Last month, the Illinois Supreme Court interpreted the confidentiality provision of the Health Care Professional Credentials Data Collection Act, 410 ILCS 517/1 (“Credentials Act”), to require a hospital that is a defendant in a negligent credentialing lawsuit to turn over to the plaintiff unredacted credentialing forms filled out by the physician whose credentialing is at issue. In Klaine v. Southern Illinois Hospital Services, the court ruled that the confidentiality provision of the Credentials Act, 410 ILCS 517/15(h), does not make information created or exchanged under the Act privileged in a civil lawsuit. See 2016 IL 118217 (January 22, 2016). The court’s ruling clears a procedural roadblock for plaintiffs suing healthcare providers for the tort of negligent credentialing. The court’s ruling in Klaine may also have unintended consequences.
Background: The Credentials Act
Hospitals, surgical centers, clinics, healthcare groups, health plans, and other healthcare entities must verify the credentials of all physicians and other healthcare professionals who are applying for staff privileges. See 410 ILCS 517/15. The Credentials Act was enacted by the Illinois legislature in 1999 for the purpose of standardizing and regulating the collection of credentials data by health care providers to ensure that health care professionals’ qualifications are properly evaluated. See 410 ILCS 517/1; Davis v. Kewanee Hospital, 5 N.E.3d 1138 (2nd Dist. 2014). The Credentials Act created the Health Care Credentials Council, which collaborates with the Department of Public Health to create uniform credentialing and recredentialing forms for health care agencies and hospitals. See 410 ILCS 517/10, 15. Once completed, the forms contain all of the credentialing data that is necessary for a health care entity or hospital to credential or recredential a health care professional. See 410 ILCS 517/15(a)(3),(4). The uniform data credentials form is the only information under the Act that a health care entity or hospital must require of a physician who is applying for staff privileges. See 410 ILCS 517/15(a), (e); Davis, 5 N.E.3d 1138.
Hospitals, health care plans and health care entities must comply with the Act’s requirements. A “health care entity” includes:
(i) a health care facility or other health care organization licensed or certified to provide medical or health services in Illinois, other than a hospital;
(ii) a health care professional partnership, corporation, limited liability company, professional services corporation or group practice; or
(iii) an independent practice association or physician hospital organization.
Credentials Act, 410 ILCS 517/5. Once the credentials data is collected, it must be verified “in a timely fashion.” 410 ILCS 517/15(f). Once verification is complete, the health care entity or plan then has 60 days to complete the process of credentialing or recredentialing the health care professional. 410 ILCS 517/15(f).
The Tort of Negligent Credentialing
Illinois recently joined the list of states that recognizes the tort of negligent credentialing of physicians and other healthcare providers in a medical negligence claim. See Frigo v. Silver Cross Hospital and Medical Center, 377 Ill. App. 3d 43, 72 (1st Dist. 2007). In the Frigo case, the court recognized a cause of action for negligent credentialing for the first time in the state and laid out the requirements for a plaintiff to prove his or her claim: (1) that “the hospital failed to meet the standard of reasonable care in the selection of the physician it granted medical staff privileges to whose treatment provided the basis for the underlying medical malpractice claim”; (2) that the physician breached the applicable standard of care while practicing pursuant to the staff privileges granted; and (3) that negligent granting of medical staff privileges was a proximate cause of the plaintiff’s injuries. See Frigo, 377 Ill. App. 3d at 72. Expert testimony is required to prove the applicable standard of care and whether that standard was violated. See Frigo, 377 Ill. App. 3d at 72.
The Illinois Supreme Court’s Interpretation of the Credentials Act in Klaine
In Klaine, a man and his wife sued a colo-rectal surgeon and the surgeon’s practice group for negligence when a mis-incision was made during a gallbladder removal procedure on the man, causing a colon perforation and two additional procedures to resection the colon and create an ileostomy. See Klaine v. S. Ill. Hosp. Servs., 2014 IL App. 130356 (5th Dist. 2014). The procedure was performed at a hospital that had evaluated the surgeon’s credentials and granted him operating privileges. See Klaine, 2016 IL 118217. The plaintiff also sued the hospital for negligent credentialing.
During the discovery phase of the suit, the plaintiff’s attorney asked for the surgeon’s applications for staff privileges, but the hospital refused, arguing that credentialing documents are confidential and therefore privileged under the Credentials Act and the Medical Studies Act, 735 ILCS 5/8-2101. The trial court disagreed and ordered the hospital to turn over the surgeon’s applications.
On appeal, the appellate court affirmed the trial court’s holding, but modified the trial court’s holding by ordering that all references to an external peer review report be redacted, as well as all patient HIPAA information in the applications, but found that no HIPAA-protected information was present.
The Illinois Supreme Court agreed with the appellate court that the hospital must turn over the surgeon’s unredacted application forms and that no HIPAA information was present in the forms. Although the Credentials Act provides that all “credentials data collected or obtained by the hospital shall be confidential,” the court said that confidentiality and privilege are different concepts. See Klaine, 2016 IL 118217; 410 ILCS 517/15(h). The court noted that in other laws where the Illinois legislature intended to make information privileged, non-discoverable, or inadmissible, the legislature wrote into the law that the information was expressly “privileged” instead of simply labeling the information “confidential.” See Klaine, 2016 IL 118217.
In the Klaine case, attorneys for the hospital also argued that information in the applications that is reported to the National Practitioner Data Bank (“NPDB”) should be redacted because it is privileged under section 11137 of the Health Care Quality Improvement Act of 1986. 42 U.S.C. § 11137(a). The NPDB is a national data bank of information about medical professionals created under the Health Care Quality Improvement Act. See 42 U.S.C. § 11101. Generally, when a health care practitioner applies for a position on a hospital’s medical staff or for clinical privileges, the hospital must request information on the practitioner from the National Practitioner Data Bank (“NPDB”). See 45 C.F.R. § 60.17(a)(1). Hospitals must inquire from the NPDB every two years about any health care practitioner who is on its medical staff or has clinical privileges at the hospital. See 45 C.F.R. § 60.17(a)(2).
In Klaine, the Illinois Supreme Court disagreed with the hospital, holding that information required to be reported to NPDB pursuant to the Health Care Quality Improvement Act was not privileged from discovery in a negligent credentialing action. See Klaine, 2016 IL 118217.
Finally, the hospital argued that in turning over the hospital’s credentialing file, all references to medical care and treatment rendered to nonparty patients should be redacted. See Klaine, 2016 IL 118217. The Illinois Supreme Court refused the hospital’s request for a redaction because it found that the surgeon’s applications contained no individually identifiable health information and it was therefore was not protected by HIPAA. See Klaine, 2016 IL 118217; 45 C.F.R. § 164.102. The court also pointed out that HIPAA permits disclosure of protected health information for judicial and administrative hearings if there is a court order or a qualified protective order. See Klaine, 2016 IL 118217; 45 C.F.R. § 164.512.
Klaine is Consistent with Davis But May Have an Unintended Result
In addition to the Klaine case, there is another recent appellate case of interest to health care providers that impacts medical credentialing practices. Two years ago, an Illinois Court of Appeals bolstered the confidentiality of information collected and kept under the Credentials Act and the Medical Studies Act, 735 ILCS 5/8-2101. The appellate court upheld a hospital’s refusal to turn over credentialing documents to a physician who had been in contract negotiations with the hospital but whose employment was ultimately rejected. See Davis v. Kewanee Hosp., 2014 IL App (2d) 130304. The Davis court found that exceptions to the confidentiality provisions of the Credentials Act and the Medical Studies Act do not create a private cause of action that allows medical professionals to legally require hospitals, health care entities, and health care plans to turn over information. See Davis, 2014 IL App (2d) 130304. As a result, lawsuits by medical professionals to obtain credentialing records that are based solely on the Credentials Act or Medical Studies Act must be dismissed in the Second Appellate District of Illinois, which covers Du Page, Lake, Kane, McHenry, and Kendall Counties.
In Klaine, unlike in Davis, the plaintiff had a lawsuit pending and used the discovery process to gain access to credentialing information. Therefore, the Klaine and Davis cases are consistent rulings. However, one unintended consequence of Klaine and Davis may be that medical professionals who are investigating and evaluating whether to file suit for an employment claim, breach-of-contract claim, or other cause of action, will be encouraged to file suit in order to further their investigation by gaining access to a defendant health care provider’s credentialing file. This may provide medical professionals with incentive to file suit. Whether this happens or not remains to be seen, but the message to hospitals and health care entities from the courts in Klaine and Davis is clear: expect to turn over credentialing information in a lawsuit, but you are not required to turn over credentialing information to a medical professional who does not have a lawsuit pending.
Generally when a physician applies for a position on a hospital’s medical staff or for clinical privileges, the hospital collects the physician’s completed uniform data credentials form and submits to the hospital’s credentialing subcommittee. A credentialing subcommittee collects the form and materials and submits it to the hospital’s medical executive committee, which forms a recommendation for approval or denial of the physician’s application for credentialing or recredentialing. The medical executive committee sends its recommendation to the hospital board of trustees, which has the final say on whether the physician’s application for staff privileges will be granted. Hospitals are required to exercise reasonable care in the granting of medical staff privileges. See Frigo, 377 Ill. App. 3d at 72. “Reasonable care” means the degree of care, skill and judgment usually exercised under similar circumstances by the average hospital. See Frigo, 377 Ill. App. 3d at 72.
Health care entities other than hospitals often adopt similar internal credentialing procedures. One important difference, though is that once verification of the application form is complete, a health care entity or plan has only 60 days to complete the process of credentialing or recredentialing the physician. See Credentials Act, 410 ILCS 517/15(f). In addition to submitting the uniform data application, physicians should expect to sign a “Release of Liability and Practitioner’s Statements” so that the health care entity can obtain information to verify they physician’s representations about his or her competence and qualifications.
In the aftermath of the Klaine and Davis cases, health care providers and physicians alike should assume that the physician’s uniform data application will be disclosed in discovery in a lawsuit despite the Credentials Act. Physicians and health care providers should keep this in mind when completing and verifying the data in the application.