Disclosure still could be an issue despite new options

New reporting options from the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) are a good step forward in the effort to prevent the disclosure of sensitive information through the accreditation process, says an attorney who is responding to the concerns of risk managers. But, she cautions, the two options may not work unless state laws already provide significant protection for such privileged information.

JCAHO recently announced two options designed to address legal disclosure concerns related to the Periodic Performance Review (PPR), which is an integral component of its new accreditation process that debuts in 2004. The PPR process requires each accredited organization to conduct a midcycle self-assessment against applicable JCAHO standards; develop a plan of action to address identified areas of noncompliance; and identify measures of success for validating resolution of the identified problem areas when the organization undergoes its complete on-site survey 18 months later.

Under the usual PPR process, organizations will be expected to share all of this information with the JCAHO at the midcycle point. JCAHO staff will work with the organization to refine its plan of action to assure that its corrective efforts are on target.

Risk managers and health care lawyers expressed concerns about the potential discoverability of PPR information, particularly where it is shared with the JCAHO, says Elizabeth Summy, executive director of the American Society for Healthcare Risk Management (ASHRM) in Chicago. Along with other health care groups, ASHRM has been communicating with JCAHO about the legal concerns raised by risk managers. As originally proposed, the plan would have forced health care providers to hand over protected information in a way that would make it available to the public and plaintiff’s attorneys, Ms. Summy says. The new options will help some providers avoid that risk, but they don’t solve the problem entirely, she says.

"It depends on what state they reside in as to what legal protections they have," Ms. Summy says. "These changes are a good positive step, but there will still be people who have a hard time using this tool because of their legal situation."

ASHRM plans to provide specific guidance on how to use the PPR process without putting an institution at risk, but Ms. Summy says that the best advice in the meantime is for risk managers to study the protections provided under their own state laws. "It’s a very complicated issue," she says. "To really understand it, you need to be an expert in 50 state statutes regarding protection of confidential information."

These are the two options recently offered by JCAHO:

Option 1 was designed to address "waiver of confidentiality" concerns that could arise if an organization shares sensitive performance information with the Joint Commission. Under Option 1, the organization performs the midcycle self-assessment, and develops the plan of action and measures of success. It then attests that it has completed the foregoing activities but has, for substantive reasons, been advised not to submit its self-assessment or plan of action to the Joint Commission. The provider does not submit. The organization may discuss standards-related issues with JCAHO staff without identifying its specific levels of standards compliance. It also provides its measures of success to the Joint Commission for assessment at the time of the complete on-site survey.

Option 2 has been designed to address concerns that the very requirement for a self-assessment at a specified point in time may create a vulnerability to discovery of the self-assessment findings and any related plan of action. Under Option 2, the organization need not conduct a midcycle self-assessment and develop a plan of action. It will undergo an on-site survey at the midpoint of the organization’s accreditation cycle. The survey will be approximately one-third the length of a typical full on-site survey. The organizations will be charged a fee to cover the costs of the survey. The provider develops and submits to JCAHO a plan of action to address any areas of noncompliance found during the on-site survey. JCAHO will work with the organization to refine its plan of action. The organization provides its measures of success to the Joint Commission for assessment at the time of the complete on-site survey.

Still working on more options

In announcing the new options, JCAHO president Dennis S. O’Leary, MD, said he believed most health care organizations will use the PPR process despite concerns about confidentiality. "However, these two constructive options should assuage legal concerns some organizations may have about sharing self-developed performance information with the Joint Commission," he said.

Mr. O’Leary also noted that JCAHO staff and legal counsel continue to work with risk managers and with lawyers from the American Hospital Association and state hospital associations to explore other potential options and to determine whether there are any additional steps that would help in addressing the legal concerns.

The options are welcomed as a sign that JCAHO is trying to address risk manager’s concerns, but they don’t go far enough, says Mary Marta, MSN, JD, attorney with Epstein Becker & Green in Washington, DC. Neither of the two options will alleviate the concerns of all risk managers, she says.

Some lawyers have concerns about the first option because some state laws have language stating that accreditation-related information can be requested or must go to a state regulatory agency. In those states, the information might still be accessible under Option 1 through state Freedom of Information laws.

"Option 2 allows the surveyors to come in and do a third of the standards at cost, which is still a substantial amount of money, and the issue is that everyone is seeing that as punitive," Ms. Marta says. "First, you don’t get as much information out of the process because you’re only doing a third of the standards. And second, you’re paying a hefty fee, and a lot of hospitals can’t afford that."

The second option was expected to help a lot of providers, but Ms. Marta says many analysts still see substantial risk. Some providers have suggested that they would be better off with something like the Option 4 that is available in JCAHO’s sentinel events policy.

That option, developed in response to concerns that the previous requirements for reporting sentinel events risked the disclosure of sensitive information, says that it can be used when "the organization affirms that it meets specified criteria respecting the risk of waiving legal protection for root-cause analysis information shared with the Joint Commission," an on-site visit will be used to conduct interviews and review relevant documentation to obtain information about the organization.

Ms. Marta says she is optimistic that JCAHO will offer better options soon, but in the meantime, she says risk managers must study their own state laws to see whether either of the current options will suffice. She cautions that understanding the applicable laws is a big task to undertake.

"Because the state laws are so varied, with some states having no protection and some having a lot, it’s very important for risk managers to take a look at not only their state regulatory scheme but also what state case law says," she says. "In South Carolina and New Jersey, for example, neither of these options seem like they will work at this time because those states offer so little protection."

[Contact JCAHO and Mr. O’Leary at (630) 792-5000; Ms. Summy at (312) 422-3980; and Ms. Marta at (202) 861-1885.]