Federal and State Anti-Kickback Statutes

Federal and state anti-kickback laws must be considered when establishing an RHC. In general,
these statutes, which are very broad, are designed to prohibit arrangements in which healthcare providers are incentivized to make recommendations or referrals based on economic considerations. For
example, the federal Anti-Kickback Statute (the AKS) imposes criminal liability on any individual
who knowingly solicits or receives any remuneration, directly or indirectly, in return for recommending or referring an individual for the furnishing of goods, items or services for which payment may
be made in whole or in part by a federal healthcare program, including Medicare and State Medicaid
programs.28 Most states have similar anti-kickback prohibitions, although many are broader in that
they apply to all healthcare services, not just those paid for by federal healthcare programs.
One of the primary risks associated with the federal AKS and state anti-kickback statutes to the for-profit company (as well as the retail host store) results from the lease arrangement between the for-profit company and the host store. This is particularly true if the retail host store operates a pharmacy where the nurse practitioner can refer RHC patients or otherwise recommend that RHC patients have their prescriptions filled at the host store's pharmacy. Specifically, any acceptance on the part of the host store of reduced rent or rent below fair market value could be viewed by state and federal authorities as illegal remuneration in exchange for the referrals or recommendations to the host store's pharmacy. To minimize these risks, the rent should be set at an amount commensurate with fair market value and should not vary based on whether RHC patients actually use the host store's pharmacy. Furthermore, patients of the RHC should be informed that they are free to have their prescriptions filled from a pharmacy other than one operated by the host store.
28 42 U.S.C. § 1320a-7b.
Another significant arrangement that has potential anti-kickback implications is the arrangement between the supervising physician and the RHC, given the fact that the RHC nurse practitioner
and physician have the ability to refer patients to each other. Therefore, to minimize the anti-kickback
risks, any payment made by an RHC to a supervising physician or physician group should be commensurate with fair market value.
An additional anti-kickback risk arises from the Professional Entity Model. As discussed above,
the for-profit company typically provides management services to the professional entity. These management services often include marketing services for the professional entity as well as negotiating
and overseeing agreements between third party payors and the professional entity. As a result of these
activities, an argument can be made that the management company is essentially recommending the
healthcare services provided by the professional entity. The Office of the Inspector General (OIG) has
expressed particular concern regarding these types of management arrangements when the management company is compensated based on a percentage of the professional entity's net revenue of the
practice.29 Specifically, the OIG noted that such payment methodology may include financial incentives to increase patient referrals and increase the risk of abusive billing practices. While the risks
associated with this type of arrangement can be greatly minimized by ensuring that the compensation in each arrangement is consistent with fair market value, establishing the fair market value
amount may be difficult. In this context, the for-profit company and the professional entity would be
well advised to work with an independent valuation consultant and legal counsel in establishing a
management services fee.
In addition to the foregoing, RHCs can face anti-kickback risk in their dealings with pharmaceutical companies. Many pharmaceutical companies are looking for opportunities to promote their
products through joint initiatives with RHCs, such as sponsoring blood pressure or other health screening events. Because RHCs are often mere feet away from the pharmacy, pharmaceutical companies are
interested in capturing the attention of RHC patients, who may be more likely to purchase medications
or have prescriptions filled. While sponsorship arrangements may be permissible in certain circumstances, the RHC must be careful that it does not cross the line into actually promoting the sponsor's
products, as recommending or promoting pharmaceuticals paid for by Medicare could directly implicate the AKS. Further, if a practitioner in an RHC prescribes a drug manufactured by a sponsoring
company, and the patient experiences an adverse event, the RHC could be vulnerable to a liability
claim in which the patient argues that the practitioner's medical judgment was improperly influenced
by the sponsorship.

29 OIG Adv. Op. 98-4 (April 15, 1998).

26.3.1.4. HIPAA Compliance
Most patient medical information is protected by various federal and state privacy regulations
and security safeguards. Subtitle F of the Health Insurance Portability and Accountability Act of 1996
(HIPAA) requires the Secretary of the U.S. Department of Health and Human Services to issue standards
and requirements for the electronic transmission of certain health information (HIPAA Standards).30
The HIPAA Standards include, among other things, standards for the privacy and security of health
information (collectively, the HIPAA Privacy and Security Standards). Such standards apply to covered entities which include health plans, healthcare clearinghouses, and healthcare providers who
transmit health information in electronic form in connection with a HIPAA transaction (e.g., healthcare claims, etc.).31 In general, the Privacy Standards (i) provide minimum federal standards relating to
the use and disclosure of protected health information, (ii) describe the administrative requirements a
covered entity must implement relating to the privacy of protected health information (e.g., workforce
training, etc.), and (iii) establish certain rights patients have with respect to their health information
(e.g., right to access, right to request amendments, etc.). Alternatively, the Security Standards outline
the security requirements that must be developed and maintained by covered entities, including certain
administrative procedures, physical safeguards, and technical security services/mechanisms related to
electronic medical records.
As healthcare providers, most RHCs easily fall under the definition of a covered entity, and
therefore, must comply with the HIPAA Privacy and Security Standards. Given the complexity of
the various relationships, compliance with the HIPAA Privacy and Security Standards can prove to
be difficult for all of the parties involved. However, the Privacy Standards provide a mechanism for
reducing the administrative burdens associated with compliance by permitting multiple covered entities to designate themselves as a single covered entity for purposes of compliance. In order to do so,
the multiple covered entities can claim Affiliated Covered Entity (ACE) status.32 Such designation,
which must be documented, would likely be beneficial for a for-profit company that operates RHCs
through various wholly owned subsidiaries utilizing the Clinic Model.33 The participating RHC entities would likely be able to share information in a way that would otherwise be impermissible under
the Privacy Standards. However, each RHC would still be separately subject to liability for enforcement actions and need to provide appropriate privacy notices to patients.34
On the other hand, if RHCs are operated through both the Clinic Model as well as the Professional
Entity Model, all of the covered entities may not meet the common ownership or control requirement necessary to claim ACE status. For example, in some corporate practice states, a professional
entity may need to operate the RHC with the for-profit company acting only as a management company. In such case, it is doubtful that the for-profit management company would retain the requisite control over the professional entity such that the two could claim ACE status. Rather, the for-profit management company will likely be a business associate in connection with its provision of management services to the professional entity.
In any event, the HIPAA policies will need to be tailored based on the operations and structure of the particular entities involved.
30 Health Insurance Portability and Accountability Act of 1996, Subtitle F; 45 CFR 160-164.
31 45 CFR § 160.104.
32 Under the HIPAA Privacy Standards, legally separate covered entities that are under common ownership or control may claim ACE Status. 45 CFR § 164.105(b). Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity. 45 CFR § 164.103. Furthermore, common ownership exists if an entity or entities possess an ownership or equity interest of 5% or more in another entity.
33 45 CFR § 164.105(b).
34 Id.
26.3.2 Retail Host Store

The host store typically receives several benefits from the presence of an RHC including potential
referrals from the RHC to the retail store's pharmacy and rent payments for the lease of clinic space
within the store. Nonetheless, these benefits also give rise to potential liability for the host store.
26.3.2.1 Anti-Kickback Statutes
As discussed above, the relationship between the host store and the RHC may potentially implicate the federal and state anti-kickback statutes if there is a potential for referrals from the RHC to the
host store's pharmacy, particularly if the RHC's rent payments are not set at fair market value. Additionally, if the rental charges are determined in a manner that takes into account the volume or value
of referrals or other business generated between the RHC and the host store, this may also implicate
the federal AKS and/or a state anti-kickback statute. Any indirect profit sharing agreements or other
arrangements between the RHC and the retail host store may also have significant anti-kickback or
fraud and abuse implications. In order to minimize the risk of a potential anti-kickback violation, the
rental charges should be set in advance, at fair market value and be commercially reasonable.
26.3.2.2 HIPAA Compliance
It is important to note that the host store may also have HIPAA obligations if it operates an RHC.
In such case, it may elect a written designation of its business activities that specifically involve
healthcare operations in order to comply with the HIPAA Privacy Standards.35 In basic terms, the retail
store must segregate its covered health records from other business records related to non-healthcare
functions.36 The costs of HIPAA compliance are often significant; however, if the retail store operating
an RHC fails to designate its healthcare components, the store may easily find itself subject to penalties for violating the HIPAA Privacy Standards.
26.3.3 Physicians

26.3.3.1 Supervising Physicians

Physicians engaged in supervisory roles within RHCs face numerous potential risks while providing medical services to these clinics. In many states, RHCs must employ or otherwise contract with a licensed physician to provide medical oversight for the nurse practitioners treating patients within the RHC. As discussed above, many states have enacted strict regulations imposing requirements on physicians engaged in such roles. Currently, approximately 28 states require some form of physician involvement in the RHCs ranging from actual physical presence in the clinic to phone or email availability or written medical protocols.37
35 45 CFR § 164.105(a).
36 Id.
Texas and California are two states that have adopted stringent regulations governing the physician supervision over nurse practitioners. In Texas, a physician may delegate the authority to prescribe
certain drugs to advanced practice nurses and physician assistants located at sites outside of the primary
physician's practice location.38 However, the physician is prohibited from supervising professionals
practicing at sites located more than sixty miles away from the primary physician's practice.39 In addition, the Texas Code requires the supervising physician to be on-site at least 20% of the time and to review
a minimum of 10% of the medical charts at the off-site location.40 The physician must be available
for consultation or assistance at all times and the number of advanced practice nurses and physician
assistants that the physician may supervise is limited to three.41
In California, a physician may supervise up to four nurse practitioners42 and four physician assistants at a time.43 With respect to the nurse practitioners, the supervising physician must be available
at all times either in person or via telephone.44 In addition, the physician must supervise physician
assistants by one of the following methods: (1) the physician must examine the patient treated by the
physician assistant the same day that the care is given;45 (2) the physician must review, sign, and date
the medical record of every patient treated by the physician assistant within 30 days of the treatment;46
(3) the physician must adopt written protocols to guide the actions of the physician assistant, and
review, sign, and date a minimum of 5% of the records within 38 days of the treatment;47 or (4) in special circumstances, the physician may provide supervision through additional methods at the approval
of the Physician Assistant Committee.48
Prior to entering into any type of collaborative practice agreement, a physician should also be sure to understand any state laws that may address their liability exposure associated with supervising nurse practitioners and/or physician assistants. For example, in Texas, a delegating physician remains responsible for the medical acts of the person performing the delegated medical acts.49 However, unless the physician has reason to believe the physician assistant or advanced practice nurse lacked the competency to perform the act, a physician is not liable for an act of a physician assistant or advanced practice nurse solely because the physician signed a standing medical order, a standing delegation order, or another order or protocol authorizing the physician assistant or advanced practice nurse to administer, provide, carry out, or sign a prescription drug order.50 In addition, a supervising physician retains legal responsibility for a physician assistant's patient care activities, including the provision of care and treatment to a patient in a healthcare facility.51
37 California HealthCare Foundation, Health Care in the Express Lane: Retail Clinics Go Mainstream, 22 (2007) (hereinafter Retail Clinics Go Mainstream), available at http://www.chcf.org/documents/policy/HealthCareInTheExpressLaneRetailClinics2007.pdf.
38 Tex. Occ. Code Ann. § 157.0541.
39 Id.
40 Id.
41 Id.
42 Cal. Bus & Prof. Code § 2836.1(e).
43 Cal. Bus & Prof. Code at § 3516(b).
44 Cal. Bus & Prof. Code at § 2836.1(d), Cal. Code Regs. tit. 16, § 1399.545(a) (for physician assistants, the physician must be available in person or by electronic communication).
45 Cal. Code Regs. tit. 16, § 1399.545(e)(1).
46 Cal. Code Regs. tit. at § 1399.545(e)(2).
47 Cal. Code Regs. tit. at § 1399.545(e)(3).
48 Cal. Code Regs. tit. at § 1399.545(e)(4).
49 Tex. Occ. Code Ann. § 157.001(b).
26.3.3.2 Fee-Splitting Prohibitions
Fee-splitting prohibitions raise additional concerns for physicians practicing in RHCs. Many state
Rules of Professional Conduct prohibit physicians from entering into agreements to split fees for
professional services with individuals who did not personally render the services, except in cases of
professional partnerships, corporations, or associations. Typically, these laws apply only to physicians
and are implicated when the Professional Entity Model is utilized. In this model, the professional
entity makes payments to the for-profit practice management company. Any payments made by the
professional entity to the management company in excess of fair market value may arguably be categorized as fee-splitting.
For example, Illinois, a corporate practice state, maintains a fee-splitting statute that prohibits the "[d]ividing with anyone other than physicians with whom the licensee practices any fee, commission, rebate or other form of compensation for any professional services not actually and personally rendered."52 A recent case reviewed an arrangement between a professional corporation of physicians and a medical billing company.53 Pursuant to their agreement, the billing company was to be compensated on a percentage basis of all reimbursements as well as all claims not originally processed by the company.54 Ultimately, the court held that the statute prohibits not only traditional fee-splitting (i.e., two providers sharing a patient's fee), but also any other fee-sharing arrangement where the fee to be paid to a non-physician is a percentage of the profits of the physician, or is otherwise linked to, or based on, the revenue of the physician.55
Not all states have enacted fee-splitting prohibitions; thus, the rules of the state in which the RHC
is located should be consulted before entering into any profit or fee-sharing arrangements.
26.3.3.3 Physician Self-Referral Prohibitions
The Stark Law is a federal civil law that prohibits a physician from referring a Medicare patient
to an entity for the furnishing of designated health services (DHS) if the physician (or one of his or
her immediate family members) has a financial relationship with the entity, unless the relationship
fits within an exception.56 The Stark Law also prohibits an entity that has provided DHS to an improperly referred patient from submitting a claim to Medicare for such DHS.57 Under the Stark Law, DHS includes various healthcare services including (1) clinical laboratory services, (2) physical therapy, occupational therapy, and speech-language pathology services, (3) radiology and certain other imaging services, (4) radiation therapy services and supplies, (5) durable medical equipment and supplies, (6) parenteral and enteral nutrients, equipment, and supplies, (7) prosthetics, orthotics, and prosthetic devices and supplies, (8) home health services, (9) outpatient prescription drugs, and (10) inpatient and outpatient hospital services.58 Furthermore, many states have similar counterparts that in some cases are broader than the federal Stark Law.
50 Tex. Occ. Code Ann. § 157.060.
51 Tex. Occ. Code Ann. § 204.207.
52 225 Ill. Comp. Stat. 60/22(A)(14).
53 Ctr. for Athletic Med. v. Indep. Med. Billers of Illinois, 383 Ill. App. 3d 104, 889 N.E. 2d 750 (Ill. App. Ct. 2008).
54 Id. at *1.
55 Id. at *6.
56 42 U.S.C. § 1395nn(a)(1)(A).
57 42 U.S.C. § 1395nn(a)(1)(B).
In the RHC context, the analysis with respect to the Stark Law and the various state counterparts
involves analyzing the compensation arrangement between the supervising physicians and the RHC.
In addition, if the Professional Entity Model is utilized, the ownership interest of the physician owner
could trigger a self-referral law prohibition. As the RHC business model becomes increasingly popular
in the medical industry, ownership in these clinics may prove to be extremely lucrative investments
for physicians. Nonetheless, physicians should fully understand the potential self-referral related risks
associated with these clinics.
26.3.3.4 Anti-Kickback Statutes
Two primary physician arrangements have potential anti-kickback implications: the
arrangement between the supervising physician and the RHC, and, in states in which the Professional
Entity Model is used, the arrangement between the professional entity and the for-profit management
company. These relationships are more fully discussed in Section 26.3.1.3 above and the analysis
described therein is similar from the perspective of the physician.
26.3.4 Nurse Practitioners

26.3.4.1 Authority of Nurse Practitioners

Nurse practitioners play a significant role in the daily operation of RHCs. Their presence is one of
the primary reasons why service costs in RHCs can be kept low, thus increasing the appeal of RHCs
to consumers and enhancing their profitability. However, the rules governing the practice of nurse
practitioners vary greatly by state. Many states have enacted regulations imposing limitations on nurse
practitioners' prescribing and referral authority as well as the necessary degree of physician oversight,
supervision, and collaboration required in their practice.
In Virginia, a nurse practitioner may engage in practices constituting the practice of medicine in
collaboration with and under the medical direction and supervision of a licensed physician.59 The
regulations define medical direction and supervision as the development of a written protocol and
guidelines for consultation, periodic review and collaboration, and the minimum availability of the
physician to collaborate with the nurse practitioner.60 However, the regulations do not specify the required minimum physician contact requirements or the need for a review by the supervising physician of the nurse practitioner's diagnoses.61
58 42 U.S.C. § 1395nn(h).
59 18 Va. Admin. Code § 90-30-120(A).
60 Id., at § 90-30-120(E).
Ultimately, nurse practitioners must understand the scope of their authority to provide medical
services and to limit their activities accordingly. They must only accept those assignments that are
commensurate with their own educational preparation, experience, and knowledge.62 In addition, nurse
practitioners should not directly or indirectly hold themselves out as licensed physicians or represent
that they are able to practice independently of a physician.63
26.3.4.2 Licensing Violations
Similar to circumstances facing physicians in this context, there is a risk that if the nurse practitioner exceeds the scope of his or her permitted practice within a jurisdiction, the nurse practitioner could
be subject to a licensing violation. The potential consequences of such a licensing violation include the
imposition of fines, suspension of the nurse practitioner's license, or in extreme cases, the revocation
of the nurse practitioner's license to practice advanced nursing.
26.3.4.3 Professional Liability Requirements
There are professional liability risks associated with the practice of medicine within an RHC.
Nurse practitioners are subject to professional liability in situations where a nurse practitioner fails
to refer a patient to a primary care physician or hospital for treatment when the illness or affliction
is beyond that which the clinic is equipped or designed to treat. Many RHCs minimize this risk by
designing and implementing highly regimented decision-making trees for the treatment of patients and
determining when a referral is appropriate or necessary. The nurse practitioner responsible for treating
the patient simply adheres to the RHC's established guidelines when treating or referring patients. For
example, at least one national RHC posts its referral policies on its website. For each service offered
at an RHC, there are established guidelines used to determine when a patient should be referred from
the RHC to a primary care physician.
By requiring nurse practitioners practicing in RHCs to rely on highly regimented, heavily guided
treatment and referral plans, the RHC is less reliant on the judgment of individual nurse practitioners,
therefore reducing the risk of error in judgment and liability for the RHC.
26.4 Commentary

The RHC business model generally is still highly experimental and difficult to implement.
Although the number of RHCs is growing rapidly, it is also important to remember that there
have been some large-scale RHC venture failures.64

61 Id., at 85-50-110(3).
62 Texas Board of Nursing, Guidelines for Determining APN Scope of Practice, available at http://www.bon.state.tx.us/practice/apn-scopeofpractice.html.
63 18 Va. Admin. Code 90-30-220.
64 According to a report posted on the Wall Street Journal website on May 7, 2008, in recent months 69 clinics in 15 states have shut down. See Goldstein, supra, note 8.


The structuring of an RHC entity, whether in the form of a single clinic or a large-scale,
multi-clinic venture, is largely dependent upon whether the state in which the clinics are to
be located has a corporate practice of medicine prohibition. Therefore, a careful examination
of state regulations and case law is required to minimize the risk of running into a corporate
practice of medicine issue.

Given the number of different players involved in the operation of an RHC, the risk factors
surrounding RHCs should be analyzed from various perspectives: from that of the supervising physician, nurse practitioner, retail host store, and the for-profit entity.

26.5 Conclusion

Making a special trip to a primary care physician for a flu vaccination or to receive antibiotics
for a sinus infection is now a thing of the past. The growing presence of RHCs makes receiving treatment for minor medical conditions as easy as stopping by the local grocery store or retail store on the
way home from work. RHCs have increased in popularity as consumers value their affordability and
convenience.
Despite their benefits, RHCs pose numerous legal and regulatory challenges, as many physicians
and other opponents challenge the quality of healthcare services provided at such clinics. As the RHC
industry continues to grow, many states will continue to enact strict regulations governing the establishment and operation of RHCs. The corporate practice of medicine statutes also serve as a deterrent
to companies looking to expand the range of retail clinics into new states. Although RHCs appear to
be a growing trend, it still remains to be seen whether these clinics will be a dominant force within
the healthcare industry. Without a doubt, this one-time treatment model is appealing to consumers in
providing quick, affordable medical services for busy individuals with minimal waiting time and no
appointments necessary.


Part VIII
Technology

27
Telemedicine and Enterprise Risk Management
Phyllis F. Granade, Esq.
Adorno & Yoss
27.1 Introduction
Telemedicine and telehealth can be defined as the use of telecommunications technology to
deliver healthcare services. The types of telecommunications technology used to deliver telemedicine
services may include, for example, dial-up, a dedicated T-1 connection, digital subscriber line (DSL),
virtual private network (VPN), wireless and Internet. Although the term "ehealth" is often used to
describe the use of the Internet to deliver health information and/or services, all three terms often are
used interchangeably.
For purposes of this chapter, "telemedicine" and "telehealth" will be used as synonyms to discuss
the use of telecommunications technology to deliver healthcare services (as opposed to delivering
only healthcare information, such as WebMD or similar websites might provide). More specifically,
this chapter will focus on the legal and enterprise risk management issues associated with healthcare
providers, hospitals, and health systems using telecommunications technology for the purpose of providing diagnostic and treatment services.
In the institutional healthcare environment, telemedicine often means the delivery of diagnostic
or treatment services using video cameras for real time or live transmissions; the transfer of still
images or taped video encounters, known as "store and forward" technology, that is most often used
for teleradiology encounters; and telemetry, which refers to the use of medical devices to transmit
vital signs and other patient information to distant monitoring healthcare providers. Video cameras
might be used in a hospital operating room to transmit real time images of a patient during surgery
to a distant specialist acting as a consultant during the surgery. Remote monitoring devices might be
used to record and forward the vital signs of an ICU patient to a distant on-call physician monitoring
the patient's case.



Trends found by the Agency for Healthcare Research and Quality (AHRQ) in its August 2008
report regarding telehealth projects funded by AHRQ1 pointed toward the following evidence of
improvements in patient outcomes and experiences using telemedicine:

One project demonstrated that remote pharmacy services provided to rural hospitals during
irregular hours (nights, weekends, and holidays) could more effectively detect and prevent
dangerous medication errors than traditional methods.

Another project demonstrated that remote pediatric care easily treated common childhood
illnesses from schools and child care centers, helping working parents who cannot leave their
jobs and saving money by reducing unnecessary visits to the emergency room.

Within ten years, many examples of cutting edge telehealth likely will no longer seem cutting
edge, and the use of certain telehealth technology may well represent the standard of care by that time.
In the meantime, facilities using telemedicine to deliver healthcare services should be prepared to
address the following risk management concerns.
27.2 Telemedicine Risk Management Summary
For purposes of this telemedicine section, we refer interchangeably to "healthcare provider,"
"provider" and "physician." The use of any of these terms, particularly "physician," should not be
interpreted to exclude any other types of providers from the risk management considerations outlined
herein.
27.2.1 Medical Professional Liability and Negligence

Medical professional liability issues and accompanying risk management considerations are
everyday concerns for providers. The traditional principles of medical professional liability risk
management include: (1) appropriate and timely documentation of patient encounters and strong
record-keeping practices; (2) excellent provider-patient rapport; (3) patient informed consent, including a full explanation of the risks, benefits, and possible alternatives to the proposed treatment or
procedure; (4) appropriate and timely referral of patients; (5) maintaining or exceeding the expected
standard of patient care, including staying current in the provider's specialty and participating in
appropriate continuing medical education; and (6) maintaining in good standing any necessary hospital privileges, state licensure and federal Drug Enforcement Administration numbers. These principles
are as important to providers practicing medicine via telecommunications as they are for providers
who never touch a computer or participate in video-conferencing. There are, however, certain risk
management strategies that are appropriate for providers participating in patient care via telecommunications. Providers providing telemedicine services should consider the risk management ideas set
forth in this section.

1 See AHRQ Publication No: 08-0045, August 2008, http://healthit.ahrq.gov/images/aug08telehealthdmbrief/telehealth.html.

27.2.2 Standard of Care: Unique Telehealth Considerations

A physician should know the ins and outs of operating the telemedicine equipment he or she
uses, and should recognize and report obvious malfunctions of the equipment. If a patient could incur
harm due to the failure of the equipment and interruption of the consult, the physician should know how
to respond in such an emergency, either by performing feasible equipment maintenance or continuing
the consult in another manner, such as over the phone. In non-urgent situations, the owner/operator of
the equipment (e.g., hospital or clinic) or the equipment vendor should be contacted to perform necessary maintenance as soon as possible. Also, non-physician personnel who use the equipment should
be trained in its proper use. Equipment, particularly software, should be updated periodically to ensure
the best results from telemedicine patient encounters.
A physician should use equipment appropriate for diagnosing and treating a patient's particular
ailment; for example, a dermatology consultation conducted via video-conferencing may require a
camera and monitor with higher resolution than what is needed for a psychiatric consultation. The
physician should recognize the limitations of the telecommunications medium being used; e-mail or
the telephone may not provide sufficient information for the physician to make an accurate diagnosis.
A provider's telehealth policies and procedures should speak specifically to training providers and
staff to: (a) understand the use of the equipment, including its limitations for diagnostic purposes,
(b) recognize problems with the equipment, (c) report equipment problems, and (d) know how to
respond to emergencies during patient encounters.
27.2.3 Documentation
It is important to properly document any patient encounter, but documentation of a telemedicine
encounter is particularly important to ensure that the participating providers have proof of the consult, diagnosis, prognosis, and recommendations for follow-up. Both the consulting and referring site
should create records of the telemedicine consult, or else work together to create a single document
that reflects the consult. Many providers have asked whether a video should be recorded of the consult. While it is not necessary to create a video record of the consult, if a provider captures the consult
on video or audio, the record will be subject to the laws that apply to such media in the healthcare
environment. Similar to electronic records, video and audio records would be subject to the laws of
e-discovery, state and federal record retention requirements, and the HIPAA privacy and security regulations, and these laws should be taken into consideration when a provider decides how it will retain
evidence of a telemedicine consultation. Whether paper or electronic records are maintained (or both),
uniformity, timeliness, and completeness are essential. Encryption and/or a secure dedicated telecommunications link should be used for the transfer of patient identifiable information.
27.2.4 Provider-Patient Relations in a Telemedicine Context
Strong physician-patient rapport reduces the likelihood of miscommunications between physician
and patient, and reduces the chance that a patient will sue a physician following a poor outcome. In
many cases, delivering care via telecommunication weakens physician-patient relationships since the
physician and patient may not see or even speak to one another (e.g., e-mail consultations). Video-conferencing may create a relationship in which the physician briefly appears to the patient for the
consultation, then disappears without establishing any meaningful personal link with the patient.
As part of the informed consent process, physicians should clearly delineate their responsibilities
to patients treated via telecommunications. For example, physicians providing telemedicine services
should: (1) clearly (and in plain language) define the scope and limitations of the services that can and
will be provided to the patient; (2) describe the risks and benefits of conducting a telecommunications
consultation; (3) obtain the consent (preferably written)2 of the patient for the services provided and
the risks, benefits, and limitations thereof; and (4) to the extent possible, disclaim responsibility for
patient harm that was not directly caused by the physician, or harm that resulted from the patient's failure to be completely honest with the physician (e.g., failure to provide complete medical or personal
information).
27.2.5 Provider Relations in Telehealth

Healthcare providers often do not place sufficient emphasis on the liability risks associated with
working with physicians and other healthcare providers. Regardless of the healthcare service provided,
physicians should ensure that agreements are in writing, and that each agreement fully describes the
duties, obligations, rights, and responsibilities of the parties. For example, a provider who contracts
with a teleradiologist for the provision of radiology services to his or her patients should be certain
to address the turnaround time for reports, and which party will be responsible for the provision of
equipment necessary to transfer images (and the type of equipment to be used, so as to ensure compatibility). Agreements should fully define the roles each provider (e.g., consulting versus referring) will
play during the term of the arrangement, and the responsibility for patient care (including appropriate
provisions regarding physician credentials and privileges in accordance with The Joint Commission or
other accrediting organization, insurance, record-keeping, billing, and indemnification). Last but not
least, all arrangements should comply with state and federal law, including the federal Anti-kickback
Statute and the Stark Act.
27.2.6 Insurance for Telemedicine Services

The importance of general and professional liability insurance for individuals and entities providing services to patients via telecommunications cannot be over-emphasized. Prior to delivering any
healthcare information or service via e-mail, the Internet, video-conferencing, or any other telecommunications medium, the provider should ascertain whether the provision of such information or service
is covered by the provider's current liability insurance policy. Any limitations on coverage should be
resolved with the insurance carrier, and any appropriate increases in coverage should be analyzed.
Importantly, some professional liability insurance carriers provide coverage only for certain states
or regions; in other words, a teleradiologist with coverage limited to the Northeast might be shocked to
learn that, despite holding a license to practice in a distant state, his or her professional liability coverage is not valid in that state due to restrictions in the policy. Just as importantly, professional liability
coverage typically does not provide coverage (or pay defense costs) for actions brought against a physician who does not hold a license to practice in the state where the action arose (i.e., where diagnosis/treatment was provided). Furthermore, any entity in the business of providing healthcare information
and services via telecommunications should carry general liability insurance and, if appropriate, professional liability insurance sufficient to address the potential risks associated with this new method of
delivering healthcare information and services.
2 California requires that oral and written consent to a video-conferencing consultation be obtained from a patient prior to the initiation of the consultation.
27.3 Telemedicine Equipment Risk Management Issues

In its August 2008 summary report, the AHRQ noted that some of the telehealth programs it has
funded experienced technical challenges with telemedicine equipment:

One project indicated that vendor-supplied home monitoring devices failed to work on a
regular basis. As a result of this failure, approximately one-third of the patients who were
enrolled in the study became frustrated with the devices and stopped using them.

Two projects reported that the video cameras they were using to transmit video and still
images did not provide adequate resolution to yield clear images of small pills and patient
wound areas.

Any provider using telemedicine equipment, and any hospital or clinic furnishing such equipment, may find themselves sued for the equipment's failure or malfunction if it causes harm to a
patient (e.g., resolution too poor to permit adequate diagnosis, or complete system failure during an
emergency consult). The AHRQ 2008 report also noted that its grantees stated that technical support
must be available around the clock to ensure patient safety. The report found that:

While large healthcare organizations have internal IT departments that provide support for
telehealth systems, smaller organizations rely primarily on vendors for technical support.

The level of support available to projects from vendors varied; many small companies were
closed during weekends and evenings.

Projects receiving vendor support that was not available 24 hours a day, 7 days a week
reported that such arrangements have the potential to negatively impact patient safety and
mission-critical patient services.

In this context, the importance of legal counsel is clear in ensuring that the provider takes the
appropriate risk management steps prior to purchase or lease of telemedicine equipment. First, appropriate vendors must be chosen. Vendors must be fiscally sound, with sufficient longevity and public
reputation to represent in good faith that the vendor will not only exist in the years to come, but is large
enough to provide 24/7/365 support. Second, legal counsel must ensure that contract negotiations
consider these issues (including the cost of support and upgrades), as well as insurance and indemnification. On the flip side, agreements with the largest equipment vendors frequently bring new meaning
to "contracts of adhesion," and some of these larger vendors have reputations for being unwilling
to move much during contract negotiations. Third, counsel must consider the costs of telecommunications in all telehealth program negotiations. Fourth, interoperability is imperative: telemedicine
equipment should integrate fairly seamlessly into any existing computer network (including the provider's electronic medical record system, or EHR).
When considering negligence and professional liability risk management issues, providers should
realize they are responsible for any harm to a patient caused by a lack of knowledge or skill, and
must exercise reasonable care and diligence while using telemedicine equipment to treat a patient. If
a provider does not know how to correctly use telemedicine equipment and a patient is harmed, or a
diagnosis is missed, liability may result. Additionally, the hospital or clinic providing the equipment is
required to maintain the equipment so that it is reasonably fit for the purposes to which it will be put.3
A hospital or clinic may be liable for furnishing defective equipment if the organization was negligent
in the equipment's care or upkeep.4
One question raised by telemedicine is the degree of responsibility an individual practitioner has
for determining whether the equipment is working correctly and is adequate to perform its intended
function (i.e., is the equipment's performance sufficient for the physician to make a correct diagnosis?). The general rule is that the practitioner should inspect the equipment for patent, or obvious,
defects and may be liable for an injury caused by a defect which the physician should have noticed.
Patients who are injured by equipment that is defective and unreasonably dangerous might sue
the manufacturers and sellers of the equipment under the rule of strict liability in tort. Pursuant to the
theory of strict liability, manufacturers and sellers of defective and unreasonably dangerous products
are liable, without proof of negligence or other fault, for injuries caused by such products to the user
or consumer.5 Hospitals and practitioners, in general, are not subject to strict liability claims, since
they are not engaged in the business of selling or supplying products but instead provide professional
services.6
27.4 Negligence in Telemedicine: Case Law Review
Using telecommunications media to deliver healthcare services, whether video-conferencing, the
Internet, e-mail, or some other form of communications, does not change the traditional legal concepts
of the physician-patient relationship, duty and standard of care, joint and several liability, negligent
supervision, liability for equipment failure and patient abandonment. In fact, the earliest telemedicine medical professional liability cases involve the use of the telephone to deliver advice to patients,
while other professional liability cases address the issues associated with mailing and phoning in
prescriptions for patients located outside the state in which the physician is licensed.
3 W.E. Shipley, Hospital's Liability to Patient for Injury Sustained From Defective Equipment Furnished by Hospital for Use in Diagnosis or Treatment of Patient, 14 A.L.R.3d 1254 (1967), citing South Highlands Infirmary v. Camp, 180 So.2d 904 (Ala.1965).
4 In Berg v. United States, 806 F.2d 978, 982 (10th Cir. 1986), the court held that the hospital failed to maintain its equipment properly and that its technologists were not adequately familiar with the equipment, therefore the hospital was liable for the patient's stroke caused by the hospital's attempted cerebral angiogram. The rule for equipment failure is, in most cases, that the provider or hospital might be liable for negligence in the care, maintenance, or use of the equipment, but will not be liable for latent defects which cause harm to a patient.
5 Marc L. Carmichael, J.D., Liability of Hospital or Medical Practitioner Under Doctrine of Strict Liability in Tort, or Breach of Warranty, for Harm Caused by Drug, Medical Instrument, or Similar Device Used in Treating Patient, 54 A.L.R.3d 258 (1974).
6 Id.


The volume and complexity of telemedicine services likely will increase provider liability risks.
On the other hand, the increased efficiency that should result from using telecommunications to deliver
healthcare services (e.g., rapid access to care and a broad array of preventive information and services)
may decrease the overall incidence of negligence. In an effort to address the issues raised by the use of
telecommunications technology to deliver healthcare, discussed below are the legal principles associated with potential telemedicine negligence claims. Currently, the principal legal issues associated
with telemedicine professional liability claims include (1) the physician-patient relationship, (2) the
telemedicine standard of care,7 (3) division of liability between and/or among providers for negligent
actions, (4) abandonment, (5) equipment failure, and (6) jurisdictional issues.
In order to address the liability concerns specifically related to the use of telemedicine, a brief
review of traditional medical professional liability principles is necessary. The word "malpractice"
describes a breach of the duty owed by someone rendering professional services to a person who has
contracted for such services.8 A plaintiff in a medical professional liability action must establish the
following elements: (1) a duty by the provider to act according to certain standards; (2) a breach of the
applicable standard of care; (3) an injury to the patient; and (4) a causal connection between the breach
of care and the patient's injury.9 Medical professional liability occurs if a provider owes a patient a
duty of due care, fails to meet the standard of care established by his or her profession and pertinent
case law, and negligently injures the patient. It is a basic principle of tort law that no cause of action
for negligence exists unless the defendant owes a legal duty to the plaintiff.10 Whether a duty to the
patient exists is a question of law that must be decided in a medical professional liability case before
the issue of the standard of care arises.11 If a physician-patient relationship exists, then the physician
has a duty to exercise that reasonable degree of learning and skill ordinarily possessed and used by
members of his or her profession.12
The elements of medical professional liability are long-established fundamentals of tort law; however, the manner in which these principles will be applied to long distance healthcare raises important
questions. A provider diagnosing or treating a patient via telemedicine is confronted with the following
questions: (1) is a provider-patient relationship established during a telemedical consultation; (2) what
is the appropriate standard of care for telemedicine; (3) may a patient claim abandonment once the
telemedicine consult is concluded (alternatively, does the provider have a continued duty to the patient
after the consultation); (4) may a physician be guilty of negligently supervising other providers via
telemedicine; (5) what is the provider's liability for a missed diagnosis due to technological (rather
than human) error; and (6) where will a practitioner providing services via telecommunications be
sued for professional liability?

7 As telemedicine becomes more commonplace (especially the use of the Internet) the standard of care question that may eventually arise is whether a practitioner should have used telemedicine to assist a patient and whether the physician breached the standard of care (and his or her duty to the patient) by failing to make use of available technology.
8 Weaver v. University of Michigan Board of Regents, 506 N.W.2d 264, 266 (Mich. App. 1993).
9 Ortiz v. Shah, 905 S.W.2d 609 (Tex. App. 1995).
10 Weaver, 506 N.W.2d at 266.
11 King v. Fisher, 918 S.W.2d 108 (Tex. App. 1996), St. John v. Pope, 901 S.W.2d 420 (Tex. 1995).
12 Dodd-Anderson v. Stevens, 905 F. Supp. 937, 945 (D. Kan. 1995).


27.4.1 The Physician-Patient Relationship
In order for a medical professional liability action to be brought by a plaintiff, a physician-patient
relationship must exist between the parties prior to the time of the alleged negligence.13 In order to
determine whether a physician-patient relationship is formed in a face-to-face encounter between a
consultant and a patient, a court will typically review: (1) whether the consultant and the patient met;
(2) whether the consultant examined the patient;14 (3) whether the patient's records were viewed by
the consultant; (4) whether the consulting physician knew the patient's name; and (5) whether the
consultation was gratuitous or for a fee.15 Only a few of these elements must be met to establish a
relationship.
A physician-patient relationship can also be established by other means, such as the performance
of diagnostic tests. In Dougherty v. Gifford, the court held that a physician-patient relationship existed
between a pathologist and a patient whose biopsy was incorrectly interpreted as malignant.16 The
pathologist never met the patient and never reviewed the patient's records. Instead, the court found
that a physician-patient relationship was created by the acceptance of the pathology work, the conduction of the tests, the preparation of a lab report, and the acceptance of a fee for the services rendered.
The court stated that there could be no doubt that the diagnostic services were furnished on behalf of
the patient. A teleradiologist could be found liable for professional liability by the same reasoning, as
could any physician providing second opinion or primary care medical services via telecommunications, regardless of whether a face-to-face consultation has occurred.
27.4.2 Standard of Care

Various professional organizations have promulgated standards related to the practice of telemedicine, including standards for the use of telemedicine equipment. For example, the American College
of Radiology has issued various standards that impact teleradiology, digital imaging, and radiologist
coverage of hospital emergency rooms.17 The American Telemedicine Association and other organizations are reviewing the need for specific standards related to telemedicine equipment and the practice
of telemedicine.

13 Phyllis F. Granade, Medical Malpractice Issues Related to the Use of Telemedicine - An Analysis of the Ways in Which Telecommunications Affects the Principles of Medical Malpractice, 73 N.D. L. Rev. 65 (1997).
14 An interactive video consultation or the examination of still pictures by a consultant should be considered an examination of the patient for purposes of a physician-patient relationship. It is counterproductive to argue that telemedicine should be relied upon by the public, and that in many cases reimbursement should be made for its use, but that services provided by telecommunications do not hold the same measure of protection for the public (i.e., do not establish physician-patient relationships) as do face-to-face encounters.
15 Granade, Medical Malpractice, citing Clarke v. Hoek, 219 Cal. Rptr. 845 (Cal. App. 1985).
16 Id., citing Dougherty v. Gifford, 826 S.W.2d 668 (Tex. App. 1992).
17 See American College of Radiology Technology Standard for Teleradiology: www.acr.org/Hidden/Economics/FeaturedCategories/mps/medicare_info/teleradiology/ACRTechnicalStandardsDoc4.aspx; the ACR Technical Standard for Electronic Practice of Medical Imaging: http://www.acr.org/SecondaryMainMenuCategories/quality_safety/guidelines/med_phys/electronic_practice.aspx and the ACR Practice Guideline for Radiologist Coverage of Imaging Performed in Hospital Emergency Departments: http://www.acr.org/SecondaryMainMenuCategories/quality_safety/guidelines/dx/hospital_er%20_imaging.aspx.

27.4.3 Joint and Several Liability

With a traditional referral, a patient travels to the specialist's office and responsibility for diagnosis and continued treatment lies primarily with the specialist. During an interactive video consultation,
the patient's local physician may be involved and remain in control of the patient's treatment after the
consultation with the distant specialist concludes. During a video consult the consultant will generally
not be the sole physician responsible for diagnosing the patient. For telemedical consultations, control
over the patient's diagnosis and course of treatment (or at least those elements of diagnosis and treatment that are at issue during trial) may become a key element in establishing liability.
A specialist participating in a telemedicine encounter must understand that the involvement of the
referring physician does not prevent the specialist from establishing a physician-patient relationship
with the patient. Physicians treating a patient for the same illness may be jointly and severally liable
for professional liability damages. Case law evidences a trend toward allowing joint and several liability against independently treating physicians when the injury suffered by the plaintiff is not clearly
divisible in terms of which physician caused the harm.18 Stated more clearly, if it cannot be shown
which physician is responsible for the patient's injury, it is possible that a court will find those physicians involved with the treatment of the patient's illness to be jointly and severally liable.19
27.4.4 Abandonment Claims

In order to prove abandonment, a plaintiff must show (1) the unilateral severance of the physician-patient relationship by the doctor; (2) the severance occurred without reasonable notice or without adequate provision of alternative medical care; and (3) the severance was at a time when there was a necessity for continuing medical treatment.20 Abandonment may be avoided by providing the patient with an alternative source for medical treatment, such as referring the patient to another physician.

To reduce the likelihood of an abandonment claim, a healthcare provider offering advice via telecommunications should establish a "safety net" checklist to ensure that a patient will continue to have access to adequate medical care after the telemedical evaluation concludes.21 For example, a physician treating or diagnosing a patient via telecommunications should know (1) whether after the consult concludes the patient will be receiving continued healthcare supervision or treatment, (2) who will be providing the care, and (3) that the patient has been provided with an emergency contact number if, after considering factors (1) and (2), the distant physician is not comfortable that the patient will have access to adequate medical care after the conclusion of the telemedicine consult. In the event that the services are provided via the Internet (for example, a web site devoted to offering medical consultations), the physician should attempt to reduce his or her liability exposure by placing limitations on the types of medical advice offered via the Internet, requiring that the patient have a local primary care physician, and obtaining the patient's assent to the terms and conditions of the site's use. Although it seems unlikely that a physician consulting via telecommunications would be found guilty of abandonment while a local physician is involved in the patient's treatment, as telemedicine increasingly reaches into the home (e.g., home healthcare and Internet medical services) it will remain the responsibility of the physician to ensure that the patient receives necessary treatment and that severance of the physician-patient relationship is handled carefully when the patient needs continued care.

18 Martin J. McMahon, J.D., Annotation, Joint And Several Liability Of Physicians Whose Independent Negligence In Treatment Of Patient Causes Indivisible Injury, 9 A.L.R.5th 746 (1993).
19 Ravo v. Rogatnick, 514 N.E.2d 1104, 9 A.L.R.5th 1170 (N.Y. 1987) (holding a pediatrician jointly and severally liable with an obstetrician for injuries negligently inflicted on a child, resulting in brain damage that rendered her severely and permanently retarded. Although treatment by the physicians was not concurrent, the responsibility for the injury was not divisible.).
20 King v. Fisher, 918 S.W.2d 108, 111 (Tex. App. 1996), Smith v. Lerner, 387 N.W.2d 576, 579 (Iowa 1986).
21 Id.
27.4.5 Jurisdiction in a Telemedicine Professional Liability Case

The use of telecommunications to deliver healthcare information and services has raised a significant issue regarding where the practice of medicine occurs. Traditionally, a physician practiced medicine within the boundaries of the state in which he or she was licensed to practice. The physician might treat patients from other states, but these patients traveled to the physician's state in order to receive treatment. The use of the telephone to deliver professional advice to distant patients heralded the dawn of a new era in jurisdictional questions. The courts were required to sift through conflicts of law, public policy, and tort principles in order to determine the proper forum for a medical professional liability suit.

Case law involving professional liability jurisdictional issues indicates the point of service is not the patient's location.22 In Wright v. Yackley, a medical professional liability action was brought by an Idaho citizen against a South Dakota doctor.23 The Idaho citizen was originally treated in South Dakota, and upon moving to Idaho called the South Dakota physician to request that a copy of an existing prescription be mailed across the state line. The Idaho citizen then sued for injuries incurred while taking the drug. The court found that no tort was committed within the state of Idaho sufficient to establish jurisdiction over the South Dakota physician. The court stated that:

"if the appellee was guilty of malpractice, it was through acts of diagnosis and prescription performed in South Dakota. The mailing of the [existing] prescriptions to Idaho did not constitute [a] new prescription. It was simply confirmation of an old diagnosis and prescription..."24

The court's footnote to the above comment states that the due process determination might have been different if the doctor could be said to have treated an out-of-state patient by mail or to have provided a new prescription or diagnosis in such fashion.25 This implies that even the diagnosis or treatment of a patient by mail might subject the physician to the jurisdiction of the distant patient's state.

22 Presbyterian University Hospital v. Wilson, 654 A.2d 1324 (Ct. App. Md. 1995), Ores v. Kennedy, 578 N.E.2d 1139 (Ct. App. Ill. 1991), Simmons v. State of Montana, 670 P.2d 1372 (Mont. 1983), McGee v. Riekhof, 442 F.Supp. 1276 (D.Mont. 1978), and Wright v. Yackley, 459 F.2d 287 (9th Cir. 1972).
23 Wright v. Yackley, 459 F.2d 287 (9th Cir. 1972).
24 Id. at 288.
25 Id.


The rule as set forth in Wright concerning the location of the point of service is stated as follows:

"In the case of personal services focus must be on the place where the services are rendered, since this is the place of the receiver's (here the patient's) need. This need is personal and the services rendered are in response to the dimensions of that personal need. They are directed to no place but to the needy person herself."26

Interestingly, the court did recognize that the forum state's natural interest in protecting its citizens can be countered by the citizen's interest in access to medical services whenever needed; however, the court interpreted this "access to services" interest to simply mean a citizen's right to procure medical care in distant states while traveling or living there. The court felt that a physician who through systemic or continuing effort provided services into a distant state would be subject to that state's jurisdiction.27

A professional liability case also may be brought in the physician's state, since that state would have sufficient ties through its licensure and regulation of the physician to be chosen as a suitable forum by the plaintiff. Additionally, telemedicine is rapidly becoming a multi-state business; therefore, the establishment of business sites in multiple states could open a telemedical venture to suit in any jurisdiction where it possesses sufficient business contacts. Furthermore, if a medical professional liability action meets the diversity of citizenship requirements, a plaintiff may choose to bring suit in federal court. The plaintiff in a medical professional liability case involving interstate telemedicine may have the opportunity to forum-shop, and pick the jurisdiction in which he or she is most likely to win or avoid statutory caps on punitive damages.

One concern among providers is whether the failure to possess a separate license to practice in each jurisdiction contacted via telemedicine might lead to additional professional liability. For purposes of medical professional liability, the question is whether the lack of licensure can be construed as evidence of negligence (i.e., the physician was not licensed to practice in the state, therefore was not qualified to perform the diagnosis or treatment).28 Some jurisdictions have determined that failure to have a license to practice does not automatically imply negligence.29 In fact, the court in Andrews v. Lofton stated "[a] breach of duty to the state does not necessarily involve a breach of duty to an individual."30 In some jurisdictions, however, the lack of a license might be considered evidence of negligence.

26 Id., at 289.
27 Id., at 290.
28 Id.
29 Andrews v. Lofton, 57 S.E.2d 338, 342 (Ga. App. 1950); Irwin v. Arrendale, 159 S.E.2d 719, 725 (Ga. App. 1967).
30 Andrews, 57 S.E.2d at 342.


27.5 Clinical Risk Management: Extending Performance Improvement Policies to Telemedicine

In the authors opinion, if a provider desires to deliver healthcare services using telecommunications technology, the provider should establish specific telemedicine policies and procedures (P&Ps).
The following topics are examples of the subjects which telemedicine P&Ps should address: (i) the
appropriate delivery of telemedicine, (ii) how and when to use telemedicine to provide care (e.g., when
to consult with a specialist), (iii) the record that will be kept of the encounter, (iv) the appropriate use
of telemedicine equipment, including maintenance schedules, updates/upgrades, and (v) telehealth
privacy and security issues, such as encryption. Last but not least, if the telemedicine consult will
result in the prescription of controlled substances to a patient, the practitioner should ensure compliance with the Ryan Haight Online Pharmacy Protection Act of 2008.31 The Ryan Haight Act prohibits
the prescription of controlled substances without an initial face-to-face consultation (often referred to as "f2f"). The Ryan Haight Act negatively impacts the use of telemedicine services via the Internet to prescribe to patients (absent an initial face-to-face consultation), and casts the prescription of controlled substances to telehealth patients into doubt even in the most above-board circumstances.
Teleradiology provides the best role model for telemedicine, since teleradiology services are currently the most used and recognized telehealth service. This is due in part to the fact that there is no face-to-face physician-patient relationship requirement in order for a provider to receive reimbursement from most payors for teleradiology services. Due to teleradiology's success, most institutional providers have been working with some form of telehealth service and have adopted P&Ps related to teleradiology services. These teleradiology P&Ps may be expanded to address most telehealth services.
27.6 Reimbursement: Medicare, Medicaid, Grants and Private Pay

The greatest obstacle to the success of telemedicine has been the lack of consistent, comprehensive reimbursement for telehealth services. Regardless of the benefits offered by telemedicine, in light of the overall lack of reimbursement for equipment and services available, it is little wonder that telemedicine services have been slow to expand to the extent that technology permits. No healthcare provider should consider establishing a telemedicine program or service without first drafting a detailed business plan that takes into consideration the costs of setting up the program, running the program, and maintaining the program, including equipment purchase and upkeep; medical professional liability insurance coverage; public relations; provider relations; and payor agreements (e.g., reimbursement amounts).

Many of the telemedicine programs initiated by academic medical centers and hospital systems have been funded, at least in part, by pilot programs or demonstration projects at the federal and/or state level. Many of these programs fail to thrive once the grants disappear. Medicare has implemented a limited number of telemedicine reimbursement benefits, but even those are subject to interpretation by the intermediaries and carriers. Medicaid reimbursement for telemedicine differs vastly between the states, and is subject to interpretation and change year-to-year. Some states appear to have successful Medicaid participation; for example, Marquette General Hospital's website states that the Upper Peninsula Telehealth Network of Michigan has made:

"some significant progress in the state of Michigan in the area of telemedicine reimbursement. Most recently the announcement of coverage by Medicaid for Telemedicine Services effective May 1, 2006. To-date 95% of telemedicine services provided in our region is reimbursable by third-party payers." See website: www.mgh.org/telehealth/reimbursement.html.

31 H.R. 6353, with a compliance deadline of approximately April 15, 2009 (the Act became effective 180 days after it was signed by the President, October 15, 2008).
Telemedicine programs operated at the level of a health system or academic medical center may have the clout to negotiate reimbursement of rates from health plans and/or state Medicaid agencies. The Upper Peninsula Telehealth Network of Michigan also notes on its website that it has achieved reimbursement for telemedicine services from the following private payors:
* Blue Cross/Blue Shield of Michigan (BCBSM) announced, in the August 2003 RECORD publication, that telehealth is now a payable service for the state of Michigan. Please refer to the RECORD publication for the billing guidelines or contact me and I will fax a copy to you. BCBSM will be paying practitioners and facility fees for telehealth services.
* Upper Peninsula Health Plan (UPHP) a Medicaid Managed Care provider now covers clinical telemedicine. This announcement and billing guidelines are available in the August 2004 PROVIDER NOTES, Volume 7, Issue 3. UPHP is reimbursing practitioners and originating site fees for telemedicine services as of July 1, 2004.
* United Healthcare announced they would be reimbursing for telemedicine services following Medicare's guidelines for patients in the Upper Peninsula.
* Preferred Provider of Michigan (PPOM) also announced they will be following Medicare's guidelines for telemedicine reimbursement for patients in the Upper Peninsula.
Many proactive telemedicine programs have applied for and received grants at the state and federal level. For example, since 2004 the Agency for Healthcare Research and Quality (AHRQ) has funded telemedicine to the tune of more than $260 million at over 150 communities, hospitals, providers and healthcare systems in 48 states. AHRQ grants were awarded in ten states (Arkansas, California, Minnesota, Montana, New Mexico, New York, Oklahoma, Pennsylvania, Tennessee, and Texas) and served primarily low-income rural areas with high rates of chronic illness. See AHRQ Publication No: 08-0045, August 2008, http://healthit.ahrq.gov/images/aug08telehealthdmbrief/telehealth.html.
27.7 Commentary & Conclusions

* For purposes of determining jurisdiction, patient consults occur where the patient is located and the practitioner should be licensed and insured accordingly.
* State physician licensure requirements (and the resulting impact on medical malpractice and professional negligence insurance coverage) continue to negatively impact the growth and acceptance of telemedicine services.
* Traditional professional liability risk management principles continue to apply to telehealth encounters. Telemedicine providers should ensure: (1) appropriate and timely documentation of patient encounters; (2) provider-patient rapport; (3) patient informed consent, including explanation of the risks, benefits, and possible alternatives to using telemedicine; (4) appropriate and timely referral of patients; (5) maintaining the expected standard of patient care; and (6) maintaining in good standing necessary hospital privileges, state licensure and federal Drug Enforcement Administration numbers.
* Creation and retention of electronic medical records, video and audio records related to telehealth consults require compliance with the provider's e-discovery policies; state and federal record retention requirements; and the HIPAA privacy and security regulations (including the changes brought about by the HITECH Act).
* Telemedicine providers should consider encryption and/or a secure dedicated telecommunications link for the transfer of patient identifiable information.
* Telemedicine Equipment Policies, Procedures and Training should address:
   1. Appropriate use of the equipment, including its diagnostic limitations;
   2. Recognition of equipment problems;
   3. Reporting equipment problems; and
   4. Responding to equipment-related emergencies during patient encounters.
* Risk management steps regarding the purchase/lease of telemedicine equipment include:
   1. Choose fiscally sound vendors with longevity and good reputations;
   2. 24/7/365 support (AHRQ's 2008 report noted that AHRQ grantees stated that technical support must be available 24/7/365 to ensure patient safety);
   3. Legal counsel involvement in contract negotiations (e.g., insurance, indemnification, IT support, costs, avoid contracts of adhesion, etc.);
   4. Ensure interoperability with legacy and other systems operated by the enterprise, including the EHR/EMR. Support, patches, upgrades, revised versions, etc.
   5. Items one through four, above, should be memorialized in Telemedicine Equipment Policies and Procedures.
* Provider-to-provider contracting issues:
   1. Agreements in writing, describing the duties, obligations, rights, and responsibilities of the parties.
   2. An Agreement for Teleradiology Services might contain, for example:
      * Equipment to be used by teleradiologists;
      * Compliance with American College of Radiology (ACR) teleradiology standards and Joint Commission standards for staff privileges/credentialing;
      * Turnaround time for reports;
      * Insurance coverage;
      * State licensure, Board certification, DEA number and credentialing;
      * Emergency back-up plans, including timely response to, and responsibility for, broken equipment and power failure, etc.; and
      * Record creation and maintenance (e.g., evidence of medical necessity; compliance with HIPAA privacy and security regulations).
* In addition to the Telemedicine Equipment P&Ps discussed above, the telehealth provider should adopt Clinical Telemedicine Policies, Procedures and Training addressing:
   1. When to use telemedicine to provide care;
   2. How to meet the standard of care using telemedicine;
   3. Records that will be kept of the encounter;
   4. The appropriate use of telemedicine equipment, including maintenance schedules, updates/upgrades; and
   5. Telehealth privacy and security issues.
* The Ryan Haight Online Pharmacy Protection Act of 2008, H.R. 6353, negatively impacted the use of telemedicine services via the Internet absent an initial face-to-face consultation. The Ryan Haight Act prohibits the use of telemedicine if the result is the prescription of controlled substances without an initial face-to-face consultation.
* Reimbursement continues to slow down the growth of telehealth services. There is a general lack of reimbursement for telehealth services, and telemedicine reimbursement offered by Medicare, State Medicaid agencies and private insurers is a confusing patchwork quilt.
   * The growth of Medicare Advantage HMOs and similar managed care programs at the federal and state level may result in greater use of telehealth to reduce the need for f2f consultations (e.g., providers are using telemetry to track patient statistics like blood sugar and blood pressure for disease management purposes).
* The HITECH Act of 2009, and the significant changes it makes to HIPAA, will require modifications to existing telemedicine network policies and procedures, business associate agreements, software and hardware.

Electronic Health Records: An Enterprise Risk Approach

28 Electronic Health Records: An Enterprise Risk Approach
Marilyn Lamar, Esq.
Liss & Lamar, P.C.
Nestor J. Rivera, Esq.
Carlton Fields, P.A.
28.1 Introduction

As information technology evolves, the use of electronic health record (EHR) systems has emerged as an important factor in reducing both medical errors and the cost of healthcare.1 For this reason, federal regulators created an exception2 from the Stark law and a parallel safe harbor3 under the anti-kickback statute to permit hospitals to subsidize a portion of the cost of certain EHR technology for physicians, assuming that all the requirements of these regulations are satisfied (collectively, the "EHR Rules"). The importance of EHRs is also illustrated by the substantial funding made available to certain physicians and hospitals that establish "meaningful use" of EHRs under HITECH and the future reductions in Medicare reimbursement for those that fail to do so by 2015.4 The EHR Rules and other regulatory aspects of EHRs are discussed below in this Chapter.

However, the implementation of new information technology (IT) does not always improve the quality of care, and can introduce new risks. Some risks arise simply from the fact that using the technology is a new skill that requires learning and practice. Others arise from the actual design and operation of the system. Negotiations with an EHR vendor can reduce some of these risks, but others must be addressed by the healthcare provider in implementing the system and monitoring its ongoing use. Healthcare providers that are subject to accreditation by The Joint Commission should also be aware that some of the risks identified in this chapter and steps to address them have been identified in The Joint Commission's Sentinel Event Alert 42.5
1 Commission on Systemic Interoperability, Ending the Document Game: Connecting and Transforming Your Healthcare through Information Technology, at http://endingthedocumentgame.gov (Oct. 25, 2005).
2 71 Fed. Reg. 45140.
3 71 Fed. Reg. 45110.
4 HITECH is the Health Information Technology for Economic and Clinical Health Act adopted as part of the American Recovery and Reinvestment Act of 2009.
5 Safely implementing health information and converging technologies, Sentinel Event Alert, Issue 42, December 11, 2008, published by The Joint Commission, available at http://www.jointcommission.org/SentinelEvents/SentinelEventAlert/sea_42.htm

Enterprise Risk Management for Healthcare Entities, First Edition


Because many risks of an EHR do not become apparent until after implementation, sound risk management requires ongoing work with risk managers, clinicians and IT personnel to develop a process to evaluate the actual results from using EHRs, including unintended adverse consequences. This process, together with appropriate responses to adverse developments, will allow adjustments to maintain the benefits of these systems while reducing any new risks.

An EHR risk evaluation must include the potential impact of new e-discovery rules. As discussed in Chapter 30, they may permit discovery of all relevant electronically stored information (ESI). ESI typically contains far more information than the equivalent paper records, including metadata, which is sometimes defined as "data about data." The metadata in EHRs could identify who made or edited each entry, who merely accessed the record and when such activity occurred. In addition, some of the metadata may document or illuminate decisions made in the course of patient care (e.g., whether physicians override or ignore drug interaction alerts).

Not all opposing counsel realize yet how much metadata exists in EHRs and other IT systems, but discovery demands are likely to increase significantly as this awareness grows. Some plaintiffs' experts are already recommending that their colleagues subpoena audit trails. Hospitals' opponents are also using the internal and external costs of e-discovery as a weapon to compel earlier and more expensive settlements.6
28.1.1 EHRs and Personal Health Records

Terminology surrounding EHRs can be confusing because IT personnel, clinicians, vendors, risk managers and counsel may have very different understandings of the same terms. This chapter uses the definition of EHR published by the Health Information Management Systems Society (HIMSS):

"The Electronic Health Record (EHR) is a longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting. Included in this information are patient demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports. The EHR automates and streamlines the clinician's workflow. The EHR has the ability to generate a complete record of a clinical patient encounter, as well as supporting other care-related activities directly or indirectly via interface, including evidence-based decision support, quality management, and outcomes reporting."7

Many important elements of an EHR will depend on the choices made by the client during implementation, e.g., the nature and extent of clinical decision support like drug alerts. Possible alerts include drug-drug interactions, nonstandard doses, drug-lab test interactions, and drug allergy interactions. System planners also must decide whether the reason for disregarding an alert must be documented and subject to further review and whether the reason is included in the patient's medical record. Users of the EHR should understand these kinds of system choices and how they will affect care decisions and the documentation of care, including electronic metadata that may exist in the system though not visible in the patient's chart.

6 Forrester Research, Inc. estimates that $1.4 billion was spent on electronic discovery services in 2006 (across all industries) and that this spending will increase to $4.8 billion by 2011. See http://www.forrester.com/Research/Document/Excerpt/0,7211,40619,00.html.
7 http://www.himss.org/ASP/topics_ehr.asp.
The increased use of personal health records (PHRs) also makes it important for patients and providers to understand exactly what each type of PHR includes, and how patients use them. Currently some insurers offer the use of PHRs to their members that consist primarily of claims-based data and whatever the patient may add. Microsoft, Google and employer groups are also offering PHRs. The use of PHRs raises many questions, including how they can effectively complement, or at least coexist with, the provider's EHR system, whether healthcare providers will be expected to review all of the information contained in the PHR, whether providers can reasonably rely on the PHR in providing care and what privacy protections will apply.

As a starting point in dealing with PHRs, HIMSS has published the following definition of electronic PHRs:

"An electronic Personal Health Record (ePHR) is a universally accessible, layperson comprehensible, lifelong tool for managing relevant health information, promoting health maintenance and assisting with chronic disease management via an interactive, common data set of electronic health information and e-health tools. The ePHR is owned, managed, and shared by the individual or his or her legal proxy(s) and must be secure to protect the privacy and confidentiality of the health information it contains. It is not a legal record unless so defined and is subject to various legal limitations."8

The HIMSS definition of PHRs illustrates some of the issues that providers must address, such as the PHR's relationship to the legal record. The "layperson comprehensible" element also makes a PHR very different from an EHR that includes test results and progress notes, differences a layperson might not understand. In addition, the "universally accessible" element seems to go well beyond the interoperability requirement of the EHR Rules.

The extent to which providers will use PHRs or integrate them into EHR systems remains uncertain. But patients who use their own PHR may have rising expectations about access to their own records in the provider's EHR system. The balance of this chapter focuses on the provider's EHR, but PHRs must remain a key part of overall planning.
28.2 Medical Professional Liability

The landmark Institute of Medicine study9 published in 2000 estimated that preventable medical errors cause between 44,000 and 98,000 patient deaths each year. A later study estimated that 195,000 deaths were due to medical errors.10 EHRs that include computerized provider order entry (CPOE) systems and clinical decision support software are expected to reduce the number and severity of medical errors.11 However, as they are more widely used, users have noted some adverse unintended consequences associated with these systems. Informatics specialists have also reported some problems.

8 http://www.himss.org/ASP/topics_phr.asp.
9 Kohn, L., J. Corrigan, and M. Donaldson. To Err is Human: Building a Safer Health System. Committee of Health Care in America, Institute of Medicine, 2000.
10 HealthGrades. In-Hospital Deaths from Medical Errors at 195,000 per Year, Health Grades Study Finds. July 27, 2004.
CPOE systems provide examples of both improved quality and new risks. CPOE systems are often included in EHRs to allow physicians to order tests and medications electronically. Although several studies12, 13 have reported a reduction in adverse drug events and other medication errors after implementing a CPOE system, one study at a tertiary-care pediatric hospital found an increase in mortality rates for patients admitted by transport from an outside hospital.14 The authors suggested that the increased mortality rate might have resulted from several changes in process and workflow generated by the implementation of the CPOE, including:
* Not permitting staff to enter orders for medications and testing until the patient had physically arrived at the hospital rather than entering orders before arrival based on radio contact with the transport team.
* The increased time required to enter orders on the system compared to the time previously needed for handwritten orders.
* Insufficient bandwidth during peak periods leading to slower system functionality.
* Relocation of critical medications from the ICU to a central pharmacy.
* Increased nurse and physician time spent at computer terminals rather than at the patient bedside.

This study is unusual because most studies of CPOEs and EHRs show improved quality. But it highlights how changes to workflow and technical requirements brought about by implementation of a new system may increase risk. For example, new delays in ordering medication and tests and moving critical medications from the ICU may not have been necessary to implement the CPOE system, and the hospital in question has revised those procedures. Fortunately, the hospital closely monitored mortality rates immediately after implementation of the CPOE system and was able to make appropriate adjustments.
28.2.1 Potential Professional Liability and Patient Safety Benefits of EHR Systems:

The development and implementation of an EHR system may help reduce a healthcare providers
exposure to medical professional liability claims by improving the quality and safety of medical treatment and care. An EHR system may also improve a providers defense of medical professional claims
by creating a more comprehensive healthcare record and providing better access to potential evidence.
In recognition of these potential benefits, a few professional liability insurance carriers provide limited
Commission on Systemic Interoperability. Ending the Document Game: Connecting and Transforming Your Healthcare
through Information Technology, at http://endingthedocumentgame.gov (Oct. 25, 2005).
12
Upperman, J.S., et al. The Impact of Hospitalwide Computerized Physician Order Entry on Medical Errors in a Pediatric Hospital. Journal of Pediatric Surgery. 2005; 40:5759.
13
Bates, D.W., et al. The Impact of Computerized Physician Order Entry on Medication Error Prevention. Journal of
the American Medican Informatics Association. 1999; 6:313321.
14
Han, Y.Y., et al. Unexpected Increased Mortality after Implementation of a Commercially Sold Computerized Physician Order Entry System. Pediatrics. 2005; 116; 15061512.
11

452

Enterprise Risk Management for Healthcare Entities, First Edition

Electronic Health Records: An Enterprise Risk Approach


premium discounts or credits on insurance policies issued to healthcare providers that are appropriately utilizing EHR systems. Potential benefits include:
1. Improved access to a patient's full medical history, providing a healthcare provider with all the information necessary to make the most accurate diagnosis and design the most appropriate course of treatment.
2. Faster and more accurate notice of the results of tests, treatment and consultations.
3. Prevention of adverse medical events or unintended drug interactions, through the collection of and ready access to more comprehensive information about a patient's medical history, allergies, etc.
4. Electronic documentation of the specific disclosures necessary for informed consent.
5. A comprehensive record designed to demonstrate adherence to applicable standards of care
and to healthcare provider policies and procedures.
6. Production of comprehensive, legible electronic copies of records with (potentially) less
effort.
7. Permanent records of the timing, author, and rationale for supplemental entries in an electronic health record.
8. Faster and more thorough quality assurance analysis and programming.

28.2.2 Increased Liability Risk Associated with EHRs

Expectations are high for safety improvements from electronic systems. Conversely, the risks of the systems are often subtle, arising in both implementation and ongoing use. This should not be surprising given that EHRs, CPOEs and other electronic systems are relatively immature technologies operating in the complex, multi-provider, time-sensitive healthcare environment. They allow healthcare providers to capitalize on computer-based systems' ability to quickly recall and manipulate large amounts of data, but providers should not expect the systems to excel at making complex judgments. As technology evolves, the potential risks will also evolve, so counsel should be alert to the concerns identified below and to additional risks as they arise.

As noted in an article in Health Affairs, substantial gaps may exist between advocates' vision of e-prescribing and how physicians use commercial e-prescribing systems today.[15] Although the authors found that the e-prescribing systems often eliminated illegible prescriptions and allowed faster printing, they expressed concern about whether the anticipated benefits of e-prescribing will be achieved given their survey findings of (1) inaccurate medication lists for patients, and (2) the complete deactivation of drug interaction alerts by some practices.

In addition, as healthcare entities adopt and integrate EHRs into regional or national networks, a different standard of care may evolve, particularly if the EHRs include clinical protocols or clinical decision support.

[15] J. Grossman et al., Physicians' Experiences Using Commercial E-Prescribing Systems, Health Affairs. 2007; 26: w393-w404.

Questions are also likely to arise about whether a provider is obligated to review the substantially increased volume of electronic patient information that a new patient may provide. The provider will have to decide whether to rely equally on all available information, including claims data from insurers and data provided by the patient in his or her PHR, and whether to incorporate such data into the EHR with a notation of the sources.

Although the clinical decision support (CDS) software often included in EHRs may improve quality and make it easier to implement and monitor clinical protocols, end users seldom have easy access to the formulas and databases used in commercial systems. The unknown "black box" nature of these CDS systems may make professional liability claims harder to defend. For example, in cases involving reliance on commercially available drug interaction reports, expert testimony may be necessary to prove that reliance on information generated by the system was consistent with the relevant standard of care without the provider double checking whether the system's algorithm was correct.

The mere existence of electronic data may enable plaintiffs to assert claims or achieve greater settlements than would have been likely with paper-based systems. For example, a former patient sued a Florida hospital for negligent administration of anesthesia. The patient, undergoing surgery for a brain tumor, awoke paralyzed after the surgery. The hospital reportedly settled for much more than its initial estimates based on two elements of information derived from its automated anesthesiology record-keeping (AARK) system:

- A 93-minute gap in the information normally recorded by the AARK system was not noticed during surgery because it was blocked by other information on the screen. By the time plaintiff's expert questioned the gap, the missing information previously stored on other hardware was no longer available to help defend the hospital.
- An electronic entry made by the anesthesiologist stating that he was present at emergence from anesthesia after surgery was time stamped by the AARK system. The electronic time stamp showed that the anesthesiologist made the entry during the first hour of the seven-hour surgery,[16] a fact that would appear nowhere in a paper record.
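
A record-integrity review of the kind that would surface both AARK findings while the underlying data is still retrievable, as an added example that is not from the cited study or any vendor's product. The record layout, the field names and the two-minute sampling tolerance are assumptions, and the case data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Attestation:
    """Clinician-entered statement (hypothetical layout, not a vendor schema)."""
    author: str
    event: str            # case event the statement attests to
    entered_at: datetime  # time stamp the system applied when the entry was saved


def find_gaps(sample_times, case_start, case_end, max_interval):
    """Return (start, end) for every stretch of the case longer than
    max_interval in which no automatically captured sample exists.
    The case boundaries are included so leading and trailing gaps count."""
    inside = sorted(t for t in sample_times if case_start <= t <= case_end)
    points = [case_start, *inside, case_end]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > max_interval]


def find_premature_attestations(attestations, event_times):
    """Return (attestation, lead) for entries saved before the event they
    describe took place. lead is None when the event was never recorded,
    which also needs review."""
    flagged = []
    for att in attestations:
        occurred = event_times.get(att.event)
        if occurred is None:
            flagged.append((att, None))
        elif att.entered_at < occurred:
            flagged.append((att, occurred - att.entered_at))
    return flagged


def build_constructed_case():
    """Constructed data shaped like the case described above: a seven-hour
    case, a 93-minute hole in the captured samples, and an 'emergence'
    statement saved in the first hour."""
    start = datetime(2024, 1, 15, 8, 0)
    end = start + timedelta(hours=7)
    # One sample per minute, with nothing captured between 10:00 and 11:33.
    minutes = list(range(0, 121)) + list(range(213, 421))
    return {
        "start": start,
        "end": end,
        "sample_times": [start + timedelta(minutes=m) for m in minutes],
        "events": {
            "induction": start + timedelta(minutes=10),
            "emergence": start + timedelta(hours=6, minutes=50),
        },
        "attestations": [
            Attestation("anesthesiologist", "induction", start + timedelta(minutes=15)),
            Attestation("anesthesiologist", "emergence", start + timedelta(minutes=40)),
        ],
    }


def review_case(case, max_interval=timedelta(minutes=2)):
    """Produce one finding line per data gap and per premature statement."""
    findings = []
    gaps = find_gaps(case["sample_times"], case["start"], case["end"], max_interval)
    for a, b in gaps:
        length = int((b - a).total_seconds() // 60)
        findings.append(f"no captured data {a:%H:%M}-{b:%H:%M} ({length} min)")
    for att, lead in find_premature_attestations(case["attestations"], case["events"]):
        when = "for an event never recorded" if lead is None else f"{lead} before the event"
        findings.append(
            f"'{att.event}' statement by {att.author} saved {att.entered_at:%H:%M}, {when}"
        )
    return findings


if __name__ == "__main__":
    for line in review_case(build_constructed_case()):
        print(line)
```

Run at case close rather than at discovery, a review like this gives risk management the chance to preserve source data from the monitoring hardware before it is overwritten.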

The risks and unintended consequences of electronic systems are the subject of a growing body of
research focusing on a wide range of factors including changes in workflow, the impact of ergonomics
on system usage and changes in communications patterns among providers. These studies can help
providers identify pitfalls, but the research is at an early stage.
Ironically, these studies could make it more difficult for providers to defend cases involving errors
that arise while using EHR systems. Attorneys for plaintiffs are learning of the large amount of data
available from electronic systems and of these studies. Therefore healthcare attorneys must help their
clients recognize the risks that may arise in implementing and using these systems and develop strategies to mitigate the risks, at least through the involvement of clinical risk managers in the planning
and design process.

[16] Vigoda M.M., Lubarsky D.A. Failure to Recognize Loss of Incoming Data into an Anesthesia Record Keeping System Increased Medical Liability. Anesth Analg 2006; 102:1798-1802.

Some of the general risks and unintended adverse consequences identified in recent articles[17] are discussed below. This list is not comprehensive, as new issues still arise and systems are constantly evolving, including their interaction with other electronic systems.

1. Disregarded Alerts

One of the most common criticisms of CPOE systems is that they require more work for physicians to enter information (for example, justifying the selection of an order or a treatment) or respond to alerts that the system generates (for example, deciphering the alert, deciding how to respond, and documenting the reasons for not complying with the alert). The increased work may have unexpected consequences. One recent study found that clinicians override drug safety alerts (such as alerts regarding drug interactions) in 49% to 96% of the cases.[18] The frequency with which clinicians disregard safety alerts and widespread criticism of excessive alerts suggest that physicians may not have confidence in the clinical input that the alert is intended to provide, which may in turn lead to disregarding most alerts, even valuable ones.

Thus, although alerts are an important tool in reducing medical errors, disregarding appropriate alerts presents significant risk management issues. All personnel need to be aware that the electronic system may retain evidence of the disregarded alert and that it may be discoverable even if it is not included in the patient's medical record. Providers that administer systems with alerts should be careful in setting the levels for alerts and should continue to monitor the need to adjust them based on actual use and clinical feedback. In setting the alerts, the organization should decide (a) whether the alerts or warnings will be interruptive, meaning that the activity cannot be continued without an override, possibly requiring a documented reason, or non-interruptive, (b) how disregarded alerts will be handled by the organization, and (c) how alerts will be monitored and periodically adjusted.

2. Generation of New Types of Errors: e-iatrogenesis

The systems themselves, and how they are used, can generate new errors. Some researchers[19] have coined the term "e-iatrogenesis" as a general term to describe errors caused by electronic healthcare systems, presumably as a derivative of the term "iatrogenesis" (the term sometimes used to refer to illness or other problems caused by medical treatment). Some of the new types of errors include the following:

a. Juxtaposition errors that result when the wrong item is selected from a dense pick list, such as an alphabetical drop down list of medications. The use of long electronic lists may increase the likelihood that the EHR user will select the wrong patient or medication. Drop down lists may be especially difficult to use when the provider is trying to maintain eye contact with the patient or is otherwise distracted. Suggestions to address these risks include having a second confirmatory screen with large letters, on which the user must confirm the choice before proceeding. Errors arising from medication lists might be reduced if the medications were listed by type (for example, all antibiotics listed together) rather than listing the entire formulary alphabetically.
b. End user confusion about system functions may also lead to new errors. For example, a user might expect that a CPOE system will report possible drug-lab test interactions, but that capability might not be included in the particular system. System owners can address this risk in initial and ongoing training to remind users of exactly what the system can and cannot do.
c. Workstation monitors' inability to display all relevant information requires users to navigate between screens, creating additional possible errors. A related problem is the lack of a "back" command in some CPOE systems, which makes it more difficult for providers to correct any initial errors. Although training may help, vendors may need to address these issues in their programs so that necessary information appears in a single screen.
d. Providers may not know where to enter data, leading to its incorrect location in the system. This can result from poor training or poor data input design. This may result in data appearing in a miscellaneous section, not where the electronic system or a subsequent user would look for it. In addition, criteria-based searches and other processing may miss data included in a miscellaneous or other incorrect field. Users of reports and other aggregate data need to be aware of these possible problems with information gathered electronically from specific data fields.
e. Systems may auto-complete entries with new and potentially incorrect information. This raises the potential for medical errors as well as possible reimbursement and false claims issues. For example, the system might indicate a more detailed patient evaluation than actually occurred because something else triggered it to say so. Risk management review of an EHR system should examine any auto-complete functions and evaluate whether the possible benefits outweigh the likely risks. Auto-complete functionality frequently can be turned off, but if not, this merits serious consideration during system selection.

[17] Campbell et al. Types of Unintended Consequences Related to Computerized Provider Order Entry. Journal of the American Medical Informatics Association 13, no 5 (2006): 547-556.
[18] H. van der Sijs et al., Overriding of Drug Safety Alerts in Computerized Physician Order Entry, Journal of the American Medical Informatics Association 13, no 2 (2006): 138-147.
[19] Weiner et al., e-iatrogenesis: The Most Critical Unintended Consequence of CPOE and Other HIT, Journal of the American Medical Informatics Association, 14, no 5 (2007): 387-388.

3. Workflow Changes and Unfavorable Impact on Clinical Care

Some EHR system components (or the choices made in implementation) use linear approaches to workflow that are very different from the more concurrent, interdependent and adaptable nature of actual workflow. The study (noted above) of an EHR implementation at a children's hospital found that workflow changes led to a delay in orders for medications and increased staff time away from the patient's bedside, with an adverse impact on clinical care.[20]

Another problem involves the elimination of the "gatekeeper" function of clerical and other personnel in questioning orders. Experienced nursing or clerical staff might question an order that a CPOE system would process without question.

[20] Han, Y.Y., et al. Unexpected Increased Mortality after Implementation of a Commercially Sold Computerized Physician Order Entry System. Pediatrics. 2005; 116:1506-1512.

4. Excessive Use of the "Cut and Paste" Feature

Some practitioners have complained that the "cut and paste" function, when used to excess, encourages progress notes with repetitive entries, making it difficult to find the new information. A recent article also suggests that easy duplication of information from one provider to another may make subsequent physicians less likely to perform a sufficient personal evaluation of the patient. The authors refer to the practice as a form of "clinical plagiarism" with potentially deleterious consequences for the patient.[21] Repetitive notes also create an impression in litigation that no one looked for new patient developments regardless of the actual scope of the examinations.

5. Overdependence on Technology
Clinicians have reported that it seems difficult to revert to paper-based systems when electronic
systems are down. System failures of more than a few hours have led to cancellation of outpatient
procedures and diversion of cases from affected emergency rooms. Overdependence also leads users
to assume that the information in the electronic system is accurate and complete. An EHR may contain
inaccurate information due to human error, the inability of the system to understand some abbreviations or a number of other factors. There is no commonly accepted standard yet for data confirmation
and validation in an EHR, so human users must remain alert for bad information.
6. Ongoing System Changes and Inconsistent Records
Business requirements, regulatory changes and new vendor releases all demand continuous changes
to software and hardware, a tremendous challenge to IT and administrative staff. These demands are
especially severe if physicians using the system create unique order sets or the software includes
custom modifications. As systems become more complex, it becomes harder to manage the necessary
maintenance, downtime and retraining of personnel necessary to maintain and update the system.

As the software changes and features are added or removed, the EHR for a given patient may look different, even if there have been no additional entries for the patient after the system modifications. For example, some information may no longer appear on the same screen or there may be a blank field because the field was added after the last patient encounter. In addition to the possible impact on clinical care, this can confuse providers, especially if they are facing old patient data viewed through the new system lens. It may also lead to a negative inference in litigation if the provider cannot find information because it has moved or if blanks imply that someone failed to collect information.

Counsel and RM staff must work with IT personnel to try to understand and reduce the adverse impact of these changes. At a minimum, the involved personnel should map all changes as they occur and knowledgeable IT personnel should be included in preparing for discovery so the healthcare provider can readily explain any discrepancies.[22]

[21] Hartzband and Groopman, Off the Record - Avoiding the Pitfalls of Going Electronic, New England Journal of Medicine: 358;16 (April 17, 2008): 1656-1658.
[22] E. Zych, Discovery of Electronic Health Records, paper included with materials for the May 22, 2008 teleconference presented by the Health Information Technology Practice Group on EHRs and e-Discovery.

28.3 EHR Vendor Contracts

Negotiating and implementing an EHR system is an expensive and time-consuming undertaking for most organizations and there are widespread reports of significant cost overruns, delays, and technical problems. The suggestions below can help attorneys identify contractual provisions that may reduce some of the risks that are likely to arise with EHR systems, if successfully evaluated and negotiated. However, these issues are only a subset of the many provisions to negotiate in any software license or services arrangement. The reader must note that this section is not a complete list of issues that require negotiation.[23]

As noted above, HITECH provides funding for certain hospitals and physicians that meet the meaningful use requirements (to be established by regulation) and reduces the Medicare reimbursement available to those who do not achieve meaningful use by 2015. Providers that wish to satisfy the HITECH requirements should consider including specific contract language to address whether the vendor's EHR will enable the provider to satisfy the HITECH requirements for meaningful use as they are set forth in the then current and future regulations.

Attorneys can provide important assistance in an EHR acquisition by taking an active role in helping the provider understand each party's actual obligations under the contract and how that may differ from the client's expectations. This step is critical because client healthcare providers often misunderstand the capabilities of EHR systems and the substantial resources necessary to implement and maintain them.

Therefore, in addition to negotiating the business and legal terms in the vendor's standard contract, counsel for the EHR buyer should confirm that the client's IT personnel and senior management understand: (a) exactly what the vendor is offering, (b) what the vendor is not providing that must be obtained from another vendor or the client, (c) the scope of effort and resources that the client will need to implement the system, (d) whether all other business terms are accurately reflected, and (e) how caution in implementation and ongoing monitoring during the use of the system can reduce risk and allow for necessary adjustments.

By negotiating the contract as outlined below, providers can reduce the risks presented by this technology.

A. Duration and Scope of the Vendor's Support Commitment
1. The agreement needs to specify the number of years during which the vendor will support the software and any conditions or exceptions to this obligation. The period specified is often much shorter than the client expected.
2. Discussing the vendor's view of the EHR product's life cycle presents an opportunity to explore the likelihood that the new system will be replaced at some point and the need for contract provisions to address transition services and data conversion.
3. Ideally, the client should only be committed on a year-to-year basis but the vendor should be obligated to support the product for the entire period anticipated by the client (frequently from five to 10 years). The vendor may want the client's commitment to use (and pay for) support for the same period. The counterargument is that the vendor should not incur additional cost if the client does not renew support, as opposed to the very significant adverse impact to the client if support were not available.
4. If the vendor's services include maintaining or processing data, there should be specific contract provisions that address disaster recovery. The vendor should provide a copy of its disaster recovery plan to the client, agree with the client on testing involving use of the client's facilities, share the results of any disaster recovery testing and promptly advise the client of any changes in the disaster recovery plan.
5. The client should consider whether to request any specific services from the vendor that will help the client respond to e-discovery requests involving data stored on the EHR or questions regarding the functionality of the EHR. These might include assistance in structuring databases, converting historical data, responding to discovery requests or testimony regarding how the system works.
7. The client should also try to have the vendor commit to keep any interfaces up to date in response to changes in the vendor's software or changes in the third party product to which it interfaces.
8. In an application service provider (ASP) arrangement, the software resides with the vendor, not on the client's hardware. As with any software license or service negotiation, the details of the support obligations in an ASP structure should be carefully reviewed and negotiated with respect to response times, resource levels corresponding to severity levels, and service levels. For example, there should be a binding commitment to work without interruption to resolve any serious problem, with escalating levels of resources.

[23] For a broader discussion of elements to be negotiated in IT contracts, see the Health Information and Technology Practice Guide (Elisabeth Belmont, Ed., 2003) American Health Lawyers Association.

B. Obligation of the Client to Adopt the Vendor's New Releases as a Condition of Continuing to Receive Support
1. Most clients will want to delay adopting a new version until others have used it and the vendor has addressed any bugs that become evident in use by the early adopters. Agreements often express this as the right to remain one version behind the most recent release. As discussed in subsection C below, they may also need the right not to adopt a new release until the software has been certified by the Certification Commission for Healthcare Information Technology (CCHIT) in order to satisfy the interoperability requirement of the EHR Rules.
2. Hospitals that make EHR software available to members of their medical staff should include a similar requirement to stay current in their agreements with medical staff so that all users can stay on the same software and the costs of transition can be allocated appropriately.
3. The client needs to understand that the software and related services will change over time and allocate sufficient time and personnel to retrain periodically after the initial implementation.

C. Contract Provisions for Clients that Rely on the EHR Rules
1. Please note that most of the requirements of the EHR Rules need to be addressed outside of the vendor contract. Please refer to the preceding discussion of the EHR Rules in this chapter and to the Member Briefing[24] published by the Health Information and Technology Practice Group of the American Health Lawyers Association for a full discussion of the EHR Rules and sample contract language.
2. The EHR Rules require that the EHR technology made available must be interoperable when provided to the recipient or deemed interoperable because it has been certified by a recognized certifying body not more than 12 months before it is provided to the recipient.[25] The EHR Rules define interoperability as follows:[26]

Interoperable means able to communicate and exchange data accurately, effectively, securely, and consistently with different information technology systems, software applications, and networks, in various settings; and exchange data such that the clinical or operational purpose and meaning of the data are preserved and unaltered.

The currently recognized certifying body for purposes of the interoperability requirement is the CCHIT.[27]

3. In order to address the interoperability requirement of the EHR Rules, the client should receive a representation and warranty from the vendor that the licensed version and new releases of the software will be interoperable as defined in the EHR Rules. The vendor could make this representation based on the general definition of interoperability in the EHR Rules or if the EHR technology has been certified by CCHIT.
4. The client should be aware that some EHR vendors feel that the general definition of interoperability in the EHR Rules is too vague and they therefore choose to rely on CCHIT certification. This may present timing issues for future versions and the risk that the CCHIT certification standards may change.
5. If the vendor is not willing to promise that all future versions will be interoperable (either as defined in the EHR Rules or by CCHIT certification), one compromise would be to allow the client to delay moving to a new version until CCHIT certification or other evidence of interoperability is provided by the vendor. However, this will not address the need to use governmental updates and error fixes that might be included in the new (uncertified) version.
6. The EHR Rules also require that the EHR technology must include either electronic prescribing capability or an interface to the recipient's existing electronic prescribing system that meets the Medicare Part D standards.[28] The client therefore will want the vendor to represent and warrant that the technology meets this standard.

[24] The Final Regulations of Stark Law Exceptions and Anti-Kickback Statute Safe Harbors for the Donation of E-Prescribing and Electronic Health Records Items and Services (Edward F. Shay and Rebecca L. Williams, eds., 2008) American Health Lawyers Association Member Briefing.
[25] 42 CFR 411.357(w)(2) and 1001.952(y).
[26] 42 CFR 411.351.
[27] See http://cchit.org.
[28] 42 CFR 411.357(w)(11) and 1001.952(y)(10).

7. How the fees to the EHR vendor are determined and documented is important because the EHR Rules require the entity (typically a hospital) that provides EHR technology to physicians to document the total cost (not fair market value) of the EHR technology and to have the physician pay in advance at least 15% of the cost. It will be very helpful to have the hospital's contract with the EHR vendor include pricing on a per physician basis for fees payable with respect to the EHR technology so this element of cost can be determined.
D. Termination Provisions in Agreement between Client and EHR Vendor
1. Given the importance of EHRs to patient safety and general operations of the client, the client should consider adding a provision stating that in the event of a dispute both parties will continue to perform their obligations under the agreement until the dispute has been resolved. Counsel must draft these provisions carefully to preserve the client's ability to terminate promptly if necessary to comply with other legal requirements.
2. Escalation of disputes to senior officers, mediation and arbitration should also be considered in determining how to structure remedies for material breach.
3. Software licenses typically require that the client return all copies of the software and related documentation at the end of the license term.[29] Clients may benefit from negotiating the following exceptions in light of e-discovery requirements and possible medical professional litigation:
a. Allow the client to retain an archival copy of the most recently used software, all previous versions and all documentation for use in responding to e-discovery requests for documentation in its native format.
b. Allow use of the archived software and documentation in litigation regarding reimbursement, professional or other matters in which use of such items would help establish what the provider knew at the time of the act or omission in question and how it appeared. For example, it may be necessary to use an old version of the software to determine what information a physician who reviewed the EHR at a particular point in time could have seen and whether it was obvious on the initial screen or would have required further action to access it.
c. The right to use earlier software and documentation should be broad enough to permit use in disputes with the vendor.
4. If the vendor provides software on an ASP basis, it will be necessary to impose these requirements on the vendor itself because the client typically would never possess the software in an ASP arrangement.
5. Use of a source code escrow with respect to licensed software or ASP services may be advisable, with release conditions triggered by the existence of a dispute, pending litigation or governmental investigation in addition to typical release conditions.
6. Ability to continue to use the licensed software or receive the same support or ASP services during a wind down period is important because it typically takes a significant amount of time to implement a new system (including the time to select a new vendor if the change is unexpected). Single hospital clients commonly request a transition period of at least 18 months. Multi-facility systems may need a substantially longer time.
7. In addition to continuing the services that were the subject of the agreement, the client may need assistance from the current vendor to convert data and facilitate the change to a new vendor's system. In some situations, it may be extremely difficult to have an effective transition without cooperation from the prior vendor. (Organizations and their counsel need to remember this aspect of the relationship when dealing with disputes during the course of the agreement, as well.)

[29] It should be noted that the need to use previous versions may exist during the term of the license or ASP arrangement, so these concerns should also be addressed in the contract with respect to use of prior versions during the term.

E. Use and Termination by Physician
1. Assuming that the client is a hospital that makes the EHR vendor's software or services
available to nonemployed physicians, the vendor contract should specify the terms on
which such a physician[30] will be able to use the software or services. The following are
common approaches, but it is important that both the hospital and the physician understand the differences.
a. An agreement between the vendor and the physician on terms negotiated by the
hospital (the hospital typically would not be a party).
b. An agreement between the physician and the hospital that includes terms required
by the vendor, but the vendor would not be a party. It might be a sublicense of the
vendor's software with the software installed on the physician's hardware or an
agreement to provide services to the physician on an ASP basis with the software
used primarily on the hospital's hardware.
2. Under either approach, the vendor's standard contract may require the hospital to be fully
responsible for the physician's use of the software, including indemnification of patient
claims. The hospital should try to negotiate reasonable limitations on this potential liability with the vendor as discussed below. In any event, the physician should indemnify
the hospital for patient claims arising out of the physician's acts or omissions.
3. If the physician has entered into a direct agreement with the vendor, the agreement should
address whether the physician can continue to use the software and receive support after
the physician terminates its relationship with the hospital and the terms that would apply
to such an arrangement. The hospital may wish to require repayment of some or all of the
costs that it subsidized for the terminating physician if the physician stops participating
in the EHR arrangement prior to an agreed upon period.
4. If the physician's right to use the EHR comes solely from an agreement with the hospital,
the physician may negotiate for the right to continue to use the software after termination of its agreement with the hospital. This will depend on the willingness of both the
hospital and the vendor to agree in advance to continue the arrangement. As noted above,
the hospital may want to condition such continuing use on the repayment of some or all
of the amounts that it previously subsidized for the EHR.
[30] For purposes of the following discussion, the term "physician" is used for ease of reference rather than referring also to
physician groups and other healthcare providers.
5. From the hospital's perspective, it may want the right to reassign the license used by
a departing physician to a new physician and not pay any additional license fee to the
vendor.
6. In addition to use of the EHR software and support, the contract between the hospital
and the physician needs to address many issues that are beyond the scope of this outline,
including how to handle information regarding patients of a terminating physician.
F. Implementation Costs and Timing
1. Cost overruns and delays are widely reported in EHR system implementations. Contract
provisions may provide some degree of protection. Effective terms only work, however,
when the client understands and commits to both the internal and external resources required to implement the EHR system.
2. At a minimum, the parties should agree on an initial implementation plan and a process
for updating it during the term, specifying who at the client has the authority to authorize
material changes.
3. If possible, the vendor should be responsible for the overall implementation except for
specific items assigned to the client. If this is not acceptable, a compromise approach
would be to have the vendor be responsible for making sure that all necessary implementation tasks are listed on the implementation plan, with each party then responsible for
completion of its responsibilities by specific deadlines.
4. In order to reduce the risk of a "blank check" implementation, consider negotiating a
threshold dollar amount that, if exceeded, will result in a lower hourly rate or a percentage sharing of cost overruns. Another approach is to give the client the right to cancel if
the parties cannot agree on a more definite implementation plan within a stated period
after signing the contract, although a publicly traded vendor may find this unacceptable
due to revenue recognition requirements.
G. Warranties
1. The software and services will have the features and functionality described in the vendor's response to the request for proposal (RFP) and any other specific functions that the
client expects. (Note that the vendor may not agree to provide a warranty with respect to
its RFP response unless the RFP included this requirement.)
2. The software will function in accordance with the vendor's documentation. Many vendors do not normally provide documentation until after the contract is signed, but the
purchaser must obtain and review it in advance for this warranty to be meaningful.
3. The vendor's services will be provided in a professional, competent and workmanlike
manner.
4. There is no infringement or misappropriation of a third party's patents, trademarks, trade
secrets or other intellectual property. To avoid the risk of infringing a business process
patent, the agreement should address services as well as the software and documentation.
5. There is no pending or threatened litigation involving the software or services.
6. The EHR software is interoperable or deemed interoperable as defined in the EHR
Rules.
7. All of the vendor's software functions together in an integrated manner and interfaces
efficiently and accurately to third party software.
8. A readable version of the entire EHR can be printed consistently, including information
from interfaces and other sources that the system allows the client to include in the EHR
(e.g., scanned documents) and metadata. Printing copies might be a problem area for
some vendors so the best approach is to include these items in the RFP and evaluate the
responses before selecting a vendor. At a minimum, raising these issues at the warranty
stage should enable the client and its counsel to understand and plan for the issues that
may arise in litigation involving records produced from EHRs.
9. All necessary hardware, network connections, software and databases have been disclosed. If the vendor has recommended or required some of these third party items, the
vendor should provide representations and warranties (for example, regarding the sufficiency of the hardware to work with the vendor software to provide certain response
times, subject to appropriate assumptions).
10. If the vendor is not a publicly traded company, the client should ask to receive its audited
financial statements as part of due diligence and should obtain a representation and warranty regarding the financial statements. The client needs to understand that the language
permitting termination in the event of the vendor's bankruptcy may not be enforceable if
there is no other reason for termination.
H. Acceptance Testing
1. As with other types of software, the client acquiring EHR software or services should
have the right to withhold a portion of the payments until successful acceptance testing
has occurred. Many vendors strenuously resist acceptance-testing provisions because
they may be a contingency that delays their ability to recognize the initial payments as
revenue under generally accepted accounting principles.
2. Structuring appropriate acceptance testing in EHRs that will be rolled out to many departments and physicians over a period of years presents even greater difficulties due to
the time involved and the risk that the system will not work well when fully rolled out.
3. Negotiating appropriate remedies for unsatisfactory acceptance testing can be challenging. Typically, the vendor will try to limit the refund to the license fees, excluding the
amounts spent on implementation and hardware. However, the client will want to have
all of these amounts refunded if it completely rejects the system.
4. The client should also consider whether it should have the option to require the vendor
to fix the problems disclosed in acceptance testing so the client need not choose between
terminating the entire system after the time and expense of implementation and accepting a system with known problems.

I. Assumptions, Client Obligations, and Exclusive Remedies
1. Counsel for the client needs to review carefully all assumptions and client obligations
with the appropriate business people in order to adequately negotiate these provisions
and obtain appropriate client resources. Vendors frequently introduce these at the end of
the negotiation and then they may appear only in the exhibits (or even in the footnotes).
2. Assumptions may have a significant impact on the vendor's pricing (either positive or
negative) so it is important to have them reviewed from both an operational and financial
perspective, including any foreseeable change in the assumptions due to possible acquisitions or divestitures.
3. In-depth discussions with the client's business personnel are needed if the vendor refuses
to change language stating that a particular remedy is the client's sole and exclusive
remedy for a breach. For example, if reperformance of a service is the sole remedy for
a breach of the obligation to provide the service in a competent, professional and workmanlike manner, the reperformance may not cure the initial breach.
4. General statements regarding client obligations may also result in disputes, for example,
if the client is supposed to provide sufficient or competent staff, provide all necessary resources or make necessary implementation decisions promptly. The obligations of the client should be as specific as possible so that the client knows what internal
resources are required and when important decisions will be made.
J. Divested Facilities
1. If the client plans to use the vendor's EHR for more than one facility, it is advisable to
add provisions that will permit a divested facility to continue to use the EHR software or
services during a transition period after the divestiture. Having an agreement in advance
regarding the price and minimum length of transition services generally makes it easier
to sell a facility and improves the quality of the transition.
2. The vendor may prefer to have a separate agreement with the new owner of the divested
facility rather than having the client provide the transition services directly. In either
case, the client will want to make sure that it is not responsible for the new owner's use
or misuse of the EHR software and services.
3. It may also be appropriate to negotiate for a decrease in the ongoing vendor fees if one
or more facilities are divested.
K. Responsibility for Clinical Decisions, Indemnification, and Exclusion of Consequential Damages
1. Disclaimers of consequential damages are typical in commercial software agreements,
but the client needs to understand that medical professional liability claims that might
arise in connection with the EHRs may involve consequential damages.
2. Risk management personnel and medical professional liability counsel should help evaluate and manage the risks that may arise from use of clinical decision support in EHRs,
including the creation of data regarding disregarded alerts that may be discoverable even
though it is not included in the patient's medical record.
3. Senior management, clinical personnel, risk managers, and medical professional liability
counsel should be made aware of the language in the EHR vendor's standard contract
that attempts to make the client fully responsible for use of the system and requires the
client to indemnify the vendor for almost all third party claims that may arise.
4. It is often beneficial to try to negotiate the following specific language if it occurs in the
vendor's contract:
a. Delete "loss of data" as a type of excluded consequential damage, especially if the
vendor maintains the data on an ASP basis or if it provides disaster recovery services.
b. Delete any disclaimer of an implied warranty of accuracy.
c. State that the following are exceptions to the general exclusion of consequential
damages: (i) damages arising from intellectual property infringement or misappropriation, (ii) personal injury or property damage caused by vendor's employees or
(iii) breach of confidentiality obligations, including the business associate agreement entered into pursuant to the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) privacy regulations.
d. Delete any statement that the software is complex and likely to contain some errors.
e. Delete provisions that require the client to test for errors in software and any updates
from the vendor. This may be impossible for the client to perform because it does
not have the knowledge necessary to perform such testing. It also raises the question
of whether the client could be deemed liable for breach of contract if it did not test.
5. The client should also note that the vendor's form contract might not include a reciprocal indemnification provision for third party claims caused by errors in the EHR system
due to the vendor's negligence or breach of the agreement. The client should consider
whether to try to negotiate such indemnification.
28.4 Regulatory Concerns: HIPAA, Stark, and Anti-Kickback

While a single healthcare provider can benefit from implementing an EHR system, the greatest benefits result from the networking of EHRs among healthcare providers, pharmacies and other
healthcare entities to create a full picture of a patient's healthcare history and needs. Yet the same
features that generate this promise also lead to the major regulatory concerns about EHRs: security and
fraud and abuse in the acquisition and implementation of the systems.
Electronic records present a number of security risks that fall into two categories. First, the physical integrity of the data must be protected from a different set of hazards than those facing paper
records. Second, the very accessibility offered by EHRs puts them at risk for unauthorized access.
The federal regulations surrounding EHR systems recognize these risks, and uniformly require that
providers address them during system implementation. The rest of this section addresses those issues
in more detail.
In 2004, President George W. Bush created the position of National Coordinator for Health Information Technology (NCHIT) within the Office of the Secretary of the Department of Health and
Human Services (Secretary) to support the creation and use of a nationwide interoperable EHR system
to handle most Americans' medical records by the year 2014. The President charged the NCHIT with
developing a nationwide interoperable health information technology infrastructure that:

• Ensures that appropriate information to guide medical decisions is available at the time and
place of care;

• Improves healthcare quality, reduces medical errors, and advances the delivery of appropriate, evidence-based medical care;

• Reduces healthcare costs resulting from inefficiency, medical errors, inappropriate care, and
incomplete information;

• Promotes a more effective marketplace, greater competition, and increased choice through
the wider availability of accurate information on healthcare costs, quality, and outcomes;

• Improves the coordination of care and information among hospitals, laboratories, physician
offices, and other ambulatory care providers through an effective infrastructure for the secure
and authorized exchange of healthcare information; and

• Ensures that patients' individually identifiable health information is secure and protected.

28.5 Patient Privacy and Security: HIPAA

Ensuring the privacy and security of the information contained within an EHR system is probably the most important consideration in its development and implementation. HIPAA addresses
these concerns directly. In addition, the Stark and Anti-Kickback provisions (discussed in more detail
below) provide incentives to meet specific standards for security and privacy of information stored on
EHRs.
The HIPAA Privacy Rule[31] and Security Rule[32] impose requirements on covered entities regarding the creation, storage, use and disclosure of patient protected health information (PHI). While the
Privacy Rule applies to all PHI regardless of form, the Security Rule applies only to electronic PHI
(EPHI). Since the Security Rule is unique to electronic PHI, the following discussion will address only
the requirements imposed by the Security Rule that affect organizations developing and implementing
an EHR system.
28.5.1 Scope of the Security Rule

The Security Rule contains three categories of standards: Administrative, Physical, and Technical.
They share some general characteristics:

• The Security Rule standards set a minimum level of security for electronic PHI. A covered
entity may choose to implement internal security policies and procedures that exceed the
Security Rule standards.

• The Security Rule allows scaled standards based upon the size, capabilities, and complexity
of the covered entity.

• The covered entity must perform internal risk analysis and vulnerability assessment.

• Failure to implement and comply with the Security Rule standards could result in the violation of the Security Rule standards and the Privacy Rule.

• The Security Rule standards are technology neutral; they do not require any particular technology but establish conditions once an entity incorporates technology.

[31] 45 CFR parts 160 and 164.
[32] 45 CFR parts 160, 162, and 164.

28.5.2 Security Standards

The Security Rule sets out 18 security standards or safeguards which fall into three categories:
administrative, physical, and technical. Thirty-five required and addressable implementation
specifications further define the standards. For addressable implementation specifications (AIS), the
covered entity has three options: (1) implement the specification, if it is reasonable and appropriate
for the covered entity; (2) if the AIS is not reasonable or appropriate, implement an appropriate and
reasonable alternative security measure to accomplish the purpose of the AIS; or (3) decide not to
address the standard after determining that the AIS is not reasonable and appropriate and that the
Security standards can still be met in another manner. The covered entity must document its rationale
for not adopting a security measure that addresses the AIS. Table 1 below outlines these standards and
the related specifications.
28.5.3 Business Associate Agreement Rules

In addition to the administrative safeguards, the Security Rule standards also require that covered
entities include in their business associate agreements language contained in 45 CFR 164.314(a)(2)
in order to protect the security of electronic PHI. The following template language reflects those
specifications:

• Business Associate shall implement administrative, physical, and technical safeguards that
reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI
that it creates, receives, maintains, or transmits on behalf of the Covered Entity.

• Business Associate shall report to Covered Entity [Optional: within ___ (___) business
days; or on a quarterly basis] any security incident of which it becomes aware, as such
term is defined in the HIPAA Security Rule. [Optional: The report to Covered Entity shall
identify: the date of the security incident, the scope of the security incident, the Business
Associate's response to the security incident, and the identification of the party responsible
for causing the security incident, if known. Thereafter, Business Associate shall provide periodic updates regarding the security incident, at Covered Entity's written request.]

• Business Associate shall ensure that any agent, including a subcontractor, to whom it provides EPHI agrees [Optional: in writing] to implement reasonable and appropriate safeguards
to protect EPHI.

28.5.4 Policies and Procedures and Documentation Requirements

Covered entities must maintain written records (which may be electronic) of the implemented
policies and procedures supporting security activities and of any required action, activity or assessment, including the following:

• Document the rationale if addressable implementation specifications are not implemented;

• Document and communicate to relevant staff security policies and procedures;

• Periodically update security policies, procedures and training; and

• Covered entities must maintain documentation (e.g., policies, procedures, and agreements
required by the Security Rule standards) for six years from the date of creation or the date
they were last in effect, whichever is later.

28.5.5 Security Rule Risk Management Practice Pointers

Those responsible for managing EHR risk should confirm that the appropriate staff has executed
the following steps, which will support HIPAA compliance and constitute much of the risk management process for the physical security of the system:
28.5.5.1 Administrative Safeguards

• Obtain a copy of the HIPAA Security Rule;

• Conduct a risk assessment of the current or proposed EHR system to identify security
threats;

• Assign responsibility to a workforce member to oversee security policies and procedures;

• Implement policies and procedures for preventing, detecting, reporting, and addressing security violations (including sanctions);

• Periodically review role-based access and make adjustments accordingly;

• Educate and train workforce members about their obligations to protect the privacy and security of PHI;

• Develop internal policies to address disciplinary actions and sanctions for unauthorized or
inappropriate access to PHI; and

• Update business associate agreements to include an agreement to abide by the Security Rule
standards.

28.5.5.2 Physical Safeguards


• Conduct a risk analysis of the physical security of computer stations and other hardware
through which PHI is stored, maintained, or transferred;

• Limit physical access to equipment and locations that contain PHI; and

• Develop policies and procedures addressing the back up and storage of electronic PHI and the
legal destruction of same.

28.5.5.3 Technical Safeguards

• Employ user IDs, passwords, access codes, biometrics, and other authentication tools to prevent unauthorized use;

• Employ security procedures to protect electronic PHI that is transmitted electronically;

• Conduct periodic audits of the EHR system to ensure that employees are not misusing the
system; and

• Educate and train workforce about the covered entity's security audit practices and plans for
enforcement.

28.6 Fraud and Abuse

The adoption of EHR systems has encountered resistance at the provider level for several reasons, including implementation expense, the time and energy to acquire and implement the system,
concerns about the system's effect on workflow, and Stark and anti-kickback concerns. Undoubtedly,
providers also fear the learning curve involved in adopting any new technology. Unfortunately, many
efforts by large hospitals or systems to support smaller providers as they grapple with these anxieties
could trigger regulatory violations.
Cost imposes one of the largest barriers to the development and implementation of a system wide
or regionally networked EHR. While larger healthcare providers, such as hospitals and large health
systems, usually have the financial resources to implement and maintain an EHR system, smaller providers do not. The potential for violating fraud and abuse laws discourages larger healthcare providers
from assisting physicians and other smaller entities in their efforts to acquire the systems. Because
they fear conflicting with fraud and abuse laws, many healthcare providers have chosen not to develop
and implement a fully functional and networked EHR system.
The Stark statute, the anti-kickback statute[33] and their corresponding regulations[34] address possible payment for referrals.

• Strict liability provisions, the Stark laws[35] impose possible civil penalties, including exclusion from the Medicare and Medicaid programs. They prohibit a physician and his or her
immediate family from making referrals for designated health services to an entity, and
prohibit those entities from submitting claims for prohibited referrals, where the physician (or
immediate family) has a financial relationship with the entity, unless an exception applies.

• The anti-kickback provisions[36] impose criminal penalties on those who willfully or knowingly solicit, offer, pay, or receive remuneration for a referral for which payment can be
made under a government program, unless the arrangement falls under one of several safe
harbors. As with Stark, violations of the anti-kickback law often result in civil monetary
penalties and exclusion from the Medicare and Medicaid programs, as well as large fines or
imprisonment.

[33] 42 U.S.C. 1395nn.
[34] 42 CFR part 411.
[35] 42 U.S.C. 1395nn; 42 CFR part 411.
[36] 42 U.S.C. 1320a-7b(b), 42 CFR part 1001.

The Stark and anti-kickback laws became obstacles to moving forward with the vision of a
nationwide interoperable EHR system. So, on August 8, 2006, the Centers for Medicare and Medicaid
Services (CMS), as required by the Medicare Prescription Drug, Improvement, and Modernization Act
of 2003 (MMA), published a final rule[37] establishing two exceptions to the Stark statute for certain
electronic prescribing and EHR arrangements that meet the conditions outlined below in Table 2.[38]
Similarly, on August 8, 2006, the Office of the Inspector General (OIG), as required by the MMA,
published a final rule[39] establishing two new safe harbors under the anti-kickback statute for certain
electronic prescribing and EHR arrangements that meet the detailed conditions described below in
Table 2.[40]
28.6.1 Stark and Anti-Kickback Exceptions

The Stark and anti-kickback EHR exceptions are nearly identical, and they allow nonmonetary
remuneration consisting of items and services in the form of software or information technology and
training services that is necessary and used predominantly to create, maintain, transmit, or receive
electronic health records, if the arrangements meet all of the 13 conditions in Table 2 (EHR table).
The Stark provisions apply when an entity (as defined by 42 CFR 411.351) provides the items and
services to a physician. The anti-kickback provisions address a broader pool of recipients such as health
plans or other individuals or entities that provide covered services and submit claims for payment.
The Stark and anti-kickback e-prescribing exceptions are also nearly identical, and they allow
nonmonetary remuneration consisting of items and services in the form of hardware, software, or
information technology and training services that is necessary and used solely to receive and transmit
electronic prescription information, if the conditions listed in Table 3 are met.
28.6.2 Key Differences between the EHR and e-Prescribing Exceptions

While the Stark and anti-kickback EHR provisions (EHR rules) are similar, and the Stark and anti-kickback e-prescribing provisions (e-prescribing rules) are also similar, there are some key differences
between the EHR rules and the e-prescribing rules.

• The category of items and services covered by the EHR rules (EHR Qualifying Technology)
is much broader than the category of items and services covered by the e-prescribing rules
(e-Prescribing Qualifying Technology). The e-prescribing rules apply to items and services
necessary and used solely to transmit and receive electronic prescription information, while
the EHR rules apply to items and services predominantly used to create, maintain, transmit,
or receive EHRs. Furthermore, the e-prescribing rules include hardware, while the EHR rules
do not.

• EHR Qualifying Technology and e-Prescribing Technology both must comply with standards
for e-prescribing adopted by CMS. However, the EHR rules also require that the items and
services be interoperable.

• Whereas the e-prescribing rules are concerned with criteria that take into account both directly
and indirectly the volume or value of referrals, the EHR rules are concerned only with methods that take into account directly the volume or value of referrals.

• Under the e-prescribing rules, there is no limit on the value of donation for E-Prescribing
Qualifying Technology. The EHR rules are more limiting and require a recipient to pay 15
percent of the donor's cost for the donated items and services, and the donor is prohibited
from financing such payments on behalf of the recipient.

• The EHR rules expire on December 31, 2013. The e-prescribing rules have no expiration.

[37] 71 FR 45140.
[38] 42 CFR 411.357(v), (w).
[39] 71 FR 45110.
[40] 42 CFR 1001.952(x), (y).

28.6.3 Managing the Fraud and Abuse Risk

This section outlines only basic information about possible fraud and abuse exposures generated
by multi-party EHR system development. Healthcare entities planning to share or network their technology need to include someone knowledgeable of these issues on their planning team. As systems roll
out, sound risk management also requires ongoing review for any changes in financial or supporting
relationships that could stumble into forbidden territory under the Stark and anti-kickback laws.
28.7 Conclusion

EHR selection, implementation, and operation offer tremendous opportunities to apply enterprise
risk management processes. These activities create risk and opportunity in many areas for a clinical provider or healthcare organization. The EHR forms the nucleus of a complex system that can
potentially affect clinical care, reimbursement, employee satisfaction, patient satisfaction and liability.
Managing all the risks requires a thorough understanding of the provider organization and the EHR
system, from the first choices in implementation to monitoring the system in practice and making
periodic adjustments. Retention and protection of data and the ability to reproduce it dependably can
protect the organization in disputes, whether with the government or an injured patient. These responsibilities merit multi-disciplinary support, with input from clinical staff, risk management, counsel, IT,
and other relevant departments. The time commitment may be significant, but the benefits in patient
safety, cost reduction and quality measurement should make it well worth the effort.

Table 1. HIPAA Security Rule: Security Standards

Each numbered standard is followed by its implementation specifications, marked (Required) or (Addressable).

Administrative Standards

1. Security Management Process
   - Risk Analysis (Required): Assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by entity.
   - Risk Management (Required): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
   - Sanction Policy (Required): Apply appropriate sanctions against workforce members who fail to comply with security policies and procedures.
   - Information System Activity Review (Required): Procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

2. Assigned Security Responsibility
   - (Required): Identify security official responsible for development and implementation of the required security policies and procedures.

3. Workforce Security: Implement policies and procedures to permit or deny access by the covered entity's workforce to electronic PHI, as appropriate.
   - Authorization and/or Supervision (Addressable): Procedures relating to workforce accessing electronic PHI or locations where electronic PHI might be accessed.
   - Workforce Clearance Procedure (Addressable): Procedures to determine if access is appropriate.
   - Termination Procedures (Addressable): Terminate employee's access to electronic PHI when employment ends or as otherwise required.

4. Information Access Management: Policies and procedures to authorize access to electronic PHI in conformity with Privacy Rule.
   - Isolating Healthcare Clearinghouse Functions (Required): If clearinghouse is part of larger organization, protect clearinghouse's electronic PHI from unauthorized access by larger organization.
   - Access Authorization (Addressable): Policies and procedures for granting access to electronic PHI.
   - Access Establishment and Modification (Addressable): Establish, document, review, and modify user's right of access to workstation, transaction, program, or process based on covered entity's access authorization policies.

5. Security Awareness and Training: Required for both covered entity workforce and management.
   - Security Reminders (Addressable): Periodic security updates.
   - Protection From Malicious Software (Addressable).
   - Log-in Monitoring (Addressable): Monitor log-in attempts and report discrepancies.
   - Password Management (Addressable): Create, change, and safeguard passwords.

6. Security Incident Procedures
   - Response and Reporting (Required): Identify and respond to suspected or known security incidents; mitigate harmful effects; document incidents and outcomes.

7. Contingency Plan: Protect systems containing electronic PHI from emergencies and other occurrences, such as fire, vandalism, system failure, and natural disaster.
   - Data Backup Plan (Required): Create and maintain retrievable exact copies of electronic PHI.
   - Disaster Recovery Plan (Required): Restore any loss of data.
   - Emergency Mode Operation Plan (Required): Enable continuation of critical business processes.
   - Testing and Revision Procedures (Addressable): Periodic testing and revision of contingency plans.
   - Applications and Data Criticality Analysis (Addressable): Assess relative criticality of specific applications and data in support of contingency plan.

8. Evaluation: Performance of a periodic technical and non-technical evaluation.
   - (Required): Evaluation covers all components of the Security Rule and not just the information systems.

9. Physical Safeguards

10. Facility Access Controls: Prevent unauthorized physical access to IT systems and the facilities in which they are housed, while permitting authorized access.
   - Contingency Operations (Addressable): Allow facility access in support of restoration of lost data under disaster recovery plan and emergency mode operations plan in event of emergency.
   - Facility Security Plan (Addressable): Safeguard facility and equipment from unauthorized physical access, tampering, and theft.
   - Access Control and Validation Procedures (Addressable): Control and validate access to facility and software for testing and revision purposes, based on role or function.
   - Maintenance Records (Addressable): Document repairs and modifications to facility security components.

11. Workstation Use
   - (Required): Specify proper functions and attributes of surroundings of workstations accessing electronic PHI.

12. Workstation Security
   - Physical safeguards for workstations that access electronic PHI, to restrict access to authorized users.

13. Device and Media Controls
   - Disposal (Required): Address final disposition of electronic PHI and/or the hardware or electronic media on which it is stored.
   - Media Re-use (Required): Removal of electronic PHI from media before media is made available for re-use.
   - Accountability (Addressable): Maintain record of movements of hardware and electronic media and any responsible person.
   - Data Backup Storage (Addressable): Create a retrievable, exact copy of electronic PHI, when needed, before movement of equipment.

14. Technical Safeguards

15. Access Control: Policies and procedures to allow access only to authorized persons and programs.
   - Unique User Identification (Required): Assign a unique name and/or number for identifying and tracking user identity.
   - Emergency Access Procedure (Required): Obtain necessary electronic PHI during emergency.
   - Automatic Logoff (Addressable): Terminate session after predetermined time of inactivity.
   - Encryption and Decryption (Addressable): Mechanism to encrypt or decrypt electronic PHI.

16. Audit Controls
   - (Required): Hardware, software, and/or procedural mechanisms that record and examine activity in IT systems containing or using electronic PHI.

17. Integrity: Protect electronic PHI from improper alteration or destruction.
   - Mechanism to Authenticate Electronic PHI (Addressable).

18. Person or Entity Authentication
   - (Required): Verify that a person or entity seeking access to electronic PHI is the one claimed.

19. Transmission Security: Technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network.
   - Integrity Controls (Addressable): Security measures to ensure that transmitted electronic PHI is not improperly modified without detection.
   - Encryption (Addressable): Mechanism to encrypt electronic PHI whenever deemed appropriate.


Table 2. Stark and Anti-Kickback EHR Provisions

The Stark exceptions and the Anti-Kickback safe harbors allow nonmonetary remuneration consisting of items and services in the form of software or information technology and training services that is necessary and used predominantly to create, maintain, transmit or receive electronic health records, if all of the following 13 conditions are met. Though they are very similar, both lists appear here for comparison.

Stark EHR Exception
(These only apply if an entity as defined by 42 CFR 411.351 provides the items to a physician.)

1. The software is interoperable (as defined by 42 CFR 411.351) at the time it is provided to the physician. Software is deemed interoperable if a certifying body recognized by the Secretary has certified the software no more than 12 months prior to the date it is provided to the physician.
2. The donor (or any person on the donor's behalf) does not take any action to limit or restrict the use, compatibility, or interoperability of the items or services with other electronic prescribing or electronic health records systems.
3. The physician pays 15% of the donor's costs for the items and services, and the donor (or any party related to the donor) does not finance the physician's payment or loan funds to be used by the physician to pay for the items and services.
4. Neither the physician nor the physician's practice, including employees and staff members, makes the receipt of items or services, or the amount or nature of the items or services, a condition of doing business with the donor.
5. Neither the physician's eligibility for nor the amount or nature of the items or services may be determined in a manner that directly takes into account the volume or value of referrals or other business generated between the parties. Notwithstanding this condition, the parties may make determinations of eligibility based on these factors:
   - The total number of prescriptions written by the physician (but not the volume or value of prescriptions dispensed or paid by the donor or billed to a federal healthcare program);
   - The size of the physician's medical practice (e.g., total patients, total patient encounters);
   - The total number of hours that the physician practices medicine;
   - The physician's overall use of automated technology in his or her medical practice (without specific reference to the use of technology in connection with referrals made to the donor);
   - Whether the physician is a member of the donor's medical staff;
   - The level of uncompensated care provided by the physician; or
   - Any reasonable and verifiable manner that does not directly take into account the volume or value of referrals or other business generated between the parties.
6. The arrangement is set forth in a written agreement that:
   - Is signed by the parties;
   - Specifies the items and services being provided, the donor's cost of the items and services, and the amount of the physician's contribution;
   - Covers all of the electronic health records items and services to be provided by the donor.
   This requirement is met if all separate agreements between the donor and the physician (and the donor and any family members of the physician) incorporate each other by reference or if they cross-reference a master list of agreements that is maintained and updated centrally and is available for review by the Secretary upon request. The master list must be maintained in a manner that preserves the historical record of agreements.
7. The donor does not have actual knowledge of, and does not act in reckless disregard or deliberate ignorance of, the fact that the physician possesses or has obtained items or services equivalent to those provided by the donor.
8. For items or services that are of the type that can be used for any patient without regard to payor status, the donor does not restrict, or take any action to limit, the physician's right or ability to use the items or services for any patient.
9. The items and services do not include staffing of physician offices and are not used primarily to conduct personal business or business unrelated to the physician's medical practice.
10. The electronic health records software contains electronic prescribing capacity.
11. The arrangement does not violate the Anti-Kickback Statute or any other law or regulation governing billing or claims submission.
12. The transfer of items or services occurs and all conditions in this exception are satisfied, on or before December 31, 2013.
13. The transfer of items or services occurs and all conditions in this exception are satisfied, on or before December 31, 2013.

Anti-Kickback EHR Safe Harbor
(These apply to transactions that provide items to qualified healthcare providers.)

1. The items and services are provided to an individual or entity engaged in the delivery of healthcare by an individual or entity that provides services covered by a federal healthcare program and submits claims or requests payment, either directly or through reassignment, to the federal healthcare program, or a health plan.
2. The software is interoperable at the time it is provided to the recipient. Software is deemed interoperable if a certifying body recognized by the Secretary has certified the software no more than 12 months prior to the date it is provided to the recipient.
3. The donor (or any person on the donor's behalf) does not take any action to limit or restrict the use, compatibility, or interoperability of the items or services with other electronic prescribing or electronic health records systems.
4. Neither the recipient nor the recipient's practice (or any affiliated individual or entity) makes the receipt of items or services, or the amount or nature of the items or services, a condition of doing business with the donor.
5. Neither the recipient's eligibility for nor the amount or nature of the items or services may be determined in a manner that directly takes into account the volume or value of referrals or other business generated between the parties. Notwithstanding this condition, the parties may make determinations of eligibility based on:
   - The total number of prescriptions written by the recipient (but not the volume or value of prescriptions dispensed or paid by the donor or billed to a federal healthcare program);
   - The size of the recipient's medical practice (e.g., total patients, total patient encounters);
   - The total number of hours that the recipient practices medicine;
   - The recipient's overall use of automated technology in his or her medical practice (without specific reference to the use of technology in connection with referrals made to the donor);
   - Whether the recipient is a member of the donor's medical staff, if the donor has a formal medical staff;
   - The level of uncompensated care provided by the recipient; or
   - Any reasonable and verifiable manner that does not directly take into account the volume or value of referrals or other business generated between the parties.
6. The arrangement is set forth in a written agreement that:
   - Is signed by the parties;
   - Specifies the items and services being provided, the donor's cost of the items and services, and the amount of the recipient's contribution;
   - Covers all of the electronic health records items and services to be provided by the donor (or any affiliate).
   This requirement is met if all separate agreements between the donor and the recipient (and affiliated parties) incorporate each other by reference or if they cross-reference a master list of agreements that is maintained and updated centrally and is available for review by the Secretary upon request. The master list must be maintained in a manner that preserves the historical record of agreements.
7. The donor does not have actual knowledge of, and does not act in reckless disregard or deliberate ignorance of, the fact that the recipient possesses or has obtained items or services equivalent to those provided by the donor.
8. For items or services that are of the type that can be used for any patient without regard to payor status, the donor does not restrict, or take any action to limit, the recipient's right or ability to use the items or services for any patient.
9. The items and services do not include staffing of the recipient's office and are not used primarily to conduct personal business or business unrelated to the recipient's medical practice.
10. The electronic health records software contains electronic prescribing capacity.
11. Before receipt of the items and services, the recipient pays 15 percent of the donor's costs for the items and services, and the donor (or any affiliated individual or entity) does not finance the recipient's payment or loan funds to be used by the recipient to pay for the items and services.
12. The donor does not shift the costs of the items and services to any federal healthcare program.
13. The transfer of items or services occurs and all conditions in this safe harbor are satisfied, on or before December 31, 2013.


Table 3. Stark and Anti-Kickback e-Prescribing Provisions

The Stark exception and Anti-Kickback safe harbor for e-Prescribing allow nonmonetary remuneration consisting of items and services in the form of hardware, software, or information technology and training services that is necessary and used solely to receive and transmit electronic prescription information, if all of the following eight conditions are met. The first conditions differ; the others are identical.

Condition 1 (differs between the two provisions)

Stark E-Prescribing Exception
1. The items and services are provided by: (1) a hospital to a physician who is a member of its medical staff, (2) a group practice to a physician who is a member of the group (as such terms are defined in Stark), or (3) a Prescription Drug Plan sponsor or Medicare Advantage organization to a prescribing physician.

Anti-Kickback E-Prescribing Safe Harbor
1. The items and services are provided by: (1) a hospital to a physician who is a member of its medical staff, (2) a group practice to a prescribing healthcare professional who is a member of the group (as such terms are defined in Stark), or (3) a Prescription Drug Plan sponsor or Medicare Advantage organization to pharmacists and pharmacies participating in the network of such sponsor and to prescribing healthcare professionals.

Conditions 2 through 8 (identical for the Stark E-Prescribing Exception and the Anti-Kickback E-Prescribing Safe Harbor)

2. The items and services are provided as part of, or are used to access, an electronic prescription drug program that meets the applicable standards under Medicare Part D at the time the items and services are provided.
3. The donor (or any person on the donor's behalf) does not take any action to limit or restrict the use or compatibility of the items and services with other electronic prescribing or EHR systems.
4. For items and services that are of the type that can be used for any patient without regard to payor status, the donor does not restrict, or take any action to limit, the physician's right or ability to use the items or services for any patient.
5. Neither the physician nor the physician's practice (including employees and staff members) makes the receipt of items or services, or the amount or nature of the items or services, a condition of doing business with the donor.
6. Neither the physician's eligibility for nor the amount or nature of the items or services is determined in a manner that takes into account the volume or value of referrals or other business generated between the parties.
7. The arrangement is set forth in a written agreement that:
   - Is signed by the parties;
   - Specifies the items and services being provided, the donor's cost of the items and services;
   - Covers all of the electronic prescribing items and services to be provided by the donor (or any affiliate).
   This requirement is met if all separate agreements between the donor and the physician (and the donor and any family members of the physician) incorporate each other by reference or if they cross-reference a master list of agreements that is maintained and updated centrally and is available for review by the Secretary upon request. The master list must be maintained in a manner that preserves the historical record of agreements.
8. The donor does not have actual knowledge of, and does not act in reckless disregard or deliberate ignorance of, the fact that the physician possesses or has obtained items or services equivalent to those provided by the donor.


29
Radio Frequency Identification: A Challenge for Healthcare
Joshua I. Rozovsky
The Rozovsky Group, Inc./RMS
Phyllis F. Granade, Esq.
Adorno & Yoss

29.1 Introduction

Radio Frequency Identification (RFID) technology is often misunderstood in the healthcare arena.
Much of the opposition to RFID implementation stems from misconceptions regarding its capabilities: that RFID allows individuals or objects to be tracked with pinpoint accuracy everywhere they
go. Discussions over injectable RFID tags (implants) have raised issues of ethical use of RFID
technologies, and led to legislation in several states banning the forced implantation of RFID tags.1
Some critics voice concerns that information on a tag, such as a social security, passport, or credit card
number, might be intentionally corrupted or stolen from a distance. A major manufacturer has created
RFID-shielded envelopes.2
RFID is an extremely valuable technology in the healthcare setting, and has already seen wide use
in healthcare environments and pharmaceuticals. With EPC or barcode identification, products such as
pharmaceuticals can be traced back to the manufacturer and identified globally via the Internet-linked
EPC or GS1 database. Data about the particular drug, or which patients are taking it, are not stored
on the RFID tag, or in the EPCglobal database. That information would be stored in the healthcare
facility's own servers and the EPC Code (e.g., tag serial number) would be linked to that patient or
drug information.3
There remain competing standards for RFID tags, with many available choices for tag type and
capability. Implementing a successful RFID strategy requires understanding of the multidisciplinary
risk factors associated with this technology, and requires close cooperation between multiple parties
in the organization, from shipping and receiving to security, physical plant, IT, contracting, pharmacy,
and any outside contractors working in the facility.

1 North Dakota and Wisconsin have banned the involuntary insertion of RFID chips into employees. See, N.D. Code 12.1-15, Wisc. Stat. 146.25.
2 National Envelope Corporation. Smart Card Guard Envelopes. These envelopes would protect the enclosed RFID chip from being skimmed or read by a hacker's RFID reader. http://www.nationalenvelope.com/prod/SmartCardGuardEnvelopes.htm.
3 An Accountable Supply Chain: Pharmaceutical Pedigree Handout. Healthcare Distribution Management Association. www.healthcaredistribution.org/issues_in_dist/pdf_epc/AIDC-0403-1_pharma0516033.pdf.

29.2 What is RFID?

The term RFID can describe several different types of systems. This has been a source of
confusion for prospective buyers of RFID systems, and for advocates concerned about privacy and
security. Failing to understand the different types of RFID devices can also lead to disappointment
when purchased systems are found to be incompatible with a new type of asset to be tagged or with
existing IT infrastructure. Alternatively, poorly planned systems may be vulnerable to, or the cause of,
electromagnetic interference.
RFID tags are a combination of a radio receiver and transmitter (called a transponder), antenna(s),
memory, and a controller. Typically, these devices are manufactured to contain just a microchip and
one or more antennas. The chip and antenna are placed inside a paper, plastic, or glass capsule or label
that can then be affixed to an object.
RFID is often implemented as a smart label. Information about the object (such as an inventory
or patient number) can be retrieved by computer when a user scans the tag. In this sense, RFID is often
described as a barcode replacement. RFID tags can offer several advantages over barcoding:4

Tags do not have to be directly exposed to the reader, so tags on objects in a box can be
scanned without unpacking

Because the tag does not have to be on the outside of the packaging, the tag can be more
durable than a barcode

Tags do not have to be as carefully lined up with the scanner

Anywhere from dozens to thousands of tags can be scanned in quickly and automatically,
instead of requiring slow, sequential scanning

Some tags allow the tag data to be changed by the user (they have read/write capabilities).

More advanced tags offer even greater potential benefits:


Groups of tags can be selected by the reader and their data read, or even changed

More complex tags can contain multiple pages of information.

More complex tags have encryption and password functionality, and access to the data can be
password-locked

Some tags can be permanently disabled by issuing a password-protected kill command

Some advanced types of tags (semi-passive and active) can be connected to sensors or beacon
information, allowing for telemetry functionality and real-time location tracking.

4 RFID in Healthcare: A Panacea for the Regulations and Issues Affecting the Industry? UPS Supply Chain Solutions, White Paper. 2005. http://ups-scs.com/solutions/white_papers/wp_RFID_in_healthcare.pdf.


29.3 Types of RFID Tags

Passive tags (the most common) have no battery. If the tag is brought close enough to an
external reader (also called an interrogator), the reader's transmissions provide instructions to the tag,
such as to retrieve the information stored in it. The reader emits enough radio-frequency energy to
provide the electricity needed to operate the tag, allowing it to transmit its responses back to the reader.
Because there is no battery to malfunction or run out, the tags can be very small and have a longer
lifespan. The tag will remain off until it encounters a compatible RFID reader, which powers
it wirelessly. Appropriately selected tags can be placed almost anywhere any other type of label (such
as barcodes or property tags) could be placed, and can also be hidden inside packaging. The range of
passive tags is less than that of the battery-assisted tags described below, with actual range varying
significantly based upon the frequency chosen.
Two types of RFID tags do have onboard batteries. It is important for healthcare risk managers
to understand the differences between these devices because their relative risks differ significantly in
terms of implementation, cost, and privacy concerns.

Semi-passive tags (sometimes also called battery-assisted passive or semi-active tags) contain
a battery to help power the microchip inside the tag and any sensors packaged with it. Like
passive tags, the semi-passive tag does not transmit anything until it is queried by the external
reader. For example, a semi-passive tag with a temperature sensor could populate a chart of
the temperatures encountered by a shipment of drugs during transport and communicate that
information when queried by a reader. Semi-passive tags will have a much greater range than
passive tags because the chip receives assistance from the battery in turning itself on. The
disadvantage of any battery-connected tag is its much greater cost and size compared to
passive devices.

Risk Management Tip: Risk managers should be aware of any deployment within the organization of semi-passive tags because the extended range can increase privacy and security
concerns. An advantage of semi-passive and active tags over passive systems is that despite
their greater range, they require less radio frequency (RF) output power to achieve that range
because the RF signal from the tag only needs to convey information back to the reader. In a
passive system, the reader must emit much more power because its RF output has to turn on
and power the passive tags within range.

Active tags do not require a reader to power the communication at all. Active tags contain
a battery and a more advanced transmitter. Active devices can often initiate communications without an interrogator first querying them. Some tags may be configured to require
reader activation (they are normally in sleep mode) similar to semi-passive tags. These
tags are larger, more expensive, and have been used in the container shipping industry and
in locating and storing information on railroad cars. When used with three or more readers
in different locations, they can form a real-time location system based on triangulation. If
global positioning system (GPS) receivers are interfaced to the tag, this can provide another
means of real-time tracking in areas where the GPS satellite signal can be received (generally
outdoors). In healthcare, medical equipment carts and other expensive, portable devices may
use active tags because readers throughout the healthcare entity would be able to receive the
location beacon signals from the active tag. With a passive system, the location of the cart
would be tracked based on the last location at which a reader scanned it in, such as the entry
point to a floor or building.

Risk Management Tip: Legal counsel must be aware of the use of active tag technology in
healthcare settings. Limits on active tag technology should be clearly defined in any RFID
implementation strategy, with an approval process for the use of such devices. Clear guidelines must be established if active tags, such as ankle bracelets, are used to track patients.

29.4 Frequency and Range of RFID Tags

Beyond passive, active, and semi-passive RFID tag types, other technical characteristics can significantly affect the risk opportunities presented by a particular RFID implementation proposal. The
range of the tags and readers is of significant concern for several reasons, including:

Privacy & Security: from how far away can someone read or modify the data on the tag, or
track its location?

Interference: Longer-range readers and tags are more likely to interfere with each other
(called a collision). More powerful readers can also be a source of electromagnetic interference to other electronic devices in a healthcare environment. In recent tests published by
JAMA, RFID devices caused 34 electromagnetic interference incidents in 123 tests of medical devices, at a median range of 30 cm.5

Incompatible Frequencies and Related Issues: RFID readers and tags designed for a particular frequency are not compatible with those designed for another frequency; a
high-frequency (HF) reader cannot read ultra high frequency (UHF) tags. Meanwhile, a low-frequency (LF) system may use tags with a very small data capacity and shorter range, but
could provide better penetration of liquids, and fewer problems around metallic items. This
is why LF tags are used in implantable tags, and often seen on bottles of liquid formulations
and metal cans. Each frequency range also provides new opportunities for potential electromagnetic interference with different existing systems (or systems that might be added to the
healthcare environment later) that occupy nearby frequencies.

Differences in International Standards: Note that other countries may employ different frequencies for their UHF and microwave tags, rendering them incompatible in the U.S. This
is of some concern if the healthcare entity seeks to incorporate manufacturer-installed RFID
tamper-resistant or anti-counterfeiting seals into a pharmaceutical safety program. The
only globally accepted frequencies are those at LF and HF.6

Other Issues: The system's frequency can affect other limitations, including what materials the tag can be attached to, how much data the tag can store, and how many tags can be read at one time. For example, the type of RFID tags attached by the hospital in a pharmacy may no longer function if the packaging of the medications has changed because at that frequency, the packaging material weakens or reflects the radio signal. Likewise, a medication distributor may change formulations or their embedded tag frequency or tag type, rendering it incompatible with the RFID system used by the hospital pharmacy.

[5] van der Togt, van Lieshout, Beinat, Binnekade, Bakker. Electromagnetic Interference from Radio Frequency Identification Inducing Potentially Hazardous Incidents in Critical Care Medical Equipment. JAMA, Vol. 299, No. 24, p. 2884, June 25, 2008.
[6] Sweeney, Patrick J. CompTIA RFID+ Study Guide. Indianapolis: 2007, p. 120.

29.5 RFID Tag and Data Standardization

The purpose of any RFID tag is to link data to the tagged object or person. For a small LF or
HF tag, this is often done in much the same manner as a traditional barcode: the scanned barcode or
RFID chip provides a number linked uniquely with a particular record. That record is then retrieved
from a database and displayed either in print or on-screen, or the system automatically modifies the
record in the database (such as counting items of that type in inventory). For pharmaceuticals and
general-purpose items, some electronic product codes (EPC codes) can be linked to the manufacturer
via global databases such as that maintained by EPCglobal, an organization focused on creating global
standards for RFID.
In order for the tag to communicate with a database or interface correctly with a reader, the information retrieved from the tag's memory and the protocol used for the radio communication between
the devices have to follow the same data and air standards. The chosen standards must reflect the
long-term interoperability requirements of a healthcare data system. Maintaining the standards-compliance of a system should be a consideration in any contracting bid. Several organizations promote
basic RFID standards, including GS1, EPCglobal, and the ISO. There are currently two generations
of RFID technologies recognized. Generation 2 is the current standard, which is divided into various
classes of tags. These classes specify certain tag features, such as encryption, sensors, tags that also
can be readers, and tags with extra memory capacity. Most tags with these features are not yet recognized as meeting these EPC class standards. There are also many vendor-specific, manufacturer, and
facility-based proprietary standards in use:

International Standards Organization: The ISO has defined standards for RFID tags and their
uses, such as non-contact access control passes. Some ISO standards have been incorporated
into the EPC standards and vice-versa.

GS1 and EPCglobal: Many UHF tags now use the EPC standards by GS1, an industry organization. EPCglobal supports RFID technologies in the GS1 system. Current EPC implementations allow the unique EPC code to be looked up on the EPC database to obtain its history. Some tags have a user-writable area (for use at the facility's discretion, such as a patient identification number).[7]

Dangers of a proprietary RFID system (a system that is unique to a particular network or manufacturer): The risk with proprietary standards is that switching vendors may become costly, as none of the old tags or infrastructure will function. Replacement parts and software may prove difficult to acquire, and the collapse of the proprietary-system contractor could leave the institution without any support options or replacement for single-use tags. A proprietary standard can be successful for a very large organization (such as the military) or when an organization can tolerate multiple standards. A proprietary system creates problems if outside tags may need to be accessed, such as those worn by patients in emergency medical jewelry or implants. Proprietary systems also may not provide more security despite a secret standard that they may claim to follow. Some proprietary RFID encryption systems have been cracked.[8]

[7] GS1 Systems of Standards GS1 Healthcare Standards. http://www.gs1.org/sectors/healthcare/standards/.

29.6 Regulatory Approvals by the Federal Communications Commission

RFID readers, semi-passive, and active tags are all powered radio transmitters. As a result, the
Federal Communications Commission (FCC) has authority to regulate the transmissions from these
devices. The regulations promulgated by the FCC regarding radio frequency devices are found at
47 C.F.R. Part 15. Frequencies are selected for RFID use in the U.S. pursuant to frequency allocations
and international agreements. Different regulatory processes result in differences in RFID devices,
including frequency assignments around the world. It must be noted that all RFID devices must be
certified by the FCC in the U.S. Licensure may be required for operation of transmitters if they exceed
the power output limits specified by the FCC.
It is important to ensure that tags and readers used in the U.S. are certified by the FCC, use International Telecommunication Union Region 2 (North and South America) frequency allocations, and
do not exceed FCC power output limits. The certification of RFID readers and other equipment can
be checked online.[9] Changing the antenna on a reader can increase the effective power output of a
reader, requiring its transmitter power to be reduced. Legal counsel needs to verify that readers sold
to the healthcare facility by outside vendors meet FCC specifications. Contracts with outside vendors
must include a means for recovery and replacement of readers found to have been decertified or sold
improperly. The FCC should be notified of any apparent interference problems that conflict with Part
15 regulations, under which non-licensed RFID devices may operate.[10]
The FCC also regulates radio frequency safety. Debate continues over the exact dangers posed
by radio waves (RF radiation). While the power of RFID installations is very low compared to many
other types of radio transmitters, including some portable handheld radios, healthcare organizations
should incorporate RF safety into personnel training. Safe exposure limits should be discussed with
outside vendors, documented carefully, and updated if any changes are made to the installation (such
as adding a new antenna, shortening a cable to the antenna, or increasing the reader power output).
Part 15 regulates radiated emission limits.[11]

[8] RFID Crack Raises Spectre of Weak Encryption. InfoWorld. Paul Roberts. http://www.infoworld.com/article/05/03/17/HNrfidcrack_1.html?RADIO%20FREQUENCY%20IDENTIFICATION%20-%20RFID.
[9] Federal Communications Commission, Office of Engineering and Technology. FCC ID Help. http://www.fcc.gov/oet/fccid/help.html.
[10] 47 C.F.R. Part 15.
[11] 47 C.F.R. § 15.109.

29.7 Food and Drug Administration Regulation

29.7.1 Implantable and Other Patient Safety Related RFID Devices

When the RFID tags are used in a medical device, FDA regulation is also a concern. A number
of RFID devices have been approved as medical devices by the FDA. Tagging surgical instruments,
using non-approved RFID telemetry tags without authorization, or other non-approved uses for RFID
tags are potential sources of liability. The FDA has issued letters permitting the marketing of at least
two RFID chips pursuant to the 510(k) medical device process. In 2004, the FDA cleared a surgical
marker, the SurgiChip, consisting of a tag or smart label with an integrated passive transponder, along
with a printer, encoder, and RFID reader. According to an FDA Talk Paper, SurgiChip works as
follows:
The patient's name and surgical site are printed on the SurgiChip tag. The inside of the tag
is encoded with the date of surgery, type of procedure and name of the surgeon. The tag is
scanned with a desktop RFID reader for confirmation by the patient and is then placed into the
patient's hospital file. On the day of the surgery, the tag is removed from the file and scanned
again, and the encoded information is verified by the patient. The tag, which has an adhesive
backing, is then placed on the patient's body near the surgical site. In the operating room, the
tag is again scanned and the encoded information is verified with the patient's chart. The tag
is removed just before surgery and returned to the patient's hospital file.[12]
The other RFID chip cleared for marketing by the FDA as a Class II medical device is the VeriChip
Health Information Microtransponder System, an implantable RFID prescription device. According
to the FDA's 2004 letter to the Digital Angel Corporation permitting the marketing of the device:
The VeriChip Pocket Reader is indicated for use as a portable instrument that noninvasively reads the ID number of an implantable microchip that is inserted in the arm of the
patient. When activated, the VeriChip Pocket Reader displays a unique identification number
that may be used to access the patient's identity and authorized health information from a
secure database. The VeriChip is indicated for use as a miniature implantable microchip
that is inserted into the subcutaneous tissue of the patient. The VeriChip provides the patient
a unique identification number that may be used to access a database containing the patient's
identity and health information.[13]
Importantly, the FDA notes in the VeriChip letter that certain special controls are applicable to this device because it is implantable. Absent meeting these special controls, the FDA states that an implantable RFID device would be considered a Class III device subject to far more stringent requirements prior to marketing. Any entity considering implanting RFID devices in humans must consider the FDA regulation found at 21 C.F.R. § 880.6300, Implantable Radiofrequency Transponder System for Patient Identification and Health Information, which limits implantable RFID devices under the Class II category to those devices that are:
intended to enable access to secure patient information and corresponding health
information include[ing] a passive implanted transponder, inserter and scanner. The
implanted transponder is used only to store a [unique ID] read by the scanner. The identification
code is used to access patient identity and health information stored in a database.[14]
As noted by the FDA, the potential risks to the human receiving an implantable RFID device such as the VeriChip might include: adverse tissue reactions; migration of the device; compromised electronic security; failure of the device, inserter and/or scanner; electromagnetic interference; electrical hazards; and MRI incompatibility.

[12] See FDA Talk Paper, T04-51, November 19, 2004.
[13] See the FDA's letter dated October 12, 2004 to James Santelli, VP and CFO of Digital Angel Corporation.

29.7.2 ePedigree: Tracking and Preventing Counterfeit Drugs

Congress and the FDA are pursuing the possibility of regulation requiring the use of RFID to track
the manufacture and distribution of pharmaceuticals. This type of regulation or program is frequently
referred to as an ePedigree program. In April of 2008, a bill was introduced to Congress (H.R. 5839)
entitled the Safeguarding America's Pharmaceuticals Act of 2008, which would amend the FDCA to
require the issuance of regulations to establish an effective drug identification and tracking system
through which drug manufacturers, repackagers, wholesale distributors, and dispensers may authenticate the wholesale distribution history of any prescription drug. H.R. 5839 would require the FDA
to propose ePedigree regulations no later than March 31, 2010, and to issue final regulations no later
than a year after the proposed regulations are promulgated. The proposed Act requires the FDA to
develop regulations that:
(i) establish standards for electronically accessible and interoperable databases through which
drug manufacturers, repackagers, wholesale distributors, and dispensers may authenticate the
wholesale distribution history of prescription drugs using the numerical identifiers required
under paragraph (2), while maintaining the proprietary information of each entity;
(ii) require the manufacturer or repackager of a prescription drug to apply such numerical identifier in at least 1 standardized form that is electronically readable;
(iii) require the repackager of a prescription drug to link electronically within such databases the
numerical identifier applied to the drug by the repackager to the numerical identifiers applied
to the drug by the manufacturer or previous repackager;
(iv) require each person that receives a prescription drug in wholesale distribution to authenticate
the transaction history of the drug by authenticating the numerical identifier with the appropriate database; and
(v) require protections to ensure patient privacy, in compliance with the regulations promulgated
under section 264(c) of the Health Insurance Portability and Accountability Act of 1996.

[14] Id.


Some states already have passed pedigree legislation in an effort to prevent the distribution of
counterfeit drugs. The first was Florida, whose law became effective in 2006; however, the law does
not require an electronic or RFID tracked pedigree. See Fl. Stat. § 499.01212. According to the Florida
law, each person who is engaged in the wholesale distribution of a prescription drug must, prior to or
simultaneous with each wholesale distribution, provide a pedigree paper to the person who receives
the drug. The Florida law regulates pharmaceutical wholesalers and distributors.
California passed an ePedigree statute that was to become effective in January 2009, but due to
technical difficulties, the compliance deadline has been extended by the California Board of Pharmacy
to 2011. The California law requires pharmaceutical manufacturers to create unique identifiers for
products, track each product's pedigree and maintain electronic supply chain records. See California
Bus. & Prof. Code §§ 4034, 4163.

29.8 Using RFID in Healthcare

RFID is already becoming widely used in healthcare. Listed below are only a few possible uses
for which the technology could be deployed as new RFID products are brought to market. As discussed
previously, many of these applications require different frequencies and types of tags. A healthcare
entity may use several types of RFID systems throughout its organization, including low-frequency
RFID tags on smart cards used to access employee-restricted areas, HF tags in pharmaceuticals
tracking, UHF-passive tags for storing patient information on a wrist bracelet, and UHF-active tags
for determining in real time the location of a critical piece of equipment and its current usage or maintenance status.
Note that many of these applications may overlap, and that some may not yet be recognized as a
standard by GS1/EPCglobal. As an example of overlap between categories, a patient fall detection
active tag (an active tag used to signal the emergency) could also provide a means of immediately
locating the downed patient, known as a real time location system or RTLS. (See the Recommended
Reading list at the end of the RFID section for additional reference materials regarding potential RFID
applications in healthcare.)

Potential Active Tag Applications: Battery-supported tags that transmit to nearby RFID readers include the following:
o Bed check systems: alert based on status of patient activity, movement to/from bed.
o Restroom or staff assistance/call buttons: detect patient call button activation, door opening to a restroom, flushing of toilet, or use of the sink.
o Fall alert/detection: manual or automatic alarm.
o Medical telemetry: sending medical telemetry data via RFID.
o Intrusion and building emergency alarms: alert activated in response to fire, flooding, carbon monoxide, panic alarm, glass break, window or door opening, etc.
o Medical equipment activation: sends a signal to nearby readers if the equipment is turned on. Could also be configured to transmit a signal when ready for use (such as when the batteries are fully charged or when a sensor detects the equipment is being moved).
o As part of an invasive medical device: While most invasive tags are passive LF units, it is possible that RFID active tag technology could be incorporated into an invasive or implantable device, either permanent or temporary. A novel use could be seen in future pacemakers, for example. If an emergency is detected, the device could use active tag technology to radio for help to an external reader that would then alert emergency services.

Potential Real-Time Location System (RTLS) active tag applications: These are active tag applications (discussed previously) that use three or more readers, or GPS technology, to show in real time where the tagged object is located in a facility.
o Active patient surveillance: sends a beacon periodically to nearby RFID readers, which use triangulation techniques to determine the tag location. Alternatively, the active tag may rely on a satellite GPS signal outdoors to determine location information, which is then transmitted to nearby RFID readers. RTLS can be used to prevent elopement and abduction with location information. To be effective, the system has to transmit frequently enough so that the location displayed on the monitor is recent enough to be useful.
o Active provider tracking: locate personnel within the institution. This is the same application as patient tracking, but used to locate personnel within a facility.
o Locating critical equipment, containers, or vehicles in real time.

Potential semi-passive tag applications include the following:
o Monitoring of equipment and pharmaceuticals in transport, possibly equipped with sensors for logging applications.
o Monitoring of equipment and pharmaceuticals, including blood product, when in storage.
o Tracking of equipment, assets, supplies, or pharmaceuticals in cases where a longer read range is needed over passive tags.
o Vehicle or cart access controls (similar to the EZPass highway-toll system).
o Medical telemetry applications where the semi-passive tag stores data to be downloaded to the care provider system. This could include devices such as a home blood pressure monitor, implantable device controller, or insulin pump that will download their data when interrogated by the care provider's reader unit.
o Any application requiring a longer range where extra signal strength is required to overcome existing sources of interference, but an active device is not required.

Passive tag applications: most current RFID tags are of the passive type. These have been used traditionally for inventory control applications, but UHF and microwave tags that contain larger memories are finding use as data storage devices in their own right. Some tags include random-number generator capability, encryption, and passwords. These features are especially valuable when the device contains individually identifiable health information, but also where anti-counterfeiting, source-verification, or authentication is required.
o Inventory control: tracking non-medical general items throughout the supply chain by scanning them in at various points, such as loading, delivery, warehousing, or repackaging stages. By knowing when and where the tag was scanned, its progress through the supply chain can be monitored.
o Tracking patient-owned or patient-supplied property in the healthcare institution: this may be particularly useful in nursing facilities, especially for tracking dentures, eyeglasses and personal medical equipment.
o Inventory control for pharmaceuticals: tracking pharmaceutical products throughout the healthcare supply distribution network and within the healthcare organization; detect expired products.
o Tracking use patterns for medical devices: i.e., keeping an electronic record tagged to the device that would contain a record of when and with whom it was used, records of sterilization and maintenance issues, and when the device is scheduled for disposal, sterilization or replacement.
o Tracking the timely and/or appropriate destruction of waste products and records to be destroyed. Just as it is important to track the progress of some items throughout the supply chain, healthcare organizations need to track the process by which decommissioned devices, personally identifiable records, soiled linens, hazardous materials (chemical and biological), and expired products are removed from the facility and disposed. Tracing these items until proper destruction is verified prevents diversion of products into illicit reuse, or accidental reprocessing (e.g., to assure destruction of all appropriate devices following exposure to Creutzfeldt-Jakob Mad Cow Disease).
o Authenticating the legitimacy of a medical device or pharmaceutical (an RFID seal) and ensuring that it is not a counterfeit or decommissioned device.
o Authenticating paper records or documentation (the RFID chip can be embedded in the paper of a document, attached by adhesive, or affixed to the folder or binder holding the record).
o Matching pharmaceutical, blood products, or customized formulations to individual patients.
o Tracking human tissue and blood samples from collection through the laboratory and ensuring proper matching of test results to patients. Tagging samples can also help track the process by which samples authorized for destruction have been disposed.
o Identifying patients: this can include attaching the RFID tag to patients via temporary wristband, injectable capsule (implantable tag), or as part of more permanent medical jewelry.
o Identifying the deceased, particularly in a mass casualty or post-disaster situation.[15]
o As part of an authentication system for medical insurance or payment cards: passive tags have been embedded in credit cards, and could be embedded into other valuable credentials such as medical insurance documentation.
o As a way of storing an electronic health record: UHF and microwave frequency tags can have larger memories and faster transfer speeds than tags at lower frequencies. Instead of just storing an identification number that enables a computer to cross-reference the tag number to a patient record, employee access control list, or a device database, these tags can store a much more lengthy history, possibly an entire medical record on the device itself. A tag of this type could allow a patient's entire medical history to be worn on the patient.
o Access control: Non-contact LF and HF swipe cards and key fobs are familiar in many institutions. These can be used to open doors to credentialed personnel, or provide a means of improving the integrity and counterfeit-resistance of traditional identification badges. Access control tags can track the areas accessed (and when) by an employee or contractor. In some situations, access control tags may be given to family members or patients to allow access to a locker or patient suite. As discussed previously, access control for vehicles will often use active or semi-passive tags. These ID tags may be injected as well.[16]
o Patient-assistive technology: RFID in a prescription may allow an automated reader to speak to a patient, for example with medication instructions. Alternatively, an RFID tag on the patient could allow a computer to identify the patient at a kiosk, providing assistance while also crosschecking the patient's prescriptions against the medical record.[17]
o Surgical markers: An attached or implanted tag on a person scheduled for operation can ensure that staff is operating on the right patient as well as the right body part.
o Passive tags embedded in surgical sponges or attached to surgical instruments can help surgical staff track sponges and/or instruments used during a procedure. However, hospitals should not rely solely on a system that scans the patient for retained items. While durable, RFID tags are subject to interference and failure, and their signals can be blocked or shadowed by other objects (such as organs). Ideally, an RFID system can complement counting processes to reduce the risk of leaving sponges and/or instruments in a patient.

[15] RFID tags used to track Hurricane Katrina dead. Michael Kanellos. Silicon.com/CNET. http://networks.silicon.com/lans/0,39024663,39152382,00.htm.
[16] SolutionsRFID page 9m, AHIMA Audio Seminar / Webinar. Disaster Recovery for Health Records. Oct. 4, 2007.
[17] LTC HIT Summit, Medication Management Slide Presentation. www.ahima.org/meetings/ltc/documents/LTC-Medication-Management.ppt. Also see Disaster Recovery for Health Records.

29.9 Challenges for Legal Counsel

RFID technology presents challenges in its implementation. The technology can suffer failures
from scenarios not previously encountered in a healthcare asset-tracking environment. For example,
potential risks for system compromise or failure can arise from bringing a new piece of equipment into
a room, changing from a tablet to a liquid prescription, running a new electrical line in a nearby room,
changing a computer around the corner, or moving from plastic to glass bottles.
RFID is also susceptible to perception challenges. The technology can be used for very short-range applications or over extended distances. It can contain entire medical records or just a serial
number. Terms like "tracking" and "radio frequency radiation" are often misunderstood, and can be a
source of confusion and even fear to patients. Currently, there are consumer organizations vehemently
opposed to any use of RFID due to fears that the RFID in question will be used to track individuals
and invade their privacy. A quick Google search for "Stop RFID" finds dozens of such organizations.
Undoubtedly, federal and state legislation will be proposed in the future that attempts to control
how RFID is used with regard to personal information and tracking people. Legal counsel should
remain alert for changes in this area.

29.10 RFID Privacy Concerns

One of the most frequent concerns is that the technology will allow recipients of RFID-enabled
products or identification cards to be tracked. It is critical to note that the term "tracking" can be
used in two different contexts when discussing RFID technologies. RFID tags, particularly passive
tags, are often used in the same way as barcode labels to track objects in a supply chain or institution.
This is not the same as real-time location tracking, a concern of RFID tracking critics.
Tracking by barcode or RFID tag in a supply chain records the progress of an object through an
organization at various checkpoints. A patient could be "tracked" to the fourth floor because the
nursing station on that floor had scanned in a patient's RFID-enabled bracelet upon his or her arrival.
The system does NOT track the patient between the time the tag or barcode was previously scanned
and its arrival at the nursing station. However, such tracking systems can prove invaluable when trying
to determine who last had custody of a particular item, and when. Access control cards are an example
of this type of checkpoint tracking. A passive system only records the location of an access control
card when someone uses it at a reader.
On the other hand, active RFID systems such as real-time location systems are often designed
to provide the type of tracking some privacy advocates fear. For that reason, legal counsel needs
to ensure that any use of RTLS technology follows an appropriate protocol for the organization. If a
system uses active tags but not as part of a real-time location system, legal counsel must ensure that
policies and procedures are in place to respond to accusations that such active technology could
be used with triangulation to track individuals. Furthermore, counsel should help to limit the use of
the term "tracking" to prevent the RFID program from being misunderstood or receiving negative
attention.

29.11 Other Privacy and Security Concerns

Unlike barcoding or magnetic swipe cards, some RFID tags can be read at a distance and, depending on the type of tag (see discussion on frequency and range), they may not need to be presented by
the bearer to be read. Indeed, this is one great advantage for RFID. Unfortunately, it raises risk
management issues, such as potential identity theft or invasion of medical privacy from reading
a patient's information off their RFID-enabled medical jewelry from a handheld reader. Active tag
ranges can approach a kilometer, allowing potential thieves to find very expensive or critical pieces of
equipment, disable the active tracking tags, and walk away with the equipment. Similarly, active tags
could act as beacons, broadcasting far too much information about the valuable objects to which they are
attached.
All of these issues must be addressed during planning and in the organization's RFID policy. In
developing the RFID policy, legal counsel should bring together outside experts, vendors, and stakeholders within the organization (particularly from physical security and information technology) to
creatively address potential malicious exploitation of each RFID deployment, whether by internal or
external sources. Many RFID vulnerabilities are similar to those that result from wireless networking.
After weighing the countermeasures, legal counsel will be better equipped to advise executive leadership as to whether the deployment of the particular RFID system will truly enhance the organization's
posture concerning safety, security, and privacy.
Protective measures such as encryption technology, logging of all RFID transactions, and mandatory authentication of all readers in the IT system can help prevent the installation of an unauthorized
RFID reader on the network. Encryption should be the strongest available, using open and
well-known standards. Earlier forms of encryption and RFID credit card communications have demonstrated vulnerabilities.[18] Routine radiofrequency environmental analysis and checking reader logs
for unexpected interference and reader collisions can provide a warning that an unauthorized reader
has been installed, possibly to steal access codes or other tag data. To reduce the risk of a malicious
party listening in on RFID transmissions (and to reduce interference), RFID reader output power
should be kept as low as possible without negatively affecting acceptable read rates. Upgrades to the
RFID software should be carefully coordinated to ensure that such upgrades do not create new vulnerabilities in other linked systems, such as in back-end databases. Internal firewalls and anti-intrusion
systems should also be deployed to keep the RFID system from having full access to the rest of the
network, and to prevent a hijacked reader or a malicious RFID tag from causing havoc. Indeed, at
least one wireless RFID virus has used an RFID tag containing malicious code to infect the systems
connected to the RFID reader.19

18 Heydt-Benjamin, Bailey, Fu, Juels, O'Hare. Vulnerabilities in First-Generation RFID-enabled Credit Cards. University of Massachusetts, RSA Laboratories, Innealta, Inc. http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/rfid-cc/RFID-CC-manuscript.pdf.
Also see RFID Crack Raises Spectre of Weak Encryption above.
19 Rieback, Crispo, Tanenbaum. Is Your Cat Infected with a Computer Virus? Vrije Universiteit Amsterdam Computer
Systems Group. http://www.rfidvirus.org/papers/percom.06.pdf. An excellent article on RFID security vulnerabilities, and
on the creation of the first RFID virus.

29.12 Radiofrequency Interference

Healthcare facilities can be electromagnetically noisy environments. Many new healthcare devices
rely on wireless communications in the same industrial, scientific, and medical (ISM) bands that RFID
devices use. Tag reading may fail because of interference from other transmission sources, and the
relatively powerful transmissions of RFID readers may cause other devices to malfunction, including
critical equipment. Because of interference-related challenges, any RFID implementation plan should
involve the RFID vendor performing at least one Full Cycle Faraday Analysis to record the ambient noise during normal operations. Testing of new medical devices with the RFID system should
occur in a controlled setting. The healthcare organization should incorporate lessons learned from its
own interference and incident reports when designing its own RFID exclusion zones or criteria.
Organizations should not rely on regulatory approvals alone when considering interference potential
between one or more RFID systems and other facility devices and systems.
Preferably, a consultant or outside counsel familiar with RFID, medical devices, and wireless
networks will help devise an implementation plan that minimizes the interference between the RFID
system and other devices. A pilot implementation can also help identify areas where interference may
be problematic, allowing adjustments prior to full implementation of a facility-wide RFID plan.20
29.13 Training Staff and Educating the Public

RFID systems can be easier to use than a barcode scanner. A data entry technician can scan a shipment without unpacking the boxes, or verify their authenticity automatically. Attaching an RFID tag
can be as simple as attaching any other type of label, whether to a shipping box, identification bracelet,
or new equipment. However, staff may not be aware of the technical and perception challenges RFID
can present.
Staff members need to be prepared to answer basic patient concerns regarding privacy and security. A handout on the healthcare entity's RFID policy can help staff discuss the issues with those
concerned, particularly if tags are used in any direct way with patients. The pamphlet should be written in plain language for a non-technical audience. It should include basic information such as the
estimated range of the devices used in the healthcare facility and a list of objects to which the tags are
affixed.
Education sessions provide opportunities to assuage staff concerns about privacy and security,
such as theft of employee information or illicit access to their personnel file. Employees may also be
concerned that the system is an invasion of their privacy, used to track their whereabouts throughout
the facility. This perception could create morale challenges, with employees fearing that they are not
trusted.
Technical training should inform staff which tag types to use and how to affix them on different
materials. For example, tags on bottles belong on the neck of the bottle, preferably above the liquid.
The organization should also consider certifying staff members who play a major role in maintaining
the RFID system. If the information technology department is heavily involved in the system and will
work closely with outside RFID vendors, the facility should consider CompTIA's RFID+ technician
certification or a similar certification.21

20 Radiofrequency Identification Technology in Health Care: Benefits and Potential Risks. Binita Ashar, MD, MBA,
Ann Ferriter, BS. November 21, 2007, Vol. 298, No. 19. Journal of the American Medical Association (JAMA).

Readers should be configured to report failed reads or other interference statistics, but employees
should be educated as to the operation of the system so that they recognize system errors and failures.
Only the staff using the system can provide vital information about its actual operation in the environment. Employees should understand the risk of stray reads (picking up distant tag information). Any
suspected stray reads should be reported because the system may need to be adjusted. Staff should be
encouraged to report incidents of suspected interference with other readers, a high number of tag failures, or interference problems with other medical or non-medical equipment, even if the interference
incident seems to be a one-time event.
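
The reader-log review recommended earlier in the chapter (checking reader logs for unexpected collisions as a warning of an unauthorized reader) and the failed-read statistics described above can be automated. The following Python example is added here and is not part of the original text; the log line format, reader names, thresholds and sample log are all assumptions constructed for illustration.

```python
import re
from statistics import median

# Hypothetical log format (an assumption, not any vendor's):
#   <timestamp> reader=<id> reads=<n> failed=<n> collisions=<n>
LINE = re.compile(
    r"(?P<ts>\S+) reader=(?P<reader>\S+) reads=(?P<reads>\d+) "
    r"failed=(?P<failed>\d+) collisions=(?P<collisions>\d+)"
)

# Constructed inventory of readers the facility has registered and authenticated.
AUTHORIZED_READERS = {"RDR-ER-01", "RDR-PHARM-02"}

# Constructed hourly summaries from two registered readers and one unknown one.
SAMPLE_LOG = """\
2009-03-02T08:00 reader=RDR-ER-01 reads=410 failed=8 collisions=2
2009-03-02T08:00 reader=RDR-PHARM-02 reads=120 failed=2 collisions=0
2009-03-02T09:00 reader=RDR-ER-01 reads=395 failed=10 collisions=3
2009-03-02T09:00 reader=RDR-PHARM-02 reads=131 failed=3 collisions=1
2009-03-02T10:00 reader=RDR-ER-01 reads=402 failed=7 collisions=1
2009-03-02T10:00 reader=RDR-PHARM-02 reads=118 failed=1 collisions=0
2009-03-02T11:00 reader=RDR-ER-01 reads=260 failed=71 collisions=38
2009-03-02T11:00 reader=RDR-X-77 reads=95 failed=0 collisions=0
2009-03-02T11:00 reader=RDR-PHARM-02 reads=125 failed=2 collisions=1
"""


def review_reader_log(log_text, authorized, collision_factor=3,
                      min_collisions=10, max_fail_rate=0.10):
    """Return (line number, finding, detail) tuples for entries worth a follow-up.

    Findings:
      unparsed            - line does not match the expected format
      unregistered-reader - reader id is not in the authorized inventory
      collision-spike     - collisions far above that reader's own baseline
      failed-read-rate    - share of failed reads above max_fail_rate
    """
    findings = []
    history = {}  # reader id -> collision counts seen so far
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE.fullmatch(line)
        if not m:
            findings.append((lineno, "unparsed", line))
            continue
        reader = m["reader"]
        if reader not in authorized:
            findings.append((lineno, "unregistered-reader", reader))
            continue
        reads, failed = int(m["reads"]), int(m["failed"])
        collisions = int(m["collisions"])
        past = history.setdefault(reader, [])
        # Compare against the reader's own median once three intervals exist.
        if len(past) >= 3:
            baseline = max(median(past), 1)
            if collisions >= min_collisions and collisions > collision_factor * baseline:
                findings.append((lineno, "collision-spike", reader))
        attempts = reads + failed
        if attempts and failed / attempts > max_fail_rate:
            findings.append((lineno, "failed-read-rate", reader))
        past.append(collisions)
    return findings


if __name__ == "__main__":
    for finding in review_reader_log(SAMPLE_LOG, AUTHORIZED_READERS):
        print(finding)
```

A collision spike on a registered reader in the same interval in which an unregistered reader first appears is the pattern that warrants a physical check of the area.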
29.14 Information Technology Interface: Risks and Opportunities

While it may seem prudent to place much of the responsibility for an RFID system on the health
information technology (HIT) department, the RFID system will have many other stakeholders and
parties that could affect its operation. If the organization divides up responsibility for the RFID system
by function (e.g., pharmacy, shipping and receiving, security, health information, etc.), system-wide
vulnerabilities, updates, and interference issues may escape resolution.
One concern is how the RFID readers interface with the facility's records system. Whether the
RFID tag contains a patient identifier or an EPC-compatible product code, the number has to interface
somehow with the institution's backend database and possibly the Internet (for EPC codes or other offsite records). The facility must determine how this request will be handled securely. There may be little
purpose in encrypting tag contents if the contents are then sent out over an unsecured wireless network
or unencrypted onto the Internet. Facilities should define (1) who is responsible for maintaining the
connection between the RFID reader and the facility IT network and (2) who ensures that the RFID
firmware and middleware systems comply with the IT system policy for secure communications.
Physically securing the RFID readers, particularly portable units, is important because they can
scan protected information and locate valuable assets for illicit purposes. Portable readers also provide
possible access to the healthcare organization's backend network. Authentication of readers and the
credentials of the user, together with internal firewalls, can help protect the hospital network from
internal intrusion attempts. These steps also increase security with barcoding systems, patient data
entry carts, and automated network-enabled medical devices. All these systems, even network printers, are computers on the network and can be compromised by an attacker as a means of circumventing
the externally-facing firewall.
IT should be involved in ensuring that the system will not display protected information when
a scan is performed without security. For example, readers can scan in many tags at once (e.g., tags
belonging to everyone in a waiting area). The system should require passwords to access the tag data
(on those tags that support encryption), and the system should ensure that the computer attached to the
RFID reader verifies the credentials of the staffer doing the scans. In other words, the system should
not allow a staffer to access all the data just because the reader found the corresponding tags.

21 Radio Frequency Identification, CompTIA RFID+ Certification, http://certification.comptia.org/rfid/.

Input to underlying databases should be checked to ensure its validity. Many attacks on SQL22 and
other database systems occur when attackers input an unexpected or malformed command or search
string, causing the system to crash or exposing protected information.23
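
The two controls described above (release tag data only to a staffer entitled to it, and check tag input before it reaches the database) are shown together in the following Python example, which is added here and is not part of the original text. The 24-hex-character EPC format, the table layout, the unit-based authorization rule and every sample value are assumptions constructed for illustration; the staffer is assumed to have been authenticated already by the workstation.

```python
import re
import sqlite3

# Assumption: tags carry a 96-bit EPC that the reader delivers as 24 hex characters.
EPC_PATTERN = re.compile(r"[0-9A-F]{24}")

# Constructed reads from one scan. The third is a tag whose memory holds a
# query-like string instead of an identifier; the last is not valid text at all.
CONSTRUCTED_READS = [
    b"3034257bf400b7800004cb2f",
    b"3034257BF400B7800004CB30",
    b"1' OR '1'='1",
    b"3034257BF400B7800004CB31",
    b"\xff\xfe",
]


def build_demo_db():
    """Constructed sample data standing in for the facility's back-end database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tags (epc TEXT PRIMARY KEY, unit TEXT, label TEXT)")
    db.execute("CREATE TABLE staff (staff_id TEXT PRIMARY KEY, unit TEXT)")
    db.executemany(
        "INSERT INTO tags VALUES (?, ?, ?)",
        [
            ("3034257BF400B7800004CB2F", "pharmacy", "infusion pump 12"),
            ("3034257BF400B7800004CB30", "maternity", "patient wristband"),
        ],
    )
    db.executemany(
        "INSERT INTO staff VALUES (?, ?)",
        [("s-100", "pharmacy"), ("s-200", "maternity")],
    )
    return db


def normalize_epc(raw):
    """Return the tag value as canonical hex, or None if it is not a well-formed EPC."""
    try:
        text = raw.decode("ascii").strip().upper()
    except UnicodeDecodeError:
        return None
    return text if EPC_PATTERN.fullmatch(text) else None


def lookup_scan(db, staff_id, raw_reads):
    """Resolve one scan for one staffer.

    released: (epc, label) pairs the staffer's unit is entitled to see
    withheld: known tags in range that belong to another unit
    unknown:  well-formed identifiers with no database record
    rejected: reads that failed validation and never reached the database
    """
    result = {"released": [], "withheld": [], "unknown": [], "rejected": []}
    row = db.execute(
        "SELECT unit FROM staff WHERE staff_id = ?", (staff_id,)
    ).fetchone()
    staff_unit = row[0] if row else None
    for raw in raw_reads:
        epc = normalize_epc(raw)
        if epc is None:
            result["rejected"].append(repr(raw))  # keep for the transaction log
            continue
        # Placeholders keep tag content out of the SQL text even after validation.
        tag = db.execute(
            "SELECT unit, label FROM tags WHERE epc = ?", (epc,)
        ).fetchone()
        if tag is None:
            result["unknown"].append(epc)
        elif staff_unit is not None and tag[0] == staff_unit:
            result["released"].append((epc, tag[1]))
        else:
            result["withheld"].append(epc)
    return result


if __name__ == "__main__":
    demo = lookup_scan(build_demo_db(), "s-100", CONSTRUCTED_READS)
    for category, items in demo.items():
        print(category, items)
```

Finding a tag in range does not release its record: the pharmacy staffer sees only the pharmacy asset, and the malformed reads are logged without being passed to the database.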
RFID systems can be disrupted by changes in the environment, such as adding a new fluorescent bulb, a new type of medical equipment, plumbing, electric lines, or metallic sheeting. Metals in
particular can bounce the radio waves and increase the signal level in one place while blocking it
in another. RFID systems use the general-purpose industrial, scientific, and medical frequency allocations (ISM bands) and share that space with many other consumer and healthcare wireless devices
including everything from microwave ovens to Bluetooth and wireless local-area networks. The use
of spread spectrum as implemented in RFID devices minimizes interference, but cannot eliminate it.
Particularly at close range, recent tests indicate clear hazards between some RFID devices and critical
medical equipment.24
29.15 Who is Responsible for Maintaining the System?

An RFID system integrated into a medical device or used in the security department may not be
seen as an IT department responsibility. Similarly, IT and security may regard the decommissioning
of an access control tag as being a human resources issue. Facility shipping and receiving may be
perceived as independent from pharmacy. All of these entities may use common readers on the same
frequencies following the same standards. Or any of those factors (readers, frequencies and standards)
may be different, which can make interference resolution and maintenance of the system a challenge.
Legal counsel should realize that potential interference issues, network security and privacy concerns
are all part of an RFID-enabled system.
Legal counsel should ensure that contracts with outside RFID vendors include a provision for
assessing the current and projected RF environment by performing the full-cycle Faraday analysis
mentioned earlier. Legal counsel should also ensure that outside contractors working in HVAC, electric systems, plumbing, carpentry, and other specialties that could affect the integrity of the system
are notified and work with RFID vendors to reduce conflicts. Agreements with such contractors may
include indemnification provisions covering damage to the integrity of the RFID system due to a failure to follow the RFID vendor's guidelines.

22 SQL (Structured Query Language) is a database computer language designed for the retrieval and management of data
in relational database management systems (RDBMS), database schema creation and modification, and database object
access control management.
23 See ref. Is Your Cat Infected with a Computer Virus?
24 See JAMA article above, Electromagnetic Interference from Radio Frequency Identification Inducing Potentially
Hazardous Incidents in Critical Care Medical Equipment.

29.16 Selecting RFID Vendors and Consultants

Installing an RFID system in a healthcare entity can be challenging. As mentioned, healthcare
facilities are electrically noisy environments containing many other devices that could be affected by
the installation of a new potential electromagnetic interference source. Furthermore, RFID readers
could link to protected information, which may be located across multiple database systems, even
the Internet. In a healthcare environment, an RFID system outage may result in delayed patient care
or increased incidence of errors. Any implementation of a new RFID system needs to be assessed
carefully, with a recognition that new uses for the technology may appear while ensuring backwards compatibility.
RFID is gaining ground in healthcare and there are vendors and installers experienced in interfacing RFID systems into a healthcare environment. Legal counsel should ensure that the following
criteria at a minimum are followed when selecting vendors:

All devices are FCC certified and designed for the U.S.

Long-term support and maintenance contract, including emergency service 24/7/365.

Frequent system audits (including ambient electromagnetic noise), and pre-installation Full
Faraday Cycle analysis to determine ambient noise.

Familiarity with interference reports between RFID systems and healthcare devices, and a
willingness to test the system against any newly-purchased equipment or changes in equipment (including new acquisitions of similar make/model to those previously tested).

Consulting contract to advise on potential conflicts and warnings should other work need to
be done in the area (electric, water, HVAC, etc).

Insurance and a recovery plan for recalled or decertified readers.

Assistance in developing an RF Safety plan.

Maintaining multiple sources of readers and tags if purchased through the vendor, particularly if using a proprietary protocol.

HIPAA compliance.

29.17 RFID Backup

RFID can improve the efficiency of product movement, documentation, medication, equipment,
and personnel throughout an organization, improve the integrity of processes by reducing errors, reduce
the risk of patient loss (e.g., abducted newborns and wandering dementia patients), and allow detection of counterfeit and expired equipment or medication. RFID technology can improve the transfer
of information throughout the organization. If implemented well, the system can become a well-liked,
even essential, part of an organization's business model.
As a potentially important system, its failure must be anticipated. Legal counsel must ensure that
contracts with outside vendors arrange for the rapid restoration of service or replacement of equipment, and that insurance coverage extends to the system (e.g., business interruption). Clear guidelines
for staff must address managing without a functioning RFID implementation. Liability for a potentially increased error rate, a result of staff work-arounds during system downtime, must be anticipated.
Regular drills can ensure that automated medication and error-detection systems do not result in the
inability to function without them.
One technical solution puts a barcode and human-readable backup (e.g., a regular label) on all
tagged items, assuming the costs associated with this redundancy are feasible. Many RFID printers
are designed specifically to print a barcode along with human-readable information on the label. Similarly, access control devices should allow a manual override (such as a keypad with passcode) if the tag
reader were to fail. However, an entire information system may fail. This is a growing vulnerability as
electronic records lead to the phasing out of paper-based systems. The organization's overall disaster
and emergency response plans must include appropriate contingencies.
29.18 Who Controls RFID Policy in the Organization?

Different parts of the healthcare organization may seek to use RFID technologies without even
recognizing it as RFID. For example, non-contact access control cards and smart cards are a type
of RFID tag. Vendors may supply general-purpose items and medical equipment in cardboard boxes
affixed with or embedded with RFID tags for their own inventory control purposes. Equipment manufacturers may have embedded RFID tags in their products. In sum, the majority of healthcare facilities
are likely already using some RFID devices, thereby making it very difficult to say that "we don't
(or won't) use RFID tracking in our organization." The facility must discover and review all uses for
RFID in the organization and coordinate a policy for the use (or restriction of) RFID technology.
Because of the potential liability associated with using RFID in the organization, issues ranging
from privacy to diversion or counterfeiting and infant abduction, legal counsel may be in the best position to act as a central clearinghouse for RFID policy. The first step in creating such an RFID policy is
to determine what departments, if any, are using RFID technologies currently. The potential areas in
which RFID could be used should be assessed. Any links that exist between the different departments'
RFID infrastructure, including shared IT systems, contractors, or supply chain, should be noted, along
with vulnerabilities (legal and technical) that these links create.
Each type of RFID in use may expose the organization to different risks. Anticipating these risks,
with a particular focus on the links between systems and departments is important in developing an
appropriate RFID deployment policy. The risks of not deploying RFID, or of using alternative technologies such as barcoding or manual entry, should be explored. Important steps in developing an RFID
policy include:

Ensuring that organizational leadership gives legal counsel (or another appropriate department) the authority to create and enforce a unified RFID policy.

Facility leadership supports the RFID implementation plan and policy

Planning the system: why and where will the technology be used?

Why is RFID the appropriate solution? RFID can save money and time and reduce errors,
prevent diversion and counterfeiting, and provide a means for tracking people and objects to
improve efficiency and accountability. However, the organization should consider conducting a study (possibly including a pilot project) to determine if RFID will achieve these goals
in this healthcare facility.

Clear lines of responsibility are established for all uses of RFID technology, including
tag selection, data access, contracting of vendors, tag destruction or deactivation, and any
construction or introduction of equipment that could affect (or be affected by) the RFID
deployment.

Workforce, medical staff and if appropriate, business associates, are made aware of the
policy.

The policy is regularly reviewed and updated as needed.

RFID usage at the facility is regularly audited for compliance with the policy.

29.19 Challenges that Require Special Attention

A number of areas require special attention when considering RFID use:

Is RFID the right solution? RFID may serve as a useful tool in one area of a healthcare
organization and be problematic in another area. Implementation plans, assessment of the
organization's business processes, environmental planning and current risk opportunities all
must be considered. Is RFID the right solution, or does another technology or increased staffing/training offer a more effective solution?

RF Interference and Changes in Environment: RFID can be both susceptible to, and the cause
of, interference with other devices. This risk can be controlled if outside contractors and
others changing the electromagnetic environment are made aware of the potential for problems and an effective recognition and reporting mechanism is established when problems
do occur. Selection of reader frequency and tag type, RFID exclusion areas, and power settings can all be adjusted based upon such incident reports and ambient environmental noise
(AEN) measurements taken as part of full Faraday cycle testing. Testing of the RFID devices
around newly-acquired medical equipment, or previously untested devices, should be carried
out in the healthcare environment prior to deployment of RFID technologies or susceptible
equipment into a critical care situation. Do not simply rely on regulatory approvals to ensure
electromagnetic compatibility. Contracts with RFID vendors should focus on preventive testing and the need to minimize interference.

Vendor selection and chains of responsibility: In selecting a vendor, the need for backup
systems, non-proprietary or open standards, secondary sourcing for parts, technical support
24/7/365 and rapid maintenance service should all be emphasized. The vendor may also be
able to assist with developing employee-training programs. Inside the organization, development of the operational policy and maintenance of the system need to be centralized,
with clear chains of authority over the system. The information technology department may
be an appropriate hub for technical issues, with the legal counsel working to develop an
organization-wide policy. Executive leadership needs to support policy developments and the
establishment of clear chains of command for responsibility for the RFID system.

Perception challenges, privacy, and security concerns: Many of the security and privacy
concerns regarding RFID exist because people assume RFID systems have nearly omniscient
powers to track and record information, when in fact most applications have very short range
and do not store anything beyond an EPC code or other serial number. Legal counsel needs
to know what aspects of RFID technology are being used, how, and what new features are
proposed by the facility he or she represents. Internal and external public relations needs
to clearly explain the technical limitations of the RFID systems employed and the protections that have been established to protect the security and privacy of staff, patients and the
public.

29.20 Conclusion

RFID technology allows the improvement of processes and quality in a wide variety of healthcare organization departments. Wireless tags can be easier and faster to use than barcoding, can scan
multiple tags collectively, and work over a longer distance. Used in medication readers or carried with
patients as a key to (or in the future, a form of) personal health record, or implanted to allow patient
and/or procedure identification, RFID technology can also be used to prevent fraud, diversion or the
administration of expired or damaged equipment or drugs.
However, multiple competing standards, multiple frequency ranges, very different RFID capabilities offered by vendors, and confusion over what data is contained or exposed by an RFID system pose
significant risk management issues. Legal counsel must take a leadership role in establishing a unified
RFID policy for the organization. Counsel must work with vendors, leadership, employees, medical
staff, IT, and patients to maximize the RFID system availability with minimal interference issues to
ensure patient safety while increasing the efficiencies of the facility through effective RFID use.

Recommended Reading
Radio Frequency Identification Device Technology. FactFile. Institute of Electrical Engineers (Europe). http://www.rfidc.com/pdfs_downloads/IEE%20RFID%20Paper.pdf. Note: some references, such as laws limiting the use of RFID, apply only to Europe and may be dated.
Dr. Bill Crouse. RFID: Increasing patient safety, reducing healthcare costs. Microsoft. http://www.microsoft.com/industry/healthcare/providers/businessvalue/housecalls/rfid.mspx.
Heather Havenstein. Pharmaceutical, health care firms launch RFID projects. Computerworld Security. http://www.computerworld.com/securitytopics/security/story/0,10801,99899,00.html.
RFID Journal Healthcare White Papers. http://www.rfidjournal.com/whitepapers/7.


30
E-Discovery and Enterprise Risk Management
Steven M. Puiszis, Esq.1
Hinshaw & Culbertson, LLP
30.1 Introduction

For years, healthcare risk management programs focused on clinical practice and related risks.
However, the implementation of electronic health record (EHR) systems, coupled with the advent of
e-discovery rules, has introduced new concerns that spread far beyond the documentation issues
that historically occupied risk managers.
The federal e-discovery rules recognize that the discovery of electronically stored information
(ESI) presents a number of unique issues that do not exist with paper documents.2 The rules target five
specific areas:

early attention to e-discovery in litigation;

electronic information that is not reasonably accessible;

inadvertent production of privileged information;

forms of electronic information production; and

a safe harbor against discovery sanctions.

The rules themselves are discussed in detail later in this chapter.


The ESI generated by EHR systems poses several key enterprise risk challenges. EHR systems
generate many different forms of data from a wide variety of sources, some of which are unlike
anything found in traditional paper record-keeping systems, and some of which can be difficult to
preserve. Many current EHR systems are also not very good at reconstructing the data in a consistent
form. These factors trigger a number of legal issues for organizations.
Given the cost of e-discovery and the disastrous impact that the mishandling of ESI can have on
litigation and other organizational interests, the traditional reactive approach that many risk management programs employ will quickly prove to be inadequate. Healthcare entities must adopt a proactive
approach which addresses the management of e-discovery as a part of an enterprise risk management
program. A number of reasons justify this change in approach to risk management.

1 I thank Keith Olenik, M.A., RHIA, C.H.P., of the Olenik Group for his technical insights on the materials in this chapter
and Alice Kush, one of my former partners at Hinshaw, for her thoughts on various drafts of the materials.
2 E*Trade Securities LLC v. Deutsche Bank AG, 230 F.R.D. 582, 591 (D. Minn. 2005).

First, a growing body of literature identifies various unintended consequences following the implementation of EHR systems.3 Certain features of EHR systems can raise roadblocks to the successful
defense of professional liability claims, and the ESI captured by various features of those systems can
be used against healthcare entities in a variety of litigation contexts. Second, the costs of processing,
reviewing and producing ESI can exceed the value of a plaintiff's claim.4 Third, courts have repeatedly sanctioned parties for the loss or mishandling of ESI. Sanctions have varied between an award
of costs and attorneys' fees,5 the imposition of a large fine,6 the issuance of an adverse inference jury
instruction,7 and the entry of a default judgment.8 Courts have also required defendants to pay the cost
of retrieving ESI from inaccessible sources when it was inadvertently lost or destroyed from an active
data source.9 Moreover, corporate officers and managers can be held personally responsible for an
organization's failure to preserve relevant ESI.10
Most insurance policies generally do not provide coverage for discovery sanctions,11 and the
reserves for deductibles or self-insured retentions may be similarly off-limits for fines or an award
See, e.g., H. van der Sijs, et al., Overriding of Drug Safety Alerts in Computerized Physician Order Entry, Journal
American Medical Informatics Association Vol. B, No. 13 (2006): 138147 (literature review of drug safety alert
overrides); M. Vigoda, et. al., Failure to Recognize Loss of Incoming Data in an Anesthesia Record-Keeping System
May Have Increased Medical Liability, Anesthesia & Analgesia 2006; 102: 17981802 (explaining how an automated
anesthesia record-keeping system increased an anesthesiologists malpractice exposure); E. Campbell, et al., Types of
Unintended Consequences Related to Computerized Provider Order Entry, Journal of the American Medical Informatics
Association, Vol. 13, No. 5 (2006): 54756 (identifying nine categories of adverse unintended consequences following the
implementation of computerized provider order entry (CPOE) systems); Y. Han, et al., Unexpected Increase in Mortality
After Implementation of a Commercially Sold Computerized Physician Order Entry System, Pediatrics, Vol. 116, No. 6
(2005) (documenting a significant increase in mortality rates in the ICU Unit of a childrens hospital following the implementation of a CPOE system).
4
In 2005, 10% of corporate counsel indicated that they have settled a lawsuit rather than incur the costs of electronic
discovery. See S. Nelson, B. Olson, and J. Simek, The Electronic Evidence and Discovery Handbook. ABA Publishing,
at xvi. However, any settlement entered into by a physician must be reported to the national practitioner databank. Thus,
concerns over e-discovery costs will not likely trigger many settlements of malpractice claims involving physicians;
however, it will likely drive up their insurance costs. The authors also provide several sobering statistics concerning the
cost of e-discovery. In 2005, U.S. companies spent $4.6 billion internally to analyze e-mails and another $1.2 billion was
spent on outside e-discovery services. Id.
5
See, e.g., Phoenix Four, Inc. v. Strategic Resources Corp., 2006 WL 1409413 at *7 (S.D.N.Y. May 23, 2006) (ordering
defendant and its counsel to pay the fees and costs associated with a sanctions motion and $10,000 per witness for the
redeposition of three witnesses due to the untimely recovery of ESI from the defendants server).
6
See, e.g., United States v. Philip Morris USA, Inc., 327 F.Supp. 2d 21, 26 (D.D.C. 2004) ($2.75 million sanction for
employees failure to follow litigation hold process resulting in the loss of e-mails).
7
See, e.g., Zubulake v. UBS Warburg LLC, 229 F.R.D. 422, 42930 (S.D.N.Y. 2004) (Zubulake V).
8
Metro. Opera Assn v. Local 100, Hotel Employee & Rest. Employees Intl Union, 212 F.R.D. 178, 231 (S.D.N.Y. 2003).
9
See, e.g., Treppel v. Biovail Corp., 2008 WL 866594 at *9 (S.D.N.Y. April 2, 2008) (ordering a forensic examination
of the laptop computer of Biovails Chairman and CEO at defendants expense); Zubulake I, 217 F.R.D. at 324 (ordering
defendant to restore five backup tapes at an estimated cost of approximately $19,000). After reviewing the results of the
restoration of that sample of tapes, the court subsequently ordered UBS to pay 75% of the approximate $166,000 cost of
restoring the remaining backup tapes$123,000. Zubulake v. UBS Warburg LLC, 216 F.R.D. 280, 289 (S.D.N.Y. 2003)
(Zubulake III). That cost did not include the cost of outside counsels review of e-mails generated from those backup tapes,
which UBS estimated to be in excess of $107,000. UBS incurred approximately $250,000 in discovery costs relating to
production of e-mails from backup tapes.
10
See Danis v. USN Comm., Inc., 2000 WL 1694325 at *6, *38 (N.D.Ill. Oct. 23, 2000) (adverse inference instruction,
$10,000 fine personally levied against CEO, and $1,500,000 in costs imposed for failing to implement a comprehensive
document preservation policy and to ensure affirmative steps were being taken to preserve ESI).
11
Cf. Wardrip v. Hart, 28 F.Supp.2d 1213, 1216 (D. Kan. 1998) (granting Continental Insurance Companys motion to
dismiss a post-judgment garnishment action following a physicians failure to pay a Rule 37 discovery sanction imposed
in an underlying medical professional liability lawsuit).
3

of the

Enterprise Risk Management for Healthcare Entities, First Edition

E-Discovery and Enterprise Risk Management


of fees and costs. Thus, organizations will likely pay monetary penalties resulting from e-discovery
sanctions out of current revenues. Additionally, depending on how an insurance policy defines the term
"claim," only a filed lawsuit triggers an insurance carrier's duty to defend.12 Should a presuit litigation
hold make it necessary to retain an e-discovery vendor,13 the policy may not cover those costs.14 Organizations simply cannot afford the impact that the mishandling of ESI will have on their bottom line.
Healthcare organizations must develop a full understanding of the complexities of their EHR systems to avoid sanctions, a challenging task. The process needs to consider all aspects of their systems,
including equipment such as IV pumps and EKG monitors where important data may be stored for
only a short period of time. EHR systems are unique, complex systems that frequently involve multiple
modules or databases, often built on incompatible platforms with different levels of functionality and
interoperability.15 They were not developed with litigation or discovery in mind. Many hospitals have
painfully learned that their EHR systems cannot print all of the information contained in the system or
appearing on a computer screen for a given patient.16
Potentially relevant ESI can be widely dispersed throughout an organization in a number of different formats. It is generated and stored for at least short periods by many types of hospital equipment.17
ESI can also reside locally on the hard drives of workstations or portable laptops, network servers,
PDAs, voice-mail systems, smart phones and portable storage devices. It can be downloaded onto
CDs or DVDs. It is found on home computers and resides on backup tapes both on site and hundreds
of miles away.
EHR systems create a cache of ESI not contained in traditional paper record keeping systems,
discoverable under the federal and new state e-discovery rules.18 The federal e-discovery rules are
far broader in scope than any definition of a patient's legal health record. They potentially apply to
any type of ESI.19 As long as data is fixed in a tangible form that can be retrieved and examined, it
is discoverable under the rules.20 Far more ESI will have to be preserved, reviewed, and potentially
produced than merely the patient's legal health record.
12
See Lapham-Hickey v. Protection Mut. Ins., 166 Ill.2d 520, 532–33, 655 N.E.2d 842 (1995).
13
A litigation hold involves the suspension of any practices that could result in the loss or destruction of any data or
documents that may be relevant to a lawsuit once litigation is reasonably anticipated. The implementation of a litigation hold ensures that relevant information is not inadvertently destroyed and requires that key employees are notified of
document preservation requirements.
14
Lapham-Hickey, 166 Ill. 2d at 532–33.
15
42 C.F.R. § 411.351 defines interoperability in these terms: "Interoperable means able to communicate and exchange
data accurately, effectively, securely, and consistently with different information technology systems, software applications, and networks, in various settings; and exchange data such that the clinical or operational purpose and meaning of
the data are preserved and unaltered."
16
When ordered to make all information in the EHR system about the plaintiff available to his or her counsel, to prevent
direct access to their computer systems, hospitals have set up read-only terminals that provided access to the plaintiff's
electronic records. While that may sound like a simple and inexpensive solution, it is not. It is a time-intensive process
requiring the involvement of experienced IT staff from both the hospital and its EHR vendor.
17
National Institutes of Health, National Center for Research Resources, Electronic Health Records Overview (April
2006) at p. 8, citing R. Haugh, Linked Monitoring Devices and EHRs Round Up Data in Real Time, Hospitals and Health
Networks (February 2006) (noting IV pumps and EKG monitors generate electronic data).
18
This chapter's focus is on the federal e-discovery rules. As this chapter was heading to press, 20 states had adopted
their own set of e-discovery rules based in large part on the federal rules, and several other states were either awaiting state
Supreme Court action on proposed e-discovery rules or were accepting public comments on proposed rules. Kroll OnTrack
maintains a fairly up-to-date summary of each state's e-discovery rules with links to each state's discovery rules in the
Resources section of its website found at www.krollontrack.com.
19
See, e.g., Fed. R. Civ. P. 34 2006 Amendment Advisory Committee's Notes ("Rule 34(a)(1) is expansive and includes
any type of information that is stored electronically").
Counsel must understand the complexities of an EHR system to navigate the e-discovery rules and
limit the cost of electronic discovery. Rule 26(b)(2)(B) defines the scope of e-discovery, and provides
that a party need not provide discovery from sources that are "not reasonably accessible because of
undue burden or cost."21 The rule places the burden of proving inaccessibility on the party raising it.22
Unless an organization has a thorough understanding of its EHR system, backup processes and any
legacy systems, it will be unable to establish that ESI from those sources is inaccessible. That means
the cost of retrieving, reviewing, and producing ESI from inaccessible sources may be unnecessarily
incurred.
The federal e-discovery rules require that outside counsel be prepared to discuss the preservation
and production of ESI at the initial Rule 26(f) scheduling conference. That can only effectively occur
if counsel has a firm understanding of the client's EHR and e-mail systems. Thus, a hospital's information technology (IT) and/or health information management (HIM) staffs must be prepared to explain
to its counsel how the various applications of its EHR and e-mail systems function so that counsel is
prepared to discuss those systems at the Rule 26(f) conference or with the court should an e-discovery
dispute occur.
Before addressing the substance of the federal e-discovery rules, the next two sections address
steps that should be considered in order to effectively manage and control e-discovery risks as part of
an enterprise risk management program.

30.2 Identify Technologically Based Risks of Your EHR System

30.2.1 Basic Features of EHR Systems

To grasp the risk management issues that EHR systems can trigger, counsel must first understand
the basic technological features of these systems. Many of today's EHR systems are relational databases containing thousands of files and fields of information that are connected by a series of pointers.
Each patient is assigned a specific identifier in a master-patient index. When someone accesses the
patient's information, the system pulls the relevant data from its various files and fields, displaying
them on a computer screen.
EHR systems link the master-patient index directly to a hospital's billing and financial system. An
electronic interface between that master-patient index and various other modules ties in components
such as the laboratory system, the pharmacy system, the radiology system, the emergency department
system, etc.
20
Fed. R. Civ. P. 34(a) 2006 Amendment Advisory Committee's Notes.
21
Fed. R. Civ. P. 26(b)(2)(B).
22
Id. ("On a motion to compel discovery or for a protective order, the party from whom discovery is sought must show
that the information is not reasonably accessible because of undue burden or cost"). See also Auto Club Family Ins. Co. v.
Ahner, 2007 WL 2480322 at *1 (E.D.La. Aug. 29, 2007) (denying motion to quash production because there was no showing made to support the argument that production would be unduly burdensome or costly).

Orders flow through the main system to departmental modules that record that area's activity. The
resulting information is transmitted to the core health system through the electronic interface which
transmits the data to any other appropriate EHR module or database within the system. Reports can
be printed and filed in a patient's chart and/or sent to a portal for a physician's review. Thus, the same
ESI can exist in the same or in slightly different formats in multiple EHR modules or databases. Currently, there is no readily available method to de-duplicate the identical ESI residing in multiple
EHR modules.
While some data may be stored in multiple modules of an EHR system, certain types of information concerning the specifics of patient care such as who drew a patient's blood, when it was drawn and
the person who analyzed it may only exist in a specific module in many EHR systems. These details
are typically not considered part of the legal health record, and may be subject to a shorter retention
period than the test result. However, parties may actively seek that information in discovery, which
could play a critical role in litigation.

30.2.2 Functionality and Interoperability Issues

EHR systems can be composed of different modules or separate databases developed by different
vendors. Different EHR modules, databases and/or systems can have different features, applications
and levels of functionality that may influence their compatibility and interoperability. Depending upon
the system architecture, these modules or databases may be fully integrated into the overall EHR
system and be capable of sharing information with other modules of the system. However, that is not
always the case. The electronic data generated by a non-integrated module may not be transmitted to
or shared with other EHR modules in the system. These non-integrated modules or "silos" of information require a clinical user to open a series of applications, log in and then find the patient record
within each application before seeing the patient's complete record.23 These silos of data may also
have to be separately preserved and searched for relevant ESI.
Vendors can customize their systems to meet a hospital, department, or service's particular needs.
This can result in subtle yet significant differences between the same vendor's EHR system at two
different hospitals or within different modules of a vendor's system at the same hospital. As a result,
various modules or systems can produce printed records that appear different. The display of information on a computer screen may also differ in various departments depending upon how a particular
vendor customized that user or department's application display.24 Do not assume that all clinicians
using an EHR system have access to or know the complete patient record.25
Different versions of a patient's electronic records (or any ESI), some partial or outdated, and
some duplicates, can appear in different ancillary databases in the system. Questions about the integrity of a patient's medical record (or any other organizational records) can arise when different parts
of the record appear in slightly different formats because of the differences in various modules and
databases that comprise the system.
23
National Institutes of Health, National Center for Research Resources, Electronic Health Records Overview (April
2006) at p. 4.
24
Id. at p. 3 ("EHRs are used in complex clinical environments. Features and interfaces that are very appropriate for one
medical specialty, such as pediatrics, may be frustratingly unusable in another (such as intensive care). The data presented,
the format, the level of detail, and the order of presentation may be remarkably different, depending on the service venue
and the role of the user").
25
E. Campbell et al., Types of Unintended Consequences Related to Computerized Provider Order Entry, Journal of the
American Medical Informatics Association, Vol. 13, No. 5 (2006): 547–56.
Some applications of an EHR database may allow electronic searches. The notes to Rule 34
explain that if ESI is ordinarily maintained in an electronically searchable manner, "the information
should not be produced in a form that removes or significantly degrades this feature."26

30.2.3 Evolving Nature of EHR Systems

Part of the complexity of EHR systems arises from their free-flowing nature. The ESI will grow
and evolve as new information about the patient is generated. While historical clinical data will not
change, some of the demographic data such as the patient's age, address, and marital status may automatically be updated by the system as that information changes over time. This factor coupled with
the addition of new treatment information and records can make it difficult to pinpoint exactly how a
patient's record looked at a specific point in the past.
System upgrades or the addition of new data fields can also affect the appearance of older data.
For example, when information concerning a prior hospitalization or visit is printed out after a system
upgrade, the newly added fields may appear as blanks because those fields did not exist when the
information was originally created. These types of system nuances should be identified and explained
to outside counsel, who can explain them to opposing counsel or the court before they become a
problem.

30.2.4 Pop Ups, Alerts, and Clinical Support Features

EHR systems typically incorporate various types of alerts, pop-ups, and clinical support features
intended to serve as aids in clinical decision-making. The failure to take action or the override of
an alert may become a key fact in litigation or a quality survey.27 Opposing parties may request the
alert or clinical support features of an EHR system. Unless periodically updated, those features could
potentially incorporate outdated or incorrect clinical standards.
Plaintiffs (and potentially regulators) will seek to discover practice patterns related to overrides, generally, or in specific cases. Organizations must monitor those patterns (see discussion in Chapter 28), and
also understand what potentially discoverable data about those patterns remains stored on the system.

30.2.5 Audit Trail and Access Log Features

The audit trail feature of an EHR system will disclose who accessed a patient's electronic record,
how long they viewed it, what screen or page they viewed, whether any part of the record was printed
or altered and, if altered, what aspect of the record was changed. For many types of EHR systems,
the audit trail feature is essential to proving the integrity of the patient's electronic record. Therefore,
hospitals and healthcare organizations should have policies that prohibit turning off or overriding the
system's audit trail feature.
26
Fed. R. Civ. P. 34(b) 2006 Amendment advisory committee notes.
27
A recent review of the literature on drug safety alerts found that alerts were overridden in 49% to 96% of the cases
studied. See H. van der Sijs et al., Overriding of Drug Safety Alerts in Computerized Physician Order Entry, Journal of
the American Medical Informatics Association Vol. 13, No. 2 (2006): 138–147.
The type of information available through the audit trail feature or a system's access logs will be
sought in a variety of potential discovery contexts: quality assurance or peer reviews, the grant or
withdrawal of staff or hospital privileges, fraud and abuse investigations, and in litigation ranging from
antitrust claims to professional liability actions. Audit trails, like alerts and clinical support features of
an EHR system, do not typically constitute part of the legal health record, but they can be discovered,
so counsel needs to learn the organization's practices for retaining the information. Because it can take
up large amounts of storage space, audit trail data is often archived. However, it should be considered
part of a system's active data, unlike backup tapes.

30.2.6 Forms of ESI (Data Types) in EHR Systems

The retention of ESI in multiple formats raises several thorny issues that the federal e-discovery
rules attempt to address. Various types of patient information are stored in different formats in EHR
systems, including image, sound and video formats. Some formats may be proprietary, belonging to
the vendor of the system.
If electronic data is produced in its native state, recipients of any data that is created or stored
in a unique or proprietary format may be unable to view it without the underlying software. It may
require translation into a different format, or the requesting party may seek direct access to a hospital's
EHR system.28

30.2.7 Time Stamp Issues

EHR systems typically time-stamp entries. If caregivers make untimely entries, the system will
clearly show that, which can raise a red flag in medical professional liability litigation, billing audits, or in
fraud and abuse investigations. The impact of time stamps on entry timing is "[o]ne of the unanticipated
consequences of transitioning from paper to EHRs [and] the effect on documentation practices."29

28
The Advisory Committee Notes to Rule 34(b)(2) explain: "Under some circumstances, the responding party may
need to provide some reasonable amount of technical support, information in application software, or other reasonable
assistance to enable the requesting party to use the information." Because proprietary licensing restrictions may limit the
type of information or assistance a hospital can provide the requesting party about the format used to create or store certain aspects of its ESI, translation of that data into another reasonably useable format may preclude direct access to the
organization's system. However, see Opperman v. Allstate New Jersey Ins. Co., 2008 WL 5071044 (D.N.J. Nov. 14, 2008)
(ordering production of a proprietary software owned by a third party and rejecting defendant's trade secret and licensing
restriction arguments against its production).
29
M. Vigoda et al., The Medicolegal Importance of Enhancing Timeliness of Documentation When Using Anesthesia
Information System and the Response to Automated Feedback in an Academic Practice, Anesthesia & Analgesia 2006,
103:131–136. In this article the authors note that some physicians may complete all documentation needed for billing
purposes at one time and warn: "Some may consider that such documentation, if done prospectively, lends itself to fraud."
Id. at 131. Later the authors acknowledge that concerns over entry timing did not arise when their practice converted to
an electronic record-keeping system and this was an unrecognized pitfall in transitioning from paper-based records to an
EHR. Id. at 132.

30.2.8 Versions or Drafts of Reports in EHR Systems

Versioning is an e-discovery issue that should be addressed because prior versions of reports are
now stored in electronic systems and discoverable. This problem arises in several scenarios. It can
happen when authors correct early versions of reports, leading to the existence of several versions on
the system. It can also occur when staff files information in the wrong place, for example attaching a
report to the wrong patient. With paper record-keeping systems, this was not an issue. Only the final
version of a report signed by a clinician was included in the patient's chart. Prior drafts or versions
were simply discarded. However, EHR systems retain prior drafts and document the changes.

30.3 E-Discovery Risk Management Steps

Several concrete steps will move an organization into a robust e-discovery risk management program. Listed here, they are described in more detail below.

• create a data or content map;
• identify all organizational practices for electronic and paper records;
• review and evaluate record retention policies;
• develop litigation hold procedures to account for e-discovery;
• evaluate e-mail usage and policies;
• identify and evaluate system and application metadata; and
• evaluate the accessibility of electronic data.

30.3.1 Create a Data or Content Map

Healthcare organizations should develop a data or content map of their systems. This process
requires a multi-disciplinary team approach that should include members from the IT, HIM, risk
management, and legal departments. The organization should identify and document the following
components of its systems:

• every piece of hardware and software involved in the creation, transmission, and storage of ESI should be verified;
• the flow of electronic information to and from those sources should be mapped; and
• all locations where ESI resides within the system, even temporarily,30 should be noted.

Staff should repeat that task for each application of the EHR system, resulting in a matrix of all ESI
repositories.
The mapping process is more involved than merely taking an inventory and creating a flow chart;
it should also note information about data types, volume, retention periods, and difficulties that may be
encountered in accessing ESI from any of its potential repositories. Data created and stored in unique
or proprietary formats should be highlighted because of the problems that may be encountered producing it electronically. The map should also identify archived information, describe the organization's
backup practices, and outline how long backup media are held before they are recycled.
30
One hospital identified 300 data islands where clinical information was stored after auditing its clinical systems. See
National Institutes of Health, National Center for Research Resources, Electronic Health Records Overview (April 2006)
at p. 2, citing Electronic Medical Records Help Physicians and Boost Revenues While Saving Millions, Microsoft Health
Care Industry Case Study (November 2004).

When physicians or staff electronically communicate with patients or view information on computers or PDAs outside the organization's system (e.g., using remote access to a network), potentially
relevant information may be stored on those devices.31 The computers and PDAs of physicians and
other healthcare providers can thereby become potential sources of ESI that must be preserved. So the
mapping process should account for that possibility as well.

30.3.2 Identify Organizational Practices for Electronic and Paper Records

Currently, most healthcare organizations have a hybrid record-keeping system, with some aspects
of their records in a paper format and others in one or more electronic formats. The organization
should identify all information generated and/or stored in an electronic format and those records that
are created and/or preserved on paper. The organization should clarify its philosophy and approach to
the retention of its paper and electronic records.
Rule 34 specifies that information should normally be produced in the form in which it is ordinarily maintained or in a reasonably useable form.32 Thus, questions during this process should focus on
how those records are ordinarily maintained. Are paper records scanned and made a part of the EHR
system? Are those parts of the ESI that the organization has designated as the patient's legal health
record printed out and made a part of the patient's chart? Or are the paper and electronic records
separately maintained?
The organization should further answer a series of questions relevant to the litigation hold process
which are addressed in more detail below.

30.3.3 Review and Evaluate Record Retention Policies

The transition to electronic record keeping systems has increased the focus on information and
record management. Organizations must implement33 and consistently enforce34 document retention
policies. Courts have recognized that organizations are not obligated to retain all paper and electronic
data.35 However, a haphazard and uncoordinated approach to document retention that results in the
loss or destruction of potentially relevant information can result in sanctions.36
31
See, e.g., Healthcare Advocates, Inc. v. Harding, Earley, Follmer & Frailey, 497 F.Supp.2d 627, 639–40 (E.D. Pa.
2007) (explaining how a computer's cache file temporarily stores web pages and information accessed by the computer).
32
Fed. R. Civ. P. 34(b)(2)(E)(ii).
33
See Doe v. Norwalk Community College, 248 F.R.D. 372, 378 (D.Conn. 2007) (refusing to extend Rule 37(f)'s safe
harbor provision because the defendant did not have one consistently applied, routine document retention policy or system
in place).
34
See Arthur Andersen LLP v. U.S., 544 U.S. 696, 704 (2005) (explaining document retention policies, which are created in part to keep certain information from getting into the hands of others, including the Government, are common in
business and that generally, it is not wrongful for a manager to instruct his employees to comply with a valid document
retention policy under normal circumstances); Willard v. Caterpillar, Inc., 40 Cal.App.4th 892, 921 (Cal. 1995) (explaining the good faith disposal pursuant to a bona fide, consistent and reasonable document retention policy could justify a
failure to produce documents in discovery).
The record retention policy should apply to both paper records and ESI. The policy should also
include a requirement that any automated features of an EHR or e-mail system or any organizational
practice that periodically deletes, overwrites, or destroys potentially relevant paper records or ESI will
be suspended when litigation is reasonably anticipated.

30.3.4 Litigation Hold Procedures for E-Discovery

A process for implementing a litigation hold and preserving relevant ESI and paper records should
be established to limit the risk of sanctions being imposed for the spoliation of evidence. A litigation
hold should be implemented whenever litigation is reasonably anticipated,37 and it should be applied
to information the destruction of which would prejudice the other party to that litigation.38 The failure to implement a litigation hold will preclude a party from invoking Rule 37's safe harbor against
the imposition of sanctions.39
35
See, e.g., Wiginton v. Ellis, 2003 WL 22439865 at *4 (N.D. Ill., Oct. 27, 2003) (an organization does not have to
preserve every single scrap of paper in its business); Concord Boat Corp. v. Brunswick Corp., 1997 WL 33352759 at *4
(E.D. Ark., Aug. 29, 1997) (same regarding e-mail); Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 217 (S.D.N.Y. 2003)
("Zubulake IV") (explaining a corporation is under no obligation to preserve every e-mail, electronic document, or backup
tape even upon recognizing the threat of litigation).
36
In re Prudential Ins. Co. of Am. Sales Practices Litig., 169 F.R.D. 598, 615 (D.N.J. 1997) (holding a haphazard approach
to document retention warranted an adverse inference instruction and a million dollar sanction); Finley v. Hartford Life
and Accident Ins. Co., 2008 WL 509084 (N.D. Cal. Feb. 22, 2008) (imposing sanctions for not timely producing the full
version of a video surveillance tape as part of its Rule 26(a) disclosures). In Finley, the court found it was unreasonable for
Hartford to rely on a system which contains so few checks and balances that the mere fact that an administrative assistant
did not look for a file could undermine Hartford's entire initial disclosure apparatus. Id. at *2.
37
Zubulake IV, 220 F.R.D. at 217. See also Silvestri v. General Motors, 271 F.3d 583, 591 (4th Cir. 2001) ("The duty
to preserve material evidence arises not only during litigation, but also extends to that period before the litigation when a
party should reasonably know that the evidence may be relevant to anticipated litigation"); Kronisch v. U.S., 150 F.3d 112,
126 (2d Cir. 1998) (same).
38
Miller v. Holzmann, 2007 WL 172327 at *3 (D.D.C. Jan. 17, 2007).
39
See Fed. R. Civ. P. 37(f) advisory committee note ("The good faith requirement of Rule 37(f) means that a party is
not permitted to exploit the routine operation of an information system to thwart discovery obligations by allowing that
operation to continue in order to destroy specific stored information that it is required to preserve"). Under the 2007 style
amendments to the federal rules, Rule 37(f) was renumbered and is now Rule 37(e).

The following questions should be addressed in a risk management assessment of systems when
designing a litigation-hold process:

• Is ESI that is generated and temporarily stored by hospital equipment routed to the EHR system or will it be lost forever if it is not promptly preserved?
• How long is any ESI not included in the patient's legal health record stored by each data repository?
• Is old data archived and accessible or only available on backup tapes?
• Does any application of the EHR or e-mail system have an automated delete feature that should be overridden in the event a litigation hold is put into place?
• Can the automated features of the system be interrupted or turned off?
• Is the organization's philosophy and approach to its ESI and paper records clearly spelled out in its document retention policies, and more importantly, have the organization's practices been audited and are they consistent with those policies?
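
The data map described in section 30.3.1 and the litigation-hold questions listed above can be combined into a preservation triage that shows which repository will lose data first once a hold issues. The sketch below is an added example, not part of the original chapter; the field names, repository rows, retention periods and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class Repository:
    """One row of the data map (field names are assumptions for this example)."""
    name: str
    tier: str                      # "active", "archive" or "backup"
    retention_days: Optional[int]  # days until routine deletion/overwrite; None = kept
    auto_delete: bool              # an automated feature deletes or recycles the data
    can_suspend: bool              # that feature can be interrupted or turned off
    feeds_ehr: bool                # data is routed to the EHR before it ages out
    proprietary_format: bool = False


@dataclass(frozen=True)
class HoldStep:
    repository: str
    action: str
    days_left: Optional[int]       # days between the hold date and routine deletion
    notes: Tuple[str, ...]


def plan_hold(data_map, event_date, hold_date):
    """Turn a data map into preservation steps, most urgent first.

    Assumes the relevant ESI was created on event_date, so routine deletion
    falls on event_date + retention_days.
    """
    steps = []
    for repo in data_map:
        notes = []
        if repo.proprietary_format:
            notes.append("proprietary format: plan a reasonably usable production form")
        if repo.tier == "backup":
            notes.append("backup media: record retrieval burden and cost")

        if not repo.auto_delete or repo.retention_days is None:
            # Nothing ages out on its own; preserve where it sits.
            steps.append(HoldStep(repo.name, "PRESERVE_IN_PLACE", None, tuple(notes)))
            continue

        expires = event_date + timedelta(days=repo.retention_days)
        days_left = (expires - hold_date).days
        if days_left <= 0:
            # The local copy is already gone when the hold issues.
            action = "COLLECT_FROM_EHR" if repo.feeds_ehr else "DOCUMENT_LOSS"
            days_left = 0
        elif repo.can_suspend:
            action = "SUSPEND_AUTO_DELETE"
        else:
            action = "EXPORT_BEFORE_OVERWRITE"
        steps.append(HoldStep(repo.name, action, days_left, tuple(notes)))

    # Shortest deadline first; repositories with no deadline go last.
    steps.sort(key=lambda s: (s.days_left is None, s.days_left or 0))
    return steps


# Constructed sample data map; names, periods and dates are illustrative only.
DATA_MAP = [
    Repository("audit trail archive", "archive", None, False, False, False),
    Repository("lab module (draw details)", "active", 365, True, True, False),
    Repository("e-mail server", "active", 90, True, True, False),
    Repository("backup tapes", "backup", 30, True, True, False),
    Repository("EKG monitor", "active", 7, True, False, True, proprietary_format=True),
    Repository("IV pump", "active", 3, True, False, False, proprietary_format=True),
]
EVENT_DATE = date(2009, 3, 1)   # constructed date of the adverse event
HOLD_DATE = date(2009, 3, 5)    # constructed date the hold notice issues

if __name__ == "__main__":
    for step in plan_hold(DATA_MAP, EVENT_DATE, HOLD_DATE):
        deadline = "none" if step.days_left is None else f"{step.days_left} d"
        print(f"{step.repository:26} {step.action:24} {deadline:>6}  {'; '.join(step.notes)}")
```

With the sample dates, a hold issued four days after the event is already too late for the three-day device buffer, which is why short-lived equipment data belongs at the top of the map.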

A duty to preserve is not triggered when there is merely a potential for litigation.40 Obviously,
the occurrence of a sentinel41 or never event42 should immediately trigger a duty to preserve potentially relevant information. However, otherwise attempting to determine when the threat of litigation
crosses the threshold from mere potential to reasonably anticipated can be elusive. The Sedona
Conference's Commentary on litigation holds explains that making the determination requires consideration of various factors:

• the nature and specificity of the complaint or threat;
• the party and the position of the party making the claim;
• the business relationship between the accused and accusing parties;
• whether the threat is direct, implied, or inferred;
• whether the party making the claim is known to be aggressive or litigious;
• whether a party who could assert a claim is aware of the claim;
• the strength, scope, or value of a potential claim;
• the likelihood that data relating to a claim will be lost or destroyed;
• the significance of the known or reasonably anticipated issues;
• whether the company has learned of similar claims;
• the experience of the industry;
• whether the relevant records are being retained for some other reason; and
• press or industry coverage of the issue either directly pertaining to the client or of complaints brought against someone similarly situated in the industry.43

Counsel should carefully address the need to preserve ESI. Written litigation hold notices should
be sent to IT and HIM staffs as well as to any hospital employees who were directly involved in the
events leading up to the claim or who may have relevant knowledge.44 The notices should explain the
issues and defenses potentially involved in the litigation and broadly describe the types, categories, or
40
Lekkas v. Mitsubishi Motors Corp., 2002 WL 31163722 at *2 (N.D. Ill. Sept. 26, 2002).
41
A sentinel event is an unexpected occurrence involving death or serious physical or psychological injury or the risk thereof. Serious injury includes loss of limb or function. The phrase "or risk thereof" includes any process variance for which a reoccurrence would carry a significant chance of a serious adverse outcome. www.jointcommission.org/sentinelevents/.
42
Never events are hospital-acquired conditions for which CMS will not reimburse the cost of treatment. CMS's list of never events includes: catheter-associated urinary tract infections; air embolism; blood incompatibility; objects left in the body following surgery; pressure ulcers; catheter-associated vascular infections; surgical site infections after coronary artery bypass graft surgery; hospital injuries such as fractures, dislocations, intracranial injury, burns and other unspecified effects of external causes. See Fed. Register Vol. 73, No. 84 at 23547–23552.
43
The Sedona Conference, Commentary on Legal Holds: The Trigger & the Process (August 2007, Public Comment Version) at p. 9.
44
While hold notices should be broadly disseminated, "[t]he notice does not need to reach all employees, only those reasonably likely to maintain documents relevant to the litigation or investigation." Miller, 2007 WL 172327 at *6, quoting The Sedona Conference, Best Practices Recommendations & Principles for Addressing Electronic Document Production, (2004 Annotated Version Comment 5.d) at p. 54.



sources of information that need to be preserved. Further, the notice should spell out how information
should be preserved and/or collected and should also describe the nature of any potential sanctions that
could be imposed if relevant information is not preserved. If possible, a member of Risk Management
should be designated to answer any questions that staff may have about the hold and that person should
be identified in the written hold notice.
The organization should keep a record of all steps taken to implement the litigation hold, including the recipients and content of the preservation directive. Courts are requiring both in-house and outside counsel to follow up with key personnel to confirm they understand and are following the preservation directive.45 Counsel should also periodically review the process and reissue the written hold notice to existing and new employees.46
30.3.5 Evaluate E-mail Usage and Policies

E-mail and instant messages (IM) can present special concerns in regulatory or litigation matters. Does the organization's system have the capability of logging or capturing instant messages?47 If so, has that feature been activated?48 Does the organization have a process to incorporate electronic communication with patients in their charts? Are the messages archived, or just kept on backup tapes? What steps are required to retrieve them?
If an organization's policy provides that employees have no personal right of privacy in any material communicated or stored on its computer or e-mail systems, that policy may destroy a claim of attorney-client privilege as to any communications over the e-mail system. If so, have physicians and staff been advised that the attorney-client privilege may not apply to e-mails sent or received via the organization's system?49

45
Zubulake V, 229 F.R.D. at 432 ("it is not sufficient to notify all employees of a litigation hold and expect that the party will then retain and produce all relevant information. Counsel must take affirmative steps to monitor compliance so that all sources of discoverable information are identified and searched").
46
Id. at 433 ("The litigation hold should be periodically re-issued so that new employees are aware of it, and so that it is fresh in the minds of all employees").
47
See Malletier v. Dooney & Bourke, Inc., 2006 WL 3851151 at *2 (S.D.N.Y. Dec. 22, 2006) (rejecting a spoliation claim involving the failure to preserve colloquies from a customer relations chat room because the defendant's technology did not provide a ready means for retaining such communications). The court further noted that by the time the defendant installed software that was capable of saving these communications, it was unlikely that any chat room comments would have been pertinent to the lawsuit.
48
Convolve, Inc. v. Compaq Computer Corp., 223 F.R.D. 162, 177 (S.D.N.Y. 2004) (holding there was no duty to preserve wave forms on an oscilloscope by printing the screen each time a wave form was altered because the data was ephemeral in nature and it would have required heroic efforts far beyond those consistent with [the defendant's] regular course of business). The court observed a somewhat analogous situation arises with the use of Instant Messenger functions. 223 F.R.D. at 177 n.4. However, the court noted the question with IM was a close one because some IM programs have the capability, like e-mail, of storing messages and because such information is intended to be transmitted to others. Id.
49
Scott v. Beth Israel Medical Center, Inc., 847 N.Y.S.2d 436, 439–44 (N.Y. Supp. 2007) (holding no privilege attached to a physician's e-mails to his attorney in view of the hospital's e-mail policy). However, in Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892 (9th Cir. 2008), an employer's informal practice of not reviewing employees' text messages when the employees paid any monthly overage charge was sufficient to create a reasonable expectation of privacy in those messages notwithstanding a written policy to the contrary.


30.3.6 Identify and Evaluate System and Application Metadata

Organizations should also determine what additional electronic information their system embeds into its ESI. This is the phenomenon of metadata, defined as "data about data." Metadata is information generated by computer systems that cannot be seen when a document is displayed on a computer screen or when it is printed on paper.50 However, metadata is generated for every piece of data, document, or e-mail stored on or generated by a computer. Metadata may be discoverable if it is relevant to the claim or defense of one of the parties,51 and is subject to litigation hold requirements.52
Some forms of metadata may provide relevant information in litigation, such as when the authenticity of a document is questioned or if establishing who received what information and when is important to the claims or defenses of a party.53 There are different types of metadata, which vary in their potential importance to litigation and thus in their discoverability.
System metadata identifies the author of a document, the date it was created or modified, its title, subject and size, and the names of the persons who revised and/or last accessed the document. Application metadata reflects modifications to a document, such as prior edits or editorial comments, and includes data that instructs a computer how to display a document. Embedded metadata includes spreadsheet formulas, hidden columns, externally or internally linked files (such as sound files), hyperlinks, references and fields, and database information.54 Similar metadata fields exist for e-mails.
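How these categories appear inside a native file, as an added example that is not from the book: a Python inventory of a constructed, minimal .docx package, listing what a printout or image would not show. The mapping of OOXML parts to the chapter's metadata categories, and every sample name, date and sentence in the file, are assumptions made for illustration.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

# OOXML namespaces (standard values for .docx packages).
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"
NS = {"w": W, "cp": CP, "dc": DC, "dcterms": DCTERMS}


def build_sample_docx():
    """Constructed sample: a minimal .docx package, not a real record."""
    core = (f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCTERMS}">'
            '<dc:creator>J. Author</dc:creator>'
            '<cp:lastModifiedBy>R. Reviser</cp:lastModifiedBy>'
            '<cp:revision>7</cp:revision>'
            '<dcterms:created>2009-01-05T09:00:00Z</dcterms:created>'
            '<dcterms:modified>2009-02-11T16:30:00Z</dcterms:modified>'
            '</cp:coreProperties>')
    document = (f'<w:document xmlns:w="{W}"><w:body><w:p>'
                '<w:r><w:t>Incident summary: </w:t></w:r>'
                '<w:del w:author="R. Reviser" w:date="2009-02-11T16:25:00Z">'
                '<w:r><w:delText>dose was doubled in error</w:delText></w:r></w:del>'
                '<w:ins w:author="R. Reviser" w:date="2009-02-11T16:26:00Z">'
                '<w:r><w:t>dose was adjusted</w:t></w:r></w:ins>'
                '</w:p></w:body></w:document>')
    comments = (f'<w:comments xmlns:w="{W}">'
                '<w:comment w:id="0" w:author="Counsel" w:date="2009-02-10T10:00:00Z">'
                '<w:p><w:r><w:t>Confirm wording with risk management</w:t></w:r></w:p>'
                '</w:comment></w:comments>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()


def _attr(node, name):
    # WordprocessingML attributes are namespace-qualified.
    return node.get(f"{{{W}}}{name}")


def _joined(node, tag):
    return "".join(t.text or "" for t in node.iterfind(f".//{tag}", NS))


def inventory_metadata(docx_bytes):
    """Return the hash, document properties, tracked changes and comments
    of a .docx, plus the text a reader sees in the final view."""
    # For files of unknown origin, parse with a hardened XML parser
    # (for example the defusedxml package) instead of ElementTree.
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        doc = ET.fromstring(z.read("word/document.xml"))
        core = (ET.fromstring(z.read("docProps/core.xml"))
                if "docProps/core.xml" in names else None)
        comments = (ET.fromstring(z.read("word/comments.xml"))
                    if "word/comments.xml" in names else None)

    # Author, reviser and dates: what the chapter calls system metadata.
    properties = {}
    if core is not None:
        for key, path in (("author", "dc:creator"),
                          ("last_modified_by", "cp:lastModifiedBy"),
                          ("revision", "cp:revision"),
                          ("created", "dcterms:created"),
                          ("modified", "dcterms:modified")):
            node = core.find(path, NS)
            properties[key] = node.text if node is not None else None

    # Prior edits and editorial comments: application metadata.
    changes = []
    for kind, tag, text_tag in (("deletion", "w:del", "w:delText"),
                                ("insertion", "w:ins", "w:t")):
        for node in doc.iterfind(f".//{tag}", NS):
            changes.append({"kind": kind, "author": _attr(node, "author"),
                            "date": _attr(node, "date"),
                            "text": _joined(node, text_tag)})
    notes = []
    if comments is not None:
        for c in comments.iterfind("w:comment", NS):
            notes.append({"author": _attr(c, "author"),
                          "date": _attr(c, "date"),
                          "text": _joined(c, "w:t")})

    return {
        "sha256": hashlib.sha256(docx_bytes).hexdigest(),  # preservation record
        "properties": properties,
        "tracked_changes": changes,
        "comments": notes,
        # Deleted runs use w:delText, so w:t alone gives the final view.
        "visible_text": _joined(doc, "w:t"),
    }


if __name__ == "__main__":
    for key, value in inventory_metadata(build_sample_docx()).items():
        print(key, "=", value)
```

The deleted sentence and the comment appear in the inventory but not in `visible_text`, which is the gap between a native production and a printed or imaged one.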
While the metadata for standard documents or e-mails is readily available, with EHR systems the metadata for various data elements is not easily determined. Even some IT and HIM professionals have difficulty accurately pinpointing the metadata associated with various data types generated by EHR modules. There is no "properties" button for EHR systems that will reveal the metadata generated by the system or one of its applications. Where necessary, an organization should contact its system vendor(s) to identify the types of metadata created for different data types by various applications of the system. This is important because the production of ESI in its native state normally includes any metadata associated with the ESI.
50
The Sedona Conference Glossary for E-Discovery and Digital Information Management defines metadata as information about a particular data set or document which describes how, when and by whom it was collected, created, accessed, modified and how it is formatted. Can be altered intentionally or inadvertently. Can be extracted when native files are converted to image. Some metadata, such as file dates and sizes, can easily be seen by users; other metadata can be hidden or embedded and unavailable to computer users who are not technically adept. Metadata is generally not reproduced in full form when a document is printed.
51
Aguilar v. Immigration and Customs Enforcement Div., 2008 WL 5062700, *4 (S.D.N.Y. Nov. 21, 2008).
52
See, e.g., Williams v. Sprint/United Mgmt. Co., 230 F.R.D. 640 (D. Kan. 2005). However, several district courts have taken a more narrow approach to the discovery of metadata. In Wyeth v. Impax Laboratories, Inc., 248 F.R.D. 169 (D. Del. 2006), the court observed "Emerging standards of electronic discovery appear to articulate a general presumption against the production of metadata." Another district court observed "[i]n most cases and for most documents, metadata does not provide relevant information." Kentucky Speedway, LLC v. NASCAR, 2006 U.S. Dist. LEXIS 92028 at *24 (E.D. Ky. Dec. 28, 2006). See also Michigan First Credit Union v. Cumis Ins. Society, Inc., 2007 WL 4098213 at *3 (E.D. Mich. Nov. 16, 2007) (refusing to order production of metadata because it would be overly burdensome with no corresponding evidentiary value). Wyeth and Kentucky Speedway require a showing of a particularized need for metadata before it should be produced. Thus, hospitals should make every effort to preserve their metadata while resisting its production. Information as to how costly and burdensome it would be to produce the requested metadata should be presented to opposing counsel and the court.
53
Aguilar, 2008 WL 5062700 at *4.
54
Id. at *3–4 (discussing when and under what circumstances application metadata, system metadata, and embedded metadata may be discoverable). They are not treated the same by courts. "[T]he more interactive the application, the more important the metadata is to understanding the application's output." Williams, 230 F.R.D. at 647.



The audit trail feature of EHR systems will supply some of the same types of information that can be found in certain metadata fields. However, the audit trail is typically a separate feature of EHR systems and not generally considered part of the legal health record. Unlike metadata, audit trail information may not be included in the production of a patient's electronic record in its native state. But sophisticated plaintiff attorneys will request it.
30.3.7 Evaluate The Accessibility of ESI Repositories

The federal e-discovery rules recognize that the production of ESI from certain sources can be extremely costly and that the time and effort required to produce it may outweigh the marginal benefit gained by its production.55 The rules set up a two-tiered approach to the discovery of ESI. Rule 26 provides that parties should produce relevant, nonprivileged and readily accessible ESI. However, if a party can demonstrate producing ESI from other sources would be too burdensome, then it need not produce that ESI unless the requesting party can demonstrate good cause for its production.56
Neither the rules nor their accompanying notes explain what sources of ESI may be inaccessible under Rule 26. The note to Rule 26(b)(2) explains, "it is not possible to define in a rule the different types of technological features that may affect the burden and costs of accessing [ESI]."57 However, the Standing Committee Report58 issued prior to the passage of the federal e-discovery rules provides some guidance. The report identifies three sources of ESI that may be inaccessible: examples under current technology include deleted information, information kept on some backup-tape systems for disaster recovery purposes59 and legacy data60 remaining from systems no longer in use.
Accordingly, organizations should proactively review all aspects of an EHR system to determine if any sources of ESI would qualify as inaccessible, outlining the steps required to restore, process, and produce ESI from those sources, including the hours and costs involved. That information can support an argument that it would be unduly burdensome and/or costly to produce ESI from those sources.

55
See, e.g., Petcou v. C.H. Robinson Worldwide, Inc., 2008 WL 54284 *2 (N.D. Ga. Feb. 25, 2008) (holding the burden and expense of the proposed discovery outweighed its likely benefit where the discovery requests were overbroad and it would cost hundreds of thousands of dollars to respond).
56
Fed. R. Civ. P. 26(b)(2)(B).
57
Fed. R. Civ. P. 26(b)(2) advisory committee's note.
58
Report of the Judicial Conference Committee on Rules of Practice and Procedure to the Chief Justice of the United States and Members of the Judicial Conference of the United States, reprinted in The New E-Discovery Rules, Dahlstrom Legal Publishing (2007) at p. 15.
59
The data on backup tapes is typically compressed. Compression permits more data to be stored on tape but also makes restoration of the tape time-consuming. In addition, data on backup tapes is typically recorded and stored sequentially and is not electronically searchable. This means that to locate a particular file or an e-mail on a backup tape, all of the preceding information on the tape must be reviewed. These features make finding specific data or information on backup tapes extremely costly and explain why backup tapes may be an inaccessible source of ESI. Zubulake I, 217 F.R.D. at 314; see also Zubulake IV, 220 F.R.D. at 218 ("As a general rule, the litigation hold does not apply to inaccessible backup tapes, e.g., those typically maintained solely for the purpose of disaster recovery which may continue to be recycled on the same schedule set forth in the company's policy").
60
Determine if backup tapes are used for anything other than disaster recovery. If information is periodically pulled from backup tapes for routine business purposes, it is unlikely a court would view those tapes as inaccessible under Rule 26(b)(2)(B).


30.4 The Federal Rules Approach to E-Discovery

The federal e-discovery rules do not change the basic parameters of discoverability. Rather, they
target the unique nature of ESI. This section addresses the rules relating to ESI.
30.4.1 Early Attention to Electronic Discovery

Rule 16(b)(2) requires that a district court issue a scheduling order no later than 120 days after a defendant has been served or 90 days after any defendant has appeared.61 Rule 26(f)(1) requires that the parties confer no later than 21 days before that scheduling order is due.62 At that conference, Rule 26(f)(3) mandates that the parties specifically address issues involving the presentation and discovery of ESI, including the forms in which it will be produced. The parties are also required to discuss issues involving claims of privilege or work product. If they can agree on a procedure to assert privilege or work product after the inadvertent production of confidential information, they must ask the court to include their agreement in an order.63
This means outside counsel must be prepared to discuss e-discovery issues within 99 days of service on the client to meet the rules' deadlines. Counsel will need to meet with a hospital's IT or HIM staff early on to learn the nuances of its EHR and e-mail systems. Developing a data map before litigation occurs will decrease the amount of time IT or HIM staff will need to spend studying the system and familiarizing their counsel with its intricacies.
30.4.1.1 Topics for the Initial Rule 26(f) Conference

The specific topics addressed at an initial Rule 26(f) conference may vary depending on the nature of the claim asserted, the client's information and e-mail systems, the approach taken by opposing counsel on e-discovery and the district court's local rules.64 The Advisory Committee Notes to Rule 26(f) explain that the issues addressed at the initial scheduling conference may depend upon the nature of the parties' information systems, also emphasizing that it is important for counsel to become familiar with those systems before the conference.65 Counsel should be prepared to address the following topics:

• the scope of any ESI request including the types of data, subject matters, custodians, time frames, electronic search capability, and metadata;

• ESI production format(s); the pros and cons of producing ESI in those forms; whether ESI will be produced natively or in another form; if in an imaged format any specific metadata fields to be loaded in the image if metadata is requested;

61
Fed. R. Civ. P. 16(b)(2) (formerly Fed. R. Civ. P. 16(b)).
62
Fed. R. Civ. P. 26(f)(1) (formerly Fed. R. Civ. P. 26(f)).
63
Fed. R. Civ. P. 26(f)(3)(D)–(E) (formerly Fed. R. Civ. P. 26(f)(3)-(4)).
64
A number of federal districts have developed their own local rules addressing e-discovery that can impose requirements beyond those specified in the federal rules. The District of Delaware, for example, requires the parties to exchange information prior to their initial Rule 26(f) conference including: the name of the person who will serve as that party's e-discovery liaison, the name of the person who is responsible for the party's document retention policies, the most likely custodians of relevant electronic information and notice of any problems reasonably anticipated to arise in connection with e-discovery. Accordingly, the local rules for the district court where the lawsuit was filed should always be consulted for additional e-discovery obligations that they may impose.
65
Fed. R. Civ. P. 26(f) 2006 Amendment Advisory Committee Notes.



• the costs and burdens of producing ESI from the various sources; whether any sources are inaccessible and whether the requesting party is willing to pay any portion of the costs of producing ESI from those sources;

• strategies for limiting duplicative and irrelevant data or e-mails such as de-duplication, keyword searches, filtering by file type, custodians, or date ranges;

• exception reports; the review, processing, and production of password protected, encrypted, or corrupted data and data with unrecognizable file extensions;

• nonwaiver agreements and whether an agreement can be included in a court order;

• steps taken to preserve ESI and the adequacy of those measures;

• whether there is any need to preserve backup tapes or legacy data; and

• anticipated problems producing any sources of ESI and any unique features of the client's information systems.

30.4.1.2 Initial Disclosures


Rule 26(a) requires that a party provide a copy or description by category and location of all ESI that it has in its possession or under its custody or control that it may use to support its claims or defenses.66 Neither the rule itself nor its accompanying note explains what information a party must provide to comply with Rule 26(a)'s disclosure requirement. However, one treatise addressing the issue explains:
"If electronically stored information is involved, the disclosing party should identify the nature of its computer system – including its backup system, network system and e-mail system – as well as any software applications as part of its initial disclosure obligation."67
Rule 26 generally requires that a party make its initial disclosures at or within 14 days after the Rule 26(f) conference unless a different time is set by stipulation or court order.68 A data map and inventory of the organization's EHR, e-mail, and data storage systems will reduce the burden of meeting these deadlines.
30.4.2 Proportionality and Scope of E-Discovery: Accessibility

Rule 26(b)(1) permits discovery regarding any non-privileged matter that is relevant to any party's claim or defense.69 It defines the concept of relevancy for discovery purposes broadly: "Relevant information need not be admissible at trial if the discovery appears reasonably calculated to lead to the discovery of admissible evidence."70 Rule 26, however, attempts to limit the scope of e-discovery by setting up a two-tier system for ESI.

66
Fed. R. Civ. P. 26(a)(1)(A)(ii) (formerly Fed. R. Civ. P. 26(a)(1)(B)).
67
J. M. Moore, Moore's Federal Practice § 37A.21[1] (3d. Ed., 2005).
68
Fed. R. Civ. P. 26(a)(1)(C) (formerly Fed. R. Civ. P. 26(a)(1)).
69
Fed. R. Civ. P. 26(b)(1).
70
Id.



Once a party has determined that ESI from one or more sources is inaccessible, it has no obligation to determine if relevant information may be stored there. A party merely has to identify, by category or type, the sources containing potentially responsive information that it is neither searching nor providing.71 When drafting a letter identifying an inaccessible source of ESI, counsel should explain in detail the burdens and costs of producing ESI from that source.72 The party asserting inaccessibility bears the burden of proving it.73
Rule 26 nonetheless permits a court to order discovery from those sources if the requesting party shows good cause, considering the limitations of Rule 26(b)(2)(C).74 An organization's failure to impose a litigation hold and the resulting loss of ESI from an accessible source is a factor that may lead a court to find good cause to order production of that information from an inaccessible source.75
Rule 26(b)(2)(C) permits a court to limit the scope of discovery otherwise allowed where:

• the discovery sought is unreasonably cumulative or duplicative;
• the discovery can be obtained from another more convenient, less burdensome or less expensive source;
• the party seeking discovery has had ample opportunity to obtain the information through discovery in the action; and
• the burden or expense involved outweighs its likely benefit when considering the needs of the case; the amount in controversy; the party's resources; the importance of the issues at stake; and the importance of discovery in resolving those issues.76

The note to Rule 26(b)(2) explains that in addition to Rule 26's proportionality principles, additional factors should be considered in determining whether to allow discovery from an inaccessible source:

• the specificity of the discovery request;
• the amount of information available from other sources;
• the likelihood of finding relevant information that cannot be obtained elsewhere;
• whether relevant ESI may have existed but is no longer available from other sources; and
• the importance and usefulness of the information.77

71
Fed. R. Civ. P. 26(b)(2)(B) 2006 Amendment advisory committee notes.
72
The advisory committee note to Rule 26(b)(2)(B) explains, "The identification should, to the extent possible provide enough detail to enable the requesting party to evaluate the burdens and costs of providing the discovery and the likelihood of finding responsive information on the identified sources."
73
See, e.g., Trinos v. Quality Staffing Servs. Corp., 250 F.R.D. 696, 698–99 (S.D. Fla. 2008) (explaining courts should only limit discovery based on evidence of the burden involved, not on a mere recitation that the discovery request is unduly burdensome).
74
Id.
75
Disability Rights Counsel of Greater Wash. v. Wash. Metro. Transit Auth., 242 F.R.D. 139, 148 (D.D.C. 2007) (ordering production of e-mails from backup tapes where defendants failed to suspend a feature of their e-mail program that automatically deleted e-mails every 60 days).
76
Fed. R. Civ. P. 26(b)(2)(C)(i)–(iii). See also Best Buy Stores, L.P. v. Developers Diversified Realty Corp., 247 F.R.D. 567, 571 (D. Minn. 2007) (refusing to order production of information from an inaccessible database absent a showing that the information on that database could not be found on a more accessible source).
77
Fed. R. Civ. P. 26(b)(2) 2006 Amendment Advisory Committee Notes.



The rules contemplate that some circumstances will require focused discovery on these factors
before a court can address whether ESI from an inaccessible source should be produced and/or whether
any portion of the cost of its production should be shifted to the requesting party. Rule 34(a)(1) now
permits a test or sampling of information sought in discovery.78 Courts have ordered that samples of
inaccessible sources, such as backup tapes, be analyzed before addressing whether ESI from those
sources should be produced.
30.4.3 Forms of E-Discovery Production

Rule 34 permits a party requesting the production of ESI to specify the form in which ESI will be produced.79 One of the ways e-discovery can be produced is in its native application or native state. The term "native," when used in an e-discovery context, simply refers to the program or file format in which the ESI was created. In other words, producing a WordPerfect document in its native state would require production in a WordPerfect format.
30.4.3 Production in Native State versus an Imaged Format

The two primary options for producing information electronically are natively or in an imaged
format. An organization should be aware of the advantages and risks of each form and should decide
on its preferred format before the initial Rule 26(f) scheduling conference.
30.4.4 Native State

The pros and cons of producing ESI in its native state include:

• a native document cannot be redacted or Bates stamped and can be altered;

• native files contain metadata and can include embedded comments, tracked changes, and formulas used to create spreadsheets;

• viewing a document produced natively requires the same software used to create it or specialized software such as Quick View Plus;

• native production is less costly than imaged formats; and

• it can be difficult to electronically search a large volume of documents in their native state unless database software is used with optical character recognition (OCR) or extracted text.

30.4.5 Imaged Format

The most common imaged formats used in the production of ESI are the portable document format (PDF) and tagged image file format (TIFF). The pros and cons of producing ESI in an imaged format include:

• imaged documents can be redacted and Bates stamped and cannot be altered;

• metadata, embedded data, and tracked changes do not accompany the document unless a load file with specific metadata fields is added to the image;

78
Fed. R. Civ. P. 34(a)(1).
79
Fed. R. Civ. P. 34(b)(1)(C) (formerly Fed. R. Civ. P. 34(b)).



• imaged documents can be electronically searched if extracted text or OCR is added to the image;

• it is more costly and takes longer to produce imaged documents; and

• imaged documents can be readily used with litigation support tools.

When redacting an imaged document, remember that it has several layers. Beneath the imaged
layer is a text file. If only the imaged layer is redacted and the underlying text file is not, the confidential information can still be readily obtained.
30.4.6 Rule 34's Provisions on Data Forms

Rule 34 specifies that where an objection is made to the requested production format or where no
form is specified in a discovery request, the responding party must specify the format it intends to use
when producing ESI.80 This provision is intended to encourage the resolution of production disputes
before the production of any ESI occurs. The note to Rule 34 explains that a party producing ESI in
a form of its choice, without identifying that form in advance of the production runs a risk that the
requesting party can show that the produced form is not reasonably useable and that it is entitled to
production of some or all of the information in an additional form.81
Additionally, if the responding party ordinarily stores ESI in a way that makes it searchable by electronic means, the information should not be produced in a form that removes or significantly degrades this feature.82 This, however, presupposes that a dispute has triggered the duty to preserve ESI. In the absence of a litigation hold and/or a duty to preserve information, an organization can handle ESI in accordance with its established and routine document practices.83
Rule 34 recognizes that parties frequently store different types of ESI in different formats and
acknowledges that it may be unduly burdensome to require a responding party to produce all ESI in
the same format. Therefore, the rule permits the production of different data types in different formats,
but only requires the production of the same ESI in one format.84 In other words, a party does not need
to print out a report on paper and then produce it as a TIFF image.
30.4.7 Safe Harbor Against Inadvertent Loss of ESI

The federal e-discovery rules contain a provision, Rule 37(e), that some have described as a safe harbor against discovery sanctions.85 However, the rule is more like a wading pool than a safe harbor.86 While
at first blush Rule 37(e) may sound impressive, there are at least four exceptions built into the rule.
80
Fed. R. Civ. P. 34(b)(2)(D) (formerly Fed. R. Civ. P. 34(b)).
81
Fed. R. Civ. P. 34(b) Advisory Committee Note.
82
Aguilar, 2008 WL 5062700 at *5, quoting Fed. R. Civ. P. 34(b)'s Advisory Committee Note.
83
See, e.g., Oxford House, Inc. v. City of Topeka, 2007 WL 1246200 at *3–4 (D. Kan. Apr. 27, 2007).
84
Fed. R. Civ. P. 34(b)(2)(E)(iii) (formerly Fed. R. Civ. P. 34(b)(iii)).
85
Rule 37(e) provides, "Absent exceptional circumstances a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good faith operation of an electronic information system." Fed. R. Civ. P. 37(e) (formerly Fed. R. Civ. P. 37(f)).
86
Oklahoma ex rel. Edmonson v. Tyson Foods, Inc., 2007 WL 1498973 at *6 (N.D. Okla. May 17, 2007) ("The Court further advises the parties that they should be very cautious in relying upon any safe harbor doctrine as described in new Rule 37(f)").



Its opening phrase, "absent exceptional circumstances," recognizes that courts may impose sanctions for egregious discovery violations. Rule 37(e) is also limited to sanctions imposed under the rules, and does not limit a court's ability to sanction parties under its inherent authority.87 Moreover, Rule 37(e) only protects against the loss of ESI resulting from the routine operation of a computer system.88 Obviously, it does not protect against the deliberate or intentional deletion or destruction of ESI. Finally, the rule incorporates a good-faith standard. The note to Rule 37(e) explains that good faith requires a party's intervention to modify or suspend certain features of routine operation to prevent the loss of information, if that information is subject to a preservation obligation.89 While the federal rules do not specify when or under what circumstances a litigation hold should be imposed, Rule 37(e)'s good-faith requirement is a back-door attempt at imposing such a requirement.
30.4.8 Obligation to Preserve Inaccessible ESI

One of the remaining conundrums under the federal e-discovery rules is whether a party has a duty to preserve ESI from sources that it has designated as inaccessible. The note for Rule 26(b)(2) crystallizes the issue:
"A party's identification of sources of electronically stored information as not reasonably accessible does not relieve the party of its common-law or statutory duties to preserve evidence. Whether a responding party is required to preserve and search sources of potentially responsive information that it believes are not reasonably accessible depends on the circumstances of each case. It is often useful for the parties to discuss this issue early in discovery."90
The note sends a clear signal that parties should attempt to reach an accommodation on this issue
whenever possible. Where an agreement with counsel cannot be reached addressing preservation of
inaccessible sources of ESI, the safest course is to bring a motion for a protective order spelling out
why it would be unduly burdensome to preserve ESI from those sources.
30.4.9

Inadvertent Waiver of Privilege

The inadvertent production of a privileged document is a specter that haunts every document
intensive case.91 E-discovery accentuates the problem because few organizations have the foresight
to segregate confidential ESI immediately into a privilege folder. The volume of ESI that needs to be
reviewed increases the risk that privileged information could be inadvertently produced. The federal
e-discovery rules provide several options to address this issue, none of which is completely satisfactory. Accordingly, sound risk management programs will hopefully address that issue prospectively
with an early review of ESI or, more globally, by tagging privileged documents at the start. The Rules
provide several mechanisms to protect the producing party, but none can retrieve or protect the
information with any certainty.

87
Id., Chambers v. NASCO, Inc., 501 U.S. 32, 46 (1991) (addressing a court's inherent authority to award sanctions);
Fed. R. Civ. P. 37 Advisory Committee's notes for the 2006 Amendment: "The protection provided by Rule 37(f) applies
only to sanctions 'under these rules.' It does not affect other sources of authority to impose sanctions or rules of professional responsibility." See also Phoenix Four, Inc. v. Strategic Resources Corp., 2006 WL 1409413 at *7 (S.D.N.Y. May
23, 2006) (entering monetary sanctions under the court's inherent authority for the untimely production of electronic
documents).
88
See, e.g., Healthcare Advocates, Inc. v. Harding, Earley, Follmer & Frailey, 497 F.Supp.2d 627, 641 (E.D.Pa., 2007)
(addressing the automatic deletion of temporary cache files by a computer and a refusal to impose sanctions because the
temporary files were automatically deleted by the computer system before the defendants had any reason to believe that
litigation was likely to occur).
89
Fed. R. Civ. P. 37 Advisory Committee Notes.
90
Fed. R. Civ. P. 26(b)(2) 2006 Amendment Advisory Committee Notes.
91
Federal Deposit Ins. Co. v. Marine Midland Realty Credit Corp., 138 F.R.D. 479, 479-80 (D.C. Va. 1991).

30.4.9.1 Procedure for Asserting Privilege After Its Disclosure
Rule 26(b)(5)(B) creates a procedure for asserting privilege or work-product after production has
occurred.92 Rule 26(b)(5)(B) is not limited to ESI; it applies to any form of confidential information.
Unfortunately, the rule provides no real protection because it does not address the substantive question
of whether privilege or work-product has been waived through the inadvertent production of confidential information.93 Rule 26(b)(5)(B) merely provides a new procedure for presenting and addressing
these issues.94 Depending upon the jurisdiction's approach to inadvertent waiver,95 Rule 26(b)(5)(B)
may provide no benefit to a party that inadvertently produced privileged information. The rule also
does not address subject-matter waiver, where the production of a single privileged document results
in a waiver of privilege as to all other documents concerning that subject matter.96
92
The rule provides that if information produced in discovery is subject to a claim of privilege or work product, the party
claiming the privilege must notify the party receiving the information of the basis for its privilege assertion. After being
notified, the receiving party must either return, sequester or destroy the information and may not use or disclose the information until the claim of privilege is resolved. The party which received the privileged material must also take reasonable
steps to retrieve that information from any third parties to whom it forwarded the information before being notified. The
party which received the privileged information is also permitted to present the information to the court under seal for a
determination of the privilege claim. Fed. R. Civ. P. 26(b)(5)(B).
93
Stanley, Inc. v. Creative Pipe, Inc., 250 F.R.D. 251, 258 n.5 (D. Md. 2008) (the recently adopted rules of civil procedure relating to ESI do not effect any change in the substantive law of privilege waiver).
94
See Fed. R. Civ. P. 26(b)(5)(B) 2006 Amendment Advisory Committee Notes: "Rule 26(b)(5)(B) does not address
whether the privilege or protection that is asserted after production was waived by the production."
95
The law on privilege waiver varies between jurisdictions. There are three approaches generally taken as to whether
an inadvertent disclosure waives privilege. Under one approach, because a waiver involves the intentional relinquishment of a known right, the inadvertent disclosure of privileged information rarely, if ever, constitutes a waiver. See, e.g.,
Mendenhall v. Barber-Greene Co., 531 F. Supp. 951, 954 (N.D.Ill. 1982). Many of the decisions following this approach
also note that the privilege can only be waived by the client, and an attorney's inadvertent production cannot constitute a
waiver. At the other extreme, some courts have concluded that once the production of privileged information has occurred,
no matter how inadvertent, the privilege has been waived. Under that view, there is no way to restore confidentiality to a
document once it has been disclosed. See, e.g., Carter v. Gibbs, 909 F.2d 1450, 1451 (Fed. Cir. 1990); Fed. Deposit Ins.
Corp. v. Singh, 140 F.R.D. 252, 253 (D.Me. 1992). It appears that a majority of courts follow an intermediate balancing
approach which involves a review of multiple factors to determine if a party acted reasonably to protect the privilege under
the circumstances presented. See, e.g., United Investors Life Ins. Co. v. Nationwide Life Ins. Co., 233 F.R.D. 483, 489-90
(N.D.Miss. 2006); Bud Antle, Inc. v. Grow-Tech, Inc., 131 F.R.D. 179, 183 (N.D.Cal. 1990).
96
See In re Sealed Case, 877 F.2d 976 (D.C.Cir. 1989) (holding inadvertent disclosure of privileged documents in discovery triggered a subject matter waiver).

30.4.9.2 Nonwaiver Agreements and Court Orders
Rule 26(f)(3)(D) requires parties to discuss their views and proposals on claims of privilege or
work-product at the initial Rule 26(f) scheduling conference and provides, if the parties agree on a
procedure to assert these claims after production, whether to ask the court to include their agreement in
a court order.97 Rule 26(f)(3)(D) encourages parties to consider entering into nonwaiver agreements:
clawback98 or quick peek99 agreements.
Rule 16(b) authorizes district courts, when requested by the parties, to include any agreements for
asserting claims of privilege or work product in a scheduling order.100 While nonwaiver agreements are
generally enforceable between the parties, that view is not universally held.101 Where, however, a nonwaiver agreement is incorporated into a court order, it would be enforceable between the parties.102
Another problem with nonwaiver agreements is that they provide no protection as to third parties.103
Litigants in other lawsuits are not bound by a nonwaiver agreement and can obtain the privileged
information once it has been disclosed. However, several district courts have held that when a nonwaiver agreement is included in a court order, that order may protect a party against claims by third
parties that the inadvertent production constituted a waiver of privilege. The courts' rationale is that a
judicially compelled disclosure of otherwise privileged information is not a waiver of any privilege
that could be claimed.104 This approach was adopted in F.R.E. 502, discussed immediately below.
Accordingly, counsel should always strive to include a nonwaiver agreement in a court order.
30.4.9.3 Federal Rule of Evidence 502
On September 19, 2008, Rule 502 was added to the Federal Rules of Evidence.105 It provides
additional protection against the inadvertent waiver of attorney-client privilege and work product.
It applies in all proceedings commenced after its enactment and, insofar as it is just and practicable,
in all proceedings pending on the date of its enactment.106

97
Fed. R. Civ. P. 26(f)(3)(D).
98
In a clawback agreement, the parties agree that the producing party will take reasonable measures to screen materials
for privilege, but that if a privileged document is inadvertently produced, that disclosure will not constitute a waiver of
privilege. The agreements usually specify that when the receiving party is notified, all copies of privileged documents and
any notes pertaining to those documents will be returned. Typically, these agreements permit the party returning the documents to challenge the claim of privilege or work product on grounds other than it has been waived.
99
With quick peek agreements, the parties agree to make materials available for review by opposing counsel without
conducting any prior privilege review. The party producing the information only reviews for privilege those materials that
the opposing counsel has designated for production. Because these agreements are not enforceable against third parties and
because production of information without any prior review could be viewed as an intentional waiver of privilege, quick
peek agreements should be avoided whenever possible. As one district court cautioned, it would be unwise to assume that
such agreements will excuse parties from undertaking any pre-production privilege review, or doing less of a pre-production
review than is reasonable under the circumstances. The district court further explained: "The better approach is to assume
that complete pre-production privilege review is required unless it can be demonstrated with particularity that it would be
unduly burdensome or expensive to do so." Hopson v. Mayor of Baltimore, 232 F.R.D. 228, 244 (D. Md. 2005).
100
Fed. R. Civ. P. 16(b)(3)(B)(iv), formerly Fed. R. Civ. P. 16(b)(6).
101
See Ciba-Geigy, 916 F. Supp. at 411-12 (applying an intermediate balancing approach and finding a waiver of privilege occurred notwithstanding a clawback agreement).
102
See, e.g., Prescient Partners, L.P. v. Fieldcrest Cannon, Inc., 1997 WL 736726 at *4 (S.D.N.Y. Nov. 26, 1997); In re
Southeast Banking Corp. Sec. & Loan Loss Reserves Litig., 212 B.R. 386, 394 (S.D. Fla. 1997).
103
See, e.g., In re Qwest Comm. Int'l, Inc., 450 F.3d 1179, 1186-89 (10th Cir. 2006). While the Eighth Circuit has recognized the concept of the selective waiver of privilege, other circuits have rejected that approach.
104
See Equity Analytics, 2008 WL 615528 at *3, citing Hopson, 232 F.R.D. at 232.
105
The text of Rule 502 can be found at the United States Courts website at www.uscourts.gov. Rule 502 does not alter
federal or state law on whether material is protected by attorney-client privilege or the work-product doctrine. It only
addresses waivers by disclosure and does not alter existing law on common-law waiver doctrines such as reliance on advice
of counsel or the impact that a malpractice claim has on the waiver of privilege. The Rule is limited to attorney-client privilege and work-product protection and does not address waiver of any other type of evidentiary privilege. The Rule also does
not address the issue of selective waiver, where the provision of privileged or confidential information to the government
in a criminal or regulatory investigation does not constitute a waiver for all purposes in any subsequent proceeding.

Rule 502(b) adopts the intermediate balancing approach to inadvertent waivers of privilege.
It provides that if the inadvertent disclosure of information covered by attorney-client privilege or
work-product protection occurs in a federal proceeding or is made to a federal office or agency, that
disclosure does not constitute a waiver in any other federal or state proceeding if the holder of the
privilege: (1) took reasonable steps to prevent such a disclosure before it occurred;107 and (2) took
reasonably prompt steps to retrieve the mistakenly disclosed information.
Rule 502(d) provides that if a federal court enters a nonwaiver order, then the disclosure of privileged information in that proceeding does not constitute a waiver in any other federal or state-court
proceeding. Moreover, unlike with Rule 26(f)(4), the agreement of the parties is not a prerequisite to
the entry or enforceability of such an order under Rule 502(d).
Rule 502 has limited applicability when the inadvertent disclosure initially occurs in a state-court
proceeding, and there is no state-court order addressing the issue. In that scenario, Rule 502(c) provides that an inadvertent disclosure does not operate as a waiver in a subsequent federal proceeding if
the disclosure does not constitute a waiver under Rule 502 or if it does not constitute a waiver under
the law of the state where the disclosure occurred. In other words, Rule 502(c) requires a comparison
of the applicable state and federal law on privilege and applies the law that is more protective of
privilege and work product. Where a state-court order provides that the disclosure of privileged information does not constitute a waiver, it would be enforceable in a subsequent federal court proceeding
by virtue of 28 U.S.C. § 1738.
As originally drafted, Rule 502 provided a uniform waiver rule in both state and federal court,
irrespective of where the disclosure occurred. That aspect of the rule drew strong objections and was
removed from the final version passed by Congress. Thus, Rule 502 does not address whether the
disclosure of privileged information in one state-court proceeding can be used in other state-court proceedings. That issue is still governed by state law. Rule 502 emphasizes the need to include nonwaiver
provisions in court orders whenever possible.

106
See Pub. L. No. 110-322, 122 Stat. 3537 (2008); Rhoads Industries, Inc. v. Building Materials Corp. of America,
254 F.R.D. 216, 218 (E.D.Pa. 2008) (applying F.R.E. 502 in a case where the inadvertent production occurred before the
rule's enactment). However, the district court in Rhoads concluded that a waiver had occurred because the party that inadvertently produced the information failed to timely provide a privilege log as required by Rule 26(b)(5). Id. at 226.
107
The district court in Rhoads, 254 F.R.D. at 222, cited with approval the explanatory note to Rule 502 which provides:
"A party that uses advanced analytical software applications and linguistic tools in screening for privilege and work product
may be found to have taken reasonable steps to prevent inadvertent disclosure. The implementation of an efficient system
of records management before litigation may also be relevant." The court in Rhoads went on to note that the retention of a
consultant who recommended and used a fairly sophisticated screening device to search for privileged documents showed
substantial compliance with Rule 502's requirement that reasonable care be taken to prevent the inadvertent disclosure
from occurring. Id.

30.4.10 Non-Party Discovery: Subpoenas

Healthcare entities possess patients' health information, which is often relevant to a myriad of
disputes that do not involve the entity itself. Personal injury claims, divorces, child custody cases,
and custodial matters are just a few examples of the outside disputes in which parties will request or
subpoena ESI. Any organization must properly address the production of ESI to third parties in the
normal course of its business.
The federal e-discovery rules also address discovery from third parties. The various e-discovery
provisions found in Rules 26(b) and 34(b) were also woven into the fabric of Rule 45. Rule 45(c)(2)(B)
permits a party receiving a subpoena to file a written objection to producing ESI in the format specified in the subpoena, the same type of objection that can be made to a production request under Rule
34(b)(2). Rule 45(d)(1)(B) also incorporates Rule 34(b)(2)(E)(ii)'s requirements as to the forms of
production: where a subpoena does not specify any form, the person responding must produce ESI
in the form in which it is ordinarily maintained or in a reasonably useable form. Additionally, Rule
45(d)(1)(C) incorporates Rule 34(b)(2)(E)(iii)'s "one form of production" rule: a party responding to
a subpoena need not produce the same ESI in more than one form.
Just as with Rule 26(b), a party responding to a subpoena need not produce ESI from inaccessible
sources.108 The same burden-shifting approach found in Rule 26(b)(2)(B) is incorporated into Rule
45. The subpoenaed party has the initial burden of demonstrating that the production of ESI would
be unduly burdensome, but a court may still order discovery from those sources if the issuing party
can show good cause.109 The procedures under Rule 26(b)(2)(B) and Rule 45(d)(1)(D) are virtually
identical.
30.4.10.1 Protection from Significant Expense
Several provisions of the federal rules which predate the e-discovery amendments protect non-parties from undue expense when responding to a subpoena. The e-discovery rules augment the
protection available to non-parties.
Rule 45(c)(1) obligates the party issuing a subpoena to take reasonable steps to avoid imposing
undue burden or expense on the party receiving the subpoena. The rule also provides that a court
must enforce this rule and impose an appropriate sanction on a party or attorney who fails to comply.110
Additionally, if the party receiving a subpoena serves a written objection before the time specified
for compliance or within 14 days after the subpoena was served, whichever is earlier, Rule 45(c)(2)(B)(ii)
mandates that any subsequent court order must protect the party receiving the subpoena from
significant expense resulting from compliance.111
No court has examined the interplay between Rule 45(c)(2)(B)(ii)'s rule involving protection
against significant expense and Rule 45(d)(1)(D)'s protection against producing information that
is not reasonably accessible. However, given Rule 45(c)(2)(B)(ii)'s mandatory language, it should
protect a non-party responding to a subpoena against significant expense even for ESI that is readily
accessible.

108
See Fed. R. Civ. P. 45(d)(1)(D).
109
See Fed. R. Civ. P. 45(c)(3)(A)(iv); 45(d)(1)(D).
110
Fed. R. Civ. P. 45(c)(1) (emphasis added).
111
Fed. R. Civ. P. 45(c)(2)(B)(ii) (emphasis added).

30.5 Commentary

The advent of the e-discovery rules has made IT and HIM departments more important than
ever before. E-discovery rules highlight the need for legal counsel to work closely with a
hospital's IT and HIM staffs.

Hospitals will need to explain their EHR and e-mail systems. Rule 30(b)(6) depositions of
the person(s) most knowledgeable about those systems are a staple of federal-court litigation.
Therefore, hospitals should carefully identify the person(s) best suited for that task. In those
jurisdictions that require parties to designate an e-discovery liaison, the same person can also
fill that role.

It is common to delegate discovery tasks to less experienced personnel. However, the complexity of e-discovery argues against that approach. Courts have imposed sanctions for
e-discovery blunders committed by inexperienced staff charged with critical tasks without
adequate supervision.112

When the use of an outside e-discovery consultant is required, exercise due diligence in making that selection. Courts have held parties responsible for their vendors' mistakes.113

Before selecting an e-discovery vendor, critically analyze the nature of the services required
and the project's scope. Is data collection, storage, review and/or production (i.e., litigation support) needed, or is data recovery or forensic expertise required? Many vendors have recently
entered the market and while many may claim to offer a full range of e-discovery services, in
fact, they may specialize in specific areas and subcontract the other services they offer.

Once an organization has identified the nature of the services required and the scope of the discovery-support project, consider issuing a request for information (RFI). Obtain information
about the vendor's background, experience, past projects, and specific areas of e-discovery
expertise. Ask for technical literature, case studies or any other information that might shed
light on the vendor's credentials. Ask for client references and contact them. Determine the
person(s) who will be assigned to your e-discovery project and review his or her qualifications.
Ask for and evaluate the vendor's capability to timely complete the project and ability
to meet any unique requirements.114

112
See, e.g., Danis, 2000 WL 1694325 at 83741 (imposing a $10,000 sanction for delegating the preservation of ESI
to an inexperienced general counsel who did not know how to devise and manage document preservation). In Danis,
the court explained a company must see to it that the person(s), whether inside or outside the company, given the task
[of implementing a document preservation plan] have the ability to perform the task. Id. at *40; Cardenas v. Dorel Juvenile Group, 2006 WL 1537394 at *9-10 (imposing sanctions for a paralegal's failure to timely locate critical responsive
documents because she was unaware the company's accounting department maintained the particular files, explaining
"[p]arties cannot be permitted to jeopardize the integrity of the discovery process by engaging in halfhearted and ineffective efforts to identify and produce relevant documents"); In re Seroquel Products Liability Litigation, 244 F.R.D. at 660
n.6 (criticizing defendants' search for relevant electronic data, and finding the decision to offer testimony about the search
methodology from a junior level attorney, only somewhat versed in technical issues and one who came late to the process
is puzzling).
113
In re: Seroquel Products Liability Litigation, 244 F.R.D. at 664 (a party is responsible for the errors of its
vendors).

30.6 Conclusion

Enterprise risk management must evolve to meet the new technological risks that EHR systems
and e-discovery present. Risk management programs must accomplish this seemingly daunting task to
remain effective in today's digital era. Healthcare organizations that master the nuances of their EHR
systems and the intricacies of the e-discovery rules can control the risks that they present.
30.7 References

There are a number of valuable e-discovery resources available online. The Sedona Conference
is a leading resource on e-discovery and its publications outline best practices to follow. Its publications are available at www.thesedonaconference.org. Several e-discovery vendors also have useful
materials available online. Kroll Ontrack has compiled hundreds of pages of e-discovery case summaries organized by jurisdiction and by topic on its web site at www.krollontrack.com. Another useful
site is www.discoveryresources.org sponsored by Fios, Inc. Other helpful resources include www.law.com
and www.abanet.org.

114
The Sedona Conference Working Group Series has published an excellent resource that outlines the substance of a
strong vendor selection process: Best Practices for the Selection of Electronic Discovery Vendors: Navigating the Vendor
Proposal Process, (June 2007 Version) that can be downloaded from its website.
