[Federal Register: February 12, 2008 (Volume 73, Number 29)]
[Proposed Rules]
[Page 8111-8183]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr12fe08-8]
[[Page 8111]]
-----------------------------------------------------------------------
Part II
Department of Health and Human Services
-----------------------------------------------------------------------
42 CFR Part 3
Patient Safety and Quality Improvement; Proposed Rule
[[Page 8112]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
42 CFR Part 3
RIN 0919-AA01
Patient Safety and Quality Improvement
AGENCY: Agency for Healthcare Research and Quality, Office for Civil
Rights, HHS.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: This document proposes regulations to implement certain
aspects of the Patient Safety and Quality Improvement Act of 2005
(Patient Safety Act). The proposed regulations establish a framework by
which hospitals, doctors, and other health care providers may
voluntarily report information to Patient Safety Organizations (PSOs),
on a privileged and confidential basis, for analysis of patient safety
events. The proposed regulations also outline the requirements that
entities must meet to become PSOs and the processes for the Secretary
to review and accept certifications and to list PSOs.
In addition, the proposed regulation establishes the
confidentiality protections for the information that is assembled and
developed by providers and PSOs, termed ``patient safety work product''
by the Patient Safety Act, and the procedures for the imposition of
civil money penalties for the knowing or reckless impermissible
disclosure of patient safety work product.
DATES: Comments on the proposed rule will be considered if we receive
them at the appropriate address, as provided below, no later than April
14, 2008.
ADDRESSES: Interested persons are invited to submit written comments by
any of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Comments should include agency name and ``RIN 0919-AA01''.
Mail: Center for Quality Improvement and Patient Safety,
Attention: Patient Safety Act NPRM Comments, AHRQ, 540 Gaither Road,
Rockville, MD 20850.
Hand Delivery/Courier: Center for Quality Improvement and
Patient Safety, Attention: Patient Safety Act NPRM Comments, Agency for
Healthcare Research and Quality, 540 Gaither Road, Rockville, MD 20850.
Instructions: Because of staff and resource limitations, we cannot
accept comments by facsimile (FAX) transmission or electronic mail. For
detailed instructions on submitting comments and additional information
on the rulemaking process, see the ``Public Participation'' heading of
the SUPPLEMENTARY INFORMATION section of this document. Comments will
be available for public inspection at the AHRQ Information Resources
Center at the above-cited address between 8:30 a.m. and 5 p.m. Eastern
Time on federal business days (Monday through Friday).
FOR FURTHER INFORMATION CONTACT: Susan Grinder, Agency for Healthcare
Research and Quality, 540 Gaither Road, Rockville, MD 20850, (301) 427-
1111 or (866) 403-3697.
SUPPLEMENTARY INFORMATION:
Public Participation
We welcome comments from the public on all issues set forth in this
proposed rule to assist us in fully considering issues and developing
policies. You can assist us by referencing the RIN number (RIN: 0919-
0AA01) and by preceding your discussion of any particular provision
with a citation to the section of the proposed rule being discussed.
A. Inspection of Public Comments
All comments (electronic, mail, and hand delivery/courier) received
in a timely manner will be available for public inspection as they are
received, generally beginning approximately 6 weeks after publication
of this document, at the mail address provided above, Monday through
Friday of each week from 8:30 a.m. to 5 p.m. To schedule an appointment
to view public comments, call Susan Grinder, (301) 427-1111 or (866)
403-3697.
Comments submitted electronically will be available for viewing at
the Federal eRulemaking Portal.
B. Electronic Comments
We will consider all electronic comments that include the full
name, postal address, and affiliation (if applicable) of the sender and
are submitted through the Federal eRulemaking Portal identified in the
ADDRESSES section of this preamble. Copies of electronically submitted
comments will be available for public inspection as soon as practicable
at the address provided, and subject to the process described, in the
preceding paragraph.
C. Mailed Comments and Hand Delivered/Couriered Comments
Mailed comments may be subject to delivery delays due to security
procedures. Please allow sufficient time for mailed comments to be
timely received in the event of delivery delays. Comments mailed to the
address indicated for hand or courier delivery may be delayed and could
be considered late.
D. Copies
To order copies of the Federal Register containing this document,
send your request to: New Orders, Superintendent of Documents, P.O. Box
371954, Pittsburgh, PA 15250-7954. Specify the date of the issue
requested and enclose a check or money order payable to the
Superintendent of Documents, or enclose your Visa or Master Card number
and expiration date. Credit card orders can also be placed by calling
the order desk at (202) 512-1800 (or toll-free at 1-866-512-1800) or by
faxing to (202) 512-2250. The cost for each copy is $10. As an
alternative, you may view and photocopy the Federal Register document
at most libraries designated as Federal Depository Libraries and at
many other public and academic libraries throughout the country that
receive the Federal Register.
E. Electronic Access
This Federal Register document is available from the Federal
Register online database through GPO Access, a service of the U.S.
Government Printing Office. The Web site address is: http://www.gpoaccess.gov/nara/index.html.
This document is available
electronically at the following Web site of the Department of Health
and Human Services (HHS): http://www.ahrq.gov/.
F. Response to Comments
Because of the large number of public comments we normally receive
on Federal Register documents, we are not able to acknowledge or
respond to them individually. We will consider all comments we receive
in accordance with the methods described above and by the date
specified in the DATES section of this preamble. When we proceed with a
final rule, we will respond to comments in the preamble to that rule.
I. Background
A. Purpose and Basis
This proposed rule establishes the authorities, processes, and
rules necessary to implement the Patient Safety and Quality Improvement
Act of 2005 (Patient Safety Act), (Pub. L. 109-41), that amended the
Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new
sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.
Much of the impetus for this legislation can be traced to the
publication of the landmark report, ``To
[[Page 8113]]
Err Is Human'' \1\, by the Institute of Medicine in 1999 (Report). The
Report cited studies that found that at least 44,000 people and
potentially as many as 98,000 people die in U.S. hospitals each year as
a result of preventable medical errors.\2\ Based on these studies and
others, the Report estimated that the total national costs of
preventable adverse events, including lost income, lost household
productivity, permanent and temporary disability, and health care costs
to be between $17 billion and $29 billion, of which health care costs
represent one-half.\3\ One of the main conclusions was that the
majority of medical errors do not result from individual recklessness
or the actions of a particular group; rather, most errors are caused by
faulty systems, processes, and conditions that lead people to make
mistakes or fail to prevent adverse events.\4\ Thus, the Report
recommended mistakes can best be prevented by designing the health care
system at all levels to improve safety--making it harder to do
something wrong and easier to do something right.\5\
---------------------------------------------------------------------------
\1\ Institute of Medicine, ``To Err is Human: Building a Safer
Health System'', 1999.
\2\ Id. at 31.
\3\ Id. at 42.
\4\ Id. at 49-66.
\5\ Id.
---------------------------------------------------------------------------
As compared to other high-risk industries, the health care system
is behind in its attention to ensuring basic safety.\6\ The reasons for
this lag are complex and varied. Providers are often reluctant to
participate in quality review activities for fear of liability,
professional sanctions, or injury to their reputations. Traditional
state-based legal protections for such health care quality improvement
activities, collectively known as peer review protections, are limited
in scope: They do not exist in all States; typically they only apply to
peer review in hospitals and do not cover other health care settings,
and seldom enable health care systems to pool data or share experience
between facilities. If peer review protected information is transmitted
outside an individual hospital, the peer review privilege for that
information is generally considered to be waived. This limits the
potential for aggregation of a sufficient number of patient safety
events to permit the identification of patterns that could suggest the
underlying causes of risks and hazards that then can be used to improve
patient safety.
---------------------------------------------------------------------------
\6\ Id. at 75.
---------------------------------------------------------------------------
The Report outlined a comprehensive strategy to improve patient
safety by which public officials, health care providers, industry, and
consumers could reduce preventable medical errors. The Report
recommended that, in order to reduce medical errors appreciably in the
U.S., a balance be struck between regulatory and market-based
initiatives and between the roles of professionals and organizations.
It recognized a need to enhance knowledge and tools to improve patient
safety and break down legal and cultural barriers that impede such
improvement.
Drawing upon the broad framework advanced by the Institute of
Medicine, the Patient Safety Act specifically addresses a number of
these long-recognized impediments to improving the quality, safety, and
outcomes of health care services. For that reason, implementation of
this proposed rule can be expected to accelerate the development of
new, voluntary, provider-driven opportunities for improvement, increase
the willingness of health care providers to participate in such
efforts, and, most notably, set the stage for breakthroughs in our
understanding of how best to improve patient safety.
These outcomes will be advanced, in large measure, through
implementation of this proposed rule of strong Federal confidentiality
and privilege protections for information that is patient safety work
product under the Patient Safety Act. For the first time, there will
now be a uniform set of Federal protections that will be available in
all states and U.S. territories and that extend to all health care
practitioners and institutional providers. These protections will
enable all health care providers, including multi-facility health care
systems, to share data within a protected legal environment, both
within and across states, without the threat of information being used
against the subject providers.
Pursuant to the Patient Safety Act, this proposed rule will also
encourage the formation of new organizations with expertise in patient
safety, known as patient safety organizations (PSOs), which can provide
confidential, expert advice to health care providers in the analysis of
patient safety events.\7\ The confidentiality and privilege protections
of this statute attach to ``patient safety work product.'' This term as
defined in the Patient Safety Act and this proposed rule means that
patient safety information that is collected or developed by a provider
and reported to a PSO, or that is developed by a PSO when conducting
defined ``patient safety activities,'' or that reveals the
deliberations of a provider or PSO within a patient safety evaluation
system is protected. Thus, the proposed rule will enable health care
providers to protect their internal deliberations and analysis of
patient safety information because this type of information is patient
safety work product.
---------------------------------------------------------------------------
\7\ As we use the term, patient safety event means an incident
that occurred during the delivery of a health care service and that
harmed, or could have resulted in harm to, a patient. A patient
safety event may include an error of omission or commission,
mistake, or malfunction in a patient care process; it may also
involve an input to such process (such as a drug or device) or the
environment in which such process occurs. Our use of the term
patient safety event in place of the more limited concept of medical
error to describe the work that providers and PSOs may undertake
reflects the evolution in the field of patient safety. It is
increasingly recognized that important insights can be derived from
the study of patient care processes and their organizational context
and environment in order to prevent harm to patients. We note that
patient safety in the context of this term also encompasses the
safety of a person who is a subject in a research study conducted by
a health care provider. In addition, the flexible concept of a
patient safety event is applicable in any setting in which health
care is delivered: A health care facility that is mobile (e.g.,
ambulance), fixed and free-standing (e.g., hospital), attached to
another entity (e.g., school clinic), as well as the patient's home
or workplace, whether or not a health care provider is physically
present.
---------------------------------------------------------------------------
The statute and the proposed rule seek to ensure that the
confidentiality provisions (as defined in these proposed regulations)
will be taken seriously by making breaches of the protections
potentially subject to a civil money penalty of up to $10,000. The
combination of strong Federal protections for patient safety work
product and the potential penalties for violation of these protections
should give providers the assurances they need to participate in
patient safety improvement initiatives and should spur the growth of
such initiatives.
Patient safety experts have long recognized that the underlying
causes of risks and hazards in patient care can best be recognized
through the aggregation of significant numbers of individual events; in
some cases, it may require the aggregation of thousands of individual
patient safety events before underlying patterns are apparent. It is
hoped that this proposed rule will foster routine reporting to PSOs of
data on patient safety events in sufficient numbers for valid and
reliable analyses. Analysis of such large volumes of patient safety
events is expected to significantly advance our understanding of the
patterns and commonalities in the underlying causes of risks and
hazards in the delivery of patient care. These insights should enable
providers to more effectively and efficiently target their efforts to
improve patient safety.
We recognize that risks and hazards can occur in a variety of
environments, such as inpatient, outpatient, long-term
[[Page 8114]]
care, rehabilitation, research, or other health care settings. In many
of these settings, patient safety analysis is a nascent enterprise that
will benefit significantly from the routine, voluntary reporting and
analysis of patient safety events. Accordingly, we strive in the
proposed rule to avoid imposing limitations that might preclude
innovative approaches to the identification of, and elimination of,
risks and hazards in specific settings for the delivery of care,
specific health care specialties, or in research settings. We defer to
those creating PSOs and the health care providers that enter ongoing
relationships with them to determine the scope of patient safety events
that will be addressed.
Finally, we note that the statute is quite specific that these
protections do not relieve a provider from its obligation to comply
with other legal, regulatory, accreditation, licensure, or other
accountability requirements that it would otherwise need to meet. The
fact that information is collected, developed, or analyzed under the
protections of the Patient Safety Act does not shield a provider from
needing to undertake similar activities, if applicable, outside the
ambit of the statute, so that the provider can meet its obligations
with non-patient safety work product. The Patient Safety Act, while
precluding other organizations and entities from requiring providers to
provide them with patient safety work product, recognizes that the data
underlying patient safety work product remains available in most
instances for the providers to meet these other information
requirements.
In summary, this proposed rule implements the Patient Safety Act
and facilitates its goals by allowing the health care industry
voluntarily to avail itself of this framework in the best manner it
determines feasible. At the same time, it seeks to ensure that those
who do avail themselves of this framework will be afforded the legal
protections that Congress intended and that anyone who breaches those
protections will be penalized commensurately with the violation.
B. Listening Sessions
We held three listening sessions for the general public (March 8,
13, and 16, 2006) which helped us better understand the thinking and
plans of interested parties, including providers considering the use of
PSO services and entities that anticipate establishing PSOs. As stated
in the Federal Register notice 71 FR 37 (February 24, 2006) that
announced the listening sessions, we do not regard the presentations or
comments made at these sessions as formal comments and, therefore, they
are not discussed in this document.
C. Comment Period
The comment period is sixty (60) days following the publication of
the proposed rule.
II. Overview of Proposed Rule
We are proposing a new Part 3 to Title 42 of the Code of Federal
Regulations to implement the Patient Safety Act. As described above,
the Patient Safety Act is an attempt to address the barriers to patient
safety and health care quality improvement activities in the U.S. In
implementing the Patient Safety Act, this proposed rule encourages the
development of provider-driven, voluntary opportunities for improving
patient safety; this initiative is neither funded, nor controlled by
the Federal Government.
Under the proposal, a variety of types of organizations--public,
private, for-profit, and not-for-profit--can become PSOs, and offer
their consultative expertise to providers regarding patient safety
events and quality improvement initiatives. There will be a process for
certification and listing of PSOs, which will be implemented by the
Agency for Healthcare Research and Quality (AHRQ), and providers can
work voluntarily with PSOs to obtain confidential, expert advice in
analyzing the patient safety event and other information they collect
or develop at their offices, facilities, or institutions. PSOs may also
provide feedback and recommendations regarding effective strategies to
improve patient safety as well as proven approaches for implementation
of such strategies. In addition, to encourage providers to undertake
patient safety activities, the regulation is very specific that patient
safety work product is subject to confidentiality and privilege
protections, and persons that breach the confidentiality provisions may
be subject to a $10,000 civil money penalty, to be enforced by the
Office for Civil Rights (OCR).
The provisions of this proposed rule greatly expand the potential
for participation in patient safety activities. The proposal, among
other things, enables providers across the health care industry to
report information to a PSO and obtain the benefit of these new
confidentiality and privilege protections. This proposal minimizes the
barriers to entry for listing as a PSO by creating a review process
that is both simple and efficient. As a result, we expect a broad range
of organizations to seek listing by the Secretary as PSOs. Listing will
not entitle these entities to Federal funding or subsidies, but it will
enable these PSOs to offer individual and institutional providers the
benefits of review and analysis of patient safety work product that is
protected by strong Federal confidentiality and privilege protections.
Our proposed regulation will enable and assist data aggregation by
PSOs to leverage the possibility of learning from numerous patient
safety events across the health care system and to facilitate the
identification and correction of systemic and other errors. For
example, PSOs are required to seek contracts with multiple providers,
and proposed Subpart C permits them, with certain limitations, to
aggregate patient safety work product from their multiple clients and
with other PSOs. In addition, the Secretary will implement other
provisions of the Patient Safety Act that, independent of this proposed
rule, require the Secretary to facilitate the development of a network
of patient safety databases for the aggregation of nonidentifiable
patient safety work product and the development of consistent
definitions and common formats for collecting and reporting patient
safety work product. These measures will facilitate a new level of data
aggregation that patient safety experts deem essential to maximize the
benefits of the Patient Safety Act.
The Patient Safety Act gives considerable attention to the
relationship between it and the Standards for the Privacy of
Individually Identifiable Health Information under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA Privacy Rule). We
caution that the opportunity for a provider to report identifiable
patient safety work product to a PSO does not relieve a provider that
is a HIPAA covered entity of its obligations under the HIPAA Privacy
Rule. In fact, the Patient Safety Act indicates that PSOs are deemed to
be business associates of providers that are HIPAA covered entities.
Thus, providers who are HIPAA covered entities will need to enter into
business associate agreements with PSOs in accordance with their HIPAA
Privacy Rule obligations. If such a provider also chooses to enter a
PSO contract, we believe that such contracts could be entered into
simultaneously as an agreement for the conduct of patient safety
activities. However, the Patient Safety Act does not require a provider
to enter a contract with a PSO to receive the protections of the
Patient Safety Act.
Proposed Subpart A, General Provisions, sets forth the purpose of
the provisions and the definitions
[[Page 8115]]
applicable to the subparts that follow. Proposed Subpart B, PSO
Requirements and Agency Procedures, sets forth the requirements for
PSOs and describes how the Secretary will review, accept, revoke, and
deny certifications for listing and continued listing of entities as
PSOs and other required submissions. Proposed Subpart C,
Confidentiality and Privilege Protections of Patient Safety Work
Product, describes the provisions that relate to the confidentiality
protections and permissible disclosure exceptions for patient safety
work product. Proposed Subpart D, Enforcement Program, includes
provisions that relate to activities for determining compliance, such
as investigations of and cooperation by providers, PSOs, and others;
the imposition of civil money penalties; and hearing procedures.
III. Section by Section Description of the Proposed Rule
A. Subpart A--General Provision
1. Proposed Sec. 3.10--Purpose
The purpose of this proposed Part is to implement the Patient
Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which
amended the Public Health Service Act (42 U.S.C. 299 et seq.) by
inserting new sections 921 through 926, 42 U.S.C. 299b-21 through 299b-
26.
2. Proposed Sec. 3.20--Definitions
Section 921 of the Public Health Service Act, 42 U.S.C. 299b-21,
defines several terms, and our proposed rules would, for the most part,
restate the law. In some instances, we propose to clarify definitions
to fit within the proposed framework. We also propose some new
definitions for convenience and to clarify the application and
operation of this proposed rule. Moreover, we reference terms defined
under the HIPAA Privacy Rule for ease of interpretation and
consistency, given the overlap between the Patient Safety Act
protections of patient-identifiable patient safety work product
(discussed below) and the HIPAA Privacy Rule.
Proposed Sec. 3.20 would establish the basic definitions
applicable to this proposed rule, as follows:
AHRQ stands for the Agency for Healthcare Research and Quality in
the U.S. Department of Health and Human Services (HHS). This definition
is added for convenience.
ALJ stands for an Administrative Law Judge at HHS. This definition
is added for convenience in describing the process for appealing civil
money penalty determinations.
Board would mean the members of the HHS Departmental Appeals Board.
This definition is added for convenience in providing for appeals of
civil money penalty determinations.
Bona fide contract would mean (a) a written contract between a
provider and a PSO that is executed in good faith by officials
authorized to execute such contract; or (b) a written agreement (such
as a memorandum of understanding or equivalent recording of mutual
commitments) between a Federal, State, local, or Tribal provider and a
Federal, State, local, or Tribal PSO that is executed in good faith by
officials authorized to execute such agreement.
In addition to the primary interpretation of an enforceable
contract under applicable law as proposed under paragraph (a) of this
definition, we propose to make the scope of the term broad enough to
encompass agreements between health care providers and PSOs that are
components of Federal, State, local or Tribal governments or government
agencies. Such entities could clearly perform the same data collection
and analytic functions as performed by other providers and PSOs that
the Patient Safety Act seeks to foster. Thus, paragraph (b) of the
definition recognizes that certain government entities may not enter a
formal contract with each other, but may only make a commitment with
other agencies through the mechanism of some other type of agreement.
We note that proposed Sec. 3.102(a)(2) incorporates the statutory
restriction that a health insurance issuer and a component of a health
insurance issuer may not become a PSO. That section also proposes to
prohibit the listing of public and private entities that conduct
regulatory oversight of health care providers, including accreditation
and licensure.
Complainant would mean a person who files a complaint with the
Secretary pursuant to proposed Sec. 3.306.
Component Organization would mean an entity that is either: (a) A
unit or division of a corporate organization or of a multi-
organizational enterprise; or (b) a separate organization, whether
incorporated or not, that is owned, managed or controlled by one or
more other organizations (i.e., its parent organization(s)). We discuss
our preliminary interpretation of the terms ``owned,'' ``managed,'' or
``controlled'' in the definition of parent organization. Multi-
organizational enterprise, as used here, means a common business or
professional undertaking in which multiple entities participate as well
as governmental agencies or Tribal entities in which there are multiple
components.\8\
---------------------------------------------------------------------------
\8\ The concept of multi-organizational enterprise as used in
this regulation, in case law, and in a legal reference works such as
Blumberg on Corporate Groups, Sec. 6.04 (2d ed. 2007 Supplement)
refers to multi-organizational undertakings with separate
corporations or organizations that are integrated in a common
business activity. The component entities are often, but not
necessarily, characterized by interdependence and some form of
common control, typically by agreement. Blumberg notes that health
care providers increasingly are integrated in various forms of
multi-organizational enterprises.
---------------------------------------------------------------------------
We anticipate that PSOs may be established by a wide array of
health-related organizations and quality improvement enterprises,
including hospitals, nursing homes and health care provider systems,
health care professional societies, academic and commercial research
organizations, Federal, State, local, and Tribal governmental units
that are not subject to the proposed restriction on listing in proposed
Sec. 3.102(a)(2), as well as joint undertakings by combinations of
such organizations. One effect of defining component organization as we
propose is that, pursuant to section 924 of the Patient Safety Act, 42
U.S.C. 299b-24, all applicant PSOs that fall within the scope of the
definition of component organization must certify to the separation of
confidential patient safety work product and staff from the rest of any
organization or multi-organizational enterprise of which they (in the
conduct of their work) are a part. Component organizations must also
certify that their stated mission can be accomplished without
conflicting with the rest of their parent organization(s).
A subsidiary corporation may, in certain circumstances, be viewed
as part of a multi-organizational enterprise with its parent
corporation and would be so regarded under the proposed regulation.
Thus, an entity, such as a PSO that is set up as a subsidiary by a
hospital chain, would be considered a component of the corporate chain
and a component PSO for purposes of this proposed rule. Considering a
subsidiary of a corporation to be a ``component'' of its parent
organization may seem contrary to the generally understood separateness
of a subsidiary in its corporate relationship with its parent.\9\
[[Page 8116]]
That is, where two corporate entities are legally separate, one entity
would ordinarily not be considered a component of the other entity,
even when that other entity has a controlling interest or exercises
some management control. However, we have preliminarily determined that
viewing a subsidiary entity that seeks to be a PSO as a component of
its parent organization(s) would be consistent with the objectives of
the section on certifications required of component organizations in
the Patient Safety Act and appears to be consistent with trends in the
law discussed below. We invite comment on our interpretation.
---------------------------------------------------------------------------
\9\ Corporations are certain types of organizations that are
given legal independence and rights, (e.g. the right to litigate).
Subsidiary corporations are corporations in which a majority of the
shares are owned by another corporation, known as a parent
corporation. Thus, subsidiaries are independent corporate entities
in a formal legal sense, yet, at the same time, they are controlled,
to some degree, by their parent by virtue of stock ownership and
control. Both corporations and subsidiaries are legal constructs
designed to foster investment and commerce by limiting
entrepreneurial risks and corporate liabilities. In recognition of
the legitimate utility of these objectives, courts have generally
respected the separateness of parent corporations and subsidiaries,
(e.g., courts do not ordinarily allow the liabilities of a
subsidiary to be attributed to its parent corporation, despite the
fact that by definition, parent corporations have a measure of
control over a subsidiary). However, courts have looked behind the
separate legal identities that separate parent and subsidiary to
impose liability when individuals in litigation can establish that
actual responsibility rests with a parent corporation by virtue of
the degree and manner in which it has exercised control over its
subsidiary. Under these circumstances, courts permit ``the corporate
veil to be pierced.''
---------------------------------------------------------------------------
Corporations law or ``entity law,'' which emphasizes the
separateness and distinct rights and obligations of a corporation, has
been supplemented by the development of ``relational law'' when
necessary (e.g., to address evolving organizational arrangements such
as multi-organizational enterprises). To determine rights and
obligations in these circumstances, courts weigh the relationships of
separate corporations that are closely related by virtue of
participating in the same enterprise, (i.e., a common chain of economic
activity fostering and characterized by interdependence).\10\ There has
been a growing trend in various court decisions to attribute legal
responsibilities based on actual behavior in organizational
relationships, rather than on corporate formalities.
---------------------------------------------------------------------------
\10\ See Phillip I. Blumberg Et Al., Blumberg On Corporate
Groups Sec. Sec. 6.01 and 6.02.
---------------------------------------------------------------------------
We stress that neither the statute nor the proposed regulation
imposes any legal responsibilities, obligations, or liability on the
organization(s) of which a component PSO is a part. The focus of the
Patient Safety Act and the regulation is principally on the entity that
voluntarily seeks listing by the Secretary as a PSO.
We note that two of the three certifications that the Patient
Safety Act and the proposed regulation requires component entities to
make--relating to the security and confidentiality of patient safety
work product--are essentially duplicative of attestations that are
required of all entities seeking listing or continued listing as a PSO
(certifications made under section 924(a)(1)(A) and (a)(2)(A) of the
Public Health Service Act, 42 U.S.C. 299b-24(a)(1)(A) and (a)(2)(A)
with respect to patient safety activities described in section
921(5)(E) and (F) of the Public Health Service Act, 42 U.S.C. 299b-
21(5)(E) and (F)). That is, under the Patient Safety Act, all PSOs have
to attest that they have in place policies and procedures to, and
actually do, perform patient safety activities, which include the
maintenance of procedures to preserve patient safety work product
confidentiality and the provision of appropriate security measures for
patient safety work product. The overlapping nature of these
confidentiality and security requirements on components suggests
heightened congressional concern and emphasis regarding the need to
maintain a strong ``firewall'' between a component PSO and its parent
organization, which might have the opportunity and potential to access
sensitive patient safety work product the component PSO assembles,
develops, and maintains. A similar concern arises in the context of a
PSO that is a unit of a corporate parent, a subsidiary or an entity
affiliated with other organizations in a multi-organizational
enterprise.
Requiring entities seeking listing to disclose whether they have a
parent organization or are part of a multi-organizational enterprise
does not involve ``piercing the corporate veil'' as discussed in the
footnote above. The Department would not be seeking this information to
hold a parent liable for actions of the PSO, but to ensure full
disclosure to the Department about the organizational relationships of
an entity seeking to be listed as a PSO. Accordingly, we propose that
an entity seeking listing as a PSO must do so as a component
organization if it has one or more parent organizations (as described
here and in the proposed definition of that term) or is part of a
multi-organizational enterprise, and it must provide the names of its
parent entities. If it has a parent or several parent organizations, as
defined by the proposed regulation, the entity seeking to be listed
must provide the additional certifications mandated by the statute and
by the proposed regulation at Sec. 3.102(c) to maintain the
separateness of its patient safety work product from its parent(s) and
from other components or affiliates\11\ of its parent(s). Such
certifications are consistent with the above-cited body of case law
that permits and makes inquiries about organizational relationships and
practices for purposes of carrying out statutes and statutory
objectives.
---------------------------------------------------------------------------
\11\ Corporate affiliates are commonly controlled corporations;
sharing a corporate parent, they are sometimes referred to as sister
corporations. Separate corporations that are part of a multi-
organizational enterprise are also referred to by the common terms
``affiliates'' or ``affiliated organizations''.
---------------------------------------------------------------------------
It may be helpful to illustrate how a potential applicant for
listing should apply these principles in determining whether to seek
listing as a component PSO. The fundamental principle is that if there
is a parent organization relationship present and the entity is not
prohibited from seeking listing by proposed Sec. 3.102(a)(2), the
entity must seek listing as a component PSO. In determining whether an
entity must seek listing as a component organization, we note that it
does not matter whether the entity is a component of a provider or a
non-provider organization and, if it is a component of a provider
organization, whether it will undertake patient safety activities for
the parent organization's providers or providers that have no
relationship with its parent organization(s). The focus here is
primarily on establishing the separateness of the entity's operation
from any type of parent organization. Examples of entities that would
need to seek listing as a component organization include: A division of
a provider or non-provider organization; a subsidiary entity created by
a provider or non-provider organization; or a joint venture created by
several organizations (which could include provider organizations, non-
provider organizations, or a mix of such organizations) where any or
all of the organizations have a measure of control over the joint
venture.
Other examples of entities that would need to seek listing as a
component PSO include: a division of a nursing home chain; a subsidiary
entity created by a large academic health center or health system; or a
joint venture created by several organizations to seek listing as a PSO
where any or all of the organizations have a measure of control over
the joint venture.
Component PSO would mean a PSO listed by the Secretary that is a
component organization.
Confidentiality provisions would mean any requirement or
prohibition concerning confidentiality established by Sections 921 and
922(b)-(d), (g) and (i) of the Public Health Service Act, 42
[[Page 8117]]
U.S.C. 299b-21 and 299b-22(b)-(d), (g) and (i), and the proposed
provisions, at Sec. Sec. 3.206 and 3.208, by which we propose to
implement the prohibition on disclosure of identifiable patient safety
work product. We proposed to define this new term to provide an easy
way to reference the provisions in the Patient Safety Act and in the
proposed rule that implements the confidentiality protections of the
Patient Safety Act for use in the enforcement and penalty provisions of
this proposed rule. We found this a useful approach in the HIPAA
Enforcement Rule, where we defined ``administrative simplification
provision'' for that purpose. In determining how to define
``confidentiality provisions'' that could be violated, we considered
the statutory enforcement provision at section 922(f) of the Public
Health Service Act, 42 U.S.C. 299b-22(f), which incorporates by
reference section 922(b) and (c).\12\ Thus, the enforcement authority
clearly implicates sections 922(b) and (c) of the Patient Safety Act,
42 U.S.C. 299b-22(b) and (c), which are implemented in proposed Sec.
3.206. Section 922(d) of the Patient Safety Act, 42 U.S.C. 299b-22(d),
is entitled the ``Continued Protection of Information After
Disclosure'' and sets forth continued confidentiality protections for
patient safety work product after it has been disclosed under section
922(c) of the Public Health Service Act, 42 U.S.C. 299b-22(c), with
certain exceptions. Thus, section 922(d) of the Public Health Service
Act, 42 U.S.C. 299b-22(d), is a continuation of the confidentiality
protections provided for in section 922(b) of the Public Health Service
Act, 42 U.S.C. 299b-22(b). Therefore, we also consider the continued
confidentiality provision at proposed Sec. 3.208 herein to be one of
the confidentiality provisions. In addition, our understanding of these
provisions is based on the rule of construction in section 922(g) of
the Public Health Service Act, 42 U.S.C. 299b-22(g), and the
clarification with respect to HIPAA in section 922(i) of the Public
Health Service Act, 42 U.S.C. 299b-22(i); accordingly, these provisions
are included in the definition.
---------------------------------------------------------------------------
\12\ Section 922(f) of the Public Health Service Act, 42 U.S.C.
299b-22(f), states that ``subject to paragraphs (2) and (3), a
person who discloses identifiable patient safety work product in
knowing or reckless violation of subsection (b) shall be subject to
a civil money penalty of not more than $10,000 for each act
constituting such violation'' (emphasis added). Subsection (b) of
section 922 of the Public Health Service Act, 42 U.S.C. 299b-22(b),
is entitled, ``Confidentiality of Patient Safety Work Product'' and
states, ``Notwithstanding any other provision of Federal, State, or
local law, and subject to subsection (c), patient safety work
product shall be confidential and shall not be disclosed'' (emphasis
added). Section 922(c) of the Public Health Service Act, 42 U.S.C.
299b-22(c), in turn, contains the exceptions to confidentiality and
privilege protections.
---------------------------------------------------------------------------
In contrast to the confidentiality provisions, the privilege
provisions in the Patient Safety Act will be enforced by the tribunals
or agencies that are subject to them; the Patient Safety Act does not
authorize the imposition of civil money penalties for breach of such
provisions. We note, however, that to the extent a breach of privilege
is also a breach of confidentiality, the Secretary would enforce the
confidentiality breach under 42 U.S.C. 299b-22(f).
Disclosure would mean the release, transfer, provision of access
to, or divulging in any other manner of patient safety work product by
a person holding patient safety work product to another person. An
impermissible disclosure (i.e., a disclosure of patient safety work
product in violation of the confidentiality provisions) is the action
upon which potential liability for a civil money penalty rests.
Generally, if the person holding patient safety work product is an
entity, disclosure occurs when the information is shared with another
entity or a natural person outside the entity. We do not propose to
hold entities liable for uses of the information within the entity,
(i.e., when this information is exchanged or shared among the workforce
members of the entity) except as noted below concerning component PSOs.
If a natural person holds patient safety work product, except in the
capacity as a workforce member, a disclosure occurs whenever exchange
occurs to any other person or entity. In light of this definition, we
note that a disclosure to a contractor that is under the direct control
of an entity (i.e., a workforce member) would be a use of the
information within the entity and, therefore, not a disclosure for
which a permission is needed. However, a disclosure to an independent
contractor would not be a disclosure to a workforce member, and thus,
would be a disclosure for purposes of this proposed rule and the
proposed enforcement provisions under Subpart D.
For component PSOs, we propose to recognize as a disclosure the
sharing or transfer of patient safety work product outside of the legal
entity, as described above, and between the component PSO and the rest
of the organization (i.e., parent organization) of which the component
PSO is a part. The Patient Safety Act demonstrates a strong desire for
the separation of patient safety work product between a component PSO
and the rest of the organization. See section 924(b)(2) of the Public
Health Service Act, 42 U.S.C. 299b-24(b)(2). Because we propose to
recognize component organizations as component PSOs which exist within,
but distinct from, a single legal entity, and such a component
organization as a component PSO would be required to certify to limit
access to patient safety work product under proposed Sec. 3.102(c),
the release, transfer, provision of access to, or divulging in any
other manner of patient safety work product from a component PSO to the
rest of the organization will be recognized as a disclosure for
purposes of this proposed rule and the proposed enforcement provisions
under Subpart D.
We considered whether or not we should hold entities liable for
disclosures that occur within that entity (uses) by defining disclosure
more discretely, (i.e., as between persons within an entity). If we
were to define disclosure in this manner, it may promote better
safeguarding against inappropriate uses of patient safety work product
by providers and PSOs. It may also allow better control of uses by
third parties to whom patient safety work product is disclosed, and it
would create additional enforcement situations which could lead to
additional potential civil money penalties. We note that HIPAA
authorized the Department to regulate both the uses and disclosures of
individually identifiable health information and, thus, the HIPAA
Privacy Rule regulates both the uses and disclosures of such
information by HIPAA covered entities. See section 264(b) and (c)(1) of
HIPAA, Public Law 104-191. The Patient Safety Act, on the other hand,
addresses disclosures and authorizes the Secretary to penalize
disclosures of patient safety work product.
Nonetheless, we do not propose to regulate the use, transfer or
sharing by internal disclosure, of patient safety work product within a
legal entity. We also decline to propose to regulate uses because we
would consider regulating uses within providers and PSOs to be
intrusive into their internal affairs. This would be especially the
case given that this is a voluntary program. Moreover, we do not
believe that regulating uses would further the statutory goal of
facilitating the sharing of patient safety work product with PSOs. In
other words, regulating uses would not advance the ability of any
entity to share patient safety work product for patient safety
activities. Finally, we presume that there are sufficient incentives in
place for providers and PSOs to prudently manage the uses of sensitive
patient safety work product.
[[Page 8118]]
We are not regulating uses, whether in a provider, PSO, or any
other entity that obtains patient safety work product. Because we are
not proposing to regulate uses, there will be no federal sanction based
on use of this information. If a provider or other entity wants to
limit the uses or further disclosures (beyond the regulatory
permissions) by a PSO or any future recipient, a disclosing entity is
free to do so by contract. See section 922(g)(4) of the Public Health
Service Act, 42 U.S.C. 299b-22(g)(4), and proposed Sec. 3.206(e). We
seek comment about whether this strikes the right balance.
The proposed definition mirrors the definition of disclosure used
in the HIPAA Privacy Rule concerning disclosures of protected health
information. Although we do not propose to regulate the use of patient
safety work product, HIPAA covered entities that possess patient safety
work product which contains protected health information must comply
with the use and disclosure requirements of the HIPAA Privacy Rule with
respect to the protected health information. Patient safety work
product containing protected health information could only be used in
accordance with the HIPAA Privacy Rule use permissions, including the
minimum necessary requirement.
Entity would mean any organization, regardless of whether the
organization is public, private, for-profit, or not-for-profit. The
statute permits any entity to seek listing as a PSO by the Secretary
except a health insurance issuer and any component of a health
insurance issuer and Sec. 3.102(a)(2) proposes, in addition, to
prohibit public or private sector entities that conduct regulatory
oversight of providers.
Group health plan would mean an employee welfare benefit plan (as
defined in section 3(1) of the Employee Retirement Income Security Act
of 1974 (ERISA) to the extent that the plan provides medical care (as
defined in paragraph (2) of section 2791(a) of the Public Health
Service Act, 42 U.S.C. 300gg-91(a)(1)) and including items and services
paid for as medical care) to employees or their dependents (as defined
under the terms of the plan) directly or through insurance,
reimbursement, or otherwise. Section 2791(b)(2) of the Public Health
Service Act, 42 U.S.C. 300gg-91(b)(2) excludes group health plans from
the defined class of `health insurance issuer.' Therefore, a group
health plan may establish a PSO unless the plan could be considered a
component of a health insurance issuer, in which case such a plan would
be precluded from being a PSO by the Patient Safety Act.
Health insurance issuer would mean an insurance company, insurance
service, or insurance organization (including a health maintenance
organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed
to engage in the business of insurance in a State and which is subject
to State law which regulates insurance (within the meaning of 29 U.S.C.
1144(b)(2)). The term, as defined in the Public Health Service Act,
does not include a group health plan.
Health maintenance organization would mean (1) a Federally
qualified health maintenance organization (as defined in 42 U.S.C.
300e(a)); (2) an organization recognized under State law as a health
maintenance organization; or (3) a similar organization regulated under
State law for solvency in the same manner and to the same extent as
such a health maintenance organization. Because the ERISA definition
relied upon by the Patient Safety Act includes health maintenance
organizations in the definition of health insurance issuer, an HMO may
not be, control, or manage the operation of a PSO.
HHS stands for the United States Department of Health and Human
Services. This definition is added for convenience.
HIPAA Privacy Rule would mean the regulations promulgated under
section 264(c) of the Health Insurance Portability and Accountability
Act of 1996 (HIPAA), at 45 CFR Part 160 and Subparts A and E of Part
164.
Identifiable Patient Safety Work Product would mean patient safety
work product that:
(1) Is presented in a form and manner that allows the
identification of any provider that is a subject of the work product,
or any providers that participate in activities that are a subject of
the work product;
(2) Constitutes individually identifiable health information as
that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or
(3) Is presented in a form and manner that allows the
identification of an individual who in good faith reported information
directly to a PSO, or to a provider with the intention of having the
information reported to a PSO (``reporter'').
Identifiable patient safety work product is not patient safety work
product that meets the nonidentification standards proposed for
``nonidentifiable patient safety work product''.
Nonidentifiable Patient Safety Work Product would mean patient
safety work product that is not identifiable in accordance with the
nonidentification standards proposed at Sec. 3.212. Because the
privilege and confidentiality protections of the Patient Safety Act and
this Part do not apply to nonidentifiable patient safety work product
once disclosed, the restrictions and data protection rules in this
proposed rule phrased as pertaining to patient safety work product
generally only apply to identifiable patient safety work product.
OCR stands for the Office for Civil Rights in HHS. This definition
is added for convenience.
Parent organization would mean a public or private sector
organization that, alone or with others, either owns a provider entity
or a component PSO, or has the authority to control or manage agenda
setting, project management, or day-to-day operations of the component,
or the authority to review and override decisions of a component PSO.
We have not proposed to define the term ``owns.'' We propose to use the
term ``own a provider entity'' to mean a governmental agency or Tribal
entity that controls or manages a provider entity as well as an
organization having a controlling interest in a provider entity or a
component PSO, for example, owning a majority or more of the stock of
the owned entity, and expressly ask for comment on whether our further
definition of controlling interest as follows below is appropriate.
Under the proposed regulation, if an entity that seeks to be a PSO
has a parent organization, that entity will be required to seek listing
as a component PSO and must provide certifications set forth in
proposed Sec. 3.102(c), which indicate that the entity maintains
patient safety work product separately from the rest of the
organization(s) and establishes security measures to maintain the
confidentiality of patient safety work product, the entity does not
make an unauthorized disclosure of patient safety work product to the
rest of the organization(s), and the entity does not create a conflict
of interest with the rest of the organization(s).
Traditionally, a parent corporation is defined as a corporation
that holds a controlling interest in one or more subsidiaries. By
contrast, parent organization, as used in this proposed rule, is a more
inclusive term and is not limited to definitions used in corporations
law. Accordingly, the proposed definition emphasizes a parent
organization's control (or influence) over a PSO that may or may not be
based on stock ownership.\13\ Our
[[Page 8119]]
approach to interpreting the statutory reference in section 924(b)(2)
of the Patient Safety Act, 42 U.S.C. 299b-24(b)(2) to ``another
organization'' in which an entity is a ``component'' (i.e., a ``parent
organization'') is analogous to the growing attention in both statutory
and case law, to the nature and conduct of business organizational
relationships, including multi-organizational enterprises. As discussed
above in the definition of ``component,'' the emphasis on actual
organizational control, rather than the organization's structure, has
numerous legal precedents in legislation implementing statutory
programs and objectives and courts upholding such programs and
objectives.\14\ Therefore, the definition of a ``parent organization,''
as used in the proposed regulation would encompass an affiliated
organization that participates in a common enterprise with an entity
seeking listing, and that owns, manages or exercises control over the
entity seeking to be listed as a PSO. As indicated above, affiliated
corporations have been legally defined to mean those who share a
corporate parent or are part of a common corporate enterprise.\15\
---------------------------------------------------------------------------
\13\ Cf. 17 CFR 240.12b-2 (defining ``control'' broadly as ``* *
* the power to direct or cause the direction of the management and
policies of an * * * [entity] whether through the ownership of
voting securities, by contract, or otherwise.'')
\14\ Blumberg on Corporate Groups Sec. 13 notes that, where
applications for licenses are in a regulated industry, information
is required by states about the applicant as well as corporate
parents, subsidiaries and affiliates. In the proposed regulation,
pursuant to the Patient Safety Act, information about parent
organizations with potentially conflicting missions would be
obtained to ascertain that component entities seeking to be PSOs
have measures in place to protect the confidentiality of patient
safety work product and the independent conduct of impartial
scientific analyses by PSOs.
\15\ See for example the definition of affiliates in regulations
jointly promulgated by the Comptroller of the Currency, the Federal
Reserve board, the FDIC, and the Office of Thrift Supervision to
implement privacy provisions of Gramm Leach Bliley legislation using
provisions of the Fair Credit Reporting Act (dealing with
information sharing among affiliates): ``any company that is related
or affiliated by common ownership, or affiliated by corporate
control or common corporate control with another company.''
Blumberg, supra note 2, at Sec. 122.09[A] (citing 12 CFR pt.41.3,
12 CFR pt.222.3(1), 12 CFR pt.334.3(b) and 12 CFR pt.571.3(1)
(2004)).
---------------------------------------------------------------------------
Parent organization is defined to include affiliates primarily in
recognition of the prospect that otherwise unrelated organizations
might affiliate to jointly establish a PSO. We can foresee such an
enterprise because improving patient safety through expert analysis of
aggregated patient safety data could logically be a common and
efficient objective shared by multiple potential cofounders of a PSO.
It is fitting, in our view, that a component entity certify, as we
propose in Sec. 3.102(c), that there is ``no conflict'' between its
mission as a PSO and all of the rest of the parent or affiliated
organizations that undertake a jointly sponsored PSO enterprise.\16\
Similarly, it is also appropriate that the additional certifications
required of component entities in proposed Sec. 3.102(c) regarding
separation of patient safety work product and the use of separate staff
be required of an entity that has several co-founder parent
organizations that exercise ownership, management or control, (i.e. to
assure that the intended ``firewalls'' exist between the component
entity and the rest of any affiliated organization that might exercise
ownership, management or control over a PSO).
---------------------------------------------------------------------------
\16\ We note that the certifications from a jointly established
PSO could be supported or substantiated with references to
protective procedural or policy walls that have been established to
preclude a conflict of these organizations' other missions with the
scientific analytic mission of the PSO.
---------------------------------------------------------------------------
To recap this part of the discussion, we would consider an entity
seeking listing as a PSO to have a parent organization, and such entity
would seek listing as a component organization, under the following
circumstances: (a) The entity is a unit in a corporate organization or
a controlling interest in the entity is owned by another corporation;
or (b) the entity is a distinct organizational part of a multi-
organizational enterprise and one or more affiliates in the enterprise
own, manage, or control the entity seeking listing as a PSO. An example
of an entity described in (b) would be an entity created by a joint
venture in which the entity would be managed or controlled by several
co-founding parent organizations.
The definition of provider in the proposed rule (which will be
discussed below) includes the parent organization of any provider
entity. Correspondingly, our definition of parent organization includes
any organization that ``owns a provider entity.'' This is designed to
provide an option for the holding company of a corporate health care
system to enter a multi-facility or system-wide contract with a PSO.
Patient Safety Act would mean the Patient Safety and Quality
Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the
Public Health Service Act (42 U.S.C. 299 et seq.) by inserting a new
Part C, sections 921 through 926, which are codified at 42 U.S.C. 299b-
21 through 299b-26.
Patient safety activities would mean the following activities
carried out by or on behalf of a PSO or a provider:
(1) Efforts to improve patient safety and the quality of health
care delivery;
(2) The collection and analysis of patient safety work product;
(3) The development and dissemination of information with respect
to improving patient safety, such as recommendations, protocols, or
information regarding best practices;
(4) The utilization of patient safety work product for the purposes
of encouraging a culture of safety and of providing feedback and
assistance to effectively minimize patient risk;
(5) The maintenance of procedures to preserve confidentiality with
respect to patient safety work product;
(6) The provision of appropriate security measures with respect to
patient safety work product;
(7) The utilization of qualified staff; and
(8) Activities related to the operation of a patient safety
evaluation system and to the provision of feedback to participants in a
patient safety evaluation system.
This definition is taken from the Patient Safety Act. See section
921(5) of the Public Health Service Act, 42 U.S.C. 299b-21(5). Patient
safety activities is used as a key reference term for other provisions
in the proposed rule and those provisions provide descriptions related
to patient safety activities. See proposed requirements for PSOs at
Sec. Sec. 3.102 and 3.106 and the proposed confidentiality disclosure
permission at Sec. 3.206(b)(4).
Patient safety evaluation system would mean the collection,
management, or analysis of information for reporting to or by a PSO.
The patient safety evaluation system is a core concept of the Patient
Safety Act through which information, including data, reports,
memoranda, analyses, and/or written or oral statements, is collected,
maintained, analyzed, and communicated. When a provider engages in
patient safety activities for the purpose of reporting to a PSO or a
PSO engages in these activities with respect to information for patient
safety purposes, a patient safety evaluation system exists regardless
of whether the provider or PSO has formally identified a ``patient
safety evaluation system''. For example, when a provider collects
information for the purpose of reporting to a PSO and reports the
information to a PSO to generate patient safety work product, the
provider is collecting and reporting through its patient safety
evaluation system (see definition of patient safety work product ).
Although we do not propose to require providers or PSOs formally to
identify or define their patient safety evaluation system--because such
systems exist by virtue of the providers or PSOs undertaking certain
patient safety activities--a patient safety evaluation system can be
[[Page 8120]]
formally designated by a provider or PSO to establish a secure space in
which these activities may take place.
The formal identification or designation of a patient safety
evaluation system could give structure to the various functions served
by a patient safety evaluation system. These possible functions are:
1. For reporting information by a provider to a PSO in order to
generate patient safety work product and to protect the fact of
reporting such information to a PSO (see section 921(6) and
(7)(A)(i)(I) of the Public Health Service Act, 42 U.S.C. 299b-21(6) and
(7)(A)(i)(I));
2. For communicating feedback concerning patient safety events
between PSOs and providers (see section 921(5)(H) of the Public Health
Service Act, 42 U.S.C. 299b-21(5)(H));
3. For creating and identifying the space within which
deliberations and analyses of information and patient safety work
product are conducted (see section 921(7)(A)(ii) of the Public Health
Service Act, 42 U.S.C. 299b-21(7)(A)(ii));
4. For separating patient safety work product and information
collected, maintained, or developed for reporting to a PSO distinct and
apart from information collected, maintained, or developed for other
purposes (see section 921(7)(B)(ii) of the Public Health Service Act,
42 U.S.C. 299b-21(7)(B)(ii)); and,
5. For identifying patient safety work product to maintain its
privileged status and confidentiality, and to avoid impermissible
disclosures (see section 922(b) of the Public Health Service Act, 42
U.S.C. 299b-22(b)).
A provider or PSO need not engage in all of the above-mentioned
functions in order to establish or maintain a patient safety evaluation
system. A patient safety evaluation system is flexible and scalable to
the individual needs of a provider or PSO and may be modified as
necessary to support the activities and level of engagement in the
activities by a particular provider or PSO.
Documentation. Because a patient safety evaluation system is
critical in identifying and protecting patient safety work product, we
encourage providers and PSOs to document what constitutes their patient
safety evaluation system. We recommend that providers and PSOs consider
documenting the following:
How information enters the patient safety evaluation
system;
What processes, activities, physical space(s) and
equipment comprise or are used by the patient safety evaluation system;
Which personnel or categories of personnel need access to
patient safety work product to carry out their duties involving
operation of, or interaction with the patient safety evaluation system,
and for each such person or category of persons, the category of
patient safety work product to which access is needed and any
conditions appropriate to such access; and,
What procedures or mechanisms the patient safety
evaluation system uses to report information to a PSO or disseminate
information outside of the patient safety evaluation system.
A documented patient safety evaluation system, as opposed to an
undocumented or poorly documented patient safety evaluation system, may
accrue many benefits to the operating provider or PSO. Providers or
PSOs that have a documented patient safety evaluation system will have
substantial proof to support claims of privilege and confidentiality
when resisting requests for production of, or subpoenas for,
information constituting patient safety work product or when making
requests for protective orders against requests or subpoenas for such
patient safety work product. Documentation of a patient safety
evaluation system will enable a provider or PSO to provide supportive
evidence to a court when claiming privilege protections for patient
safety work product. This may be particularly critical since the same
activities can be done inside and outside of a patient safety
evaluation system.
A documented and established patient safety evaluation system also
gives notice to employees of the privileged and confidential nature of
the information within a patient safety evaluation system in order to
generate awareness, greater care in handling such information and more
caution to prevent unintended or impermissible disclosures of patient
safety work product. For providers with many employees, an established
and documented patient safety evaluation system can serve to separate
access to privileged and confidential patient safety work product from
employees that have no need for patient safety work product.
Documentation can serve to limit access by non-essential employees. By
limiting who may access patient safety work product, a provider may
reduce its exposure to the risks of inappropriate disclosures.
Given all of the benefits, documentation of a patient safety
evaluation system would be a prudent business practice. Moreover, as
part of our enforcement program, we would expect entities to be
following sound business practices in maintaining adequate
documentation regarding their patient safety evaluation systems to
demonstrate their compliance with the confidentiality provisions.
Absent this type of documentation, it may be difficult for entities to
satisfy the Secretary that they have met and are in compliance with
their confidentiality obligations. While we believe it is a sound and
prudent business practice, we have not required a patient safety
evaluation system to be documented, and we do not believe it is
required by the Patient Safety Act. We seek comment as to these issues.
Patient Safety Organization (PSO) would mean a private or public
entity or component thereof that is listed as a PSO by the Secretary in
accordance with proposed Sec. 3.102.
Patient Safety Work Product is a defined term in the Patient Safety
Act that identifies the information to which the privilege and
confidentiality protections apply. This proposed rule imports the
statutory definition of patient safety work product specifically for
the purpose of implementing the confidentiality protections under the
Patient Safety Act. The proposed rule provides that, with certain
exceptions, patient safety work product would mean any data, reports,
records, memoranda, analyses (such as root cause analyses), or written
or oral statements (or copies of any of this material) (A) which could
result in improved patient safety, health care quality, or health care
outcomes and either (i) is assembled or developed by a provider for
reporting to a PSO and is reported to a PSO; or (ii) is developed by a
PSO for the conduct of patient safety activities; or (B) which
identifies or constitutes the deliberations or analysis of, or
identifies the fact of reporting pursuant to, a patient safety
evaluation system. The proposed rule excludes from patient safety work
product a patient's original medical record, billing and discharge
information, or any other original patient or provider information and
any information that is collected, maintained, or developed separately,
or exists separately, from a patient safety evaluation system. Such
separate information or a copy thereof reported to a PSO does not by
reason of its reporting become patient safety work product. The
separately collected and maintained information remains available, for
example, for public health reporting or disclosures pursuant to court
order. The information contained in a provider's or PSO's patient
safety evaluation system is protected, would be privileged and
confidential, and may not be disclosed absent a statutory or regulatory
permission.
[[Page 8121]]
What can become patient safety work product. The definition of
patient safety work product lists the types of information that are
likely to be exchanged between a provider and PSO to generate patient
safety work product: ``Any data, reports, records, memoranda, analyses
(such as root cause analyses), or written or oral statements''
(collectively referred to below as ``information'' for brevity).
Congress intended the fostering of robust patient safety evaluation
systems for exchanges between providers and PSOs. We expect this
expansive list will maximize provider flexibility in operating its
patient safety evaluation system by enabling the broadest possible
incorporation and protection of information by providers and PSOs.
In addition, information must be collected or developed for the
purpose of reporting to a PSO. Records collected or developed for a
purpose other than for reporting to a PSO, such as to support internal
risk management activities or to fulfill external reporting
obligations, cannot become patient safety work product. However, copies
of information collected for another purpose may become patient safety
work product if, for example, the copies are made for the purpose of
reporting to a PSO. This issue is discussed more fully below regarding
information that cannot become patient safety work product.
When information is reported by a provider to a PSO or when a PSO
develops information for patient safety activities, the definition
assumes that the protections apply to information that ``could result
in improved patient safety, health care quality, or health care
outcomes.'' This phrase imposes few practical limits on the type of
information that can be protected since a broad range of clinical and
non-clinical factors could have a beneficial impact on the safety,
quality, or outcomes of patient care. Because the Patient Safety Act
does not impose a narrow limitation, such as requiring information to
relate solely, for example, to particular adverse or ``sentinel''
incidents or even to the safety of patient care, we conclude Congress
intended providers to be able to cast a broad net in their data
gathering and analytic efforts to identify causal factors or
relationships that might impact patient safety, quality and outcomes.
In addition, we note that the phrase ``could result in improved''
requires only potential utility, not proven utility, thereby allowing
more information to become patient safety work product.
How information becomes patient safety work product. Paragraphs
(1)(i)(A), (1)(i)(B), and (1)(ii) of the proposed regulatory definition
indicate three ways for information to become patient safety work
product and therefore subject to the confidentiality and privilege
protections of the Patient Safety Act.
Information assembled or developed and reported by providers. By
law and as set forth in our proposal, information that is assembled or
developed by a provider for the purpose of reporting to a PSO and is
reported to a PSO is patient safety work product. Section
921(7)(A)(i)(I) of the Public Health Service Act, 42 U.S.C. 299b-
21(7)(A)(i)(I).
As noted, to become patient safety work product under this section
of the definition, information must be reported by a provider to a PSO.
For purposes of paragraph (1)(i)(A) of this definition, ``reporting''
generally means the actual transmission or transfer of information, as
described above, to a PSO. We recognize, however, that requiring the
transmission of every piece of paper or electronic file to a PSO could
impose significant transmission, management, and storage burdens on
providers and PSOs. In many cases, providers engaged in their own
investigations may desire to avoid continued transmission of additional
related information as its work proceeds.
To alleviate the burden of reporting every piece of information
assembled by a provider related to a particular patient safety event,
we are interested in public comment regarding an alternative for
providers that have established relationships with PSOs. We note that
the reporting and generation of patient safety work product does not
require a contract or any other relationship for a PSO to receive
reports from a provider, for a PSO to examine patient safety work
product, or for a PSO to provide feedback to a provider based upon the
examination of reported information. Nonetheless, we anticipate that
providers who are committed to patient safety improvements will
establish a contractual or similar relationship with a PSO to report
and receive feedback about patient safety incidents and adverse events.
Such a contract or relationship would provide a basis to allow
providers and PSOs to establish customized alternative arrangements for
reporting.
For providers that have established contracts with PSOs for the
review and receipt of patient safety work product, we seek comment on
whether a provider should be able to ``report'' to the PSO by providing
its contracted PSO access to any information it intends to report
(i.e., ``functional reporting''). For example, a provider and a PSO may
establish, by contract, that information put into a database shared by
the provider and the PSO is sufficient to report information to the PSO
in lieu of the actual transmission requirement. We believe that
functional reporting would be a valuable mechanism for the efficient
reporting of information from a provider to a PSO. We are seeking
public comment about what terms and conditions may be necessary to
provide access to a PSO to be recognized as functional reporting. We
also seek comment about whether this type of functional reporting
arrangement should only be available for subsequent related information
once an initial report on a specific topic or incident has been
transmitted to a PSO.
We do not intend a PSO to have an unfettered right of access to any
provider information. Providers and PSOs are free to engage in
alternative reporting arrangements under the proposed rule, and we
solicit comments on the appropriate lines to be drawn around the
arrangements that should be recognized under the proposed rule.
However, our proposals should not be construed to suggest or propose
that a PSO has a superior right to access information held by a
provider based upon a reporting relationship. If a PSO believes
information reported by a provider is insufficient, a PSO is free to
request additional information from a provider or to indicate
appropriate limitations to the conclusions or analyses based on
insufficient or incomplete information.
We seek public comment on two additional aspects regarding the
timing of the obligation of a provider to report to a PSO in order for
information to become protected patient safety work product and for the
confidentiality protections to attach. The first issue relates to the
timing between assembly or development of information for reporting and
actual reporting under the proposed definition of patient safety work
product. As currently proposed, information assembled or developed by a
provider is not protected until the moment it is reported, (i.e.,
transmitted or transferred to a PSO). We are considering whether there
is a need for a short period of protection for information assembled
but not yet reported. We note that in such situations, a provider
creates and operates a patient safety evaluation system. (See
discussion of the definition of patient safety evaluation system at
proposed Sec. 3.20.) We further note that even without such short
period of
[[Page 8122]]
protection, information assembled or developed by a provider but not
yet reported may be subject to other protections in the proposed rule
(e.g., see section 921(7)(A)(ii) of the Public Health Service Act, 42
U.S.C. 299b-21(7)(A)(ii)).
Our intent is not to relieve the provider of the statutory
requirement for reporting pursuant to section 921(7)(A)(i) of the
Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(i), but to extend to
providers flexibility to efficiently transmit or transfer information
to a PSO for protection. A short period of protection for information
assembled but not yet reported could result in greater operational
efficiency for a provider by allowing information to be compiled and
reported to a PSO in batches. It could also alleviate the uncertainty
regarding the status of information that is assembled, but not yet
reported for administrative reasons. If we do address this issue in the
final rule, we seek input on the appropriate time period for such
protection and whether a provider must demonstrate an intent to report
in order to obtain protections. If we do not address this issue in the
final rule, such information held by a provider would not be
confidential until it is actually transmitted to a PSO under this prong
of the definition of patient safety work product.
Second, for information to become patient safety work product under
this prong of the definition, it must be assembled or developed for the
purpose of reporting to a PSO and actually reported. We solicit comment
on the point in time at which it can be established that information is
being collected for the purpose of reporting to a PSO such that it is
not excluded from the definition of patient safety work product as a
consequence of it being collected, maintained or developed separately
from a patient safety evaluation system. See section 921(7)(B)(ii) of
the Public Health Service Act, 42 U.S.C. 299b-21(7)(B)(ii). To assemble
information with the purpose of reporting to a PSO, a PSO must
potentially exist, and thus, we believe that collection efforts cannot
predate the passage of the Patient Safety Act on July 29, 2005.
Information that is developed by a PSO for the conduct of patient
safety activities. By law and as set forth in our proposal, information
that is developed by a PSO for patient safety activities is patient
safety work product. Section 921(7)(A)(i)(II) of the Public Health
Service Act, 42 U.S.C. 299b-21(7)(A)(i)(II). This section of the
definition does not address information discussed in the previous
section that is assembled or developed by a provider and is reported to
a PSO which becomes patient safety work product under that section.
Rather, this section addresses other information that a PSO collects
for development from third parties, non-providers and other PSOs for
patient safety activities.
For example, a PSO may be asked to assist a provider in analyzing a
complex adverse event that took place. The initial information from the
provider is protected because it was reported. If the PSO determines
that the information is insufficient and conducts interviews with
affected patients or collects additional data, that information is an
example of the type of information that would be protected under this
section of the definition. Even if the PSO ultimately decided not to
analyze such information, the fact that the PSO collected and evaluated
the information is a form of ``development'' transforming the
information into patient safety work product. Such patient safety work
product would be subject to confidentiality protections, and thus, the
PSO would need safe disposal methods for any such information in
accordance with its confidentiality obligations.
Information that constitutes the deliberations or analysis of, or
identifies the fact of reporting pursuant to, a patient safety
evaluation system. By law and as set forth in our proposal, information
that constitutes the deliberations or analysis of, or identifies the
fact of reporting pursuant to, a patient safety evaluation system is
patient safety work product. Section 921(7)(A)(ii) of the Public Health
Service Act, 42 U.S.C. 299b-21(7)(A)(ii). This provision extends
patient safety work product protections to any information that would
identify the fact of reporting pursuant to a patient safety evaluation
system or that constitutes the deliberations or analyses that take
place within such a system. The fact of reporting through a patient
safety evaluation system (e.g., a fax cover sheet, an e-mail
transmitting data, and an oral transmission of information to a PSO) is
patient safety work product.
With regard to providers, deliberations and analyses are protected
while they are occurring provided they are done within a patient safety
evaluation system. We are proposing that under paragraph (1)(ii) of
this definition, any ``deliberations or analysis'' performed within the
patient safety evaluation system becomes patient safety work product.
In other words, to determine whether protections apply, the primary
question is whether a patient safety evaluation system, which by law
and as set forth in this proposed rule, is the collection, management,
or analysis of information for reporting to a PSO, was in existence at
the time of the deliberations and analysis.
To determine whether a provider had a patient safety evaluation
system at the time that the deliberations or analysis took place, we
propose to consider whether a provider had certain indicia of a patient
safety evaluation system, such as the following: (1) The provider has a
contract with a PSO for the receipt and review of patient safety work
product that is in effect at the time of the deliberations and
analysis; (2) the provider has documentation for a patient safety
evaluation system demonstrating the capacity to report to a PSO at the
time of the deliberations and analysis; (3) the provider had reported
information to the PSO either under paragraph (1)(i)(A) of the proposed
definition of patient safety work product or with respect to
deliberations and analysis; or (4) the provider has actually reported
the underlying information that was the basis of the deliberations or
analysis to a PSO. For example, if a provider claimed protection for
information as the deliberation of a patient safety evaluation system,
and had a contract with the PSO at the time the deliberations took
place, it would be reasonable to believe that the deliberations and
analysis were related to the provider's PSO reporting activities. This
is not an exclusive list. We note therefore that a provider may still
be able to show that information was patient safety work product using
other indications.
We note that the statutory protections for deliberations and
analysis in a patient safety evaluation system apply without regard to
the status of the underlying information being considered (i.e., it
does not matter whether the underlying information being considered is
patient safety work product or not). A provider can fully protect
internal deliberations in its patient safety evaluation system over
whether to report information to a PSO. The deliberations and analysis
are protected, whether the provider chooses to report the underlying
information to a PSO or not. However, the underlying information,
separate and apart from the analysis or deliberation, becomes protected
only when reported to a PSO. See section 921(7)(A)(i)(1) of the Public
Health Service Act, 42 U.S.C. 299b-21(7)(A)(i)(1).
To illustrate, consider a hospital that is reviewing a list of all
near-misses
[[Page 8123]]
reported within the past 30 days. The purpose of the hospital's review
is to analyze whether to report any or part of the list to a PSO. The
analyses (or any deliberations the provider undertakes) are fully
protected whether the provider reports any near-misses or not. The
status of the near-misses list does not change because the
deliberations took place. The fact that the provider deliberated over
reporting the list does not constitute reporting and does not change
the protected status of the list. Separate and apart from the analysis,
this list of near misses is not protected unless it is reported. By
contrast, this provision fully protects the provider's deliberations
and analyses in its patient safety evaluation system regarding the
list.
Delisting. In the event that a PSO is delisted for cause under
proposed Sec. 3.108(b)(1), a provider may continue to report to that
PSO for 30 days after the delisting and the reported information will
be patient safety work product. Section 924(f)(1) of the Public Health
Service Act, 42 U.S.C. 299b-24(f)(1). Information reported to a
delisted PSO after the 30-day period will not be patient safety work
product. However, after a PSO is delisted, the delisted entity may not
continue to generate patient safety work product by developing
information for the conduct of patient safety activities or through
deliberations and analysis of information. Any patient safety work
product held or generated by a PSO prior to its delisting remains
protected even after the PSO is delisted. See discussion in the
preamble regarding proposed Sec. 3.108(b)(2) for more information.
We note that proposed Sec. 3.108(c) outlines the process for
delisting based upon an entity's voluntary relinquishment of its PSO
listing. As we discuss in the accompanying preamble, we tentatively
conclude that the statutory provision for a 30-day period of continued
protection does not apply after delisting due to voluntary
relinquishment.
Even though a PSO may not generate new patient safety work product
after delisting, it may still have in its possession patient safety
work product, which it must keep confidential. The statute establishes
requirements, incorporated in proposed Sec. 3.108(b)(2) and (b)(3),
that a PSO delisted for cause must meet regarding notification of
providers and disposition of patient safety work product. We propose in
Sec. 3.108(c) to implement similar notification and disposition
measures for a PSO that voluntarily relinquishes its listing. For
further discussion of the obligations of a delisted PSO, see proposed
Sec. 3.108(b)(2), (b)(3), and (c).
What is not patient safety work product. By law, and as set forth
in this proposed rule, patient safety work product does not include a
patient's original medical record, billing and discharge information,
or any other original patient or provider record; nor does it include
information that is collected, maintained, or developed separately or
exists separately from, a patient safety evaluation system. Such
separate information or a copy thereof reported to a PSO shall not by
reason of its reporting be considered patient safety work product.
The specific examples cited in the Patient Safety Act of what is
not patient safety work product--the patient's original medical record,
billing and discharge information, or any other original patient
record--are illustrative of the types of information that providers
routinely assemble, develop, or maintain for purposes and obligations
other than those of the Patient Safety Act. The Patient Safety Act also
states that information that is collected, maintained, or developed
separately, or exists separately from a patient safety evaluation
system, is not patient safety work product. Therefore, if records are
collected, maintained, or developed for a purpose other than for
reporting to a PSO, those records cannot be patient safety work
product. However, if, for example, a copy of such record is made for
reporting to a PSO, the copy and the fact of reporting become patient
safety work product. Thus, a provider could collect incident reports
for internal quality assurance purposes, and later, determine that one
incident report is relevant to a broader patient safety activity. If
the provider then reports a copy of the incident report to a PSO, the
copy of the incident report received by the PSO is protected as is the
copy of the incident report as reported to the PSO that is maintained
by the provider, while the original incident report collected for
internal quality assurance purposes is not protected.
The proposed rule sets forth the statutory rule of construction
that prohibits construing anything in this Part from limiting (1) the
discovery of or admissibility of information that is not patient safety
work product in a criminal, civil, or administrative proceeding; (2)
the reporting of information that is not patient safety work product to
a Federal, State, or local governmental agency for public health
surveillance, investigation, or other public health purposes or health
oversight purposes; or (3) a provider's recordkeeping obligation with
respect to information that is not patient safety work product under
Federal, State or local law. Section 921(7)(B)(iii) of the Public
Health Service Act, 42 U.S.C. 299b-21(7)(B)(iii). Even when laws or
regulations require the reporting of the information regarding the type
of events also reported to PSOs, the Patient Safety Act does not shield
providers from their obligation to comply with such requirements.
As the Patient Safety Act states more than once, these external
obligations must be met with information that is not patient safety
work product, and, in accordance with the confidentiality provisions,
patient safety work product cannot be disclosed for these purposes. We
note that the Patient Safety Act clarifies that nothing in this Part
prohibits any person from conducting additional analyses for any
purpose regardless of whether such additional analysis involves issues
identical to or similar to those for which information was reported to
or assessed by a PSO or a patient safety evaluation system. Section
922(h) of the Public Health Service Act, 42 U.S.C. 299b-22(h). A copy
of information generated for such purposes may be entered into the
provider's patient safety evaluation system for patient safety purposes
although the originals of the information generated to meet external
obligations do not become patient safety work product.
Thus, information that is collected to comply with external
obligations is not patient safety work product. Such activities may
include: State incident reporting requirements; adverse drug event
information reporting to the Food and Drug Administration (FDA);
certification or licensing records for compliance with health oversight
agency requirements; reporting to the National Practitioner Data Bank
of physician disciplinary actions; or complying with required
disclosures by particular providers or suppliers pursuant to Medicare's
conditions of participation or conditions of coverage. In addition, the
proposed rule does not change the law with respect to an employee's
ability to file a complaint with Federal or State authorities regarding
quality of care, or with respect to any prohibition on a provider's
threatening or carrying out retaliation against an individual for doing
so; the filing of any such complaint would not be deemed to be a
violation of the Patient Safety Act, unless patient safety work product
was improperly disclosed in such filing.
Health Care Oversight Reporting and Patient Safety Work Product.
The Patient Safety Act establishes a
[[Page 8124]]
protected space or system of protected information in order to allow
frank discussion about causes and remediation of threats to patient
safety. As described above, this protected system is separate,
distinct, and resides alongside but does not replace other information
collection activities mandated by laws, regulations, and accrediting
and licensing requirements as well as voluntary reporting activities
that occur for the purpose of maintaining accountability in the health
care system. Information collection activities performed by the
provider for purposes other than for reporting to a PSO by itself do
not create patient safety work product. In anticipation of questions
about how mandatory and voluntary reporting will continue to be
possible, a brief explanation may be helpful regarding how this new
patient safety framework would operate in relation to health care
oversight activities (e.g., public health reporting, corrective
actions, etc.).
Situations may occur when the original (whether print or
electronic) of information that is not patient safety work product is
needed for a disclosure outside of the entity but cannot be located
while a copy of the needed information resides in the patient safety
evaluation system. If the reason for which the original information is
being sought does not align with one of the permissible disclosures,
discussed in proposed Subpart C, the protected copy may not be
released. Nevertheless, this does not preclude efforts to reconstruct
the information outside of the patient safety evaluation system from
information that is not patient safety work product. Those who
participated in the collection, development, analysis, or review of the
missing information or have knowledge of its contents can fully
disclose what they know or reconstruct an analysis outside of the
patient safety evaluation system.
The issue of how effectively a provider has instituted corrective
action following identification of a threat to the quality or safety of
patient care might lead to requests for information from external
authorities. The Patient Safety Act does not relieve a provider of its
responsibility to respond to such requests for information or to
undertake or provide to external authorities evaluations of the
effectiveness of corrective action, but the provider must respond with
information that is not patient safety work product.
To illustrate the distinction, consider the following example. We
would expect that a provider's patient safety evaluation system or a
PSO with which the provider works may make recommendations from time to
time to the provider for changes it should make in the way it manages
and delivers health care. The list of recommendations for changes,
whether they originate from the provider's patient safety evaluation
system or the PSO with which it is working, are always patient safety
work product. We would also note that not all of these recommendations
will address corrective actions (i.e., correcting a process, policy, or
situation that poses a threat to patients). It is also possible that a
provider with an exemplary quality and safety record is seeking advice
on how to perform even better. Whatever the case, the feedback from the
provider's patient safety evaluation system or PSO may not be disclosed
to external authorities unless permitted by the disclosures specified
in Subpart C of this proposed rule.
The provider may choose to reject the recommendations it receives
or implement some or all of the proposed changes. While the
recommendations always remain protected, whether they are adopted or
rejected by a provider, the actual changes that the provider implements
to improve how it manages or delivers health care services (including
changes in its organizational management or its care environments,
structures, and processes) are not patient safety work product. In a
practical sense, it would be virtually impossible to keep such changes
confidential in any event, and we stress that if there is any
distinction between the change that was adopted and the recommendation
that the provider received, the provider can only describe the change
that was implemented. The recommendation remains protected. Thus, if
external authorities request a list of corrective actions that a
provider has implemented, the provider has no basis for refusing the
request. Even though the actions are based on protected information,
the corrective actions themselves are not patient safety work product.
On the other hand, if an external authority asks for a list of the
recommendations that the provider did not implement or whether and how
any implemented change differed from the recommendation the provider
received, the provider must refuse the request; the recommendations
themselves remain protected.
Person would mean a natural person, trust or estate, partnership,
corporation, professional association or corporation, or other entity,
public or private. We propose to define ``person'' because the Patient
Safety Act requires that civil money penalties be imposed against
``person[s]'' that violate the confidentiality provisions. However, the
Patient Safety Act does not provide a definition of ``person''. The
Definition Act at 1 U.S.C. 1 provides, ``in determining any Act of
Congress, unless the context indicates otherwise * * * the words
`person' and `whoever' include corporations, companies, associations,
firms, partnerships, societies, and joint stock companies, as well as
individuals'' (emphasis added). The Patient Safety Act indicates that
States and other government entities may hold patient safety work
product with the protections and liabilities attached, which is an
expansion of the Definition Act provision. For this reason, we propose
the broader definition of the term ``person''. We note that this
proposed approach is consistent with the HHS Office of Inspector
General (OIG) regulations, 42 CFR 1003.101, and the HIPAA Enforcement
Rule, 45 CFR 160.103.
Provider would mean any individual or entity licensed or otherwise
authorized under State law to provide health care services. The list of
specific providers in the proposed rule includes the following:
institutional providers, such as a hospital, nursing facility,
comprehensive outpatient rehabilitation facility, home health agency,
hospice program, renal dialysis facility, ambulatory surgical center,
pharmacy, physician or health care practitioner's office (including a
group practice), long term care facility, behavior health residential
treatment facility, clinical laboratory, or health center; or
individual clinicians, such as a physician, physician assistant,
registered nurse, nurse practitioner, clinical nurse specialist,
certified registered nurse anesthetist, certified nurse midwife,
psychologist, certified social worker, registered dietitian or
nutrition professional, physical or occupational therapist, pharmacist,
or other individual health care practitioner. This list is merely
illustrative; an individual or entity that is not listed here but meets
the test of state licensure or authorization to provide health care
services is a provider for the purpose of this proposed rule.
The statute also authorizes the Secretary to expand the definition
of providers. Under this authority, we propose to add the following to
this list of providers:
(a) Agencies, organizations, and individuals within Federal, State,
local, or Tribal governments that deliver health care, organizations
engaged as contractors by the Federal, State, local or Tribal
governments to deliver health care, and individual health care
[[Page 8125]]
practitioners employed or engaged as contractors by the Federal
government to deliver health care. It appears that all of these
agencies, organizations, and individuals could participate in, and
could benefit from, working with a PSO.
(b) A corporate parent organization for one or more entities
licensed or otherwise authorized to provide health care services under
state law. Without this addition, hospital or other provider systems
that are controlled by a parent organization that is not recognized as
a provider under State law might be precluded from entering into
system-wide contracts with PSOs. This addition furthers the goals of
the statute to encourage aggregation of patient safety data and a
coordinated approach for assessing and improving patient safety. We
particularly seek comments regarding any concerns or operational issues
that might result from this addition, and note that a PSO entering one
system-wide contract still needs to meet the two contract minimum
requirement based on section 924(b)(1)(C) of the Public Health Service
Act, 42 U.S.C. 299b-24(b)(1)(C), and set out and discussed in proposed
Sec. 3.102(b). The PSO can do this by entering into two contracts with
different providers within the system.
(c) A Federal, State, local, or Tribal government unit that manages
or controls one or more health care providers described in the
definition of provider at (1)(i) and (2). We propose this addition to
the definition of ``provider'' for the same reason that we proposed the
addition of parent organization that has a controlling interest in one
or more entities licensed or otherwise authorized to provide health
care services under state law.
Research would have the same meaning as that term is defined in the
HIPAA Privacy Rule at 45 CFR 164.501. In the HIPAA Privacy Rule,
research means a systematic investigation, including research
development, testing, and evaluation, designed to develop or contribute
to generalizable knowledge. This definition is used to describe the
scope of the confidentiality exception at proposed Sec. 3.206(b)(6).
We propose to use the same definition as in the HIPAA Privacy Rule to
improve the level of coordination and to reduce the burden of
compliance. At the same time, if there is a modification to the
definition in the HIPAA Privacy Rule, the definition herein will
automatically change with such regulatory action.
Respondent would mean a provider, PSO, or responsible person who is
the subject of a complaint or a compliance review.
Responsible person would mean a person, other than a provider or
PSO, who has possession or custody of identifiable patient safety work
product and is subject to the confidentiality provisions. We note that
because the Patient Safety Act has continued confidentiality protection
at 42 U.S.C. 299b-22(d), many entities other than providers and PSOs
may be subject to the confidentiality provisions. Thus, for example,
researchers or law enforcement officials who obtain patient safety work
product under one of the exceptions to confidentiality would be
considered a ``responsible person''.
Workforce would mean employees, volunteers, trainees, contractors,
and other persons whose conduct, in the performance of work for a
provider, PSO or responsible person, is under the direct control of
such provider, PSO or responsible person, whether or not they are paid
by the provider, PSO or responsible person. We use the term workforce
member in several contexts in the proposed rule. Importantly, in
proposed Sec. 3.402 where we discuss principal liability, we propose
that an agent for which a principal may be liable can be a workforce
member. We have included the term ``contractors'' in the definition of
workforce member to clarify that such permitted sharing may occur with
contractors who are under the direct control of the provider, PSO, or
responsible person. For example, a patient safety activity disclosure
by a provider to a PSO may be made directly to the PSO or to a
consultant, as a workforce member, contracted by the PSO to help it
carry out patient safety activities.
B. Subpart B--PSO Requirements and Agency Procedures
Proposed Subpart (B) sets forth requirements for Patient Safety
Organizations (PSOs). This proposed Subpart specifies the certification
and notification requirements that PSOs must meet, the actions that the
Secretary may and will take relating to PSOs, the requirements that
PSOs must meet for the security of patient safety work product, the
processes governing correction of PSO deficiencies, revocation, and
voluntary relinquishment, and related administrative authorities and
implementation responsibilities. The requirements of this proposed
Subpart would apply to PSOs, their workforce, a PSO's contractors when
they hold patient safety work product, and the Secretary.
This proposed Subpart is intended to provide the foundation for
new, voluntary opportunities to improve the safety, quality, and
outcomes of patient care. The Patient Safety Act does not require a
provider to contract with a PSO, and the proposed rule does not include
such a requirement. However, we expect that most providers will enter
into contracts with PSOs when seeking the confidentiality and privilege
protections of the statute. Contracts offer providers greater certainty
that a provider's claim to these statutory protections will be
sustained, if challenged. For example, the statutory definition of
patient safety work product describes the nature and purpose of
information that can be protected, the circumstances under which
deliberations or analyses are protected, and the requirement that
certain information be reported to a PSO. Pursuant to a contractual
arrangement, providers can require and receive assistance from PSOs to
ensure that these requirements are fully met. Contracts can provide
clear evidence that a provider is taking all reasonable measures to
operate under the ambit of the statute in collecting, developing, and
maintaining patient safety work product. Contracts enable providers to
specify even stronger confidentiality protections in how they report
information to a PSO or how the PSO handles and uses the information.
Contracts can also give providers greater assurance that they will
have access to the expertise of the PSO to provide feedback regarding
their patient safety events. While some providers may have patient
safety expertise in-house, a PSO has the potential to offer providers
considerable additional insight as a result of its expertise and
ability to aggregate and analyze data from multiple providers and
multiple PSOs. Experience has demonstrated that such aggregation and
analysis of large volumes of data, such as a PSO has the ability to do,
will often yield insights into the underlying causes of the hazards and
risks associated with patient care that are simply not apparent when
these analyses are limited to the information available from only one
office, clinic, facility, or system.
Pursuant to a contract with a PSO, a provider may also be able to
obtain from a PSO operational guidance or best practices with respect
to operation of a patient safety evaluation system. Such a contract
also provides a mechanism for a provider to control the nature and
extent of a PSO's aggregation of its data with those of other providers
or PSOs, and the nature of related analysis and discussion of such
data. A provider can also require, pursuant to its contract with a PSO,
that the PSO will notify the provider if improper disclosures are
[[Page 8126]]
made of patient safety work product relating to that provider.
This proposed Subpart enables a broad variety of health care
providers to work voluntarily with entities that have certified to the
Secretary that they have the ability and expertise to carry out broadly
defined patient safety activities of the Patient Safety Act and,
therefore, to serve as consultants to eligible providers to improve
patient care. In accordance with the Patient Safety Act, we propose an
attestation-based process for initial and continued listing of an
entity as a PSO. This includes an attestation-based approach for
meeting the statutory requirement that each PSO, within 24 months of
being listed and in each sequential 24-month period thereafter, must
have bona fide contracts with more than one provider for the receipt
and review of patient safety work product.
This streamlined approach of the statute and the proposed rule is
intended to encourage the rapid development of expertise in health care
improvement. This framework allows the marketplace to be the principal
arbiter of the capabilities of each PSO. Listing as a PSO by the
Secretary does not entitle an entity to Federal funding. The financial
viability of most PSOs will derive from their ability to attract and
retain contracts with providers or to attract financial support from
other organizations, such as charitable foundations dedicated to health
system improvement. Even when a provider organization considers
establishing a PSO (what this proposed rule terms a component PSO) to
serve the needs of its organization, we expect it will weigh the value
of, and the business case for, such a PSO.
Proposed Subpart B attempts to minimize regulatory burden while
fostering transparency to enhance the ability of providers to assess
the strengths and weaknesses of their choice of PSOs. For example, we
encourage, but do not require, an entity seeking listing to develop and
post on their own Web sites narrative statements describing the
expertise of the personnel the entity will have at its disposal, and
outlining the way it will approach its mission and comply with the
statute's certification requirements.
We similarly propose to apply transparency to our implementation of
the statute's requirement for disclosure by PSOs of potential conflicts
of interest with their provider clients. While the statute only
requires public release of the findings of the Secretary after review
of such disclosures, we propose to make public, consistent with
applicable law, including the Freedom of Information Act, a PSO's
disclosure statements as well. In our view, in addition to having the
benefit of the Secretary's determination, a provider, as the
prospective consumer of PSO services, should be able to make its own
determination regarding the appropriateness of the relationships that a
PSO has with its other provider clients and the impact those
relationships might have on its particular needs. For example, a
provider might care if a PSO--despite the Secretary's determination
that it had been established with sufficient operational and other
independence to qualify for listing as a PSO--was owned, operated, or
managed by the provider's major competitor.
The provisions of this proposed Subpart also emphasize the need for
vigilance in providing security for patient safety work product. To
achieve the widespread provider participation intended by this statute,
PSOs must foster and maintain the confidence of providers in the
security of patient safety work product in which providers and patients
are identified. Therefore, we propose to require a security framework,
which each PSO must address with standards it determines appropriate to
the size and complexity of its organization, pertaining to the
separation of data and systems and to security management control,
monitoring, and assessment.
The Patient Safety Act recognizes that PSOs will need to enter
business associate agreements to receive protected health information
from providers that are covered entities under the HIPAA Privacy Rule.
As a business associate of such a provider, a PSO will have to meet
certain contractual requirements on the use and disclosure of protected
health information for compliance with the HIPAA Privacy Rule that are
in addition to the requirements set forth in this proposed rule. Those
requirements include the notification of a covered entity when
protected health information is inappropriately disclosed in violation
of the HIPAA Privacy Rule.
We do not propose to require reporting of impermissible disclosures
of other patient safety work product that does not contain protected
health information. We solicit comments on whether to parallel the
business associate requirements of the HIPAA Privacy Rule. Such a
requirement, if implemented, would require a PSO to notify the
organizational source of patient safety work product if the information
it shared has been impermissibly used or disclosed. Note that such
reporting requirements could be voluntarily agreed to by contract
between providers and their PSO.
Section 924(b)(2)(A) and (B) of the Public Health Service Act, 42
U.S.C. 299b-24(b)(2)(A) and (B), suggests Congressional concern that a
strong firewall must be maintained between a component PSO and the rest
of the organization(s) of which it is a part. This proposed subpart
proposes specific safeguards that such component PSOs must implement to
effectively address those concerns.
As this discussion suggests, in developing this proposed Subpart,
we have proposed the most specific requirements in the areas of
security and disclosure of potential conflicts of interest. We expect
to offer technical assistance and encourage transparency wherever
possible to promote implementation, compliance, and correction of
deficiencies. At the same time, this proposed Subpart establishes
processes that will permit the Secretary promptly to revoke a PSO's
certification and remove it from listing, if such action proves
necessary.
1. Proposed Sec. 3.102--Process and Requirements for Initial and
Continued Listing of PSOs
Proposed Sec. 3.102 sets out: The submissions that the Department,
in carrying out its responsibilities, proposes to require, consistent
with the Patient Safety Act, for initial and continued listing as a
PSO; the certifications that all entities must make as part of the
listing process; the additional certifications that component
organizations must make as part of the listing process; the requirement
for biennial submission of a certification that the PSO has entered
into the required number of contracts; and the circumstances under
which a PSO must submit a disclosure statement regarding the
relationships it has with its contracting providers.
(A) Proposed Sec. 3.102(a)--Eligibility and Process for Initial and
Continued Listing
In this section, we propose to establish a streamlined
certification process that minimizes barriers to entry for a broad
variety of entities seeking to be listed as a PSO. With several
exceptions, any entity--public or private, for-profit or not-for
profit--may seek initial or continued listing by the Secretary as a
PSO. The statute precludes a health insurance issuer and a component of
a health insurance issuer from becoming a PSO (section 924(b)(1)(D) of
the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(D)).
In addition, we propose to preclude any other entity, public or
private, from
[[Page 8127]]
seeking listing as a PSO if the entity conducts regulatory oversight of
health care providers, including accreditation or licensure. We propose
this restriction for consistency with the statute, which seeks to
foster a ``culture of safety'' in which health care providers are
confident that the patient safety events that they report will be used
for learning and improvement, not oversight, penalties, or punishment.
Listing organizations with regulatory authority as PSOs would be likely
to undermine provider confidence that adequate separation of PSO and
regulatory activities would be maintained.
We note that the Patient Safety Act permits a component
organization of an entity to seek listing as a PSO if the component
organization establishes a strong firewall between its activities as a
PSO and the rest of the organization(s) of which it is a part. As
drafted, this proposed regulation permits a component organization of
an entity with any degree of regulatory authority to seek listing as a
component PSO. We have not proposed any restrictions on such component
organizations for several reasons. First, we expect that the statutory
requirement for a strong firewall between a component PSO and its
parent organization(s) with respect to its activities as a PSO and the
protected information it holds will provide adequate safeguards.
Second, providers will have access to the names of parent organizations
of component PSOs. We propose in Sec. 3.102(c) that any component
organization must disclose the name of its parent organization(s) (see
the proposed definitions of component and parent organizations in Sec.
3.20). We intend to make this information publicly available and expect
to post it on the PSO Web site we plan to establish (see the preamble
discussion regarding proposed Sec. 3.104(d)). This will provide
transparency and enable providers to determine whether the
organizational affiliation(s) of a component PSO are of concern.
Finally, we believe that allowing the marketplace to determine whether
a component PSO has acceptable or unacceptable ties to an entity with
regulatory authority is consistent with our overall approach to
regulation of PSOs.
At the same time, we recognize that some organizations exercise a
considerable level of regulatory oversight over providers and there may
be concerns that such organizations could circumvent the firewalls
proposed below in Sec. 3.102(c) or might attempt to require providers
to work with a component PSO that the regulatory entity creates.
Accordingly, we specifically seek comment on the approach we have
proposed and whether we should consider a broader restriction on
component organizations of entities that are regulatory. For example,
should components of state health departments be precluded from seeking
listing because of the broad authority of such departments to regulate
provider behavior? If a broader restriction is proposed, we would
especially welcome suggestions on clear, unambiguous criteria for its
implementation.
We will develop certification forms for entities seeking initial
and continued listing that contain or restate the respective
certifications described in proposed Sec. 3.102(b) and Sec. 3.102(c).
An individual with authority to make commitments on behalf of the
entity seeking listing would be required to acknowledge each of the
certification requirements, attest that the entity meets each of the
certification requirements on the form, and provide contact information
for the entity. The certification form would also require an
attestation that the entity is not subject to the limitation on listing
proposed in this subsection and an attestation that, once listed as a
PSO, it will notify the Secretary if it is no longer able to meet the
requirements of proposed Sec. 3.102(b) and Sec. 3.102(c).
To facilitate the development of a marketplace for the services of
PSOs, entities are encouraged, but not required, to develop and post on
their own Web sites narratives that specify how the entity will
approach its mission, how it will comply with the certification
requirements, and describe the qualifications of the entity's
personnel. With appropriate disclaimers of any implied endorsement, we
expect to post citations or links to the Web sites of all listed
entities on the PSO Web site that we plan to establish pursuant to
proposed Sec. 3.104(d). We believe that clear narratives of how PSOs
will meet their statutory and regulatory responsibilities will help
providers, who are seeking the services of a PSO, to assess their
options. The Department's PSO Web site address will be identified in
the final rule and will be available from AHRQ upon request.
(B) Proposed Sec. 3.102(b)--Fifteen General Certification Requirements
In accordance with section 924(a) of the Public Health Service Act,
42 U.S.C. 299b-24(a), the proposed rule would require all entities
seeking initial or continued listing as a PSO to meet 15 general
certification requirements: eight requirements related to patient
safety activities and seven criteria governing their operation. At
initial listing, the entity would be required to certify that it has
policies and procedures in place to carry out the eight patient safety
activities defined in the Patient Safety Act and incorporated in
proposed Sec. 3.20, and upon listing, would meet the seven criteria
specified in proposed Sec. 3.102 (b)(2). Submissions for continued
listing would require certifications that the PSO is performing, and
will continue to perform, the eight patient safety activities and is
complying with, and would continue to comply with, the seven criteria.
(1) Proposed Sec. 3.102(b)(1)--Required Certification Regarding Eight
Patient Safety Activities
Proposed Sec. 3.102(b)(1) addresses the eight required patient
safety activities that are listed in the definition of patient safety
activities at proposed Sec. 3.20 (section 921(5) of the Public Health
Service Act, 42 U.S.C. 299b-21(5)). Because certification relies
primarily upon attestations by entities seeking listing, rather than
submission and review of documentation, it is critical that entities
seeking listing have a common and shared understanding of what each
certification requirement entails. We conclude that five of the eight
required patient safety activities need no elaboration. These five
patient safety activities include: Efforts to improve patient safety
and quality; the collection and analysis of patient safety work
product; the development and dissemination of information with respect
to improving patient safety; the utilization of patient safety work
product for the purposes of encouraging a culture of safety and
providing feedback and assistance; and the utilization of qualified
staff.
We address a sixth patient safety activity, related to the
operation of a patient safety evaluation system, in the discussion of
the definition of that term in proposed Sec. 3.20. We provide greater
clarity here regarding the actions that an entity must take to comply
with the remaining two patient safety activities, which involve the
preservation of confidentiality of patient safety work product and the
provision of appropriate security measures for patient safety work
product.
We interpret the certification to preserve confidentiality of
patient safety work product to require conformance with the
confidentiality provisions of proposed Subpart C as well as the
requirements of the Patient Safety Act. Certification to provide
appropriate security measures require PSOs, their workforce members,
and their
[[Page 8128]]
contractors when they hold patient safety work product to conform to
the requirements of proposed Sec. 3.106, as well as the provisions of
the Patient Safety Act.
(2) Proposed Sec. 3.102(b)(2)--Required Certification Regarding Seven
PSO Criteria
Proposed Sec. 3.102(b)(2) lists seven criteria that are drawn from
the Patient Safety Act (section 924(b) of the Public Health Service
Act, 42 U.S.C. 299b-24(b)), which an entity must meet during its period
of listing. We conclude that the statutory language for three of the
seven required criteria is clear and further elaboration is not
required. These three criteria include: The mission and primary
activity of the entity is patient safety, the entity has appropriately
qualified staff, and the entity utilizes patient safety work product
for provision of direct feedback and assistance to providers to
effectively minimize patient risk.
Two of the criteria are addressed elsewhere in the proposed rule:
the exclusion of health insurance issuer or components of health
insurance issuers from being PSOs is discussed above in the context of
the definition of that term in proposed Sec. 3.20 and the requirements
for submitting disclosure statements are addressed in the preamble
discussion below regarding proposed Sec. 3.102(d)(2) (the proposed
criteria against which the Secretary will review the disclosure
statements are set forth i