[Federal Register Volume 73, Number 29 (Tuesday, February 12, 2008)]
[Proposed Rules]
[Pages 8112-8183]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-2375]
[[Page 8111]]
-----------------------------------------------------------------------
Part II
Department of Health and Human Services
-----------------------------------------------------------------------
42 CFR Part 3
Patient Safety and Quality Improvement; Proposed Rule
��Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 /
Proposed Rules��
[[Page 8112]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
42 CFR Part 3
RIN 0919-AA01
Patient Safety and Quality Improvement
AGENCY: Agency for Healthcare Research and Quality, Office for Civil
Rights, HHS.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: This document proposes regulations to implement certain
aspects of the Patient Safety and Quality Improvement Act of 2005
(Patient Safety Act). The proposed regulations establish a framework by
which hospitals, doctors, and other health care providers may
voluntarily report information to Patient Safety Organizations (PSOs),
on a privileged and confidential basis, for analysis of patient safety
events. The proposed regulations also outline the requirements that
entities must meet to become PSOs and the processes for the Secretary
to review and accept certifications and to list PSOs.
In addition, the proposed regulation establishes the
confidentiality protections for the information that is assembled and
developed by providers and PSOs, termed ``patient safety work product''
by the Patient Safety Act, and the procedures for the imposition of
civil money penalties for the knowing or reckless impermissible
disclosure of patient safety work product.
DATES: Comments on the proposed rule will be considered if we receive
them at the appropriate address, as provided below, no later than April
14, 2008.
ADDRESSES: Interested persons are invited to submit written comments by
any of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Comments should include agency name and ``RIN 0919-AA01''.
Mail: Center for Quality Improvement and Patient Safety,
Attention: Patient Safety Act NPRM Comments, AHRQ, 540 Gaither Road,
Rockville, MD 20850.
Hand Delivery/Courier: Center for Quality Improvement and
Patient Safety, Attention: Patient Safety Act NPRM Comments, Agency for
Healthcare Research and Quality, 540 Gaither Road, Rockville, MD 20850.
Instructions: Because of staff and resource limitations, we cannot
accept comments by facsimile (FAX) transmission or electronic mail. For
detailed instructions on submitting comments and additional information
on the rulemaking process, see the ``Public Participation'' heading of
the SUPPLEMENTARY INFORMATION section of this document. Comments will
be available for public inspection at the AHRQ Information Resources
Center at the above-cited address between 8:30 a.m. and 5 p.m. Eastern
Time on federal business days (Monday through Friday).
FOR FURTHER INFORMATION CONTACT: Susan Grinder, Agency for Healthcare
Research and Quality, 540 Gaither Road, Rockville, MD 20850, (301) 427-
1111 or (866) 403-3697.
SUPPLEMENTARY INFORMATION:
Public Participation
We welcome comments from the public on all issues set forth in this
proposed rule to assist us in fully considering issues and developing
policies. You can assist us by referencing the RIN number (RIN: 0919-
0AA01) and by preceding your discussion of any particular provision
with a citation to the section of the proposed rule being discussed.
A. Inspection of Public Comments
All comments (electronic, mail, and hand delivery/courier) received
in a timely manner will be available for public inspection as they are
received, generally beginning approximately 6 weeks after publication
of this document, at the mail address provided above, Monday through
Friday of each week from 8:30 a.m. to 5 p.m. To schedule an appointment
to view public comments, call Susan Grinder, (301) 427-1111 or (866)
403-3697.
Comments submitted electronically will be available for viewing at
the Federal eRulemaking Portal.
B. Electronic Comments
We will consider all electronic comments that include the full
name, postal address, and affiliation (if applicable) of the sender and
are submitted through the Federal eRulemaking Portal identified in the
ADDRESSES section of this preamble. Copies of electronically submitted
comments will be available for public inspection as soon as practicable
at the address provided, and subject to the process described, in the
preceding paragraph.
C. Mailed Comments and Hand Delivered/Couriered Comments
Mailed comments may be subject to delivery delays due to security
procedures. Please allow sufficient time for mailed comments to be
timely received in the event of delivery delays. Comments mailed to the
address indicated for hand or courier delivery may be delayed and could
be considered late.
D. Copies
To order copies of the Federal Register containing this document,
send your request to: New Orders, Superintendent of Documents, P.O. Box
371954, Pittsburgh, PA 15250-7954. Specify the date of the issue
requested and enclose a check or money order payable to the
Superintendent of Documents, or enclose your Visa or Master Card number
and expiration date. Credit card orders can also be placed by calling
the order desk at (202) 512-1800 (or toll-free at 1-866-512-1800) or by
faxing to (202) 512-2250. The cost for each copy is $10. As an
alternative, you may view and photocopy the Federal Register document
at most libraries designated as Federal Depository Libraries and at
many other public and academic libraries throughout the country that
receive the Federal Register.
E. Electronic Access
This Federal Register document is available from the Federal
Register online database through GPO Access, a service of the U.S.
Government Printing Office. The Web site address is: http://www.gpoaccess.gov/nara/index.html. This document is available
electronically at the following Web site of the Department of Health
and Human Services (HHS): http://www.ahrq.gov/.
F. Response to Comments
Because of the large number of public comments we normally receive
on Federal Register documents, we are not able to acknowledge or
respond to them individually. We will consider all comments we receive
in accordance with the methods described above and by the date
specified in the DATES section of this preamble. When we proceed with a
final rule, we will respond to comments in the preamble to that rule.
I. Background
A. Purpose and Basis
This proposed rule establishes the authorities, processes, and
rules necessary to implement the Patient Safety and Quality Improvement
Act of 2005 (Patient Safety Act), (Pub. L. 109-41), that amended the
Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new
sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.
Much of the impetus for this legislation can be traced to the
publication of the landmark report, ``To
[[Page 8113]]
Err Is Human'' \1\, by the Institute of Medicine in 1999 (Report). The
Report cited studies that found that at least 44,000 people and
potentially as many as 98,000 people die in U.S. hospitals each year as
a result of preventable medical errors.\2\ Based on these studies and
others, the Report estimated that the total national costs of
preventable adverse events, including lost income, lost household
productivity, permanent and temporary disability, and health care costs
to be between $17 billion and $29 billion, of which health care costs
represent one-half.\3\ One of the main conclusions was that the
majority of medical errors do not result from individual recklessness
or the actions of a particular group; rather, most errors are caused by
faulty systems, processes, and conditions that lead people to make
mistakes or fail to prevent adverse events.\4\ Thus, the Report
recommended mistakes can best be prevented by designing the health care
system at all levels to improve safety--making it harder to do
something wrong and easier to do something right.\5\
---------------------------------------------------------------------------
\1\ Institute of Medicine, ``To Err is Human: Building a Safer
Health System'', 1999.
\2\ Id. at 31.
\3\ Id. at 42.
\4\ Id. at 49-66.
\5\ Id.
---------------------------------------------------------------------------
As compared to other high-risk industries, the health care system
is behind in its attention to ensuring basic safety.\6\ The reasons for
this lag are complex and varied. Providers are often reluctant to
participate in quality review activities for fear of liability,
professional sanctions, or injury to their reputations. Traditional
state-based legal protections for such health care quality improvement
activities, collectively known as peer review protections, are limited
in scope: They do not exist in all States; typically they only apply to
peer review in hospitals and do not cover other health care settings,
and seldom enable health care systems to pool data or share experience
between facilities. If peer review protected information is transmitted
outside an individual hospital, the peer review privilege for that
information is generally considered to be waived. This limits the
potential for aggregation of a sufficient number of patient safety
events to permit the identification of patterns that could suggest the
underlying causes of risks and hazards that then can be used to improve
patient safety.
---------------------------------------------------------------------------
\6\ Id. at 75.
---------------------------------------------------------------------------
The Report outlined a comprehensive strategy to improve patient
safety by which public officials, health care providers, industry, and
consumers could reduce preventable medical errors. The Report
recommended that, in order to reduce medical errors appreciably in the
U.S., a balance be struck between regulatory and market-based
initiatives and between the roles of professionals and organizations.
It recognized a need to enhance knowledge and tools to improve patient
safety and break down legal and cultural barriers that impede such
improvement.
Drawing upon the broad framework advanced by the Institute of
Medicine, the Patient Safety Act specifically addresses a number of
these long-recognized impediments to improving the quality, safety, and
outcomes of health care services. For that reason, implementation of
this proposed rule can be expected to accelerate the development of
new, voluntary, provider-driven opportunities for improvement, increase
the willingness of health care providers to participate in such
efforts, and, most notably, set the stage for breakthroughs in our
understanding of how best to improve patient safety.
These outcomes will be advanced, in large measure, through
implementation of this proposed rule of strong Federal confidentiality
and privilege protections for information that is patient safety work
product under the Patient Safety Act. For the first time, there will
now be a uniform set of Federal protections that will be available in
all states and U.S. territories and that extend to all health care
practitioners and institutional providers. These protections will
enable all health care providers, including multi-facility health care
systems, to share data within a protected legal environment, both
within and across states, without the threat of information being used
against the subject providers.
Pursuant to the Patient Safety Act, this proposed rule will also
encourage the formation of new organizations with expertise in patient
safety, known as patient safety organizations (PSOs), which can provide
confidential, expert advice to health care providers in the analysis of
patient safety events.\7\ The confidentiality and privilege protections
of this statute attach to ``patient safety work product.'' This term as
defined in the Patient Safety Act and this proposed rule means that
patient safety information that is collected or developed by a provider
and reported to a PSO, or that is developed by a PSO when conducting
defined ``patient safety activities,'' or that reveals the
deliberations of a provider or PSO within a patient safety evaluation
system is protected. Thus, the proposed rule will enable health care
providers to protect their internal deliberations and analysis of
patient safety information because this type of information is patient
safety work product.
---------------------------------------------------------------------------
\7\ As we use the term, patient safety event means an incident
that occurred during the delivery of a health care service and that
harmed, or could have resulted in harm to, a patient. A patient
safety event may include an error of omission or commission,
mistake, or malfunction in a patient care process; it may also
involve an input to such process (such as a drug or device) or the
environment in which such process occurs. Our use of the term
patient safety event in place of the more limited concept of medical
error to describe the work that providers and PSOs may undertake
reflects the evolution in the field of patient safety. It is
increasingly recognized that important insights can be derived from
the study of patient care processes and their organizational context
and environment in order to prevent harm to patients. We note that
patient safety in the context of this term also encompasses the
safety of a person who is a subject in a research study conducted by
a health care provider. In addition, the flexible concept of a
patient safety event is applicable in any setting in which health
care is delivered: A health care facility that is mobile (e.g.,
ambulance), fixed and free-standing (e.g., hospital), attached to
another entity (e.g., school clinic), as well as the patient's home
or workplace, whether or not a health care provider is physically
present.
---------------------------------------------------------------------------
The statute and the proposed rule seek to ensure that the
confidentiality provisions (as defined in these proposed regulations)
will be taken seriously by making breaches of the protections
potentially subject to a civil money penalty of up to $10,000. The
combination of strong Federal protections for patient safety work
product and the potential penalties for violation of these protections
should give providers the assurances they need to participate in
patient safety improvement initiatives and should spur the growth of
such initiatives.
Patient safety experts have long recognized that the underlying
causes of risks and hazards in patient care can best be recognized
through the aggregation of significant numbers of individual events; in
some cases, it may require the aggregation of thousands of individual
patient safety events before underlying patterns are apparent. It is
hoped that this proposed rule will foster routine reporting to PSOs of
data on patient safety events in sufficient numbers for valid and
reliable analyses. Analysis of such large volumes of patient safety
events is expected to significantly advance our understanding of the
patterns and commonalities in the underlying causes of risks and
hazards in the delivery of patient care. These insights should enable
providers to more effectively and efficiently target their efforts to
improve patient safety.
We recognize that risks and hazards can occur in a variety of
environments, such as inpatient, outpatient, long-term
[[Page 8114]]
care, rehabilitation, research, or other health care settings. In many
of these settings, patient safety analysis is a nascent enterprise that
will benefit significantly from the routine, voluntary reporting and
analysis of patient safety events. Accordingly, we strive in the
proposed rule to avoid imposing limitations that might preclude
innovative approaches to the identification of, and elimination of,
risks and hazards in specific settings for the delivery of care,
specific health care specialties, or in research settings. We defer to
those creating PSOs and the health care providers that enter ongoing
relationships with them to determine the scope of patient safety events
that will be addressed.
Finally, we note that the statute is quite specific that these
protections do not relieve a provider from its obligation to comply
with other legal, regulatory, accreditation, licensure, or other
accountability requirements that it would otherwise need to meet. The
fact that information is collected, developed, or analyzed under the
protections of the Patient Safety Act does not shield a provider from
needing to undertake similar activities, if applicable, outside the
ambit of the statute, so that the provider can meet its obligations
with non-patient safety work product. The Patient Safety Act, while
precluding other organizations and entities from requiring providers to
provide them with patient safety work product, recognizes that the data
underlying patient safety work product remains available in most
instances for the providers to meet these other information
requirements.
In summary, this proposed rule implements the Patient Safety Act
and facilitates its goals by allowing the health care industry
voluntarily to avail itself of this framework in the best manner it
determines feasible. At the same time, it seeks to ensure that those
who do avail themselves of this framework will be afforded the legal
protections that Congress intended and that anyone who breaches those
protections will be penalized commensurately with the violation.
B. Listening Sessions
We held three listening sessions for the general public (March 8,
13, and 16, 2006) which helped us better understand the thinking and
plans of interested parties, including providers considering the use of
PSO services and entities that anticipate establishing PSOs. As stated
in the Federal Register notice 71 FR 37 (February 24, 2006) that
announced the listening sessions, we do not regard the presentations or
comments made at these sessions as formal comments and, therefore, they
are not discussed in this document.
C. Comment Period
The comment period is sixty (60) days following the publication of
the proposed rule.
II. Overview of Proposed Rule
We are proposing a new Part 3 to Title 42 of the Code of Federal
Regulations to implement the Patient Safety Act. As described above,
the Patient Safety Act is an attempt to address the barriers to patient
safety and health care quality improvement activities in the U.S. In
implementing the Patient Safety Act, this proposed rule encourages the
development of provider-driven, voluntary opportunities for improving
patient safety; this initiative is neither funded, nor controlled by
the Federal Government.
Under the proposal, a variety of types of organizations--public,
private, for-profit, and not-for-profit--can become PSOs, and offer
their consultative expertise to providers regarding patient safety
events and quality improvement initiatives. There will be a process for
certification and listing of PSOs, which will be implemented by the
Agency for Healthcare Research and Quality (AHRQ), and providers can
work voluntarily with PSOs to obtain confidential, expert advice in
analyzing the patient safety event and other information they collect
or develop at their offices, facilities, or institutions. PSOs may also
provide feedback and recommendations regarding effective strategies to
improve patient safety as well as proven approaches for implementation
of such strategies. In addition, to encourage providers to undertake
patient safety activities, the regulation is very specific that patient
safety work product is subject to confidentiality and privilege
protections, and persons that breach the confidentiality provisions may
be subject to a $10,000 civil money penalty, to be enforced by the
Office for Civil Rights (OCR).
The provisions of this proposed rule greatly expand the potential
for participation in patient safety activities. The proposal, among
other things, enables providers across the health care industry to
report information to a PSO and obtain the benefit of these new
confidentiality and privilege protections. This proposal minimizes the
barriers to entry for listing as a PSO by creating a review process
that is both simple and efficient. As a result, we expect a broad range
of organizations to seek listing by the Secretary as PSOs. Listing will
not entitle these entities to Federal funding or subsidies, but it will
enable these PSOs to offer individual and institutional providers the
benefits of review and analysis of patient safety work product that is
protected by strong Federal confidentiality and privilege protections.
Our proposed regulation will enable and assist data aggregation by
PSOs to leverage the possibility of learning from numerous patient
safety events across the health care system and to facilitate the
identification and correction of systemic and other errors. For
example, PSOs are required to seek contracts with multiple providers,
and proposed Subpart C permits them, with certain limitations, to
aggregate patient safety work product from their multiple clients and
with other PSOs. In addition, the Secretary will implement other
provisions of the Patient Safety Act that, independent of this proposed
rule, require the Secretary to facilitate the development of a network
of patient safety databases for the aggregation of nonidentifiable
patient safety work product and the development of consistent
definitions and common formats for collecting and reporting patient
safety work product. These measures will facilitate a new level of data
aggregation that patient safety experts deem essential to maximize the
benefits of the Patient Safety Act.
The Patient Safety Act gives considerable attention to the
relationship between it and the Standards for the Privacy of
Individually Identifiable Health Information under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA Privacy Rule). We
caution that the opportunity for a provider to report identifiable
patient safety work product to a PSO does not relieve a provider that
is a HIPAA covered entity of its obligations under the HIPAA Privacy
Rule. In fact, the Patient Safety Act indicates that PSOs are deemed to
be business associates of providers that are HIPAA covered entities.
Thus, providers who are HIPAA covered entities will need to enter into
business associate agreements with PSOs in accordance with their HIPAA
Privacy Rule obligations. If such a provider also chooses to enter a
PSO contract, we believe that such contracts could be entered into
simultaneously as an agreement for the conduct of patient safety
activities. However, the Patient Safety Act does not require a provider
to enter a contract with a PSO to receive the protections of the
Patient Safety Act.
Proposed Subpart A, General Provisions, sets forth the purpose of
the provisions and the definitions
[[Page 8115]]
applicable to the subparts that follow. Proposed Subpart B, PSO
Requirements and Agency Procedures, sets forth the requirements for
PSOs and describes how the Secretary will review, accept, revoke, and
deny certifications for listing and continued listing of entities as
PSOs and other required submissions. Proposed Subpart C,
Confidentiality and Privilege Protections of Patient Safety Work
Product, describes the provisions that relate to the confidentiality
protections and permissible disclosure exceptions for patient safety
work product. Proposed Subpart D, Enforcement Program, includes
provisions that relate to activities for determining compliance, such
as investigations of and cooperation by providers, PSOs, and others;
the imposition of civil money penalties; and hearing procedures.
III. Section by Section Description of the Proposed Rule
A. Subpart A--General Provision
1. Proposed Sec. 3.10--Purpose
The purpose of this proposed Part is to implement the Patient
Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which
amended the Public Health Service Act (42 U.S.C. 299 et seq.) by
inserting new sections 921 through 926, 42 U.S.C. 299b-21 through 299b-
26.
2. Proposed Sec. 3.20--Definitions
Section 921 of the Public Health Service Act, 42 U.S.C. 299b-21,
defines several terms, and our proposed rules would, for the most part,
restate the law. In some instances, we propose to clarify definitions
to fit within the proposed framework. We also propose some new
definitions for convenience and to clarify the application and
operation of this proposed rule. Moreover, we reference terms defined
under the HIPAA Privacy Rule for ease of interpretation and
consistency, given the overlap between the Patient Safety Act
protections of patient-identifiable patient safety work product
(discussed below) and the HIPAA Privacy Rule.
Proposed Sec. 3.20 would establish the basic definitions
applicable to this proposed rule, as follows:
AHRQ stands for the Agency for Healthcare Research and Quality in
the U.S. Department of Health and Human Services (HHS). This definition
is added for convenience.
ALJ stands for an Administrative Law Judge at HHS. This definition
is added for convenience in describing the process for appealing civil
money penalty determinations.
Board would mean the members of the HHS Departmental Appeals Board.
This definition is added for convenience in providing for appeals of
civil money penalty determinations.
Bona fide contract would mean (a) a written contract between a
provider and a PSO that is executed in good faith by officials
authorized to execute such contract; or (b) a written agreement (such
as a memorandum of understanding or equivalent recording of mutual
commitments) between a Federal, State, local, or Tribal provider and a
Federal, State, local, or Tribal PSO that is executed in good faith by
officials authorized to execute such agreement.
In addition to the primary interpretation of an enforceable
contract under applicable law as proposed under paragraph (a) of this
definition, we propose to make the scope of the term broad enough to
encompass agreements between health care providers and PSOs that are
components of Federal, State, local or Tribal governments or government
agencies. Such entities could clearly perform the same data collection
and analytic functions as performed by other providers and PSOs that
the Patient Safety Act seeks to foster. Thus, paragraph (b) of the
definition recognizes that certain government entities may not enter a
formal contract with each other, but may only make a commitment with
other agencies through the mechanism of some other type of agreement.
We note that proposed Sec. 3.102(a)(2) incorporates the statutory
restriction that a health insurance issuer and a component of a health
insurance issuer may not become a PSO. That section also proposes to
prohibit the listing of public and private entities that conduct
regulatory oversight of health care providers, including accreditation
and licensure.
Complainant would mean a person who files a complaint with the
Secretary pursuant to proposed Sec. 3.306.
Component Organization would mean an entity that is either: (a) A
unit or division of a corporate organization or of a multi-
organizational enterprise; or (b) a separate organization, whether
incorporated or not, that is owned, managed or controlled by one or
more other organizations (i.e., its parent organization(s)). We discuss
our preliminary interpretation of the terms ``owned,'' ``managed,'' or
``controlled'' in the definition of parent organization. Multi-
organizational enterprise, as used here, means a common business or
professional undertaking in which multiple entities participate as well
as governmental agencies or Tribal entities in which there are multiple
components.\8\
---------------------------------------------------------------------------
\8\ The concept of multi-organizational enterprise as used in
this regulation, in case law, and in a legal reference works such as
Blumberg on Corporate Groups, Sec. 6.04 (2d ed. 2007 Supplement)
refers to multi-organizational undertakings with separate
corporations or organizations that are integrated in a common
business activity. The component entities are often, but not
necessarily, characterized by interdependence and some form of
common control, typically by agreement. Blumberg notes that health
care providers increasingly are integrated in various forms of
multi-organizational enterprises.
---------------------------------------------------------------------------
We anticipate that PSOs may be established by a wide array of
health-related organizations and quality improvement enterprises,
including hospitals, nursing homes and health care provider systems,
health care professional societies, academic and commercial research
organizations, Federal, State, local, and Tribal governmental units
that are not subject to the proposed restriction on listing in proposed
Sec. 3.102(a)(2), as well as joint undertakings by combinations of
such organizations. One effect of defining component organization as we
propose is that, pursuant to section 924 of the Patient Safety Act, 42
U.S.C. 299b-24, all applicant PSOs that fall within the scope of the
definition of component organization must certify to the separation of
confidential patient safety work product and staff from the rest of any
organization or multi-organizational enterprise of which they (in the
conduct of their work) are a part. Component organizations must also
certify that their stated mission can be accomplished without
conflicting with the rest of their parent organization(s).
A subsidiary corporation may, in certain circumstances, be viewed
as part of a multi-organizational enterprise with its parent
corporation and would be so regarded under the proposed regulation.
Thus, an entity, such as a PSO that is set up as a subsidiary by a
hospital chain, would be considered a component of the corporate chain
and a component PSO for purposes of this proposed rule. Considering a
subsidiary of a corporation to be a ``component'' of its parent
organization may seem contrary to the generally understood separateness
of a subsidiary in its corporate relationship with its parent.\9\
[[Page 8116]]
That is, where two corporate entities are legally separate, one entity
would ordinarily not be considered a component of the other entity,
even when that other entity has a controlling interest or exercises
some management control. However, we have preliminarily determined that
viewing a subsidiary entity that seeks to be a PSO as a component of
its parent organization(s) would be consistent with the objectives of
the section on certifications required of component organizations in
the Patient Safety Act and appears to be consistent with trends in the
law discussed below. We invite comment on our interpretation.
---------------------------------------------------------------------------
\9\ Corporations are certain types of organizations that are
given legal independence and rights, (e.g. the right to litigate).
Subsidiary corporations are corporations in which a majority of the
shares are owned by another corporation, known as a parent
corporation. Thus, subsidiaries are independent corporate entities
in a formal legal sense, yet, at the same time, they are controlled,
to some degree, by their parent by virtue of stock ownership and
control. Both corporations and subsidiaries are legal constructs
designed to foster investment and commerce by limiting
entrepreneurial risks and corporate liabilities. In recognition of
the legitimate utility of these objectives, courts have generally
respected the separateness of parent corporations and subsidiaries,
(e.g., courts do not ordinarily allow the liabilities of a
subsidiary to be attributed to its parent corporation, despite the
fact that by definition, parent corporations have a measure of
control over a subsidiary). However, courts have looked behind the
separate legal identities that separate parent and subsidiary to
impose liability when individuals in litigation can establish that
actual responsibility rests with a parent corporation by virtue of
the degree and manner in which it has exercised control over its
subsidiary. Under these circumstances, courts permit ``the corporate
veil to be pierced.''
---------------------------------------------------------------------------
Corporations law or ``entity law,'' which emphasizes the
separateness and distinct rights and obligations of a corporation, has
been supplemented by the development of ``relational law'' when
necessary (e.g., to address evolving organizational arrangements such
as multi-organizational enterprises). To determine rights and
obligations in these circumstances, courts weigh the relationships of
separate corporations that are closely related by virtue of
participating in the same enterprise, (i.e., a common chain of economic
activity fostering and characterized by interdependence).\10\ There has
been a growing trend in various court decisions to attribute legal
responsibilities based on actual behavior in organizational
relationships, rather than on corporate formalities.
---------------------------------------------------------------------------
\10\ See Phillip I. Blumberg Et Al., Blumberg On Corporate
Groups Sec. Sec. 6.01 and 6.02.
---------------------------------------------------------------------------
We stress that neither the statute nor the proposed regulation
imposes any legal responsibilities, obligations, or liability on the
organization(s) of which a component PSO is a part. The focus of the
Patient Safety Act and the regulation is principally on the entity that
voluntarily seeks listing by the Secretary as a PSO.
We note that two of the three certifications that the Patient
Safety Act and the proposed regulation requires component entities to
make--relating to the security and confidentiality of patient safety
work product--are essentially duplicative of attestations that are
required of all entities seeking listing or continued listing as a PSO
(certifications made under section 924(a)(1)(A) and (a)(2)(A) of the
Public Health Service Act, 42 U.S.C. 299b-24(a)(1)(A) and (a)(2)(A)
with respect to patient safety activities described in section
921(5)(E) and (F) of the Public Health Service Act, 42 U.S.C. 299b-
21(5)(E) and (F)). That is, under the Patient Safety Act, all PSOs have
to attest that they have in place policies and procedures to, and
actually do, perform patient safety activities, which include the
maintenance of procedures to preserve patient safety work product
confidentiality and the provision of appropriate security measures for
patient safety work product. The overlapping nature of these
confidentiality and security requirements on components suggests
heightened congressional concern and emphasis regarding the need to
maintain a strong ``firewall'' between a component PSO and its parent
organization, which might have the opportunity and potential to access
sensitive patient safety work product the component PSO assembles,
develops, and maintains. A similar concern arises in the context of a
PSO that is a unit of a corporate parent, a subsidiary or an entity
affiliated with other organizations in a multi-organizational
enterprise.
Requiring entities seeking listing to disclose whether they have a
parent organization or are part of a multi-organizational enterprise
does not involve ``piercing the corporate veil'' as discussed in the
footnote above. The Department would not be seeking this information to
hold a parent liable for actions of the PSO, but to ensure full
disclosure to the Department about the organizational relationships of
an entity seeking to be listed as a PSO. Accordingly, we propose that
an entity seeking listing as a PSO must do so as a component
organization if it has one or more parent organizations (as described
here and in the proposed definition of that term) or is part of a
multi-organizational enterprise, and it must provide the names of its
parent entities. If it has a parent or several parent organizations, as
defined by the proposed regulation, the entity seeking to be listed
must provide the additional certifications mandated by the statute and
by the proposed regulation at Sec. 3.102(c) to maintain the
separateness of its patient safety work product from its parent(s) and
from other components or affiliates\11\ of its parent(s). Such
certifications are consistent with the above-cited body of case law
that permits and makes inquiries about organizational relationships and
practices for purposes of carrying out statutes and statutory
objectives.
---------------------------------------------------------------------------
\11\ Corporate affiliates are commonly controlled corporations;
sharing a corporate parent, they are sometimes referred to as sister
corporations. Separate corporations that are part of a multi-
organizational enterprise are also referred to by the common terms
``affiliates'' or ``affiliated organizations''.
---------------------------------------------------------------------------
It may be helpful to illustrate how a potential applicant for
listing should apply these principles in determining whether to seek
listing as a component PSO. The fundamental principle is that if there
is a parent organization relationship present and the entity is not
prohibited from seeking listing by proposed Sec. 3.102(a)(2), the
entity must seek listing as a component PSO. In determining whether an
entity must seek listing as a component organization, we note that it
does not matter whether the entity is a component of a provider or a
non-provider organization and, if it is a component of a provider
organization, whether it will undertake patient safety activities for
the parent organization's providers or providers that have no
relationship with its parent organization(s). The focus here is
primarily on establishing the separateness of the entity's operation
from any type of parent organization. Examples of entities that would
need to seek listing as a component organization include: A division of
a provider or non-provider organization; a subsidiary entity created by
a provider or non-provider organization; or a joint venture created by
several organizations (which could include provider organizations, non-
provider organizations, or a mix of such organizations) where any or
all of the organizations have a measure of control over the joint
venture.
Other examples of entities that would need to seek listing as a
component PSO include: a division of a nursing home chain; a subsidiary
entity created by a large academic health center or health system; or a
joint venture created by several organizations to seek listing as a PSO
where any or all of the organizations have a measure of control over
the joint venture.
Component PSO would mean a PSO listed by the Secretary that is a
component organization.
Confidentiality provisions would mean any requirement or
prohibition concerning confidentiality established by Sections 921 and
922(b)-(d), (g) and (i) of the Public Health Service Act, 42
[[Page 8117]]
U.S.C. 299b-21 and 299b-22(b)-(d), (g) and (i), and the proposed
provisions, at Sec. Sec. 3.206 and 3.208, by which we propose to
implement the prohibition on disclosure of identifiable patient safety
work product. We proposed to define this new term to provide an easy
way to reference the provisions in the Patient Safety Act and in the
proposed rule that implements the confidentiality protections of the
Patient Safety Act for use in the enforcement and penalty provisions of
this proposed rule. We found this a useful approach in the HIPAA
Enforcement Rule, where we defined ``administrative simplification
provision'' for that purpose. In determining how to define
``confidentiality provisions'' that could be violated, we considered
the statutory enforcement provision at section 922(f) of the Public
Health Service Act, 42 U.S.C. 299b-22(f), which incorporates by
reference section 922(b) and (c).\12\ Thus, the enforcement authority
clearly implicates sections 922(b) and (c) of the Patient Safety Act,
42 U.S.C. 299b-22(b) and (c), which are implemented in proposed Sec.
3.206. Section 922(d) of the Patient Safety Act, 42 U.S.C. 299b-22(d),
is entitled the ``Continued Protection of Information After
Disclosure'' and sets forth continued confidentiality protections for
patient safety work product after it has been disclosed under section
922(c) of the Public Health Service Act, 42 U.S.C. 299b-22(c), with
certain exceptions. Thus, section 922(d) of the Public Health Service
Act, 42 U.S.C. 299b-22(d), is a continuation of the confidentiality
protections provided for in section 922(b) of the Public Health Service
Act, 42 U.S.C. 299b-22(b). Therefore, we also consider the continued
confidentiality provision at proposed Sec. 3.208 herein to be one of
the confidentiality provisions. In addition, our understanding of these
provisions is based on the rule of construction in section 922(g) of
the Public Health Service Act, 42 U.S.C. 299b-22(g), and the
clarification with respect to HIPAA in section 922(i) of the Public
Health Service Act, 42 U.S.C. 299b-22(i); accordingly, these provisions
are included in the definition.
---------------------------------------------------------------------------
\12\ Section 922(f) of the Public Health Service Act, 42 U.S.C.
299b-22(f), states that ``subject to paragraphs (2) and (3), a
person who discloses identifiable patient safety work product in
knowing or reckless violation of subsection (b) shall be subject to
a civil money penalty of not more than $10,000 for each act
constituting such violation'' (emphasis added). Subsection (b) of
section 922 of the Public Health Service Act, 42 U.S.C. 299b-22(b),
is entitled, ``Confidentiality of Patient Safety Work Product'' and
states, ``Notwithstanding any other provision of Federal, State, or
local law, and subject to subsection (c), patient safety work
product shall be confidential and shall not be disclosed'' (emphasis
added). Section 922(c) of the Public Health Service Act, 42 U.S.C.
299b-22(c), in turn, contains the exceptions to confidentiality and
privilege protections.
---------------------------------------------------------------------------
In contrast to the confidentiality provisions, the privilege
provisions in the Patient Safety Act will be enforced by the tribunals
or agencies that are subject to them; the Patient Safety Act does not
authorize the imposition of civil money penalties for breach of such
provisions. We note, however, that to the extent a breach of privilege
is also a breach of confidentiality, the Secretary would enforce the
confidentiality breach under 42 U.S.C. 299b-22(f).
Disclosure would mean the release, transfer, provision of access
to, or divulging in any other manner of patient safety work product by
a person holding patient safety work product to another person. An
impermissible disclosure (i.e., a disclosure of patient safety work
product in violation of the confidentiality provisions) is the action
upon which potential liability for a civil money penalty rests.
Generally, if the person holding patient safety work product is an
entity, disclosure occurs when the information is shared with another
entity or a natural person outside the entity. We do not propose to
hold entities liable for uses of the information within the entity,
(i.e., when this information is exchanged or shared among the workforce
members of the entity) except as noted below concerning component PSOs.
If a natural person holds patient safety work product, except in the
capacity as a workforce member, a disclosure occurs whenever exchange
occurs to any other person or entity. In light of this definition, we
note that a disclosure to a contractor that is under the direct control
of an entity (i.e., a workforce member) would be a use of the
information within the entity and, therefore, not a disclosure for
which a permission is needed. However, a disclosure to an independent
contractor would not be a disclosure to a workforce member, and thus,
would be a disclosure for purposes of this proposed rule and the
proposed enforcement provisions under Subpart D.
For component PSOs, we propose to recognize as a disclosure the
sharing or transfer of patient safety work product outside of the legal
entity, as described above, and between the component PSO and the rest
of the organization (i.e., parent organization) of which the component
PSO is a part. The Patient Safety Act demonstrates a strong desire for
the separation of patient safety work product between a component PSO
and the rest of the organization. See section 924(b)(2) of the Public
Health Service Act, 42 U.S.C. 299b-24(b)(2). Because we propose to
recognize component organizations as component PSOs which exist within,
but distinct from, a single legal entity, and such a component
organization as a component PSO would be required to certify to limit
access to patient safety work product under proposed Sec. 3.102(c),
the release, transfer, provision of access to, or divulging in any
other manner of patient safety work product from a component PSO to the
rest of the organization will be recognized as a disclosure for
purposes of this proposed rule and the proposed enforcement provisions
under Subpart D.
We considered whether or not we should hold entities liable for
disclosures that occur within that entity (uses) by defining disclosure
more discretely, (i.e., as between persons within an entity). If we
were to define disclosure in this manner, it may promote better
safeguarding against inappropriate uses of patient safety work product
by providers and PSOs. It may also allow better control of uses by
third parties to whom patient safety work product is disclosed, and it
would create additional enforcement situations which could lead to
additional potential civil money penalties. We note that HIPAA
authorized the Department to regulate both the uses and disclosures of
individually identifiable health information and, thus, the HIPAA
Privacy Rule regulates both the uses and disclosures of such
information by HIPAA covered entities. See section 264(b) and (c)(1) of
HIPAA, Public Law 104-191. The Patient Safety Act, on the other hand,
addresses disclosures and authorizes the Secretary to penalize
disclosures of patient safety work product.
Nonetheless, we do not propose to regulate the use, transfer or
sharing by internal disclosure, of patient safety work product within a
legal entity. We also decline to propose to regulate uses because we
would consider regulating uses within providers and PSOs to be
intrusive into their internal affairs. This would be especially the
case given that this is a voluntary program. Moreover, we do not
believe that regulating uses would further the statutory goal of
facilitating the sharing of patient safety work product with PSOs. In
other words, regulating uses would not advance the ability of any
entity to share patient safety work product for patient safety
activities. Finally, we presume that there are sufficient incentives in
place for providers and PSOs to prudently manage the uses of sensitive
patient safety work product.
[[Page 8118]]
We are not regulating uses, whether in a provider, PSO, or any
other entity that obtains patient safety work product. Because we are
not proposing to regulate uses, there will be no federal sanction based
on use of this information. If a provider or other entity wants to
limit the uses or further disclosures (beyond the regulatory
permissions) by a PSO or any future recipient, a disclosing entity is
free to do so by contract. See section 922(g)(4) of the Public Health
Service Act, 42 U.S.C. 299b-22(g)(4), and proposed Sec. 3.206(e). We
seek comment about whether this strikes the right balance.
The proposed definition mirrors the definition of disclosure used
in the HIPAA Privacy Rule concerning disclosures of protected health
information. Although we do not propose to regulate the use of patient
safety work product, HIPAA covered entities that possess patient safety
work product which contains protected health information must comply
with the use and disclosure requirements of the HIPAA Privacy Rule with
respect to the protected health information. Patient safety work
product containing protected health information could only be used in
accordance with the HIPAA Privacy Rule use permissions, including the
minimum necessary requirement.
Entity would mean any organization, regardless of whether the
organization is public, private, for-profit, or not-for-profit. The
statute permits any entity to seek listing as a PSO by the Secretary
except a health insurance issuer and any component of a health
insurance issuer and Sec. 3.102(a)(2) proposes, in addition, to
prohibit public or private sector entities that conduct regulatory
oversight of providers.
Group health plan would mean an employee welfare benefit plan (as
defined in section 3(1) of the Employee Retirement Income Security Act
of 1974 (ERISA) to the extent that the plan provides medical care (as
defined in paragraph (2) of section 2791(a) of the Public Health
Service Act, 42 U.S.C. 300gg-91(a)(1)) and including items and services
paid for as medical care) to employees or their dependents (as defined
under the terms of the plan) directly or through insurance,
reimbursement, or otherwise. Section 2791(b)(2) of the Public Health
Service Act, 42 U.S.C. 300gg-91(b)(2) excludes group health plans from
the defined class of `health insurance issuer.' Therefore, a group
health plan may establish a PSO unless the plan could be considered a
component of a health insurance issuer, in which case such a plan would
be precluded from being a PSO by the Patient Safety Act.
Health insurance issuer would mean an insurance company, insurance
service, or insurance organization (including a health maintenance
organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed
to engage in the business of insurance in a State and which is subject
to State law which regulates insurance (within the meaning of 29 U.S.C.
1144(b)(2)). The term, as defined in the Public Health Service Act,
does not include a group health plan.
Health maintenance organization would mean (1) a Federally
qualified health maintenance organization (as defined in 42 U.S.C.
300e(a)); (2) an organization recognized under State law as a health
maintenance organization; or (3) a similar organization regulated under
State law for solvency in the same manner and to the same extent as
such a health maintenance organization. Because the ERISA definition
relied upon by the Patient Safety Act includes health maintenance
organizations in the definition of health insurance issuer, an HMO may
not be, control, or manage the operation of a PSO.
HHS stands for the United States Department of Health and Human
Services. This definition is added for convenience.
HIPAA Privacy Rule would mean the regulations promulgated under
section 264(c) of the Health Insurance Portability and Accountability
Act of 1996 (HIPAA), at 45 CFR Part 160 and Subparts A and E of Part
164.
Identifiable Patient Safety Work Product would mean patient safety
work product that:
(1) Is presented in a form and manner that allows the
identification of any provider that is a subject of the work product,
or any providers that participate in activities that are a subject of
the work product;
(2) Constitutes individually identifiable health information as
that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or
(3) Is presented in a form and manner that allows the
identification of an individual who in good faith reported information
directly to a PSO, or to a provider with the intention of having the
information reported to a PSO (``reporter'').
Identifiable patient safety work product is not patient safety work
product that meets the nonidentification standards proposed for
``nonidentifiable patient safety work product''.
Nonidentifiable Patient Safety Work Product would mean patient
safety work product that is not identifiable in accordance with the
nonidentification standards proposed at Sec. 3.212. Because the
privilege and confidentiality protections of the Patient Safety Act and
this Part do not apply to nonidentifiable patient safety work product
once disclosed, the restrictions and data protection rules in this
proposed rule phrased as pertaining to patient safety work product
generally only apply to identifiable patient safety work product.
OCR stands for the Office for Civil Rights in HHS. This definition
is added for convenience.
Parent organization would mean a public or private sector
organization that, alone or with others, either owns a provider entity
or a component PSO, or has the authority to control or manage agenda
setting, project management, or day-to-day operations of the component,
or the authority to review and override decisions of a component PSO.
We have not proposed to define the term ``owns.'' We propose to use the
term ``own a provider entity'' to mean a governmental agency or Tribal
entity that controls or manages a provider entity as well as an
organization having a controlling interest in a provider entity or a
component PSO, for example, owning a majority or more of the stock of
the owned entity, and expressly ask for comment on whether our further
definition of controlling interest as follows below is appropriate.
Under the proposed regulation, if an entity that seeks to be a PSO
has a parent organization, that entity will be required to seek listing
as a component PSO and must provide certifications set forth in
proposed Sec. 3.102(c), which indicate that the entity maintains
patient safety work product separately from the rest of the
organization(s) and establishes security measures to maintain the
confidentiality of patient safety work product, the entity does not
make an unauthorized disclosure of patient safety work product to the
rest of the organization(s), and the entity does not create a conflict
of interest with the rest of the organization(s).
Traditionally, a parent corporation is defined as a corporation
that holds a controlling interest in one or more subsidiaries. By
contrast, parent organization, as used in this proposed rule, is a more
inclusive term and is not limited to definitions used in corporations
law. Accordingly, the proposed definition emphasizes a parent
organization's control (or influence) over a PSO that may or may not be
based on stock ownership.\13\ Our
[[Page 8119]]
approach to interpreting the statutory reference in section 924(b)(2)
of the Patient Safety Act, 42 U.S.C. 299b-24(b)(2) to ``another
organization'' in which an entity is a ``component'' (i.e., a ``parent
organization'') is analogous to the growing attention in both statutory
and case law, to the nature and conduct of business organizational
relationships, including multi-organizational enterprises. As discussed
above in the definition of ``component,'' the emphasis on actual
organizational control, rather than the organization's structure, has
numerous legal precedents in legislation implementing statutory
programs and objectives and courts upholding such programs and
objectives.\14\ Therefore, the definition of a ``parent organization,''
as used in the proposed regulation would encompass an affiliated
organization that participates in a common enterprise with an entity
seeking listing, and that owns, manages or exercises control over the
entity seeking to be listed as a PSO. As indicated above, affiliated
corporations have been legally defined to mean those who share a
corporate parent or are part of a common corporate enterprise.\15\
---------------------------------------------------------------------------
\13\ Cf. 17 CFR 240.12b-2 (defining ``control'' broadly as ``* *
* the power to direct or cause the direction of the management and
policies of an * * * [entity] whether through the ownership of
voting securities, by contract, or otherwise.'')
\14\ Blumberg on Corporate Groups Sec. 13 notes that, where
applications for licenses are in a regulated industry, information
is required by states about the applicant as well as corporate
parents, subsidiaries and affiliates. In the proposed regulation,
pursuant to the Patient Safety Act, information about parent
organizations with potentially conflicting missions would be
obtained to ascertain that component entities seeking to be PSOs
have measures in place to protect the confidentiality of patient
safety work product and the independent conduct of impartial
scientific analyses by PSOs.
\15\ See for example the definition of affiliates in regulations
jointly promulgated by the Comptroller of the Currency, the Federal
Reserve board, the FDIC, and the Office of Thrift Supervision to
implement privacy provisions of Gramm Leach Bliley legislation using
provisions of the Fair Credit Reporting Act (dealing with
information sharing among affiliates): ``any company that is related
or affiliated by common ownership, or affiliated by corporate
control or common corporate control with another company.''
Blumberg, supra note 2, at Sec. 122.09[A] (citing 12 CFR pt.41.3,
12 CFR pt.222.3(1), 12 CFR pt.334.3(b) and 12 CFR pt.571.3(1)
(2004)).
---------------------------------------------------------------------------
Parent organization is defined to include affiliates primarily in
recognition of the prospect that otherwise unrelated organizations
might affiliate to jointly establish a PSO. We can foresee such an
enterprise because improving patient safety through expert analysis of
aggregated patient safety data could logically be a common and
efficient objective shared by multiple potential cofounders of a PSO.
It is fitting, in our view, that a component entity certify, as we
propose in Sec. 3.102(c), that there is ``no conflict'' between its
mission as a PSO and all of the rest of the parent or affiliated
organizations that undertake a jointly sponsored PSO enterprise.\16\
Similarly, it is also appropriate that the additional certifications
required of component entities in proposed Sec. 3.102(c) regarding
separation of patient safety work product and the use of separate staff
be required of an entity that has several co-founder parent
organizations that exercise ownership, management or control, (i.e. to
assure that the intended ``firewalls'' exist between the component
entity and the rest of any affiliated organization that might exercise
ownership, management or control over a PSO).
---------------------------------------------------------------------------
\16\ We note that the certifications from a jointly established
PSO could be supported or substantiated with references to
protective procedural or policy walls that have been established to
preclude a conflict of these organizations' other missions with the
scientific analytic mission of the PSO.
---------------------------------------------------------------------------
To recap this part of the discussion, we would consider an entity
seeking listing as a PSO to have a parent organization, and such entity
would seek listing as a component organization, under the following
circumstances: (a) The entity is a unit in a corporate organization or
a controlling interest in the entity is owned by another corporation;
or (b) the entity is a distinct organizational part of a multi-
organizational enterprise and one or more affiliates in the enterprise
own, manage, or control the entity seeking listing as a PSO. An example
of an entity described in (b) would be an entity created by a joint
venture in which the entity would be managed or controlled by several
co-founding parent organizations.
The definition of provider in the proposed rule (which will be
discussed below) includes the parent organization of any provider
entity. Correspondingly, our definition of parent organization includes
any organization that ``owns a provider entity.'' This is designed to
provide an option for the holding company of a corporate health care
system to enter a multi-facility or system-wide contract with a PSO.
Patient Safety Act would mean the Patient Safety and Quality
Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the
Public Health Service Act (42 U.S.C. 299 et seq.) by inserting a new
Part C, sections 921 through 926, which are codified at 42 U.S.C. 299b-
21 through 299b-26.
Patient safety activities would mean the following activities
carried out by or on behalf of a PSO or a provider:
(1) Efforts to improve patient safety and the quality of health
care delivery;
(2) The collection and analysis of patient safety work product;
(3) The development and dissemination of information with respect
to improving patient safety, such as recommendations, protocols, or
information regarding best practices;
(4) The utilization of patient safety work product for the purposes
of encouraging a culture of safety and of providing feedback and
assistance to effectively minimize patient risk;
(5) The maintenance of procedures to preserve confidentiality with
respect to patient safety work product;
(6) The provision of appropriate security measures with respect to
patient safety work product;
(7) The utilization of qualified staff; and
(8) Activities related to the operation of a patient safety
evaluation system and to the provision of feedback to participants in a
patient safety evaluation system.
This definition is taken from the Patient Safety Act. See section
921(5) of the Public Health Service Act, 42 U.S.C. 299b-21(5). Patient
safety activities is used as a key reference term for other provisions
in the proposed rule and those provisions provide descriptions related
to patient safety activities. See proposed requirements for PSOs at
Sec. Sec. 3.102 and 3.106 and the proposed confidentiality disclosure
permission at Sec. 3.206(b)(4).
Patient safety evaluation system would mean the collection,
management, or analysis of information for reporting to or by a PSO.
The patient safety evaluation system is a core concept of the Patient
Safety Act through which information, including data, reports,
memoranda, analyses, and/or written or oral statements, is collected,
maintained, analyzed, and communicated. When a provider engages in
patient safety activities for the purpose of reporting to a PSO or a
PSO engages in these activities with respect to information for patient
safety purposes, a patient safety evaluation system exists regardless
of whether the provider or PSO has formally identified a ``patient
safety evaluation system''. For example, when a provider collects
information for the purpose of reporting to a PSO and reports the
information to a PSO to generate patient safety work product, the
provider is collecting and reporting through its patient safety
evaluation system (see definition of patient safety work product ).
Although we do not propose to require providers or PSOs formally to
identify or define their patient safety evaluation system--because such
systems exist by virtue of the providers or PSOs undertaking certain
patient safety activities--a patient safety evaluation system can be
[[Page 8120]]
formally designated by a provider or PSO to establish a secure space in
which these activities may take place.
The formal identification or designation of a patient safety
evaluation system could give structure to the various functions served
by a patient safety evaluation system. These possible functions are:
1. For reporting information by a provider to a PSO in order to
generate patient safety work product and to protect the fact of
reporting such information to a PSO (see section 921(6) and
(7)(A)(i)(I) of the Public Health Service Act, 42 U.S.C. 299b-21(6) and
(7)(A)(i)(I));
2. For communicating feedback concerning patient safety events
between PSOs and providers (see section 921(5)(H) of the Public Health
Service Act, 42 U.S.C. 299b-21(5)(H));
3. For creating and identifying the space within which
deliberations and analyses of information and patient safety work
product are conducted (see section 921(7)(A)(ii) of the Public Health
Service Act, 42 U.S.C. 299b-21(7)(A)(ii));
4. For separating patient safety work product and information
collected, maintained, or developed for reporting to a PSO distinct and
apart from information collected, maintained, or developed for other
purposes (see section 921(7)(B)(ii) of the Public Health Service Act,
42 U.S.C. 299b-21(7)(B)(ii)); and,
5. For identifying patient safety work product to maintain its
privileged status and confidentiality, and to avoid impermissible
disclosures (see section 922(b) of the Public Health Service Act, 42
U.S.C. 299b-22(b)).
A provider or PSO need not engage in all of the above-mentioned
functions in order to establish or maintain a patient safety evaluation
system. A patient safety evaluation system is flexible and scalable to
the individual needs of a provider or PSO and may be modified as
necessary to support the activities and level of engagement in the
activities by a particular provider or PSO.
Documentation. Because a patient safety evaluation system is
critical in identifying and protecting patient safety work product, we
encourage providers and PSOs to document what constitutes their patient
safety evaluation system. We recommend that providers and PSOs consider
documenting the following:
How information enters the patient safety evaluation
system;
What processes, activities, physical space(s) and
equipment comprise or are used by the patient safety evaluation system;
Which personnel or categories of personnel need access to
patient safety work product to carry out their duties involving
operation of, or interaction with the patient safety evaluation system,
and for each such person or category of persons, the category of
patient safety work product to which access is needed and any
conditions appropriate to such access; and,
What procedures or mechanisms the patient safety
evaluation system uses to report information to a PSO or disseminate
information outside of the patient safety evaluation system.
A documented patient safety evaluation system, as opposed to an
undocumented or poorly documented patient safety evaluation system, may
accrue many benefits to the operating provider or PSO. Providers or
PSOs that have a documented patient safety evaluation system will have
substantial proof to support claims of privilege and confidentiality
when resisting requests for production of, or subpoenas for,
information constituting patient safety work product or when making
requests for protective orders against requests or subpoenas for such
patient safety work product. Documentation of a patient safety
evaluation system will enable a provider or PSO to provide supportive
evidence to a court when claiming privilege protections for patient
safety work product. This may be particularly critical since the same
activities can be done inside and outside of a patient safety
evaluation system.
A documented and established patient safety evaluation system also
gives notice to employees of the privileged and confidential nature of
the information within a patient safety evaluation system in order to
generate awareness, greater care in handling such information and more
caution to prevent unintended or impermissible disclosures of patient
safety work product. For providers with many employees, an established
and documented patient safety evaluation system can serve to separate
access to privileged and confidential patient safety work product from
employees that have no need for patient safety work product.
Documentation can serve to limit access by non-essential employees. By
limiting who may access patient safety work product, a provider may
reduce its exposure to the risks of inappropriate disclosures.
Given all of the benefits, documentation of a patient safety
evaluation system would be a prudent business practice. Moreover, as
part of our enforcement program, we would expect entities to be
following sound business practices in maintaining adequate
documentation regarding their patient safety evaluation systems to
demonstrate their compliance with the confidentiality provisions.
Absent this type of documentation, it may be difficult for entities to
satisfy the Secretary that they have met and are in compliance with
their confidentiality obligations. While we believe it is a sound and
prudent business practice, we have not required a patient safety
evaluation system to be documented, and we do not believe it is
required by the Patient Safety Act. We seek comment as to these issues.
Patient Safety Organization (PSO) would mean a private or public
entity or component thereof that is listed as a PSO by the Secretary in
accordance with proposed Sec. 3.102.
Patient Safety Work Product is a defined term in the Patient Safety
Act that identifies the information to which the privilege and
confidentiality protections apply. This proposed rule imports the
statutory definition of patient safety work product specifically for
the purpose of implementing the confidentiality protections under the
Patient Safety Act. The proposed rule provides that, with certain
exceptions, patient safety work product would mean any data, reports,
records, memoranda, analyses (such as root cause analyses), or written
or oral statements (or copies of any of this material) (A) which could
result in improved patient safety, health care quality, or health care
outcomes and either (i) is assembled or developed by a provider for
reporting to a PSO and is reported to a PSO; or (ii) is developed by a
PSO for the conduct of patient safety activities; or (B) which
identifies or constitutes the deliberations or analysis of, or
identifies the fact of reporting pursuant to, a patient safety
evaluation system. The proposed rule excludes from patient safety work
product a patient's original medical record, billing and discharge
information, or any other original patient or provider information and
any information that is collected, maintained, or developed separately,
or exists separately, from a patient safety evaluation system. Such
separate information or a copy thereof reported to a PSO does not by
reason of its reporting become patient safety work product. The
separately collected and maintained information remains available, for
example, for public health reporting or disclosures pursuant to court
order. The information contained in a provider's or PSO's patient
safety evaluation system is protected, would be privileged and
confidential, and may not be disclosed absent a statutory or regulatory
permission.
[[Page 8121]]
What can become patient safety work product. The definition of
patient safety work product lists the types of information that are
likely to be exchanged between a provider and PSO to generate patient
safety work product: ``Any data, reports, records, memoranda, analyses
(such as root cause analyses), or written or oral statements''
(collectively referred to below as ``information'' for brevity).
Congress intended the fostering of robust patient safety evaluation
systems for exchanges between providers and PSOs. We expect this
expansive list will maximize provider flexibility in operating its
patient safety evaluation system by enabling the broadest possible
incorporation and protection of information by providers and PSOs.
In addition, information must be collected or developed for the
purpose of reporting to a PSO. Records collected or developed for a
purpose other than for reporting to a PSO, such as to support internal
risk management activities or to fulfill external reporting
obligations, cannot become patient safety work product. However, copies
of information collected for another purpose may become patient safety
work product if, for example, the copies are made for the purpose of
reporting to a PSO. This issue is discussed more fully below regarding
information that cannot become patient safety work product.
When information is reported by a provider to a PSO or when a PSO
develops information for patient safety activities, the definition
assumes that the protections apply to information that ``could result
in improved patient safety, health care quality, or health care
outcomes.'' This phrase imposes few practical limits on the type of
information that can be protected since a broad range of clinical and
non-clinical factors could have a beneficial impact on the safety,
quality, or outcomes of patient care. Because the Patient Safety Act
does not impose a narrow limitation, such as requiring information to
relate solely, for example, to particular adverse or ``sentinel''
incidents or even to the safety of patient care, we conclude Congress
intended providers to be able to cast a broad net in their data
gathering and analytic efforts to identify causal factors or
relationships that might impact patient safety, quality and outcomes.
In addition, we note that the phrase ``could result in improved''
requires only potential utility, not proven utility, thereby allowing
more information to become patient safety work product.
How information becomes patient safety work product. Paragraphs
(1)(i)(A), (1)(i)(B), and (1)(ii) of the proposed regulatory definition
indicate three ways for information to become patient safety work
product and therefore subject to the confidentiality and privilege
protections of the Patient Safety Act.
Information assembled or developed and reported by providers. By
law and as set forth in our proposal, information that is assembled or
developed by a provider for the purpose of reporting to a PSO and is
reported to a PSO is patient safety work product. Section
921(7)(A)(i)(I) of the Public Health Service Act, 42 U.S.C. 299b-
21(7)(A)(i)(I).
As noted, to become patient safety work product under this section
of the definition, information must be reported by a provider to a PSO.
For purposes of paragraph (1)(i)(A) of this definition, ``reporting''
generally means the actual transmission or transfer of information, as
described above, to a PSO. We recognize, however, that requiring the
transmission of every piece of paper or electronic file to a PSO could
impose significant transmission, management, and storage burdens on
providers and PSOs. In many cases, providers engaged in their own
investigations may desire to avoid continued transmission of additional
related information as its work proceeds.
To alleviate the burden of reporting every piece of information
assembled by a provider related to a particular patient safety event,
we are interested in public comment regarding an alternative for
providers that have established relationships with PSOs. We note that
the reporting and generation of patient safety work product does not
require a contract or any other relationship for a PSO to receive
reports from a provider, for a PSO to examine patient safety work
product, or for a PSO to provide feedback to a provider based upon the
examination of reported information. Nonetheless, we anticipate that
providers who are committed to patient safety improvements will
establish a contractual or similar relationship with a PSO to report
and receive feedback about patient safety incidents and adverse events.
Such a contract or relationship would provide a basis to allow
providers and PSOs to establish customized alternative arrangements for
reporting.
For providers that have established contracts with PSOs for the
review and receipt of patient safety work product, we seek comment on
whether a provider should be able to ``report'' to the PSO by providing
its contracted PSO access to any information it intends to report
(i.e., ``functional reporting''). For example, a provider and a PSO may
establish, by contract, that information put into a database shared by
the provider and the PSO is sufficient to report information to the PSO
in lieu of the actual transmission requirement. We believe that
functional reporting would be a valuable mechanism for the efficient
reporting of information from a provider to a PSO. We are seeking
public comment about what terms and conditions may be necessary to
provide access to a PSO to be recognized as functional reporting. We
also seek comment about whether this type of functional reporting
arrangement should only be available for subsequent related information
once an initial report on a specific topic or incident has been
transmitted to a PSO.
We do not intend a PSO to have an unfettered right of access to any
provider information. Providers and PSOs are free to engage in
alternative reporting arrangements under the proposed rule, and we
solicit comments on the appropriate lines to be drawn around the
arrangements that should be recognized under the proposed rule.
However, our proposals should not be construed to suggest or propose
that a PSO has a superior right to access information held by a
provider based upon a reporting relationship. If a PSO believes
information reported by a provider is insufficient, a PSO is free to
request additional information from a provider or to indicate
appropriate limitations to the conclusions or analyses based on
insufficient or incomplete information.
We seek public comment on two additional aspects regarding the
timing of the obligation of a provider to report to a PSO in order for
information to become protected patient safety work product and for the
confidentiality protections to attach. The first issue relates to the
timing between assembly or development of information for reporting and
actual reporting under the proposed definition of patient safety work
product. As currently proposed, information assembled or developed by a
provider is not protected until the moment it is reported, (i.e.,
transmitted or transferred to a PSO). We are considering whether there
is a need for a short period of protection for information assembled
but not yet reported. We note that in such situations, a provider
creates and operates a patient safety evaluation system. (See
discussion of the definition of patient safety evaluation system at
proposed Sec. 3.20.) We further note that even without such short
period of
[[Page 8122]]
protection, information assembled or developed by a provider but not
yet reported may be subject to other protections in the proposed rule
(e.g., see section 921(7)(A)(ii) of the Public Health Service Act, 42
U.S.C. 299b-21(7)(A)(ii)).
Our intent is not to relieve the provider of the statutory
requirement for reporting pursuant to section 921(7)(A)(i) of the
Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(i), but to extend to
providers flexibility to efficiently transmit or transfer information
to a PSO for protection. A short period of protection for information
assembled but not yet reported could result in greater operational
efficiency for a provider by allowing information to be compiled and
reported to a PSO in batches. It could also alleviate the uncertainty
regarding the status of information that is assembled, but not yet
reported for administrative reasons. If we do address this issue in the
final rule, we seek input on the appropriate time period for such
protection and whether a provider must demonstrate an intent to report
in order to obtain protections. If we do not address this issue in the
final rule, such information held by a provider would not be
confidential until it is actually transmitted to a PSO under this prong
of the definition of patient safety work product.
Second, for information to become patient safety work product under
this prong of the definition, it must be assembled or developed for the
purpose of reporting to a PSO and actually reported. We solicit comment
on the point in time at which it can be established that information is
being collected for the purpose of reporting to a PSO such that it is
not excluded from the definition of patient safety work product as a
consequence of it being collected, maintained or developed separately
from a patient safety evaluation system. See section 921(7)(B)(ii) of
the Public Health Service Act, 42 U.S.C. 299b-21(7)(B)(ii). To assemble
information with the purpose of reporting to a PSO, a PSO must
potentially exist, and thus, we believe that collection efforts cannot
predate the passage of the Patient Safety Act on July 29, 2005.
Information that is developed by a PSO for the conduct of patient
safety activities. By law and as set forth in our proposal, information
that is developed by a PSO for patient safety activities is patient
safety work product. Section 921(7)(A)(i)(II) of the Public Health
Service Act, 42 U.S.C. 299b-21(7)(A)(i)(II). This section of the
definition does not address information discussed in the previous
section that is assembled or developed by a provider and is reported to
a PSO which becomes patient safety work product under that section.
Rather, this section addresses other information that a PSO collects
for development from third parties, non-providers and other PSOs for
patient safety activities.
For example, a PSO may be asked to assist a provider in analyzing a
complex adverse event that took place. The initial information from the
provider is protected because it was reported. If the PSO determines
that the information is insufficient and conducts interviews with
affected patients or collects additional data, that information is an
example of the type of information that would be protected under this
section of the definition. Even if the PSO ultimately decided not to
analyze such information, the fact that the PSO collected and evaluated
the information is a form of ``development'' transforming the
information into patient safety work product. Such patient safety work
product would be subject to confidentiality protections, and thus, the
PSO would need safe disposal methods for any such information in
accordance with its confidentiality obligations.
Information that constitutes the deliberations or analysis of, or
identifies the fact of reporting pursuant to, a patient safety
evaluation system. By law and as set forth in our proposal, information
that constitutes the deliberations or analysis of, or identifies the
fact of reporting pursuant to, a patient safety evaluation system is
patient safety work product. Section 921(7)(A)(ii) of the Public Health
Service Act, 42 U.S.C. 299b-21(7)(A)(ii). This provision extends
patient safety work product protections to any information that would
identify the fact of reporting pursuant to a patient safety evaluation
system or that constitutes the deliberations or analyses that take
place within such a system. The fact of reporting through a patient
safety evaluation system (e.g., a fax cover sheet, an e-mail
transmitting data, and an oral transmission of information to a PSO) is
patient safety work product.
With regard to providers, deliberations and analyses are protected
while they are occurring provided they are done within a patient safety
evaluation system. We are proposing that under paragraph (1)(ii) of
this definition, any ``deliberations or analysis'' performed within the
patient safety evaluation system becomes patient safety work product.
In other words, to determine whether protections apply, the primary
question is whether a patient safety evaluation system, which by law
and as set forth in this proposed rule, is the collection, management,
or analysis of information for reporting to a PSO, was in existence at
the time of the deliberations and analysis.
To determine whether a provider had a patient safety evaluation
system at the time that the deliberations or analysis took place, we
propose to consider whether a provider had certain indicia of a patient
safety evaluation system, such as the following: (1) The provider has a
contract with a PSO for the receipt and review of patient safety work
product that is in effect at the time of the deliberations and
analysis; (2) the provider has documentation for a patient safety
evaluation system demonstrating the capacity to report to a PSO at the
time of the deliberations and analysis; (3) the provider had reported
information to the PSO either under paragraph (1)(i)(A) of the proposed
definition of patient safety work product or with respect to
deliberations and analysis; or (4) the provider has actually reported
the underlying information that was the basis of the deliberations or
analysis to a PSO. For example, if a provider claimed protection for
information as the deliberation of a patient safety evaluation system,
and had a contract with the PSO at the time the deliberations took
place, it would be reasonable to believe that the deliberations and
analysis were related to the provider's PSO reporting activities. This
is not an exclusive list. We note therefore that a provider may still
be able to show that information was patient safety work product using
other indications.
We note that the statutory protections for deliberations and
analysis in a patient safety evaluation system apply without regard to
the status of the underlying information being considered (i.e., it
does not matter whether the underlying information being considered is
patient safety work product or not). A provider can fully protect
internal deliberations in its patient safety evaluation system over
whether to report information to a PSO. The deliberations and analysis
are protected, whether the provider chooses to report the underlying
information to a PSO or not. However, the underlying information,
separate and apart from the analysis or deliberation, becomes protected
only when reported to a PSO. See section 921(7)(A)(i)(1) of the Public
Health Service Act, 42 U.S.C. 299b-21(7)(A)(i)(1).
To illustrate, consider a hospital that is reviewing a list of all
near-misses
[[Page 8123]]
reported within the past 30 days. The purpose of the hospital's review
is to analyze whether to report any or part of the list to a PSO. The
analyses (or any deliberations the provider undertakes) are fully
protected whether the provider reports any near-misses or not. The
status of the near-misses list does not change because the
deliberations took place. The fact that the provider deliberated over
reporting the list does not constitute reporting and does not change
the protected status of the list. Separate and apart from the analysis,
this list of near misses is not protected unless it is reported. By
contrast, this provision fully protects the provider's deliberations
and analyses in its patient safety evaluation system regarding the
list.
Delisting. In the event that a PSO is delisted for cause under
proposed Sec. 3.108(b)(1), a provider may continue to report to that
PSO for 30 days after the delisting and the reported information will
be patient safety work product. Section 924(f)(1) of the Public Health
Service Act, 42 U.S.C. 299b-24(f)(1). Information reported to a
delisted PSO after the 30-day period will not be patient safety work
product. However, after a PSO is delisted, the delisted entity may not
continue to generate patient safety work product by developing
information for the conduct of patient safety activities or through
deliberations and analysis of information. Any patient safety work
product held or generated by a PSO prior to its delisting remains
protected even after the PSO is delisted. See discussion in the
preamble regarding proposed Sec. 3.108(b)(2) for more information.
We note that proposed Sec. 3.108(c) outlines the process for
delisting based upon an entity's voluntary relinquishment of its PSO
listing. As we discuss in the accompanying preamble, we tentatively
conclude that the statutory provision for a 30-day period of continued
protection does not apply after delisting due to voluntary
relinquishment.
Even though a PSO may not generate new patient safety work product
after delisting, it may still have in its possession patient safety
work product, which it must keep confidential. The statute establishes
requirements, incorporated in proposed Sec. 3.108(b)(2) and (b)(3),
that a PSO delisted for cause must meet regarding notification of
providers and disposition of patient safety work product. We propose in
Sec. 3.108(c) to implement similar notification and disposition
measures for a PSO that voluntarily relinquishes its listing. For
further discussion of the obligations of a delisted PSO, see proposed
Sec. 3.108(b)(2), (b)(3), and (c).
What is not patient safety work product. By law, and as set forth
in this proposed rule, patient safety work product does not include a
patient's original medical record, billing and discharge information,
or any other original patient or provider record; nor does it include
information that is collected, maintained, or developed separately or
exists separately from, a patient safety evaluation system. Such
separate information or a copy thereof reported to a PSO shall not by
reason of its reporting be considered patient safety work product.
The specific examples cited in the Patient Safety Act of what is
not patient safety work product--the patient's original medical record,
billing and discharge information, or any other original patient
record--are illustrative of the types of information that providers
routinely assemble, develop, or maintain for purposes and obligations
other than those of the Patient Safety Act. The Patient Safety Act also
states that information that is collected, maintained, or developed
separately, or exists separately from a patient safety evaluation
system, is not patient safety work product. Therefore, if records are
collected, maintained, or developed for a purpose other than for
reporting to a PSO, those records cannot be patient safety work
product. However, if, for example, a copy of such record is made for
reporting to a PSO, the copy and the fact of reporting become patient
safety work product. Thus, a provider could collect incident reports
for internal quality assurance purposes, and later, determine that one
incident report is relevant to a broader patient safety activity. If
the provider then reports a copy of the incident report to a PSO, the
copy of the incident report received by the PSO is protected as is the
copy of the incident report as reported to the PSO that is maintained
by the provider, while the original incident report collected for
internal quality assurance purposes is not protected.
The proposed rule sets forth the statutory rule of construction
that prohibits construing anything in this Part from limiting (1) the
discovery of or admissibility of information that is not patient safety
work product in a criminal, civil, or administrative proceeding; (2)
the reporting of information that is not patient safety work product to
a Federal, State, or local governmental agency for public health
surveillance, investigation, or other public health purposes or health
oversight purposes; or (3) a provider's recordkeeping obligation with
respect to information that is not patient safety work product under
Federal, State or local law. Section 921(7)(B)(iii) of the Public
Health Service Act, 42 U.S.C. 299b-21(7)(B)(iii). Even when laws or
regulations require the reporting of the information regarding the type
of events also reported to PSOs, the Patient Safety Act does not shield
providers from their obligation to comply with such requirements.
As the Patient Safety Act states more than once, these external
obligations must be met with information that is not patient safety
work product, and, in accordance with the confidentiality provisions,
patient safety work product cannot be disclosed for these purposes. We
note that the Patient Safety Act clarifies that nothing in this Part
prohibits any person from conducting additional analyses for any
purpose regardless of whether such additional analysis involves issues
identical to or similar to those for which information was reported to
or assessed by a PSO or a patient safety evaluation system. Section
922(h) of the Public Health Service Act, 42 U.S.C. 299b-22(h). A copy
of information generated for such purposes may be entered into the
provider's patient safety evaluation system for patient safety purposes
although the originals of the information generated to meet external
obligations do not become patient safety work product.
Thus, information that is collected to comply with external
obligations is not patient safety work product. Such activities may
include: State incident reporting requirements; adverse drug event
information reporting to the Food and Drug Administration (FDA);
certification or licensing records for compliance with health oversight
agency requirements; reporting to the National Practitioner Data Bank
of physician disciplinary actions; or complying with required
disclosures by particular providers or suppliers pursuant to Medicare's
conditions of participation or conditions of coverage. In addition, the
proposed rule does not change the law with respect to an employee's
ability to file a complaint with Federal or State authorities regarding
quality of care, or with respect to any prohibition on a provider's
threatening or carrying out retaliation against an individual for doing
so; the filing of any such complaint would not be deemed to be a
violation of the Patient Safety Act, unless patient safety work product
was improperly disclosed in such filing.
Health Care Oversight Reporting and Patient Safety Work Product.
The Patient Safety Act establishes a
[[Page 8124]]
protected space or system of protected information in order to allow
frank discussion about causes and remediation of threats to patient
safety. As described above, this protected system is separate,
distinct, and resides alongside but does not replace other information
collection activities mandated by laws, regulations, and accrediting
and licensing requirements as well as voluntary reporting activities
that occur for the purpose of maintaining accountability in the health
care system. Information collection activities performed by the
provider for purposes other than for reporting to a PSO by itself do
not create patient safety work product. In anticipation of questions
about how mandatory and voluntary reporting will continue to be
possible, a brief explanation may be helpful regarding how this new
patient safety framework would operate in relation to health care
oversight activities (e.g., public health reporting, corrective
actions, etc.).
Situations may occur when the original (whether print or
electronic) of information that is not patient safety work product is
needed for a disclosure outside of the entity but cannot be located
while a copy of the needed information resides in the patient safety
evaluation system. If the reason for which the original information is
being sought does not align with one of the permissible disclosures,
discussed in proposed Subpart C, the protected copy may not be
released. Nevertheless, this does not preclude efforts to reconstruct
the information outside of the patient safety evaluation system from
information that is not patient safety work product. Those who
participated in the collection, development, analysis, or review of the
missing information or have knowledge of its contents can fully
disclose what they know or reconstruct an analysis outside of the
patient safety evaluation system.
The issue of how effectively a provider has instituted corrective
action following identification of a threat to the quality or safety of
patient care might lead to requests for information from external
authorities. The Patient Safety Act does not relieve a provider of its
responsibility to respond to such requests for information or to
undertake or provide to external authorities evaluations of the
effectiveness of corrective action, but the provider must respond with
information that is not patient safety work product.
To illustrate the distinction, consider the following example. We
would expect that a provider's patient safety evaluation system or a
PSO with which the provider works may make recommendations from time to
time to the provider for changes it should make in the way it manages
and delivers health care. The list of recommendations for changes,
whether they originate from the provider's patient safety evaluation
system or the PSO with which it is working, are always patient safety
work product. We would also note that not all of these recommendations
will address corrective actions (i.e., correcting a process, policy, or
situation that poses a threat to patients). It is also possible that a
provider with an exemplary quality and safety record is seeking advice
on how to perform even better. Whatever the case, the feedback from the
provider's patient safety evaluation system or PSO may not be disclosed
to external authorities unless permitted by the disclosures specified
in Subpart C of this proposed rule.
The provider may choose to reject the recommendations it receives
or implement some or all of the proposed changes. While the
recommendations always remain protected, whether they are adopted or
rejected by a provider, the actual changes that the provider implements
to improve how it manages or delivers health care services (including
changes in its organizational management or its care environments,
structures, and processes) are not patient safety work product. In a
practical sense, it would be virtually impossible to keep such changes
confidential in any event, and we stress that if there is any
distinction between the change that was adopted and the recommendation
that the provider received, the provider can only describe the change
that was implemented. The recommendation remains protected. Thus, if
external authorities request a list of corrective actions that a
provider has implemented, the provider has no basis for refusing the
request. Even though the actions are based on protected information,
the corrective actions themselves are not patient safety work product.
On the other hand, if an external authority asks for a list of the
recommendations that the provider did not implement or whether and how
any implemented change differed from the recommendation the provider
received, the provider must refuse the request; the recommendations
themselves remain protected.
Person would mean a natural person, trust or estate, partnership,
corporation, professional association or corporation, or other entity,
public or private. We propose to define ``person'' because the Patient
Safety Act requires that civil money penalties be imposed against
``person[s]'' that violate the confidentiality provisions. However, the
Patient Safety Act does not provide a definition of ``person''. The
Definition Act at 1 U.S.C. 1 provides, ``in determining any Act of
Congress, unless the context indicates otherwise * * * the words
`person' and `whoever' include corporations, companies, associations,
firms, partnerships, societies, and joint stock companies, as well as
individuals'' (emphasis added). The Patient Safety Act indicates that
States and other government entities may hold patient safety work
product with the protections and liabilities attached, which is an
expansion of the Definition Act provision. For this reason, we propose
the broader definition of the term ``person''. We note that this
proposed approach is consistent with the HHS Office of Inspector
General (OIG) regulations, 42 CFR 1003.101, and the HIPAA Enforcement
Rule, 45 CFR 160.103.
Provider would mean any individual or entity licensed or otherwise
authorized under State law to provide health care services. The list of
specific providers in the proposed rule includes the following:
institutional providers, such as a hospital, nursing facility,
comprehensive outpatient rehabilitation facility, home health agency,
hospice program, renal dialysis facility, ambulatory surgical center,
pharmacy, physician or health care practitioner's office (including a
group practice), long term care facility, behavior health residential
treatment facility, clinical laboratory, or health center; or
individual clinicians, such as a physician, physician assistant,
registered nurse, nurse practitioner, clinical nurse specialist,
certified registered nurse anesthetist, certified nurse midwife,
psychologist, certified social worker, registered dietitian or
nutrition professional, physical or occupational therapist, pharmacist,
or other individual health care practitioner. This list is merely
illustrative; an individual or entity that is not listed here but meets
the test of state licensure or authorization to provide health care
services is a provider for the purpose of this proposed rule.
The statute also authorizes the Secretary to expand the definition
of providers. Under this authority, we propose to add the following to
this list of providers:
(a) Agencies, organizations, and individuals within Federal, State,
local, or Tribal governments that deliver health care, organizations
engaged as contractors by the Federal, State, local or Tribal
governments to deliver health care, and individual health care
[[Page 8125]]
practitioners employed or engaged as contractors by the Federal
government to deliver health care. It appears that all of these
agencies, organizations, and individuals could participate in, and
could benefit from, working with a PSO.
(b) A corporate parent organization for one or more entities
licensed or otherwise authorized to provide health care services under
state law. Without this addition, hospital or other provider systems
that are controlled by a parent organization that is not recognized as
a provider under State law might be precluded from entering into
system-wide contracts with PSOs. This addition furthers the goals of
the statute to encourage aggregation of patient safety data and a
coordinated approach for assessing and improving patient safety. We
particularly seek comments regarding any concerns or operational issues
that might result from this addition, and note that a PSO entering one
system-wide contract still needs to meet the two contract minimum
requirement based on section 924(b)(1)(C) of the Public Health Service
Act, 42 U.S.C. 299b-24(b)(1)(C), and set out and discussed in proposed
Sec. 3.102(b). The PSO can do this by entering into two contracts with
different providers within the system.
(c) A Federal, State, local, or Tribal government unit that manages
or controls one or more health care providers described in the
definition of provider at (1)(i) and (2). We propose this addition to
the definition of ``provider'' for the same reason that we proposed the
addition of parent organization that has a controlling interest in one
or more entities licensed or otherwise authorized to provide health
care services under state law.
Research would have the same meaning as that term is defined in the
HIPAA Privacy Rule at 45 CFR 164.501. In the HIPAA Privacy Rule,
research means a systematic investigation, including research
development, testing, and evaluation, designed to develop or contribute
to generalizable knowledge. This definition is used to describe the
scope of the confidentiality exception at proposed Sec. 3.206(b)(6).
We propose to use the same definition as in the HIPAA Privacy Rule to
improve the level of coordination and to reduce the burden of
compliance. At the same time, if there is a modification to the
definition in the HIPAA Privacy Rule, the definition herein will
automatically change with such regulatory action.
Respondent would mean a provider, PSO, or responsible person who is
the subject of a complaint or a compliance review.
Responsible person would mean a person, other than a provider or
PSO, who has possession or custody of identifiable patient safety work
product and is subject to the confidentiality provisions. We note that
because the Patient Safety Act has continued confidentiality protection
at 42 U.S.C. 299b-22(d), many entities other than providers and PSOs
may be subject to the confidentiality provisions. Thus, for example,
researchers or law enforcement officials who obtain patient safety work
product under one of the exceptions to confidentiality would be
considered a ``responsible person''.
Workforce would mean employees, volunteers, trainees, contractors,
and other persons whose conduct, in the performance of work for a
provider, PSO or responsible person, is under the direct control of
such provider, PSO or responsible person, whether or not they are paid
by the provider, PSO or responsible person. We use the term workforce
member in several contexts in the proposed rule. Importantly, in
proposed Sec. 3.402 where we discuss principal liability, we propose
that an agent for which a principal may be liable can be a workforce
member. We have included the term ``contractors'' in the definition of
workforce member to clarify that such permitted sharing may occur with
contractors who are under the direct control of the provider, PSO, or
responsible person. For example, a patient safety activity disclosure
by a provider to a PSO may be made directly to the PSO or to a
consultant, as a workforce member, contracted by the PSO to help it
carry out patient safety activities.
B. Subpart B--PSO Requirements and Agency Procedures
Proposed Subpart (B) sets forth requirements for Patient Safety
Organizations (PSOs). This proposed Subpart specifies the certification
and notification requirements that PSOs must meet, the actions that the
Secretary may and will take relating to PSOs, the requirements that
PSOs must meet for the security of patient safety work product, the
processes governing correction of PSO deficiencies, revocation, and
voluntary relinquishment, and related administrative authorities and
implementation responsibilities. The requirements of this proposed
Subpart would apply to PSOs, their workforce, a PSO's contractors when
they hold patient safety work product, and the Secretary.
This proposed Subpart is intended to provide the foundation for
new, voluntary opportunities to improve the safety, quality, and
outcomes of patient care. The Patient Safety Act does not require a
provider to contract with a PSO, and the proposed rule does not include
such a requirement. However, we expect that most providers will enter
into contracts with PSOs when seeking the confidentiality and privilege
protections of the statute. Contracts offer providers greater certainty
that a provider's claim to these statutory protections will be
sustained, if challenged. For example, the statutory definition of
patient safety work product describes the nature and purpose of
information that can be protected, the circumstances under which
deliberations or analyses are protected, and the requirement that
certain information be reported to a PSO. Pursuant to a contractual
arrangement, providers can require and receive assistance from PSOs to
ensure that these requirements are fully met. Contracts can provide
clear evidence that a provider is taking all reasonable measures to
operate under the ambit of the statute in collecting, developing, and
maintaining patient safety work product. Contracts enable providers to
specify even stronger confidentiality protections in how they report
information to a PSO or how the PSO handles and uses the information.
Contracts can also give providers greater assurance that they will
have access to the expertise of the PSO to provide feedback regarding
their patient safety events. While some providers may have patient
safety expertise in-house, a PSO has the potential to offer providers
considerable additional insight as a result of its expertise and
ability to aggregate and analyze data from multiple providers and
multiple PSOs. Experience has demonstrated that such aggregation and
analysis of large volumes of data, such as a PSO has the ability to do,
will often yield insights into the underlying causes of the hazards and
risks associated with patient care that are simply not apparent when
these analyses are limited to the information available from only one
office, clinic, facility, or system.
Pursuant to a contract with a PSO, a provider may also be able to
obtain from a PSO operational guidance or best practices with respect
to operation of a patient safety evaluation system. Such a contract
also provides a mechanism for a provider to control the nature and
extent of a PSO's aggregation of its data with those of other providers
or PSOs, and the nature of related analysis and discussion of such
data. A provider can also require, pursuant to its contract with a PSO,
that the PSO will notify the provider if improper disclosures are
[[Page 8126]]
made of patient safety work product relating to that provider.
This proposed Subpart enables a broad variety of health care
providers to work voluntarily with entities that have certified to the
Secretary that they have the ability and expertise to carry out broadly
defined patient safety activities of the Patient Safety Act and,
therefore, to serve as consultants to eligible providers to improve
patient care. In accordance with the Patient Safety Act, we propose an
attestation-based process for initial and continued listing of an
entity as a PSO. This includes an attestation-based approach for
meeting the statutory requirement that each PSO, within 24 months of
being listed and in each sequential 24-month period thereafter, must
have bona fide contracts with more than one provider for the receipt
and review of patient safety work product.
This streamlined approach of the statute and the proposed rule is
intended to encourage the rapid development of expertise in health care
improvement. This framework allows the marketplace to be the principal
arbiter of the capabilities of each PSO. Listing as a PSO by the
Secretary does not entitle an entity to Federal funding. The financial
viability of most PSOs will derive from their ability to attract and
retain contracts with providers or to attract financial support from
other organizations, such as charitable foundations dedicated to health
system improvement. Even when a provider organization considers
establishing a PSO (what this proposed rule terms a component PSO) to
serve the needs of its organization, we expect it will weigh the value
of, and the business case for, such a PSO.
Proposed Subpart B attempts to minimize regulatory burden while
fostering transparency to enhance the ability of providers to assess
the strengths and weaknesses of their choice of PSOs. For example, we
encourage, but do not require, an entity seeking listing to develop and
post on their own Web sites narrative statements describing the
expertise of the personnel the entity will have at its disposal, and
outlining the way it will approach its mission and comply with the
statute's certification requirements.
We similarly propose to apply transparency to our implementation of
the statute's requirement for disclosure by PSOs of potential conflicts
of interest with their provider clients. While the statute only
requires public release of the findings of the Secretary after review
of such disclosures, we propose to make public, consistent with
applicable law, including the Freedom of Information Act, a PSO's
disclosure statements as well. In our view, in addition to having the
benefit of the Secretary's determination, a provider, as the
prospective consumer of PSO services, should be able to make its own
determination regarding the appropriateness of the relationships that a
PSO has with its other provider clients and the impact those
relationships might have on its particular needs. For example, a
provider might care if a PSO--despite the Secretary's determination
that it had been established with sufficient operational and other
independence to qualify for listing as a PSO--was owned, operated, or
managed by the provider's major competitor.
The provisions of this proposed Subpart also emphasize the need for
vigilance in providing security for patient safety work product. To
achieve the widespread provider participation intended by this statute,
PSOs must foster and maintain the confidence of providers in the
security of patient safety work product in which providers and patients
are identified. Therefore, we propose to require a security framework,
which each PSO must address with standards it determines appropriate to
the size and complexity of its organization, pertaining to the
separation of data and systems and to security management control,
monitoring, and assessment.
The Patient Safety Act recognizes that PSOs will need to enter
business associate agreements to receive protected health information
from providers that are covered entities under the HIPAA Privacy Rule.
As a business associate of such a provider, a PSO will have to meet
certain contractual requirements on the use and disclosure of protected
health information for compliance with the HIPAA Privacy Rule that are
in addition to the requirements set forth in this proposed rule. Those
requirements include the notification of a covered entity when
protected health information is inappropriately disclosed in violation
of the HIPAA Privacy Rule.
We do not propose to require reporting of impermissible disclosures
of other patient safety work product that does not contain protected
health information. We solicit comments on whether to parallel the
business associate requirements of the HIPAA Privacy Rule. Such a
requirement, if implemented, would require a PSO to notify the
organizational source of patient safety work product if the information
it shared has been impermissibly used or disclosed. Note that such
reporting requirements could be voluntarily agreed to by contract
between providers and their PSO.
Section 924(b)(2)(A) and (B) of the Public Health Service Act, 42
U.S.C. 299b-24(b)(2)(A) and (B), suggests Congressional concern that a
strong firewall must be maintained between a component PSO and the rest
of the organization(s) of which it is a part. This proposed subpart
proposes specific safeguards that such component PSOs must implement to
effectively address those concerns.
As this discussion suggests, in developing this proposed Subpart,
we have proposed the most specific requirements in the areas of
security and disclosure of potential conflicts of interest. We expect
to offer technical assistance and encourage transparency wherever
possible to promote implementation, compliance, and correction of
deficiencies. At the same time, this proposed Subpart establishes
processes that will permit the Secretary promptly to revoke a PSO's
certification and remove it from listing, if such action proves
necessary.
1. Proposed Sec. 3.102--Process and Requirements for Initial and
Continued Listing of PSOs
Proposed Sec. 3.102 sets out: The submissions that the Department,
in carrying out its responsibilities, proposes to require, consistent
with the Patient Safety Act, for initial and continued listing as a
PSO; the certifications that all entities must make as part of the
listing process; the additional certifications that component
organizations must make as part of the listing process; the requirement
for biennial submission of a certification that the PSO has entered
into the required number of contracts; and the circumstances under
which a PSO must submit a disclosure statement regarding the
relationships it has with its contracting providers.
(A) Proposed Sec. 3.102(a)--Eligibility and Process for Initial and
Continued Listing
In this section, we propose to establish a streamlined
certification process that minimizes barriers to entry for a broad
variety of entities seeking to be listed as a PSO. With several
exceptions, any entity--public or private, for-profit or not-for
profit--may seek initial or continued listing by the Secretary as a
PSO. The statute precludes a health insurance issuer and a component of
a health insurance issuer from becoming a PSO (section 924(b)(1)(D) of
the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(D)).
In addition, we propose to preclude any other entity, public or
private, from
[[Page 8127]]
seeking listing as a PSO if the entity conducts regulatory oversight of
health care providers, including accreditation or licensure. We propose
this restriction for consistency with the statute, which seeks to
foster a ``culture of safety'' in which health care providers are
confident that the patient safety events that they report will be used
for learning and improvement, not oversight, penalties, or punishment.
Listing organizations with regulatory authority as PSOs would be likely
to undermine provider confidence that adequate separation of PSO and
regulatory activities would be maintained.
We note that the Patient Safety Act permits a component
organization of an entity to seek listing as a PSO if the component
organization establishes a strong firewall between its activities as a
PSO and the rest of the organization(s) of which it is a part. As
drafted, this proposed regulation permits a component organization of
an entity with any degree of regulatory authority to seek listing as a
component PSO. We have not proposed any restrictions on such component
organizations for several reasons. First, we expect that the statutory
requirement for a strong firewall between a component PSO and its
parent organization(s) with respect to its activities as a PSO and the
protected information it holds will provide adequate safeguards.
Second, providers will have access to the names of parent organizations
of component PSOs. We propose in Sec. 3.102(c) that any component
organization must disclose the name of its parent organization(s) (see
the proposed definitions of component and parent organizations in Sec.
3.20). We intend to make this information publicly available and expect
to post it on the PSO Web site we plan to establish (see the preamble
discussion regarding proposed Sec. 3.104(d)). This will provide
transparency and enable providers to determine whether the
organizational affiliation(s) of a component PSO are of concern.
Finally, we believe that allowing the marketplace to determine whether
a component PSO has acceptable or unacceptable ties to an entity with
regulatory authority is consistent with our overall approach to
regulation of PSOs.
At the same time, we recognize that some organizations exercise a
considerable level of regulatory oversight over providers and there may
be concerns that such organizations could circumvent the firewalls
proposed below in Sec. 3.102(c) or might attempt to require providers
to work with a component PSO that the regulatory entity creates.
Accordingly, we specifically seek comment on the approach we have
proposed and whether we should consider a broader restriction on
component organizations of entities that are regulatory. For example,
should components of state health departments be precluded from seeking
listing because of the broad authority of such departments to regulate
provider behavior? If a broader restriction is proposed, we would
especially welcome suggestions on clear, unambiguous criteria for its
implementation.
We will develop certification forms for entities seeking initial
and continued listing that contain or restate the respective
certifications described in proposed Sec. 3.102(b) and Sec. 3.102(c).
An individual with authority to make commitments on behalf of the
entity seeking listing would be required to acknowledge each of the
certification requirements, attest that the entity meets each of the
certification requirements on the form, and provide contact information
for the entity. The certification form would also require an
attestation that the entity is not subject to the limitation on listing
proposed in this subsection and an attestation that, once listed as a
PSO, it will notify the Secretary if it is no longer able to meet the
requirements of proposed Sec. 3.102(b) and Sec. 3.102(c).
To facilitate the development of a marketplace for the services of
PSOs, entities are encouraged, but not required, to develop and post on
their own Web sites narratives that specify how the entity will
approach its mission, how it will comply with the certification
requirements, and describe the qualifications of the entity's
personnel. With appropriate disclaimers of any implied endorsement, we
expect to post citations or links to the Web sites of all listed
entities on the PSO Web site that we plan to establish pursuant to
proposed Sec. 3.104(d). We believe that clear narratives of how PSOs
will meet their statutory and regulatory responsibilities will help
providers, who are seeking the services of a PSO, to assess their
options. The Department's PSO Web site address will be identified in
the final rule and will be available from AHRQ upon request.
(B) Proposed Sec. 3.102(b)--Fifteen General Certification Requirements
In accordance with section 924(a) of the Public Health Service Act,
42 U.S.C. 299b-24(a), the proposed rule would require all entities
seeking initial or continued listing as a PSO to meet 15 general
certification requirements: eight requirements related to patient
safety activities and seven criteria governing their operation. At
initial listing, the entity would be required to certify that it has
policies and procedures in place to carry out the eight patient safety
activities defined in the Patient Safety Act and incorporated in
proposed Sec. 3.20, and upon listing, would meet the seven criteria
specified in proposed Sec. 3.102 (b)(2). Submissions for continued
listing would require certifications that the PSO is performing, and
will continue to perform, the eight patient safety activities and is
complying with, and would continue to comply with, the seven criteria.
(1) Proposed Sec. 3.102(b)(1)--Required Certification Regarding Eight
Patient Safety Activities
Proposed Sec. 3.102(b)(1) addresses the eight required patient
safety activities that are listed in the definition of patient safety
activities at proposed Sec. 3.20 (section 921(5) of the Public Health
Service Act, 42 U.S.C. 299b-21(5)). Because certification relies
primarily upon attestations by entities seeking listing, rather than
submission and review of documentation, it is critical that entities
seeking listing have a common and shared understanding of what each
certification requirement entails. We conclude that five of the eight
required patient safety activities need no elaboration. These five
patient safety activities include: Efforts to improve patient safety
and quality; the collection and analysis of patient safety work
product; the development and dissemination of information with respect
to improving patient safety; the utilization of patient safety work
product for the purposes of encouraging a culture of safety and
providing feedback and assistance; and the utilization of qualified
staff.
We address a sixth patient safety activity, related to the
operation of a patient safety evaluation system, in the discussion of
the definition of that term in proposed Sec. 3.20. We provide greater
clarity here regarding the actions that an entity must take to comply
with the remaining two patient safety activities, which involve the
preservation of confidentiality of patient safety work product and the
provision of appropriate security measures for patient safety work
product.
We interpret the certification to preserve confidentiality of
patient safety work product to require conformance with the
confidentiality provisions of proposed Subpart C as well as the
requirements of the Patient Safety Act. Certification to provide
appropriate security measures require PSOs, their workforce members,
and their
[[Page 8128]]
contractors when they hold patient safety work product to conform to
the requirements of proposed Sec. 3.106, as well as the provisions of
the Patient Safety Act.
(2) Proposed Sec. 3.102(b)(2)--Required Certification Regarding Seven
PSO Criteria
Proposed Sec. 3.102(b)(2) lists seven criteria that are drawn from
the Patient Safety Act (section 924(b) of the Public Health Service
Act, 42 U.S.C. 299b-24(b)), which an entity must meet during its period
of listing. We conclude that the statutory language for three of the
seven required criteria is clear and further elaboration is not
required. These three criteria include: The mission and primary
activity of the entity is patient safety, the entity has appropriately
qualified staff, and the entity utilizes patient safety work product
for provision of direct feedback and assistance to providers to
effectively minimize patient risk.
Two of the criteria are addressed elsewhere in the proposed rule:
the exclusion of health insurance issuer or components of health
insurance issuers from being PSOs is discussed above in the context of
the definition of that term in proposed Sec. 3.20 and the requirements
for submitting disclosure statements are addressed in the preamble
discussion below regarding proposed Sec. 3.102(d)(2) (the proposed
criteria against which the Secretary will review the disclosure
statements are set forth in Sec. 3.104(c)). The remaining two PSO
criteria--the minimum contract requirement and the collection of data
in a standardized manner--are discussed here.
The Minimum Contracts Requirement. First, we propose to clarify the
requirement in section 924(b)(1)(C) of the Public Health Service Act,
42 U.S.C. 299b-24(b)(1)(C) that a PSO must enter into bona fide
contracts with more than one provider for the receipt and review of
patient safety work product within every 24-month period after the
PSO's initial date of listing.
We note that the statutory language establishes four conditions
that must be met for a PSO to be in compliance with this requirement.
We propose to interpret two of them for purposes of clarity in the
final rule: (1) The PSO must have contracts with more than one
provider, and (2) the contract period must be for ``a reasonable period
of time.'' Most contracts will easily meet the third requirement: that
contracts must be ``bona fide'' (our definition is in proposed Sec.
3.20). Finally, the fourth requirement, that contracts must involve the
receipt and review of patient safety work product, does not require
elaboration.
We propose that a PSO would meet the requirement for ``contracts
with more than one provider'' if it enters a minimum of two contracts
within each 24-month period that begins with its initial date of
listing. We note that the statutory requirement in section 924(b)(1)(C)
of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(C),
unambiguously requires multiple contracts (i.e., more than one). One
contract with two or more providers would not fully meet the statute's
requirement. To illustrate, one contract with a 50-hospital system
would not meet the requirement; two 25-hospital contracts with that
same hospital system would meet the requirement. We believe that the
statutory requirement was intended to encourage PSOs to aggregate data
from multiple providers, in order to expand the volume of their data,
thereby improving the basis on which patterns of errors and the causes
for those errors can be identified. This statutory objective is worth
noting as a goal for PSOs. A PSO can achieve this goal by aggregating
data from multiple providers or by pooling or comparing data with other
PSOs, subject to statutory, regulatory, and contractual limitations.
The statute requires that these contracts must be ``for a
reasonable period of time.'' We propose to clarify in the final rule
when a PSO would be in compliance with this statutory requirement. The
approach could be time-based (e.g., a specific number of months), task-
based (e.g., the contract duration is linked to completion of specific
tasks but, under this option, the final rule would not set a specific
time period), or provide both options. We seek comments on the
operational implications of these alternative approaches and the
specific standard(s) for each option that we should consider. By
establishing standard(s) in the final rule, we intend to create
certainty for contracting providers and PSOs as to whether the duration
requirement has been met. We note that whatever requirement is
incorporated in the final rule will apply only to the two required
contracts. A PSO can enter other contracts, whether time-based or task-
based, without regard to the standard(s) for the two required
contracts.
Apart from the requirements outlined above, there are no limits on
the types of contracts that a PSO can enter; its contracts can address
all or just one of the required patient safety activities, assist
providers in addressing all, or just a specialized range, of patient
safety topics, or the PSO can specialize in assisting specific types of
providers, specialty societies, or provider membership organizations.
Because of the limits on the extraterritorial application of U.S. law
and the fact that privilege protections are limited to courts in the
United States (Federal, State, etc.), the protections in the proposed
rule apply only to protected data shared between PSOs and providers
within the United States and its territories; there is only this one
geographical limitation on a PSO's operations.
If they choose to do so, providers and PSOs may enter into
contracts that specify stronger confidentiality protections than those
specified in this proposed rule and the Patient Safety Act (section
922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22 (g)(3)).
For example, a provider could choose to de-identify or anonymize
information it reports to a PSO.
We note that the Secretary proposes to exercise his authority to
extend the definition of ``provider'' for the purposes of this statute
to include a provider's ``parent organization'' (both terms are defined
in proposed Sec. 3.20). This proposed addition is intended to provide
an option for health systems (e.g., holding companies or a state
system) to enter system-wide contracts with PSOs if they choose to do
so. This option would not be available in the absence of this provision
because the parent organizations of many health care systems are often
corporate management entities or governmental entities that are not
considered licensed or authorized health care providers under state
law.
Collecting data in a standardized manner. Section 924(b)(1)(F) of
the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(F), requires
PSOs, to the extent practical and appropriate, to collect patient
safety work product from providers in a standardized manner, to permit
valid comparisons of similar cases among similar providers. One of the
goals of the legislation is to facilitate a PSO aggregating sufficient
data to identify and to address underlying causal factors of patient
safety problems. A PSO is more valuable if it is able to aggregate
patient safety work product it receives directly from multiple
providers, and if it chooses to do so, aggregate its data with patient
safety work product received from other PSOs and/or share
nonidentifiable patient safety work product with a network of patient
safety databases described in section 923 of the Public Health Service
Act, 42 U.S.C. 299b-23. We recognize that if patient safety work
product is not collected initially using common data
[[Page 8129]]
elements and consistent definitions, it may be difficult to aggregate
such data subsequently in order to develop valid comparisons across
providers and potentially, PSOs. We also recognize, however, that the
providers who work with PSOs may have varying levels of sophistication
with respect to patient safety issues and that reporting patient safety
work product to a PSO in a standardized manner or using standardized
reporting formats may not be initially practicable for certain
providers or in certain circumstances. The discussion which follows
outlines the timetable and the process to which we are committed.
The Secretary intends to provide ongoing guidance to PSOs on
formats and definitions that would facilitate the ability of PSOs to
aggregate patient safety work product. We expect to provide initial
guidance beginning with the most common types of patient safety events,
before the final rule is issued, to facilitate the ability of PSOs to
develop valid comparisons among providers. The Department will make
such formats and definitions available for public comment in a non-
regulatory format via publication in the Federal Register. We are
considering, and we seek comment on, including a clarification in the
final rule, that compliance with this certification requirement would
mean that a PSO, to the extent practical and appropriate, will
aggregate patient safety work product consistent with the Secretary's
guidance regarding reporting formats and definitions when such guidance
becomes available.
The process for developing and maintaining common formats. AHRQ has
established a process to develop common formats that: (1) Is evidence-
based; (2) harmonizes across governmental health agencies; (3)
incorporates feedback from the public, professional associations/
organizations, and users; and (4) permits timely updating of these
clinically-sensitive formats.
In anticipation of the need for common formats, AHRQ began the
process of developing them in 2005. That process consists of the
following steps: (1) Develop an inventory of functioning patient safety
reporting systems to inform the construction of the common formats (an
evidence base). Included in this inventory, now numbering 64 systems,
are the major Centers for Disease Control and Prevention (CDC) and Food
and Drug Administration (FDA) reporting systems as well as many from
the private sector. (2) Convene an interagency Patient Safety Work
Group (PSWG) to develop draft formats. Included are major health
agencies within the Department--CDC, Centers for Medicare and Medicaid
Services, FDA, Health Resources and Services Administration, the Indian
Health Service (IHS), the National Institutes of Health--as well as the
Department of Defense (DoD) and the Veterans Administration (VA). (3)
Pilot test draft formats--to be conducted in February-March of 2008 in
DoD, IHS, and VA facilities. (4) Publish version 0.1 (beta) of the
formats in the Federal Register, along with explanatory material, and
solicit public comment--planned for July/August 2008. (5) Let a task
order contract (completed) with the National Quality Forum (NQF) to
solicit input from the private sector regarding the formats. NQF's role
will be periodically to solicit input from the private sector to assist
the Department in updating its versions of the formats. NQF will begin
with version 0.1 (beta) of the common formats and solicit public
comments (including from providers, professional organizations, the
general public, and PSOs), triage them in terms of immediacy of
importance, set priorities, and convene expert panel(s) to offer advice
on updates to the formats. This process will be a continuing one,
guiding periodic updates of the common formats. (6) Accept input from
the NQF, revise the formats in consultation with the PSWG, and publish
subsequent versions in the Federal Register. Comments will be accepted
at all times from public and governmental sources, as well as the NQF,
and used in updating of the formats.
This process ensures intergovernmental consistency as well as input
from the private sector, including, most importantly, those who may use
the common formats. This latter group, the users, will be the most
sensitive to and aware of needed updates/improvements to the formats.
The PSWG, acting as the fulcrum for original development and continuing
upgrading/maintenance, assures consistency of definitions/formats among
government agencies. For instance, the current draft formats follow CDC
definitions of healthcare associated infections and FDA definitions of
adverse drug events. AHRQ has been careful to promote consensus among
Departmental agencies on all draft common formats developed to date.
The NQF is a respected private sector organization that is suited to
solicit and analyze input from the private sector.
We welcome comments on our proposed approach to meeting statutory
objectives.
(C) Proposed Sec. 3.102(c)--Additional Certifications Required of
Component Organizations
Section 924(b)(2) of the Public Health Service Act, 42 U.S.C. 299b-
24(b)(2) and the proposed definition of component organization in
proposed Sec. 3.20 requires an entity that is a component of another
organization or multi-organizational enterprise that seeks initial or
continued listing to certify that it will meet three requirements in
addition to certifying that it will meet the 15 general requirements
specified in proposed Sec. 3.102(b). We have indicated the types of
entities that would be required to seek listing as a component
organization in our discussion of the proposed definitions in proposed
Sec. 3.20 of the terms ``component organization'' and ``parent
organization.'' To be listed as a component PSO, an entity would also
be required to make three additional certifications regarding the
entity's independent operation and separateness from the larger
organization or enterprise of which it is a part: the entity would
certify to (1) the secure maintenance of documents and information
separate from the rest of the organization(s) or enterprise of which it
is a part; (2) the avoidance of unauthorized disclosures to the
organization(s) or enterprise of which it is a part; and (3) the
absence of a conflict between its mission and the rest of the
organization(s) or enterprise of which it is a part. We propose in
Sec. 3.102(c) specific requirements that will ensure that such
component PSOs implement the type of safeguards for patient safety work
product that the three additional statutory certification requirements
for component organizations are intended to provide.
First, the statute requires a component PSO to maintain patient
safety work product separate from the rest of the organization(s) or
enterprise of which it is a part (section 924(b)(2)(A) of the Public
Health Service Act, 42 U.S.C. 299b-24(b)(2)(A)). To ensure compliance
with this statutory requirement, we considered, but did not include
here, a proposal to prohibit a component PSO from contracting,
subcontracting, or entering any agreement with any part of the
organization(s) or enterprise of which it is a part for the performance
of any work involving the use of patient safety work product. We seek
comment on the limited exception proposed in Sec. 3.102(c) here that
would permit such contracts or subcontracts only if they can be carried
out in a manner that is consistent with the statutory
[[Page 8130]]
requirements of this section. This means that, while a component PSO
could enter such arrangements involving the use of patient safety work
product with a unit of the organization(s) or enterprise of which it is
a part, the component PSO would maintain the patient safety work
product and be responsible for its security (i.e., control the access
and use of it by the contracting unit). In addition, under our
proposal, while allowing access to the contracting unit of the
identifiable patient safety work product necessary to carry out the
contractual assignment would be a permissible disclosure, the component
PSO would remain responsible for ensuring that the contracting unit
does not violate the prohibitions related to unauthorized disclosures
required under 924(b)(2)(B) of the PHS Act, 42 U.S.C. 299b-24(b)(2)(B),
(i.e., disclosures to other units of the organization or enterprise)
and that there is no conflict between the mission of the component PSO
and the contracting unit, as required under 924(b)(2)(C) of the PHS
Act, 42 U.S.C. 299b-24(b)(2)(C). We invite comment on whether such a
limited exception is necessary or appropriate and, if so, the
appropriateness of the restrictions we have proposed.
Second, a component PSO would not be permitted to have a shared
information system with the rest of the organization(s) since this
might provide unauthorized access to patient safety work product. For
example, we intend to prohibit a component PSO from storing any patient
safety work product in information systems or databases to which the
rest of the organization(s) or enterprise of which it is a part would
have access or the ability to remove or transmit a copy. We
preliminarily conclude that most security measures, such as password
protection of the component PSO's information, are too easily
circumvented.
Third, the proposed rule provides that the workforce of the
component PSO must not engage in work for the rest of the
organization(s) if such work could be informed or influenced by the
individual's knowledge of identifiable patient safety work product. For
example, a component PSO could share accounting or administrative
support staff under our proposal because the work of these individuals
for the rest of the organization(s) would not be informed or influenced
by their knowledge of patient safety work product. By contrast, if the
rest of the organization provides health care services, a physician who
served on a parent organization's credentialing, hiring, or
disciplinary committee(s) could not also work for the PSO. Knowledge of
confidential patient safety work product could influence his or her
decisions regarding credentialing, hiring, or disciplining of providers
who are identifiable in the patient safety work product.
We provide one exception to the last prohibition. It is not our
intent to prohibit a clinician, whose work for the rest of the
organization is solely the provision of patient care, from undertaking
work for the component PSO. We see no conflict if the patient care
provided by the clinician is informed by the clinical insights that
result from his or her work for the component PSO. If a clinician has
duties beyond patient care, this exception only applies if the other
duties do not violate the general prohibition (i.e., that the other
duties for the rest of the organization(s) cannot be informed by
knowledge of patient safety work product).
As part of the requirement that the PSO must certify that there is
no conflict between its mission and the rest of the organization(s), we
propose that the certification form will require the PSO to provide the
name(s) of the organization(s) or enterprise of which it is a part (see
the discussions of our definitions of parent and component
organizations in proposed Sec. 3.20).
We have not proposed specific standards to determine whether
conflicts exist between a PSO and other components of the organization
or enterprise of which it is a part. We recognize that some industries
and particular professions, such as the legal profession through state-
based codes of professional responsibility, have specific standards or
tests for determining whether a conflict exists. We request comments on
whether the final rule should include any specific standards, and, if
so, what criteria should be put in place to determine whether a
conflict exists.
(D) Proposed Sec. 3.102(d)--Required Notifications
Proposed Sec. 3.102(d) establishes in regulation two required
notifications that implement two statutory provisions: a notification
to the Secretary certifying whether the PSO has met the biennial
requirement for bona fide contracts with more than one provider
(section 924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-
24(b)(1)(C)); and the submission of a disclosure statement to the
Secretary whenever a PSO has established specific types of
relationships (discussed below) with a contracting provider, in
particular where a PSO is not managed or controlled independently from,
or if it does not operate independently from, a contracting provider
(section 924(b)(1)(E) of the Public Health Service Act, 42 U.S.C. 299b-
24(b)(1)(E)).
(1) Proposed Sec. 3.102(d)(1)--Notification Regarding PSO Compliance
With the Minimum Contract Requirement
Proposed Sec. 3.102(d)(1) requires a PSO to notify the Secretary
whether it has entered at least two bona fide contracts that meet the
requirements of proposed Sec. 3.102(b)(2). The notification
requirement implements the statutory requirement in section
924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-
24(b)(1)(C), that a PSO must have contracts with more than one
provider. Notification to the Secretary will be by attestation on a
certification form developed pursuant to proposed Sec. 3.112. Prompt
notification of the Secretary that a PSO has entered two or more
contracts will result in earlier publication of that information by the
Secretary and this may be to the PSO's benefit.
We propose that the Secretary receive initial notification from a
PSO no later than 45 calendar days before the last day of the period
that is 24 months after the date of its initial listing and 45 calendar
days prior to the last day of every 24-month period thereafter. While
each PSO will have the full statutory period of 24 months to comply
with this requirement, we propose an earlier date for notification of
the Secretary to harmonize this notification requirement with the
requirement, established by section 924(e) of the Public Health Service
Act, 42 U.S.C. 299b-24(e), that the Secretary provide each PSO with a
period of time to correct a deficiency. If the Secretary were to
provide a period for correction that begins after the 24-month period
has ended, the result would be that some PSOs would be granted
compliance periods that extend beyond the unambiguous statutory
deadline for compliance. To avoid this unfair result, we propose that a
PSO certify to the Secretary whether it has complied with this
requirement 45 calendar days in advance of the final day of its
applicable 24-month period.
If a PSO notifies the Secretary that it cannot certify compliance
or fails to submit the required notification, the Secretary, pursuant
to proposed Sec. 3.108(a)(2), will then issue a preliminary finding of
deficiency and provide a period for correction that extends until
midnight of the last day of the applicable 24-month assessment period
for the PSO. In this way, the requirement for an opportunity for
correction can be met without granting any PSO a period for compliance
that
[[Page 8131]]
exceeds the statutory limit. We invite comments on alternative
approaches to harmonize these two potentially conflicting requirements.
We note that contracts that are entered into after midnight on the
last day of the applicable 24-month period do not count toward meeting
the two-contract requirement for that 24-month assessment period. If a
PSO does not meet the requirement by midnight of the last day of the
applicable 24-month assessment period, the Secretary will issue a
notice of revocation and delisting pursuant to proposed Sec.
3.108(a)(3).
(2) Proposed Sec. 3.102(d)(2)--Notification Regarding PSO's
Relationships With Its Contracting Providers
Proposed Sec. 3.102(d)(2) establishes the circumstances under
which a PSO must submit a disclosure statement to the Secretary
regarding its relationship(s) with any contracting provider(s) and the
deadline for such required submissions.
The purpose of this disclosure requirement is illuminated by the
statutory obligation of the Secretary, set forth in section 924(c)(3)
of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3), to review
the disclosure statements and make public findings ``whether the entity
can fairly and accurately perform the patient safety activities of a
patient safety organization.'' To provide the Secretary with the
information necessary to make such a judgment, section 924(b)(1)(E) of
the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(E), requires a
PSO to fully disclose information to the Secretary if the PSO has
certain types of relationships with a contracting provider and, if
applicable, whether the PSO is not independently managed or controlled,
or if it does not operate independently from, the contracting provider.
The statutory requirement for a PSO to submit a disclosure
statement applies only when a PSO has entered into a contract with a
provider; if there is no contractual relationship between the PSO and a
provider pursuant to the Patient Safety Act, a disclosure statement is
not required. Even when a PSO has entered a contract with a provider,
we propose that a PSO would need to file a disclosure statement
regarding a contracting provider only when the circumstances, specified
in section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299-
24(c)(3), and discussed here, are present.
A PSO is first required to assess whether a disclosure statement
must be submitted to the Secretary when the PSO enters a contract with
a provider, but we note that the disclosure requirement remains in
effect during the entire contract period. Even when a disclosure
statement is not required at the outset of the contract period, if the
circumstances discussed here arise, a disclosure statement must be
submitted at that time to the Secretary for review.
With respect to a provider with which it has entered a contract, a
PSO is required to submit a disclosure statement to the Secretary only
if either or both of the following circumstances are present. First, a
disclosure statement must be filed if the PSO has any financial,
reporting, or contractual relationships with a contracting provider
(other than the contract entered into pursuant to the Patient Safety
Act). Second, taking into account all relationships that the PSO has
with that contracting provider, a PSO must file a disclosure statement
if it is not independently managed or controlled, or if it does not
operate independently from, the contracting provider.
With respect to financial, reporting or contractual relationships,
the proposed rule states that contractual relationships that must be
disclosed are not limited to formal contracts but encompass any oral or
written arrangement that imposes responsibilities on the PSO. For
example, the provider may already have a contract or other arrangement
with the PSO for assistance in implementation of proven patient safety
interventions and is now seeking additional help from the PSO for the
review of patient safety work product. A financial relationship
involves almost any direct or indirect ownership or investment
relationship between the PSO and the contracting provider, shared or
common financial interests, or direct or indirect compensation
arrangement, whether in cash or in-kind. A reporting relationship
includes a relationship that gives the provider access to information
that the PSO holds that is not available to other contracting providers
or control, directly or indirectly, over the work of the PSO that is
not available to other contracting providers. If any such relationships
are present, the PSO must file a disclosure statement and describe
fully all of these relationships.
The other circumstance that triggers the requirement to disclose
information to the Secretary is the provision of the Patient Safety Act
that requires the entity to fully disclose ``if applicable, the fact
that the entity is not managed, controlled, and operated independently
from any provider that contracts with the entity.'' See section
924(b)(1)(E) of the Public Health Service Act, 42 U.S.C. 299b-
24(b)(1)(E). We propose to interpret this provision as noted above
because we believe that the adverb ``independently'' modifies all three
verbs--that is, that the entity is required to disclose when it is not
managed independently from, is not controlled independently from, or is
not operated independently from, any provider that contracts with the
entity.
Disclosure would be required, for example, if the contracting
provider created the PSO and exercises a degree of management or
control over the PSO, such as overseeing the establishment of its
budget or fees, hiring decisions, or staff assignments. Another example
of such a relationship that would require disclosure would be the
existence of any form of inter-locking governance structure. We
recognize that contracts, by their very nature, will enable a
contracting provider to specify tasks that the PSO undertakes or to
direct the PSO to review specific cases and not others. These types of
requirements reflect the nature of any contractual relationship and do
not trigger a requirement to file such a disclosure statement. The
focus of this provision as indicated in section 924(c)(3) of the Public
Health Service Act, 42 U.S.C. 299b-24(c)(3), and here is on the
exercise of the type of control that could compromise the ability of
the PSO to fairly and accurately carry out patient safety activities.
If the contracting provider exercises this type of influence over the
PSO, the PSO must file a disclosure statement and fully disclose the
nature of the influence exercised by the contracting provider.
To meet the statutory requirement for full disclosure, a PSO's
submission should attempt to put the significance of the financial,
reporting, or contractual relationship in perspective (e.g., relative
to other sources of PSO revenue or other types of contractual or
reporting relationships). We would also encourage PSOs to list any
agreements, stipulations, or procedural safeguards that might offset
the influence of the provider and that might protect the ability of the
PSO to operate independently. By doing so, a PSO can ensure that its
disclosure statements present a full and, if applicable, balanced
picture of the relationships and degree of independence that exist
between the PSO and its contracting provider(s).
We propose to require that, whenever a PSO determines that it must
file a statement based upon these requirements, the Secretary must
receive the disclosure statement within 45 calendar days. The PSO must
make an initial determination on the date on which a contract is
entered. If the PSO determines that it must file a disclosure
[[Page 8132]]
statement, the Secretary must receive the disclosure statement no later
than 45 days after the date on which the contract was entered. During
the contract period, the Secretary must receive a disclosure statement
within 45 calendar days of the date on which either or both of the
circumstances described above arise. If the Secretary determines, after
the applicable 45-day period, that a required disclosure statement was
not received from a PSO, the Secretary may issue to the PSO a notice of
a preliminary finding of deficiency, the first step in the revocation
process established by proposed Sec. 3.108.
2. Proposed Sec. 3.104--Secretarial Actions
Proposed Sec. 3.104 describes the actions that the Secretary may
and will take regarding certification submissions for listing or
continued listing, the required notification certifying that the PSO
has entered the required minimum of two contracts, and disclosure
statements, including the criteria that the Secretary will use in
reviewing such statements and the determinations the Secretary may
make. This proposed section also outlines the types of information that
the Secretary will make public regarding PSOs, specifies how, and for
what period of time, the Secretary will list a PSO whose certification
he has accepted and establishes an effective date for Secretarial
actions under this proposed subpart. See section 924(c) of the Public
Health Service Act, 42 U.S.C. 299b-24(c).
(A) Proposed Sec. 3.104(a)--Actions in Response to Certification
Submissions for Initial and Continued Listing as a PSO
Proposed Sec. 3.104(a) describes the actions that the Secretary
may and will take in response to certification for initial or continued
listing as a PSO (section 924(c)(1)-(2) of the Public Health Service
Act, 42 U.S.C. 299b-24(c)(1)-(2)), submitted to the Secretary pursuant
to the requirements of proposed Sec. 3.102. The decision on whether
and how to list an entity as a PSO will be based upon a determination
of whether the entity meets the applicable requirements of the Patient
Safety Act and this proposed part. In most cases, it is anticipated
that the Secretary will either accept the submission and list the
entity or deny the listing on this basis.
In determining whether to list an entity as a PSO, the proposed
rule requires the Secretary to consider the submitted certification and
any relevant history, such as prior actions the Secretary has taken
regarding the entity or PSO including delisting, any history of or
current non-compliance by the entity or PSO with statutory or
regulatory requirements or requests by the Secretary, relationships of
the entity or PSO with providers and any findings by the Secretary in
accordance with proposed Sec. 3.104(c). Initially, the Secretary will
rely solely on the submitted certification; entities seeking listing
will not have any applicable history of the type specified for the
Secretary to consider. Even over time, we anticipate that the Secretary
would normally rely upon the submitted certification in making a
listing determination.
There may be occasions in future years when the Secretary may need
to take into account the history of an entity or PSO in making a
determination for initial or continued listing. Examples of such
situations might include: A PSO seeking continued listing that has a
history of deficiencies; an entity seeking initial listing may be a
renamed former PSO whose certifications had been revoked for cause by
the Secretary; or the leadership of an entity seeking listing may have
played a leadership role in a former PSO that failed to meet its
obligations to providers during voluntary relinquishment (see proposed
Sec. 3.108(c)). In such circumstances, it may not be prudent for the
Secretary to rely solely upon the certification submitted by the entity
or PSO and this proposed subsection would enable the Secretary to seek
additional information or assurances before reaching a determination on
whether to list an entity. To ensure that the Secretary is aware of any
relevant history before making a listing determination, without
imposing additional burden on most entities seeking listing, we propose
to include an attestation on the certification form that would require
acknowledgement if the entity (under its current name or another) or
any member of its workforce have been party to a delisting
determination by the Secretary. We welcome comment on this proposal, or
alternative approaches, for ensuring that the Secretary can carry out
the requirements of this proposed section.
The Secretary also has the authority, under certain circumstances,
to condition the listing of a PSO under section 924(c)(3) of the Public
Health Service Act, 42 U.S.C. 299b-24(c)(3). The Secretary may
establish conditions on the listing of a PSO following a determination,
pursuant to proposed Sec. 3.104(c), that such conditions are necessary
to ensure that the PSO can fairly and accurately perform patient safety
activities. A decision to impose such conditions will typically occur
after the listing of a PSO, when the PSO submits a disclosure statement
about its relationships with a contracting provider. It also could
occur at the time of initial or continued listing based upon a
Secretarial review of a disclosure statement submitted
contemporaneously with the review of an entity's certification
submission.
The Secretary expects to be able to conclude review of an
application for initial or continued listing within 30 days of receipt
unless additional information or assurances, as described above in the
paragraph discussing the history of an entity or PSO, are required, or
the application as initially submitted is incomplete. The Secretary
will notify each entity that requests listing of the action taken on
its certification submission for initial or continued listing. The
Secretary will provide reasons when an entity's certification is not
accepted and, if the listing is conditioned based upon a determination
made pursuant to proposed Sec. 3.104(c), the reasons for imposing
conditions.
(B) Proposed Sec. 3.104(b)--Actions Regarding PSO Compliance With the
Minimum Contract Requirement
Proposed Sec. 3.104(b) sets forth the required Secretarial action
regarding PSO compliance with the requirement of the proposed rule for
a minimum of two bona fide contracts. If a PSO attests, in the
notification required by proposed Sec. 3.102(d)(1), that it has met
the requirement, the Secretary will acknowledge in writing receipt of
the attestation and include information on the list established
pursuant to proposed Sec. 3.104(d) that the PSO has certified that it
has met the requirement. If the PSO notifies the Secretary that it has
not yet met the requirement, or if notification is not received from
the PSO by the date required under proposed Sec. 3.102(d)(1), the
Secretary, pursuant to proposed Sec. 3.108(a)(2), will issue a notice
of a preliminary finding of deficiency to the PSO and provide an
opportunity for correction that will extend no later than midnight of
the last day of its applicable 24-month assessment period. Under this
authority, the Secretary will require notification of correction and
compliance from a PSO by midnight of the final day of the applicable
24-month period. If the deficiency has not been corrected by that date,
the Secretary will issue promptly a notice of proposed revocation and
delisting pursuant to the requirements of proposed Sec. 3.108(a)(3).
[[Page 8133]]
(C) Proposed Sec. 3.104(c)--Actions Regarding Required Disclosures by
PSOs of Relationships With Contracting Providers.
Proposed Sec. 3.104(c) establishes criteria that the Secretary
will use to evaluate a disclosure statement submitted pursuant to
proposed Sec. 3.102(d)(2), specifies the determinations the Secretary
may make based upon evaluation of any disclosure statement, and
proposes public release, consistent with the Freedom of Information
Act, of disclosure statements submitted by PSOs as well as the
Secretary's findings (see section 924(c)(3) of the Public Health
Service Act, 42 U.S.C. 299b-24(c)(3)).
In reviewing disclosure statements and making public findings, we
propose that the Secretary consider the nature, significance, and
duration of the relationship between the PSO and the contracting
provider. We seek input on other appropriate factors to consider.
Following review of the disclosure statement, the Secretary will
make public findings regarding the ability of the PSO to carry out
fairly and accurately defined patient safety activities as required by
the Patient Safety Act. The Secretary may conclude that the disclosures
require no action on his part or, depending on whether the entity is
listed or seeking listing, may condition his listing of the PSO,
exercise his authority under proposed Sec. 3.104(a) to refuse to list,
or exercise his authority under proposed Sec. 3.108 to revoke the
listing of the entity. The Secretary will notify each entity of his
findings and decision regarding each disclosure statement.
This subsection proposes to make this process transparent,
recognizing that providers seeking to contract with a PSO may want to
make their own judgments regarding the appropriateness of the disclosed
relationships. Therefore, with the exception of information, such as
information that would be exempt from disclosure under the Freedom of
Information Act, we propose to make public each disclosure statement
received from a PSO by including it on the list of PSOs maintained
pursuant to proposed Sec. 3.104(d) and we may post such statements on
the PSO Web site we plan to establish. Public release of PSO disclosure
statements would be in addition to the statutory requirement in section
924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3),
that the Secretary's findings regarding disclosure statements must be
made public. Greater transparency is intended to promote more informed
decision making by providers, who are the primary customers for PSO
services.
(D) Proposed Sec. 3.104(d)--Maintaining a List of PSOs
Proposed Sec. 3.104(d) implements the statutory requirement in
section 924(d) of the Public Health Service Act, 42 U.S.C. 299b-24(d),
that the Secretary compile and maintain a list of those entities whose
PSO certifications have been accepted in accordance with proposed Sec.
3.104(a) and which certifications have not been revoked or voluntarily
relinquished in accordance with proposed Sec. 3.108(b) or (c). The
list will include contact information for each PSO, the effective date
and time of listing of the PSO, a copy of each certification form and
disclosure statement that the Secretary receives from the entity, and
information on whether the PSO has certified that it has met the two
contract requirement in each 24-month assessment period. The list will
also include a copy of the Secretary's findings regarding any
disclosure statements filed by each PSO, including whether any
conditions have been placed on the listing of the entity as a PSO, and
other information that this proposed subpart authorizes the Secretary
to make public. To facilitate the development of a marketplace for the
services of PSOs, we plan to establish a PSO Web site (or a future
technological equivalent) and expect to post the list of PSOs on the
PSO Web site, reserving the right to exclude information contained in
disclosure statements that would be exempt from disclosure under the
Freedom of Information Act. We seek comment on whether there are
specific types of information that the Secretary should consider
posting routinely on this Web site for the benefit of PSOs, providers,
and other consumers of PSO services.
(E) Proposed Sec. 3.104(e)--Three-Year Period of Listing
Proposed Sec. 3.104(e) states that, when the Secretary has
accepted certification submitted for initial or continued listing, the
entity will be listed as a PSO for a period of three years (section
924(a)(2) of the Public Health Service Act, 42 U.S.C. 299b-24(a)(2)),
unless the Secretary revokes the listing or the Secretary determines
that the entity has voluntarily relinquished its status as a PSO (see
proposed Sec. 3.108).
This subsection also provides that the Secretary will send a
written notice of imminent expiration to a PSO no later than 45
calendar days before the date on which the PSO's three-year period of
listing expires if the Secretary has not received a certification
seeking continued listing. This notice is intended to ensure that a PSO
does not let its listing lapse inadvertently. We expect that the
Secretary will include in the notice a date by which the PSO should
submit its certifications to ensure that the Secretary has sufficient
time to act before the current period of listing expires.
We are considering including in the final rule, and seek comment
on, a requirement that the Secretary include information on the public
list of PSOs maintained pursuant to Sec. 3.104(d), that identifies the
PSOs to which a notice of imminent expiration has been sent. The intent
of such a requirement would be to ensure that a provider reporting data
to such a PSO has adequate notice and time to ascertain, if it chooses
to do so, whether that PSO intends to seek continued listing and, if
not, to make alternative arrangements for reporting data to another
PSO.
(F) Proposed Sec. 3.104(f)--Effective Date of Secretarial Actions
Proposed Sec. 3.104(f) states that, unless otherwise specified,
the effective date of each action by the Secretary pursuant to this
proposed subpart will be specified in the written notice that is sent
to the entity. To ensure that an entity receives prompt notification,
the Department anticipates sending such a notice by electronic mail or
other electronic means in addition to a hard copy version. We are
confident that any entity seeking listing as a PSO will have electronic
mail capacity. For listing and delisting, the Secretary will specify
both an effective time and date for such actions in the written notice.
Our intent is to ensure clarity regarding when the entity can receive
information that will be protected as patient safety work product.
3. Proposed Sec. 3.106--Security Requirements
Proposed Sec. 3.106 identifies the entities and individuals that
are subject to the security requirements of this section and
establishes the considerations that entities and individuals specified
in subsection (a) should address to secure patient safety work product
in their possession. This section provides a common framework for
compliance with the requirement in section 921(5)(F) of the Public
Health Service Act, 42 U.S.C. 299b-21(5)(F), that a PSO provide
appropriate security measures with respect to patient safety work
product. In light of the importance of data security to those who
supply patient safety work product to any PSO, maintenance of data
security will be a high and ongoing priority for PSOs.
[[Page 8134]]
(A) Proposed Sec. 3.106(a)--Application
Proposed Sec. 3.106(a) states that the security requirements in
proposed Sec. 3.106(b) apply to each PSO, its workforce members, and
its contractors when the contractors hold patient safety work product.
This proposed subsection applies the requirements at all times and at
any location at which patient safety work product is held. We expect
that it will be more efficient for most PSOs to contract for at least a
portion of the expertise they need to carry out patient safety
activities, including the evaluation of certain types of patient safety
events. In such situations, when a PSO discloses patient safety work
product to a contractor to assist the PSO in carrying out patient
safety activities and the contractor maintains such patient safety work
product at locations other than those controlled by the PSO, our intent
is to ensure that these same security requirements apply. We recognize
that some contractors that a PSO chooses to employ may not want to, or
may not have the resources to, meet these requirements at other
locations. In such circumstances, the contractors will need to perform
their services at locations at which the PSO can ensure that these
security requirements can be met.
We note that this regulation does not impose these requirements on
providers, but agreements between PSOs and providers may by contract
call for providers to adopt equivalent standards.
(B) Proposed Sec. 3.106(b)--Security Framework
Proposed Sec. 3.106(b) establishes a framework consisting of four
categories for the security of patient safety work product that a PSO
must consider, including security management, separation of systems,
security control and monitoring, and security assessment.
This framework is consistent with the standards of the National
Institute of Standards and Technology (NIST) that federal agencies must
follow but this section does not impose on PSOs the specific NIST
standards that Federal agencies must meet. We recognize that it is not
likely that PSOs will have the scale of operation or the resources to
comply with Federal data security standards. Instead, we propose to
require that each PSO must consider the four categories of the NIST
framework set forth in this section by developing appropriate and
scalable standards that are suitable for the size and complexity of its
organization. We seek comment on the extent to which this proposal
adequately and appropriately identifies the most significant security
issues, with respect to patient safety work product that PSOs receive,
develop, or maintain, and which PSOs should be expected to address with
due diligence, and the extent to which our approach provides PSOs with
sufficient flexibility to develop scalable standards.
(1) Proposed Sec. 3.106(b)(1)--Security Management
Proposed Sec. 3.106(b)(1) requires the PSO to approach its
security requirements by: documenting its security requirements for
patient safety work product; taking steps to ensure that its workforce
and contractors as specified in proposed Sec. 3.106(a) understand
their responsibilities regarding patient safety work product and the
confidentiality requirements of the statute, including the potential
imposition of civil money penalties for impermissible disclosures; and
monitoring and improving the effectiveness of its security policies and
procedures.
(2) Proposed Sec. 3.106(b)(2)--Separation of Systems
Under the statute, to preserve the confidentiality of patient
safety work product, it is important to maintain a clear separation
between patient safety work product and information that is not
protected, and a clear separation between patient safety activities and
other activities. As a result, we have incorporated requirements in
proposed Sec. 3.106(b)(2) that PSOs must ensure such separation. The
specific requirements for which a PSO must develop appropriate
standards include: maintaining functional and physical separation of
patient safety work product from other systems of records; protection
of patient safety work product while it is held by the PSO; appropriate
disposal or sanitization of media that have contained patient safety
work product; and preventing physical access to patient safety work
product by unauthorized users or recipients.
(3) Proposed Sec. 3.106(b)(3)--Security Control and Monitoring
Proposed Sec. 3.106(b)(3) requires that policies and procedures
adopted by a PSO related to security control and monitoring must enable
the PSO to identify and authenticate users of patient safety work
product and must create an audit capacity to detect unlawful,
unauthorized, or inappropriate activities involving access to patient
safety work product. To ensure accountability, controls should be
designed to preclude unauthorized removal, transmission or disclosures
of patient safety work product.
(4) Proposed Sec. 3.106(b)(4)--Security Assessment
Proposed Sec. 3.106(b)(4) requires a PSO to develop policies and
procedures that permit it to assess periodically the effectiveness and
weaknesses of its overall approach to security of patient safety work
product. A PSO needs to determine the frequency of security
assessments, determine when it needs to undertake a risk assessment
exercise so that the leadership and the workforce of the PSO are aware
of the risks to PSO assets from security lapses, and specify how it
will assess and adjust its procedures to ensure the security of its
communications involving patient safety work product to and from
providers and other authorized parties. Such communications are
potentially vulnerable weak points for any security system and require
ongoing special attention by a PSO.
4. Proposed Sec. 3.108--Correction of Deficiencies, Revocation and
Voluntary Relinquishment
Proposed Sec. 3.108 describes the process by which PSOs will be
given an opportunity to correct deficiencies, the process for
revocation of acceptance of the certification submitted by an entity
for cause and its removal from the list of PSOs, and specifies the
circumstances under which an entity will be considered to have
voluntarily relinquished its status as a PSO.
This section would establish procedural opportunities for a PSO to
respond during the process that might lead to revocation. When the
Secretary identifies a possible deficiency, the PSO would be given an
opportunity to correct the record if it can demonstrate that the
information regarding a deficiency is erroneous, and if the existence
of a deficiency is uncontested, an opportunity to correct it. The PSO
is encouraged to alert the Department if it faces unanticipated
challenges in correcting the deficiency; we propose that the Secretary
will consider such information in determining whether the PSO has acted
in good faith, whether the deadline for corrective action should be
extended, or whether the required corrective action should be modified.
If the Secretary determines that the PSO has not timely corrected the
deficiency and issues a notice of proposed revocation and delisting,
the PSO will be given an automatic right of appeal to present its case
in writing.
If the Secretary makes a decision to revoke acceptance of the
entity's certification and remove it from the list
[[Page 8135]]
of PSOs, this proposed section specifies the required actions that the
Secretary and the entity must take following such a decision. The
proposed rule implements the statutory requirements for the
establishment of a limited period during which providers can continue
to report information to the former PSO and receive patient safety work
product protections for these data, and establishes a framework for
appropriate disposition of patient safety work product or data held by
the former PSO. See section 924(e)-(g) of the Public Health Service
Act, 42 U.S.C. 299b-24(e)-(g).
This section also describes two circumstances under which an entity
will be considered to have voluntarily relinquished its status as a
PSO: (1) Notification of the Secretary in writing by the PSO of its
intent to relinquish its status voluntarily; and (2) if a PSO lets its
period of listing expire without submission of a certification for
continued listing that the Secretary has accepted. In both
circumstances, we propose that such a PSO consult with the source of
the patient safety work product in its possession to provide notice of
its intention to cease operations and provide for appropriate
disposition of such patient safety work product. When the Secretary
removes a PSO from listing as a result of revocation for cause or
voluntarily relinquishment, the Secretary is required to provide public
notice of the action.
We note that section 921 of the Public Health Service Act, 42
U.S.C. 299b-21, and, therefore, the proposed rule, defines a PSO as an
entity that is listed by the Secretary pursuant to the requirements of
the statute that are incorporated into this proposed rule. This means
that an entity remains a PSO for its three-year period of listing
unless the Secretary removes the entity from the list of PSOs because
he revokes acceptance of its certification and listing for cause or
because the entity voluntarily relinquishes its status as described
below. Accordingly, even when a deficiency is identified publicly or
the proposed requirements of this section have been initiated, we
stress that an entity remains a PSO until the date and time at which
the Secretary's removal of the entity from listing is effective. Until
then, data that is reported to a listed entity by providers shall be
considered patient safety work product and the protections accorded
patient safety work product continue to apply following the delisting
of the PSO.
(A) Proposed Sec. 3.108(a)--Process for Correction of a Deficiency and
Revocation
Proposed Sec. 3.108(a) describes the process by which the
Secretary would provide an opportunity for a PSO to correct identified
deficiencies and, if not timely corrected or if the deficiencies cannot
be ``cured,'' the process that can lead to a determination by the
Secretary to revoke acceptance of a PSO's certification. This section
proposes a two-stage process. The first stage would provide an
opportunity to correct a deficiency. Under the proposal, when the
Secretary identifies a deficiency, the Secretary would send the PSO a
notice of preliminary determination of a deficiency. The PSO would then
have an opportunity to demonstrate that the information on which the
notice was based is incorrect. The notice would include a timetable for
correction of the deficiency and may specify the specific corrective
action and the documentation that the Secretary would need to determine
if the deficiency has been corrected. The PSO would be encouraged to
provide information for the administrative record on unexpected
challenges in correcting the deficiency, since the Secretary has great
flexibility to work with a PSO to facilitate correction of
deficiencies. We anticipate that most PSO deficiencies would be
resolved at this stage.
Under the proposal, the second stage would occur when the Secretary
would conclude that a PSO has not timely corrected a deficiency or has
a pattern of non-compliance and issues the PSO a notice of proposed
revocation and delisting. Rather than requiring a PSO to seek an
opportunity to appeal, the proposed rule would provide an automatic
period of 30 days for a PSO to be heard in writing by submitting a
rebuttal to the findings in the Secretary's notice of revocation and
delisting. The Secretary may then affirm, modify, or reverse the notice
of revocation and delisting.
In light of the procedures in the proposed rule to ensure due
process, we have not proposed to incorporate any further internal
administrative appeal process beyond the Secretary's determination
regarding a notice of proposed revocation and delisting pursuant to
proposed Sec. 3.108(a)(5). We invite comments on our proposed
approach.
(1) Proposed Sec. 3.108(a)(1)--Circumstances Leading to Revocation
Proposed Sec. 3.108(a)(1) lists four circumstances, each of which
is statutorily based, that may lead the Secretary to revoke acceptance
of a PSO's certification and delist the entity: the PSO is not meeting
the obligations to which it certified its compliance as required by
proposed Sec. 3.102; the PSO has not certified to the Secretary that
it has entered the required minimum of two contracts within the
applicable 24-month period pursuant to proposed Sec. 3.102(d)(1); the
Secretary, after reviewing a PSO's disclosure statement submitted
pursuant to proposed Sec. 3.102(d)(2), determines that the PSO cannot
fairly and accurately perform its duties pursuant to proposed Sec.
3.104(c); or the PSO is not in compliance with any other provision of
the Patient Safety Act or this proposed part. (See section 924(c) and
(e) of the Public Health Service Act, 42 U.S.C. 299b-24(c) and (e).)
(2) Proposed Sec. 3.108(a)(2)--Notice of Preliminary Finding of
Deficiency and Establishment of an Opportunity for Correction of a
Deficiency
Under proposed Sec. 3.108(a)(2), when the Secretary has reason to
believe that a PSO is not in compliance with the requirements of the
statute and the final rule, the Secretary would send a written notice
of a preliminary finding of deficiency to the PSO (see section 924(c)
and (e) of the Public Health Service Act, 42 U.S.C. 299b-24(c) and
(e)). The notice would specifically state the actions or inactions that
describe the deficiency, outline the evidence that a deficiency exists,
specify the possible and/or required corrective action(s) that must be
taken, establish an opportunity for correction and a date by which the
corrective action(s) must be completed, and, in certain circumstances,
specify the documentation that the PSO would be required to submit to
demonstrate that the deficiency has been corrected.
We propose that, absent other evidence of actual receipt, we would
assume that the notice of a preliminary finding of deficiency has been
received 5 calendar days after it was sent. Under the proposal, if a
PSO submits evidence to the Secretary that demonstrates to the
Secretary that the preliminary finding is factually incorrect within 14
calendar days following receipt of this notice, the preliminary finding
of deficiency would be withdrawn; otherwise, it would be the basis for
a finding of deficiency. We stress that this would not be an
opportunity to file an appeal regarding the proposed corrective
actions, the period allotted for correcting the deficiency, or the time
to provide explanations regarding why a deficiency exists. This 14-day
period would only ensure that the PSO has an opportunity,
[[Page 8136]]
if the information on which the notice is based is not accurate, to
correct the record immediately. For example, a notice of a preliminary
finding of deficiency may be based on the fact that the Secretary has
no record that the PSO has entered the required two contracts. In this
case, if a PSO can attest that it submitted the certification as
required or can attest that it has entered the required two contracts
consistent with the requirements of proposed Sec. 3.102(d)(1), the
Secretary would then withdraw the notice. If a notice of deficiency is
based on the failure of the PSO to submit a required disclosure
statement within 45 days, the PSO might submit evidence that the
required statement had been sent as required. If the evidence is
convincing, the Secretary would withdraw the notice of preliminary
finding of deficiency. If the Secretary does not consider the evidence
convincing, the Secretary would so notify the PSO and the notice would
remain in effect. The PSO would then need to demonstrate that it has
met the requirements of the notice regarding correction of the
deficiency.
We anticipate that in the vast majority of circumstances in which
the Secretary believes there is a deficiency, the deficiency can and
will be corrected by the PSO. In those cases, as discussed above, the
PSO will be given an opportunity to take the appropriate action to
correct the deficiency, and avoid revocation and delisting. However, we
can anticipate situations in which a PSO's conduct is so egregious that
the Secretary's acceptance of the PSO's certification should be revoked
without the opportunity to cure because there is no meaningful cure. An
example would be where a PSO has a policy and practice of knowingly and
inappropriately selling patient safety work product or where the PSO is
repeatedly deficient and this conduct continues despite previous
opportunities to cure. We are considering adding a provision whereby an
opportunity to ``cure'' would not be available in this type of
situation. Providing the PSO with an opportunity for correction, as
provided in the Patient Safety Act, would entail providing an
opportunity to correct the preliminary factual findings of the
Department. Thus, the PSO would have the chance to demonstrate that we
have the facts wrong or there are relevant facts we are overlooking. We
invite comments regarding this approach and how best to characterize
the situations in which the opportunity to ``cure'' (e.g., to change
policies, practices or procedures, sanction employees, send out
correction notices) would not be sufficient, meaningful, or
appropriate.
(3) Proposed Sec. 3.108(a)(3)--Determination of Correction of a
Deficiency
Proposed section Sec. 3.108(a)(3) addresses the determination of
whether a deficiency has been corrected, including the time frame for
submission of the required documentation that the deficiency has been
corrected, and the actions the Secretary may take after review of the
documentation and any site visit(s) the Secretary deems necessary or
appropriate (see sections 924(c) and (e) of the Public Health Service
Act, 42 U.S.C. 299b-24(c) and (e)).
Under the proposal, during the period of correction, we would
encourage the PSO to keep the Department apprised in writing of its
progress, especially with respect to any challenges it faces in
implementing the required corrective actions. Such communications would
become part of the administrative record. Until there is additional
experience with the operational challenges that PSOs face in
implementing specific types of corrective actions, such information, if
submitted, would be especially helpful for ensuring that the time
frames and the corrective actions specified by the Secretary are
reasonable and appropriate. As noted below, such information would be
considered by the Secretary in making a determination regarding a PSO's
compliance with the correction of a deficiency. Unless the Secretary
specifies a different submission date, or approves such a request from
the PSO, we propose that documentation submitted by the PSO to
demonstrate correction of the deficiency must be received by the
Secretary no later than 5 calendar days after the final day of the
correction period.
Under the proposed rule, in making a determination, the Secretary
would consider the documentation and other information submitted by the
PSO, the findings of any site visit that might have been conducted,
recommendations of program staff, and any other information available
regarding the PSO that the Secretary deems appropriate. After
completing his review, the Secretary may make one of the following
determinations: (1) The action(s) taken by the PSO have corrected any
deficiency, in which case the Secretary will withdraw the notice of
deficiency and so notify the PSO; (2) the PSO has acted in good faith
to correct the deficiency but an additional period of time is necessary
to achieve full compliance and/or the required corrective action
specified in the notice of a preliminary finding of deficiency needs to
be modified in light of the actions undertaken by the PSO so far, in
which case the Secretary will extend the period for correction and/or
modify the specific corrective action required; or (3) the PSO has not
completed the corrective action because it has not acted with
reasonable diligence or timeliness to ensure that the corrective action
was completed within the allotted time, in which case the Secretary
will issue to the PSO a notice of proposed revocation and delisting.
When the Secretary issues a notice of proposed revocation and
delisting, this notice would include those deficiencies that have not
been timely corrected. The notice would be accompanied by information
concerning the manner in which the PSO may exercise its opportunity to
be heard in writing to respond to the deficiency findings described in
the notice.
(4) Proposed Sec. 3.108(a)(4)--Opportunity to be Heard in Writing
Following a Notice of Proposed Revocation and Delisting
Proposed Sec. 3.108(a)(4) sets forth our approach to meeting the
statutory requirement established in section 924(e) of the Public
Health Service Act, 42 U.S.C. 299b-24(e), for a PSO to have an
opportunity to dispute the findings of deficiency in a notice of
proposed revocation and delisting.
Absent other evidence of actual receipt, we would assume that the
notice of proposed revocation and delisting has been received by a PSO
five calendar days after it was sent. Under the proposed rule, unless a
PSO chooses to waive its right to contest a notice of proposed
revocation and delisting and so notifies the Secretary, a PSO would not
need to request an opportunity to appeal a notice of proposed
revocation and delisting. A PSO would automatically have 30 calendar
days, beginning the day the notice is deemed to be received, to
exercise its opportunity to be heard in writing. The Secretary would
consider, and include in the administrative record, any written
information submitted by the PSO within this 30-day period that
responds to the deficiency findings in the notice of proposed
revocation and delisting. If a PSO does not take advantage of the
opportunity to submit a substantive response in writing within 30
calendar days of receipt of the notice of proposed revocation and
delisting, the notice would become final as a matter of law at midnight
of the date specified by the Secretary in the notice. The Secretary
[[Page 8137]]
would provide the PSO with policies and rules of procedures that govern
the form or transmission of the written response to the notice of
proposed revocation and delisting.
We are considering incorporating in the final rule an exception to
our proposed policy of automatically providing a PSO with a 30-day
period in which to submit a written response to a notice of proposed
revocation and delisting. The one exception we are considering relates
to failure to meet the requirement for a minimum of two contracts. The
statutory requirement is unambiguous that this requirement must be met
within every 24-month period after the initial date of listing of the
PSO. We propose elsewhere that a PSO submit its notification 45
calendar days early so that a period for correction can be established
that concludes at midnight of the last day of the applicable 24-month
period established by the statute for compliance. The Secretary would
then need to receive notification from a PSO that this requirement has
been met no later than midnight of that last day (see proposed Sec.
3.102(d)(1) and proposed Sec. 3.104(b)). Other than verifying that the
PSO has not entered into and reported the required two bona fide
contracts by midnight on the last day of the applicable 24-month
period, we see no basis for a written rebuttal of such a deficiency
determination. The language we are considering, therefore, would
authorize the Secretary, when the basis for a notice of proposed
revocation and delisting is the failure of a PSO to meet this very
specific requirement, to proceed to revocation and delisting five
calendar days after the notice of proposed revocation and delisting
would be deemed to have been received.
(5) Proposed Sec. 3.108(a)(5)--The Secretary's Decision Regarding
Revocation
If a written response to the deficiency findings of a notice of
proposed revocation and delisting is submitted by a PSO, proposed Sec.
3.108(a)(5) provides that the Secretary will review the entire
administrative record pertaining to the notice of proposed revocation
and delisting and any written materials submitted by the PSO under
proposed Sec. 3.108(a)(4). The Secretary may affirm, reverse, or
modify the notice of proposed revocation and delisting. The Secretary
will notify the PSO in writing of his decision with respect to any
revocation of the acceptance of its certification and its continued
listing as a PSO. (See section 924(e) of the Public Health Service Act,
42 U.S.C. 299b-24(e).)
(B) Proposed Sec. 3.108(b)--Revocation of the Secretary's Acceptance
of a PSO's Certification
When the Secretary makes a determination to remove the listing of a
PSO for cause pursuant to proposed Sec. 3.108(a), proposed Sec.
3.108(b) specifies the actions that the Secretary and the entity must
take, and implements the protections that the statute affords to data
submitted to such an entity.
(1) Proposed Sec. 3.108(b)(1)--Establishing Revocation for Cause
Under our proposal, after following the requirements of proposed
Sec. 3.108(a), if the Secretary determines pursuant to paragraph
(a)(5) of this section that revocation of the acceptance of a PSO's
certification is warranted for failure to comply with the requirements
of the Patient Safety Act, or the regulations implementing the Patient
Safety Act, the Secretary would establish, and notify the PSO of, the
date and time at which the Secretary will revoke the acceptance of its
certification and remove the entity from the list of PSOs. The
Secretary may include information in the notice on the statutory
requirements, incorporated in proposed Sec. 3.108(b)(2) and Sec.
3.108 (b)(4) and discussed below, that apply to the entity following
the Secretary's actions, and the Secretary would provide public notice
as required by proposed Sec. 3.108(d).
(2) Proposed Sec. 3.108(b)(2)--Required Notification of Providers and
Status of Data
Proposed Sec. 3.108(b)(2) incorporates in the proposed rule the
statutory requirements that are intended to ensure that providers
receive a reasonable amount of notice that the PSO with which they are
working is being removed from the list of PSOs (section 924(e)(2) of
the Public Health Service Act, 42 U.S.C. 299b-24(e)(2)) and to clarify
the status of data submitted by providers to a PSO whose listing has
been revoked (section 924(f) of the Public Health Service Act, 42
U.S.C. 299b-24(f)).
As required by the statute, within 15 calendar days of the date
established in the Secretary's notification of action under paragraph
(b)(1) of this section, the entity subject to proposed Sec.
3.108(b)(1) shall confirm to the Secretary that it has taken all
reasonable actions to notify each provider whose patient safety work
product has been collected or analyzed by the PSO that the entity has
been removed from the list of PSOs. We would recommend, but do not
propose to require, that PSOs make a priority of notifying providers
who report most frequently to the PSO, especially providers with
contracts with the PSO. These providers would need to close out any
current contract they have with the PSO, determine if they wish to
enter a contract with another PSO, and if so, they would need time to
identify another PSO and then negotiate another contract.
We also recognize that, even when this statutory notification
requirement is met, the notification period is short. While we do not
have the authority to require a PSO to undertake notification of
providers more quickly than the statute specifies, we invite comment on
whether there are any other steps the Secretary should take to ensure
that affected providers receive timely notice. We are considering
requiring notice by electronic or priority mail if no notice has been
given at the end of seven days.
Confidentiality and privilege protections that applied to patient
safety work product while the former PSO was listed continue to apply
after the entity is removed from listing. Furthermore, section
924(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-24(f)(1)
provides that data submitted to an entity within 30 calendar days of
the date on which acceptance of its certification is revoked and it is
removed from the list of PSOs, shall have the same status as data
submitted while the entity was still listed. Thus, data that would
otherwise be patient safety work product had it been submitted while
the PSO was listed, will be protected as patient safety work product if
submitted during this 30-day period after delisting.
We stress that the statutory language in section 924(f)(1) of the
Public Health Service Act, 42 U.S.C. 299b-24(f)(1), pertains only to
data submitted to such an entity within 30 calendar days after such
revocation and removal. This provision does not enable an entity that
has been removed from listing to generate patient safety work product
on its own pursuant to section 921(7)(A)(i)(II) of the Public Health
Service Act, 42 U.S.C. 299b-21(7)(A)(i)(II); the entity loses that
authority on the effective date and time of the Secretary's action to
remove it from listing.
(3) Proposed Sec. 3.108(b)(3)--Disposition of Patient Safety Work
Product and Data
Proposed Sec. 3.108(e) incorporates in the proposed rule statutory
requirements regarding the disposition of patient safety work product
or data following revocation and delisting of a PSO (section 924(g) of
the Public Health Service Act, 42 U.S.C. 299b-24(g)). This proposed
subsection would require that the former PSO provide for the
[[Page 8138]]
disposition of patient safety work product or data in its possession in
accordance with one or more of three alternatives described in section
924(g) of the Public Health Service Act, 42 U.S.C. 299b-24(g). The
three alternatives include: transfer of the patient safety work product
with the approval of the source from which it was received to a PSO
which has agreed to accept it; return of the patient safety work
product or data to the source from which it was received; or, if return
is not practicable, destroy such work product or data.
The text of the proposed rule refers to the ``source'' of the
patient safety work product or data that is held by the former PSO,
which is a broader formulation than the statutory phrase ``received
from another entity.'' While the statutory requirement encompasses PSOs
as well as institutional providers, we tentatively conclude that the
underlying intent of this statutory provision is to require the
appropriate disposition of patient safety work product from all
sources, not merely institutional sources. We note that the statute,
and therefore the proposed rule, permits individual providers to report
data to PSOs and individual providers are able to enter the same type
of ongoing arrangements, or contractual arrangements, as institutional
providers. Moreover, proposed Sec. 3.108(b)(2) would require PSOs to
notify all providers (individual as well as institutional providers)
from whom they receive data about the Secretary's revocation and
delisting decision. We preliminarily conclude, therefore, that it is
consistent with the statute that a former PSO consult with all sources
(individuals as well as entities) regarding the appropriate disposition
of the patient safety work product or data that they supplied.
Moreover, it is a good business practice. If workforce members of a
former PSO retain possession of any patient safety work product, they
would incur obligations and potential liability if it is impermissibly
disclosed. We welcome comments on our interpretation.
The statutory provision indicates that these requirements apply to
both patient safety work product or 'data' described in 924(f)(1) of
the Public Health Service Act, 42 U.S.C. 299b-24(f)(1). Subsection
(f)(1), entitled 'new data' and incorporated in proposed Sec.
3.108(b)(2), describes data submitted to an entity within 30 calendar
days after the entity is removed from listing as a PSO and provides
that this data ``shall have the same status as data submitted while the
entity was still listed.'' The proposed regulation mirrors this
formulation.
While the statute and this proposed rule would permit destruction
of patient safety work product, we would encourage entities that have
their listing as a PSO revoked to work with providers to ensure that
patient safety work product remains available for aggregation and
further analysis whenever possible, either by returning it to the
provider or, with concurrence of the provider, transferring it to a PSO
willing to accept it.
The statute does not establish a time frame for a PSO subject to
revocation and delisting to complete the disposition of the patient
safety work product or data in its possession. We invite comment on
whether we should include a date by which this requirement must be
completed (for example, a specific number of months after the date of
revocation and delisting).
(C) Proposed Sec. 3.108(c)--Voluntary Relinquishment
The statute recognizes the right of an entity to relinquish
voluntarily its status as a PSO, in which case the Secretary will
remove the entity from the list of PSOs. See section 924(d) of the
Public Health Service Act, 42 U.S.C. 299b-24(d).
We stress that, if the Secretary determines that an entity has
relinquished voluntarily its status as a PSO and removes the entity
from listing, the confidentiality and privilege protections that
applied to patient safety work product while the former PSO was listed
continue to apply after the entity is removed from listing.
(1) Proposed Sec. 3.108(c)(1)--Circumstances Constituting Voluntary
Relinquishment
Proposed Sec. 3.108(c)(1) provides that an entity would be
considered to have relinquished voluntarily its status as a PSO under
two circumstances: when a PSO advises the Secretary in writing that it
no longer wishes to be a PSO, and when a PSO permits its three-year
period of listing to expire without timely submission of the required
certification to the Secretary for continued listing. To ensure that
such a lapse is not inadvertent, we provide in proposed Sec.
3.104(e)(2) that the Secretary would send a notice of imminent
expiration to any PSO from which the Secretary has not received a
certification for continued listing by the date that is 45 calendar
days before the expiration of its current period of listing. This
notice is intended to ensure that the PSO has sufficient time to submit
a certification for continued listing if it chooses to do so and that,
if a lapse occurs, it is not inadvertent.
(2) Proposed Sec. 3.108(c)(2)--Notification of Voluntary
Relinquishment
Proposed Sec. 3.108(c)(2) would require an entity that seeks to
relinquish voluntarily its status as a PSO to include attestations in
its notice to the Secretary that it has made all reasonable efforts to
provide for the orderly termination of the PSO. First, the PSO must
attest that it has made--or will have made within 15 calendar days of
the date of this notification to the Secretary--all reasonable efforts
to notify organizations or individuals who have submitted data to the
PSO of its intent to cease operation and to alert providers that they
should cease reporting or submitting any further information as quickly
as possible.
We preliminarily conclude that, when a PSO voluntarily relinquishes
its status, data submitted by providers to the entity after the date on
which the Secretary removes it from listing is not patient safety work
product. The statutory provision, incorporated in the proposed rule at
Sec. 3.108(b)(2), that permits providers to submit data to an entity
for an additional 30 days after the date of its removal from listing
applies only to PSOs for which the Secretary has revoked acceptance of
its certification for cause. It does not apply to a PSO that
voluntarily relinquishes its status. We welcome comment on our
interpretation.
Second, the PSO would be required to attest that, in consultation
with the organizations or individuals who submitted the patient safety
work product in its possession, it has established--or will have made
all reasonable efforts within 15 calendar days of the date of this
notification to establish--a plan for the appropriate disposition of
such work product, consistent to the extent possible with the statutory
requirements incorporated in proposed Sec. 3.108(b)(3). Finally, the
individual submitting the notification of voluntary relinquishment
would provide appropriate contact information for further
communications that the Secretary deems necessary.
We caution any PSO considering voluntary relinquishment that its
status remains in effect until the Secretary removes the entity from
listing. The PSO's responsibilities, including those related to the
confidentiality and security of the patient safety work product or data
in its possession, are not discharged by the decision of a PSO to cease
operations. Accordingly, we urge PSOs that are experiencing financial
distress or other circumstances that may
[[Page 8139]]
lead to voluntary relinquishment, to contact AHRQ program staff as
early as possible so that the PSO's obligations can be appropriately
discharged.
(3) Proposed Sec. 3.108(c)(3)--Response to Notification of Voluntary
Relinquishment
In response to the submission of a notification of voluntary
relinquishment, proposed Sec. 3.108(c)(3) provides that the Secretary
would respond in writing and indicate whether the proposed voluntary
relinquishment is accepted. We anticipate that the Secretary would
normally approve such requests but the text provides the Secretary with
discretion to accept or reject such a request from a PSO that seeks
voluntary relinquishment during or immediately after revocation
proceedings. Our proposal is intended to recognize that, in certain
circumstances, for example, when the deficiencies of the PSO are
significant or reflect a pattern of non-compliance with the Patient
Safety Act or the proposed rule, the Secretary may decide that giving
precedence to the revocation process may be more appropriate.
(4) Proposed Sec. 3.108(c)(4)--Implied Voluntary Relinquishment
Proposed Sec. 3.108(c)(4) enables the Secretary to determine that
implied voluntary relinquishment has taken place if a PSO permits its
period of listing to expire without receipt and acceptance by the
Secretary of a certification for continued listing. In our view, the
statute does not permit an entity to function as a PSO beyond its 3-
year period of listing unless it has submitted, and the Secretary has
accepted, a certification for a 3-year period of continued listing. To
ensure that such a lapse is not inadvertent, we propose a requirement
in Sec. 3.104(e)(2) that the Secretary would send a notice of imminent
expiration to any PSO from which the Secretary has not received the
required certification for continued listing by the date that is 45
calendar days prior to the last date of the PSOs current period of
listing. Accordingly, we propose that the Secretary would determine
that a PSO under these circumstances has relinquished voluntarily its
status at midnight on the last day of its current period of listing,
remove the entity from the list of PSOs at midnight on that day, make
reasonable efforts to notify the entity in writing of the action taken,
and promptly provide public notice in accordance with proposed Sec.
3.108(d).
Under the proposed rule, the notice of delisting would request that
the entity make reasonable efforts to comply with the requirements of
proposed Sec. 3.108(c)(2). Compliance with these requirements in this
circumstance would mean that the former PSO would be required to notify
individuals and organizations that routinely reported data to the
entity during its period of listing that it has voluntarily
relinquished its status as a PSO and that they should no longer report
or submit data, and make reasonable efforts to provide for the
disposition of patient safety work product or data in consultation with
the sources from which such information was received in compliance with
the statutory requirements incorporated in proposed Sec.
3.108(b)(3)(i)-(iii). The former PSO would also be expected to provide
appropriate contact information for further communications from the
Secretary.
We are aware that, if a PSO does not give appropriate notice to
providers from which it receives data, that it does not intend to seek
continued listing, this could jeopardize protections for data that
these providers continue to report. To address this issue, we are
seeking comment in proposed Sec. 3.104(e) on a proposal that would
ensure that providers have advance notice that a PSO is approaching the
end of its period of listing but has not yet sought continued listing.
(5) Proposed Sec. 3.108(c)(5)--Non-Applicability of Certain Procedures
and Requirements
Proposed Sec. 3.108(c)(5) provides that neither a decision by a
PSO to notify the Secretary that it wishes to relinquish voluntarily
its status as a PSO, nor a situation in which a PSO lets its period of
listing lapse, constitutes a deficiency as referenced in the discussion
regarding proposed Sec. 3.108(a). As a result, neither the procedures
and requirements that apply to the Secretary or a PSO subject to the
revocation process outlined in that proposed subsection, nor the
requirements that apply to the Secretary or a PSO following action by
the Secretary pursuant to proposed Sec. 3.108(b)(1), would apply in
cases of voluntary relinquishment. Adoption of this proposal would mean
that a PSO has no basis for appealing decisions of the Secretary in
response to a request for voluntary relinquishment or challenging its
removal from listing if its period of listing lapses and the Secretary
determines that implied voluntary relinquishment has occurred. We
specifically welcome comment on this proposal.
(D) Proposed Sec. 3.108(d)--Public Notice of Delisting Regarding
Removal From Listing
Proposed Sec. 3.108(d) incorporates in the proposed rule the
statutory requirement that the Secretary must publish a notice in the
Federal Register regarding the revocation of acceptance of
certification of a PSO and its removal from listing pursuant to
proposed Sec. 3.108(b)(1) (see section 924(e)(3) of the Public Health
Service Act, 42 U.S.C. 299b-24(e)(3)). This proposal also would require
the Secretary to publish such a notice if delisting results from a
determination of voluntary relinquishment pursuant to proposed Sec.
3.108(c)(3) or (c)(4). The Secretary would specify the effective date
and time of the actions in these notices.
5. Proposed Sec. 3.110--Assessment of PSO Compliance
Proposed Sec. 3.110 provides that the Secretary may request
information or conduct spot-checks (reviews or site visits to PSOs that
may be unannounced) to assess or verify PSO compliance with the
requirements of the statute and this proposed subpart. We anticipate
that such spot checks will involve no more than 5-10% of PSOs in any
year. The legislative history of patient safety legislation in the
108th and 109th Congress suggests that the Senate Health, Education,
Labor and Pensions (HELP) Committee assumed that the Secretary had the
inherent authority to undertake inspections as necessary to ensure that
PSOs were meeting their obligations under the statute. In fact, in
reporting legislation in 2004, the Senate HELP Committee justified its
proposal for an expedited process for listing PSOs--that is
substantially the same as the one incorporated in the Patient Safety
Act that was enacted in 2005 and is incorporated in this proposed
rule--on the basis that the Secretary could and would be able to
conduct such inspections.
The ability of the Secretary to ``examine any organization at any
time to see whether it in fact is performing those required
activities'' the Senate HELP Committee wrote, enables the Committee to
``strike the right balance'' in adopting an expedited process for the
listing of PSOs by the Secretary (Senate Report 108-196). Accordingly,
we tentatively conclude that this proposed authority for undertaking
inspections on a spot-check basis is consistent with Congressional
intent and the overall approach of the proposed rule of using
regulatory authority sparingly.
[[Page 8140]]
While patient safety work product would not be a focus of
inspections conducted under this proposed authority, we recognize that
it may not be possible to assess a PSO's compliance with required
patient safety activities without access to all of a PSO's records,
including some patient safety work product. This proposed section
references the broader authority of the Department to access patient
safety work product as part of its proposed implementation and
enforcement of the Patient Safety Act.
We also note that the inspection authority of this proposed subpart
is limited to PSOs and does not extend to providers.
6. Proposed Sec. 3.112--Submissions and Forms
Paragraphs (a) and (b) of proposed Sec. 3.112 explain how to
obtain forms and how to submit applications and other information under
the proposed regulations. Also, to help ensure the timely resolution of
incomplete submissions, proposed paragraph (c) of this section would
provide for requests for additional information if a submission is
incomplete or additional information is needed to enable the Secretary
to make a determination on the submission.
C. Subpart C--Confidentiality and Privilege Protections of Patient
Safety Work Product
Proposed Subpart C would establish the general confidentiality
protections for patient safety work product, the permitted disclosures,
and the conditions under which the specific protections no longer
apply. The proposed Subpart also establishes the conditions under which
a provider, PSO, or responsible person must disclose patient safety
work product to the Secretary in the course of compliance activities,
and what the Secretary may do with such information. Finally, proposed
Subpart C establishes the standards for nonidentifiable patient safety
work product.
The privilege and confidentiality protections set forth in this
proposed Subpart apply to the PSO framework established by the Patient
Safety Act and this proposed Part, which will involve providers, PSOs,
and responsible persons who possess patient safety work product. The
Patient Safety Act and this proposed Subpart seek to balance key
objectives. First, it seeks to address provider concerns about the
potential for damage from unauthorized release of such information,
including the potential for the information to serve as a roadmap for
provider liability from negative patient outcomes. Second, it seeks to
promote the sharing of information about adverse patient safety events
among providers and PSOs for the purpose of learning from those events
to improve patient safety and creating a culture of safety. To address
these objectives, the Patient Safety Act established that patient
safety work product would be confidential and privileged, with certain
exceptions. Thus, the Patient Safety Act allows sharing of patient
safety work product for certain purposes, including for patient safety
activities, but simultaneously attaches strict confidentiality and
privilege protections for that patient safety work product. To further
strengthen the confidentiality protections, the Patient Safety Act
imposes significant monetary penalties for violation of the
confidentiality provisions, as set forth in proposed Subpart D.
Moreover, patient safety work product that is disclosed generally
continues to be privileged and confidential, that is, it may only be
permissibly disclosed by the receiving entity or person for a purpose
permitted by the Patient Safety Act and this proposed Subpart. The only
way that patient safety work product is no longer confidential is if
the patient safety work product disclosed is nonidentifiable or when an
exception to continued confidentiality exists. See section 922(d)(2)(B)
of the Public Health Service Act, 42 U.S.C. 299b-22(d)(2)(B). A person
disclosing such work product outside of these statutory permissions in
violation of the Patient Safety Act and this proposed Subpart may be
subject to civil money penalties.
Proposed Sec. 3.204, among other provisions, provides that patient
safety work product is privileged and generally shall not be admitted
as evidence in Federal, State, local, or Tribal civil, criminal or
administrative proceedings and shall not be subject to a subpoena or
order, unless an exception to the privilege applies; the exceptions are
discussed in proposed Sec. 3.204(b). Proposed Sec. 3.206 provides
that patient safety work product is confidential and shall not be
disclosed except as permitted in accordance with the disclosures
described in proposed Sec. Sec. 3.206(b)-(e), 3.208 and 3.210. Under
proposed Sec. 3.208, patient safety work product continues to be
privileged and confidential after disclosure with certain exceptions.
Under proposed Sec. 3.210, providers, PSOs, and responsible persons
must disclose to the Secretary such patient safety work product as
required by the Secretary for the purposes of investigating or
determining compliance with this proposed Part, enforcing the
confidentiality provisions, or making determinations on certifying and
listing PSOs. Proposed Sec. 3.210 also provides for disclosure to the
Secretary. Proposed Sec. 3.212 describes the standard for determining
that patient safety work product is nonidentifiable.
Throughout the proposed rule, the term patient safety work product
means both identifiable patient safety work product and nonidentifiable
patient safety work product, unless otherwise specified. In addition,
if a disclosure is made by or to a workforce member of an entity, it
will be considered a disclosure by or to the entity itself.
Finally, throughout our discussion we note the relationship between
the Patient Safety Act and the HIPAA Privacy Rule. Several provisions
of the Patient Safety Act recognize that the patient safety regulatory
scheme will exist alongside other requirements for the use and
disclosure of protected health information under the HIPAA Privacy
Rule. For example, the Patient Safety Act establishes that PSOs will be
business associates of providers, incorporates individually
identifiable health information under the HIPAA Privacy Rule as an
element of identifiable patient safety work product, and adopts a rule
of construction that states the intention not to alter or affect any
HIPAA Privacy Rule implementation provision (see section 922(g)(3) of
the Public Health Service Act, 42 U.S.C. 299b-22(g)(3)). We anticipate
that most providers reporting to PSOs will be HIPAA covered entities
under the HIPAA Privacy Rule, and as such, will be required to
recognize when requirements of the HIPAA Privacy Rule apply. Because
this proposed rule focuses on disclosures of identifiable patient
safety work product which may include protected health information, we
discuss where appropriate the overlaps between the proposed Patient
Safety Act permitted disclosures and the existing HIPAA Privacy Rule
use and disclosure permissions.
1. Proposed Sec. 3.204--Privilege of Patient Safety Work Product
Proposed Sec. 3.204 describes the privilege protections of patient
safety work product and when the privilege protections do not apply.
The Patient Safety Act does not give authority to the Secretary to
enforce breaches of privilege protections. Rather, we anticipate that
the tribunals, agencies or professional disciplinary bodies before whom
these proceedings take place will
[[Page 8141]]
adjudicate the application of privilege as set forth in section
922(a)(1)-(5) of the Public Health Service Act, 42 U.S.C. 299b-
22(a)(1)-(5). Even though the privilege protections will be enforced
through the court systems, and not by the Secretary, we repeat the
statutory privilege provisions and exceptions for convenience. We note,
however, that the same exceptions are repeated in the confidentiality
context, which the Secretary does enforce; so these are repeated at
proposed Sec. 3.206 and such impermissible disclosure may be penalized
under proposed Subpart D.
To determine the permissible scope of disclosures under the Patient
Safety Act, it is important to understand the application of the
privilege protection and its exceptions described in conjunction with
the related proposed confidentiality disclosures. The admission of
patient safety work product as evidence in a proceeding or through a
subpoena, court order or any other exception to privilege, whether
permissibly or not, amounts to a disclosure of that patient safety work
product to all parties receiving or with access to the patient safety
work product admitted. Thus, we use the term disclosure to describe the
transfer of patient safety work product pursuant to an exception to
privilege, as well as to an exception to confidentiality. In addition,
although the Secretary does not have authority to impose civil money
penalties for violations of the privilege protection, a violation of
privilege may also be a violation of the confidentiality provisions.
For these reasons, we include the privilege language in the proposed
implementing regulations.
Finally, as discussed in proposed Sec. 3.204(c), we include a
regulatory exception to privilege for disclosures to the Secretary for
the purpose of enforcing the confidentiality provisions and for making
or supporting PSO certification or listing decisions.
(A) Proposed Sec. 3.204(a)--Privilege
Proposed Sec. 3.204(a) would repeat the statutory language at
section 922(a) of the Public Health Service Act, 42 U.S.C. 299b-22(a),
establishing the general principle that patient safety work product is
privileged and is not subject to Federal, State or local civil,
criminal or administrative proceedings or orders; is not subject to
disclosure under the Freedom of Information Act or similar Federal,
State or local laws; and may not be admitted into evidence in any
Federal, State or local civil, criminal or administrative proceeding or
the proceedings of a disciplinary body established or specifically
authorized under State law. In addition, we have clarified that patient
safety work product shall be privileged and not subject to use in
Tribal courts or administrative proceedings. Because the Patient Safety
Act is a statute of general applicability, it applies to Indian Tribes.
In addition, the application of the Federal privilege to Tribal
proceedings implements the strong privilege protections intended under
section 922 of the Public Health Service Act, 42 U.S.C. 299b-22. (See
section 922(g)(1)-(2) of the Public Health Service Act, 42 U.S.C. 299b-
22(g)(1)-(2), preserving more stringent Federal, State, and local
confidentiality laws).
(B) Proposed Sec. 3.204(b)--Exceptions to Privilege
Proposed Sec. 3.204(b) describes the exceptions to the privilege
protection at proposed Sec. 3.204(a) that are established in section
922(c) of the Public Health Service Act, 42 U.S.C. 299b-22(c), as added
by the Patient Safety Act. When the conditions set forth in proposed
Sec. 3.204(b) are met, then privilege does not apply and would not
prevent the patient safety work product from, for example, being
entered into evidence in a proceeding or subject to discovery. In all
cases, the exceptions from privilege are also exceptions from
confidentiality. For proposed Sec. 3.204(b)(1)-(4) and Sec. 3.204(c),
we discuss the scope of the applicable confidentiality protection in
proposed Sec. 3.206(b) and Sec. 3.206(d).
(1) Proposed Sec. 3.204(b)(1)--Criminal Proceedings
Proposed Sec. 3.204(b)(1) would permit disclosure of identifiable
patient safety work product for use in a criminal proceeding, as
provided in section 922(c)(1)(A) of the Public Health Service Act, 42
U.S.C. 299b-22(c)(1)(A). Such patient safety work product is not
subject to the privilege prohibitions described in proposed Sec.
3.204(a) or the confidentiality protection described in proposed Sec.
3.206(a). See proposed Sec. 3.206(b)(1). Prior to a court determining
that an exception to privilege applies pursuant to this provision, a
court must make an in camera determination that the identifiable
patient safety work product sought for disclosure contains evidence of
a criminal act, is material to the proceeding, and is not reasonably
available from other sources. See section 922(c)(1)(A) of the Public
Health Service Act, 42 U.S.C. 299b-22(c)(1)(A). We discuss in full the
requirements of this disclosure under the confidentiality disclosure
discussion below.
(2) Proposed Sec. 3.204(b)(2)--Equitable Relief for Reporters
Proposed Sec. 3.204(b)(2) permits the disclosure of identifiable
patient safety work product to the extent required to carry out the
securing and provision of specified equitable relief as provided for
under section 922(f)(4)(A) of the Public Health Service Act, 42 U.S.C.
299b-22(f)(4)(A). This exception is based on section 922(c)(1)(B) of
the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(B). The Patient
Safety Act permits this disclosure as an exception to privilege and
confidentiality to effectuate the provision that authorizes equitable
relief for an employee who has been subjected to an adverse employment
action for good faith reporting of information to a PSO directly or to
a provider for the intended report to a PSO. We discuss in full the
requirements of this disclosure under the confidentiality disclosure
discussion below.
(3) Proposed Sec. 3.204(b)(3)--Authorized by Identified Providers
Proposed Sec. 3.204(b)(3) describes when identifiable patient
safety work product may be excepted from privilege when each of the
providers identified in the patient safety work product authorizes the
disclosure. This provision is based on section 922(c)(1)(C) of the
Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(C). Such patient
safety work product is also not subject to the confidentiality
protections described in proposed Sec. 3.206(a). We discuss in full
the requirements of this disclosure under the confidentiality
disclosure discussion below.
(4) Proposed Sec. 3.2049(b)(4)--Nonidentifiable Patient Safety Work
Product
Proposed Sec. 3.204(b)(4) permits patient safety work product to
be excepted from privilege when disclosed in nonidentifiable form. This
provision is based on section 922(c)(3) of the Public Health Service
Act, 42 U.S.C. 299b-22(c)(3). As with other privilege protections, we
expect the tribunals for which the information is sought to adjudicate
the application of this exception. We discuss in full the requirements
of this disclosure in the confidentiality disclosure discussion below.
(C) Proposed Sec. 3.204(c)--Implementation and Enforcement of the
Patient Safety Act
Proposed Sec. 3.204(c) excepts from privilege disclosures of
relevant patient safety work product to or by the Secretary as needed
for investigation or determining compliance with this Part
[[Page 8142]]
or for enforcement of the confidentiality provisions, or for making or
supporting PSO certification or listing decisions, under the Patient
Safety Act. We propose that the Secretary may use and disclose patient
safety work product when pursuing civil money penalties for
impermissible disclosures. This is a privilege exception in the same
manner as exceptions listed in proposed Sec. 3.204(b), but we state it
separately to provide specific emphasis for the inclusion of this
exception to privilege by the Secretary for enforcement activities.
This information is also a permissible disclosure under proposed Sec.
3.206(d), discussed below.
The Patient Safety Act provides for broad privilege and
confidentiality protections, as well as the authority for the Secretary
to impose civil money penalties on persons who knowingly or recklessly
disclose identifiable patient safety work product in violation of those
protections. However, in order to perform investigations and compliance
reviews to determine whether a violation has occurred, the Secretary
may need to have access to privileged and confidential patient safety
work product.
We believe that Congress could not have intended that the privilege
and confidentiality protections afforded to patient safety work product
operate to frustrate the sole enforcement mechanism Congress provided
for the punishment of impermissible disclosures and to preclude the
imposition of civil money penalties. As a matter of public policy, the
creation of a confidentiality protection is meaningless without the
capacity to enforce a breach of those protections. For these reasons,
we propose a privilege exception narrowly drawn to permit the Secretary
to perform the enforcement and operational duties required by the
Patient Safety Act, which include the submission of patient safety work
product to administrative law judges (ALJs), the Departmental Appeals
Board (Board), and the courts.
This proposed provision would permit the disclosure of patient
safety work product to the Secretary or disclosure by the Secretary so
long as such disclosure is for the purpose of implementation and
enforcement of these proposed regulations. Such disclosure would
include the introduction of patient safety work product into
proceedings before ALJs or the Board under proposed Subpart D by the
Secretary, as well as the disclosure during investigations by OCR or
activities in reviewing PSO certifications by AHRQ. Moreover,
disclosures of patient safety work product made to the Board or other
parts of the Department that are received by workforce members, such as
contractors operating electronic web portals or mail sorting and paper
scanning services, would be permitted as a disclosure to the Secretary
under this proposed provision. This provision would also permit the
Board to disclose any patient safety work product in order to properly
review determinations or to provide records for court review.
Patient safety work product disclosed under this exception remains
protected by both privilege and confidentiality protections as proposed
in Sec. 3.208. This exception does not limit the ability of the
Secretary to disclose patient safety work product in accordance with
the exceptions under proposed Sec. 3.206(b) or this Part. Rather, this
proposed section provides a specific permission by which patient safety
work product may be disclosed to the Secretary and the Secretary may
further disclose such patient safety work product for compliance and
enforcement purposes.
We believe strongly in the protection of patient safety work
product as provided in the Patient Safety Act and the proposed
regulation, and seek to minimize the risk of improper disclosure of
patient safety work product by using and disclosing patient safety work
product only in limited and necessary circumstances. We intend that any
disclosure made pursuant to this proposed provision be limited in the
amount of patient safety work product disclosed to accomplish the
purpose of implementation, compliance, and enforcement. Proposed Sec.
3.312 discusses the limitations on what the Secretary may do with any
patient safety work product obtained pursuant to an investigation or
compliance review under proposed Subpart D. As discussed in the
preamble to proposed Sec. 3.312, section 922(g)(3) of the Public
Health Service Act, 42 U.S.C. 299b-22(g)(3), provides that the Patient
Safety Act does not affect the implementation of the HIPAA
confidentiality regulations. Accordingly, the privilege provisions in
the Patient Safety Act would not bar the Secretary from introducing
patient safety work product in a HIPAA enforcement proceeding.
2. Proposed Sec. 3.206--Confidentiality of Patient Safety Work Product
Proposed Sec. 3.206 describes the confidentiality protection of
patient safety work product as well as exceptions from confidentiality
protection. The following discussion generally refers to an act that
falls within an exception from confidentiality as a permissible
disclosure.
(A) Proposed Sec. 3.206(a)--Confidentiality
Proposed Sec. 3.206(a) would establish the overarching general
principle that patient safety work product is confidential and shall
not be disclosed. The principle applies to patient safety work product
held by anyone. This provision is based on section 922(b) of the Public
Health Service Act, 42 U.S.C. 299b-22(b).
(B) Proposed Sec. 3.206(b)--Exceptions to Confidentiality
Proposed Sec. 3.206(b) describes the exceptions to
confidentiality, or the permitted disclosures. Certain overarching
principles apply to the proposed confidentiality standards. First, we
consider these exceptions to be ``permissions'' to disclose patient
safety work product and the holder of the patient safety work product
retains full discretion whether or not to disclose. Thus, similar to
the disclosures permitted under the HIPAA Privacy Rule, we are defining
a uniform federal baseline of protection that is enforceable by
federally imposed civil money penalties. We are not encouraging or
requiring disclosures, except to the Secretary as provided in this
proposed rule. Therefore, a provider, PSO, or responsible person, may
create confidentiality policies and procedures with respect to patient
safety work product that are more stringent than these proposed rules
and are free to otherwise condition the release of patient safety work
product that comes within these exceptions by contract, employment
relationship, or other means. See, for example, section 922(g)(4) of
the Public Health Service Act, 42 U.S.C. 299b-22(g)(4). However, the
Secretary will not enforce such policies or private agreements.
Second, when exercising the discretion to disclose patient safety
work product, we encourage providers, PSOs, and responsible persons to
consider the purposes for which the disclosures are made. Disclosures
should be narrow and consistent with the overarching goals of the
privilege and confidentiality protections, even though these
protections generally continue to apply to patient safety work product
after disclosure. We encourage any entity or person making a disclosure
to consider both the amount of patient safety work product that is
being disclosed, as well as the amount of identifiable information
disclosed. Even though not required, entities or persons should attempt
to disclose the amount of information commensurate with the
[[Page 8143]]
purposes for which a disclosure is made. We encourage the disclosure of
the least amount of identifiable patient safety work product that is
appropriate for the purpose of the disclosure, which might mean the
disclosure of less information than all of the information that would
be permitted to be disclosed under the confidentiality provisions. We
also encourage the removal of identifiable information when feasible
regardless of whether protection under this rule continues. While a
provider, PSO, or responsible person need not designate a workforce
member to determine when a disclosure of patient safety work product is
permitted, such a designation may be a best practice to ensure that a
disclosure complies with the confidentiality provisions, and contains
the least amount of patient safety work product necessary.
Third, we have addressed the scope of redisclosure by persons
receiving patient safety work product. Persons receiving patient safety
work product would only be allowed to redisclose that information to
the extent permitted by the proposed regulation. For example, we
propose that accrediting bodies receiving patient safety work product
pursuant to the accrediting body disclosure at proposed Sec.
3.206(b)(8) may not further disclose that patient safety work product.
We seek public comment on the subject of whether there are any negative
implications associated with limiting redisclosures in this way.
Additionally, agencies subject to both the Patient Safety Act and
the Privacy Act, 5 U.S.C. 552a, must comply with both statutes when
disclosing patient safety work product. Under the Patient Safety Act,
see section 922(b) of the Public Health Service Act, 42 U.S.C. 299b-
22(b), if another law, such as the Privacy Act, permits or requires the
disclosure of patient safety work product, disclosure of this
information would be in violation of the Patient Safety Act unless the
Patient Safety Act also permits this disclosure. However, if the
Privacy Act prohibits the disclosure of information that is patient
safety work product, the permissible disclosure of this information
under the Patient Safety Act would be in violation of the Privacy Act.
Therefore, for agencies subject to both statutes, patient safety work
product must be disclosed in a manner that is permissible under both
statutes. The Privacy Act does permit agencies to make disclosures
pursuant to established routine uses. See 5 U.S.C. 552a(a)(7);
552a(b)(3); and 552a(e)(4)(D). We recommend that Federal agencies that
maintain a Privacy Act system of records containing information that is
patient safety work product include routine uses that will permit
disclosures allowed by the Patient Safety Act.
Finally, for HIPAA covered entities, when individually identifiable
health information is encompassed within the patient safety work
product, the disclosure must also comply with the HIPAA Privacy Rule.
Thus, for patient safety work product disclosures that contain
individually identifiable health information, as defined in 45 CFR
160.103, we note some of the comparable HIPAA Privacy Rule permissions
for consideration.
(1) Proposed Sec. 3.206(b)(1)--Criminal Proceeding
Proposed Sec. 3.206(b)(1) would establish the permitted criminal
proceeding disclosure which parallels the privilege exception
disclosure for use in a criminal proceeding, proposed Sec.
3.204(b)(1). Proposed Sec. 3.206(b)(1) would permit disclosure of
identifiable patient safety work product for use in a criminal
proceeding. Prior to a court determining that an exception to privilege
applies pursuant to this provision, a court must make an in camera
determination that the identifiable patient safety work product sought
for disclosure contains evidence of a criminal act, is material to the
proceeding, and is not reasonably available from other sources. See
section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(1)(A).
After such determinations by a court, the patient safety work
product may be permissibly disclosed within the criminal proceeding.
This provision and these limitations are based on section 922(c)(1)(A)
of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(A). When
considering claims that confidentiality protection has been breached,
we intend to defer to, and not review, the court's in camera
determinations made in context of determining the privilege exception.
The Secretary has not been authorized to enforce the underlying
privilege protection or make determinations regarding its
applicability. The Secretary's authority is limited to investigating
and enforcing violations of the confidentiality protections parallel to
this privilege exception at proposed Sec. 3.206(b)(1).
The Patient Safety Act establishes that patient safety work
product, once disclosed, will generally continue to be privileged and
confidential as discussed in proposed Sec. 3.208. See section
922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1).
However, the Patient Safety Act limits the continued protection of the
specific patient safety work product disclosed for use in a criminal
proceeding. Patient safety work product disclosed for use in a criminal
proceeding continues to be privileged and cannot be reused as evidence
or in any context prohibited by the privilege protection, but is no
longer confidential. See section 922(d)(2)(A) of the Public Health
Service Act, 42 U.S.C. 299b-22(d)(2)(A). For example, law enforcement
personnel who obtain patient safety work product used in a criminal
proceeding may further disclose that patient safety work product
because the confidentiality protection does not apply. However, if law
enforcement sought to enter the information into another criminal
proceeding, it would need a new in camera determination for the new
criminal proceeding. For a further discussion of continued
confidentiality, see discussion of proposed Sec. 3.208 below.
For entities that are subject to the HIPAA Privacy Rule and this
Part, disclosures must conform to 45 CFR 164.512(e) of the HIPAA
Privacy Rule. We expect that court rulings following an in camera
determination would be issued as a court order, which would satisfy the
requirements of 45 CFR 164.512(e). So long as such legal process is in
compliance with 45 CFR 164.512(e), the disclosure would be permissible
under the HIPAA Privacy Rule.
(2) Proposed Sec. 3.206(b)(2)--Equitable Relief for Reporters
Proposed Sec. 3.206(b)(2) would permit the disclosure of
identifiable patient safety work product to the extent required to
carry out equitable relief as provided for under section 922(f)(4)(A)
of the Public Health Service Act, 42 U.S.C. 299b-22(f)(4)(A). See
section 922(c)(1)(B) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(1)(B). This proposed provision parallels the privilege exception
to carry out equitable relief at proposed Sec. 3.204(b)(2). The
Patient Safety Act permits this disclosure to effectuate the provision
that authorizes an employee to seek redress for adverse employment
actions for good faith reporting of information to a PSO directly or to
a provider with the intended disclosure to a PSO.
The Patient Safety Act prohibits a provider from taking an adverse
employment action against an individual who, in good faith, reports
information to the provider for subsequent reporting to a PSO, or to a
PSO directly. See section 922(e)(1) of the Public Health Service Act,
42 U.S.C. 299b-22(e)(1). Adverse employment actions are described at
section 922(e)(2)
[[Page 8144]]
of the Public Health Service Act, 42 U.S.C. 299b-22(e)(2), and include
loss of employment, failure to promote, or adverse evaluations or
decisions regarding credentialing or licensing. The Patient Safety Act
provides adversely affected reporters a civil right of action to enjoin
such adverse employment actions and obtain other equitable relief,
including back pay or reinstatement, to redress the prohibited actions.
As part of that right to seek equitable relief, the Patient Safety Act
provides that patient safety work product is not subject to the
privilege protections described in section 922(a) of the Public Health
Service Act, 42 U.S.C. 299b-22(a), and as similarly described in
proposed Sec. 3.204(a), or to the confidentiality protection in
section 922(b) of the Public Health Service Act, 42 U.S.C. 299b-22(b),
and as similarly described in proposed Sec. 3.206(a), to the extent
such patient safety work product is necessary to carry out the
equitable relief.
Although such disclosure is excepted from both confidentiality and
privilege as to efforts to seek equitable relief, the identifiable
patient safety work product remains subject to confidentiality and
privilege protection in the hands of all subsequent holders and the
protections apply to all subsequent potential disclosures. See section
922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1).
Thus, even though the reporter is afforded discretion to disclose the
relevant patient safety work product to seek and obtain equitable
relief, all subsequent holders receiving the patient safety work
product from the reporter are bound by the continued privilege and
confidentiality protections.
Thus, this provision would allow the reporter seeking equitable
relief from an adverse employment action to include patient safety work
product in briefs and in open court. To protect the patient safety work
product as much as possible in these circumstances, we could condition
the disclosure of identifiable patient safety work product in these
circumstances on a party's, most likely the reporter's, obtaining of a
protective order in these types of proceedings. Such a protective order
could take many forms that preserve the confidentiality of patient
safety work product. For example, it could limit the use of the
information to case preparation, but not make it evidentiary. Such an
order might prohibit the disclosure of the patient safety work product
in publicly accessible proceedings and in court records to prevent
liability from moving to a myriad of unsuspecting parties (for example,
parties in a courtroom may not know that they may be liable for civil
money penalties if they share the patient safety work product they
hear). We solicit comments on whether a protective order should be a
condition for this disclosure, imposed by regulation, or whether
instead we should require a good faith effort to obtain a protective
order as a condition for this disclosure and use our enforcement
discretion to consider whether to assess a penalty for anyone who
cannot obtain such an order and thus breaches the statutory continued
confidentiality protection of this information. See discussion below at
proposed Sec. 3.402(a).
We also address the intersection of the HIPAA Privacy Rule herein
because identifiable patient safety work product may contain
individually identifiable health information and be sought for
disclosure under this exception from a HIPAA covered entity or that
HIPAA covered entity's business associate. Under the HIPAA Privacy Rule
at 45 CFR 164.512(e), when protected health information is sought to be
disclosed in a judicial proceeding via subpoenas and discovery requests
without a court order, the disclosing HIPAA covered entity must seek
satisfactory assurances that the party requesting the information has
made reasonable efforts to provide written notice to the individual who
is the subject of the protected health information or to secure a
qualified protective order. A protective order that meets the qualified
protective order under 45 CFR 164.512(e) would be permissible under the
HIPAA Privacy Rule and render a disclosure under this exception in
compliance with the HIPAA Privacy Rule.
(3) Proposed Sec. 3.206(b)(3)--Authorized by Identified Providers
Proposed Sec. 3.206(b)(3) would establish a permitted disclosure
parallel to the privilege exception at proposed Sec. 3.204(b)(3), when
each of the providers identified in the patient safety work product
authorizes the disclosure in question. This provision is based on
section 922(c)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(1)(C). In these circumstances, patient safety work product may be
disclosed, not withstanding the privilege protections described in
proposed Sec. 3.204(a) or the confidentiality protections described in
proposed Sec. 3.206(a). However, patient safety work product disclosed
under this exception continues to be confidential pursuant to the
continued confidentiality provisions at section 922(d)(1) of the Public
Health Service Act, 42 U.S.C. 299b-22(d)(1), and persons are subject to
liability for further disclosures in violation of that confidentiality.
This exception applies to patient safety work product that contains
identifiable provider information. Under the proposed language, each
provider identified in the patient safety work product sought to be
disclosed must separately authorize the disclosure. For example, if
patient safety work product sought to be disclosed by an entity or
person pursuant to this exception describes an incident involving three
physicians, each physician would need to authorize disclosure of the
patient safety work product, in order for the entity or person to
disclose it. Making information regarding one provider nonidentifiable
in lieu of obtaining an authorization is not sufficient.
We considered whether the rule should allow a provider to
nonidentify the patient safety work product with respect to a
nonauthorizing provider and disclose the patient safety work product
with respect to the remaining authorizing providers. However, we
rejected that approach as being impracticable. In light of the
contextual nonidentification standard proposed in Sec. 3.212, it would
seem that there would be very few, if any, situations in which a
nonauthorizing provider could be nonidentified without also needing to
nonidentify, or nearly so, an authorizing provider in the same patient
safety work product. Unless we adopt a less stringent nonidentification
standard, disclosing persons can either totally nonidentify patient
safety work product and disclose under proposed Sec. 3.206(b)(5), or
disclose the patient safety work product only if all identified
providers in patient safety work product authorize its disclosure.
When all identified providers authorize the disclosure of patient
safety work product, the Patient Safety Act permits such disclosure,
but remains silent about the identification of patients or reporters in
such patient safety work product. As to other persons that make patient
safety work product identifiable, i.e., patients and reporters, the
Patient Safety Act does not provide a separate right of authorization.
However, as one of the core principles underlying the Patient Safety
Act is the protection of the privacy and confidentiality concerns of
certain persons in connection with specific patient safety work product
(i.e., providers, patients and reporters), we encourage persons
disclosing patient safety work product to exercise discretion in the
scope of patient safety work product disclosed, even though neither
patient nor reporter authorization is required. Disclosers are
[[Page 8145]]
encouraged to consider whether the disclosure of identifying
information regarding patients and reporters is necessary to accomplish
the particular purpose of the disclosure. As discussed below, if the
disclosing entity is a HIPAA covered entity, the HIPAA Privacy Rule,
including the minimum necessary standard when applicable, would apply
to the disclosure of protected health information contained within the
patient safety work product. We seek public comment as to whether the
proposed approach is sufficient to protect the interests of reporters
and patients identified in the patient safety work product permitted to
be disclosed pursuant to identifiable provider authorizations. Does
this approach sufficiently balance the interests of the patients and
reporters and their confidentiality versus the purposes for which the
providers are authorizing the disclosures?
The Patient Safety Act does not specify the form of the
authorization by a provider to come within this disclosure exception or
a timeframe for recordkeeping. We propose that an authorization be in
writing, be signed by the authorizing provider, and give adequate
notice to the provider of the nature and scope of the disclosures
authorized. The content of the authorization should fairly inform the
provider as to the nature and scope of the identifiable patient safety
work product to be disclosed to ensure the provider is making a knowing
authorization. We do not intend that each authorization identify the
specific patient safety work product to be disclosed. Such a
requirement would be unworkable in complex health care arrangements
existing today. Rather, an authorization can be general, (e.g.,
referring to categories of patient safety work product) and even to
patient safety work product to be created in the future, so long as the
authorization can be determined to have reasonably informed the
authorizing provider of the scope of the authorized disclosure. The
authorization requirement also enables providers to place limits on
disclosures made pursuant to this proposed exception regarding patient
safety work product identifying the provider. Any disclosure must be
made in accordance with the terms of the signed authorization, but we
do not require that any specific terms be included, only that such
terms regarding the scope of the authorized disclosure of patient
safety work product be adhered to. We seek public comment on whether a
more stringent standard would be prudent and workable, such as an
authorization process that is disclosure specific (i.e., no future
application or a one time disclosure only authorization).
We also propose that any authorization be maintained by the
disclosing entity or person for a period of six years from the date of
the last disclosure made in reliance on the authorization, the limit of
time within which the Secretary must initiate an enforcement action.
While we recognize that a prudent person disclosing patient safety work
product under this disclosure will likely maintain records in order to
support a claim that such disclosure was permissible, nonetheless we
require a six year retention of authorizations so that, if challenged,
the Secretary may examine authorizations to determine whether a
disclosure was valid pursuant to this disclosure provision. While we
would not be monitoring or penalizing a person for lack of maintenance
of an authorization, the failure to present a valid authorization will
raise significant concerns regarding the permissibility of a disclosure
pursuant to this permission.
With respect to compliance with the HIPAA Privacy Rule for patient
safety work product that contains individually identifiable health
information, authorization by a provider pursuant to this permitted
disclosure does not permit a HIPAA covered entity or such a HIPAA
covered entity's business associate to release such protected health
information contained in the patient safety work product under the
HIPAA Privacy Rule. Therefore, either the individually identifiable
health information must be de-identified or the release of the
individually identifiable health information must otherwise be
permitted under the HIPAA Privacy Rule. Because this disclosure does
not limit the purposes for which identifiable patient safety work
product may be released with the provider's authorization, a HIPAA
covered entity would need to review releases on a case-by-case basis to
determine if there is an applicable provision in the HIPAA Privacy Rule
that would otherwise permit such disclosure.
(4) Proposed Sec. 3.206(b)(4)--Patient Safety Activities
Section 922(c)(2)(A) of the Public Health Service Act, 42 U.S.C.
299b-22(c)(2)(A), permits the disclosure of identifiable patient safety
work product for patient safety activities. Proposed Sec. 3.206(b)(4)
permits the disclosure of identifiable patient safety work product for
patient safety activities (i) by a provider to a PSO or by a PSO to
that disclosing provider; or (ii) by a provider or a PSO to a
contractor of the provider or PSO; or (iii) by a PSO to another PSO or
to another provider that has reported to the PSO, or by a provider to
another provider, provided, in both cases, certain direct identifiers
are removed. Patient safety activities are the core mechanism by which
providers may disclose patient safety work product to obtain external
expertise from PSOs. PSOs may aggregate information from multiple
providers, and communicate feedback and analyses to providers.
Ultimately, it is through such communications that much of the
improvement in patient safety may occur. Thus, the rule needs to
facilitate the communication between a provider and one or more PSOs.
To further this essential statutory purpose, we propose to allow
providers to disclose identifiable patient safety work product to PSOs;
one of the ways that information can become patient safety work product
is through reporting of it to a PSO. We also propose to allow PSOs to
reciprocally disclose patient safety work product back to such
providers for patient safety activities. This free flow of information
will ensure that the statute's goals of collecting, aggregating, and
analyzing patient safety event information as well as disseminating
recommendations for safety and quality improvements are achieved. Such
a dialogue will allow both providers and PSOs to take a shared role in
the advancement of patient safety improvements.
In addition, we recognize that there may be situations where
providers and PSOs want to engage contractors who are not agents to
carry out patient safety activities. Thus, the proposal would allow
disclosures by providers to their contractors who are not workforce
members and by PSOs to their contractors who are not workforce members.
Contractors may not further disclose patient safety work product,
except to the entity from which they first received the information. We
note that this limitation does not preclude a provider or PSO from
exercising its authority under section 922(g)(4) of the Public Health
Service Act, 42 U.S.C. 299b-22(g)(4), to separately delegate its power
to the contractor to make other disclosures. Although we do not require
a contract between a provider or PSO and its contractor, we expect that
most providers and PSOs will engage in prudent practices when
disclosing confidential patient safety work product for patient safety
activities, (i.e., ensuring such information is narrowly used by the
contractor solely for the purpose for which disclosed and
[[Page 8146]]
adequately protected from wrongful disclosure).
While the permission allows the necessary communication as between
a single provider and its PSO, such exchanges may not be sufficient. It
is possible to conceive of meaningful patient safety activities
occurring between two PSOs or between a PSO and a provider that is
different than the original reporting provider, or between two
providers. For example, PSOs may be able to more effectively aggregate
patient safety work product if such expanded sharing of information is
permitted. Aggregation may help PSOs pool sufficient information to
achieve contextual nonidentification, in accordance with Sec.
3.212(a)(ii), but keep meaningful data in the information when
disclosing to the network of patient safety databases contemplated in
section 923 of the Public Health Service Act, 42 U.S.C. 299b-23.
Providers may be able to collaborate and learn more efficiently about
patient safety solutions if such sharing is permitted. At the same
time, we are concerned that, without any limitation on such sharing,
providers may be not only reluctant to disclose patient safety work
product, but also potentially reticent to participate at all in patient
safety activities, given the sensitive nature of the information, and
the potential lack of certainty with respect to where the information
might ultimately be disclosed.
Balancing these concerns, we are proposing that other than the
reporting relationship between a provider and a PSO, PSOs be permitted
to disclose patient safety work product to other PSOs or to other
providers that have reported to the PSO, and providers be permitted to
make disclosures to other providers, for patient safety activities,
with provider and reporter identifiers in an anonymized (i.e., with
certain direct identifiers removed, but not nonidentifiable under the
proposed rule) or encrypted but not fully nonidentified form. For
patient identifiers, the HIPAA Privacy Rule limited data set standard
would apply. See 45 CFR 164.514(e). To anonymize the provider or
reporter identifiers in the patient safety work product, the disclosing
entity must remove the following direct identifiers of any providers
and of affiliated organizations, corporate parents, subsidiaries,
practice partners, employers, members of the workforce, or household
members of such providers: (1) Names; (2) Postal address information,
other than town or city, State and zip code; (3) Telephone numbers; (4)
Fax numbers; (5) Electronic mail addresses; (6) Social security numbers
or taxpayer identification numbers; (7) Provider or practitioner
credentialing or DEA numbers; (8) National provider identification
number; (9) Certificate/license numbers; (10) Web Universal Resource
Locators (URLs); (11) Internet Protocol (IP) address numbers; (12)
Biometric identifiers, including finger and voice prints; and (13) Full
face photographic images and any comparable images. Removal of such
identifiers may be absolute or may be done through encryption, provided
that the disclosing entity does not disclose the key to the encryption
or the mechanism for re-identification.
We have not proposed an unrestricted disclosure of identifiable
patient safety work product to any person for patient safety
activities. It is our understanding that disclosures to persons other
than those proposed above do not need identifiable patient safety work
product and that sufficient information may be communicated with
nonidentifiable patient safety work product; we seek comment on this
issue. Similarly, we recognize that nonidentifiable patient safety work
product may have more limited usefulness due to the removal of key
elements of identification; however, we have no basis for opening the
patient safety activity disclosure permission further without specific
examples of beneficial disclosures prohibited by our proposal.
The exchange of patient safety work product for patient safety
activities permits extensive sharing among both providers and PSOs
interested in improving patient safety. As patient safety work product
is disclosed, however, it continues to be protected by the
confidentiality provisions. The permission allows continual exchange of
information without breach of confidentiality. At any time and as
needed, information may be nonidentified, and the patient safety
activities disclosure may be employed for this purpose.
Moreover, providers and PSOs are capable of imposing greater
confidentiality requirements for the future use and disclosure of the
patient safety work product through private agreements (see section
922(g)(4) of the Public Heath Service Act, 42 U.S.C. 299b-22(g)(4)).
However, we note that the government would not be permitted to apply
civil money penalties under this Part based on a violation of a private
agreement that was not a violation of the confidentiality provisions.
Compliance With the HIPAA Privacy Rule
With respect to compliance with the HIPAA Privacy Rule, the Patient
Safety Act establishes that PSOs shall be treated as business
associates; and patient safety activities performed by, or on behalf
of, a covered provider by a PSO are deemed health care operations as
defined by the HIPAA Privacy Rule. A HIPAA covered entity is permitted
to use or disclose protected health information as defined at 45 CFR
160.103 without an individual's authorization for its own health care
operations and, in certain circumstances (which would include patient
safety activities), for the health care operations of another HIPAA
covered entity (e.g., HIPAA covered provider) under 45 CFR 164.506. To
share protected health information with another HIPAA covered entity
for that entity's health care operations, both HIPAA covered entities
must share a patient relationship with the individual who is the
subject of the protected health information and the protected health
information that is shared must pertain to that relationship.
In addition, in cases where providers and PSOs share anonymized
patient safety work product, providers may disclose a limited data set
of patient information. Under 45 CFR 164.514(e)(3), a HIPAA covered
entity may use or disclose a limited data set for the purpose of health
care operations, including patient safety activities. Such disclosures,
however, must be accompanied by a data use agreement, ensuring that the
limited data set recipient will only use or disclose the protected
health information for limited purposes. See 45 CFR 164.514(e)(4).
We seek comment regarding whether the HIPAA Privacy Rule definition
for health care operations should contain a specific reference to
patient safety activities conducted pursuant to this regulatory scheme.
A health care provider that is a HIPAA covered entity may not disclose
identifiable patient safety work product that is protected health
information to a PSO unless that PSO is performing patient safety
activities (as a health care operation) for that provider. Under this
exception for patient safety activities, a health care provider that is
a HIPAA covered entity may disclose identifiable patient safety work
product that is protected health information to another provider (1)
for the sending provider's patient safety activities; (2) for the
patient safety activities of an organized health care arrangement
(OHCA) (as defined at 45
[[Page 8147]]
CFR 160.103) if both the sending and receiving provider participate in
the OHCA; or (3) to another provider for the receiving provider's
patient safety activities if the protected health information relates
to a common patient (including to determine that there is a common
patient). We further seek comment regarding whether the provision
permitting the disclosure of protected health information for health
care operations at 45 CFR 164.506 should be modified to conform to the
patient safety work product disclosures for patient safety activities
set forth herein.
(5) Proposed Sec. 3.206(b)(5)--Disclosure of Nonidentifiable Patient
Safety Work Product
Proposed Sec. 3.206(b)(5) permits the disclosure of
nonidentifiable patient safety work product when the patient safety
work product meets the standard for nonidentification in proposed Sec.
3.212. This implements section 922(c)(2)(B) of the Public Health
Service Act, 42 U.S.C. 299b-22(c)(2)(B). Under proposed Sec.
3.206(b)(5), nonidentifiable patient safety work product may be
disclosed by any entity or person that holds the nonidentifiable
patient safety work product without violating the confidentiality
provisions. Moreover, any provider, PSO or responsible person may
nonidentify patient safety work product. As described in proposed Sec.
3.208(b)(ii), nonidentifiable patient safety work product, once
disclosed, loses its privilege and confidentiality protection. Thus, it
may be redisclosed by its recipient without any Patient Safety Act
limitations.
Nonidentification Standard
The nonidentification standard is proposed at Sec. 3.212. However,
we will discuss that standard at this point in the preamble due to its
connection with the disclosure permission for nonidentifiable patient
safety work product at proposed Sec. 3.206(b)(5). Proposed Sec. 3.212
would establish the standard by which patient safety work product will
be determined nonidentifiable. The determination of what constitutes
nonidentifiable patient safety work product is important because the
standard for nonidentification effectively creates the boundary between
protected and unprotected patient safety work product.
Under the Patient Safety Act and this Part, identifiable patient
safety work product includes information that identifies any provider
or reporter or contains individually identifiable health information
under the HIPAA Privacy Rule (see 45 CFR 160.103). See section 921(2)
of the Public Health Service Act, 42 U.S.C. 299b-21(2). By contrast,
nonidentifiable patient safety work product does not include
information that permits identification of any provider, reporter or
subject of individually identifiable health information. See section
921(3) of the Public Health Service Act, 42 U.S.C. 299b-21(3).
Because individually identifiable health information as defined in
the HIPAA Privacy Rule is one element of identifiable patient safety
work product, the de-identification standard provided in the HIPAA
Privacy Rule applies with respect to the patient-identifiable
information in the patient safety work product. Therefore, where
patient safety work product contains individually identifiable health
information, that information must be de-identified in accordance with
45 CFR 164.514(a)-(c) to qualify as nonidentifiable patient safety work
product with respect to individually identifiable health information
under the Patient Safety Act.
We propose that patient safety work product be contextually
nonidentifiable in order to be considered nonidentifiable for the
purposes of this rule. Contextual nonidentification of both providers
and reporters would match the standard of de-identification in the
HIPAA Privacy Rule. We are proposing two methods by which
nonidentification can be accomplished which are similar to the
standards for de-identification under the HIPAA Privacy Rule: (1) A
statistical method of nonidentification and (2) the removal of 15
specified categories of direct identifiers of providers or reporters
and of parties related to the providers and reporters, including
corporate parents, subsidiaries, practice partners, employers,
workforce members, or household members, and that the discloser have no
actual knowledge that the remaining information, alone or in
combination with other information reasonably available to the intended
recipient, could be used to identify any provider or reporter (i.e., a
contextual nonidentification standard).
In proposed Sec. 3.212(a)(1), the first method for rendering
patient safety work product nonidentifiable with respect to a provider
or reporter, we propose that patient safety work product can be
nonidentified if a person with appropriate knowledge of and experience
with generally accepted statistical and scientific principles and
methods for rendering information not individually identifiable
applying such principles and methods, determines that the risk is very
small that the information could be used, alone or in combination with
other reasonably available information, by an anticipated recipient to
identify an identified provider or reporter.
We believe that this method of nonidentification may sometimes be
preferable to the safeharbor method proposed in Sec. 3.212(a)(2)
discussed below and may be especially useful when aggregating data for
populating the network of patient safety databases referenced in
section 923 of the Public Health Service Act, 42 U.S.C. 299b-23. Under
this proposal, if a statistician makes a determination as described
above and documents the analysis, patient safety work product could be
labeled as nonidentifiable even though it contains detailed clinical
information and some potentially identifiable information such as zip
codes.
In proposed Sec. 3.212(a)(2), the second method for rendering
patient safety work product nonidentifiable with respect to a provider
or reporter, we outline a process as a safeharbor requiring that the
disclosing entity remove a list of specific typical identifiers and
have no actual knowledge that the information to be disclosed could be
used, alone or in combination with other information that is reasonably
available to the intended recipient, to identify the particular
provider or reporter. We have limited the knowledge component to that
which is known to be reasonably available to the intended recipient in
order to provide data custodians with a workable knowledge standard.
With the contextual nonidentification standard in place, providers will
have the most confidence that their identities will not be derived from
nonidentifiable information and will be more likely to participate in
the program. Moreover, requiring that patient safety work product be
contextually nonidentifiable is consistent with the de-identification
standard for patient identities, as described above.
We recognize that the more stringent the nonidentifiable patient
safety work product standard is, the more cost, burden, and risk of
error in nonidentification there will be to the disclosing entity. We
also acknowledge that our proposal introduces uncertainty and
subjectivity into the standard, making it a harder standard to enforce.
The proposed standard may require the removal of more clinical and
demographic information than would be removed in the absence of the
contextual nonidentification requirement, and the resulting information
would likely be less useful
[[Page 8148]]
to a recipient. This outcome would particularly impact the network of
patient safety databases of nonidentifiable patient safety work product
to be established under section 923 of the Public Health Service Act,
42 U.S.C. 299b-23. In particular, the information that ultimately
resides in the network may have reduced utility and a reduced capacity
to contribute to the evaluation of patient safety issues.
To mitigate these concerns, this standard would work in conjunction
with a separate permission for sharing identifiable patient safety work
product through the patient safety activities disclosure. Disclosures
as patient safety activities should enable the aggregation of
sufficient patient safety work product to allow contextual
nonidentification without the removal of all important specific
clinical and demographic details. We invite comment on the proposed
standards and approaches. For example, we are interested in knowing
whether, under a contextual nonidentification standard, it is possible
to have any geographical identifiers; and if so, at what level of
detail (state, county, zip code). We are also interested in public
comments regarding whether there are alternative approaches to
standards for entities determining when health information can
reasonably be considered nonidentifiable.
Re-identification
We permit a provider, PSO, or other disclosing entity or person to
assign a code or other means of record identification to allow
information made nonidentifiable to be re-identified by the disclosing
person, provided certain conditions that further the goal of
confidentiality are met regarding such code or other means of record
identification. Further, a discloser may not release any key or other
information that would enable a recipient to re-identify any provider
or reporter or subject of individual identifiable health information.
We propose to permit a re-identification mechanism to facilitate
follow-up inquiries regarding, and analysis of, nonidentified patient
safety work product that has been disclosed, such as from users of the
network of patient safety databases when analyzing national and
regional statistics. Such keys would not be for the purpose of
permitting re-identification of patient safety work product obtained
through the network of databases. Rather, such keys would facilitate
the investigation of data anomalies reported to the network, correction
of nonidentifiable records, and the potential to avoid duplicate
records when richer information may be made available due to
aggregation. Finally, with respect to HIPAA compliance, we note that,
because nonidentified patient safety work product will, by definition,
be de-identified information under the HIPAA Privacy Rule, a disclosure
under Sec. 3.206(b)(5) will not violate the HIPAA Privacy Rule.
(6) Proposed Sec. 3.206(b)(6)--For Research
Proposed Sec. 3.206(b)(6) describes the disclosure of identifiable
patient safety work product to entities carrying out research,
evaluations, or demonstration projects that are funded, certified, or
otherwise sanctioned by rule or other means by the Secretary. This
disclosure is not for general research. Any research for which patient
safety work product is disclosed under this exception must be
sanctioned by the Secretary. See section 922(c)(2)(C) of the Public
Health Service Act, 42 U.S.C. 299b-22(c)(2)(C). Research that is not
sanctioned by the Secretary is insufficient to be a basis for the
disclosure of patient safety work product under this exception.
Further, although disclosure can be made for any research, evaluation,
or demonstration project sanctioned by the Secretary, we expect that
most research that may be subject to this disclosure permission will be
related to the methodologies, analytic processes, and interpretation,
feedback and quality improvement results from PSOs, rather than general
medical, or even health services, research. Patient safety work product
disclosed for research under this provision continues to be
confidential and privileged.
Section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C.
299b-22(c)(2)(C), requires that patient safety work product which
identifies patients may only be released to the extent that protected
health information would be disclosable for research purposes under the
HIPAA Privacy Rule. Under 45 CFR 164.512(i), a HIPAA covered entity may
use or disclose protected health information for research, without the
individual's authorization, provided that there is a waiver (or
alteration of waiver) of authorization by either an Institutional
Review Board (IRB) or a Privacy Board. The IRB/Privacy Board evaluates
the request against various criteria that measure the privacy risk to
the individuals who are the subjects of the protected health
information.\17\ The HIPAA Privacy Rule only operates with respect to
the identifiable health information of patients when held by a HIPAA
covered entity or its business associate, and does not address the
rights of individuals who may otherwise be the subject of the research.
---------------------------------------------------------------------------
\17\ The following are the waiver criteria at 45 CFR
164.512(i)(2)(ii):
(A) The use or disclosure of protected health information
involves no more than a minimal risk to the privacy of individuals,
based on, at least, the presence of the following elements:
a. An adequate plan to protect the identifiers from improper use
and disclosure;
b. An adequate plan to destroy the identifiers at the earliest
opportunity consistent with conduct of the research, unless there is
a health or research justification for retaining the identifiers or
such retention is otherwise required by law; and
c. Adequate written assurances that the protected health
information will not be reused or disclosed to any other person or
entity, except as required by law, for authorized oversight of the
research study, or for other research for which the use or
disclosure of protected health information would be permitted by
this subpart;
(B) The research could not practicably be conducted without the
waiver or alteration; and
(C) The research could not practicably be conducted without
access to and use of the protected health information.
---------------------------------------------------------------------------
We tentatively conclude that the language in the Patient Safety Act
that applies the exception ``to the extent that disclosure of protected
health information would be allowed for research purposes under the
HIPAA [Privacy Rule]'' is intended to apply the HIPAA Privacy Rule
research provisions at 45 CFR 164.512(i) only to HIPAA covered entities
when they release identifiable patient safety work product containing
protected health information for research. This interpretation would
result in the HIPAA Privacy Rule research standards being preserved in
their application to HIPAA covered entities without burdening non-
covered entities with HIPAA compliance.
We note that our interpretation of section 922(c)(2)(C) of the
Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(C), is not a bar to
the disclosure of identifiable patient safety work product by entities
or persons that are not HIPAA covered entities. We further note that
for providers, reporters and other persons identified in patient safety
work product disclosed for research purposes, the Common Rule, which is
applicable to research conducted or supported by the Secretary, and the
FDA human subjects protection regulations will provide appropriate
protections to any natural persons who would be deemed subjects of the
research.
With regard to research, the incorporation by reference of the
HIPAA Privacy Rule should provide for the proper alignment of
disclosures for research purposes. However, the exception under the
Patient Safety Act also refers to evaluations and demonstration
projects. Some of these activities may meet the definition of research
under the HIPAA Privacy Rule, while other activities may not result in
generalizable knowledge, but may
[[Page 8149]]
nonetheless meet the definition of health care operations under the
HIPAA Privacy Rule. Where the disclosure of protected health
information for evaluations and demonstration projects are permitted as
health care operations under the HIPAA Privacy Rule, HIPAA covered
entities disclosing patient safety work product that includes protected
health information under this exception could do so without violation
of the HIPAA Privacy Rule.
(7) Proposed Sec. 3.206(b)(7)--To the Food and Drug Administration
Section 922(c)(2)(D) of the Public Health Service Act, 42 U.S.C.
299b-22(c)(2)(D) permits the disclosure by a provider to the FDA with
respect to a product or activity regulated by the FDA. Proposed Sec.
3.206(b)(7) permits the disclosing by providers of patient safety work
product concerning products or activities regulated by the Food and
Drug Administration (FDA) to the FDA or to an entity required to report
to the FDA concerning the quality, safety, or effectiveness of an FDA-
regulated product or activity. For example, hospitals and health care
professionals may disclose patient safety work product concerning the
safety of drugs, medical devices, biological products, and dietary
supplements, or vaccine and medical device adverse experiences to the
FDA as part of an FDA monitoring or alert system. The proposed
provision also permits sharing between the FDA, entities required to
report to the FDA concerning the quality, safety, or effectiveness of
an FDA-regulated product or activity, and their contractors for the
same purposes. Patient safety work product disclosed pursuant to this
disclosure permission continues to be confidential and privileged.
The FDA has monitoring and alert systems in place to assure the
safety of FDA regulated products. These systems rely heavily on
voluntary reports from providers, such as hospitals and health care
professionals. Most reports that hospitals and health care
professionals make directly to the FDA today concerning drugs, medical
devices, biological products, and dietary supplements are voluntary,
although health care professionals are required to report to the FDA
certain vaccine adverse experiences, and user facilities such as
hospitals must report to FDA some medical device adverse experiences.
Manufacturers of drugs, devices, and biological products are required
to report to the FDA concerning adverse experiences, but the
manufacturers themselves must rely on information provided voluntarily
by product users, including hospitals and health care professionals.
There are three provisions of the Patient Safety Act that are
implicated for reporting to the FDA: (1) The disclosure for reporting
to the FDA (section 922(c)(2)(D) of the Public Health Service Act, 42
U.S.C. 299b-22(c)(2)(D)); (2) the clarification as to what is not
patient safety work product which states that information ``collected,
maintained, or developed separately, or [that] exists separately, from
a [patient safety evaluation system]'' is not patient safety work
product, and which, accordingly, can be reported for public health
purposes (section 921(7)(B) of the Public Health Service Act, 42 U.S.C.
299b-21(7)(B)); and (3) the rule of construction which preserves
required reporting to the FDA (section 922(g)(6) of the Public Health
Service Act, 42 U.S.C. 299b-22(g)(6)).
The FDA disclosure provision at proposed Sec. 3.206(b)(7) would be
applicable when patient safety work product is at issue. For example,
the analysis of events by the provider or PSO that constitutes patient
safety work product may generate information that should be reported to
the FDA because it relates to the safety or effectiveness of an FDA-
regulated product or activity. The exception would allow this patient
safety work product to be disclosed to the FDA. Privilege and
confidentiality protections would attach to the patient safety work
product disclosed when received by FDA and continue to apply to any
future disclosures by the FDA.
We tentatively conclude that the statutory language concerning
reporting ``to the FDA'' includes reporting by the provider to the
persons or entities regulated by the FDA and that are required to
report to the FDA concerning the quality, safety, or effectiveness of
an FDA-regulated product or activity. We propose this interpretation to
allow providers to report to manufacturers who are required to report
to the FDA, such as drug manufacturers, without violating this rule.
This interpretation reflects both the rule of construction which
preserves required reporting to the FDA and the goals of this statute
which are to improve patient safety.
We further propose at Sec. 3.206(b)(7)(ii) that the FDA and
entities required to report to the FDA may only further disclose
patient safety work product for the purpose of evaluating the quality,
safety, or effectiveness of that product or activity; such further
disclosures are only permitted between the FDA, entities required to
report to the FDA, their contractors, and disclosing providers. This
permission is crucial to the effective operation of the FDA's
activities and to facilitate the purpose for which the report was made
initially. Thus, the FDA or a drug manufacturer receiving adverse drug
event information that is patient safety work product may engage in
further communications with the disclosing provider(s), for the purpose
of evaluating the quality, safety, or effectiveness of the particular
regulated product or activity, or may work with their contractors.
Moreover, an entity regulated by the FDA may further disclose the
information to the FDA; without this provision, such reporting would
not meet the regulatory intent that disclosures be to the FDA and a
narrow interpretation could impede the FDA's ability to effectuate
improvements through the use of patient safety work product.
We recognize that there may be situations where the FDA or entities
required to report to the FDA want to engage contractors who are not
agents for the purpose of evaluating the quality, safety, or
effectiveness of that product or activity. Thus, the proposal would
allow disclosures to contractors who are not workforce members.
Contractors may not further disclose patient safety work product,
except to the entity from which they first received the information.
Because Congress did not expressly include disclosure to FDA-
regulated entities, we seek public comment on our proposal related to
this interpretation of section 922(c)(2)(D) of the Public Health
Service Act, 42 U.S.C. 299b-22(c)(2)(D). In particular, we question
whether this interpretation will cause any unintended consequences to
disclosing providers.
The HIPAA Privacy Rule at 45 CFR 164.512(b) permits HIPAA covered
entities to disclose protected health information concerning FDA-
regulated activities and products to persons responsible for collection
of information about the quality, safety, and effectiveness of those
FDA-regulated activities and products. Therefore, disclosures under
this exception of patient safety work product containing protected
health information would be permitted under the HIPAA Privacy Rule.
(8) Proposed Sec. 3.206(b)(8)--Voluntary Disclosure to an Accrediting
Body
Proposed Sec. 3.206(b)(8) permits the voluntary disclosure of
identifiable patient safety work product by a provider to an
accrediting body that accredits the disclosing provider. Voluntary
means not compelled, a disclosure that the provider affirmatively chose
to make. Patient
[[Page 8150]]
safety work product disclosed pursuant to this proposed exception
continues to be privileged and confidential.
Under this proposed disclosure, the identifiable patient safety
work product that would be permitted to be disclosed must identify the
disclosing provider, given the Patient Safety Act's explicit linkage of
the disclosing provider to a body that accredits that specific provider
in this permitted disclosure. We believe that the only information that
would be relevant to that provider's accreditation would be information
about the disclosing provider (i.e., actions or inactions of the
disclosing provider), and not information about the provider's
colleagues or any other accredited provider. Thus, a provider may not
use this exception to disclose patient safety work product that is
unrelated to the actual actions of the disclosing provider, such as
information about the provider's colleagues or any other accredited
individual or entity.
An issue arises concerning the identities of other providers,
reporters, or patients contained within the disclosed patient safety
work product. We considered whether to require the patient safety work
product to be nonidentifiable as to providers other than the disclosing
provider, since incidental disclosures of patient safety work product
identifying other providers, especially if they were also accredited by
the same accrediting institution, would not be a voluntary disclosure
by those other providers. However, we do not believe that such an
approach is necessary.
We understand that most providers that are accredited are large
institutions, and in general their accreditors seek vast amounts of
data during the accreditation process, some of which may include
identifiers of practitioners who work in such institutions. We have
preliminarily concluded that the disclosure of patient safety work
product including practitioners in such circumstances will be harmless
because, in many cases, the providers will not be accredited by the
institution's accrediting body.
Even in circumstances where a non-disclosing provider identified by
a provider voluntarily disclosing to an accrediting body is subject to
the accrediting body, we believe the accrediting body will not use the
information. First, we believe it is unlikely that a provider may have
or seek to disclose patient safety work product containing information
about the actions or inactions of a provider also accredited by the
same accrediting body. Second, even if such a disclosure occurs,
although it may not be voluntary as to the non-disclosing provider, we
do not believe the accrediting body will use such information to take
accrediting actions against the non-disclosing provider. We would
expect that an accrediting body may ignore or give little weight to
information about providers not disclosing information directly to the
accrediting body. Such second hand information may be incomplete and
incorrect. We anticipate that accrediting bodies would seek to obtain
information about a provider's actions directly from the subject
provider rather than second hand.
Furthermore, we propose to limit the accrediting body's permission
to further redisclose such patient safety work product. To ensure that
any patient safety work product in the hands of an accrediting body
that contains provider identifiers of a provider who did not
voluntarily disclose to such body, Sec. 3.206(b)(7)(i) proposes that
an accrediting body may not further disclose the patient safety work
product that was originally voluntarily disclosed. As an alternative to
this approach, we could, as proposed in the patient safety activities
disclosure, require that information with respect to non-disclosing
providers be anonymized. See preamble discussion at proposed Sec.
3.206(b)(4). We seek comments as to whether the problem of information
being disclosed non-voluntarily to an accrediting body by non-
disclosing providers requires rendering such information anonymized.
The accrediting body takes the patient safety work product subject
to the confidentiality protection, and would therefore be subject to
civil money penalties for any re-disclosure. The patient safety work
product disclosed under this permission in the hands of the accrediting
body remains privileged and confidential, in accordance with the
continued confidentiality provisions at proposed Sec. 3.208. Thus, it
is incumbent upon the accrediting body to handle and maintain the
patient safety work product in a way that preserves its confidential
status. Such safeguards may include maintaining this information
separately from other accrediting information in a confidential file,
if the other information is not similarly held confidential.
Additionally, the Patient Safety Act includes strong provisions
limiting the disclosure of patient safety work product to accrediting
bodies and limiting the actions an accrediting body may take to seek
patient safety work product. Proposed Sec. 3.206(b)(8)(ii) provides
that an accrediting body may not take an accreditation action against a
provider based on that provider's participation, in good faith, in the
collection, reporting or development of patient safety work product.
Accrediting bodies are also prohibited from requiring a provider to
reveal its communications with any PSO, without regard to whether such
provider actually reports information to a PSO. Thus, a provider may
disclose patient safety work product to an accrediting body
voluntarily, but cannot be compelled or required as a condition of
accreditation to divulge patient safety work product or communications
with a PSO. This subsection is based on the statutory requirements at
section 922(d)(4)(B) of the Public Health Service Act, 42 U.S.C. 299b-
22(d)(4)(B).
Under the HIPAA Privacy Rule, a HIPAA covered entity may disclose
protected health information to an accrediting body for the HIPAA
covered entity's own health care operations, provided there is a
business associate agreement with the accrediting body. Such health
care operations include the activity of accreditation for the HIPAA
covered entity as well as the accreditation of workforce members. Thus,
providers that are HIPAA covered entities or are workforce members of a
HIPAA covered entity that hold the protected health information may
voluntarily disclose identifiable patient safety work product
containing individually identifiable health information to an
accrediting body that accredits that provider, provided there is a
business associate agreement between the HIPAA covered entity and the
accreditation organization.
(9) Proposed Sec. 3.206(b)(9)--Business Operations
Section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C.
299b-22(c)(2)(F), gives the Secretary authority to designate additional
disclosures as permissible exceptions to the confidentiality protection
if such disclosures are necessary for business operations and are
consistent with the goals of the Patient Safety Act. Any patient safety
work product disclosed pursuant to a business operations exception so
designated by the Secretary continues to be confidential and
privileged.
We propose to allow disclosures of patient safety work product by a
provider or a PSO to professionals such as attorneys and accountants
for the business operations purposes of the provider or PSO. A
disclosure to an attorney may be necessary when a provider is seeking
outside legal advice in defending against a malpractice claim or other
litigation, even though the
[[Page 8151]]
information would not be admissible as part of a legal proceeding. A
provider might also need to disclose patient safety work product to an
attorney in the case of due diligence related to a merger, sale or
acquisition. Similarly, a provider may need to disclose patient safety
work product to an accountant who is auditing the books and records of
providers and PSOs. In order to ensure that such routine business
operations are possible, we propose to allow disclosures by providers
and PSOs for business operations to attorneys, accountants, and other
professionals. Professionals such as those identified are usually bound
by professional ethics to maintain the confidences of their clients.
Such contractors may not further disclose patient safety work product,
except to the entity from which it received the information. We note
that this limitation does not preclude a provider or PSO from
exercising its authority under section 922(g)(4) of the Public Health
Service Act, 42 U.S.C. 299b-22(g)(4), to separately delegate its power
to the contractor to make other disclosures.
We note that if a provider or PSO were to disclose relevant patient
safety work product to such professionals, we would rely upon the
professional's legal and ethical constraints not to disclose the
information for any unauthorized purpose. Our presumption is that
professionals are generally subject to a set of governing rules.
Nonetheless, we expect that providers and PSOs who disclose privileged
and confidential information to attorneys, accountants or other
ethically bound professionals for business purposes will engage in the
prudent practice of ensuring such information is narrowly used by the
contractor solely for the purpose for which it was disclosed and
adequately protected from wrongful disclosure.
Because patient safety work product is specialized and highly
confidential information, we have not conceived of any other third
parties to whom it would be appropriate to disclose patient safety work
product as a business operations disclosure. Because we are not
regulating uses, any business operations need within the entity could
occur unimpeded. Although we considered whether to adopt an exception
for activities in the operation of a patient safety evaluation system,
we believe these activities are within the definition of patient safety
activities and, thus, within the confidentiality exception proposed at
Sec. 3.206(b)(4). We seek public comment regarding whether there are
any other consultants or contractors to whom a business operations
disclosure should also be permitted, or whether there are any
additional exceptions for the Secretary's consideration under this
authority.
Under the HIPAA Privacy Rule, at 45 CFR 164.506, HIPAA covered
entities are permitted to disclose protected health information for the
HIPAA covered entity's own health care operations. ``Health care
operations'' are certain activities of a HIPAA covered entity that are
necessary to run its business and to support the core functions of
treatment and payment, including ``conducting or arranging for medical
review, legal services, and auditing functions * * *.'' 45 CFR 164.501.
Thus, a business operation designation by the Secretary that enables a
HIPAA covered entity to disclose patient safety work product containing
protected health information to professionals is permissible as health
care operations disclosures under the HIPAA Privacy Rule. Generally
such professionals would fall within the definition of business
associate at 45 CFR 160.103 and would require a business associate
agreement.
The Secretary's Business Operations Exception Designation Authority
Section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C.
299b-22(c)(2)(F), gives the Secretary broad authority to designate
additional exceptions that are necessary for business operations and
are consistent with the goals of the Patient Safety Act. At this point,
we plan to designate additional exceptions only through regulation.
Although the Patient Safety Act establishes that other means are
available for adoption by the Secretary, which we interpret as
including the publication of letters, notice within the Federal
Register or publication on the Department Web site, we believe these
methods may not provide for sufficient opportunity for public comment
or transparency in the development of other business operations
exceptions. Moreover, because an impermissible disclosure that violates
a business operations exception can result in a civil money penalty, we
believe it is important that any proposed business operations exception
be implemented in a way that is unquestionably binding on both the
public and the Department. We invite public comments with respect to
whether the Secretary should incorporate or preserve other mechanisms
for the adoption of business operations exceptions, given that we
cannot anticipate all potential business operations needs at this time.
(10) Proposed Sec. 3.206(b)(10)--Disclosure to Law Enforcement
Proposed Sec. 3.206(b)(10) permits the disclosure of identifiable
patient safety work product to law enforcement authorities, so long as
the person making the disclosure believes--and that belief is
reasonable under the circumstances--that the patient safety work
product disclosed relates to a crime and is necessary for criminal law
enforcement purposes. Under proposed Sec. 3.208, the disclosed patient
safety work product would continue to be privileged and confidential.
We view this exception as permitting, for example, a disclosure by
a whistleblower who would initiate the disclosure to law enforcement.
The focus of this exception is the state of mind of the subject
discloser. In making a disclosure, the discloser must reasonably
believe that the event constitutes a crime and that the patient safety
work product disclosed is necessary for criminal law enforcement
purposes. The discloser need not be correct in these determinations,
but his beliefs must be objectively reasonable. This standard provides
some constraint on the discloser, and further protects against a
release merely in response to a request by law enforcement.
Patient safety work product received by law enforcement under this
exception continues to be confidential and privileged. The law
enforcement entity receiving the patient safety work product may use
the patient safety work product to pursue any law enforcement purposes;
however, because the patient safety work product disclosed to law
enforcement entities under the Patient Safety Act and proposed Sec.
3.206(b)(10) remains privileged and confidential, the law enforcement
entity can only disclose such patient safety work product--including in
a court proceeding--as permitted by this proposed rule.
We further propose that a law enforcement entity be permitted to
redisclose the patient safety work product it receives under this
exception to other law enforcement entities as needed for law
enforcement activities related to the event that gave rise to the
disclosure. We seek comment regarding whether these provisions allow
for legitimate law enforcement needs, while ensuring appropriate
protections.
We note that disclosure pursuant to this exception does not except
patient safety work product from the privilege protection. Thus,
patient safety work product cannot be subpoenaed, ordered, or entered
into evidence in a criminal or civil proceeding through this exception;
[[Page 8152]]
nor should a discloser rely solely on a law enforcement agent's
statement that such information is necessary for law enforcement
purposes. As already discussed, the Patient Safety Act framework
permits an exception from privilege protection or law enforcement
compulsion only in very narrow circumstances (see above privilege
exception discussion). Under section 922(c)(1)(A) of the Public Health
Service Act, 42 U.S.C. 299b-22(c)(1)(A), patient safety work product
may be disclosed for use in a criminal proceeding, but only after a
judge has determined by means of an in camera review that the patient
safety work product is material to a criminal proceeding and not
reasonably available from any other source. Even after its use in such
a criminal proceeding, and the lifting of the confidentiality
protections with respect to such patient safety work product, the
privilege protection continues. In light of the strict privilege
protections for this information, we do not interpret this law
enforcement disclosure exception as allowing the disclosure of patient
safety work product based on a less compelling request by law
enforcement for its release. The decision as to whether a discloser
reasonably believes that the patient safety work product is necessary
for a law enforcement purpose is the discloser's decision alone,
provided that the decision is reasonable.
While the HIPAA Privacy Rule permits disclosures by HIPAA covered
entities to law enforcement under a variety of circumstances, few align
well with the proposed interpretation of this exception as being
limited to disclosures to law enforcement initiated by the HIPAA
covered entity. Although there is a very narrow set of HIPAA Privacy
Rule permissions under which a HIPAA covered entity as a holder of
patient safety work product would be allowed to release patient safety
work product that contains protected health information to law
enforcement, we note that a HIPAA covered entity would be permitted to
de-identify the protected health information, in which case only the
Patient Safety Act would apply to the disclosure of the patient safety
work product. If the protected health information is needed by law
enforcement, the HIPAA Privacy Rule has standards that permit the
release of protected health information in response to certain law
enforcement processes. If such information is not patient safety work
product, it would not be subject to the privilege protections of the
Patient Safety Act.
(C) Proposed Sec. 3.206(c)--Safe Harbor
Proposed Sec. 3.206(c) is based on section 922(c)(2)(H) of the
Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(H). This provision
permits the disclosure of identifiable patient safety work product when
that information does not include oral or written materials that either
contain an assessment of the quality of care of an identifiable
provider or describe or pertain to the actions or failure to act of an
identifiable provider. The use of this exception is limited to persons
other than PSOs. This provision essentially prohibits the disclosure of
a subject provider's identity with information, whether oral or
written, that: (1) Assesses that provider's quality of care; or (2)
identifies specific acts attributable to such provider. Thus, a
permissible disclosure may include a provider's identity, so long as no
``quality information'' about the subject provider is also disclosed
and so long as it does not describe or pertain to an action or failure
to act by the subject provider.
We propose that the provider identity element under this exception
means the identity of any provider that is a subject of the patient
safety work product. In other words, if the patient safety work product
does not contain quality information about a particular provider or
describe or pertain to any actions or failures to act by the provider,
such provider could be identifiable within the patient safety work
product disclosed pursuant to this exception. For example, if a nurse
reports a patient safety event, but was not otherwise involved in the
occurrence of that event, the nurse could be named in the disclosure.
Providers that cannot be identified are those about whom the patient
safety work product assesses the quality of care or describes or
pertains to actions or failures to act of that provider. We propose
that the threshold for identification of a provider will be determined
in accordance with the nonidentification standard set forth in proposed
Sec. 3.210. Thus, confidential patient safety work product disclosed
under this exception may identify providers, reporters or patients so
long as the provider(s) that are the subject of the actions described
are nonidentified.
In general, the determination with respect to the content of
quality information is straightforward. We also interpret quality
information to include the fact that patient safety work product
exists, without the specifics of the patient safety event at issue. For
example, if a provider employee discloses to a friend that a particular
surgeon had an incident reported to the PSO, without actually
describing this incident, the fact that the surgeon was associated with
patient safety work product would be a prohibited disclosure.
This is the only exception that defines prohibited conduct, rather
than permitted conduct. We recognize that institutional providers, even
practitioners offices, are communities unto themselves. We
preliminarily interpret this exception as creating a narrow safe harbor
for disclosures, possibly inadvertent, which may occur by a provider or
other responsible person, when the patient safety work product does not
reveal a link between a subject provider and the provider's quality of
care or an action or failure to act by that subject provider. By
proposing this provision as a safe harbor, we seek to have it available
to mitigate harmless errors, rather than as a disclosure permission
that may render all other disclosure permissions practically
meaningless.
Under the HIPAA Privacy Rule, HIPAA covered entities are broadly
permitted to disclose protected health information for the HIPAA
covered entity's treatment, payment or health care operations.
Otherwise, specific standards are described that limit the use and
disclosure of protected health information. If such disclosure is made
by a HIPAA covered entity, it is possible that the disclosure of
protected health information would be permissible as a health care
operation, or as incidental to another permitted disclosure.
Nevertheless, examination of whether a HIPAA Privacy Rule standard has
been violated will need to be made on a case-by-case basis.
(D) Proposed Sec. 3.206(d)--Implementation and Enforcement of the
Patient Safety Act
Proposed Sec. 3.206(d) permits the disclosure of relevant patient
safety work product to or by the Secretary as needed for investigating
or determining compliance with this Part or for enforcement of the
confidentiality provisions of this Subpart or in making or supporting
PSO certification or listing decisions under the Patient Safety Act and
Subpart B of this regulation. This disclosure parallels the privilege
exception under proposed Sec. 3.204(c). Patient safety work product
disclosed under this exception remains confidential. This exception
does not limit the ability of the Secretary to disclose patient safety
work product in accordance with the exceptions under proposed Sec.
3.206(b) or this Part. Rather, this proposed section provides a
specific permission pursuant to which
[[Page 8153]]
patient safety work product may be disclosed to the Secretary and the
Secretary may further use such disclosed patient safety work product
for compliance and enforcement purposes.
We propose to permit a disclosure of patient safety work product in
order to allow the Secretary to obtain such information as is needed to
implement and enforce this program, both for the purposes of enforcing
the confidentiality of patient safety work product and for the
oversight of PSOs. Enforcement of the confidentiality provisions
includes the imposition of civil money penalties and adherence to the
prohibition against imposing a civil money penalty for a single act
that violates both the Patient Safety Act and the HIPAA Privacy Rule.
This exception ensures that there will not be a conflict between the
confidentiality obligations of a holder of patient safety work product
and other provisions that allow the Secretary access to protected
information and/or require disclosure to the Secretary for enforcement
purposes. See proposed Sec. Sec. 3.110, 3.210, and 3.310. Although the
statute does not explicitly address this disclosure, we believe that
the authority to disclose to the Secretary for these purposes is
inherent in the statute, and that this disclosure is permitted and
necessary to meaningfully exercise our authority to enforce against
breaches of confidentiality as well as to ensure that PSOs meet their
certification attestations if needed. Proposed Sec. 3.312(c) discusses
the limitations on what the Secretary may do with any patient safety
work product obtained pursuant to an investigation or compliance review
regarding an alleged impermissible disclosure.
This proposed provision would permit the disclosure of patient
safety work product to the Secretary or disclosure by the Secretary so
long as such disclosure is limited to the purpose of implementation and
enforcement of these proposed regulations. Such disclosure would
include the introduction of patient safety work product into
proceedings before ALJs or the Board under proposed Subpart D by the
Secretary, as well as the disclosure during investigations by the
Secretary, or activities in reviewing PSO certifications by AHRQ.
Disclosures of patient safety work product made to the Board or other
parts of the Department that are received by workforce members, such as
contractors operating electronic web portals or mail sorting and paper
scanning services, would be permitted as a disclosure to the Secretary
under this proposed provision. This provision would also permit the
Board to disclose any patient safety work product in order to properly
review determinations or to provide records for court review.
We believe strongly in the protection of patient safety work
product as provided in the Patient Safety Act and the proposed
regulations, and seek to minimize the risk of improper disclosure of
patient safety work product by using and disclosing patient safety work
product only in limited and necessary circumstances. With respect to
disclosures to an ALJ or the Board, we note that the Board has numerous
administrative, technical and physical safeguards available to protect
sensitive information. For example, the Board has the authority to:
Enter protective orders; hold closed hearings; redact records;
anonymize names of cases and parties prior to publishing opinions; and
put records under seal. It routinely maintains a controlled
environment; trains staff about proper handling of confidential
information; flags confidential information in records prior to
archiving cases and shreds copies of case files, etc. Most importantly,
understanding that any patient safety work product that is used in an
enforcement proceeding is sensitive, the Board would seek to include
only information in an opinion that is necessary to the decision, and
omit any extraneous sensitive information that is not needed for its
judgments.
This proposed provision also requires that patient safety work
product disclosed to or by the Secretary must be necessary for the
purpose for which the disclosure is made. We intend that any disclosure
made pursuant to this proposed provision be limited in the amount of
patient safety work product disclosed to accomplish the purpose of
implementation, compliance, and enforcement. We discuss our anticipated
uses and protections further in proposed Subpart D.
(E) Proposed Sec. 3.206(e)--No Limitation on Authority To Limit or
Delegate Disclosure or Use
Proposed Sec. 3.206(e) reflects the Patient Safety Act's rule of
construction in section 922(g)(4) of the Public Health Service Act, 42
U.S.C. 299b-22(g)(4), establishing that a person holding patient safety
work product may enter into a contract that requires greater
confidentiality protections or may delegate its authority to make a
disclosure in accordance with this Subpart. For example, a provider may
delegate its permission (which it may have as a provider) to disclose
to the FDA under proposed Sec. 3.206(b)(7) to a PSO through a
contractual arrangement. In such a case, the PSO would be acting on
behalf of the provider in making disclosures to the FDA. Without the
delegated permission, it would, in this scenario, be impermissible for
the PSO to disclose identifiable patient safety work product to the
FDA, and a PSO that made such a disclosure could be subject to a civil
money penalty. However, if a delegation of disclosing authority exists,
the delegating person would be responsible for the disclosures of the
delegee. Thus, in the example above, if the PSO made an impermissible
disclosure, the delegating provider could be liable under the principle
of principal liability for the acts of its agent. The PSO making the
disclosure could also be liable. See discussion in proposed Sec.
3.402(b). Neither the statute nor the proposed rule limits the
authority of a provider to place limitations on disclosures or uses.
For example, a provider may require that a PSO remove all employee
names prior to disclosing any patient safety work product despite such
disclosure being permissible under this Subpart with the names
included.
3. Proposed Sec. 3.208--Continued Protection of Patient Safety Work
Product
Proposed Sec. 3.208 provides that the privilege and
confidentiality protections continue to apply to patient safety work
product when disclosed and describes the narrow circumstances when the
protections terminate. Generally, when identifiable patient safety work
product is disclosed, whether pursuant to a permitted exception to
privilege and/or confidentiality or disclosed impermissibly, that
patient safety work product continues to be privileged and
confidential. Any person receiving such patient safety work product
receives that patient safety work product pursuant to the privilege and
confidentiality protections. The receiving person holds the patient
safety work product subject to these protections and is generally bound
by the same limitations on disclosure and the potential civil money
penalty liability if he or she discloses the patient safety work
product in a manner that warrants imposition of a civil money penalty
under proposed Subpart D.
An example would be if identifiable patient safety work product is
disclosed to a provider's employee for patient safety activities, the
identifiable patient safety work product disclosed to the employee
would be confidential and the employee would be subject to civil money
penalty liability for any knowing
[[Page 8154]]
or reckless disclosure of the patient safety work product in
identifiable form not permitted by the exceptions. Similarly, if
confidential patient safety work product is received impermissibly,
such as by an unauthorized computer access (i.e., hacker), the
impermissible disclosure, even when unintentional, does not terminate
the confidentiality. Thus, the hacker may be subject to civil money
penalty liability for impermissible disclosures of that information.
We do not require that notification of the privilege and
confidentiality of patient safety work product be made with each
disclosure. We also note that the Secretary does not have authority to
impose a civil money penalty for an impermissible breach of the
privilege protection. Rather, any breach of privilege, permissible or
not, would encompass a disclosure and concurrent breach of
confidentiality, subject to penalty under the CMP provisions of the
Patient Safety Act and this proposed rule, unless a confidentiality
exception applied. See the discussion above of confidentiality
protections at proposed Sec. 3.206 and the discussion of the
enforcement provisions at proposed Subpart D.
Nor do we require notification of either the confidentiality of
patient safety work product or the fact that patient safety work
product is being disclosed. The Secretary's authority to impose a civil
money penalty is not dependent upon whether the disclosing entity or
person knows that the information being disclosed is patient safety
work product or whether patient safety work product is confidential
(see discussion under proposed Subpart D). Thus, we do not require that
the disclosure of patient safety work product be accompanied by a
notice as to either the fact that the information disclosed is patient
safety work product or that it is confidential. Labeling does not make
information protected patient safety work product, and the failure to
label patient safety work product does not remove the protection.
However, we do believe that such a notification would be beneficial to
the recipient to alert such recipient to the fact that the information
received should be held in a confidential manner and that knowing or
reckless disclosure in violation of the confidentiality protection may
subject a discloser to civil money penalties. Labeling patient safety
work product may also make it easier for the provider to establish that
such information is privileged patient safety work product. Also, a
notification may also be prudent management for providers, PSOs, and
responsible persons who could be subject to liability under agency
principles for actions of disclosing agents. Moreover, such a
notification policy may serve as a mitigating factor under the factors
outlined under proposed Subpart D. Similarly, labeling of patient
safety work product may be a good practice for the internal management
of information by an entity that holds protected patient safety work
product.
There are two exceptions to the continued protection of patient
safety work product which terminate either the confidentiality or both
the privilege and confidentiality under section 922(d)(2) of the Public
Health Service Act, 42 U.S.C. 299b-22(d)(2). The first exception to
continued protection is an exception to continued confidentiality when
patient safety work product is disclosed for use in a criminal
proceeding, pursuant to proposed Sec. Sec. 3.204(b)(1) and
3.206(b)(1). Proposed Sec. 3.204(b)(1) is an exception to privilege
for the particular proceeding at issue and does not permit the use of
such patient safety work product in other proceedings or otherwise
remove the privilege protection afforded such information. Thus, in the
case of a criminal proceeding disclosure, the privilege continues even
though the confidentiality terminates. In other words, when a court
makes an in camera determination that patient safety work product can
be entered into a criminal proceeding, that information remains
privileged for any future proceedings, but is no longer confidential
and may be further disclosed without restriction.
The second exception to continued protection is when patient safety
work product is disclosed in nonidentifiable form, pursuant to proposed
Sec. Sec. 3.204(b)(4) and 3.206(b)(5). Under both of these exceptions,
the patient safety work product disclosed is no longer confidential,
and may be further disclosed without restriction. The termination of
the continued protections is based on section 922(d)(2) of the Public
Health Service Act, 42 U.S.C. 299b-22(d)(2).
4. Proposed Sec. 3.210--Required Disclosure of Patient Safety Work
Product to the Secretary
We are proposing in Sec. 3.210 that providers, PSOs, and other
persons that hold patient safety work product be required to disclose
such patient safety work product to the Secretary upon a determination
by the Secretary that such patient safety work product is needed for
the investigation and enforcement activities related to this Part, or
is needed in seeking and imposing civil money penalties. Such patient
safety work product disclosed to the Secretary will be excepted from
privilege and confidentiality protections insofar as the Secretary has
a need to use such patient safety work product for the above purposes
which include: accepting, conditioning, or revoking acceptance of PSO
certification or in supporting such actions. See proposed Sec.
3.206(d).
5. Proposed Sec. 3.212--Nonidentification of Patient Safety Work
Product
Proposed Sec. 3.210 establishes the standard by which patient
safety work product will be determined nonidentifiable. For the ease of
the reader, we have discussed this standard within the context of
proposed Sec. 3.206(b)(5), the confidentiality disclosure exception
for nonidentifiable patient safety work product.
D. Subpart D--Enforcement Program
The authority of the Secretary to enforce the confidentiality
provisions of the Patient Safety Act is intended to deter impermissible
disclosures of patient safety work product. Proposed Subpart D would
establish a framework to enable the Secretary to monitor and ensure
compliance with this Part, procedures for imposing a civil money
penalty for breach of confidentiality, and procedures for a hearing
contesting a civil money penalty.
The proposed enforcement program has been designed to provide
maximum flexibility to the Secretary in addressing violations of the
confidentiality provisions to encourage participation in patient safety
activities and achieve the goals of the Patient Safety Act while
safeguarding the confidentiality and protected nature of patient safety
work product under the Patient Safety Act and this part. Failures to
maintain confidentiality may be serious, deleterious and broad-ranging,
and, if unpunished, may discourage participation by providers in the
PSO voluntary reporting system. The Secretary's enforcement authority
will be exercised commensurately to respond to the nature of any such
failure and the resulting harm from such failures. The proposed
regulations seek to provide the Secretary with reasonable discretion,
particularly in areas where the exercise of judgment is called for by
the statute or proposed rules, and to avoid being overly prescriptive
in areas and causing unintended adverse effects where it would be
helpful to gain experience with the practical impact of the proposed
rules.
The provisions of section 1128A of the Social Security Act, 42
U.S.C. 1320a-7a, apply to the imposition of a
[[Page 8155]]
civil money penalty under section 922(f) of the Public Health Service
Act, 42 U.S.C. 299b-22(f), ``in the same manner as'' they apply to the
imposition of civil money penalties under section 1128A itself. Section
1128A(1) of the Social Security Act, 42 U.S.C. 1320a-7a(l), provides
that a principal is liable for penalties for the actions of its agents
acting within the scope of their agency. Therefore, a provider or PSO
will be responsible for the actions of a workforce member when such
member discloses patient safety work product in violation of the
confidentiality provisions while acting within the scope of the
member's agency relationship.
Proposed Sec. Sec. 3.304 through 3.314 are designed to enable the
Secretary to assist with, monitor, and investigate alleged failures
with respect to compliance with the confidentiality provisions.
Proposed Sec. Sec. 3.304 through 3.314 would establish the processes
and procedures for the Secretary to provide technical assistance with
compliance, for filing complaints with the Secretary, and for
investigations and compliance reviews performed by the Secretary.
Proposed Sec. Sec. 3.402 through 3.426 would provide the legal basis
for imposing a civil money penalty, determining the amount of a civil
money penalty, implementing the prohibition on the imposition of a
civil money penalty under both HIPAA and the Patient Safety Act, and
issuing a notice of proposed determination to impose a civil money
penalty and establishing the process that would be relevant subsequent
to the issuance of such a notice, whether or not a hearing follows the
issuance of the notice of proposed determination. These sections also
would contain provisions on the statute of limitations, authority to
settle, collection of any penalty imposed for violation of the
confidentiality provisions, and public notice of the imposition of such
penalties. Finally, proposed Sec. 3.504 addresses the administrative
hearing phase of the enforcement process, including provisions for
appellate review within HHS of a hearing decision and burden of proof
in such proceedings.
Generally, proposed Subpart D is based on the HIPAA Enforcement
Rule, 45 CFR Part 160, Subparts C, D and E. We have closely followed
the HIPAA Enforcement Rule for several reasons. First, because civil
money penalties under both the HIPAA Enforcement Rule and Patient
Safety Act are based on section 1128A of the Social Security Act, 42
U.S.C. 1320a-7a, we believe there is benefit in maintaining a common
approach to enforcement and appeals of such civil money penalty
determinations. Second, we believe that these procedures set forth in
the HIPAA Enforcement Rule, which in turn are based on the procedures
established by the OIG, work and satisfactorily address issues raised
and addressed in prior rulemakings by the Department and the OIG. We do
not reiterate those concerns, or their resolutions, here, but they have
informed our decision making on these proposed rules.
Proposed Sec. Sec. 3.504(b)-(d), (f)-(g), (i)-(k), (m), (n), (t),
(w) and (x) of the proposed rule are unchanged from, or incorporate the
provisions of, the HIPAA Enforcement Rule. For a full discussion of the
basis for these proposed sections, please refer to the proposed and
final HIPAA Enforcement Rule, published on April 18, 2005, at 70 FR
20224 (proposed) and on February 16, 2006, at 71 FR 8390 (final).
Although the preamble discussion of the HIPAA Enforcement Rule pertains
to the HIPAA Administrative Simplification provisions, HIPAA covered
entities, and protected health information under HIPAA, we believe the
same interpretations and analyses are applicable to the Patient Safety
Act confidentiality provisions, providers, PSOs, and responsible
persons, and patient safety work product.
Proposed Sec. Sec. 3.424 and 3.504(a), (e), (h), (l), (o)-(s), (u)
and (v) of the proposed rule also are based on, or incorporate, the
HIPAA Enforcement Rule, but include technical changes made in order to
adapt these provisions to the Patient Safety Act confidentiality
provisions. We discuss these technical changes below but refer to the
proposed and final HIPAA Enforcement Rule for a substantive discussion
of these proposed sections.
For the above proposed sections, while we have chosen not to repeat
our discussion of the rationale for these regulations, we invite
comments regarding whether any further substantive or technical changes
are needed to adapt these provisions to the Patient Safety Act
confidentiality provisions.
The remaining sections in Subpart D of the proposed rule reprint
HIPAA Enforcement Rule provisions in their entirety or constitute
substantive changes from the analogous provisions of the HIPAA
Enforcement Rule. We discuss these proposed sections in full below.
1. Proposed Sec. 3.304--Principles for Achieving Compliance
Proposed Sec. 3.304(a) would establish the principle that the
Secretary will seek the cooperation of providers, PSOs, and responsible
persons in maintaining and preserving the confidentiality of patient
safety work product, relying on the civil money penalty authority when
appropriate to remediate violations. Proposed Sec. 3.304(b) provides
that the Secretary may provide technical assistance to providers, PSOs,
and responsible persons to help them comply with the confidentiality
provisions.
We will seek to achieve compliance through technical assistance and
outreach so that providers, PSOs, and responsible persons that hold
patient safety work product may better understand the requirements of
the confidentiality provisions and, thus, may voluntarily comply by
preventing breaches. However, we believe that the types of events that
are likely to trigger complaints are actual breaches of confidentiality
which will need remedial action (such events cannot be mitigated
through preventive measures alone). Given the existing framework of
peer review systems and other similar processes, we believe that most
providers and patient safety experts already have well-established
mechanisms for using sensitive information while respecting its
confidentiality. Moreover, such persons will have incentives to
maintain the confidentiality of patient safety work product each such
person possesses in the future. Thus, while there may be situations
where an issue may be resolved through technical assistance and
corrective action, we anticipate that the resolution of complaints of
breaches of confidentiality may warrant imposition of a civil money
penalty to deter future non-compliance and similar violations. This
Subpart preserves the discretion of the Secretary to enforce
confidentiality in the manner that best fits the situation.
The Secretary will exercise discretion in developing a technical
assistance program that may include the provision of written material
when appropriate to assist persons in achieving compliance. We
encourage persons to share ``best practices'' for the confidential
utilization of patient safety work product. However, the absence of
technical assistance or guidance may not be raised as a defense to
civil money penalty liability.
2. Proposed Sec. 3.306--Complaints to the Secretary
We are proposing in Sec. 3.306 that any person may file a
complaint with the Secretary if the person believes that a provider,
PSO or responsible person has disclosed patient safety work product in
violation of the confidentiality
[[Page 8156]]
provisions. A complaint-driven process would provide helpful
information about the handling and disclosure of patient safety work
product and could serve to identify particularly troublesome compliance
problems on an early basis.
The procedures proposed in this section are modeled on those used
for the HIPAA Enforcement Rule. We would require: complaints to be in
writing; complainants to identify the person(s), and describe the acts,
alleged to be out of compliance; and that the complainant file such
complaint within 180 days of when the complainant knew or should have
known that the act complained of occurred, unless this time limit is
waived by the Secretary for good cause shown. We have tried to keep the
requirements for filing complaints as minimal as possible to facilitate
use of this process. The Secretary would also attempt to keep the
identity of complainants confidential, if possible. However, we
recognize that it could be necessary to disclose the identity of a
complainant in order to investigate the substance of the complaint, and
the rules proposed below would permit such disclosures.
For the same reason that the HIPAA Enforcement Rule adopted the
``known or should have known'' standard for filing a complaint, we
require that complaints be filed within 180 days of when the
complainant knew or should have known that the violation complained of
occurred unless this time limit is waived by the Secretary for good
cause shown. We believe that an investigation of a complaint is likely
to be most effective if persons can be interviewed and documents
reviewed as close to the time of the alleged violation as possible.
Requiring that complaints generally be filed within a certain period of
time increases the likelihood that the Secretary will be able to obtain
necessary and reliable information in order to investigate allegations.
Moreover, we are taking this approach in order to encourage
complainants to file complaints as soon as possible. By receiving
complaints in a timely fashion, we can, if such complaints prove valid,
reduce the harm caused by the violation.
In most cases, we expect that the providers, PSOs, responsible
persons, and/or their employees will be aware of disclosures of patient
safety work product. Nevertheless, other persons may become aware of
the wrongful disclosure of patient safety work product as well. For
these reasons, we do not limit who may file a complaint. We will accept
complaints alleging violations from any person.
Once a complaint is received, the Secretary will notify the
provider, PSO, or responsible person(s) against whom the complaint has
been filed (i.e., the respondent), investigate and seek resolution to
any violations based on the circumstances of the violation, in
accordance with the principles for achieving compliance. In enforcing
the confidentiality provisions of the Patient Safety Act, the Secretary
will generally inform the respondent of the nature of any complaints
received against the respondent. The Secretary will also generally
afford the entity an opportunity to share information with the
Secretary that may result in an early resolution.
3. Proposed Sec. 3.308--Compliance Reviews
We are proposing in Sec. 3.308 that the Secretary could conduct
compliance reviews to determine whether a provider, PSO, or responsible
person is in compliance. A compliance review could be based on
information indicating a possible violation of the confidentiality
provisions even though a formal complaint has not been filed. As is the
case with a complaint investigation, a compliance review may examine
the policies, practices or procedures of a respondent and may result in
voluntary compliance or in a finding of a violation or no violation
finding.
We believe the Secretary's ability to conduct compliance reviews
should be flexible and unobstructed by limitations or required links to
ongoing investigations. We do not establish any affirmative criteria
for the conduct of a compliance review. Compliance reviews may be
undertaken without regard to ongoing investigations or prior conduct.
We recognize that cooperating with compliance reviews may create some
burden and expense. However, the Secretary needs to maintain the
flexibility to conduct whatever reviews are necessary to ensure
compliance with the rule.
We note that, at least in the short term, HHS will be taking a
case-based, complaint-driven approach to investigations and
enforcement, rather than focusing resources on compliance reviews
unrelated to any information or allegations of confidentiality
violations.
4. Proposed Sec. 3.310--Responsibilities of Respondents
Proposed Sec. 3.310 establishes certain obligations for
respondents that would be necessary to enable the Secretary to carry
out the statutory role to determine their compliance with the
requirements of the confidentiality provisions. Respondents would be
required to maintain records as proposed in this proposed rule,
participate as required in investigations and compliance reviews, and
provide information to the Secretary upon demand. Respondents would
also be required to disclose patient safety work product to the
Secretary for investigations and compliance activities. We interpret
the enforcement provision at section 922(f) of the Patient Safety Act,
42 U.S.C. 299b-22(f), to allow for such disclosure to the Secretary for
the purpose of enforcing the confidentiality provisions.
Proposed Sec. 3.310(b) would require cooperation by respondents
with investigations as well as compliance reviews.
Proposed Sec. 3.310(c) would provide that the Secretary must be
provided access to a respondent's facilities, books, records, accounts,
and other sources of information, including patient safety work
product. Ordinarily, the Secretary will provide notice requesting
access during normal business hours. However, if exigent circumstances
exist, such as where documents might be hidden or destroyed, the
Secretary may require access at any time and without notice. The
Secretary will consider alternative approaches, such as subpoenas or
search warrants, in seeking information from respondents that are not
providers, PSOs, or a member of their workforce.
5. Proposed Sec. 3.312--Secretarial Action Regarding Complaints and
Compliance Reviews
Proposed Sec. 3.312(a) provides that, if a complaint investigation
or compliance review indicates noncompliance, the Secretary may attempt
to resolve the matter by informal means. If the Secretary determines
that the matter cannot be resolved by informal means, the Secretary
will issue findings to the respondent and, if applicable, the
complainant.
Proposed Sec. 3.312(a)(1) provides that, where noncompliance is
indicated, the Secretary could seek to reach a resolution of the matter
satisfactory to the Secretary by informal means. Informal means would
include demonstrated compliance or a completed corrective action plan
or other agreement. Under this provision, entering into a corrective
action plan or other agreement would not, in and of itself, resolve the
noncompliance; rather, the full performance by the respondent of its
obligations under the corrective action plan or other agreement would
be necessary to resolve the noncompliance.
[[Page 8157]]
Proposed Sec. Sec. 3.312(a)(2) and (3) address what notifications
would be provided by the Secretary where noncompliance is indicated,
based on an investigation or compliance review. Notification under
these paragraphs would not be required where the only contacts made
were with the complainant to determine whether the complaint warrants
investigation. Section 3.312(a)(2) proposes written notice to the
respondent and, if the matter arose from a complaint, the complainant,
where the matter is resolved by informal means. If the matter is not
resolved by informal means, proposed Sec. 3.312(a)(3)(i) would require
the Secretary to so inform the respondent and provide the respondent 30
days in which to raise any mitigating factors the Secretary should
consider in imposing a civil money penalty. Section 3.312(a)(3)(ii)
proposes that, where a matter is not resolved by informal means and the
Secretary decides that imposition of a civil money penalty is warranted
based upon a response from the respondent or expiration of the 30 day
response time limit, the formal finding would be contained in the
notice of proposed determination issued under proposed Sec. 3.420.
Proposed Sec. 3.312(b) provides that, if the Secretary finds,
after an investigation or compliance review, no further action is
warranted, the Secretary will so inform the respondent and, if the
matter arose from a complaint, the complainant. This section does not
apply where no investigation or compliance review has been initiated,
such as where a complaint has been dismissed due to lack of
jurisdiction.
Proposed Sec. 3.312(c) addresses how the Secretary will handle
information obtained during the course of an investigation or
compliance review. Under proposed Sec. 3.312(c)(1), identifiable
patient safety work product obtained by the Secretary in connection
with an investigation or compliance review under this Part remains
subject to the privilege and confidentiality protections and will not
be disclosed except in accordance with proposed Sec. 3.206(d), if
necessary for ascertaining or enforcing compliance with this part, or
as permitted by this Part or the Patient Safety Act. In other words,
the Secretary, as with any other entity or person, would receive
patient safety work product subject to the confidentiality and
privilege requirements and protections. The proposed rule strikes a
balance between these protections and enforcement, providing that the
Secretary would not disclose such patient safety work product, except
as may be necessary to enable the Secretary to ascertain compliance
with this Part, in enforcement proceedings, or as otherwise permitted
by this Part. We note that, pursuant to section 922(g)(3) of the Public
Health Service Act, 42 U.S.C. 299b-22(g)(3), as added by the Patient
Safety Act, the Patient Safety Act does not affect the implementation
of the HIPAA confidentiality regulations (known as the HIPAA Privacy
Rule). Accordingly, we propose that the Secretary may use patient
safety work product obtained in connection with an investigation
hereunder to enforce the HIPAA confidentiality regulations.
Proposed Sec. 3.312(c)(2) provides that, except for patient safety
work product, testimony and other evidence obtained in connection with
an investigation or compliance review may be used by HHS in any of its
activities and may be used or offered into evidence in any
administrative or judicial proceeding. Such information would include
that which is obtained from investigational subpoenas and inquiries
under proposed Sec. 3.314. The Department generally seeks to protect
the privacy of individuals to the fullest extent possible, while
permitting the exchange of records required to fulfill its
administrative and programmatic responsibilities. The Freedom of
Information Act, 5 U.S.C. 552, and the HHS implementing regulation, 45
CFR Part 5, provide substantial protection for records about
individuals where disclosure would constitute an unwarranted invasion
of their personal privacy. Moreover, in enforcing the Patient Safety
Act and its implementing regulations, OCR plans to continue its current
practice of protecting its complaint files from disclosure. These
files, thus, would constitute investigatory records compiled for law
enforcement purposes, one of the exemptions to disclosure under the
Freedom of Information Act. In the case of patient safety work product
that is not otherwise subject to a statutory exception permitting
disclosure, the Patient Safety Act prohibits the disclosure of such
information in response to a Freedom of Information Act request. See
section 922(a)(3) of the Public Health Service Act, 42 U.S.C. 299b-
22(a)(3).
The Secretary continues to be subject to the existing HIPAA
Enforcement Rule with respect to the use and disclosure of protected
health information received by the Secretary in connection with a HIPAA
Privacy Rule investigation or compliance review (see 45 CFR
160.310(c)(3)); these proposed provisions do not modify those
regulations.
6. Proposed Sec. 3.314--Investigational Subpoenas and Inquiries
Proposed Sec. 3.314 provides procedures for the issuance of
subpoenas to require the attendance and testimony of witnesses and the
production of any other evidence, including patient safety work
product, during an investigation or compliance review. We propose to
issue subpoenas in the same manner as 45 CFR 160.314(a)(1)-(5) of the
HIPAA Enforcement Rule, except that the term ``this part'' shall refer
to 42 CFR Part 3. The language modification is necessary to reference
the appropriate authority.
We also propose that the Secretary is permitted to conduct
investigational inquiries in the same manner as the provisions of 45
CFR 160.314(b)(1)-(9) of the HIPAA Enforcement Rule. The referenced
provisions describe the manner in which investigational inquiries will
be conducted.
7. Proposed Sec. 3.402--Basis for a Civil Money Penalty
Under proposed Sec. 3.402, a person who discloses identifiable
patient safety work product in knowing or reckless violation of the
confidentiality provisions shall be subject to a civil money penalty of
not more than $10,000 for each act constituting a violation. See
section 922(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-
22(f)(1).
(A) Proposed Sec. 3.402(a)--General Rule
Proposed Sec. 3.402(a) would allow the Secretary to impose a civil
money penalty on any person which the Secretary determines has
knowingly or recklessly violated the confidentiality provisions. This
provision is based on the language in section 922(f) of the Public
Health Service Act, 42 U.S.C. 299b-22(f), that ``a person who discloses
identifiable patient safety work product in knowing or reckless
violation of subsection (b) shall be subject to a civil money penalty
of not more than $10,000 for each act constituting such violation.''
A civil money penalty may only be imposed if the Secretary first
establishes a wrongful disclosure (i.e., (1) the information disclosed
was identifiable patient safety work product; (2) the information was
disclosed; and (3) the manner of the disclosure does not fit within any
permitted exception). If a wrongful disclosure is established, the
Secretary must then determine whether the person making the disclosure
acted ``knowingly'' or ``recklessly.''
The applicable law on the issue of ``knowing'' provides that
``unless the
[[Page 8158]]
text of the statute dictates a different result, the term `knowingly'
merely requires proof of knowledge of the facts that constitute the
offense [rather than] a culpable state of mind or [] knowledge of the
law.'' Bryan v. United States, 524 U.S. 184 (1998) (emphasis added).
Applying this meaning in the context of the Patient Safety Act, the
Secretary would not need to prove that the person making the disclosure
knew the law (i.e., knew that the disclosed information constituted
identifiable patient safety work product or that such disclosure did
not meet one of the standards for a permissive disclosure in the
Patient Safety Act). Rather, the Secretary would only need to show that
the person knew a disclosure was being made. Although knowledge that
disclosed information is patient safety work product is not required,
circumstances in which a person can show no such knowledge and no
reason to know such knowledge may warrant discretion by the Secretary.
By contrast, as a person's opportunity for knowledge and disregard of
that opportunity increases, the Secretary's compulsion to exercise
discretion not to impose a penalty declines.
Where a ``knowing'' violation cannot be established, the Secretary
can still impose a civil money penalty by showing that the person was
reckless in making the disclosure of identifiable patient safety work
product. A person acts recklessly if they are aware, or a reasonable
person in their situation should be aware, that their conduct creates a
substantial risk of disclosure of information and to disregard such
risk constitutes a gross deviation from reasonable conduct. A
``substantial risk'' represents a significant threshold, more than the
mere possibility of disclosure of patient safety work product. Whether
a risk is ``substantial'' is a fact-specific inquiry. Additionally,
whether a reasonable person in the situation should know of a risk is
based on context. For example, an employee whose job duties regularly
involve working with sensitive patient information may be expected to
know of disclosure risks of which other types of employees may
reasonably be unaware.
Finally, the disregarding of the risk must be a gross deviation
from reasonable conduct. This gross deviation standard is commonly used
to describe reckless conduct. See, e.g., Model Penal Code Sec.
2A1.4(2006), definition of ``reckless'' for purposes of involuntary
manslaughter; Black's Law Dictionary (8th ed., 2004). This does not
mean that the conduct itself must be a gross deviation from reasonable
conduct. Rather, the standard is whether the disregarding of the risk
was a gross deviation (i.e., whether a reasonable person who is aware
of the substantial risk of making an impermissible disclosure would
find going forward despite the risk to be grossly unreasonable). Thus,
disclosures that violate this Part and occur because an individual
acted despite knowing of, or having reason to know of, a grossly
unreasonable risk of disclosure are punishable by civil money penalty,
regardless of whether such conduct may otherwise be widespread in the
industry.
An example of a reckless disclosure of identifiable patient safety
work product would be leaving a laptop unattended in a public area and
accessible to unauthorized persons with identifiable patient safety
work product displayed on the laptop screen. Such a situation would be
reckless because it would create a substantial risk of disclosure of
the information displayed on the laptop screen. If a person did not
remove the identifiable patient safety work product from the laptop
screen or take other measures to prevent the public view of the laptop
screen, then leaving the laptop unattended would be a disregard for the
substantial risk of disclosure that would be a gross deviation from
reasonable conduct. Under these circumstances, the person leaving the
laptop unattended could be liable for a civil money penalty.
The use of the term ``shall be subject to'' in section 922(f) of
the Public Health Service Act, 42 U.S.C. 299b-22(f), conveys authority
to the Secretary to exercise discretion as to whether to impose a
penalty for a knowing or reckless violation of the confidentiality
provisions. Based on the nature and circumstances of a violation and
whether such violation was done in a knowing or reckless manner, the
Secretary may impose a civil money penalty, require a corrective action
plan, or seek voluntary compliance with these regulations.
Even in cases that constitute violations of the confidentiality
provisions, the Secretary may exercise discretion. For example, in a
situation where a provider makes a good faith attempt to assert the
patient safety work product privilege, but is nevertheless ordered by a
court to make a disclosure, and the provider does so, the Secretary
could elect not to impose a civil money penalty. Thus, for example, it
is not the Secretary's intention to impose a civil money penalty on a
provider ordered by a court to produce patient safety work product
where the provider has deliberately and in good faith undertaken
reasonable steps to avoid such production and is, nevertheless, faced
with compelled production or being held in contempt of court.
Similarly, an individual may innocently come into possession of
information, unaware of the fact that the information is patient safety
work product, and may innocently share the information in a manner not
permitted by the confidentiality provisions. In such circumstances, the
Secretary would look at the facts and circumstances of the case and
could elect not to impose a penalty. Relevant facts and circumstances
might include the individual's relationship with the source of the
information (e.g., whether the information originated with a health
care provider or a patient safety organization for which the individual
was employed); whether, and the extent to which, the individual had a
basis to know the information was patient safety work product or to
know that the information was confidential; to whom the information was
disclosed; and the intent of the individual in making the disclosure.
(B) Proposed Sec. 3.402(b)--Violations Attributed to a Principal
The proposed rule includes a provision, at proposed Sec. 3.402(b),
that addresses the liability of a principal for a violation by a
principal's agent. Proposed Sec. 3.402(b) adopts the principle that
the federal common law of agency applies when addressing the liability
of a principal for the acts of his or her agent. Under this principle,
a provider, PSO or responsible person generally can be held liable for
a violation based on the actions of any agent, including an employee or
other workforce member, acting within the scope of the agency or
employment. This liability is separate from the underlying liability
attributable to the agent and could result in a separate and exclusive
civil money penalty. In other words, a principal may be liable for a
$10,000 civil money penalty and an agent may be liable for a separate
$10,000 civil money penalty arising from the same act that is a
violation.
Section 922(f)(2) of the Public Health Service Act, 42 U.S.C. 299b-
22(f)(2), provides that ``the provisions of section 1128A * * * shall
apply to civil money penalties under this subsection [of the Patient
Safety Act] in the same manner as such provisions apply to a penalty or
proceeding under section 1128A.'' Section 1128A(l) of the Social
Security Act, 42 U.S.C. 1320a-7a(l), establishes that ``a principal is
liable for penalties * * * under this section for the actions of the
principal's agents acting within the scope of the agency.'' This is
similar
[[Page 8159]]
to the traditional rule of agency in which principals are vicariously
liable for the acts of their agents acting within the scope of their
authority. See Meyer v. Holley, 537 U.S. 280 (2003). Therefore, a
provider, PSO or responsible person generally will be responsible for
the actions of its workforce members within the scope of agency, such
as where an employee discloses confidential patient safety work product
in violation of the confidentiality provisions during the course of his
or her employment.
The determination of whether or not a principal is responsible for
a violation would be based on two fact-dependent determinations. First,
the Secretary must find that a principal-agent relationship exists
between the person doing the violative act and the principal. If a
principal-agent relationship is established, then a second
determination, whether the act in violation of the confidentiality
provisions was within the scope of the agency, must be made. The
determination as to whether an agent's conduct is outside the scope of
the agency will be dependent upon the application of the federal common
law of agency to the facts.
The purpose of applying the federal common law of agency to
determine when a provider, PSO, or responsible person is vicariously
liable for the acts of its agents is to achieve nationwide uniformity
in the implementation of the confidentiality provisions and nationwide
consistency in the enforcement of these rules by OCR. Reliance on State
law could introduce inconsistency in the implementation of the patient
safety work product confidentiality provisions by persons or entities
in different States.
Federal Common Law of Agency
A principal's liability for the actions of its agents is generally
governed by State law. However, the U.S. Supreme Court has provided
that the federal common law of agency may be applied where there is a
strong governmental interest in nationwide uniformity and a predictable
standard, and when the federal rule in question is interpreting a
federal statute. Burlington Indus. v. Ellerth, 524 U.S. 742 (1998).
The confidentiality and enforcement provisions of this regulation
interpret a federal statute, the Patient Safety Act. Under the Patient
Safety Act, there is a strong interest in nationwide uniformity in the
confidentiality provisions and how those provisions are enforced. The
fundamental goal of the Patient Safety Act is to promote the
examination and correction of patient safety events in order to improve
patient safety and create a culture of patient safety in the health
care system. Therefore, it is essential for the Secretary to apply one
consistent body of law regardless of where an agent is employed, an
alleged violation occurred, or an action is brought. The same
considerations support a strong federal interest in the predictable
operation of the confidentiality provisions, to ensure that persons
using patient safety work product can do so consistently so as to
facilitate the appropriate exchange of information. Thus, the tests for
application of the federal common law of agency are met.
Where the federal common law of agency applies, the courts often
look to the Restatement (Second) of Agency (1958) (Restatement) as a
basis for explaining the common law's application. While the
determination of whether an agent is acting within the scope of its
authority must be decided on a case-by-case basis, the Restatement
provides guidelines for this determination. Section 229 of the
Restatement provides:
(1) To be within the scope of the employment, conduct must be of
the same general nature as that authorized, or incidental to the
conduct authorized.
(2) In determining whether or not the conduct, although not
authorized, is nevertheless so similar to or incidental to the conduct
authorized as to be within the scope of employment, the following
matters of fact are to be considered;
(a) Whether or not the act is one commonly done by such servants;
(b) The time, place and purpose of the act;
(c) The previous relations between the master and the servant;
(d) The extent to which the business of the master is apportioned
between different servants;
(e) Whether or not the act is outside the enterprise of the master
or, if within the enterprise, has not been entrusted to any servant;
(f) Whether or not the master has reason to expect that such an act
will be done;
(g) The similarity in quality of the act done to the act
authorized;
(h) Whether or not the instrumentality by which the harm is done
has been furnished by the master to the servant;
(i) The extent of departure from the normal method of accomplishing
an authorized result; and
(j) Whether or not the act is seriously criminal.
In some cases, under federal agency law, a principal may be liable
for an agent's acts even if the agent acts outside the scope of its
authority. Restatement (Second) of Agency section 219 (1958). However,
proposed Sec. 3.402(b) would follow section 1128A(l) of the Social
Security Act, 42 U.S.C. 1320a-7a(l), which limits liability for the
actions of an agent to those actions that are within the scope of the
agency.
Agents
Various categories of persons may be agents of a provider, PSO, or
responsible person. These persons include workforce members. We propose
a slightly expanded definition of ``workforce'' from the term defined
in the HIPAA Privacy Rule. The proposed definition of ``workforce''
includes employees, volunteers, trainees, contractors, and other
persons whose conduct, in the performance of work for a provider, PSO
or responsible person, is under the direct control of such principal,
whether or not they are paid by the principal. Because of the ``direct
control'' language of the proposed rule, we believe that all workforce
members, including those who are not employees, are agents of a
principal. Under the proposed rule, a principal could be liable for a
violation based on an act that is a violation by any workforce member
acting within the scope of employment or agency. The determinative
issue is whether a person is sufficiently under the control of a person
or entity and acting within the scope of the agency. Proposed Sec.
3.402(b) creates a presumption that a workforce member is an agent of
an employer.
8. Proposed Sec. 3.404--Amount of Civil Money Penalty
Proposed Sec. 3.404, the amount of the civil money penalty, is
determined in accordance with section 922(f) of the Public Health
Service Act, 42 U.S.C. 299b-22(f), and the provisions of this Part.
Section 922(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-
22(f)(1), establishes a maximum penalty amount for violations of ``not
more than $10,000'' per person for each violation. The statutory cap is
reflected in proposed Sec. 3.404(b).
The statute establishes only maximum penalty amounts, so the
Secretary has the discretion to impose penalties that are less than the
statutory maximum. This proposed regulation would not establish minimum
penalties. Under proposed Sec. 3.404(a), the penalty amount would be
determined using the factors set forth in proposed Sec. 3.408, subject
to the statutory maximum reflected in proposed Sec. 3.404(b).
As stated in the discussion under proposed Sec. 3.402(b), a
principal can be
[[Page 8160]]
held liable for the acts of its agent acting within the scope of the
agency. Read together, with proposed Sec. 3.404(b), if a principal and
an agent are determined to be liable for a single act that is a
violation, the Secretary may impose a penalty of up to $10,000 against
each separately. That is, the $10,000 limit applies to each person
separately, not the act that was a violation. Thus, in the circumstance
where an agent and a principal are determined to have violated the
confidentiality provisions, the Secretary may impose a civil money
penalty of up to $10,000 against the agent and a civil money penalty of
up to $10,000 against the principal, for a total of $20,000 for a
single act that is a violation.
9. Proposed Sec. 3.408--Factors Considered in Determining the Amount
of a Civil Money Penalty
Section 1128A(d) of the Social Security Act, 42 U.S.C. 1320a-7a(d),
made applicable to the imposition of civil money penalties by section
922(f)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(2),
requires that, in determining the amount of ``any penalty,'' the
Secretary shall take into account: (1) The nature of the claims and the
circumstances under which they were presented, (2) the degree of
culpability, history of prior offenses, and financial condition of the
person presenting the claims, and (3) such other matters as justice may
require. This language establishes factors to be considered in
determining the amount of a civil money penalty.
This approach is taken in other regulations that cross-reference
section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, which
rely on these factors for purposes of determining civil money penalty
amounts. See, for example, 45 CFR 160.408. The factors listed in
section 1128A(d) of the Social Security Act, 42 U.S.C. 1320a-7a(d),
were drafted to apply to violations involving claims for payment under
federally funded health programs. Because Patient Safety Act violations
will not be about specific claims, we propose to tailor the section
1128A(d) factors to violations of the confidentiality provisions and
further particularize the statutory factors by providing discrete
criteria, as done in the HIPAA Enforcement Rule and the OIG regulations
that implement section 1128A of the Social Security Act, 42 U.S.C.
1320a-7a. Consistent with these other regulations, and to provide more
guidance to providers, PSOs, and responsible persons as to the factors
that would be used in calculating civil money penalties, we propose the
following detailed factors:
(1) The nature of the violation.
(2) The circumstances and consequences of the violation, including
the time period during which the violation occurred; and whether the
violation caused physical or financial harm or reputational damage.
(3) The degree of culpability of the respondent, including whether
the violation was intentional, and whether the violation was beyond the
direct control of the respondent.
(4) Any history of prior compliance with the confidentiality
provisions, including violations, by the respondent, and whether the
current violation is the same as or similar to prior violation(s),
whether and to what extent the respondent has attempted to correct
previous violations, how the respondent has responded to technical
assistance from the Secretary provided in the context of a compliance
effort, and how the respondent has responded to prior complaints.
(5) The financial condition of the respondent, including whether
the respondent had financial difficulties that affected its ability to
comply, whether the imposition of a civil money penalty would
jeopardize the ability of the respondent to continue to provide health
care or patient safety activities, and the size of the respondent.
(6) Such other matters as justice may require.
For further discussion of these factors, please see the preambles
to the Interim Final Rule and the Final Rule for the HIPAA Enforcement
Rule at 70 FR 20235-36, Apr. 18, 2005, and 71 FR 8407-09, Feb. 16,
2006. Meeting certain conditions, such as financial condition, is a
fact-specific determination based upon the individual circumstances of
the situation presented.
We seek comments regarding whether the above list of factors should
be expanded to expressly include a factor for persons who self-report
disclosures that may potentially violate the confidentiality provisions
such that voluntary self-reporting would be a mitigating consideration
when assessing a civil money penalty. Voluntary self-reporting may
encourage persons to report breaches of confidentiality, particularly
breaches that may otherwise go unnoticed, and to demonstrate the
security practices that led to the discovery of the breach and how the
breach has been remedied. However, including self-reporting as a factor
may be viewed incorrectly as an additional reporting obligation to
report every potentially impermissible disclosure, thereby,
unnecessarily increasing administrative burdens on the Department and
the individuals or entities making the self-reporting, or it may
interfere with obligations to identified persons, particularly when a
negotiated, contractual relationship between a provider and a PSO
exists that addresses how the parties are to deal with breaches.
Respondents are responsible for raising any issues that pertain to
any of the factors to the Secretary within 30 days after receiving
notice from the Secretary that informal resolution attempts have not
resolved the issue in accordance with proposed Sec. 3.312(a)(3)(i).
The Secretary is under no obligation to affirmatively raise any
mitigating factor if a respondent fails to identify the issue. See
proposed Sec. 3.504(p).
In many regulations that implement section 1128A of the Social
Security Act, 42 U.S.C. 1320a-7a, the statutory factors and/or the
discrete criteria are designated as either aggravating or mitigating.
For example, at 42 CFR 1003.106(b)(3) of the OIG regulations, ``history
of prior offenses'' is listed as an aggravating factor and is
applicable as a factor to a narrow range of prohibited conduct.
However, because proposed Sec. 3.408 will apply to a variety of
persons and circumstances, we propose that factors may be aggravating
or mitigating, depending on the context. For example, the factor ``time
period during which the violation(s) occurred'' could be an aggravating
factor if the respondent's violation went undetected for a long period
of time or undetected actions resulted in multiple violations, but
could be a mitigating factor if a violation was detected and corrected
quickly. This approach is consistent with other regulations
implementing section 1128A of the Social Security Act, 42 U.S.C. 1320a-
7a. See, for example, 45 CFR 160.408.
We propose to leave to the Secretary's discretion the decision
regarding when aggravating and mitigating factors will be taken into
account in determining the amount of a civil money penalty. The facts
of each violation will drive the determination of whether a particular
factor is aggravating or mitigating.
10. Proposed Sec. 3.414--Limitations
Proposed Sec. 3.414 sets forth the 6-year limitations period on
initiating an action for imposition of a civil money penalty provided
for by section 1128A(c)(1) of the Social Security Act, 42 U.S.C. 1320a-
7a(c)(1). We propose the date of the occurrence of the violation be the
date from which the limitation period begins.
[[Page 8161]]
11. Proposed Sec. 3.416--Authority to Settle
Proposed Sec. 3.416 states the authority of the Secretary to
settle any issue or case or to compromise any penalty during the
process addressed in this Part, including cases that are in hearing.
The first sentence of section 1128A(f) of the Social Security Act, 42
U.S.C. 1320a-7a(f), made applicable by section 922(f)(2) of the Public
Health Service Act, 42 U.S.C. 299b-22(f)(2), states, in part, ``civil
money penalties * * * imposed under this section may be compromised by
the Secretary.'' This authority to settle is the same as that set forth
in 45 CFR 160.416 of the HIPAA Enforcement Rule.
12. Proposed Sec. 3.418--Exclusivity of Penalty
Proposed Sec. 3.418 makes clear that, except as noted below,
penalties imposed under this Part are not intended to be exclusive
where a violation under this Part may also be a violation of, and
subject the respondent to, penalties under another federal or State
law. This provision is modeled on 42 CFR 1003.108 of the OIG
regulations.
Proposed Sec. 3.418(b) repeats the statutory prohibition against
imposing a penalty under both the Patient Safety Act and under HIPAA
for a single act or omission that constitutes a violation of both the
Patient Safety Act and HIPAA. Congress recognized that there could be
overlap between the confidentiality provisions and the HIPAA Privacy
Rule. Because identifiable patient safety work product includes
individually identifiable health information as defined under the HIPAA
Privacy Rule, HIPAA covered entities could be liable for violations of
the HIPAA Privacy Rule based upon a single disclosure of identifiable
patient safety work product. We tentatively interpret the Patient
Safety Act as only prohibiting the imposition of a civil money penalty
under the Patient Safety Act when there have been civil, as opposed to
criminal, penalties imposed on the respondent under the HIPAA Privacy
Rule for the same single act or omission. In other words, a person
could have a civil money penalty imposed against him under the Patient
Safety Act as well as a criminal penalty under HIPAA for the same act
or omission. However, an act that amounts to a civil violation of both
the confidentiality provisions and the HIPAA Privacy Rule would be
enforceable under either authority, but not both.
The decision regarding which statute applies to a particular
situation will be made based upon the facts of individual situations.
HIPAA covered entities that seek to disclose confidential patient
safety work product that contains protected health information must
know when such disclosure is permissible under both statutes.
13. Proposed Sec. 3.420--Notice of Proposed Determination
Proposed Sec. 3.420 sets forth the requirements for the notice to
a respondent sent when the Secretary proposes a penalty under this
Part. This notice implements the requirement for notice contained in
section 1128A(c)(1) of the Social Security Act, 42 U.S.C. 1320a-
7a(c)(1). These requirements are substantially the same as those in the
HIPAA Enforcement Rule at 45 CFR 160.420, except for the removal of
provisions related to statistical sampling.
The notice provided for in this section must be given whenever a
civil money penalty is proposed. The proposed requirements of this
section serve to inform any person under investigation of the basis for
the Secretary's proposed civil money penalty determination. These
requirements include the statutory basis for a penalty, a description
of the findings of fact regarding the violation, the reasons the
violation causes liability, the amount of the proposed penalty, factors
considered under proposed Sec. 3.408 in determining the amount of the
penalty, and instructions for responding to the notice, including the
right to a hearing.
At this point in the process, the Secretary may also send a notice
of proposed determination to a principal based upon liability for a
violation under proposed Sec. 3.402(b).
14. Proposed Sec. 3.422--Failure To Request a Hearing
Under proposed Sec. 3.422, when a respondent does not timely
request a hearing on a proposed civil money penalty, the Secretary may
impose the civil money penalty or any less severe civil money penalty
permitted by section 1128A(d)(5) of the Social Security Act, 42 U.S.C.
1320a-7a(d)(5). Once the time has expired for the respondent to file
for an appeal, the Secretary will decide whether to impose the civil
money penalty and provide notice to the respondent of the civil money
penalty. If the Secretary does pursue a civil money penalty, the civil
money penalty is final, and the respondent has no right to appeal a
civil money penalty imposed under these circumstances. This section is
similar to 45 CFR 160.422 of the HIPAA Enforcement Rule.
For purposes of determining when subsequent actions may commence,
such as collection of an imposed civil money penalty, we propose that
the penalty be final upon receipt of a penalty notice sent by certified
mail return receipt requested.
15. Proposed Sec. 3.424--Collection of Penalty
Proposed Sec. 3.424 provides that once a determination to impose a
civil money penalty has become final, the civil money penalty must be
collected by the Secretary, unless compromised, and prescribes the
methods for collection. We propose that civil money penalties be
collected as set forth under the HIPAA Enforcement Rule at 45 CFR
160.424, except that the term ``this part'' shall refer to 42 CFR Part
3. The modification is made for the provision to refer to the
appropriate authority.
16. Proposed Sec. 3.426--Notification of the Public and Other Agencies
Proposed Sec. 3.426 would implement section 1128A(h) of the Social
Security Act, 42 U.S.C. 1320a-7a(h). When a civil money penalty
proposed by the Secretary becomes final, section 1128A(h) of the Social
Security Act, 42 U.S.C. 1320a-7a(h), directs the Secretary to notify
appropriate State or local agencies, organizations, and associations
and to provide the reasons for the civil money penalty. We propose to
add the public generally as a group that may receive notice, in order
to make the information available to anyone who must make decisions
with respect to persons that have had a civil money penalty imposed for
violation of the confidentiality provisions. For instance, knowledge of
the imposition of a civil money penalty for violation of the Patient
Safety Act could be important to hospitals, other health care
organizations, health care consumers, as well as to current and future
business partners throughout the industry.
The basis for this public notice portion lies in the Freedom of
Information Act, 5 U.S.C. 552. The Freedom of Information Act requires
final opinions and orders made in adjudication cases to be made
available for public inspection and copying. See 5 U.S.C. 552(a)(2)(A).
While it is true that section 1128A(h) of the Social Security Act, 42
U.S.C. 1320a-7a(h), does not require that such notice be given to the
public, neither does it prohibit such wider dissemination of that
information, and nothing in section 1128A(h) of the Social Security
Act, 42 U.S.C. 1320a-7a(h), suggests that it modifies the Secretary's
obligations under the Freedom of Information Act.
[[Page 8162]]
The Freedom of Information Act requires making final orders or opinions
available for public inspection and copying by ``computer
telecommunication * * * or other electronic means,'' which would
encompass a display on the Department's Web site. See 5 U.S.C.
552(a)(2).
A civil money penalty is considered to be final, for purposes of
notification, when it is a final agency action (i.e., the time for
administrative appeal has run or the adverse administrative finding has
otherwise become final). The final opinion or order that is subject to
the notification provisions of this section is the notice of proposed
determination, if a request for hearing is not timely filed, the
decision of the ALJ, if that is not appealed, or the final decision of
the Board.
Currently final decisions of the ALJs and the Board are made public
via the Board's Web site. See http://www.hhs.gov/dab/search.html. Such
postings, however, would not include penalties that become final
because a request for hearing was not filed under proposed Sec.
3.504(a). Under proposed Sec. 3.426, notices of proposed determination
under proposed Sec. 3.420 that become final because a hearing has not
been timely requested, would also be made available for public
inspection and copying as final orders, with appropriate redaction of
any patient safety work product or other confidential information, via
OCR's Web site. See the OCR patient safety Web site at http://www.hhs.gov/ocr/PSQIA. By making the entire final opinion or order
available to the public, the facts underlying the penalty determination
and the law applied to those facts will be apparent. Given that
information, the public may discern the nature and extent of the
violation as well as the basis for imposition of the civil money
penalty.
The regulatory language would provide for notification in such
manner as the Secretary deems appropriate. Posting to a Department Web
site and/or the periodic publication of a notice in the Federal
Register are among the methods which the Secretary is considering using
for the efficient dissemination of such information. These methods
would avoid the need for the Secretary to determine which entities,
among a potentially large universe, should be notified and would also
permit the general public served by providers, PSOs, and responsible
persons upon whom civil money penalties have been imposed--as well as
their business partners--to be apprised of this fact, where that
information is of interest to them. While the Secretary could provide
notice to individual agencies where desired, the Secretary could, at
his option, use a single public method of notice, such as posting to a
Department Web site, to satisfy the obligation to notify the specified
agencies and the public.
17. Proposed Sec. 3.504--Procedures for Hearings
Proposed Sec. 3.504 is a compilation of procedures related to
administrative hearings on civil money penalties imposed by the
Secretary. The proposed section sets forth the authority of the ALJ,
the rights and burdens of proof of the parties, requirements for the
exchange of information and pre-hearing, hearing, and post-hearing
processes. These individual sections are described in greater detail
below.
This proposed section cross-references the HIPAA Enforcement Rule
extensively due to the similar nature of the enforcement and appeal
procedures, the nature of the issues and substance presented, and the
parties most affected by these proposed regulations. We intend that the
provisions of the HIPAA Enforcement Rule will be applied to the
imposition of civil money penalties under this Subpart in the same
manner as they are applied to violations of the HIPAA administrative
simplification provisions, subject to any modifications set forth in
proposed Sec. 3.504. We believe the best and most efficient manner of
achieving this result is through explicitly referencing and adopting
the relevant provisions of the HIPAA Enforcement Rule. Where
modifications are necessary to address the differences between the
appeals of determinations under the HIPAA Enforcement Rule and the
Patient Safety Act, we have made specific exceptions that we discuss
below.
We note that the recently published Notice of Proposed Rulemaking
entitled ``Revisions to Procedures for the Departmental Appeals Board
and Other Departmental Hearings'' (see 72 FR 73708 (December 28, 2007))
proposes to modify the HIPAA Enforcement Rule, which we reference
extensively in this proposed rule. Our intent for the patient safety
regulations would be to maintain the alignment between the patient
safety enforcement process and the HIPAA Enforcement Rule, as stated
previously. Should the amendments to the HIPAA Enforcement Rule become
final based on that Notice of Proposed Rulemaking, our intent would be
to incorporate those changes in any final rulemaking here. That Notice
of Proposed Rulemaking proposes to amend 45 CFR 160.508(c) and 45 CFR
160.548, and to add a new provision, 45 CFR 160.554, providing that the
Secretary may review all ALJ decisions that the Board has declined to
review and all Board decisions for error in applying statutes,
regulations or interpretive policy.
18. Proposed Sec. 3.504(a)--Hearings Before an ALJ
Proposed Sec. 3.504(a) provides the time and manner in which a
hearing must be requested, or dismissed when not timely requested. This
proposed section applies the same regulations as the HIPAA Enforcement
Rule cited at 45 CFR 160.504(a)-(d), except that the language in
paragraph (c) of 45 CFR 160.504 following and including ``except that''
does not apply. The excluded provision refers to the ability of
respondents to raise an affirmative defense under 45 CFR 160.410(b)(1)
for which we have not adopted a comparable provision because the
provision implements a statutory defense unique to HIPAA.
19. Proposed Sec. 3.504(b)--Rights of the Parties
Proposed Sec. 3.504(b) provides that the rights of the parties not
specifically provided elsewhere in this Part shall be the same as those
provided in 45 CFR 160.506 of the HIPAA Enforcement Rule.
20. Proposed Sec. 3.504(c)--Authority of the ALJ
Proposed Sec. 3.504(c) provides that the general guidelines and
authority of the ALJ shall be the same as provided in the HIPAA
Enforcement Rule at 45 CFR 160.508(a)-(c)(4). We exclude the provision
at 45 CFR 160.508(c)(5) because there is no requirement under the
Patient Safety Act for remedied violations based on reasonable cause to
be insulated from liability for a civil money penalty.
21. Proposed Sec. 3.504(d)--Ex parte Contacts
Proposed Sec. 3.504(d) is designed to ensure the fairness of the
hearing by prohibiting ex-parte contacts with the ALJ on matters at
issue. We propose to incorporate the same restrictions as provided for
in the HIPAA Enforcement Rule at 45 CFR 160.510.
22. Proposed Sec. 3.504(e)--Prehearing Conferences
Proposed Sec. 3.504(e) adopts the same provisions as govern
prehearing conferences in the HIPAA Enforcement Rule at 45 CFR 160.512,
except that the term ``identifiable patient safety work product'' is
substituted for ``individually identifiable health
[[Page 8163]]
information.'' Under this proposed provision, the ALJ is required to
schedule at least one prehearing conference, in order to narrow the
issues to be addressed at the hearing and, thus, expedite the formal
hearing process, and to prescribe a timeframe for prehearings.
23. Proposed Sec. 3.504(f)--Authority To Settle
Proposed Sec. 3.504(f) adopts 45 CFR 160.514 of the HIPAA
Enforcement Rule. This proposal provides that the Secretary has
exclusive authority to settle any issue or case at any time and need
not obtain the consent of the ALJ.
24. Proposed Sec. 3.504(g)--Discovery
We propose in Sec. 3.504(g) to adopt the discovery procedures as
provided for in the HIPAA Enforcement Rule at 45 CFR 160.516. These
provisions allow limited discovery in the form of the production for
inspection and copying of documents that are relevant and material to
the issues before the ALJ. These provisions do not authorize other
forms of discovery, such as depositions and interrogatories.
Although the adoption of 45 CFR 160.516 would permit parties to
raise claims of privilege and permit an ALJ to deny a motion to compel
privileged information, a respondent could not claim privilege, and an
ALJ could not deny a motion to compel, if the Secretary seeks patient
safety work product relevant to the alleged confidentiality violation
because the patient safety work product would not be privileged under
proposed Sec. 3.204(c).
Under this proposal, a respondent concerned with potential public
access to patient safety work product may raise the issue before the
ALJ and seek a protective order. The ALJ may, for good cause shown,
order appropriate redactions made to the record after hearing. See
proposed Sec. 3.504(s).
25. Proposed Sec. 3.504(h)--Exchange of Witness Lists, Witness
Statements, and Exhibits
Proposed Sec. 3.504(h) provides for the prehearing exchange of
certain documents, including witness lists, copies of prior statements
of witnesses, and copies of hearing exhibits. We propose that the
requirements set forth in 45 CFR 160.518 of the HIPAA Enforcement Rule
shall apply, except that the language in paragraph (a) of 45 CFR
160.518 following and including ``except that'' shall not apply. We
exclude the provisions relating to the provision of a statistical
expert's report not less than 30 days before a scheduled hearing
because we do not propose language permitting the use of statistical
sampling to estimate the number of violations.
26. Proposed Sec. 3.504(i)--Subpoenas for Attendance at Hearing
Proposed Sec. 3.504(i) provides procedures for the ALJ to issue
subpoenas for witnesses to appear at a hearing and for parties and
prospective witnesses to contest such subpoenas. We propose to adopt
the same regulations as provided at 45 CFR 160.520 of the HIPAA
Enforcement Rule.
27. Proposed Sec. 3.504(j)--Fees
Proposed Sec. 3.504(j) provides for the payment of witness fees by
the party requesting a subpoena. We propose that the fees requirements
be the same as those provided in 45 CFR 160.522 of the HIPAA
Enforcement Rule.
28. Proposed Sec. 3.504(k)--Form, Filing and Service of Papers
Proposed Sec. 3.504(k) provides requirements for documents filed
with the ALJ. We propose to adopt the requirements of 45 CFR 160.524 of
the HIPAA Enforcement Rule.
29. Proposed Sec. 3.504(l)--Computation of Time
Proposed Sec. 3.504(l) provides the method for computing time
periods under this Part. We propose to adopt the requirements of 45 CFR
160.526 of the HIPAA Enforcement Rule, except the term ``this subpart''
shall refer to 42 CFR Part 3, Subpart D and the citation ``Sec.
3.504(a) of 42 CFR Part 3'' shall be substituted for the citation
``Sec. 160.504.''
30. Proposed Sec. 3.504(m)--Motions
Proposed Sec. 3.504(m) provides requirements for the content of
motions and the time allowed for responses. We propose to adopt the
requirements of 45 CFR 160.528 of the HIPAA Enforcement Rule.
31. Proposed Sec. 3.504(n)--Sanctions
Proposed Sec. 3.504(n) provides the sanctions an ALJ may impose on
parties and their representatives for failing to comply with an order
or procedure, failing to defend an action, or other misconduct. We
propose to adopt the provisions of 45 CFR 160.530 of the HIPAA
Enforcement Rule.
32. Proposed Sec. 3.504(o)--Collateral Estoppel
Proposed Sec. 3.504(o) would adopt the doctrine of collateral
estoppel with respect to a final decision of an administrative agency.
Collateral estoppel means that determinations made with respect to
issues litigated and determined in a proceeding between two parties
will bind the respective parties in later disputes concerning the same
issues and parties. We propose to adopt the provisions of 45 CFR
160.532 of the HIPAA Enforcement Rule, except that the term ``a
confidentiality provision'' shall be substituted for the term ``an
administrative simplification provision''.
33. Proposed Sec. 3.504(p)--The Hearing
Proposed Sec. 3.504(p) provides for a public hearing on the
record, the burden of proof at the hearing and the admission of
rebuttal evidence. We propose to adopt the provisions of 45 CFR 160.534
of the HIPAA Enforcement Rule, except the following text shall be
substituted for Sec. 160.534(b)(1): ``The respondent has the burden of
going forward and the burden of persuasion with respect to any
challenge to the amount of a proposed penalty pursuant to Sec. Sec.
3.404-3.408 of 42 CFR Part 3, including any factors raised as
mitigating factors.'' We propose to adopt this new language for Sec.
160.534(b)(1) because references to affirmative defenses in the
excluded text are not applicable in the context of the Patient Safety
Act as such defenses are under the HIPAA Enforcement Rule; nor does the
Patient Safety Act include provisions for the waiver or reduction of a
civil money penalty in accordance with 45 CFR 160.412.
45 CFR 160.534(c) states that the hearing must be open to the
public unless otherwise ordered by the ALJ for good cause shown. In
proposed Sec. 3.504(p) of this Subpart, we propose that good cause
shown under 45 CFR 160.534(c) may be that identifiable patient safety
work product has been introduced into evidence or is expected to be
introduced into evidence. Protecting patient safety work product is
important and is an issue about which all parties and the ALJ should be
concerned.
34. Proposed Sec. 3.504(q)--Witnesses
Under proposed Sec. 3.504(q), the ALJ may allow oral testimony to
be admitted or provided in the form of a written statement or
deposition so long as the opposing party has a sufficient opportunity
to subpoena the person whose statement is being offered. We propose to
adopt the provisions of 45 CFR 160.538 of the HIPAA Enforcement Rule,
except that the citation ``Sec. 3.504(h) of 42 CFR Part 3'' shall be
substituted for the citation ``Sec. 160.518.''
[[Page 8164]]
35. Proposed Sec. 3.504(r)--Evidence
Proposed Sec. 3.504(r) would provide guidelines for the acceptance
of evidence in hearings. We propose to adopt the provisions of 45 CFR
160.540 of the HIPAA Enforcement Rule, except that the citation ``Sec.
3.420 of 42 CFR Part 3'' shall be substituted for the citation ``Sec.
160.420 of this part''.
In the same manner as the exception to privilege for enforcement
activities under Sec. 3.204(c) applies to proposed Sec. 3.504(g), the
exception to privilege applies under proposed Sec. 3.504(r) as well.
Although the adoption of 45 CFR 160.540(e) would permit parties to
raise claims of privilege and permit an ALJ to exclude from evidence
privileged information, a respondent could not claim privilege and an
ALJ could not exclude identifiable patient safety work product if the
Secretary seeks to introduce that patient safety work product because
disclosure of the patient safety work product would not be a violation
of the privilege and confidentiality provisions under proposed Sec.
3.204(c).
36. Proposed Sec. 3.504(s)--The Record
Proposed Sec. 3.504(s) provides for recording and transcription of
the hearing, and for the record to be available for inspection and
copying by any person. We propose to adopt the provisions at 45 CFR
160.542 of the HIPAA Enforcement Rule. We also propose to provide that
good cause for making appropriate redactions includes the presence of
identifiable patient safety work product in the record.
37. Proposed Sec. 3.504(t)--Post-Hearing Briefs
Proposed Sec. 3.504(t) provides that the ALJ has the discretion to
order post-hearing briefs, although the parties may file post-hearing
briefs in any event if they desire. We propose to adopt the provisions
of 45 CFR 160.544 of the HIPAA Enforcement Rule.
38. Proposed Sec. 3.504(u)--ALJ's Decision
Proposed Sec. 3.504(u) provides that not later than 60 days after
the filing of post-hearing briefs, the ALJ shall serve on the parties a
decision making specific findings of fact and conclusions of law. The
ALJ's decision is the final decision of the Secretary, and will be
final and binding on the parties 60 days from the date of service of
the ALJ decision, unless it is timely appealed by either party. We
propose to adopt the provisions of 45 CFR 160.546 of the HIPAA
Enforcement Rule, except the citation ``Sec. 3.504(v) of 42 CFR Part
3'' shall be substituted for ``Sec. 160.548.''
39. Proposed Sec. 3.504(v)--Appeal of the ALJ's Decision
Proposed Sec. 3.504(v) provides for manner and time for review of
an ALJ's decision regarding penalties imposed under this Part and
subsequent judicial review. We propose to adopt the same provisions as
45 CFR 160.548 of the HIPAA Enforcement Rule, except the following
language in paragraph (e) of 45 CFR 160.548 shall not apply: ``Except
for an affirmative defense under Sec. 160.410(b)(1) of this part.'' We
exclude this language because the Patient Safety Act does not provide
for affirmative defenses in the same manner as HIPAA.
40. Proposed Sec. 3.504(w)--Stay of the Secretary's Decision
Proposed Sec. 3.504(w) provides that a respondent may request a
stay of the effective date of a penalty pending judicial review. We
propose to adopt the provisions of 45 CFR 160.550 of the HIPAA
Enforcement Rule to govern this process.
41. Proposed Sec. 3.504(x)--Harmless Error
Proposed Sec. 3.504(x) adopts the ``harmless error'' standard as
expressed in the HIPAA Enforcement Rule at 45 CFR 160.522. This
proposed rule provides that the ALJ and the Board at every stage of the
proceeding will disregard any error or defect in the proceeding that
does not affect the substantial rights of the parties.
IV. Impact Statement and Other Required Analyses
Unfunded Mandates Reform Act
Section 202 of the Unfunded Mandates Reform Act requires that a
covered agency prepare a budgetary impact statement before promulgating
a rule that includes any Federal mandate that may result in the
expenditure by State, local, and Tribal governments, in the aggregate,
or by the private sector, of $100 million or more in any one year. The
Department has determined that this proposed rule would not impose a
mandate that will result in the expenditure by State, Local, and Tribal
governments, in the aggregate, or by the private sector, of more than
$100 million in any one year.
Paperwork Reduction Act
This notice of proposed rulemaking adding a new Part 3 to volume 42
of the Code of Federal Regulations contains information collection
requirements. This summary includes the estimated costs and assumptions
for the paperwork requirements related to this proposed rule. A copy of
the information collection request will be available on the PSO Web
site (www.pso.ahrq.gov) and can be obtained in hardcopy by contacting
Susan Grinder at the Center for Quality Improvement and Patient Safety,
AHRQ, (301) 427-1111 (o); (301) 427-1341 (fax). These paperwork
requirements have been submitted to the Office of Management and Budget
for review under number xxxx-xxxx as required by 44 U.S.C.
3507(a)(1)(c) of the Paperwork Reduction Act of 1995, as amended (PRA).
Respondents are not required to respond to any collection of
information unless it displays a current valid OMB control number.
With respect to proposed Sec. 3.102 concerning the submission of
certifications for initial and continued listing as a PSO, and of
updated information, all such information would be submitted on Form
SF-XXXX. To maintain its listing, a PSO must also submit a brief
attestation, once every 24-month period after its initial date of
listing, submitted on Form SF-XXXX, stating that it has entered
contracts with two providers. We estimate that the proposed rule would
create an average burden of 30 minutes annually for each entity that
seeks to become a PSO to complete the necessary certification forms.
Table 1 summarizes burden hours.
Table 1.--Total Burden Hours Related to Certification Forms
[Summary of all burden hours, by Provision, for PSOs]
------------------------------------------------------------------------
Provision Annualized burden hours
------------------------------------------------------------------------
3.112..................................... 30 minutes.
------------------------------------------------------------------------
HHS is working with OMB to obtain approval of the associated burden
in accordance with the Paperwork Reduction Act of 1995 (44 U.S.C.
3507(d)) before the effective date of the final rule. Comments on this
proposed information collection should be directed to Susan Grinder, by
sending an e-mail to [email protected] or sending a fax to (301)
427-1341.
Under 5 CFR 1320.3(c), a covered collection of information includes
the requirement by an agency of a disclosure of information to third
parties by means of identical reporting, recordkeeping, or disclosure
requirements, imposed on ten or more persons. The proposed rule
reflects the previously established reporting requirements for breach
of confidentiality applicable to business associates under HIPAA
regulations requiring contracts top contain a provision requiring the
business associate (in this case, the PSO) to notify
[[Page 8165]]
providers of breaches of their identifiable patient data's
confidentiality or security. Accordingly, this reporting requirement
referenced in the regulation previously met Paperwork Reduction Act
review requirements.
The proposed rule requires in proposed Sec. 3.108(c) that a PSO
notify the Secretary if it intends to relinquish voluntarily its status
as a PSO. The entity would be required to notify the Secretary that it
has, or will soon, alert providers and other organizations from which
it has received patient safety work product or data of its intention
and provide for the appropriate disposition of the data in consultation
with each source of patient safety work product or data held by the
entity. In addition, the entity is asked to provide the Secretary with
current contact information for further communication from the
Secretary as the entity ceases operations. The reporting aspect of this
requirement is essentially an attestation that is equivalent to the
requirements for listing, continued listing, and meeting the minimum
contracts requirement. This minimal data requirement would come within
5 CFR 1320.3(h)(1) which provides an exception from PRA requirements
for affirmations, certifications, or acknowledgments as long as they
entail no burden other than that necessary to identify the respondent,
the date, the respondent's address, and the nature of the instrument.
In this case, the nature of the instrument would be an attestation that
the PSO is working with its providers for the orderly cessation of
activities. The following other collections of information that would
be required by the proposed regulation under proposed Sec. 3.108 are
also exempt from PRA requirements pursuant to an exception in 5 CFR
1320.4 for information gathered as part of administrative
investigations and actions regarding specific parties: information
supplied in response to preliminary agency determinations of PSO
deficiencies or in response to proposed revocation and delisting (e.g.,
information providing the agency with correct facts, reporting
corrective actions taken, or appealing proposed agency revocation
decisions).
Federalism
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
final rule) that imposes substantial direct requirement costs on state
and local governments, preempts State law, or otherwise has Federalism
implications. The Patient Safety Act upon which the proposed regulation
is based makes patient safety work product confidential and privileged.
To the extent this would not be consistent with any state law,
including court decisions, the Federal statute would preempt such state
law or court order. The proposed rule (and subsequent final rule) will
not have any greater preemptive effect on state or local governments
than that imposed by the statute. While the Patient Safety Act does
establish new Federal confidentiality and privilege protections for
certain information, these protections only apply when health care
providers work with PSOs and new processes, such as patient safety
evaluation systems, that do not currently exist. These Federal data
protections provide a mechanism for protection of sensitive information
that could improve the quality, safety, and outcomes of health care by
fostering a non-threatening environment in which information about
adverse medical events and near misses can be discussed. It is hoped
that confidential analysis of patient safety events will reduce the
occurrence of adverse medical events and, thereby, reduce the costs
arising from such events, including costs incurred by state and local
governments attributable to such events.
AHRQ, in conjunction with OCR, held three public listening sessions
prior to drafting the proposed rule. Representatives of several states
participated in these sessions. In particular, states that had begun to
collect and analyze patient safety event information spoke about their
related experiences and plans. Following publication of the NPRM, AHRQ
will consult with appropriate state officials and organizations to
review the scope of the proposed rule and to specifically seek input on
federalism issues and a proposal in the rule at proposed Sec.
3.102(a)(2) that would limit the ability of public or private sector
regulatory entities to seek listing as a PSO.
Regulatory Impact Analysis
Under Executive Order 12866 (58 FR 51735, October 4, 1993), Federal
Agencies must determine whether a regulatory action is ``significant''
and, therefore, subject to OMB review and the requirements of the
Executive Order. Executive Order 12866 defines ``significant regulatory
action'' as one that is likely to result in a rule that may:
1. Have an annual effect on the economy of $100 million or more or
adversely affect in a material way the economy, a sector of the
economy, productivity, competition, jobs, the environment, public
health or safety, or state, local, or tribal government or communities.
2. Create a serious inconsistency or otherwise interfere with an
action taken or planned by another agency.
3. Materially alter the budgetary impact of entitlements, grants,
user fees, or loan programs or the rights and obligations of recipients
thereof.
4. Raise novel legal or policy issues arising out of legal
mandates, the President's priorities, or the principles set forth in
the Executive Order.
AHRQ has accordingly examined the impact of the proposed rule under
Executive Order 12866, the Regulatory Flexibility Act (5 U.S.C. 601-
612), and the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4).
Executive Order 12866 directs agencies to assess all costs and benefits
of available regulatory alternatives and, when regulation is necessary,
to select regulatory approaches that maximize net benefits (including
potential economic, environmental, public health and safety, and other
advantages; distributive impacts; and equity). A regulatory impact
analysis must be prepared for major rules with economically significant
effects ($100 million or more in any one year). In the course of
developing the proposed rule, AHRQ has considered the rule's costs and
benefits, as mandated by Executive Order 12866. Although we cannot
determine with precision the aggregate economic impact of the proposed
rule, we believe that the impact may approach $100 million or more
annually. HHS has determined that the proposed rule is ``significant''
also because it raises novel legal and policy issues with the
establishment of a new regulatory framework, authorized by the Patient
Safety Act, and imposes requirements, albeit voluntary, on entities
that had not previously been subject to regulation in this area.
Consequently, as required under Executive Order 12866, AHRQ conducted
an analysis of the economic impact of the proposed rule.
Background
The Patient Safety Act establishes a framework for health care
providers voluntarily to report information on the safety, quality, and
outcomes of patient care that to PSOs listed by HHS. The main
objectives of the Patient Safety Act are to: (1) Encourage health care
providers to collect and examine patient safety events more freely and
consistently than they do now, (2) encourage many provider arrangements
or contracts with expert PSOs to receive, aggregate, and analyze data
on patient
[[Page 8166]]
safety events so that PSOs may provide feedback and assistance to the
provider to improve patient safety and (3) allow the providers to
improve the quality of care delivered and reduce patient risk. The
Patient Safety Act provides privilege from legal discovery for patient
safety work product, as well as confidentiality protections in order to
foster a culture of patient safety. The Patient Safety Act does not
contain mandatory reporting requirements. It does, however, require
information submissions by entities that voluntarily seek to be
recognized, (i.e., listed) as PSOs by the Secretary.
The cost of an adverse patient safety event can be very high in
terms of human life, and it also often carries a significant financial
cost. The Institute of Medicine report, To Err is Human: Building a
Safer Health Care System, estimates that adverse events cost the United
States approximately $37.6 billion to $50 billion each year. ``Total
national costs (lost income, lost household production, disability, and
health care costs) of preventable adverse events (medical errors
resulting in injury) are estimated to be between $17 billion and $29
billion, of which health care costs represent over one-half.'' \18\
---------------------------------------------------------------------------
\18\ Corrigan, J. M., Donaldson, M. S., Kohn, L. T., McKay, T.,
Pike, K. C., for the Committee on Quality of Health Care in America.
To Err is Human: Building a Safer Health System. Washington, DC.:
National Academy Press; 2000.
---------------------------------------------------------------------------
The proposed rule was written to minimize the regulatory and
economic burden on an entity that seeks certification as a PSO in order
to collect, aggregate, and analyze confidential information reported by
health care providers. Collecting, aggregating, and analyzing
information on adverse events will allow problems to be identified,
addressed, and eventually prevented. This, in turn, will help improve
patient safety and the quality of care, while also reducing medical
costs. The following analysis of costs and benefits--both quantitative
and qualitative--includes estimates based on the best available health
care data and demonstrates that the benefits of the proposed regulation
justify the costs involved in its implementation.
The economic impact of an alternative to the proposed rule is not
discussed in the following analysis because an alternative to the
statutorily authorized voluntary framework is the existence of no new
program, which would produce no economic change or have no economic
impact, or--alternatively--a mandatory regulatory program for all
health care providers, which is not authorized by the Patient Safety
Act and which is necessarily not a realistic alternative and would
likely be much more expensive. (A guiding principle of those drafting
the regulation was to minimize the economic and regulatory burden on
those entities seeking to be PSOs and providers choosing to work with
PSOs, within the limits of the Patient Safety Act. Hence this proposed
rule represents the Department's best effort at minimal impact while
still meeting statutory provisions.)
AHRQ has relied on key findings from the literature to provide
baseline measures for estimating the likely costs and benefits of the
proposed rule. We believe that the costs of becoming a PSO (i.e., the
costs of applying to be listed by the Secretary) will be relatively
small, and the costs of operating a PSO will be small, in relation to
the possible cost savings that will be derived from reducing the number
of preventable adverse medical events each year.
The direct costs to individual providers of working with PSOs will
vary considerably. For an institutional or individual provider that
chooses to report readily accessible information to a PSO occasionally,
costs may be negligible. The proposed rule does not require a provider
to enter into a contract with a PSO, establish internal reporting or
analytic systems, or meet specific security requirements for patient
safety work product. A provider's costs will derive from its own choice
whether to undertake and, if so, whether to conduct or contract for
data collection, information development, or analytic functions. Such
decisions will be based on the provider's assessment of the cost and
benefits it expects to incur and achieve. As we discuss below,
hospitals in particular have developed, and can be expected to take
advantage of the protections afforded by the Patient Safety Act by
expanding data collection, information development, and analytic
functions at their institutions. We anticipate that many providers will
choose to enter into contracts with PSOs voluntarily. If providers
choose to report data routinely to a PSO, a contract will be a good
business practice. It provides greater assurance that a provider can
demonstrate, if its claims of protections are challenged, that it is
operating in full compliance with the statute. It enables the provider
to exert greater control over the use and sharing of its data and, in
the case of a provider that is a covered entity under the HIPAA Privacy
Rule, the provider will need to enter a business associate agreement
with a PSO for compliance with that regulation if the reported data
includes protected health information.
The following cost estimates represent an effort to develop an
``upper bound'' on the cost impact of the proposed rule by assuming
that providers choosing to work with PSOs will follow best business
practices, take full advantage of the Patient Safety Act's protections,
and develop robust internal reporting and analytic systems, rather than
meeting the minimal requirements of the proposed rule. The cost
estimates below are based on existing hospital-based activities for
reporting patient safety events, which are likely to be similar to most
events that a PSO will analyze (namely quality and safety activities
within hospitals). While the Patient Safety Act is not limited to
hospitals, AHRQ has received indications from various stakeholder
groups that hospital providers will be the predominant provider type
initially interested in working with PSOs.
Affected Entities
To date, AHRQ has no hard information on the exact number of
interested parties that may wish to become a PSO. AHRQ estimates,
however, that 50 to 100 entities may request to become a listed PSO by
the Secretary during the first three years after publication of the
final rule. AHRQ anticipates a gradual increase in the number of
entities seeking listing as a PSO and estimates that roughly 50
entities will seek PSO certification during Year 1, 25 entities during
Year 2, and an additional 25 entities during Year 3, totaling 100 PSOs
by the end of Year 3. After Year 3, we anticipate that the number of
PSOs will remain about constant, with the number of new entrants
roughly equivalent to the number of PSOs that cease to operate.
Healthcare providers, especially hospitals, currently assume some
level of burden to collect, develop, and analyze patient safety event
information similar to the information that will be reported to PSOs.
We note that most institutional providers (especially larger ones)
already do some of this data gathering. AHRQ anticipates that entities
that currently operate internal patient safety event reporting systems
either may be interested in: (1) Establishing a component organization
to seek certification as a PSO; or (2) contracting with a PSO. Using
data from the 2004 American Hospital Association, AHRQ conducted an
analysis of the burden hours and likely costs associated with reporting
patient safety event information to a PSO. See below.
[[Page 8167]]
Costs
The proposed rule enables providers to receive Federal protections
for information on patient safety events that the providers choose to
collect, analyze, and report in conformity with the requirements of the
Patient Safety Act and the proposed rule. The proposed rule, consistent
with the Patient Safety Act, does not require any entity to seek
listing as a PSO and does not require any provider to work with a PSO.
While all holders of patient safety work product must avoid
impermissible disclosures of patient safety work product, we do not
impose any specific requirements that holders must meet to comply with
this obligation. The requirements of the proposed rule apply only to
entities that choose to seek listing by the Secretary as a PSO.
Similarly, the proposed rule does not impose requirements on States or
private sector entities (including small businesses) that would result
in additional spending, that is, the government is not imposing any
direct costs on States or the private sector.
The Patient Safety Act, and therefore, the proposed rule, does
impose obligations on entities that are listed by the Secretary as
PSOs. Every PSO must carry out eight patient safety activities and
comply with seven statutory criteria during its period of listing,
including requirements related to the provision of security for patient
safety work product, the ability to receive and analyze data from
providers and assist them in implementing system improvements to
mitigate or eliminate potential risk or harm to patients from the
delivery of health care services.\19\ Because this is a new, untested,
and voluntary initiative--coupled with the fact that PSOs currently do
not exist--AHRQ does not have data on PSO fees, income, or expenses to
estimate the precise monetized and non-monetized costs and benefits of
the proposed rule. The following estimates reflect the cost of all
incremental activities required (or contemplated) by the proposed rule.
---------------------------------------------------------------------------
\19\ These 15 requirements from the Patient Safety Act are
discussed in proposed Sec. 3.102(b). The eight patient safety
activities are defined in proposed Sec. 3.20 and the seven criteria
are specified in proposed Sec. 3.102(b)(2).
---------------------------------------------------------------------------
For entities that seek to be listed as a PSO by the Secretary, AHRQ
assumes that most of the total costs incurred will be for the
establishment of a new organizational structure. AHRQ expects such
costs to vary considerably based on the types of entities that request
PSO listing (e.g., size; geographic location; setting; academic,
professional, or business affiliation; and whether or not the entity is
a component of a parent organization). It is anticipated that the
proposed rule's cost to a PSO will likely be highest in the first year
due to start-up and initial operational costs and establishment of
policies and procedures for complying with PSO regulations. PSO
operational costs will include the hiring of qualified staff, setting
up data collection and reporting systems, establishing policies and
procedures for ensuring data security and confidentiality, maintaining
a patient safety evaluation system as required by the Patient Safety
Act, and receiving and generating patient safety work product. The fact
that PSOs are new entities for which there are no existing financial
data means that estimates of the cost or charges for PSO services are a
matter of speculation at this time. Additionally, the degree to which
PSOs will exercise market power, what services they will offer, and the
impact of a competitive environment is not yet known. Based on
discussions with stakeholder groups, we believe that there will be a
number of business models that emerge for PSOs. We anticipate that many
PSOs will be components of existing organizations, which will likely
subsidize the operations of their component PSOs for some time. Despite
these limitations, AHRQ believes it can construct reasonable estimates
of the costs and benefits of the Patient Safety Act. See ``Provider--
PSO Costs and Charges'' for an explanation of why the above-mentioned
uncertainties do not preclude AHRQ from calculating overall costs,
benefits, and net benefits of the Patient Safety Act.
As noted above, the proposed rule does not require providers to
establish internal reporting or analytic systems. AHRQ expects,
however, that many providers will do so in order to take full advantage
of the protections of the Patient Safety Act. As a result, our
estimates reflect an upper bound on the potential costs associated with
implementation by assuming that all providers that choose to
participate will establish robust internal reporting and analytic
systems.
AHRQ recognizes that many state governments, public and private
health care purchasers, and private accrediting and certifying
organizations already employ voluntary and/or mandatory patient safety
event reporting systems. As health care organizations increasingly
focus on the monitoring of adverse events, the use of voluntary
reporting systems to detect, evaluate, and track such events has also
increased. Preliminary findings from AHRQ's Adverse Event Reporting
Survey, conducted by the RAND Corporation (RAND) and the Joint
Commission on Accreditation of Healthcare Organizations (JCAHO), show
that 98 percent of hospitals are already reporting adverse medical
events.\20\ This survey was administered to a representative sample of
2,000 hospitals, with an 81 percent response rate. Thus, it is
anticipated that the associated costs of the proposed rule for
hospitals with existing patient safety event reporting systems will be
very minimal, because the majority of these organizations already have
the institutional infrastructure and operations to carry out the data
collection activities of the proposed rule. AHRQ assumes that the
estimated 2 percent of hospitals that currently have no reporting
system are unlikely to initiate a new reporting system based on the
proposed rule, at least in the first year that PSOs are operational.
---------------------------------------------------------------------------
\20\ RAND and Joint Commission on Accreditation of Healthcare
Organizations. Survey on Hospital Adverse Event Reporting Systems:
Briefing on Baseline Data. August 16, 2006 Briefing.
---------------------------------------------------------------------------
Hospital Costs
We extrapolated findings from the RAND-JCAHO survey in order to
calculate the burden hours and monetized costs associated with the
proposed rule, using data from the American Hospital Association's 2004
\21\ annual survey of hospitals in the United States \22\ to estimate
the number of hospitals nationwide. This figure served as the
denominator in our analysis. We acknowledge that, over time, not all
providers working with PSOs will be hospitals; however, it is
reasonable to use hospitals as a basis for our initial estimates, given
the preliminary indications that hospitals will be the predominant, if
not exclusive, providers submitting information to PSOs during the
early years in which PSOs are operational.
---------------------------------------------------------------------------
\21\ American Hospital Association. Fast Facts on U.S. Hospitals
from AHA Hospital Statistics. November 14, 2005. Available at:
http://www.aha.org/aha/resource_center/fastfacts/fast_facts_US_hospitals.html. Web Page.
\22\ The 2005 survey results will likely be release in November
2006.
---------------------------------------------------------------------------
Based on American Hospital Association data, there are 5,759
registered U.S. hospitals--including community hospitals, Federal
hospitals, non-Federal psychiatric hospitals, non-Federal long-term
care hospitals, and hospital units of institutions--in which there are
955,768 staffed operational beds. Based on the RAND-JCAHO finding
regarding event reporting in hospitals, AHRQ calculates that 98 percent
of the 5,759 hospitals (5,644 hospitals with 936,653 staffed beds)
[[Page 8168]]
already have, and are supporting the costs of, a centralized patient
safety event reporting system.
AHRQ assumed that an institution will report an average of one
patient safety event (including no harm events and close calls) per bed
per month. Based on this assumption, AHRQ estimates that all hospitals
nationwide are currently completing a total of 11,239,832 patient
safety event reports per year. Based on the assumption that it takes 15
minutes to complete each patient safety event report, we estimate that
hospitals are already spending 2,809,958 hours per year on this
activity. At a Full-Time Equivalent (FTE) rate of $80 per hour, we
estimate that all hospitals nationwide are currently spending
approximately $224,796,634 per year on patient safety event reporting
activities.
AHRQ estimates that, once collected, it will take an additional
five minutes for hospital staff to submit patient safety event
information to a PSO. We, therefore, estimate that the total burden
hours for all hospitals nationwide to submit patient safety event
information to a PSO totals 936,653 hours annually with an associated
cost of $74,932,211 based on the assumption that all hospitals
nationwide reported all possible patient safety events (using the
heuristic of one event per bed per month).
During the first year following publication of the final rule PSOs
will be forming themselves into organizations and engaging in startup
activities. We assume that there will be a gradual increase in the
number of entities seeking listing as PSOs, beginning with a 10 percent
participation rate. We assume as many as 25 percent of hospitals may
enter into arrangements with PSOs by the end of the first year;
however, the overall effective participation rate will only average 10
percent. This assumption translates to 93,665 hours of additional
burden for hospitals to report patient safety event information to PSOs
with an estimated cost of $7,493,221. Assuming a 40 percent
participation rate of all hospitals nationwide during the second year
that PSOs are operational, there would be 374,660 burden hours with an
estimated cost of $29,972,884. Assuming there is 60 percent
participation rate of all hospitals nationwide during the third year
that PSOs are operational, there would be 561,990 burden hours
nationwide with an estimated cost of $44,959,326. (See Table 1).
In summary, the direct costs--which would be voluntarily incurred
if all hospitals nationwide that choose to work with PSOs during the
first five years also chose to establish systematic reporting systems--
are projected to range from approximately $7.5 million to nearly $63.7
million in any single year, based on 10 percent to 85 percent
participation rate among hospitals. These cost estimates may be high if
provider institutions, such as hospitals, do not submit all the patient
safety data they collect to a PSO. If only a fraction of the data is
reported to a PSO, the cost estimates and burden will be
proportionately reduced.
Table 1.--Estimated Hospitals Costs To Submit Information to PSOs: 2008-2012
----------------------------------------------------------------------------------------------------------------
Year 2008 2009 2010 2011 2012
----------------------------------------------------------------------------------------------------------------
Hospital Penetration Rate..... 10%............ 40%............ 60%........... 75%........... 85%.
Hospital Cost................. $7.5 M......... $30.0 M........ $45.0 M....... $56.2 M....... $63.7 M.
----------------------------------------------------------------------------------------------------------------
PSO Costs
A second category of costs, in addition to incremental costs borne
by hospitals, is that of the PSOs themselves. PSO cost estimates are
based on estimates of organizational and consulting capabilities and
statutory requirements. We followed the standard accounting format for
calculating ``independent government cost estimates,'' although the
categories did not seem entirely appropriate for the private sector. In
order to estimate PSO costs over a five-year period, we made several
assumptions about the size and operations of new PSOs. Specifically, we
assumed that PSOs would be staffed modestly, relying on existing
hospital activities in reporting adverse events, and that a significant
proportion of PSOs are likely to be component PSOs, with support and
expertise provided by a parent organization. Our assumptions are that
PSOs will hire dedicated staff of from 1.5 to 4 FTEs, assuming an
average salary rate of $67/hour. We estimate that a significant
overhead figure of 100%, coupled with 20% for General and
Administrative (G&A) expenses, will cover the appreciable costs
anticipated for legal, security, travel, and miscellaneous PSO
expenses.
Although we believe that the above estimates may be conservative,
we also believe that PSOs will become more effective over time without
increasing staff size. Finally, we estimate that the number of PSOs
will increase from 50 to 100 during the first three years in which the
Secretary lists PSOs and remain at 100 PSOs in subsequent years. Table
2 summarizes PSO operational costs for the first five years based on
these estimates.
Table 2.--Total PSO Operational Costs: 2008-2012
----------------------------------------------------------------------------------------------------------------
Year 2008 2009 2010 2011 2012
----------------------------------------------------------------------------------------------------------------
Number of PSOs................ 50............. 75............. 100........... 100........... 100.
PSO Cost...................... $61.4 M........ $92.1 M........ $122.8 M...... $122.8 M...... $122.8 M.
----------------------------------------------------------------------------------------------------------------
Table 3 presents the total estimated incremental costs related to
implementation of the Patient Safety Act, based on new activities on
the part of hospitals and the formation of new entities, PSOs, from
2008-2012. Estimates for total Patient Safety Act costs are $80 million
in Year 1, increasing to $186.5 million in Year 5.
[[Page 8169]]
Table 3.--Total Patient Safety Act Costs Including Hospital Costs and PSO Costs: 2008-2012
----------------------------------------------------------------------------------------------------------------
Year 2008 2009 2010 2011 2012
----------------------------------------------------------------------------------------------------------------
Hospital Penetration Rate..... 10%............ 40%............ 60%........... 75%........... 85%.
Hospital Cost................. $7.5 M......... $30.0 M........ $45.0 M....... $56.2 M....... $63.7 M.
PSO Cost...................... $61.4 M........ $92.1 M........ $122.8 M...... $122.8 M...... $122.8 M.
---------------------------------------------------------------------------------
Total Cost................ $68.9 M........ $122.1 M....... $167.8 M...... $179.0 M...... $186.5 M.
----------------------------------------------------------------------------------------------------------------
Provider--PSO Costs and Charges
We have not figured into our calculations any estimates for the
price of PSO services, amounts paid by hospitals and other health care
providers to PSOs, PSO revenues, or PSO break-even analyses. We have
not speculated about subsidies or business models. Regardless of what
the costs and charges are between providers and PSOs, they will cancel
each other out, as expenses to providers will become revenue to PSOs.
Benefits
The primary benefit of the proposed rule is to provide the
foundation for new, voluntary opportunities for health care providers
to improve the safety, quality, and outcomes of patient care. The non-
monetized benefits to public health from the proposed rule are clear,
translating to improvements in patient safety, although such benefits
are intangible and difficult to quantify, not only in monetary terms
but also with respect to outcome measures such as years added or years
with improved quality-of-life. Although AHRQ is unable to quantify the
net benefits of this proposed rule precisely, it believes firmly that
the proposed rule will be effective in addressing costly medical care
problems in the health system that adversely affect patients, their
families, their employees, and society in general. Finally, estimating
the impact of the proposed rule in terms of measurable monetized and
non-monetized benefits is a challenge due to a lack of baseline data on
the incidence and prevalence of patient safety events themselves. In
fact, one of the intended benefits of the Patient Safety Act is to
provide more objective data in this important area, which will begin to
allow tracking of improvement.
AHRQ has relied on key findings from the medical professional
literature to provide a qualitative description of the scope of the
problem. The Institute of Medicine reports that 44,000 to 98,000 people
die in hospitals each year as a result of adverse events.\23\ The
Harvard Medical Practice Study found a rate of 3.7 adverse events per
100 hospital admissions.\24\ Similar results were found in a
replication of this study in Colorado and Utah; adverse events were
reported at a rate of 2.9 per 100 admissions.\25\ Adverse events do not
occur only in hospitals; they also occur in physician's offices,
nursing homes, pharmacies, urgent care centers, ambulatory care
settings, and care delivered in the home.
---------------------------------------------------------------------------
\23\ Institute of Medicine, ``To Err Is Human: Building a Safer
Health System'', 1999.
\24\ Brennan TA, Leape LL, Laird NM, et al. Incidence of Adverse
Events and Negligence in Hospitalized Patients. New England Journal
of Medicine. 1991. 324: 370-76.
\25\ Thomas EJ, Studdert DM, Burstin HR, et al. Incidence and
Types of Adverse Events and Negligent Care in Utah and Colorado.
Medical Care. 2000. 38: 261-71.
---------------------------------------------------------------------------
The importance of evaluating the incidence and cost of adverse
events cannot be underestimated. They are not only related to possible
morbidity and mortality, but also impose a significant economic burden
on both society and the individual (patient, family, health care
workers) in terms of consumption of health care resources and lost
productivity, and in many cases avoidable pain and suffering. However,
to prevent adverse events, it may take many years for the proposed rule
to achieve its full beneficial effects, and it will remain a challenge
to track the effect of the proposed rule on the patient population and
society, generally.
It may be possible to measure improvements in patient safety in
general descriptive terms regarding improved health outcomes. However,
it is more difficult to translate such improvements to direct monetary
savings or outcome measures that can be integrated into a single
numerical index (e.g., units of health improvement, years of life
gained). By analyzing patient safety event information, PSOs will be
able to identify patterns of failures in the health care system and
propose measures to eliminate patient safety risks and hazards as a
means to improve patient outcomes. As more information is learned about
patient safety events through data collection by the PSOs, the care
delivery environment can be redesigned to prevent adverse events in the
future. However, PSOs will not have the necessary authority to
implement recommended changes to improve patient safety in providers'
health care delivery organizations. It will be up to the providers
themselves to bring about the changes that will result in a reduction
in adverse events and a resultant improvement in the quality of care
delivered.
The submission of more comprehensive information by health care
providers regarding patient risks and hazards will likely increase the
understanding of the factors that contribute to events that adversely
affect patients. The expected benefit of this information would be
improvements in patient safety event reports and analyses, which would
translate to better patient outcomes and possible economic savings
attributable to the more efficient use of health care services. Due to
the uncertainty of the benefits and costs associated with the proposed
rule as delineated above, it is then possible only to make general
estimates of the monetary values of expected improvements in patient
outcomes, that is, savings to the healthcare system.
We can estimate monetized benefits by referring to the Institute of
Medicine report, To Err Is Human,\26\ which estimates total national
costs of preventable adverse events to be between $17 billion and $29
billion, of which direct health care costs represent over one-half
(totaling between $8.5 billion and $14.5 billion). Based on the
assumption that PSOs may be able to reduce the preventable adverse
events by between one percent and three percent within their first five
years of operation, this reduction would amount to be between $85
million--$145 million in savings at the 1 percent level if the whole
nation were affected, and $255 million--$435 million at the 3 percent
level, if the whole nation were affected. Applying a median figure from
the Institute of Medicine range to PSOs, based on an increasing impact
from 1%-3% as it grows over the first five
[[Page 8170]]
years, we see progressively growing savings as shown in Table 4. It
should be noted that we are estimating savings by assuming a percentage
reduction of adverse events from the overall occurrence rate delineated
by the Institute of Medicine report. We are not tying the estimated
reduction to those events specifically reported to PSOs. Events that
have already occurred do not represent a potential for savings. The
presumption behind the estimated savings is that the reporting,
analysis, and institution of ameliorating policies and procedures will
result in fewer adverse events going forward because of such PSO
activities.
---------------------------------------------------------------------------
\26\ Corrigan, J. M., Donaldson, M. S., Kohn, L. T., McKay, T.,
Pike, K. C., for the Committee on Quality of Health Care in America.
To Err Is Human: Building a Safer Health System. Washington, DC:
National Academy Press; 2000.
Table 4.--Total Estimated Cost Savings by Percent Reduction in Adverse Events: 2008-2012 *
----------------------------------------------------------------------------------------------------------------
Year 2008 2009 2010 2011 2012
----------------------------------------------------------------------------------------------------------------
Hospital Penetration Rate.... 10%........... 40%........... 60%........... 75%.............. 85%.
Percent Reduction in Adverse 1%............ 1.5%.......... 2%............ 2.5%............. 3%.
Events.
Savings...................... $11.5 M....... $69 M......... $138 M........ $215.625 M....... $293.25 M.
----------------------------------------------------------------------------------------------------------------
* Source: Baseline figures from IOM Report, To Err Is Human, on total national health care costs associated with
preventable adverse events (between 8.5 billion and 14.5 billion). Year 1 estimates are based on mid-point
figures.
It is assumed that when the proposed rule is implemented, it will
have a beneficial effect on patient outcomes. Eliminating adverse
events would help to ensure the greatest value possible from the
billions of dollars spent on medical care in the United States.\27\
AHRQ concludes that the potential benefits of the Patient Safety Act--
which encourages hospitals, doctors, and other health care providers to
work voluntarily with PSOs by reporting of health care errors and
enabling PSOs to analyze them to improve health care quality and
safety--would justify the costs of the proposed rule.
---------------------------------------------------------------------------
\27\ Corrigan, J. M., Donaldson, M. S., Kohn, L. T., McKay, T.,
Pike, K. C., for the Committee on Quality of Health Care in America.
To Err Is Human: Building a Safer Health System. Washington, DC:
National Academy Press; 2000.
---------------------------------------------------------------------------
During the first five operational years of PSOs, we calculated the
net benefits based on total costs and benefits. (See Table 5.) We
estimate that costs of implementing the Patient Safety Act will reach
break-even after 2010 and provide progressively greater benefits
thereafter.
Table 5.--Net Benefits: 2008-2012
--------------------------------------------------------------------------------------------------------------------------------------------------------
Year 2008 2009 2010 2011 2012
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total Benefits.................... $11.5 M............... $69 M................. $138 M................ $215.625 M........... $293.25 M.
Total Costs....................... $68.9 M............... $122.1 M.............. $167.8 M.............. $179.0 M............. $186.5 M.
Net Benefits...................... ($57.4) M............. ($53.1) M............. ($29.8) M............. $36.625 M............ $106.75 M.
Discounted net present value at 3% ($55.7) M............. ($50.0) M............. ($27.3) M............. $32.5 M.............. $92.1 M.
Discounted net present value at 7% ($53.6) M............. ($46.4) M............. ($24.3) M............. $27.9 M.............. $76.1 M.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Confidentiality Rule
The confidentiality provisions are included in the Patient Safety
Act to encourage provider participation. Without such protections,
providers will be reluctant to participate in the expanded reporting
and analysis of patient safety events, and low participation will
severely inhibit the opportunity to reap the benefits from efforts to
improve patient safety. The proposed rule requires any holder of
patient safety work product to maintain its confidentiality but, with
the exception of PSOs, the appropriate security measures are left to
the holder's discretion. Proposed Sec. 3.106 establishes a security
framework that PSOs must address but, even then, PSOs are given
discretion to establish the specific security standards most
appropriate to their organization. Violation of the confidentiality
provisions under the proposed rule creates a risk of liability for a
substantial civil money penalty. If a person makes a knowing or
reckless disclosure in violation of the confidentiality provisions,
that person will be subject to the enforcement process, and subject to
costs including participation in an investigation and payment of a
civil money penalty, if imposed.
While participating providers may incur some costs associated with
maintaining the confidentiality of patient safety work product (e.g.,
developing policies/procedures to keep information confidential,
safeguarding the information, training staff, etc.), those activities
and associated costs are not required by the proposed rule and are
likely minimal in light of existing procedures to meet existing
requirements on providers to maintain sensitive information as
confidential. We are proposing a scheme that places the least possible
amount of regulatory burden on participants while simultaneously
ensuring that the confidentiality provisions are effectively
implemented and balanced with the objective of encouraging the maximum
amount of participation possible. We were mindful of not placing
unnecessary regulatory requirements on participating entities because
this is a voluntary initiative, and we did not want entities interested
in participating to forego participation because of concerns about the
associated risk of liability for civil money penalties.
Regulatory Flexibility Act Analysis
The Regulatory Flexibility Act requires agencies to analyze
regulatory options that would minimize any significant impact of a rule
on small entities. Because the Patient Safety Act enables a broad
spectrum of entities--public, private, for-profit, and not-for-profit--
to seek certification as a PSO, there may be many different types of
organizations interested in becoming certified as a PSO that would be
affected by the proposed rule. The proposed rule minimizes possible
barriers to entry and creates a review process that is both simple and
quick. As a result, AHRQ expects that a broad range of health care
provider systems, medical specialty societies, and provider-based
membership organizations will seek listing as a PSO by the Secretary.
AHRQ preliminarily determines that the proposed rule does not have
a
[[Page 8171]]
significant impact on small businesses because it does not impose a
mandatory regulatory burden, and because the Department has made a
significant effort to promulgate regulations that are the minimum
necessary to interpret and implement the law. As stated previously,
working with PSOs is completely voluntary; the proposed rule provides
benefits in the form of legal protections that are expected to outweigh
the cost of participation from the perspective of participating
providers. AHRQ believes that the proposed rule will not have a
significant impact on a substantial number of small entities because
the proposed rules do not place small entities at a significant
competitive disadvantage to large entities. AHRQ does not anticipate
that there will be a disproportional effect on profits, costs, or net
revenues for a substantial number of small entities. The proposed rule
will not significantly reduce profit for a substantial number of small
entities.
Impacts on Small Entities
1. The Need for and the Objectives of the Proposed Rule
The proposed rule establishes the authorities, processes, and
requirements necessary to implement the Patient Safety Act, sections
921-926 of the Public Health Service Act, 42 U.S.C. 299b-21 to 299b-26.
The proposed rules seek to establish a streamlined process for the
Department to accept certification by entities seeking to become PSOs.
Under the proposal, PSOs will be available voluntarily to enter into
arrangements with health care providers and provide expert advice
regarding the causes and prevention of adverse patient safety events.
Information collected or developed by a health care provider or PSO,
and reported to or by a PSO, that relate to a patient safety event
would become privileged and confidential. Related deliberations would
also be protected. Persons who breached the confidentiality provisions
of the rule could be subject to civil money penalties of up to $10,000.
2. Description and Estimate of the Number of Small Entities Affected
For purposes of the Regulatory Flexibility Act, small entities
include small businesses, non-profit organizations, and government
jurisdictions. Most hospitals and many other health care providers and
suppliers are small entities, either because they are nonprofit
organizations or because they generate revenues of $6.5 million to
$31.5 million in any one year. Individuals and States are not included
in the definition of a small entity. The proposed rule would affect
most hospitals, and other health care delivery entities, plus all small
entities that are interested in becoming certified PSOs. Based on
various stakeholder meetings, AHRQ estimates that approximately 50-100
entities may be interested in becoming listed as PSOs during the first
three years following publication of the final rule. This figure is
likely to stabilize over time, as some new PSOs form and some existing
PSOs cease operations.
3. Impact on Small Entities
AHRQ believes that the proposed rule will not have a significant
impact on a substantial number of small provider or PSO entities
because the proposed rule does not place a substantial number of small
entities at a significant competitive disadvantage to large entities.
AHRQ does not anticipate that there will be a disproportional effect on
profits, costs, or net revenues for a substantial number of small
entities. The proposed rule will not significantly reduce profit for a
substantial number of small entities. In fact, when fully implemented,
we expect that the benefits and/or provider savings will outweigh the
costs.
Compliance requirements for small entities under this proposed rule
are the same as those described above for other affected entities. AHRQ
has proposed only those regulations that are necessary to comply with
provisions and goals of the Patient Safety Act, with the objective of
encouraging the maximum participation possible. The proposed rule was
written to minimize the regulatory and economic burden on any entity
that seeks to be listed as a PSO by the Secretary, regardless of size.
It is impossible for AHRQ to develop alternatives to the proposed rule
for small entities, as the proposed rule must adhere to statutory
requirements. For example, the proposed rule requires confidentiality
and privilege protections and places the least amount of regulatory
burden on participating players--while simultaneously ensuring that the
goals of confidentiality are effectively implemented--with the
objective of encouraging the maximum participation possible. In
addition, the proposed rule was written recognizing that many providers
will be HIPAA covered entities, and many PSOs will be business
associates, which entails certain obligations under the HIPAA Privacy
Rule. Thus, this proposed rule is coordinated with existing law, to
minimize the burden of compliance.
AHRQ believes that the proposed rule will not have a significant
impact on small providers. The proposed rule does not impose any costs
directly on providers, large or small, that choose to work with a PSO.
To the extent that providers hold patient safety work product, they
must prevent impermissible disclosures; however, the proposed rule does
not establish requirements for how providers must meet this
requirement.
Finally, it is the statutory and supporting regulatory guarantee of
the confidentiality of the reporting of adverse events that will enable
PSOs to operate and perform their function. Thus, while the compliance
costs in the form of start-up operational costs may be substantial, the
benefits that will be generated as a result of these costs will exceed
the actual costs, as illustrated in Table 5.
The Secretary certifies that the proposed rule will not have a
significant economic impact on a substantial number of small entities.
List of Subjects in 42 CFR Part 3
Administrative practice and procedure, Civil money penalty,
Confidentiality, Conflict of interests, Courts, Freedom of information,
Health, Health care, Health facilities, Health insurance, Health
professions, Health records, Hospitals, Investigations, Law
enforcement, Medical research, Organization and functions, Patient,
Patient safety, Privacy, Privilege, Public health, Reporting and
recordkeeping requirements, Safety, State and local governments,
Technical assistance.
For the reasons stated in the preamble, the Department of Health
and Human Services proposes to amend Title 42 of the Code of Federal
Regulations by adding a new part 3 to read as follows:
PART 3--PATIENT SAFETY ORGANIZATIONS AND PATIENT SAFETY WORK
PRODUCT
Subpart A--General Provisions
Sec.
3.10 Purpose.
3.20 Definitions.
Subpart B--PSO Requirements and Agency Procedures
3.102 Process and requirements for initial and continued listing of
PSOs.
3.104 Secretarial actions.
3.106 Security requirements.
3.108 Correction of deficiencies, revocation, and voluntary
relinquishment.
3.110 Assessment of PSO compliance.
3.112 Submissions and forms.
[[Page 8172]]
Subpart C--Confidentiality and Privilege Protections of Patient Safety
Work Product
3.204 Privilege of Patient Safety Work Product.
3.206 Confidentiality of Patient Safety Work Product.
3.208 Continued protection of Patient Safety Work Product.
3.210 Required disclosure of Patient Safety Work Product to the
Secretary
3.212 Nonidentification of Patient Safety Work Product.
Subpart D--Enforcement Program
3.304 Principles for achieving compliance.
3.306 Complaints to the Secretary.
3.308 Compliance reviews.
3.310 Responsibilities of respondents.
3.312 Secretarial action regarding complaints and compliance
reviews.
3.314 Investigational subpoenas and inquiries.
3.402 Basis for a civil money penalty.
3.404 Amount of a civil money penalty.
3.408 Factors considered in determining the amount of a civil money
penalty.
3.414 Limitations.
3.416 Authority to settle.
3.418 Exclusivity of penalty.
3.420 Notice of proposed determination.
3.422 Failure to request a hearing.
3.424 Collection of penalty.
3.426 Notification of the public and other agencies.
3.504 Procedures for hearings.
Authority: 42 U.S.C. 216, 299b-21 through 299b-26; 42 U.S.C.
299c-6
Subpart A--General Provisions
Sec. 3.10 Purpose.
The purpose of this Part is to implement the Patient Safety and
Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title
IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by adding
sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.
Sec. 3.20 Definitions.
As used in this Part, the terms listed alphabetically below have
the meanings set forth as follows:
AHRQ stands for the Agency for Healthcare Research and Quality in
HHS.
ALJ stands for an Administrative Law Judge of HHS.
Board means the members of the HHS Departmental Appeals Board, in
the Office of the Secretary, who issue decisions in panels of three.
Bona fide contract means:
(1) A written contract between a provider and a PSO that is
executed in good faith by officials authorized to execute such
contract; or
(2) A written agreement (such as a memorandum of understanding or
equivalent recording of mutual commitments) between a Federal, State,
Local, or Tribal provider and a Federal, State, Local, or Tribal PSO
that is executed in good faith by officials authorized to execute such
agreement.
Complainant means a person who files a complaint with the Secretary
pursuant to Sec. 3.306.
Component organization means an entity that is either:
(1) A unit or division of a corporate organization or of a multi-
organizational enterprise; or
(2) A separate organization, whether incorporated or not, that is
owned, managed or controlled by one or more other organization(s),
i.e., its parent organization(s).
Component PSO means a PSO listed by the Secretary that is a
component organization.
Confidentiality provisions means for purposes of Subparts C and D,
any requirement or prohibition concerning confidentiality established
by section 921 and 922(b), (d), (g) and (i) of the Public Health
Service Act, 42 U.S.C. 299b-21, 299b-22(b)-(d), (g) and (i) and the
provisions, at Sec. Sec. 3.206 and 3.208, that implement the statutory
prohibition on disclosure of identifiable patient safety work product.
Disclosure means the release, transfer, provision of access to, or
divulging in any other manner of patient safety work product by a
person holding the patient safety work product to another.
Entity means any organization or organizational unit, regardless of
whether the organization is public, private, for-profit, or not-for-
profit.
Group health plan means employee welfare benefit plan (as defined
in section 3(1) of the Employee Retirement Income Security Act of 1974
(ERISA)) to the extent that the plan provides medical care (as defined
in paragraph (2) of section 2791(a) of the Public Health Service Act,
including items and services paid for as medical care) to employees or
their dependents (as defined under the terms of the plan) directly or
through insurance, reimbursement, or otherwise.
Health insurance issuer means an insurance company, insurance
service, or insurance organization (including a health maintenance
organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed
to engage in the business of insurance in a State and which is subject
to State law which regulates insurance (within the meaning of 29 U.S.C.
1144(b)(2)). The term does not include a group health plan.
Health maintenance organization means:
(1) A Federally qualified health maintenance organization (HMO) (as
defined in 42 U.S.C. 300e(a)),
(2) An organization recognized under State law as a health
maintenance organization, or
(3) A similar organization regulated under State law for solvency
in the same manner and to the same extent as such a health maintenance
organization.
HHS stands for the United States Department of Health and Human
Services.
HIPAA Privacy Rule means the regulations promulgated under section
264(c) of the Health Insurance Portability and Accountability Act of
1996 (HIPAA), at 45 CFR Part 160 and Subparts A and E of Part 164.
Identifiable patient safety work product means patient safety work
product that:
(1) Is presented in a form and manner that allows the
identification of any provider that is a subject of the work product,
or any providers that participate in, or are responsible for,
activities that are a subject of the work product;
(2) Constitutes individually identifiable health information as
that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or
(3) Is presented in a form and manner that allows the
identification of an individual who in good faith reported information
directly to a PSO or to a provider with the intention of having the
information reported to a PSO (``reporter'').
Nonidentifiable patient safety work product means patient safety
work product that is not identifiable patient safety work product in
accordance with the nonidentification standards set forth at Sec.
3.212.
OCR stands for the Office for Civil Rights in HHS.
Parent organization means an entity that, alone or with others,
either owns a provider entity or a component organization, or has the
authority to control or manage agenda setting, project management, or
day-to-day operations, or the authority to review and override
decisions of a component organization.
Patient Safety Act means the Patient Safety and Quality Improvement
Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public
Health Service Act (42 U.S.C. 299 et seq.) by inserting a new Part C,
sections 921 through 926, which are codified at 42 U.S.C. 299b-21
through 299b-26.
Patient safety activities means the following activities carried
out by or on behalf of a PSO or a provider:
(1) Efforts to improve patient safety and the quality of health
care delivery;
(2) The collection and analysis of patient safety work product;
[[Page 8173]]
(3) The development and dissemination of information with respect
to improving patient safety, such as recommendations, protocols, or
information regarding best practices;
(4) The utilization of patient safety work product for the purposes
of encouraging a culture of safety and of providing feedback and
assistance to effectively minimize patient risk;
(5) The maintenance of procedures to preserve confidentiality with
respect to patient safety work product;
(6) The provision of appropriate security measures with respect to
patient safety work product;
(7) The utilization of qualified staff; and
(8) Activities related to the operation of a patient safety
evaluation system and to the provision of feedback to participants in a
patient safety evaluation system.
Patient safety evaluation system means the collection, management,
or analysis of information for reporting to or by a PSO.
Patient safety organization (PSO) means a private or public entity
or component thereof that currently is listed as a PSO by the Secretary
in accordance with Subpart B. A health insurance issuer or a component
organization of a health insurance issuer may not be a PSO. See also
the exclusion in proposed Sec. 3.102 of this Part.
Patient safety work product (PSWP).
(1) Except as provided in paragraph (2) of this definition, patient
safety work product means any data, reports, records, memoranda,
analyses (such as root cause analyses), or written or oral statements
(or copies of any of this material)
(i)(A) Which are assembled or developed by a provider for reporting
to a PSO and are reported to a PSO; or
(B) Are developed by a PSO for the conduct of patient safety
activities; and which could improve patient safety, health care
quality, or health care outcomes; or
(ii) Which identify or constitute the deliberations or analysis of,
or identify the fact of reporting pursuant to, a patient safety
evaluation system.
(2)(i) Patient safety work product does not include a patient's
medical record, billing and discharge information, or any other
original patient or provider information; nor does it include
information that is collected, maintained, or developed separately, or
exists separately, from a patient safety evaluation system. Such
separate information or a copy thereof reported to a PSO shall not by
reason of its reporting be considered patient safety work product.
(ii) Nothing in this part shall be construed to limit information
that is not patient safety work product from being:
(A) Discovered or admitted in a criminal, civil or administrative
proceeding;
(B) Reported to a Federal, State, local or tribal governmental
agency for public health or health oversight purposes; or
(C) Maintained as part of a provider's recordkeeping obligation
under Federal, State, local or tribal law.
Person means a natural person, trust or estate, partnership,
corporation, professional association or corporation, or other entity,
public or private.
Provider means:
(1) An individual or entity licensed or otherwise authorized under
State law to provide health care services, including--
(i) A hospital, nursing facility, comprehensive outpatient
rehabilitation facility, home health agency, hospice program, renal
dialysis facility, ambulatory surgical center, pharmacy, physician or
health care practitioner's office (includes a group practice), long
term care facility, behavior health residential treatment facility,
clinical laboratory, or health center; or
(ii) A physician, physician assistant, registered nurse, nurse
practitioner, clinical nurse specialist, certified registered nurse
anesthetist, certified nurse midwife, psychologist, certified social
worker, registered dietitian or nutrition professional, physical or
occupational therapist, pharmacist, or other individual health care
practitioner;
(2) Agencies, organizations, and individuals within Federal, State,
local, or Tribal governments that deliver health care, organizations
engaged as contractors by the Federal, State, local, or Tribal
governments to deliver health care, and individual health care
practitioners employed or engaged as contractors by the Federal State,
local, or Tribal governments to deliver health care; or
(3) A parent organization that has a controlling interest in one or
more entities described in paragraph (1)(i) of this definition or a
Federal, State, local, or Tribal government unit that manages or
controls one or more entities described in (1)(i) or (2) of this
definition.
Research has the same meaning as the term is defined in the HIPAA
Privacy Rule at 45 CFR 164.501.
Respondent means a provider, PSO, or responsible person who is the
subject of a complaint or a compliance review.
Responsible person means a person, other than a provider or a PSO,
who has possession or custody of identifiable patient safety work
product and is subject to the confidentiality provisions.
Workforce means employees, volunteers, trainees, contractors, and
other persons whose conduct, in the performance of work for a provider,
PSO or responsible person, is under the direct control of such
provider, PSO or responsible person, whether or not they are paid by
the provider, PSO or responsible person.
Subpart B--PSO Requirements and Agency Procedures
Sec. 3.102 Process and requirements for initial and continued listing
of PSOs.
(a) Eligibility and process for initial and continued listing.
(1) Submission of Certification. Any entity, except as specified in
paragraph (a)(2) of this section, may request from the Secretary an
initial or continued listing as a PSO by submitting a completed
certification form that meets the requirements of this section, in
accordance with the submission requirements at Sec. 3.112. An
individual with authority to make commitments on behalf of the entity
seeking listing will be required to acknowledge each of the
certification requirements, attest that the entity meets each
requirement, provide contact information for the entity, and certify
that the PSO will promptly notify the Secretary during its period of
listing if it can no longer comply with any of the criteria in this
section.
(2) Restrictions on certain entities. Entities that may not seek
listing as a PSO include: health insurance issuers or components of
health insurance issuers. Any other entity, public or private, that
conducts regulatory oversight of health care providers, such as
accreditation or licensure, may not seek listing, except that a
component of such an entity may seek listing as a component PSO. An
applicant completing the required certification forms described in
paragraph (a)(1) of this section will be required to attest that the
entity is not subject to the restrictions of this paragraph.
(b) Fifteen general PSO certification requirements. The
certifications submitted to the Secretary in accordance with paragraph
(a)(1) of this section must conform to the following 15 requirements:
(1) Required certification regarding eight patient safety
activities. An entity seeking initial listing as a PSO must certify
that it has written policies and procedures in place to perform each of
the eight patient safety activities,
[[Page 8174]]
defined in Sec. 3.20. Such policies and procedures will provide for
compliance with the confidentiality provisions of subpart C of this
part and the appropriate security measures required by Sec. 3.106 of
this subpart. A PSO seeking continued listing must certify that it is
performing, and will continue to perform, each of the patient safety
activities, and is and will continue to comply with subpart C of this
part and the security requirements referenced in the preceding
sentence.
(2) Required certification regarding seven PSO criteria. In its
initial certification submission, an entity must also certify that it
will comply with the additional seven requirements in paragraphs
(b)(2)(i) through (b)(2)(vii) of this section. A PSO seeking continued
listing must certify that it is complying with, and will continue to
comply with, the requirements of this paragraph.
(i) The mission and primary activity of a PSO must be to conduct
activities that are to improve patient safety and the quality of health
care delivery.
(ii) The PSO must have appropriately qualified workforce members,
including licensed or certified medical professionals.
(iii) The PSO, within the 24-month period that begins on the date
of its initial listing as a PSO, and within each sequential 24-month
period thereafter, must have entered into 2 bona fide contracts, each
of a reasonable period of time, each with a different provider for the
purpose of receiving and reviewing patient safety work product.
(iv) The PSO is not a health insurance issuer, and is not a
component of a health insurance issuer.
(v) The PSO must make disclosures to the Secretary as required
under Sec. 3.102(d), in accordance with Sec. 3.112 of this subpart.
(vi) To the extent practical and appropriate, the PSO must collect
patient safety work product from providers in a standardized manner
that permits valid comparisons of similar cases among similar
providers.
(vii) The PSO must utilize patient safety work product for the
purpose of providing direct feedback and assistance to providers to
effectively minimize patient risk.
(c) Additional certifications required of component organizations.
In addition to meeting the 15 general PSO certification requirements of
paragraph (b) of this section, an entity seeking initial listing that
is a component of another organization or enterprise must certify that
it will comply with the requirements of paragraphs (c)(1) through
(c)(3) of this section. A component PSO seeking continued listing must
certify that it is complying with, and will continue to comply with,
the requirements of this paragraph.
(1) Separation of patient safety work product.
(i) A component PSO must:
(A) Maintain patient safety work product separately from the rest
of the parent organization(s) of which it is a part; and
(B) Not have a shared information system that could permit access
to its patient safety work product to an individual(s) in, or unit(s)
of, the rest of the parent organization(s) of which it is a part.
(ii) Notwithstanding the requirements of paragraph (c)(1)(i) of
this section, a component PSO may provide access to identifiable
patient safety work product to an individual(s) in, or a unit(s) of,
the rest of the parent organization(s) of which it is a part if the
component PSO enters into a written agreement with such individuals or
units that requires that:
(A) The component PSO will only provide access to identifiable
patient safety work product to enable such individuals or units to
assist the component PSO in its conduct of patient safety activities,
and
(B) Such individuals or units that receive access to identifiable
patient safety work product pursuant to such written agreement will
only use or disclose such information as specified by the component PSO
to assist the component PSO in its conduct of patient safety
activities, will take appropriate security measures to prevent
unauthorized disclosures and will comply with the other certifications
the component has made pursuant to paragraphs (c)(2) and (c)(3) of this
section regarding unauthorized disclosures and conflicts with the
mission of the component PSO.
(2) Nondisclosure of patient safety work product. A component PSO
must require that members of its workforce and any other contractor
staff, or individuals in, or units of, its parent organization(s) that
receive access in accordance with paragraph (c)(1)(ii) of this section
to its identifiable patient safety work product, not be engaged in work
for the parent organization(s) of which it is a part, if the work could
be informed or influenced by such individuals' knowledge of
identifiable patient safety work product, except for individuals whose
other work for the rest of the parent organization(s) is solely the
provision of clinical care.
(3) No conflict of interest. The pursuit of the mission of a
component PSO must not create a conflict of interest with the rest of
the parent organization(s) of which it is a part.
(d) Required notifications. PSOs must meet the following
notification requirements:
(1) Notification regarding PSO compliance with the minimum contract
requirement. No later than 45 calendar days prior to the last day of
the applicable 24-month assessment period, specified in paragraph
(b)(2)(iii) of this section, the Secretary must receive from a PSO a
certification that states whether it has met the requirement of that
paragraph regarding two bona fide contracts, in accordance with Sec.
3.112 of this subpart.
(2) Notification regarding a PSO's relationships with its
contracting providers. A PSO must submit to the Secretary a disclosure
statement, in accordance with Sec. 3.112 of this subpart, regarding
its relationships with each provider with which the PSO has a contract
pursuant to the Patient Safety Act if the circumstances described in
either paragraph (d)(2)(i) or (d)(2)(ii) of this section are
applicable. The Secretary must receive a disclosure statement within 45
days of the date on which a PSO enters a contract with a provider if
the circumstances are met on the date the contract is entered. During
the contract period, if a PSO subsequently enters one or more
relationships with a contracting provider that create the circumstances
described in paragraph (d)(2)(i) of this section or a provider exerts
any control over the PSO of the type described in paragraph (d)(2)(ii)
of this section, the Secretary must receive a disclosure statement from
the PSO within 45 days of the date that the PSO entered each new
relationship or of the date on which the provider imposed control of
the type described in paragraph (d)(2)(ii).
(i) Taking into account all relationships that the PSO has with the
provider, other than the bona fide contract entered into pursuant to
the Patient Safety Act, the PSO must fully disclose any other
contractual, financial, or reporting relationships described below that
it has with that provider.
(A) Contractual relationships which are not limited to
relationships based on formal contracts but also encompass
relationships based on any oral or written agreement or any arrangement
that imposes responsibilities on the PSO.
(B) Financial relationships including any direct or indirect
ownership or investment relationship between the PSO and the
contracting provider, shared or common financial interests or direct or
indirect compensation
[[Page 8175]]
arrangement, whether in cash or in-kind.
(C) Reporting relationships including any relationship that gives
the provider access to information or control, directly or indirectly,
over the work of the PSO that is not available to other contracting
providers.
(ii) Taking into account all relationships that the PSO has with
the provider, the PSO must fully disclose if it is not independently
managed or controlled, or if it does not operate independently from,
the contracting provider. In particular, the PSO must further disclose
whether the contracting provider has exercised or imposed any type of
management control that could limit the PSO's ability to fairly and
accurately perform patient safety activities and fully describe such
control(s).
(iii) PSOs may also describe or include in their disclosure
statements, as applicable, any agreements, stipulations, or procedural
safeguards that have been created to protect the ability of the PSO to
operate independently or information that indicates the limited impact
or insignificance of its financial, reporting, or contractual
relationships with a contracting provider.
Sec. 3.104 Secretarial actions.
(a) Actions in response to certification submissions for initial
and continued listing as a PSO. (1) In response to an initial or
continued certification submission by an entity, pursuant to the
requirements of Sec. 3.102 of this subpart, the Secretary may--
(i) Accept the certification submission and list the entity as a
PSO, or maintain the listing of a PSO, if the Secretary determines that
the entity meets the applicable requirements of the Patient Safety Act
and this subpart;
(ii) Deny acceptance of a certification submission and, in the case
of a currently listed PSO, remove the entity from the list if the
entity does not meet the applicable requirements of the Patient Safety
Act and this subpart; or
(iii) Condition the listing of an entity, or continued listing of a
PSO, following a determination made pursuant to paragraph (c) of this
section.
(2) Basis of determination. In making a determination regarding
listing, the Secretary will consider the certification submission; any
prior actions by the Secretary regarding the entity or PSO including
delisting; any history of or current non-compliance by the entity or
the PSO with statutory or regulatory requirements or requests from the
Secretary; the relationships of the entity or PSO with providers; and
any findings made by the Secretary in accordance with paragraph (c) of
this section.
(3) Notification. The Secretary will notify in writing each entity
of action taken on its certification submission for initial or
continued listing. The Secretary will provide reasons when an entity's
certification is conditionally accepted and the entity is conditionally
listed, when an entity's certification is not accepted and the entity
is not listed, or when acceptance of its certification is revoked and
the entity is delisted.
(b) Actions regarding PSO compliance with the minimum contract
requirement. When the Secretary receives notification required by Sec.
3.102(d)(1) of this subpart that the PSO has met the minimum contract
requirement, the Secretary will acknowledge in writing receipt of the
notification and add information to the list established pursuant to
paragraph (d) of this section stating that the PSO has certified that
it has met the requirement. If the PSO states that it has not yet met
the minimum contract requirement, or if notice is not received by the
date specified in Sec. 3.102(d)(1) of this subpart, the Secretary will
issue to the PSO a notice of a preliminary finding of deficiency as
specified in Sec. 3.108(a)(2) and establish a period for correction
that extends until midnight of the last day of the PSO's applicable 24-
month period of assessment. Immediately thereafter, if the requirement
has not been met, the Secretary will provide the PSO a written notice
of proposed revocation and delisting in accordance with Sec.
3.108(a)(3) of this subpart.
(c) Actions regarding required disclosures by PSOs of relationships
with contracting providers. The Secretary will review and make findings
regarding each disclosure statement submitted by a PSO, pursuant to
Sec. 3.102(d)(2) of this subpart, regarding its relationships with
contracting provider(s), determine whether such findings warrant action
regarding the listing of the PSO, and make the findings public.
(1) Basis of findings regarding PSO disclosure statements. In
reviewing disclosure statements, submitted pursuant to Sec.
3.102(d)(2) of this subpart, the Secretary will consider the nature,
significance, and duration of the disclosed relationship(s) between the
PSO and the contracting provider and will determine whether the PSO can
fairly and accurately perform the required patient safety activities.
(2) Determination by the Secretary. Based on the Secretary's review
and findings, he may choose to take any of the following actions:
(i) For an entity seeking an initial or continued listing, the
Secretary may list or continue the listing of an entity without
conditions, list the entity subject to conditions, or deny the entity's
certification for initial or continued listing; or
(ii) For a listed PSO, the Secretary may determine that the entity
will remain listed without conditions, continue the entity's listing
subject to conditions, or remove the entity from listing.
(3) Release of disclosure statements and Secretarial findings.
(i) Subject to paragraph (c)(3)(ii) of this section, the Secretary
will make disclosure statements available to the public along with
related findings that are made available in accordance with paragraph
(c) of this section.
(ii) The Secretary may withhold information that is exempt from
public disclosure under the Freedom of Information Act.
(d) Maintaining a list of PSOs. The Secretary will compile and
maintain a publicly available list of entities whose certifications as
PSOs have been accepted. The list will include contact information for
each entity, a copy of all certification forms and disclosure
statements submitted by each entity, the effective date of the PSO's
listing, and information on whether a PSO has certified that it has met
the two-contract requirement. The list also will include a copy of the
Secretary's findings regarding each disclosure statement submitted by
an entity, information describing any related conditions that have been
placed by the Secretary on the listing of an entity as a PSO, and other
information that this Subpart states may be made public. AHRQ will
establish a PSO Web site (or a comparable future form of public notice)
and may post the list on this Web site.
(e) Three-year period of listing. (1) The period of listing of a
PSO will be for a three-year period, unless the listing is revoked or
relinquished prior to the expiration of the three-year period, in
accordance with Sec. 3.108 of this subpart.
(2) The Secretary will send a written notice of imminent expiration
to a PSO at least 45 calendar days prior to the date on which its
three-year period of listing expires if the Secretary has not received
a certification for continued listing.
(f) Effective dates of Secretarial actions. Unless otherwise
stated, the effective date of each action by the Secretary pursuant to
this subpart will be specified in the written notice of such action
that is sent to the entity. When the Secretary sends a notice that
addresses acceptance or revocation of an
[[Page 8176]]
entity's certifications or voluntary relinquishment by an entity of its
status as a PSO, the notice will specify the effective date and time of
listing or delisting.
Sec. 3.106 Security requirements.
(a) Application. A PSO must provide security for patient safety
work product that conforms to the security requirements of paragraph
(b) of this section. These requirements must be met at all times and at
any location at which the PSO, its workforce members, or its
contractors hold patient safety work product.
(b) Security framework. PSOs must consider the following framework
for the security of patient safety work product. The framework includes
four elements: security management, separation of systems, security
monitoring and control, and system assessment. To address the four
elements of this framework, a PSO must develop appropriate and scalable
security standards, policies, and procedures that are suitable for the
size and complexity of its organization.
(1) Security management. A PSO must address:
(i) Maintenance and effective implementation of written policies
and procedures that conform to the requirements of this section to
protect the confidentiality, integrity, and availability of the patient
safety work product that is processed, stored, and transmitted; and to
monitor and improve the effectiveness of such policies and procedures,
and
(ii) Training of the PSO workforce and PSO contractors who access
or hold patient safety work product regarding the requirements of the
Patient Safety Act, this Part, and the PSO's policies and procedures
regarding the confidentiality and security of patient safety work
product.
(2) Separation of Systems. A PSO must address:
(i) Maintenance of patient safety work product, whether in
electronic or other media, physically and functionally separate from
any other system of records;
(ii) Protection of the media, whether in electronic, paper, or
other format, that contain patient safety work product, limiting access
to authorized users, and sanitizing and destroying such media before
disposal or release for reuse; and
(iii) Physical and environmental protection, to control and limit
physical and virtual access to places and equipment where patient
safety work product is stored or used.
(3) Security control and monitoring. A PSO must address:
(i) Identification of those authorized to have access to patient
safety work product and an audit capacity to detect unlawful,
unauthorized, or inappropriate access to patient safety work product,
and
(ii) Measures to prevent unauthorized removal, transmission or
disclosure of patient safety work product.
(4) Security assessment. A PSO must address:
(i) Periodic assessments of security risks and controls, as
determined appropriate by the PSO, to establish if its controls are
effective, to correct any deficiency identified, and to reduce or
eliminate any vulnerabilities.
(ii) System and communications protection, to monitor, control, and
protect PSO uses, communications, and transmissions involving patient
safety work product to and from providers and any other responsible
persons.
Sec. 3.108 Correction of deficiencies, revocation, and voluntary
relinquishment.
(a) Process for correction of a deficiency and revocation--(1)
Circumstances leading to revocation. The Secretary may revoke his
acceptance of an entity's certification and delist the entity as a PSO
if he determines--
(i) The PSO is not fulfilling the certifications it made to the
Secretary that are set forth in Sec. 3.102 of this subpart;
(ii) The PSO has not timely notified the Secretary that it has met
the two contract requirement, as required by Sec. 3.102(d)(1) of this
subpart;
(iii) The Secretary, based on a PSO's disclosures made pursuant to
Sec. 3.102(d)(2) of this subpart, makes a public finding that the
entity cannot fairly and accurately perform the patient safety
activities of a PSO; or
(iv) The PSO is not in compliance with any other provision of the
Patient Safety Act or this Part.
(2) Notice of preliminary finding of deficiency and establishment
of an opportunity for correction of a deficiency. (i) If the Secretary
determines that a PSO is not in compliance with its obligations under
the Patient Safety Act or this Subpart, the Secretary must send a PSO
written notice of the preliminary finding of deficiency. The notice
must state the actions or inactions that encompass the deficiency
finding, outline the evidence that the deficiency exists, specify the
possible and/or required corrective actions that must be taken, and
establish a date by which the deficiency must be corrected. The
Secretary may specify in the notice the level of documentation required
to demonstrate that the deficiency has been corrected.
(ii) The notice of a preliminary finding of deficiency is presumed
received five days after it is sent, absent evidence of the actual
receipt date. If a PSO does not submit evidence to the Secretary within
14 calendar days of actual or constructive receipt of such notice,
whichever is longer, which demonstrates that the preliminary finding is
factually incorrect, the preliminary finding will be the basis for a
finding of deficiency.
(3) Determination of correction of a deficiency. (i) Unless the
Secretary specifies another date, the Secretary must receive
documentation to demonstrate that the PSO has corrected the deficiency
no later than five calendar days following the last day of the
correction period, that is specified by the Secretary in the notice of
preliminary finding of deficiency.
(ii) In making a determination regarding the correction of any
deficiency, the Secretary will consider the documentation submitted by
the PSO, the findings of any site visit that he determines is necessary
or appropriate, recommendations of program staff, and any other
information available regarding the PSO that the Secretary deems
appropriate and relevant to the PSO's implementation of the terms of
its certification.
(iii) After completing his review, the Secretary may make one of
the following determinations:
(A) The action(s) taken by the PSO have corrected any deficiency,
in which case the Secretary will withdraw the notice of deficiency and
so notify the PSO;
(B) The PSO has acted in good faith to correct the deficiency but
the Secretary finds an additional period of time is necessary to
achieve full compliance and/or the required corrective action specified
in the notice of a preliminary finding of deficiency needs to be
modified in light of the experience of the PSO in attempting to
implement the corrective action, in which case the Secretary will
extend the period for correction and/or modify the specific corrective
action required; or
(C) The PSO has not completed the corrective action because it has
not acted with reasonable diligence or speed to ensure that the
corrective action was completed within the allotted time, in which case
the Secretary will issue to the PSO a notice of proposed revocation and
delisting.
(iv) When the Secretary issues a written notice of proposed
revocation and delisting, the notice will specify the
[[Page 8177]]
deficiencies that have not been timely corrected and will detail the
manner in which the PSO may exercise its opportunity to be heard in
writing to respond to the deficiencies specified in the notice.
(4) Opportunity to be heard in writing following a notice of
proposed revocation and delisting. The Secretary will afford a PSO an
opportunity to be heard in writing, as specified in paragraph (a)(4)(i)
of this section, to provide a substantive response to the deficiency
finding(s) set forth in the notice of proposed revocation and
delisting.
(i) The notice of proposed revocation and delisting is presumed
received five days after it is sent, absent evidence of actual receipt.
The Secretary will provide a PSO with a period of time, beginning with
the date of receipt of the notice of proposed revocation and delisting
of which there is evidence, or the presumed date of receipt if there is
no evidence of earlier receipt, and ending at midnight 30 calendar days
thereafter, during which the PSO can submit a substantive response to
the deficiency findings in writing.
(ii) The Secretary will provide to the PSO rules of procedure
governing the form or transmission of the written response to the
notice of proposed revocation and delisting. The Rules may also be
posted on the AHRQ PSO Web site or published in the Federal Register.
(iii) If a PSO does not submit a written response to the deficiency
finding(s) within 30 calendar days of receipt of the notice of proposed
revocation and delisting, the notice of proposed revocation becomes
final as a matter of law and the basis for Secretarial action under
paragraph (b)(1) of this section.
(5) The Secretary's decision regarding revocation. The Secretary
will review the entire administrative record pertaining to a notice of
proposed revocation and delisting and any written materials submitted
by the PSO under paragraph (a)(4) of this section. The Secretary may
affirm, reverse, or modify the notice of proposed revocation and
delisting and will make a determination with respect to the continued
listing of the PSO.
(b) Revocation of the Secretary's acceptance of a PSO's
certifications--(1) Establishing revocation for cause. When the
Secretary concludes, in accordance with a decision made under paragraph
(a)(5) of this section, that revocation of the acceptance of a PSO's
certification is warranted for its failure to comply with requirements
of the Patient Safety Act or of this Subpart, the Secretary will
establish the time and date for the prompt revocation and removal of
the entity from the list of PSOs, so notify the PSO in writing, and
provide the relevant public notice required by Sec. 3.108(d) of this
subpart.
(2) Required notification of providers and status of data. Within
15 days of being notified of the Secretary's action pursuant to
paragraph (b)(1) of this section, an entity subject to paragraph (b)(1)
of this section will submit to the Secretary confirmation that it has
taken all reasonable actions to notify each provider, whose patient
safety work product it collected or analyzed, of the Secretary's
action(s). Confidentiality and privilege protections that applied to
patient safety work product while the former PSO was listed continue to
apply after the entity is removed from listing. Data submitted by
providers to the former PSO within 30 calendar days of the date on
which it is removed from the list of PSOs pursuant to paragraph (b)(1)
of this section will have the same status as data submitted while the
entity was still listed.
(3) Disposition of patient safety work product and data. Following
revocation and delisting pursuant to paragraph (b)(1) of this section,
the former PSO will take one or more of the following measures:
(i) Transfer such patient safety work product or data, with the
approval of the source from which it was received, to a PSO that has
agreed to receive such patient safety work product or data;
(ii) Return such work product or data to the source from which it
was submitted; or
(iii) If returning such patient safety work product or data to its
source is not practicable, destroy such patient safety work product or
data.
(c) Voluntary relinquishment--(1) Circumstances constituting
voluntary relinquishment. A PSO will be considered to have voluntarily
relinquished its status as a PSO if the Secretary accepts a
notification from a PSO that it wishes to relinquish voluntarily its
listing as a PSO or the Secretary determines that an implied voluntary
relinquishment has taken place because the period of listing of a PSO
has expired without receipt of a timely submission of certifications
for continued listing.
(2) Notification of voluntary relinquishment. A PSO's notification
of voluntary relinquishment to the Secretary must include the
following:
(i) An attestation that all reasonable efforts have been made, or
will have been made by a PSO within 15 calendar days of this statement,
to notify the sources from which it received patient safety work
product or data of the PSO's intention to cease operations, to
relinquish voluntarily its status as a PSO, to request that these other
entities cease reporting or submitting any further information to the
PSO as soon as possible, and inform them that any data submitted after
the effective date and time of delisting, that the Secretary sets
pursuant to paragraph (c)(3) of this section, will not be protected as
patient safety work product under the Patient Safety Act based upon
such submissions;
(ii) An attestation that the entity has established a plan, or
within 15 calendar days of this statement, will have made all
reasonable efforts to establish a plan, in consultation with the
sources from which it received patient safety work product or data,
that provides for the disposition of such patient safety work product
or data consistent with, to the extent practicable, the statutory
options for disposition of patient safety work product or data as set
out in paragraphs (b)(3)(i) through (iii) of this section; and
(iii) Appropriate contact information for further communications
from the Secretary.
(3) Response to notification of voluntary relinquishment. (i) After
a PSO provides the notification required by paragraph (c)(2) of this
section, the Secretary will respond in writing to the entity indicating
whether the proposed voluntary relinquishment of its PSO status is
accepted. If the voluntary relinquishment is accepted, the Secretary's
response will indicate an effective date and time for the entity's
removal from the list of PSOs and will provide public notice of the
delisting, in accordance with Sec. 3.108(d) of this subpart.
(ii) If the Secretary receives a notification of voluntary
relinquishment during or immediately after revocation proceedings for
cause under paragraphs (a)(4) and (a)(5) of this section, the
Secretary, as a matter of discretion, may accept voluntary
relinquishment in accordance with the preceding paragraph or decide not
to accept the entity's proposed voluntary relinquishment and proceed
with the revocation for cause and delisting pursuant to paragraph
(b)(1) of this section.
(4) Implied voluntary relinquishment. (i) If the period of listing
of a PSO lapses without timely receipt and acceptance by the Secretary
of a certification seeking continued listing or timely receipt of a
notification of voluntary relinquishment of its PSO status in
accordance with paragraph (c)(2) of this section, the Secretary will
determine that voluntary relinquishment has
[[Page 8178]]
occurred and will remove the entity from the list of PSOs effective as
of midnight on the last day of its three-year period of listing. The
Secretary will take reasonable measures to notify the entity of its
delisting and will provide public notice of the delisting in accordance
with Sec. 3.108(d) of this subpart.
(ii) The Secretary will request in the notice to the entity that it
make reasonable efforts to comply with the requirements of paragraph
(c)(2) of this section with respect to notification, appropriate
disposition of patient safety work product, and the provision of
contact information to the Secretary.
(5) Non-applicability of certain procedures and requirements. (i) A
decision by the Secretary to accept a request by a PSO to relinquish
voluntarily its status as a PSO pursuant to paragraph (c)(2) of this
section or a decision that voluntary relinquishment has occurred
pursuant to paragraph (c)(4) of this section does not constitute a
determination of a deficiency in PSO compliance with the Patient Safety
Act or with this Subpart and no opportunity for corrective action by
the PSO is required.
(ii) The procedures and requirements of Sec. 3.108(a) of this
subpart regarding deficiencies including the opportunity to be heard in
writing, and those that are based upon determinations of the Secretary
pursuant to Sec. 3.108(b)(1) of this subpart are not applicable to
determinations of the Secretary made pursuant to paragraph (c) of this
section.
(d) Public notice of delisting regarding removal from listing. If
the Secretary removes an entity from the list of PSOs following
revocation of acceptance of the entity's certification pursuant to
Sec. 3.108(b)(1) of this subpart or following a determination of
voluntary relinquishment pursuant to Sec. 3.108(c)(3) or (c)(4) of
this subpart, the Secretary will promptly publish in the Federal
Register and on the AHRQ PSO Web site, or in a comparable future form
of public notice, established pursuant to Sec. 3.104(d) of this
subpart, a notice of the actions taken and the effective dates.
Sec. 3.110 Assessment of PSO compliance.
The Secretary may request information or conduct announced or
unannounced reviews of or site visits to PSOs, to assess or verify PSO
compliance with the requirements of this subpart and for these purposes
will be allowed to inspect the physical or virtual sites maintained or
controlled by the PSO. The Secretary will be allowed to inspect and/or
be given or sent copies of any PSO records deemed necessary and
requested by the Secretary to implement the provisions of this subpart.
Such PSO records may include patient safety work product in accordance
with Sec. 3.206(d) of this subpart.
Sec. 3.112 Submissions and forms.
(a) Forms referred to in this subpart may be obtained on the AHRQ
PSO Web site or a comparable future form of public notice or by
requesting them in writing by e-mail at [email protected], or by
mail from the Agency for Healthcare Research and Quality, CQuIPS, PSO
Liaison, 540 Gaither Road, Rockville, MD 20850. A form (including any
required attachments) must be submitted in accordance with the
accompanying instructions.
(b) Information submitted to AHRQ in writing, but not required to
be on a form, and requests for information from AHRQ, may be submitted
by mail or other delivery to the Agency for Healthcare Research and
Quality, CQuIPS, PSO Liaison, 540 Gaither Road, Rockville, MD 20850, by
facsimile at (301) 427-1341, or by e-mail at [email protected].
(c) If a submission to the Secretary is incomplete or additional
information is needed to allow a determination to be made under this
subpart, the submitter will be notified if any additional information
is required.
Subpart C--Confidentiality and Privilege Protections of Patient
Safety Work Product
Sec. 3.204 Privilege of Patient Safety Work Product
(a) Privilege. Notwithstanding any other provision of Federal,
State, local, or tribal law and subject to paragraph (b) of this
section and Sec. 3.208 of this subpart, patient safety work product
shall be privileged and shall not be:
(1) Subject to a Federal, State, local, or tribal civil, criminal,
or administrative subpoena or order, including in a Federal, State,
local, or tribal civil or administrative disciplinary proceeding
against a provider;
(2) Subject to discovery in connection with a Federal, State,
local, or tribal civil, criminal, or administrative proceeding,
including in a Federal, State, local, or tribal civil or administrative
disciplinary proceeding against a provider;
(3) Subject to disclosure pursuant to section 552 of Title 5,
United States Code (commonly known as the Freedom of Information Act)
or any other similar Federal, State, local, or tribal law;
(4) Admitted as evidence in any Federal, State, local, or tribal
governmental civil proceeding, criminal proceeding, administrative
rulemaking proceeding, or administrative adjudicatory proceeding,
including any such proceeding against a provider; or
(5) Admitted in a professional disciplinary proceeding of a
professional disciplinary body established or specifically authorized
under State law.
(b) Exceptions to privilege. Privilege shall not apply to (and
shall not be construed to prohibit) one or more of the following
disclosures:
(1) Disclosure of relevant patient safety work product for use in a
criminal proceeding, subject to the conditions at Sec. 3.206(b)(1) of
this subpart.
(2) Disclosure to the extent required to permit equitable relief
subject to the conditions at Sec. 3.206(b)(2) of this subpart.
(3) Disclosure pursuant to provider authorizations subject to the
conditions at Sec. 3.206(b)(3) of this subpart.
(4) Disclosure of non-identifiable patient safety work product
subject to the conditions at Sec. 3.206(b)(5) of this subpart.
(c) Implementation and Enforcement of the Patient Safety Act.
Privilege shall not apply to (and shall not be construed to prohibit)
disclosures of relevant patient safety work product to or by the
Secretary if such patient safety work product is needed to investigate
or determine compliance with this part or is needed in seeking or
imposing civil money penalties, or in making or supporting PSO
certification or listing decisions, under the Patient Safety Act.
Sec. 3.206 Confidentiality of Patient Safety Work Product.
(a) Confidentiality. Subject to paragraphs (b) through (e) of this
section, and Sec. Sec. 3.208 and 3.210 of this subpart, patient safety
work product shall be confidential and shall not be disclosed.
(b) Exceptions to confidentiality. The confidentiality provisions
shall not apply to (and shall not be construed to prohibit) one or more
of the following disclosures:
(1) Criminal proceedings. Disclosure of relevant patient safety
work product for use in a criminal proceeding, but only after a court
makes an in camera determination that:
(i) Such patient safety work product contains evidence of a
criminal act;
(ii) Such patient safety work product is material to the
proceeding; and
(iii) Such patient safety work product is not reasonably available
from any other source.
(2) Equitable relief for reporters. Disclosure of patient safety
work
[[Page 8179]]
product to the extent required to permit equitable relief under section
922 (f)(4)(A) of the Public Health Service Act.
(3) Authorized by identified providers. (i) Disclosure of
identifiable patient safety work product consistent with a valid
authorization if such authorization is obtained from each provider
identified in such work product prior to disclosure. A valid
authorization must:
(A) Be in writing and signed by the provider from whom
authorization is sought; and
(B) Contain sufficient detail to fairly inform the provider of the
nature and scope of the disclosures being authorized;
(ii) A valid authorization must be retained by the disclosing
entity for six years from the date of the last disclosure made in
reliance on the authorization and made available to the Secretary upon
request.
(4) Patient safety activities--(i) Disclosure between a provider
and a PSO. Disclosure of patient safety work product for patient safety
activities by a provider to a PSO or by a PSO to that disclosing
provider.
(ii) Disclosure to a contractor of a provider or a PSO. A provider
or a PSO may disclose patient safety work product for patient safety
activities to an entity with which it has contracted to undertake
patient safety activities on its behalf. A contractor receiving patient
safety work product for patient safety activities may not further
disclose patient safety work product, except to the entity with which
it is contracted.
(iii) Disclosure by a PSO to another PSO or by a provider to
another provider. Disclosure of patient safety work product for patient
safety activities by a PSO to another PSO or to another provider that
has reported to the PSO, or by a provider to another provider,
provided:
(A) The following direct identifiers of any providers and of
affiliated organizations, corporate parents, subsidiaries, practice
partners, employers, members of the workforce, or household members of
such providers are removed:
(1) Names;
(2) Postal address information, other than town or city, State and
zip code;
(3) Telephone numbers;
(4) Fax numbers;
(5) Electronic mail addresses;
(6) Social security numbers or taxpayer identification numbers;
(7) Provider or practitioner credentialing or DEA numbers;
(8) National provider identification number;
(9) Certificate/license numbers;
(10) Web Universal Resource Locators (URLs);
(11) Internet Protocol (IP) address numbers;
(12) Biometric identifiers, including finger and voice prints; and
(13) Full face photographic images and any comparable images; and
(B) With respect to any individually identifiable health
information in such patient safety work product, the direct identifiers
listed at 45 CFR 164.514(e)(2) have been removed.
(5) Disclosure of nonidentifiable patient safety work product.
Disclosure of nonidentifiable patient safety work product when patient
safety work product meets the standard for nonidentification in
accordance with Sec. 3.212 of this subpart.
(6) For research. (i) Disclosure of patient safety work product to
persons carrying out research, evaluation or demonstration projects
authorized, funded, certified, or otherwise sanctioned by rule or other
means by the Secretary, for the purpose of conducting research.
(ii) If the patient safety work product disclosed pursuant to
paragraph (b)(6)(i) of this section is by a HIPAA covered entity as
defined at 45 CFR 160.103 and contains protected health information as
defined by the HIPAA Privacy Rule at 45 CFR 160.103, such patient
safety work product may only be disclosed under this exception in the
same manner as would be permitted under the HIPAA Privacy Rule at 45
CFR 164.512(i).
(7) To the Food and Drug Administration (FDA).
(i) Disclosure by a provider of patient safety work product
concerning an FDA-regulated product or activity to the FDA or to an
entity required to report to the FDA concerning the quality, safety, or
effectiveness of an FDA-regulated product or activity.
(ii) The FDA and any entity receiving patient safety work product
pursuant to paragraph (b)(7)(i) of this section may only further
disclose such patient safety work product for the purpose of evaluating
the quality, safety, or effectiveness of that product or activity
between each other, their contractors, and the disclosing provider. A
contractor receiving patient safety work product pursuant to this
paragraph may not further disclose patient safety work product, except
to the entity from which it received the patient safety work product.
(8) Voluntary disclosure to an accrediting body.
(i) Voluntary disclosure by a provider of patient safety work
product that identifies that provider to an accrediting body that
accredits that provider. Such accrediting body may not further disclose
such patient safety work product.
(ii) An accrediting body may not take an accrediting action against
a provider based on a good faith participation of the provider in the
collection, development, reporting, or maintenance of patient safety
work product in accordance with this Part. An accrediting body may not
require a provider to reveal its communications with any PSO.
(9) Business operations. (i) Disclosure of patient safety work
product by a provider or a PSO for business operations to attorneys,
accountants, and other professionals. Such contractors may not further
disclose patient safety work product, except to the entity from which
they received the information.
(ii) Disclosure of patient safety work product for such other
business operations that the Secretary may prescribe by regulation as
consistent with the goals of this part.
(10) Disclosure to law enforcement.
(i) Disclosure of patient safety work product to an appropriate law
enforcement authority relating to an event that either constitutes the
commission of a crime, or for which the disclosing person reasonably
believes constitutes the commission of a crime, provided that the
disclosing person believes, reasonably under the circumstances, that
the patient safety work product that is disclosed is necessary for
criminal law enforcement purposes.
(ii) Law enforcement personnel receiving patient safety work
product pursuant to paragraph (b)(10)(i) of this section may disclose
that patient safety work product to other law enforcement authorities
as needed for law enforcement activities related to the event that gave
rise to the disclosure under paragraph (b)(10)(i) of this section.
(c) Safe harbor. A provider or responsible person, but not a PSO,
is not considered to have violated the requirements of this subpart if
a member of its workforce discloses patient safety work product,
provided that the disclosure does not include materials, including oral
statements, that:
(1) Assess the quality of care of an identifiable provider; or
(2) Describe or pertain to one or more actions or failures to act
by an identifiable provider.
(d) Implementation and Enforcement of the Patient Safety Act. The
confidentiality provisions shall not apply to (and shall not be
construed to
[[Page 8180]]
prohibit) disclosures of relevant patient safety work product to or by
the Secretary if such patient safety work product is needed to
investigate or determine compliance with this part or is needed in
seeking and imposing civil money penalties, or in making or supporting
PSO certification or listing decisions, under the Patient Safety Act.
(e) No limitation on authority to limit or delegate disclosure or
use. Nothing in subpart C of this part shall be construed to limit the
authority of any person to enter into a contract requiring greater
confidentiality or delegating authority to make a disclosure or use in
accordance with this subpart.
Sec. 3.208 Continued protection of Patient Safety Work Product.
(a) Except as provided in paragraph (b) of this section, patient
safety work product disclosed in accordance with this subpart, or
disclosed impermissibly, shall continue to be privileged and
confidential.
(b)(1) Patient safety work product disclosed for use in a criminal
proceeding pursuant to section 922(c)(1)(A) of the Public Health
Service Act and/or pursuant to Sec. 3.206(b)(1) of this subpart
continues to be privileged, but is no longer confidential.
(2) Non-identifiable patient safety work product that is disclosed
is no longer privileged or confidential and not subject to the
regulations under this part.
(3) Paragraph (b) of this section applies only to the specific
patient safety work product disclosed.
Sec. 3.210 Required disclosure of Patient Safety Work Product to the
Secretary.
Providers, PSOs, and responsible persons must disclose patient
safety work product upon request by the Secretary when the Secretary
determines such patient safety work product is needed to investigate or
determine compliance with this part or is needed in seeking and
imposing civil money penalties or making determinations on certifying
and listing PSOs.
Sec. 3.212 Nonidentification of Patient Safety Work Product.
(a) Patient safety work product is nonidentifiable with respect to
a particular identified provider or a particular identified reporter
if:
(1) A person with appropriate knowledge of and experience with
generally accepted statistical and scientific principles and methods
for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk
is very small that the information could be used, alone or in
combination with other reasonably available information, by an
anticipated recipient to identify an identified provider or reporter;
and
(ii) Documents the methods and results of the analysis that justify
such determination; or
(2)(i) The following identifiers of such provider or reporter and
of affiliated organizations, corporate parents, subsidiaries, practice
partners, employers, members of the workforce, or household members of
such providers or reporters are removed:
(A) Names;
(B) Geographic subdivisions smaller than a State, including street
address, city, county, precinct, zip code and equivalent geocodes,
except for the initial three digits of a zip code if, according to the
current publicly available data from the Bureau of the Census, the
geographic unit formed by combining all zip codes with the same three
initial digits contains more than 20,000 people;
(C) All elements of dates (except year) for dates directly related
to a patient safety incident or event;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers or taxpayer identification numbers;
(H) Provider or practitioner credentialing or DEA numbers;
(I) National provider identification number;
(J) Certificate/license numbers;
(K) Web Universal Resource Locators (URLs);
(L) Internet Protocol (IP) address numbers;
(M) Biometric identifiers, including finger and voice prints;
(N) Full face photographic images and any comparable images; and,
(O) Any other unique identifying number, characteristic, or code
except as permitted for re-identification; and
(ii) The provider, PSO or responsible person making the disclosure
does not have actual knowledge that the information could be used,
alone or in combination with other information that is reasonably
available to the intended recipient, to identify the particular
provider or reporter.
(3) Re-identification. A provider, PSO, or responsible person may
assign a code or other means of record identification to allow
information made nonidentifiable under this section to be re-identified
by such provider, PSO, or responsible person, provided that:
(i) The code or other means of record identification is not derived
from or related to information about the provider or reporter and is
not otherwise capable of being translated so as to identify the
provider or reporter; and
(ii) The provider, PSO, or responsible person does not use or
disclose the code or other means of record identification for any other
purpose, and does not disclose the mechanism for re-identification.
(b) Patient safety work product is non-identifiable with respect a
particular patient only if the individually identifiable health
information regarding that patient is de-identified in accordance with
the HIPAA Privacy Rule standard and implementation specifications for
the de-identification at 45 CFR 164.514 (a) through (c).
Subpart D--Enforcement Program
Sec. 3.304 Principles for achieving compliance.
(a) Cooperation. The Secretary will, to the extent practicable,
seek the cooperation of providers, PSOs, and responsible persons in
obtaining compliance with the applicable confidentiality provisions.
(b) Assistance. The Secretary may provide technical assistance to
providers, PSOs, and responsible persons to help them comply
voluntarily with the applicable confidentiality provisions.
Sec. 3.306 Complaints to the Secretary.
(a) Right to file a complaint. A person who believes that patient
safety work product has been disclosed in violation of the
confidentiality provisions may file a complaint with the Secretary.
(b) Requirements for filing complaints. Complaints under this
section must meet the following requirements:
(1) A complaint must be filed in writing, either on paper or
electronically.
(2) A complaint must name the person that is the subject of the
complaint and describe the act(s) believed to be in violation of the
applicable confidentiality provision(s).
(3) A complaint must be filed within 180 days of when the
complainant knew or should have known that the act complained of
occurred, unless this time limit is waived by the Secretary for good
cause shown.
(4) The Secretary may prescribe additional procedures for the
filing of complaints, as well as the place and manner of filing, by
notice in the Federal Register.
(c) Investigation. The Secretary may investigate complaints filed
under this section. Such investigation may include
[[Page 8181]]
a review of the pertinent policies, procedures, or practices of the
respondent and of the circumstances regarding any alleged violation. At
the time of initial written communication with the respondent about the
complaint, the Secretary will describe the act(s) that are the basis of
the complaint.
Sec. 3.308 Compliance reviews.
The Secretary may conduct compliance reviews to determine whether a
respondent is complying with the applicable confidentiality provisions.
Sec. 3.310 Responsibilities of respondents.
(a) Provide records and compliance reports. A respondent must keep
such records and submit such compliance reports, in such time and
manner and containing such information, as the Secretary may determine
to be necessary to enable the Secretary to ascertain whether the
respondent has complied or is complying with the applicable
confidentiality provisions.
(b) Cooperate with complaint investigations and compliance reviews.
A respondent must cooperate with the Secretary, if the Secretary
undertakes an investigation or compliance review of the policies,
procedures, or practices of the respondent to determine whether it is
complying with the applicable confidentiality provisions.
(c) Permit access to information. (1) A respondent must permit
access by the Secretary during normal business hours to its facilities,
books, records, accounts, and other sources of information, including
patient safety work product, that are pertinent to ascertaining
compliance with the applicable confidentiality provisions. If the
Secretary determines that exigent circumstances exist, such as when
documents may be hidden or destroyed, a respondent must permit access
by the Secretary at any time and without notice.
(2) If any information required of a respondent under this section
is in the exclusive possession of any other agency, institution, or
person, and the other agency, institution, or person fails or refuses
to furnish the information, the respondent must so certify and set
forth what efforts it has made to obtain the information.
Sec. 3.312 Secretarial action regarding complaints and compliance
reviews.
(a) Resolution when noncompliance is indicated. (1) If an
investigation of a complaint pursuant to Sec. 3.306 of this subpart or
a compliance review pursuant to Sec. 3.308 of this subpart indicates
noncompliance, the Secretary may attempt to reach a resolution of the
matter satisfactory to the Secretary by informal means. Informal means
may include demonstrated compliance or a completed corrective action
plan or other agreement.
(2) If the matter is resolved by informal means, the Secretary will
so inform the respondent and, if the matter arose from a complaint, the
complainant, in writing.
(3) If the matter is not resolved by informal means, the Secretary
will--
(i) So inform the respondent and provide the respondent an
opportunity to submit written evidence of any mitigating factors. The
respondent must submit any evidence to the Secretary within 30 days
(computed in the same manner as prescribed under Sec. 3.504(l) of this
subpart) of receipt of such notification; and
(ii) If, following action pursuant to paragraph (a)(3)(i) of this
section, the Secretary decides that a civil money penalty should be
imposed, inform the respondent of such finding in a notice of proposed
determination in accordance with Sec. 3.420 of this subpart.
(b) Resolution when no violation is found. If, after an
investigation pursuant to Sec. 3.306 of this subpart or a compliance
review pursuant to Sec. 3.308 of this subpart, the Secretary
determines that further action is not warranted, the Secretary will so
inform the respondent and, if the matter arose from a complaint, the
complainant, in writing.
(c) Uses and disclosures of information obtained. (1) Identifiable
patient safety work product obtained by the Secretary in connection
with an investigation or compliance review under this subpart will not
be disclosed by the Secretary, except in accordance with Sec. 3.206(d)
of this subpart, or if otherwise permitted by this part or the Patient
Safety Act.
(2) Except as provided for in paragraph (c)(1) of this section,
information, including testimony and other evidence, obtained by the
Secretary in connection with an investigation or compliance review
under this subpart may be used by HHS in any of its activities and may
be used or offered into evidence in any administrative or judicial
proceeding.
Sec. 3.314 Investigational subpoenas and inquiries.
(a) The Secretary may issue subpoenas in accordance with 42 U.S.C.
405(d) and (e), and 1320a-7a(j), to require the attendance and
testimony of witnesses and the production of any other evidence
including patient safety work product during an investigation or
compliance review pursuant to this part. The Secretary will issue and
serve subpoenas pursuant to this subpart in accordance with 45 CFR
160.314(a)(1) through (5), except the term ``this part'' shall refer to
42 CFR part 3.
(b) Investigational inquiries are non-public investigational
proceedings conducted by the Secretary. The Secretary will conduct
investigational proceedings in accordance with 45 CFR 160.314(b)(1)
through (9).
Sec. 3.402 Basis for a civil money penalty.
(a) General rule. A person who discloses identifiable patient
safety work product in knowing or reckless violation of the
confidentiality provisions shall be subject to a civil money penalty
for each act constituting such violation.
(b) Violation attributed to a principal. A principal is
independently liable, in accordance with the federal common law of
agency, for a civil money penalty based on the act of the principal's
agent, including a workforce member, acting within the scope of the
agency if such act could give rise to a civil money penalty in
accordance with Sec. 3.402(a) of this subpart.
Sec. 3.404 Amount of a civil money penalty.
(a) The amount of a civil money penalty will be determined in
accordance with paragraph (b) of this section and Sec. 3.408 of this
subpart.
(b) The Secretary may impose a civil money penalty in the amount of
not more than $10,000.
Sec. 3.408 Factors considered in determining the amount of a civil
money penalty.
In determining the amount of any civil money penalty, the Secretary
may consider as aggravating or mitigating factors, as appropriate, any
of the following:
(a) The nature of the violation.
(b) The circumstances, including the consequences, of the
violation, including:
(1) The time period during which the violation(s) occurred; and
(2) Whether the violation caused physical or financial harm or
reputational damage;
(c) The degree of culpability of the respondent, including:
(1) Whether the violation was intentional; and
(2) Whether the violation was beyond the direct control of the
respondent.
(d) Any history of prior compliance with the Patient Safety Act,
including violations, by the respondent, including:
(1) Whether the current violation is the same or similar to prior
violation(s);
[[Page 8182]]
(2) Whether and to what extent the respondent has attempted to
correct previous violations;
(3) How the respondent has responded to technical assistance from
the Secretary provided in the context of a compliance effort; and
(4) How the respondent has responded to prior complaints.
(e) The financial condition of the respondent, including:
(1) Whether the respondent had financial difficulties that affected
its ability to comply;
(2) Whether the imposition of a civil money penalty would
jeopardize the ability of the respondent to continue to provide health
care or patient safety activities; and
(3) The size of the respondent.
(f) Such other matters as justice may require.
Sec. 3.414 Limitations.
No action under this subpart may be entertained unless commenced by
the Secretary, in accordance with Sec. 3.420 of this subpart, within 6
years from the date of the occurrence of the violation.
Sec. 3.416 Authority to settle.
Nothing in this subpart limits the authority of the Secretary to
settle any issue or case or to compromise any penalty.
Sec. 3.418 Exclusivity of penalty.
(a) Except as otherwise provided by paragraph (b) of this section,
a penalty imposed under this part is in addition to any other penalty
prescribed by law.
(b) Civil money penalties shall not be imposed both under this part
and under the HIPAA Privacy Rule (45 CFR parts 160 and 164).
Sec. 3.420 Notice of proposed determination.
(a) If a penalty is proposed in accordance with this part, the
Secretary must deliver, or send by certified mail with return receipt
requested, to the respondent, written notice of the Secretary's intent
to impose a penalty. This notice of proposed determination must
include:
(1) Reference to the statutory basis for the penalty;
(2) A description of the findings of fact regarding the violations
with respect to which the penalty is proposed;
(3) The reason(s) why the violation(s) subject(s) the respondent to
a penalty;
(4) The amount of the proposed penalty;
(5) Any factors described in Sec. 3.408 of this subpart that were
considered in determining the amount of the proposed penalty; and
(6) Instructions for responding to the notice, including a
statement of the respondent's right to a hearing, a statement that
failure to request a hearing within 60 days permits the imposition of
the proposed penalty without the right to a hearing under Sec. 3.504
of this subpart or a right of appeal under Sec. 3.504(v) of this
subpart, and the address to which the hearing request must be sent.
(b) The respondent may request a hearing before an ALJ on the
proposed penalty by filing a request in accordance with Sec. 3.504 of
this subpart.
Sec. 3.422 Failure to request a hearing.
If the respondent does not request a hearing within the time
prescribed by Sec. 3.504 of this subpart and the matter is not settled
pursuant to Sec. 3.416 of this subpart, the Secretary may impose the
proposed penalty or any lesser penalty permitted by 42 U.S.C. 299b-21
through 299b-26. The Secretary will notify the respondent by certified
mail, return receipt requested, of any penalty that has been imposed
and of the means by which the respondent may satisfy the penalty, and
the penalty is final on receipt of the notice. The respondent has no
right to appeal a penalty under Sec. 3.504(v) of this subpart with
respect to which the respondent has not timely requested a hearing.
Sec. 3.424 Collection of penalty.
Once a determination of the Secretary to impose a penalty has
become final, the penalty will be collected by the Secretary in
accordance with 45 CFR 160.424, except the term ``this part'' shall
refer to 42 CFR Part 3.
Sec. 3.426 Notification of the public and other agencies.
Whenever a proposed penalty becomes final, the Secretary will
notify, in such manner as the Secretary deems appropriate, the public
and the following organizations and entities thereof and the reason it
was imposed: The appropriate State or local medical or professional
organization, the appropriate State agency or agencies administering or
supervising the administration of State health care programs (as
defined in 42 U.S.C. 1320a-7(h)), the appropriate utilization and
quality control peer review organization, and the appropriate State or
local licensing agency or organization (including the agency specified
in 42 U.S.C. 1395aa(a), 1396a(a)(33)).
Sec. 3.504 Procedures for hearings.
(a) Hearings before an ALJ. A respondent may request a hearing
before an ALJ. Hearings must be requested in accordance with 45 CFR
160.504(a) through (c), except the language in paragraph (c) following
and including ``except that'' shall not apply. The ALJ must dismiss a
hearing request in accordance with 45 CFR 160.504(d).
(b) Rights of the parties. The hearing rights of the parties will
be determined in accordance with 45 CFR 160.506.
(c) Authority of the ALJ. The ALJ will conduct a fair and impartial
hearing in accordance with 45 CFR 160.508(a) through (c)(4).
(d) Ex parte contacts. Ex parte contacts are prohibited in
accordance with 45 CFR 160.510.
(e) Prehearing conferences. Prehearing conferences will be
conducted in accordance with 45 CFR 160.512, except the term
``identifiable patient safety work product'' shall apply in place of
the term ``individually identifiable health information.''
(f) Authority to settle. The Secretary has authority to settle
issues in accordance with 45 CFR 160.514.
(g) Discovery. Discovery will proceed in accordance with 45 CFR
160.516.
(h) Exchange of witness lists, witness statements, and exhibits.
The parties will exchange hearing material in accordance with 45 CFR
160.518, except the language in paragraph (a) following and including
``except that'' shall not apply.
(i) Subpoenas for attendance at hearing. The ALJ will issue a
subpoena for the appearance and testimony of any person at the hearing
in accordance with 45 CFR 160.520.
(j) Fees. Fees and mileage for subpoenaed witnesses will be paid in
accordance with 45 CFR 160.522.
(k) Form, filing, and service of papers. Hearing documents will be
filed and serviced in accordance with 45 CFR 160.524.
(l) Computation of time. Computation of time shall be in accordance
with 45 CFR 160.526, except the term ``this subpart'' shall refer to 42
CFR part 3, Subpart D, and the citation ``Sec. 3.504(a) of 42 CFR part
3'' shall apply in place of the citation ``Sec. 160.504.''
(m) Motions. Procedures for the filing and disposition of motions
will be in accordance with 45 CFR 160.528.
(n) Sanctions. The ALJ may sanction a person in accordance with
authorities at 45 CFR 160.530.
(o) Collateral estoppel. Collateral estoppel will apply to hearings
conducted pursuant to this subpart in accordance with 45 CFR 160.532,
except the term ``a confidentiality provision'' shall apply in place of
the term ``an administrative simplification provision.''
(p) The hearing. Hearings will be conducted in accordance with 45
CFR
[[Page 8183]]
160.534, except the following text shall apply in place of Sec.
160.534(b)(1): ``The respondent has the burden of going forward and the
burden of persuasion with respect to any challenge to the amount of a
proposed penalty pursuant to Sec. Sec. 3.404-3.408 of 42 CFR part 3,
including any factors raised as mitigating factors.'' Good cause shown
under 45 CFR 160.534(c) may be that identifiable patient safety work
product has been introduced into evidence or is expected to be
introduced into evidence.
(q) Witnesses. The testimony of witnesses will be handled in
accordance with 45 CFR 160.538, except that the citation ``Sec.
3.504(h) of 42 CFR part 3'' shall apply in place of the citation
``Sec. 160.518.''
(r) Evidence. The ALJ will determine the admissibility of evidence
in accordance with 45 CFR 160.540, except that the citation ``Sec.
3.420 of 42 CFR part 3'' shall apply in place of the citation ``Sec.
160.420 of this part.''
(s) The record. The record of the hearing will be created and made
available in accordance with 45 CFR 160.542. Good cause under 45 CFR
160.542(c) through (d) may include the presence in the record of
identifiable patient safety work product.
(t) Post hearing briefs. Post-hearing briefs, if required by the
ALJ, will be filed in accordance with 45 CFR 160.544.
(u) ALJ's decision. The ALJ will issue a decision in accordance
with 45 CFR 160.546, except the citation ``Sec. 3.504(v) of 42 CFR
part 3'' shall apply in place of ``Sec. 160.548.''
(v) Appeal of the ALJ's decision. Any party may appeal the decision
of the ALJ in accordance with 45 CFR 160.548, except the following
language in paragraph (e) shall not apply: ``Except for an affirmative
defense under Sec. 160.410(b)(1) of this part.''
(w) Stay of the Secretary's decision. Pending judicial review, a
stay of the Secretary's decision may be requested in accordance with 45
CFR 160.550.
(x) Harmless error. Harmless errors will be handled in accordance
with 45 CFR 160.552.
Dated: October 5, 2007.
Michael O. Levitt,
Secretary.
[FR Doc. E8-2375 Filed 2-11-08; 8:45 am]
BILLING CODE 4153-01-P