Reminder To Follow Confidentiality, Due Process When Conducting Peer Revew & Credentialing

Hospitals, physicians, health plans and others participating in credentialing and peer review activities need to use care to ensure that they and others involved in these matters understand and comply with the confidentiality requirements of the Health Care Quality Improvement Act and similar state laws.

Hospitals and their medical staffs, physician and other practice groups and other health care organizations commonly require or query the National Practitioner Data Bank (NPDB) established under HCQIA and other sensitive professional and personal when checking the backgrounds and credentials of physicians seeking admission to the medical staff, employment, staff privileges, participation in provider panels or other positions.  These health care organizations and providers also frequently may receive inquiries from other health care providers or organizations seeking information about a provider who is applying for admission, employment or other status.  Finally, medical staffs, practices and other health care organizations from time to time may conduct credentialing, peer review or other disciplinary activities, or quality assurance reviews that may involve the discussion of information about the conduct, quality, discipline or other credentials and qualifications of current or former physicians at their own or another health care organization.

The investigation or discipline of a physician and certain other information regarding potential performance or credentialing concerns about a physician or other health care worker often by necessity involves the receipt, sharing, or use of sensitive professional or personal information with credentialing, management, medical staff leadership or others involved in the investigation, review or process.  When participating in any of these activities, all parties involved in the activities or providing input or participation in their conduct need to understand and be required to comply fully with all applicable confidentiality and privacy requirements.   While participants in these processes often may feel great temptation to circumvent formal processes in the name of expediency, to share sensitive insight with special relationships or other inducements to cut corners on confidentiality, the participants in these activities and the organizations conducting the activities should take all necessary steps to ensure that the participants carefully comply with the confidentiality and privacy requirements and only obtain and share information as allowed by and in accordance with the procedures established by these rules.

The background check rules of the Fair Credit Reporting Act (FCRA) generally require that health care organizations, as well as other businesses, conducting background check or other investigations using third party data or investigators comply with the notice, consent and disclosures of the FCRA.  Parties requesting or providing information as part of a credentialing, peer review or other investigation should ensure that the necessary disclosures, notices and consents have been obtained before requesting or sharing information.  The fulfillment of these requirements should not be assumed as experience demonstrates that these requirements are commonly overlooked by many health care and other organizations engaged in these activities.

In addition to meeting the FCRA, HCQIA, most state peer review, and medical staff bylaws generally require that credentialing, peer review, quality assurance, and other performance and discipline activities be conducted in accordance with carefully prescribed rules, including specific requirements concerning the protection of the confidentiality of information about a provider.  While relatively rare, violation of HCQIA’s confidentiality rules can create significant liability.  For instance, after it self-disclosed conduct to the Department of Health & Human Services Office of Inspector General (OIG), The Queen’s Medical Center (QMC), Hawaii, agreed to pay $150,500 in civil money penalties for allegedly violating the NPDB in 2009.

Beyond the rare sanctions under HCQIA, failing to following the rules of HCQIA and state laws can undermine the defensibility of peer review and credentialing decisions by undermining the ability of participants in the process to rely upon the peer review privilege to protect deliberations and discussions conducted in connection with the peer review and credentialing process from discovery, as well as by providing evidence of bad faith, malice or other bad motivation or acts corrupted the process and determination.  Beyond hurting the defensibility of the credentialing and peer review process, violations of confidentiality or other procedures often also give rise to antitrust, defamation, invasion of privacy, tortious interferences, and other damage claims by physicians who feel their ability to practice and reputations have been injured by alleged improper conduct in connection with a peer review, credentialing or quality assurance process.

Beyond avoiding giving rise to claims by the targeted physician or other health care provider, all participants in these processes also need to use care to properly protect any individually identifiable patient information.  Records and information about a patient, his medical condition, payment history and other related patient data and information often involved in these activities typically qualifies as personal health information, the use, access, and disclosure of which is restricted by the Privacy Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and state common law, HIPAA and other medical records privacy and confidentiality laws.  In addition to the specific requirements of HIPAA and other medical information privacy laws, patient financial information and certain other sensitive information also may be protected by a broad range of federal and state laws protecting personal financial and other sensitive personal information, contractual rights created by privacy policies of the organizations involved or other laws.

Conducting proper credentialing, peer review and quality assurance activities is a critical aspect of the hiring and oversight of physicians and others providing care.  As important as these requirements are, health care providers and organizations participating in these activities need to remember that the physicians who are subjected to these requirements also enjoy confidentiality, due process and other legal protections, which can create significant liability when violated.  Consequently, health care organizations, physicians and members of management, and other staff and participants should use care to follow the proper procedures to ensure that physician rights to confidentiality, due process and other protections are honored as these activities are conducted.

Using care when discussing these concerns is equally important for a physician or other health care provider who is the subject of an investigation, credentialing, peer review, quality assurance or other activity.  While a physician whose personal or professional conduct or credentials are questioned understandably feels a strong urge to defend him or herself through a campaign of communication or other actions, physicians on the receiving end also need to follow the process and restrict their discussions.

Cynthia Marcotte Stamer, for additional information or representation.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help.

Board Certified in Labor & Employment Law, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters.

Throughout her career, Ms. Stamer has advised and represented health care providers and other health industry clients to establish and administer compliance and risk management policies and to respond to health care, human resources, tax, privacy, safety, antitrust, civil rights, and other laws as well as with internal investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns including a number of programs and publications on OCR Civil Rights rules and enforcement actions. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at


©2011 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.

[1] WHD’s announcement of the planned rule notes that this draft shared December 15 remains subject to change before formally published in the Federal Register

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: