Bryan A. Liang, MD, PhD, JD



Patient safety has assumed a prominent role in medicine since the Institute of Medicine Report was released in November 1999.[1] Recognition of medical error as the predominant mechanism by which patients in the United States [1] and around the world [2,3,4] are injured provides an extremely important insight into the operation of the medical care delivery system. This recognition may result in improvements within the systems of delivery and minimization of the emotional and financial toll caused by iatrogenic injury.

Critical to progress in patient safety is the participation of key providers. Patient injury results in as many as 98,000 deaths annually in the inpatient setting alone; further, mental health patients are often among the most vulnerable, and may be at particular risk of harm associated with medical errors. Since psychologists work in significant and diverse areas directly associated with safety, from suicide risk evaluation and medication administration to delivery system improvements and other areas, they must be part of the team approach to improving safety and to reporting and analyzing medical errors.

Although professional ethics and professional performance improvement are perhaps the most important reasons for participating in patient safety activities, there are also legal mandates - and accompanying legal risks - attached to this important work. This piece provides information on the major laws that affect psychologist participation in safety work and on the legal risk that safety data and information will be used inappropriately for sanction and suit rather than for patient safety activities.


Medical error is a mistake, inadvertent occurrence, or unintended event in health care delivery that may, or may not, result in patient injury.[5] Note that medical error does not include purposeful or reckless actions intended to harm the patient. This distinction is not merely academic: such actions represent only a small fraction of patient injuries, and they are malicious and volitional rather than medical error. Instead of focusing on bad actors, we are interested in the much more frequent problem of error by individuals who are trying to do the right thing but are working in systems where mistakes happen,[6] shifting the cultural and ethical paradigm to an emphasis on cooperative systems assessment.[7]

Deaths and injuries associated with medical error are widespread.[1] Estimates from the 1999 Institute of Medicine Report “To Err Is Human” indicate that roughly 270 deaths occur in U.S. hospitals each and every day, 365 days a year - more deaths than would result from a Boeing 757 or Airbus 320 jet crashing and killing every person aboard daily. From a public health perspective, this estimate represents more deaths annually than highway fatalities, breast cancer deaths, or AIDS deaths.[1] Furthermore, medical error has an incredibly high financial cost: between $17 and $29 billion annually, which does not include the roughly $8 to $9 billion spent on medical injury litigation and insurance.[1,8] Thus, medical error drains tremendous human and economic resources from society and represents a major societal issue for providers and patients alike in the health delivery system.


All humans err. Error occurs as part of the complex systems in which humans act to achieve high level social goals [9]; but “no matter how professional they might be, no matter their care and concern, humans can never outperform the system which bounds and constrains them.”[10]

Noted British psychologist James Reason has studied human error and identified its occurrence and the critical cognitive processes therein.[9] In general, errors arise from 2 primary sources: unintentional acts in routinized task performance, and mistakes in judgment or inadequate action plans. Humans are involved in this error-generating process through “active failures,” involving errors and rule violations, and “managerial” or “latent failures,” focusing upon organizational or systemic processes where the human operates. Latent failures, those intimately involved in the design and structure of complex systems, such as health care delivery, are considered to be the most dangerous failure types that lead to human error. In fact, latent failures are often unrecognized and remain in the system; this increases the potential for future adverse events because they predispose the system to failure. Latent failures are considered “accidents waiting to happen”; the human is “set up to fail” under these conditions.[6]

Complex systems have several layers of activity as well as defenses against the potential adverse consequences of error, each representing both an error source and a barrier to error progression to an adverse event. In Reason’s “Swiss-cheese” model of error, each layer of activity has holes, representing active and particularly latent failures within the system, and solid areas, representing barriers against the occurrence of adverse events associated with error. When the holes of failure in each layer of activity align, an error penetrates through the entire system resulting in an accident or adverse event.[9] Importantly, an error may penetrate all but a last barrier of the system; these situations are sometimes called “near misses” or “close calls” and, thankfully, are much more common and do not result in an adverse event while also providing important system information.

It should be emphasized that complex social systems, such as medicine, aviation, and nuclear power operations, have a high potential for error. These errors result from some common characteristics, for example: high-level technical requirements, the need for quick reaction times, 24-hour-a-day/7-day-a-week operations, team coordination, long hours, tradeoffs between service and safety, the fact that only a small fraction of errors leads to adverse events, and the fact that a single individual is not responsible for the entire system’s outcome.[9,10,11,12,13] Note that in contrast to traditional health care belief, health care delivery is a team effort, as are its outcomes. For example, in aviation, it is not the pilot alone who is responsible for getting passengers to the appropriate destination safely. The pilot, the flight attendants, the ground staff, the maintenance crew, and the air traffic controllers all are members of the aviation system, and each and every one of these aviation system members contributes to the flight’s outcome. Thus, from an error analysis and safety point of view, it is not the last person who touches the controls, or the last person who talks to or touches the patient, who is solely responsible for the final outcome; it is the system that is the necessary and appropriate focus.[5,6,14]

A systems approach has been successful in addressing error occurrence and its mitigation. The stages of this error reduction paradigm are in-process detection, system process change/design, and process reassessment. These stages loop continuously for each detected error and intervention. Two important illustrations of the success of this approach are the aviation and nuclear power industries; after instituting systems analysis and corrective action efforts, errors and accidents were reduced significantly while productivity substantially improved in both industries.[11]

The fundamental systems-based nature of error, and of its successful reduction and mitigation, clearly indicates that individually oriented, “shame-and-blame” mechanisms are antithetical to and ineffective in reducing error.[6,9,14] Because human error is inevitable, and it is not the last person who touches the controls or the patient who is responsible for the entire system outcome, shaming and blaming single individuals is highly counterproductive to improving system safety. Such actions only drive knowledge of error underground; they neither induce the individual to perform his or her best nor allow the system of which he or she is a part to perform its best.[5] Cooperative, nonthreatening, blame-free approaches encompassing the entire system and its members are the primary basis for effective error reduction.[11,15]

As may be discerned from the above, the first and fundamental step in promoting safety is to determine the epidemiology of error - where errors are occurring [11,16] - so that the active and particularly the latent failures within the system can be identified and these holes filled in.

The primary mode to identify such systems failures is through provider reporting; state, federal, and Joint Commission on Accreditation of Healthcare Organizations (JCAHO) requirements mandate the error reporting associated with adverse events as part of a larger safety effort, although these reporting mandates have been plagued by significant underreporting owing to legal concerns of the information’s use for nonsafety purposes.[1,17] The legal issues associated with such reporting are outlined below.


One tremendous barrier to effective patient safety work is the use of this safety information for an unintended purpose - plaintiff lawsuits. This information may most commonly be accessed for lawsuit purposes through the process of evidentiary discovery.

Discovery is a legal means whereby a party in a lawsuit may force another to produce evidence. The Federal Rules of Civil Procedure, which have been adopted by most of the state court systems in which patient injury suits are most often tried, allow discovery of virtually all information that is not protected by some specific evidentiary privilege. The scope of discovery is extremely broad: even information that is not admissible in court is discoverable as long as it is “reasonably calculated” to lead to the discovery of some admissible information.[18,19,20] There are discovery disclosure rules that require automatic production of “all documents, data compilations, and tangible things in the possession, custody, or control of the party that are relevant to the disputed facts,”[18] as well as court holdings that excluding evidence by means of privilege is to be discouraged.[21,22,23]

Thus, the general rule as applied to safety work is that virtually all information is discoverable unless protected by a specific legal privilege.


The baseline legal rule is that all information is generally subject to discovery unless the information is protected by some legal privilege. The major legal privileges often considered most “protective” include the state peer review/quality assurance (PR/QA) privilege and the attorney-client privilege. [24] Note there are significant weaknesses associated with both with regard to protection of medical error and patient safety information.


PR/QA privilege theoretically protects PR/QA committee quality assessments and reviews of provider activities from discovery. The rationale of the privilege is that full and honest assessments of clinical activities are produced in open, nonthreatening, cooperative environments where discussions are confidential.[25]

However, state-based peer review statutes are highly variable in coverage. Some state statutes cover only specific information, others cover different information; still others cover only information generated by particular providers such as hospitals while ignoring other provider forms such as managed care organizations and medical groups; and some statutes turn on the institutional provider’s for-profit or not-for-profit status.[20] As well, PR/QA privilege coverage is subject to significant interpretation by multiple courts within the same state and across states, which often makes the scope of protection difficult to determine. Moreover, the U.S. Supreme Court has been narrowing privilege application “in favor of full disclosure of relevant facts.”[26]

Under PR/QA privilege, then, there may be limited protections for safety efforts and information. In addition, although some statutes may protect some information generated by a PR/QA committee for safety purposes, these laws do not extend it to information from an original source; one cannot simply present information to a PR/QA committee to protect it from discovery. If that were the case, any sensitive information for any reason could be so presented.[19]

Further, even the broadest laws have generally held that the PR/QA privilege does not protect “administrative information,” such as incident and occurrence reports, investigation reports, documents in the possession of and information known to the hospital’s board and chief executive officer (CEO); information originating outside the PR process; personnel, administrative, and other hospital records; PR/QA proceeding effects; PR/QA information from other sources; documents created for rendering legal opinions; documents weighing liability risks; documents instituting corrective action; and, significantly, any information created in the normal course of business. [5,19,20]

PR/QA privilege also does not extend to non-health care provider information. For example, a third-party systems engineering firm or patient safety consulting group brought in to collect data on error, assist in systems analysis, and/or set up corrective action programs and procedures would not have PR/QA privilege extended to them.[5]

In this environment, safety information that results from participating in medical error reporting and analysis may be subject to significant legal discoverability risk, unprotected by PR/QA privilege.[27,28]

Further, even in the most protective of states, a legal nuance also applies: PR/QA privilege does not apply if a federal cause of action is attached to the medical liability claim and the case is brought in federal court. Because of its state law basis, PR/QA privilege is applicable in federal court only if the federal court chooses to adopt it for its proceedings. However, owing to the U.S. Supreme Court’s holdings that limit exclusionary privileges, federal courts have been almost entirely uniform in rejecting any peer review privilege claims based on state law.[19] Thus, if a medical malpractice claim is pleaded with a federal cause of action in federal court, the federal court generally rejects any evidentiary privilege claim, specifically PR/QA, thus allowing discovery of what otherwise could be protected under state PR/QA privilege.[19,20]

Making things worse, PR/QA privilege does not apply in the increasingly common criminal cases against providers. It also does not apply under the federal Health Care Quality Improvement Act, which provides qualified immunity to the participants of PR/QA, but not to the PR/QA materials themselves. [19] As well, the privilege does not apply to institutional review board (IRB) information provided under federal law or to information disclosed to an investigating state provider board.[19]

Even assuming the best of conditions - error and safety information are considered PR/QA materials, a balancing test for protection favors the entity,[11,18,19,20] no federal law is involved, it is not a criminal case, and there is no issue of IRB or state provider board activity - sensitive error and safety information may potentially be obtained through the general subpoena and testimony process. Although some (but not all) state peer review laws protect various participants from being called to testify, that protection is not extended to nonmembers of the PR/QA committee.[19] This lack of protection is particularly important for safety activities; there are a large number of persons who will need to participate to provide an adequate qualitative systems analysis of medical error and systems issues surrounding it. Therefore, persons present at the error’s occurrence, who have relevant information about an error, and who participate in its analysis through input outside the PR/QA committee forum, can be called to testify in a liability suit. These individuals may be questioned directly to ascertain each party’s knowledge of the event, the highly critical safety analysis and discussions of the event, and conversations between important groups in corrective action efforts. Hence, even within the most protective PR/QA statutes, the protected information may still be obtained for lawsuit purposes through the standard legal mechanism of subpoena and testimony. It should also be noted that providers may be obliged to testify regarding a patient’s injury in court even if a PR/QA committee has obtained this very same information from this provider at a PR/QA committee meeting.[19] As well, some courts have rejected plaintiff requests to break the PR/QA privilege because the same information may be elicited by the standard subpoena and testimony mechanisms.[20]


Like an analysis of PR/QA privilege, the limits of attorney-client privilege are important to consider when engaging in reporting and analyses of medical error. The theory behind attorney-client privilege is similar to that of PR/QA privilege: communication promotion. Attorney-client privilege exists to provide a safe environment where attorneys and clients may communicate openly and confidentially with each other all relevant information so that attorneys may protect clients’ rights in the best manner possible.[5] However, this privilege provides little in the way of protecting error-reduction and patient safety information.

First, error and safety information often must be disclosed to third parties, such as the state department of health under adverse event reporting statutes or JCAHO. Because this information has gone beyond the 2 parties within the privilege - attorney and client - and beyond the rationale of the privilege - promotion of communication for attorney advice - the privilege may be waived and the information deemed discoverable.[5,19] Second, error and safety information may be used by codefendants in their defense. For example, if a restraint injury occurs, members of the system - the hospital, evaluating providers, nurses, administration, and others - participate in reporting and analyzing the event from their diverse perspectives in order to understand its root causes and strategize for corrective action. During the patient injury lawsuit, these parties may want to introduce information gleaned from this error reporting and analysis into court to support their own defense, perhaps indicating the systems nature of the error and the varying factors that have been identified as leading to appropriate corrective action. Internal and external discussions on this basis will result in the information regarding the error being spread beyond any single client and attorney, placing this information beyond the protection of the attorney-client privilege and, thus, making it discoverable for lawsuit purposes.
But even if this information were within the attorney-client privilege up to this point, a dubious assumption at best,[11,20] disclosure of any of the error analysis by any of these parties in court or during any other process such as deposition as part of a defense would break the privilege, making the information discoverable.[5] Finally, and perhaps most damaging to safety efforts, if information regarding an error and safety analysis is discussed for any reason other than in preparation for litigation - for example, to improve safety and reduce medical error - the information will then be discoverable because it has gone beyond what is traditionally within the rationale of the privilege.[5]


Other mandates intersect with medical error reduction/mitigation activities. Most commonly, state adverse event reporting statutes require that medical errors resulting in specific adverse events, as defined by statute, be reported to a particular state agency,[1] and federal law, via JCAHO requirements, also mandates certain specific activities relating to patient safety.[19] These required activities create legal risks. Voluntary reporting systems also exist; they do create some risk, but because participation is not mandated, or because they focus on near-miss reporting, they are of less concern.


Roughly 1 to 2 dozen states require that adverse events associated with patient care be reported to a state agency, usually the state’s department of health or equivalent, often under quality of care regulations.[1,29]

Several legal risks are associated with reporting under state adverse event reporting statutes that may, unfortunately, result in the use of this information for sanction and lawsuit rather than being limited to intended safety purposes.

First, information submitted to the state under its reporting statute regarding an adverse event may be used by the state agency or department to sanction the provider, usually for poor quality of care.[30] Indeed, this information may be disclosed to the public by the state, depending on the specific provisions of the state statute.[30] Hence, even when providers are attempting to improve quality through an analysis of errors and reporting, the state may incorrectly believe that due to the presence of a medical accident, there exists poor quality of care at the reporting facility.

In addition, this information may be subject to legal discovery in a patient injury lawsuit. Documents indicating that an error and medical accident occurred, the type of patient who suffered this error, the potential causes of the error, and the supporting documentation involved in an adverse event report (such as incident and occurrence reports, patient charts, other medical records, and administrative information) would be highly likely to be considered relevant to a patient injury case, and could be “reasonably calculated” to lead to admissible information. Safety activities, and the information provided under state adverse event reporting statutes, are therefore at high risk of nonsafety disclosure and use.

As well, beyond issues of general discoverability, it is important to note that information and documents submitted under the state’s adverse event reporting statutes may be discoverable under the state’s freedom of information act. Unless protected by some specific legal privilege, provision of adverse event information to the state is equivalent to provision of this information to the citizens of that state, i.e., the public. Hence, it may be accessible by any member of the public through a freedom of information act request to the relevant agency. The state, on receipt of this request, may then be required to disclose this information to the requesting party even if the request is made to support a patient injury lawsuit rather than to improve quality of care.

It should be emphasized that PR/QA and attorney-client privileges would likely not be helpful for protecting this information under these circumstances. Adverse event information submitted under state adverse event reporting statutes could plausibly be considered administrative information; nonhospital information if others are involved in reporting, analyzing, and creating and implementing corrective action; information merely submitted to or shared with - not created by - the PR/QA committee; and, importantly, information created in the normal course of business owing to the state’s reporting mandate. Therefore, PR/QA privilege would appear inapplicable in efforts to protect this information. Further, this information may be shared with third parties - the appropriate state agency or department; may be used by codefendants in court for their defense; and, in particular, may be discussed in any manner other than in preparation for litigation - that is, for patient safety purposes. Thus, attorney-client privilege would also appear inapplicable in protecting state adverse event reports and information from nonsafety sanction and lawsuit uses.


Federal law requires that providers such as hospitals fulfill certain requirements, known as the Medicare Conditions of Participation, in order to serve Medicare beneficiaries and bill for these activities; similar state-based requirements apply to serving state Medicaid beneficiaries. JCAHO accreditation is “deemed” by statute to fulfill these requirements. Thus, the vast majority of hospitals in the United States seek JCAHO accreditation and must fulfill JCAHO requirements to serve and bill patients and their insurers. One key policy relating to patient safety and medical errors is the Sentinel Event Policy (SEP).

JCAHO implemented the SEP in 1995, with several updates since then, for all hospitals accredited by it.[31] The SEP requires [32] that certain adverse or “sentinel” events be reported to the JCAHO, that the hospital perform a highly self-critical, qualitative systems-based root cause analysis of these adverse events, develop a corrective action plan on the basis of this analysis, and submit this information to the JCAHO for its review and approval. Owing to the very critical nature of the analysis, this document and the supporting materials are highly sensitive and potentially damaging to the provider if inappropriately disclosed and/or used.

A sentinel event is defined in the SEP as “an unexpected occurrence involving death or severe physical or psychological injury, or the risk thereof,” including unanticipated death or major loss of function unrelated to the patient’s condition, patient suicide, wrong-sided surgery, infant abduction or discharge to the wrong family, rape, and hemolytic transfusion reactions involving major blood histocompatibility groups.[33] Clearly, any significant injury associated with patient care is contemplated by the policy.

In contrast with other error reporting systems, such as the Aviation Safety Reporting System (ASRS),[15,34] the SEP excludes “near miss” reporting.[35] This is lamentable, since it thus may not capture important facets of error[17,36] or promote the progress in, and participation in, safety activity that near misses make possible: they occur far more frequently than adverse events, they serve both as a systems analysis of failure holes and as a success strategy (the adverse event having been avoided), and system members are much more willing to participate in reporting, analysis, and corrective action when there is no patient injury - and no concomitant risk of lawsuit.[32,35] Although initially required, the JCAHO now officially only “encourages” sentinel event reports. However, mandated review of organizational responses to sentinel events remains a part of the standard JCAHO accreditation process,[33] and SEP activities are required if an event is discovered by the JCAHO.[32]

Once a sentinel event has been reported, the entity must perform a root cause analysis (RCA). An RCA is a detailed and thorough systems analysis by all appropriate members of the health care delivery system reviewing the entity’s alteration in performance that led to the sentinel event. As a part of the RCA, an “action plan” must be created addressing identified problems and system weaknesses. The RCA must be submitted to the JCAHO within 45 days of the event or of the organization’s learning of the event. If the report is not made, or the RCA is not acceptable to JCAHO, JCAHO may place the offending provider on Accreditation Watch. If, however, the organization does not report the event, and JCAHO discovers its occurrence through whatever means (e.g., the media, provider employees, the patient, or the patient’s family; these nonprovider reports represent a large bulk of JCAHO reports under the SEP[19]), the entity will be contacted and must submit an RCA under the same 45-day schedule. Ultimately, in these circumstances, the JCAHO may revoke the provider’s accreditation.[31] Note that if the JCAHO deems the reported or discovered event a “continuous threat to patient safety” with significant noncompliance with a JCAHO standard, it will immediately instigate an on-site sentinel event review and assessment.

Risks for inappropriate disclosure of SEP information are significant under the SEP. This is generally due to the policy of the JCAHO itself and to the legal rules that may not protect this safety information. Indeed, the American Society for Healthcare Risk Management characterized SEP-mandated materials a “lawsuit kit for attorneys.”[27,28] Thus, providers involved in patient safety activities must carefully review SEP requirements and thoroughly understand its legal risks.

The JCAHO may disclose to third parties, including the lay press, that the reporting entity is under sentinel event review. Furthermore, any disclosure of SEP information to third parties is under the control of the JCAHO, rather than the reporting entity.

Providers have shown great concern regarding reporting under the SEP. From an error-reduction perspective, it is important to note that JCAHO control of the disclosure of provider-supplied information and potential threats to accreditation are in direct opposition to the cooperative, nonthreatening, blame-free mechanism essential for reducing errors. Further, few errors associated with patient injury in hospitals have in fact been reported, even under the best of assumptions. [19,20]

Beyond the significant time constraints to complete an adequate RCA and the potential rejection by the JCAHO, the most important and obvious risk for the provider is legal discovery of sensitive SEP materials for use in a lawsuit. The general JCAHO expectation for providing the RCA to the JCAHO is for the entity to simply send a copy to the JCAHO using the traditional U.S. mail system. But owing to significant provider resistance to this default policy, centered on legal concerns, the JCAHO promulgated four alternatives.[37] Alternative 1 allows an entity employee to hand-deliver the RCA to JCAHO, where it will be reviewed and returned on the same day. Alternative 2 allows a JCAHO surveyor to come to the facility and conduct an on-site RCA review. Alternative 3 allows the entity to have a JCAHO surveyor conduct an on-site RCA review without viewing RCA documents; the surveyor conducts interviews and reviews “relevant documentation,” including “any documentation relevant to the organization’s process for responding to sentinel events, and the action plan resulting from the analysis of the subject sentinel event.”[33] Alternative 4, which attempts to address legal discovery directly, allows a JCAHO surveyor to conduct an on-site review through interviews and review of relevant documentation. No surveyor reference to the RCA or action plan is made, and the focus is on review of the entity’s analysis process. Alternative 4 is only available if the entity’s CEO affirms that state law indicates disclosure would waive material confidentiality.[11]

From a legal discoverability perspective, it is important to recognize that SEP materials, like state adverse event materials, may be considered, in whole or in part, administrative information, nonhospital information, information merely submitted to or shared with PR/QA committees rather than generated by them, and certainly information obtained in the normal course of business on the basis of JCAHO mandates; hence, the PR/QA privilege against discovery may be ineffective in protecting this information. Indeed, SEP information has been deemed discoverable in patient injury lawsuits.[38] Similarly, SEP materials may be shared with third parties (JCAHO and possibly the state under state adverse event reporting statutes), may be used by codefendants at trial in support of their defense in a patient injury suit, and certainly are discussed in a manner other than in preparation for litigation - for safety and error reduction. Hence, attorney-client privilege may have limited application to information mandated for creation under the SEP.


JCAHO in 2001 promulgated another medical error requirement that may subject providers to legal risk. Under hospital accreditation standard RI.2.90 [formerly RI 1.2.2]: “Patients and, when appropriate, their families are informed about the outcomes of care, including unanticipated outcomes.”[39] Providers under this standard have been mandated to “tell patients when they received substandard care.”[40] Providers have expressed significant concern regarding potential liability under this new policy and the unworkability of the standard. Key concerns include the fact that, substantively, every admission has unanticipated outcomes, that the standard will create awkwardness between hospitals and medical staffs, and that “the hospital, by definition, is now intruding into the patient-physician relationship if there is a [JCAHO] documentation process required” for these disclosures.[40] Because the standard may require disclosure of all “unanticipated outcomes” by any provider, provider practices may be subject to increased scrutiny by hospitals attempting to fulfill this JCAHO standard. Similarly, individual providers may respond with increased scrutiny of hospital functions and point to errors there to avoid sanction and suit, contravening the team effort necessary to improve safety and reduce/mitigate medical error. Thus, the standard may create conflicts between hospitals and the providers who work within them that may chill effective safety reporting and analysis within these delivery systems and lead to increased risks of litigation for both.



One practical concern for providers is the vagaries of medical liability insurance. Generally, within traditional liability policies, there exists a standard clause requiring the covered entity to immediately report any covered event and to make no statements or take no actions that would impede the insurer from defending the claim.[41] However, in a patient safety systems analysis, providers will obtain a report, act to interview all relevant parties, perform analysis to assess the root and system causes of the error, design corrective action strategies in response, and assess whether the new interventions have created any additional system weaknesses.[9,10,11,42] Any one of these appropriate actions may delay reporting and, perhaps more materially in terms of a breach of the insurance contract, create a legally discoverable, highly critical self-analysis. If this occurs, such as when an SEP document is found discoverable by a court in a patient injury lawsuit, as has occurred,[43] the provider has made statements and taken actions that would likely hinder the insurer from defending the claim. Thus, unaddressed medical error may result in lawsuits, but participation in error-reduction efforts may subject entities to lawsuits without liability insurance coverage.[5,19] This circumstance will be problematic owing to the source of the critical information - the provider himself, herself, or itself - and, hence, may be seen by juries as an admission of fault, especially in the context of the potential plaintiff jury bias that has been reported.[44]


Beyond state freedom of information acts, information may be subject to disclosure through the federal Freedom of Information Act (FOIA).[45] Federal regulation related to hospitals accredited by the JCAHO mandates that hospitals permit the JCAHO to release, both to the state and to the Centers for Medicare and Medicaid Services (CMS, formerly the Health Care Financing Administration [HCFA]), a copy of the most current accreditation survey. Such information could include anything related to the survey. Allowing CMS, as a public entity, access to the information may be problematic, because interested parties may potentially be able to obtain patient safety information in CMS’s hands via a FOIA request. Thus, even if a particular state’s PR/QA statute is protective of the information, and a court rules in favor of protection, it is feasible that a plaintiff could still obtain safety information through the FOIA-CMS mechanism.[19,41] It should be noted that although there are government exemptions to FOIA requests,[46] exemptions are construed narrowly by the U.S. Supreme Court[47] and have been largely unsuccessful when based on peer review status.[48,49]


An important set of rules that affects the patient safety effort beyond rules associated with litigation are the medical privacy provisions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[50]

HIPAA rules in this area, encompassing hundreds of pages of federal regulations, cover all identifiable patient health care information in any form - oral, written, or electronic - maintained or transmitted by “covered entities,”[51] including providers, healthcare clearinghouses, contractors, subcontractors, and health plans.[52]

The final rule requires significant administrative policies, physical safeguards, technical security services and mechanisms to be put into place by covered entities.[53] A privacy official or contact person must be designated by these entities to address complaints and provide privacy information, develop employee privacy training programs, implement “appropriate” systems against unauthorized access and mistaken misuse, create a mechanism of complaint for the entity’s privacy practices, and develop employee sanctions for violations of the rule and the covered entity’s privacy policies.[54]

Beyond the covered entities themselves, business associates of these entities are subject to the HIPAA privacy regulations, including: legal, actuarial, accounting, consulting, management, accreditation, data aggregation, and financial services contractors and any other entity that receives protected health information from, or performs a function or activity on behalf of, the covered entity.[55] Contracts between the parties must limit business associate use/disclosure of patient information to the parties specified and must require particular security, inspection, and reporting mechanisms by the business associates, as well as by subcontractors used by the business associates. Internal records must be made available to the Secretary of the Department of Health and Human Services, and all protected information must be returned or destroyed at the end of the contract period if practicable.[56] Note that covered entities may be responsible for rule violations by business associates if they have knowledge of the violations and fail to act.[57,58]

Patients have several specific rights. They may inspect their health care information, copy and amend it, authorize (or not authorize) its use, and receive formal accounting of how their information is used.[59] Covered entities have time limits to respond to requests for access, copying and inspection.[60]

If disclosure and use of medical information is allowed, the covered entity must have policies and procedures in place that limit disclosure to the “minimum necessary,” with a limited exception for treatment-related disclosures; i.e., only the information necessary to accomplish the purpose for which the information is used or disclosed may be released.[61]

The rule provides significant incentives for providers to err on the side of too little information use/disclosure rather than too much: criminal and civil sanctions. Civil monetary penalties of up to $25,000, and criminal penalties of imprisonment of up to 10 years and fines of up to $250,000 for each standard violation [62] may be imposed, with providers being subject to both for the same violation.[63] HIPAA is a federal law and represents a floor of protection for medical privacy; stricter state laws with their accompanying sanctions are not preempted.[64]

Originally, HIPAA required written patient “consent” for the use of identifiable patient information for all routine treatment, payment, and health care operations[65]; all other uses generally required specific and detailed written “authorizations.”[66] On August 14, 2002, the Department of Health and Human Services (DHHS) released modifications to the HIPAA privacy rule.[67] Of note, DHHS dropped the HIPAA consent requirement for treatment, payment, or health care operations, but does require covered entities to provide patients with notice of the patient’s privacy rights and the privacy practices and policies of the entity. The modified final rule also encourages providers to make a good faith effort to obtain patients’ written acknowledgement that they have received this notice. Authorization requirements remain.

Patient treatment cannot be based on whether a patient authorizes any requested disclosure. Further, authorizations must also be voluntary, specific as to the information to be disclosed, and revocable.[68] The minimum necessary rule will not apply for uses and/or disclosures that the patient has authorized, and this information is exempt from the accounting of uses/disclosures of patient information by the entity.

There are exceptions to the patient authorization requirements.[69,70] Authorization exceptions include health oversight activities, public health activities, and research; as well, law enforcement, legal proceedings, marketing, public safety and welfare circumstances, and listing in facility patient directories require no or limited patient approval.[71]

Note, however, that use or disclosure of patient information must be performed under the restrictions of the rule. Indeed, an entity cannot use or disclose information in any other forum, even one the rule defines as legal, if patient approval is given only for limited use or the covered entity has agreed to a particular limitation.[72]


It should be noted that providing patients a notice of provider privacy practices for routine treatment, payment, and healthcare operation activities does not allow providers to perform safety work under the “health care operations” provision. Although standard health care operations expressly include “quality assessment and improvement” activities within the regulations, the regulations expressly note that health care operations do not encompass studies that result in “generalizable knowledge.” Thus, patient safety efforts, which seek just that kind of knowledge, are excluded.[73]

In addition, authorization requirements may make obtaining safety information highly impractical. Administrative barriers abound. Simply obtaining authorization is highly costly.

For example, for valid HIPAA authorization, the regulations indicate that [74]:

If an authorization is requested by the covered entity for its own use or disclosure ... the covered entity must comply with the following requirements:

(1) Required elements. The authorization for the uses or disclosures must, in addition to meeting the requirements of paragraph (c) which includes a description of information to be used or disclosed that identifies the information in a specific and meaningful fashion; the name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure; the name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure; an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure; a statement of the patient’s right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization; a statement that the information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer protected by the rule; the signature of the patient and the date; and that the authorization request be written in plain language contain the following elements:

(i)...a statement that the covered entity will not condition treatment, payment, enrollment in the health plan, or eligibility of benefits on the individual’s providing authorization for the requested use or disclosure;

(ii) A description of each purpose of the requested use or disclosure;

(iii) A statement that the individual may:

(A) Inspect or copy the protected health information to be used or disclosed...

(B) Refuse to sign the authorization; and

(iv) If use or disclosure of the requested information will result in direct or indirect remuneration to the covered entity from a third party, a statement that such remuneration will result.

Because of the tremendous and broad array of information required to perform thorough systems-based assessments of a health care delivery system for safety purposes, specifying this extensive amount of information in an authorization form, even if it is known at the outset (which is unlikely), may make that document by necessity long, extensive, and expensive to create, and may in fact deter patients from considering a HIPAA authorization. Providers may be deterred by the effort and cost involved simply in creating such a document and requesting such authorization.

Further, there are no express provisions within the privacy rule taking into account the qualitative nature of patient safety activities.[38] This lack of express allowance for patient safety activities may deter organized, aggressive efforts within and across organizations to study medical error using their patient information.

As well, patient safety activities do not fit well within any of the three exceptions to patient authorization: health oversight activities, public health activities, and research. “Health oversight activities” appear substantively limited to assisting fraud and abuse reviews, licensure and disciplinary actions, and civil and criminal investigations, rather than quality of care and patient safety.[75] Furthermore, a “health oversight agency” in the regulations is limited to public governmental agencies or their contractees.[38,76]

Although it would seem logical that medical error reduction and patient safety promotion would be public health activities, the “public health activities” exception to HIPAA patient authorization does not apply to this work or to private entities. Instead, this exception is limited to the standard collection of traditional public health data by public health entities, represented by state and federal health departments and agencies and/or their grantees; i.e., it is limited to public entities, similar to the health oversight agency exception.[77] Any disclosure of protected health information regarding safety and adverse events is limited to oversight and reporting activities of the U.S. Food and Drug Administration.[78]

Research is the final exception to the patient authorization requirement.[79] Although potentially applicable to patient safety work, this exception appears to be more narrowly limited to research in the traditional clinical trials sense, since the rule consistently refers to clinical trials as the prototype for research,[80] rather than broad-based qualitative safety work that requires an extensive array of groups with administrative, clinical, human factors, cognitive psychology, ergonomics, legal, information systems, and other expertise assessing a similarly extensive array of factors, guided by deeper and deeper analysis of continuously identified systems factors, rather than distinct clinical characteristics or results.[38] There is, hence, some serious question as to whether the qualitative systems analysis of medical error falls within the rule’s definition of research, or at least how to adequately fit safety work into the research paradigm contemplated by the regulations.[38]

As well, the research exception requires that covered entities employ a set of waiver criteria through an IRB to determine whether patient authorization is not needed. However, the number of criteria to be fulfilled, the permissible alteration of such criteria, and the specifics by which to assess fulfillment of the regulatorily listed or altered criteria for IRB use are absent from the rule. Note also that research not requiring patient authorization may be approved through a “privacy board” rather than an IRB;[81] however, there is little guidance as to what, when, and how this board would function any differently from an IRB, the relationship this board would have to an IRB, the kinds of factors that would require assessment regarding the impact of the safety research on privacy, and how these factors would be applied to the relatively nontraditional methods (from a traditional clinical trials research perspective) of qualitative patient safety research.[38]

Note that research is subject to the minimum necessary standard as to the appropriate patient information to be disclosed for the work.[82] This leads to difficult issues for safety researchers: patient safety researchers often cannot determine ex ante the kinds of information needed to assess the specific health care delivery system appropriately - indeed, part of the exercise of safety work is to identify the kinds of information important to analyzing a particular system weakness. Although such a requirement may be potentially applicable to clinical trials research, it is virtually inapplicable to a full systems-based assessment for patient safety purposes.[83]

The privacy rule does outline two mechanisms by which a covered entity can demonstrate meeting the research exception: having a person with “appropriate knowledge and experience” in statistics indicate that “the risk is very small that the information could be used to identify the subject” and documenting this analysis; and, as a safe harbor, deidentification,[84] removing 19 patient identifiers from the patient’s records.[85]

Unfortunately, it is difficult if not impossible to determine “statistically” how a risk could be “very small” for “inappropriate use,” however defined. There simply is no precedent for such statistical analysis, and the regulations provide no examples or guidance on this analysis.

Furthermore, regarding deidentification, the removal of the factors to comply with the standard may eliminate the usefulness of the data generally.[38] In addition, within the safe harbor, one of the factors to be fulfilled is deidentification of “[a]ny other unique identifying number, characteristic, or code.”[86] [emphasis supplied] Yet adverse events per facility are rare; thus, a dramatic wrong-sided surgery or other adverse event would have to be excluded, the outcome itself, so as to fully deidentify the patient’s record, totally vitiating its usefulness for safety efforts. Importantly in terms of broad-based provider efforts, owing to their smaller patient base, this requirement to deidentify patient identifiers may, in suburban and rural communities, necessitate exclusion not only of the adverse event outcome but indeed of the patient’s diagnosis, making this health information useless not only for patient safety work but also for traditional clinical research.[38]

Finally, under a provision created by the August 14, 2002 amendments to the HIPAA rule, if researchers wish to create limited data sets (which cannot include direct patient-identifiable information), doing so is permitted and deemed research without the need for patient authorization or accounting. However, the privacy rule requires that disclosure of a covered entity’s limited data set to another party be accompanied by the execution of a “data use agreement.” This contractual mandate requires the receiving party to agree to limit use of the data set to the purpose for which it was given, ensure the security of the data therein, and not identify the information or use it to contact any individual. The creation of limited data sets must also fulfill the minimum necessary rule. These data sets may have little impact on safety efforts because of the minimal information that can be collected and included within them, in combination with the costs associated with executing yet another legal agreement before engaging in substantive patient safety analysis.
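The two deidentification problems raised above (the safe-harbor removals, and the way a rare outcome or a small patient base leaves a record unique anyway) can be seen concretely with a short check. The following Python sketch is an added illustration, not code from the article or from any HIPAA tooling: it applies a subset of the safe-harbor removals (names, record numbers, dates reduced to year, ages over 89 collapsed, ZIP codes reduced to a 3-digit prefix) to constructed sample records and then counts how many records share each combination of the fields that remain. The sample records, the field names, and the `restricted_zip3` parameter are assumptions of the example; it models only some of the listed identifier categories and is an educational check, not a compliance tool.

```python
from collections import Counter

# Constructed sample records for illustration only; no real patients.
# Every record is a cholecystitis admission; exactly one carries the kind of
# rare adverse outcome the article discusses.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "mrn": "MRN-0001", "dob": "1961-03-14",
     "zip": "92101", "admit_date": "2003-05-02", "sex": "F",
     "diagnosis": "cholecystitis", "adverse_event": None},
    {"name": "Bob Example", "mrn": "MRN-0002", "dob": "1958-11-30",
     "zip": "92101", "admit_date": "2003-05-09", "sex": "M",
     "diagnosis": "cholecystitis", "adverse_event": None},
    {"name": "Carol Example", "mrn": "MRN-0003", "dob": "1975-07-21",
     "zip": "92103", "admit_date": "2003-06-11", "sex": "F",
     "diagnosis": "cholecystitis", "adverse_event": None},
    {"name": "Dan Example", "mrn": "MRN-0004", "dob": "1949-01-05",
     "zip": "92103", "admit_date": "2003-06-18", "sex": "M",
     "diagnosis": "cholecystitis", "adverse_event": "wrong-sided surgery"},
    {"name": "Erin Example", "mrn": "MRN-0005", "dob": "1910-02-02",
     "zip": "92103", "admit_date": "2003-07-01", "sex": "M",
     "diagnosis": "cholecystitis", "adverse_event": None},
]

# Direct identifiers modelled here: names and medical record numbers are two
# of the safe-harbor categories; the real list is longer.
DIRECT_IDENTIFIERS = {"name", "mrn"}


def safe_harbor_deidentify(rec, restricted_zip3=frozenset()):
    """Return a copy of rec with the modelled safe-harbor removals applied.

    Assumes ISO 'YYYY-MM-DD' date strings and 5-digit ZIP strings.
    restricted_zip3 (an assumption of this example) holds 3-digit ZIP
    prefixes that must be reported as '000' because the area is too small.
    """
    out = {k: v for k, v in rec.items()
           if k not in DIRECT_IDENTIFIERS | {"dob", "zip", "admit_date"}}
    birth_year = int(rec["dob"][:4])
    admit_year = int(rec["admit_date"][:4])
    # Only the year of a date may remain, and ages over 89 are collapsed
    # into a single 90+ category (age here is a simple year difference).
    if admit_year - birth_year > 89:
        out["birth_year"] = None
        out["age_band"] = "90+"
    else:
        out["birth_year"] = str(birth_year)
        out["age_band"] = None
    out["admit_year"] = str(admit_year)
    zip3 = rec["zip"][:3]
    out["zip3"] = "000" if zip3 in restricted_zip3 else zip3
    return out


def class_sizes(records, quasi_identifiers):
    """Map each combination of quasi-identifier values to the number of
    records sharing it (the 'k' of k-anonymity)."""
    return dict(Counter(tuple(r[q] for q in quasi_identifiers) for r in records))


def singled_out(records, quasi_identifiers):
    """Return the records whose quasi-identifier combination is unique.

    A class of size 1 means the remaining fields alone pick out one patient,
    which is the 'other unique identifying characteristic' problem the
    article raises for rare adverse events and small patient bases."""
    sizes = class_sizes(records, quasi_identifiers)
    return [r for r in records
            if sizes[tuple(r[q] for q in quasi_identifiers)] == 1]


if __name__ == "__main__":
    deid = [safe_harbor_deidentify(r) for r in SAMPLE_RECORDS]
    base = ("zip3", "sex", "diagnosis")
    print("no record unique on", base, "->", singled_out(deid, base) == [])
    with_outcome = base + ("adverse_event",)
    for r in singled_out(deid, with_outcome):
        print("still unique once the outcome is kept:", r)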


Professional ethics demands we place the patient’s welfare first and foremost in our actions, and professional interest provides the impetus to improve health care knowledge and performance. Both of these goals are promoted by actively engaging in patient safety activities, including error reporting and its analysis. Indeed, psychologists have unique skills and training to improve how the delivery system functions, and hence have important competencies to bring to the safety effort.

However, important legal requirements and accompanying risks are associated with substantive engagement in safety work. Laws and policies interact with the legal discovery rules and the privilege against disclosure in ways that could result in medical error and safety materials being used and disclosed for sanction and lawsuit purposes rather than being limited to their intended use of promoting quality. Furthermore, federal privacy provisions may make participating in patient safety work highly problematic and may chill efforts to perform these activities.

But even under these difficult circumstances, engaging in safety work is possible with close attention to the legal issues associated with these activities. An understanding of the delineating factors represented by the legal risks can show the psychologist how best to participate in safety activities, and may provide him or her and legal counsel an opportunity to develop site-specific strategies that will protect this information from unintended, nonsafety use. These efforts will be intensive. However, when successful, participation may result in important, substantive knowledge and contributions to systems approaches that will promote safety continuously for all within the health care delivery system today and in the future. Such a result will fulfill both our professional ethics and our professional interests, for the benefit of patients and providers for generations to come.


Thanks to Shannon M. Biggs, JD, MA, M.Ed, for her insights and assistance with the manuscript.


Professor and Executive Director, Institute of Health Law Studies, California Western School of Law, San Diego, CA; Adjunct Associate Professor, Department of Anesthesiology, University of California San Diego School of Medicine; and Co-Investigator and Member, Executive Committee, San Diego Center for Patient Safety, VA Medical Center, University of California San Diego School of Medicine, San Diego, CA. Professor Liang received an MD from Columbia University College of Physicians & Surgeons, a PhD in Health Policy Studies from the Harris School of Public Policy Studies, University of Chicago; and a JD from Harvard Law School.


  1. Kohn LT, Corrigan JM, Donaldson MS (eds): To Err is Human: Building a Safer Health System. Washington, DC, National Academy of Sciences, 1999
  2. UK Department of Health: An Organization with a Memory: Report of an Expert Group on Learning from Adverse Events in the NHS. London, England, NHS, 2000
  3. Tito F: Compensation and Professional Indemnity in Health Care: Review of Professional Indemnity Arrangements for Health Care Professionals. Canberra, Australia, Commonwealth Dept of Human Services and Health, 1994
  4. Wilson LL: Quality management: Prevention is better than cure. Aust Clin Rev 13:75–82, 1993
  5. Liang BA: Special paper: A system of medical error disclosure. Qual Safety Health Care 11:64-68, 2002
  6. Leape LL: Error in medicine. JAMA 272:1851–1857, 1994
  7. Liang BA: A policy of system safety: Shifting the medical and legal paradigms to effectively address error in medicine. Harvard Health Pol’y Rev 5:6- 13, 2004
  8. Weiler PC: Medical Malpractice on Trial. Cambridge, MA, Harvard University Press, 1991
  9. Reason J: Human Error. New York, Cambridge University Press, 1990
  10. Maurino D, Reason J, Lee R: Beyond Aviation Human Factors. Aldershot, England: Avery Press, 1995
  11. Liang BA: Error in medicine: Legal impediments to U.S. reform. J Health Politics Pol’y Law 24:27–58, 1999
  12. Foushee HC, Helmreich RL: Group interaction and flight crew performance, in Wiener EL, Nagael DC (eds): Human Factors in Aviation. San Diego, Academic Press, 1988
  13. Lauber JK, Kayten PJ: Sleepiness, circadian dysrhythmia, and fatigue in transportation system accidents. Sleep 11:503–512, 1988
  14. Liang BA: Error disclosure for quality improvement: Authenticating a team of patients and providers to promote patient safety. In: Sharpe VA, ed. Accountability, Patient Safety and Policy Reform. Washington, DC: Georgetown University Press: In press, 2004
  15. Moore D: JCAHO urges “do tell” in sentinel event fight: Aviation’s lesson: Learn from experience. Mod Healthcare 60, 1998
  16. Lucas DA: Organizational aspects of near miss reporting, in van der Schaaf TW, Lucas DA, Hale AR (eds). Near Miss Reporting as a Safety Tool Oxford: Butterworth-Heinemann, 1991
  17. National Health Care Safety Council, National Patient Safety Foundation: A Tale of Two Stories: Contrasting Views of Patient Safety. Chicago: NPSF, 1998
  18. Federal Rules of Civil Procedure, Rule 26(b). Minneapolis, MN, West Pub, 2001
  19. Liang BA: Risks of reporting sentinel events. Health Aff 19(5):112–120, 2000
  20. Liang BA, Storti K: Creating problems as part of the “solution”: The JCAHO Sentinel Event Policy, legal issues, and patient safety. J Health Law 33:263–285, 2000
  21. University of Pennsylvania v EEOC, 493 US 192 (1990)
  22. Trammel v United States, 445 US 40 (1980)
  23. United States v Nixon, 418 US 683 (1974)
  24. Bressler HJ: Sentinel events and the JCAHO: The genesis of patient safety. Proceedings of Addressing the Medical, Legal, and Ethical Dilemmas in Modern Health Care, 39th Annual Conference of the American College of Legal Medicine, New Orleans, LA, March 11–13, 1999 (Milwaukee: ACLM, 1999)
  25. Scheutzow SO: State medical peer review: High cost but no benefit: Is it time for a change? Am J Law Med 25:7–60, 1999
  26. Cepelewicz BB, Dunn LJ, Feltch DM, et al: Recent developments in medicine and law. Tort Ins Law J 33:580–603, 1998
  27. American Society for Healthcare Risk Management: Position Statement and Recommendations: JCAHO Sentinel Event Reporting Program [March 3 1999]. Available at: Accessed April 3, 2000
  28. Medical Risk Management Associates: Conducting a cost-effective root cause analysis. Available at: Accessed April 3, 2000
  29. Adams D: Bills have been proposed in several states aimed at reducing medical errors and improving patient safety. Am Med News March 12, 2001
  30. Howley CJ: Error analysis and reduction, part I. Proceedings of Medical Errors and Quality Assurance: A Local, Regional and National Perspective, Grants Pass, OR, November 9–10, 2000, Medford, OR, Asante/Providence Health Care Systems, 8–26, 2000
  31. Joint Commission on Accreditation of Healthcare Organizations: Facts about the sentinel event policy. Available at: http:// Accessed April 9, 2003
  32. Liang BA: Other people’s money: A reply to the Joint Commission. J Health Law 33:657–664, 2000
  33. Joint Commission on Accreditation of Healthcare Organizations: Sentinel event policy and procedures. Available at: http:// Accessed April 9, 2001
  34. Dorheim MA: ASRS fights to curb dangerous trends. Aviation Week Space Technol 145:72, 1996
  35. Loeb JM: Sentinel events and root-cause analysis: A workshop by the Joint Commission. Proceedings of Enhancing Patient Safety and Reducing Errors in Health Care, November 8–10, 1998, Chicago, National Patient Safety Foundation, 1999
  36. Cooper J, Gaba D, Liang B, et al: Agenda for Research and Development in Patient Safety. Chicago, National Patient Safety Foundation, 2000
  37. Joint Commission on Accreditation of Healthcare Organizations: Joint Commission statement regarding the sentinel event policy. Available at: Accessed April 3, 2003
  38. Liang BA. The Adverse Event of Unaddressed Medical Error: Filling the Holes in the Legal and Health-Care Systems. J Law Med Ethics 29: 346-368, 2001
  39. Joint Commission on Accreditation of Healthcare Organizations: Revisions to Joint Commission Standards in Support of Patient Safety and Medical/Health Care Error Reduction. Available at: Accessed March 10, 2003
  40. Lovern B: JCAHO’s new tell-all: standards require that patients know about below-par care. Mod Healthcare January 1:2, 2001
  41. Rozovsky FA: The JCAHO sentinel event policy. Health Law Digest May:3–11, 1998
  42. Moray N: Error reduction as a systems problem, in Bogner MS (ed): Human Error in Medicine. Hillsdale: Lawrence Erlbaum Associates, 1994
  43. Liang BA, Small SD: Communicating about care: Addressing state-federal issues in peer review and mediation to promote patient safety. Houston J Health Law Pol’y , 3:219-64, 2003
  44. Liang BA. Layperson and physician perceptions of the malpractice system: Implications for patient safety. Soc Sci Med 57: 147-53, 2003
  45. 5 USC §552 (1999)
  46. 5 USC §§ 552(b)(4), 552(b)(6) (1999)
  47. Department of Interior v Klamath Water Users Protective Association, US, 121 SCt 1060 (2001)
  48. Washington Post Co v United States Department of Health and Human Services, 865 F2d 320, 324 (DC Cir 1989)
  49. Association for Women in Science v Califano, 566 F2d 339, 342 (DC Cir 1977)
  50. Health Insurance Portability and Accountability Act. Pub L No. 104–191 (1996)
  51. 45 CFR §§164.500, 164.501
  52. 45 CFR §§160.103, 160.105, 164.500
  53. 45 CFR §§164.524, 164.526, 164.528
  54. 45 CFR §164.530
  55. 45 CFR §§160.103, 164.502, 164.504
  56. 45 CFR §§164.504(c), 164.504(e)
  57. 65 Federal Register 82461, 82476 (December 28, 2000)
  58. 45 CFR §164.534
  59. 45 CFR §§164.524, 164.526, 164.528
  60. 45 CFR §§164.524, 164.526
  61. 45 CFR §§164.502, 164.514(d)
  62. Pub L No. 104-191, §262
  63. Liang BA: Health Law & Policy. Oxford, Butterworth-Heinemann, 2000
  64. 45 CFR §§160.201, 164.202, 164.203
  65. 45 CFR §164.506
  66. 45 CFR §§164.506, 164.508
  67. 67 Federal Register 53182 (August 14, 2002)
  68. 45 CFR §164.506(b)
  69. 45 CFR §164.512
  70. 45 CFR §§164.506(a), 164.512(j)
  71. 45 CFR §§164.510, 164.512(e), 164.512(f), 164.512(i)
  72. 45 CFR §164.522
  73. 65 Federal Register 82461, 82490, 82497 (December 28, 2000)
  74. 45 CFR §164.508(d)
  75. 45 CFR §164.512(d)
  76. 65 Federal Register 82461, 82491 (December 28, 2000)
  77. 45 CFR §§164.501, 164.512(b)
  78. 45 CFR §164.512(b)(iii)
  79. 45 CFR §512(i)
  80. 65 Federal Register 82461, 82516, 82518 (December 28, 2000)
  81. 45 CFR §164.512(i)
  82. 45 CFR §164.514
  83. 45 CFR §164.512(h)
  84. 45 CFR §164.514
  85. 65 Federal Register 82461, 82543 (December 28, 2000)
  86. 45 CFR §164.514(b)(2)(i)(R)