It is a phrase found in 19th century writings and 20th century movies, but most often on elementary-school playgrounds. When one kid asks another to reveal coveted information, he responds: “That’s for me to know and you to find out!” Perhaps it is time to bring that phrase into the 21st century world of the corporate attorney–client privilege—a world beset with information dissemination and concomitant privilege-waiver concerns.

We know that corporate entities can waive the privilege by disclosing privileged communications outside the organization. But less clear is whether and how corporate entities can waive the privilege by disseminating  privileged communication too widely within the organization.

In my Fall 2020 Privilege Place column (p.34) in Today’s General Counsel, I explore this phenomenon in some detail, focusing on courts’ “need to know” standard. When finished, perhaps you’ll be more inclined to tell employees asking for privileged information–“that’s for me to know and you to find out.”

A Pennsylvania appellate court rejected the federal healthcare work-product privilege for a hospital’s peer-review reports, including an event report and root cause analysis. Stating that “courts disfavor evidentiary privileges,” the court ordered production of these reports despite a lengthy affidavit from the hospital’s Director of Patient Services detailing the hospital’s relationship with a Patient Safety Organization and the origin and development of these reports. Ungurian v. Beyzman, 232 A.3d 786 (Pa. Super. Ct. 2020). You may read the opinion here.

Medical-Malpractice Action

Something allegedly went wrong during a cystoscopy procedure at Wilkes-Barre General Hospital on March 5, 2018. Following the procedure, a CRNA completed an event report relating to “Surgery, Treatment, Test, Invasive Procedure” in accordance with the hospital’s Event Reporting Policy. About six weeks later, the hospital’s Root Cause Analysis Committee prepared a (you guessed it) Root Cause Analysis Report about the March 5, 2018 procedure and event.

In the subsequent medical-malpractice action, the plaintiff moved to compel the Event Report and Root Cause Analysis Report. The hospital objected, in part, on grounds that the work-product privilege found in the federal Patient Safety Quality Improvement Act protected these reports from discovery.

PSQIA Privilege

The PSQIA, codified at 42 U.S.C. §§ 299b–21 to 299b–26, includes a work-product privilege at § 299b–22. This privilege, with limited exceptions, protects from disclosure in federal, state, or local civil, criminal, or administrative proceedings certain “patient safety work product.” The patient safety work product consists of “data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements.” But the privilege only protects this patient safety work product if it—

Is assembled or developed by a healthcare provider for reporting to a patient safety organization (PSO) and is reported to a PSO; or is developed by a PSO for the conduct of patient safety activities; and which could improve healthcare quality; or

Identifies or constitutes the deliberations or analysis of, or identify the fact of reporting pursuant to a patient safety evaluation system.

But just as the attorney-client privilege does not protect underlying facts, the PSQIA privilege does not protect underlying medical records and billing and discharge information.

Event Report and Root Cause Analysis

To support its PSQIA privilege assertion and protect the Event Report and Root Cause Analysis from discovery, the Wilkes-Barre General Hospital submitted a lengthy affidavit from its Director of Patient Safety Services. She declared that the hospital has maintained a relationship with CHS PSO, LLC, a patent safety organization, since 2012.

The hospital maintains a patient safety evaluation system—an internal process for collecting, maintaining, and analyzing peer-review type of information that the hospital may report to a PSO. It created the Event Report within this evaluation system, but not the Root Cause Analysis Report.

Event Report

The appellate court noticed something missing from the Patient Safety Director’s affidavit. The Court rejected the PSQIA privilege for the Event Report because there was no proof that the hospital actually submitted the report to its PSO. The Director of Patient Safety said that the hospital prepared the Event Report within its evaluation system for purposes of reporting to the PSO—which satisfied the privilege’s first element.

But she did not declare that the hospital submitted the Event Report to the PSO—which failed the privilege’s second element. The hospital stated in its appellate brief that it submitted the report to the PSO—but briefs and arguments are no substitute for evidentiary proof, the court said.

Root Cause Analysis Report

The Root Cause Analysis Report suffered a similar fate. The PSQIA privilege expressly applies to reports of an event’s “root cause analyses,” but only if a healthcare provider prepares the analysis for the purposes of reporting to, and actually reports to, a PSO. The Patient Safety Director testified that the hospital (1) prepared the analysis to evaluate the patient’s care and improve patient safety and the quality of care; (2) maintained the analysis within its event reporting system; and (3) submitted the analysis to its PSO.

So, doesn’t that fall within the privilege? The court said no because the Director did not specifically say that the Root Cause Analysis Committee prepared the analysis for purposes of reporting to the PSO—only that it maintained the report for reporting to the PSO. What’s the difference, you ask? The court did not elaborate.

And based on an email between the hospital’s Chief Quality Officer and a physician discussing the root cause analysis, the court found that the hospital failed to maintain the analysis within its patient safety evaluation system. Why did that matter? The court did not elaborate.

Will the Pennsylvania Supreme Court Elaborate?

Wilkes-Barre General Hospital filed a petition to appeal to the Pennsylvania Supreme Court on July 30, 2020. And the amici appear to be lining up to provide commentary. No surprise there. This will be interesting to follow.


Want to avoid producing privileged information in response to a document request, you say? Of course, you must have a solid, good-faith basis for asserting a privilege, but how does one procedurally challenge a document request on privilege grounds? A federal court recently reminded us that a motion for protective order is not the proper way for a discovery-responding party to obtain a privilege decision. But were there adverse consequences? RX Savings, LLC v. Besch, 2020 WL 5094686 (D. Kan. Aug. 28, 2020). You may read the decision here.

Do you have a Privilege Objection?

Before procedural etiquette matters, the discovery-responding party must determine whether an evidentiary privilege or non-disclosure doctrine protects putatively protected information from disclosure. If asserting the attorney–client privilege, the question is whether the information sought is a confidential communication between a client and its attorney made for legal-advice purposes with an intent that the communication remain confidential.

If asserting the work-product doctrine, then the question is whether the information is a document prepared in anticipation of litigation or for trial by or for another party or its representative, including its lawyer. And there are myriad other privileges, including a psychotherapist–patient privilege, bank-examination privilege, spousal privilege, clergy–communicant privilege, accountant–client privilege, and so on. But remember—rules of confidentiality are not evidentiary privileges.

Rule 34 Objections

If one of these privileges or non-disclosure doctrines covers requested information, then FRCP 34 (and its state-law equivalents) requires the responding party to state its objections “with specificity.” The rule also requires the party to identify whether it is withholding any documents on the basis of these objections. As now-retired Magistrate Judge Andrew Peck said in his “wake-up call,” “most lawyers who have not changed their ‘form file’” violate Rule 34. Fischer v. Forrest, 2017 WL 773694 (SDNY Feb. 28, 2017).

Privilege Log

FRCP 26(b)(5), adopted in 1993, requires a responding party to identify on a privilege log the documents it is withholding based on privilege-related objections. An objecting party’s log must provide sufficient information to enable its adversary to evaluate the applicability of the claimed privilege or protection.

A party may seek a protective order regarding the scope and detail of the privilege log if providing the information presents an “unreasonable burden.” But one should not confuse the ability to seek a protective order on privilege-log scope with a protective order to prevent disclosure of privileged information.  And parties should remember this adage:

Although the person from whom the discovery is sought decides whether to claim a privilege or protection, the court ultimately decides whether, if this claim is challenged, the privilege or protection applies.

FRCP 26 Advisory Committee Notes.

Motion to Compel

To start this privilege decision-making process, the party seeking the putatively privileged information must file a Rule 37(a)(1)(B)(iv) motion to compel.  Although the party seeking discovery files the motion, the party asserting the privilege or non-disclosure doctrine has the burden of proving the protection applies.

Motion for Protective Order

In RX Savings, the defendant properly filed a Rule 37 motion to compel seeking production of communications involving in-house counsel and a Board member that the plaintiff withheld as privileged. The plaintiff did not file a response to the motion.

Instead, the plaintiff filed a FRCP 26(c) motion for protective order. This rule simply provides that—

The court may, for good cause, issue an order to protect the party or person from annoyance, embarrassment, oppression, or undue burden or expense.

One of the enumerated remedies is “forbidding the disclosure or discovery.” But as the RX Savings court stated, “attorney-client privilege isn’t a proper ground for a protective order”:

Rule 26(c) does not provide for any type of order to protect a party from having to divulge privileged information or materials that are not calculated to lead to the discovery of admissible evidence.

Rather, the court noted, the “plaintiffs should have appropriately asserted their objections to the e-mails at issue through an opposition to the motion to compel.”

The court could have simply denied the protective-order motion on these grounds. And if so, it could have granted the motion to compel because the plaintiff never formally opposed it. But the court applied leniency and addressed the privilege objections on the merits.

And guess what? The plaintiff won with the court sustaining its privilege objections.

But think of the alternative outcome—the plaintiff, with clearly valid privilege objections, could have lost those objections because it filed a protective-order motion rather than following the process outlined above.